
SSH/SFTP fails silently on OSX 10.8.2 - ssh-agent issue

I'm trying to log in to a remote machine with SSH or SFTP.



When I try `ssh u-indgo@ssh1.eu1.frbit.com` the CLI just won't respond. I get an empty new line, in which I can type characters, but nothing more.



When I try to connect with `SFTP` using the same credentials (I use `Transmit` as my SFTP client) it just hangs forever and doesn't connect.



No errors. No response.

The problem isn't specific to `frbit.com` and persists with other IPs as well.



Running with the -vv flag I got the following output:



debug1: Reading configuration data /Users/matanya/.ssh/config

debug1: Reading configuration data /usr/local/Cellar/openssh/6.1p1/etc/ssh_config

debug2: ssh_connect: needpriv 0

debug1: Connecting to ssh1.eu1.frbit.com [46.137.57.195] port 22.

debug2: fd 3 setting O_NONBLOCK

debug1: fd 3 clearing O_NONBLOCK

debug1: Connection established.

debug1: identity file /Users/matanya/.ssh/id_rsa type 1

debug1: identity file /Users/matanya/.ssh/id_rsa-cert type -1

debug1: identity file /Users/matanya/.ssh/id_dsa type 2

debug1: identity file /Users/matanya/.ssh/id_dsa-cert type -1

debug1: identity file /Users/matanya/.ssh/id_ecdsa type -1

debug1: identity file /Users/matanya/.ssh/id_ecdsa-cert type -1

debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1

debug1: match: OpenSSH_5.5p1 pat OpenSSH_5*

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.1

debug2: fd 3 setting O_NONBLOCK

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: mac_setup: found hmac-md5

debug1: kex: server->client aes128-ctr hmac-md5 none

debug2: mac_setup: found hmac-md5

debug1: kex: client->server aes128-ctr hmac-md5 none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug2: dh_gen_key: priv key bits set: 140/256

debug2: bits set: 543/1024

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Server host key: RSA 31:4c:71:e0:56:14:04:0d:c7:b2:6c:fc:8a:42:33:2e

debug1: Host 'ssh1.eu1.frbit.com' is known and matches the RSA host key.

debug1: Found key in /Users/matanya/.ssh/known_hosts:2

debug2: bits set: 513/1024

debug1: ssh_rsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received



UPDATE: Going through `system.log` I found the following:





Mar 6 10:28:17 matanyas-imac com.apple.launchd.peruser.501[235] (org.openbsd.ssh-agent[574]): Exited with code: 1

Mar 6 10:28:17 matanyas-imac com.apple.launchd.peruser.501[235] (org.openbsd.ssh-agent): Throttling respawn: Will start in 10 seconds

Mar 6 10:28:27 matanyas-imac com.apple.launchd.peruser.501[235] (org.openbsd.ssh-agent[575]): Exited with code: 1

Mar 6 10:28:27 matanyas-imac com.apple.launchd.peruser.501[235] (org.openbsd.ssh-agent): Throttling respawn: Will start in 10 seconds



What does `Code 1` stand for?



UPDATE: Following @Eir Nym's advice, I found the file that `launchd` has problems with at `System/Library/LaunchAgents/org.openbsd.ssh-agent.plist`:





<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">

<plist version="1.0">

<dict>

<key>Label</key>

<string>org.openbsd.ssh-agent</string>

<key>ProgramArguments</key>

<array>

<string>/usr/bin/ssh-agent</string>

<string>-l</string>

</array>

<key>ServiceIPC</key>

<true/>

<key>Sockets</key>

<dict>

<key>Listeners</key>

<dict>

<key>SecureSocketWithKey</key>

<string>SSH_AUTH_SOCK</string>

</dict>

</dict>

<key>EnableTransactions</key>

<true/>

</dict>

</plist>



When I run `/usr/bin/ssh-agent` I get:





SSH_AUTH_SOCK=/var/folders/pg/1g6_hnwx47bgqv5vcm1lq18h0000gn/T//ssh-01WuaHF32SlV/agent.2145; export SSH_AUTH_SOCK;

SSH_AGENT_PID=2146; export SSH_AGENT_PID;

echo Agent pid 2146;



As for the `-l` flag (`<string>-l</string>`), there is no such flag on my version of `ssh-agent`. It outputs:





ssh-agent: illegal option -- l



SSH version: OpenSSH_5.8p2, OpenSSL 0.9.8r 8 Feb 2011

iMac, OS X Mountain Lion (10.8.2)

Posted on Mar 8, 2013 3:02 AM


Mar 9, 2013 12:57 AM in response to Linc Davis

ls -Oaeln .ssh:


total 64

drwxrwxrwx 10 501 20 - 340 Mar 7 18:50 .

drwxr-xr-x+ 51 501 20 - 1734 Mar 8 20:49 ..

0: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C deny delete

-rw------- 1 501 20 - 1766 Jan 27 14:34 github_rsa

-rw-r--r-- 1 501 20 - 397 Jan 27 14:34 github_rsa.pub

-rw-r--r-- 1 501 20 - 611 Feb 23 15:07 id_dsa.pub

-rw------- 1 501 20 - 1675 Mar 1 17:24 id_rsa

-rw-r--r-- 1 501 20 - 403 Mar 1 17:24 id_rsa.pub

-rwxrwxrwx 1 501 20 - 1692 Mar 6 08:09 indgo.pem

-rw-r--r-- 1 501 20 - 1681 Mar 6 08:20 known_hosts

-rw-r--r-- 1 501 20 - 415 Feb 23 12:03 known_hosts.back


It may be worthwhile mentioning that ssh does work in the following scenarios:


a. If I switch user to root (su -) or even su matanya

b. If I run `unset SSH_AUTH_SOCK`

Mar 9, 2013 4:35 AM in response to matfish2

I think Linc has figured out your problem.


There are a handful of files and directories that must have restrictive permissions or ssh will not allow a connection.


The ssh man page lists all the files and required permissions.


Looking at your ls output I see the .ssh directory is too permissive. If that is wrong, even after recreating, then chances are other critical ssh files or directories are wrong. Read the ssh man page, find every file and directory mentioned and make sure their permissions are correct. Make sure to use the ls options Linc gave you.
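
The permission check suggested in the reply above, as an added example that is not part of the original thread: it flags a group- or world-writable `.ssh` directory, private key files carrying any group/other permission bit, and a `config` file that is writable by others or owned by someone other than the user or root. The function names, finding labels and sample directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit an .ssh directory for the permission problems
# discussed in this thread. Prints one finding per line, nothing if clean.

# Group+other permission string from ls -ld, e.g. "r-xr-x".
go_bits() { ls -ld "$1" | cut -c5-10; }
# Numeric owner uid, as in the thread's `ls -n` listings.
owner_uid() { ls -ldn "$1" | awk '{print $3}'; }

audit_ssh_dir() {
    dir=$1
    me=$(id -u)
    # The directory should not be writable by group or others.
    case $(go_bits "$dir") in *w*) echo "DIR_WRITABLE $dir" ;; esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        if grep -q 'PRIVATE KEY-----' "$f" 2>/dev/null; then
            # ssh refuses a private key with any group/other permission bit.
            [ "$(go_bits "$f")" = "------" ] || echo "KEY_EXPOSED $name"
        elif [ "$name" = config ]; then
            # config must not be group/other-writable; owner must be the user or root.
            case $(go_bits "$f") in *w*) echo "CONFIG_WRITABLE $name" ;; esac
            uid=$(owner_uid "$f")
            [ "$uid" = "$me" ] || [ "$uid" = 0 ] || echo "CONFIG_OWNER $name uid=$uid"
        fi
    done
}

# Constructed sample mirroring the first listing in the thread:
# directory 777, indgo.pem 777, id_rsa 600. Key contents are placeholders.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed placeholder' > "$d/id_rsa"
    cp "$d/id_rsa" "$d/indgo.pem"
    echo 'ssh-rsa constructed-placeholder' > "$d/id_rsa.pub"
    chmod 600 "$d/id_rsa"
    chmod 644 "$d/id_rsa.pub"
    chmod 777 "$d/indgo.pem" "$d"
    echo "$d"
}

sample=$(make_sample)
audit_ssh_dir "$sample"   # reports DIR_WRITABLE and KEY_EXPOSED indgo.pem
rm -rf "$sample"
```

Run `audit_ssh_dir "$HOME/.ssh"` against a real directory; a root-owned `config`, as in the later listing in this thread, is not reported because ssh accepts it.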

Mar 9, 2013 5:37 AM in response to BobHarris

@BobHarris, I'm pretty sure the problem is with my local ssh. When I try to ssh as root user, or even if I explicitly change to my own user (su matanya) it does work.


I've also reset my permission on both .ssh folder and the home folder, to deny write permission from others and group (chmod go-w) but the problem persists.


I think the key to the mystery lies in the system log:


Mar 6 10:28:27 matanyas-imac com.apple.launchd.peruser.501[235] (org.openbsd.ssh-agent[575]): Exited with code: 1

Mar 6 10:28:27 matanyas-imac com.apple.launchd.peruser.501[235] (org.openbsd.ssh-agent): Throttling respawn: Will start in 10 seconds


The same message would repeat itself infinitely until I reboot.

Mar 9, 2013 8:21 AM in response to matfish2

If it works with another user, but not your own, and not with your own user via non-traditional means, then it is probably your shell startup scripts.


Open a few terminal windows. Move aside your shell startup scripts. Open a new terminal window and try it again. Then find out what from your old startup scripts is causing the problem.

Mar 9, 2013 8:45 AM in response to Linc Davis

Here is the new output for ls -Oaeln .ssh:


total 72

drwxr-xr-x 11 501 20 - 374 Mar 9 15:34 .

drwxr-xr-x+ 51 501 20 - 1734 Mar 8 20:49 ..

0: ABCDEFAB-CDEF-ABCD-EFAB-CDEF0000000C deny delete

-rw-r--r-- 1 0 20 - 60 Mar 9 15:34 config

-rw------- 1 501 20 - 1766 Jan 27 14:34 github_rsa

-rw-r--r-- 1 501 20 - 397 Jan 27 14:34 github_rsa.pub

-rw-r--r-- 1 501 20 - 611 Feb 23 15:07 id_dsa.pub

-rw------- 1 501 20 - 1675 Mar 1 17:24 id_rsa

-rw-r--r-- 1 501 20 - 403 Mar 1 17:24 id_rsa.pub

-rwxr-xr-x 1 501 20 - 1692 Mar 6 08:09 indgo.pem

-rw-r--r-- 1 501 20 - 1681 Mar 6 08:20 known_hosts

-rw-r--r-- 1 501 20 - 415 Feb 23 12:03 known_hosts.back


How do I check if ssh-agent is running?

Mar 9, 2013 9:00 AM in response to etresoft

etresoft wrote:


If it works with another user, but not your own, and not with your own user via non-traditional means, then it is probably your shell startup scripts.

This isn't the case: It doesn't work with any user (root or matanya) until I explicitly switch user using `su -` or `su matanya`. Then it works for the account I switched to - be it root or matanya. Any transition works (i.e. root-root, root-matanya, matanya-root, matanya-matanya).


That is: the problem doesn't seem to be account-specific.
