SSH access denied by X Server 3.0.3

I have a Mac mini server that runs Mavericks 10.9.2 + X Server 3.0.3. The system is working on an FQDN to provide web site and webmail services for public access. DNS, Open Directory, and local network accounts were set up properly, so webmail and the web site are working on the internet.


I can access my X server from the intranet (LAN) by "ssh XX@myserver-ip" with all other local network user accounts except the git user account.


I have a git service running on my X Server to provide my R&D project repositories and some important internal business documents. I set up remote login properly on the X Server; last week the git account was working well, and I could push my projects to the server by using the SourceTree git client on my development iMac. Unfortunately, the git account does not work any more this week; I can't push my project updates to my remote X Server.


As I set up ssh in my SourceTree git client to talk to my X Server repository, I tried to connect to my X Server by running "ssh git@10.1.1.100", and I got this response:


MacBookUnibody:Applications cidylong$ ssh git@10.1.1.100

Password:

Password:

Password:

Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).


I tried running ssh with -vT.


MacBookUnibody:Applications cidylong$ ssh -vT git@10.1.1.100

OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011

debug1: Reading configuration data /etc/ssh_config

debug1: /etc/ssh_config line 20: Applying options for *

debug1: Connecting to 10.1.1.100 [10.1.1.100] port 22.

debug1: Connection established.

debug1: identity file /Users/cidylong/.ssh/id_rsa type 1

debug1: identity file /Users/cidylong/.ssh/id_rsa-cert type -1

debug1: identity file /Users/cidylong/.ssh/id_dsa type -1

debug1: identity file /Users/cidylong/.ssh/id_dsa-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.2

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.2

debug1: match: OpenSSH_6.2 pat OpenSSH*

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: kex: server->client aes128-ctr hmac-md5-etm@openssh.com none

debug1: kex: client->server aes128-ctr hmac-md5-etm@openssh.com none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

debug1: SSH2_MSG_KEX_DH_GEX_INIT sent

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

debug1: Server host key: RSA 04:38:a6:c8:f3:10:fd:4e:db:58:5c:b6:f8:4d:71:81

debug1: Host '10.1.1.100' is known and matches the RSA host key.

debug1: Found key in /Users/cidylong/.ssh/known_hosts:2

debug1: ssh_rsa_verify: signature correct

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive

debug1: Next authentication method: publickey

debug1: Offering RSA public key: /Users/cidylong/.ssh/id_rsa

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive

debug1: Trying private key: /Users/cidylong/.ssh/id_dsa

debug1: Next authentication method: keyboard-interactive

Password:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive

Password:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive

Password:

debug1: Authentications that can continue: publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive

debug1: No more authentication methods to try.

Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).


I tried regenerating my public key and adding it to the X Server with ssh-add to update the public key on the server, but nothing got better.


There is no .ssh/authorized_keys for the network account user, since the keychain is used in Mavericks instead.


I don't have any idea what I can do as the next step. If anyone has an idea, please point me in the right direction.


Please help!!

Mac mini, OS X Mavericks (10.9.1), X server 3.0.2's open directory iss

Posted on Mar 5, 2014 12:15 AM


Mar 5, 2014 2:52 AM in response to piero giobbi

Yeah. I did. OD is working well, and all other network user accounts are working properly, including mail and ssh login services from other Macs. Only the git user account does not work.


The only difference between the other users and git is: the git user has some project source kept in Xcode's git repositories on the same Mac mini X Server. So git needs to connect to the git repository services. Other users are using mail and the file sharing system.


I am very confused now. Everyone is talking about Mavericks putting the public key in the server user account's home folder, in .ssh/authorized_keys. But I found out there is no such folder in Mavericks 10.9.2 at all. It was handed over to the keychain to hold the public keys.


As my git user account was defined as a network user account, there is no local login UI provided to such a user; even to log in with the git account to access the git user's home directory, I have to use "su - git" from the terminal. I can't launch the Keychain Access UI application from the terminal, so it is very hard to find out what's wrong with the key, but it definitely seems something is wrong with the public key matching.


Thank you!

Mar 5, 2014 3:30 AM in response to piero giobbi

Probably it is a way to go, but I have quite a lot of services running now. I will look for a workaround to access my git repository first and wait for the X Server issue to be fixed.


I believe it is because X Server 3.0.3 is too new, and Apple didn't do enough testing. The bad thing is, there is not enough information to trace back. From my first post you can see,


debug1: ssh_rsa_verify: signature correct


Actually, it seems the key is correct. But somehow the ssh permission is still denied.

Mar 6, 2014 5:52 PM in response to Cidy Long

Update. I tried the following steps to fix this issue; maybe they will be helpful for someone else in the future who meets the same issue.


1. Unload ssh.plist from the running Mac OS X Mavericks 10.9.2 to stop the ssh service on the system.


sudo launchctl unload /Library/LaunchDaemons/ssh.plist


2. Start sshd in debug mode on Mac OS X Mavericks 10.9.2 with


sudo /usr/sbin/sshd -Dd


This mode shows lots of debug logs in the console, so we can see more of the ssh work status and steps.


3. Connect to the server from the client with


ssh -vT git@server-IP


Watch the server response: it shows the public key actually failed, then it tried Kerberos and failed again, and then it went to the keyboard-interactive password request.


The first try failed, and then I started again, went through the client process, used the same password, hooray!! Authentication success. That is what we need.


4. Stop sshd in debug mode and reload the plist in system services.


5. Try the client login again with ssh git@server-IP. Hooray!! It works.


Discussion: Maybe for some reason some file was accidentally locked by the system, but I don't know which file, and this exception was not caught by ssh and reported to the user, so the user doesn't know what's wrong at all. After the system ran in debug mode, ssh unlocked the locked file and the system went back to normal.


This may be helpful for someone who meets the same problem.
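
Added example (not part of the thread, and not Apple's or OpenSSH's code): this script reads client-side `ssh -v` output in the OpenSSH 6.2 format quoted in the first post and separates the host-key check made during key exchange from the user-authentication attempts that follow. The function name `summarize_auth` and the condensed sample are constructed for illustration.

```python
import re

CONT = ("debug1: Authentications that can continue: "
        "publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive")
# Constructed sample: the auth-relevant lines of the `ssh -vT` output in the first post.
SAMPLE = "\n".join([
    "debug1: Host '10.1.1.100' is known and matches the RSA host key.",
    "debug1: ssh_rsa_verify: signature correct",
    CONT,
    "debug1: Next authentication method: publickey",
    "debug1: Offering RSA public key: /Users/cidylong/.ssh/id_rsa",
    CONT,
    "debug1: Trying private key: /Users/cidylong/.ssh/id_dsa",
    "debug1: Next authentication method: keyboard-interactive",
    "Password:", CONT, "Password:", CONT, "Password:", CONT,
    "debug1: No more authentication methods to try.",
    "Permission denied (publickey,gssapi-keyex,gssapi-with-mic,keyboard-interactive).",
])

def summarize_auth(log):
    """Summarize an OpenSSH client -v log: host-key check, user-auth attempts, outcome."""
    out = {"host_key_ok": False, "attempts": [], "outcome": "unknown"}
    pending = None  # attempt sent to the server and still awaiting its verdict
    for raw in log.splitlines():
        line = raw.strip()
        if re.search(r"_verify: signature correct$", line):
            # Key-exchange stage: this checks the SERVER's host key signature;
            # it says nothing about whether the user's key was accepted.
            out["host_key_ok"] = True
        elif m := re.match(r"debug1: Offering (?:\S+ )?public key: (\S+)", line):
            pending = ("publickey", m.group(1))
        elif line.startswith("Password:"):
            pending = ("keyboard-interactive", "password prompt")
        elif line.startswith("debug1: Authentications that can continue:"):
            # Server's reply to a failed request (the first answers the "none" probe).
            if pending:
                out["attempts"].append(pending + ("rejected",))
                pending = None
        elif m := re.match(r"debug1: Authentication succeeded \((.+)\)", line):
            out["attempts"].append((pending or (m.group(1), "")) + ("accepted",))
            out["outcome"] = "authenticated via " + m.group(1)
            pending = None
        elif line.startswith("Permission denied"):
            out["outcome"] = "denied"
    return out

if __name__ == "__main__":
    print(summarize_auth(SAMPLE))
```

On the sample it reports the host key as verified, one rejected public key offer, three rejected password prompts, and a final denial; the server-side reason for each rejection only appears in the `sshd -Dd` output from step 2.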
