13 Replies Latest reply: Oct 7, 2009 9:22 AM by Dreadnought
Dreadnought Level 1 (15 points)
I've been performing some trial and error and can't seem to give any of my users SSH access. My administrator account works fine, but no other account can connect. It seems to be this way regardless of which services I give the user from "Server Preferences" and even if I give them "Administer this Server" access. What's the trick here?

Thanks!

MBP C2D & Mac Mini 1.25ghz, Mac OS X (10.5.1)
  • planb77 Level 7 (32,280 points)
    Hello Dreadnought,

    I don't have any direct answers for you, but I may be able to point you somewhere that does. Check out this article on setting up ssh access on a Leopard server. Hope it helps.

    [SSH with Leopard|http://blog.robseaman.com/2008/11/30/ssh-with-leopard]

    B-rock
  • Dreadnought Level 1 (15 points)
    Hi B-rock,

    I took a quick look at that article and it looks like it addresses the OS X client... I'm hoping to find some clear instructions on how to enable SSH for users on the OS X Server side.
  • MrHoffman Level 6 (12,980 points)
    Ok, so to confirm, the Settings ssh checkbox in Server Admin is enabled, as is the per-user ssh (or wide-open ssh) Access to ssh within Server Admin?

    What's different about the users? Are the users on a different disk volume than the administrator? Are the users in Open Directory?

    Can the users connect to the server via http (if Apache is running) or telnet (if enabled) or other such?

    What (else) have you tried?

    Is there a managed LAN (vLAN or "smart" switches or otherwise) here?
  • Dreadnought Level 1 (15 points)
    I don't get it... I can use Cyberduck to SFTP to my server fine if I use the administrator account, but if I use either of two user accounts (with all the settings the same as when I connect as the administrator except the username and password) I get a password failed message from both Cyberduck and OS X Server.

    Here's the log from OS X Server; you can see the first and second users trying to log in and ultimately getting "Failed password..." even though I'm definitely using the correct passwords. Finally you see me logging in as the administrator and for some reason we see "Accepted password..."

    Sep 16 09:42:38 myservername sshd[77825]: /etc/sshd_config line 75: Unsupported option KerberosGetAFSToken
    Sep 16 09:42:38 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating credential for user firstusername
    Sep 16 09:42:38 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating shared credential for user firstusername
    Sep 16 09:42:38 myservername com.apple.SecurityServer[37]: Succeeded authorizing right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
    Sep 16 09:42:38 myservername sshd[77825]: Failed password for firstusername from 10.0.1.1 port 45988 ssh2
    Sep 16 09:43:12 myservername sshd[77855]: /etc/sshd_config line 75: Unsupported option KerberosGetAFSToken
    Sep 16 09:43:13 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating credential for user secondusername
    Sep 16 09:43:13 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating shared credential for user secondusername
    Sep 16 09:43:13 myservername com.apple.SecurityServer[37]: Succeeded authorizing right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
    Sep 16 09:43:13 myservername sshd[77855]: Failed password for secondusername from 10.0.1.1 port 41965 ssh2
    Sep 16 09:43:52 myservername sshd[77874]: /etc/sshd_config line 75: Unsupported option KerberosGetAFSToken
    Sep 16 09:43:52 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating credential for user administrator
    Sep 16 09:43:52 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating shared credential for user administrator
    Sep 16 09:43:52 myservername com.apple.SecurityServer[37]: Succeeded authorizing right system.login.tty by client /usr/sbin/sshd for authorization created by /usr/sbin/sshd.
    Sep 16 09:43:52 myservername sshd[77874]: Accepted password for administrator from 10.0.1.1 port 38438 ssh2
    Sep 16 09:43:52 myservername sshd[77881]: subsystem request for sftp
  • Dreadnought Level 1 (15 points)
    Yes, "Remote Login (SSH)" checkbox in Server Admin is checked. I left the "Access" alone so it still shows the SSH service allows access by "all users or groups."

    I don't think there is anything relevant different about the users? I created them in Server Preferences. I guess they don't have a check in "Allow user to administer this server" if that is somehow relevant? I'm pretty sure I already tried checking that though during one of my tests and it made no difference.

    The users can access their mail accounts fine on the server using their short names and passwords. No strange networking stuff going on, I'm actually doing all this testing on the same switch.
  • MrHoffman Level 6 (12,980 points)
    Server Preferences -> Select User -> Select Services -> VPN services checked?
  • Dreadnought Level 1 (15 points)
    Yes, I've always had that checked for all my users.
  • Dreadnought Level 1 (15 points)
    I just looked into how to initiate a paid technical support incident with Apple regarding this issue and I found this:

    http://store.apple.com/us/product/MB040ZM/C

    Is $6K really the only option for lodging a single OS X Server technical support incident with Apple?
  • Dreadnought Level 1 (15 points)
    I just noticed something that may be related to this issue... the only user that can log in to my OS X Server (10.5.8) locally is "administrator." All the other accounts I've created for myself and my users that work fine for remote connections (mail and iCal basically) do not work for simply logging into the server when I'm sitting at it locally. The login screen just bounces around when I type the correct short names and passwords.

    Is there some privilege or group I need to add to new users so they can log in to the server locally? And maybe that will allow SSH access?
  • foilpan Level 4 (1,385 points)
    are these other users set up with network homes? do they actually have homedirs?

    it looks like a kerberos issue. i think you explicitly need to pass an option with ssh to use kerberos logins. something like this: ssh server.domain.com -o GSSAPIAuthentication=yes

    of course, verify you have a kerberos ticket on the client side before trying that.

    there are other references to this in these forums.
  • Dreadnought Level 1 (15 points)
    I don't think I use Kerberos... it shows "Stopped" in Server Admin and I'm not sure why I would need it. I used the standard setting (I think that was the option anyway) when I first installed OS X Server.

    I used Server Preferences to create the user accounts. I guess it doesn't set up home folders for new users? All my users show "/var/empty" under Workgroup Manager/Home. Login Shell is set for /usr/bin/false.

    I'll try setting a home folder and a login shell and see if SSH starts working. Maybe Server Preferences isn't a good tool for creating accounts?
  • foilpan Level 4 (1,385 points)
    right. users need a default login shell to be able to log in via ssh, as far as i know.
  • Dreadnought Level 1 (15 points)
    Ok, setting a shell and home folder worked! SSH and SFTP are working great. I'm surprised (ok, at this point not really) that the Server Preferences didn't ask me about this stuff during the account creation.
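
Added example (not part of the thread): the log posted above shows checkpw() succeeding for a user one line before sshd reports "Failed password" for the same user, which is the signature of an account-level rejection rather than a wrong password, and the thread traced it to the accounts' shell and home folder. This sketch correlates the two message types to tell those cases apart; the sample lines are constructed from the thread's excerpt, and the "thirduser" line, the year and the 2-second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: four lines modelled on the thread's log, plus one
# invented failure ("thirduser") that has no preceding checkpw() success.
SAMPLE_LOG = """\
Sep 16 09:42:38 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating credential for user firstusername
Sep 16 09:42:38 myservername sshd[77825]: Failed password for firstusername from 10.0.1.1 port 45988 ssh2
Sep 16 09:43:52 myservername com.apple.SecurityServer[37]: checkpw() succeeded, creating credential for user administrator
Sep 16 09:43:52 myservername sshd[77874]: Accepted password for administrator from 10.0.1.1 port 38438 ssh2
Sep 16 09:50:01 myservername sshd[77990]: Failed password for thirduser from 10.0.1.1 port 40000 ssh2
"""

STAMP = r"^(\w{3} +\d+ [\d:]{8}) \S+ "
CHECKPW = re.compile(STAMP + r"com\.apple\.SecurityServer\[\d+\]: "
                     r"checkpw\(\) succeeded, creating (?:shared )?credential for user (\S+)")
SSHD = re.compile(STAMP + r"sshd\[\d+\]: "
                  r"(Accepted|Failed) password for (?:invalid user )?(\S+) from \S+")

def _ts(stamp, year):
    # syslog stamps carry no year, so one is supplied (assumption: 2009)
    return datetime.strptime(f"{year} {stamp}", "%Y %b %d %H:%M:%S")

def classify(log_text, year=2009, window=timedelta(seconds=2)):
    """Return (user, verdict) for every sshd password result in the log."""
    verified = {}  # user -> time of the most recent successful checkpw()
    results = []
    for line in log_text.splitlines():
        m = CHECKPW.match(line)
        if m:
            verified[m.group(2)] = _ts(m.group(1), year)
            continue
        m = SSHD.match(line)
        if not m:
            continue
        when, outcome, user = _ts(m.group(1), year), m.group(2), m.group(3)
        seen = verified.get(user)
        recent = seen is not None and timedelta(0) <= when - seen <= window
        if outcome == "Accepted":
            verdict = "ok"
        elif recent:
            # Password was right; inspect the account (login shell, home folder)
            verdict = "password-verified-but-rejected"
        else:
            verdict = "bad-password"
        results.append((user, verdict))
    return results

if __name__ == "__main__":
    for user, verdict in classify(SAMPLE_LOG):
        print(f"{user}: {verdict}")
```
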