ctlow

Q: SSH Permissions

I know this has been done, but I can't find it either here or elsewhere.

I just reinstalled my SSH protocols after replacing a hard drive on the server and restoring (data only) from a Time Machine backup. I seemed to have to start the SSH process from scratch.

I have outlined the procedures (which I learned here) at ctlow.ca/SSH-VPN_MacOSX.html.

It worked, but when I log in from the client, it just goes through without asking for passwords. I think it asked for one password the first time, the private key(?) password, but it used to ask for that (in a little text box, echoed) every time, and then the server password(?) in Terminal itself, not echoed.

Now, neither of those are happening.

So, I found some notes I had made about this, and reset permissions to the .ssh folder as 700 and to the files inside it as 600, on both the server and the client.

It ends up looking like this:

 

ClientComputer:~ ClientID$ ls -ael .ssh
total 24
drwx------   5 ClientID  staff   170 11 Sep 15:24 .
drwxr-x-wx+ 24 ClientID  staff   816 13 Sep 08:26 ..
 0: group:everyone deny delete
-rw-------@  1 ClientID  staff    32 10 Feb  2012 config
-rw-------   1 ClientID  staff  1766 11 Sep 15:11 id_rsa
-rw-------   1 ClientID  staff   818 11 Sep 15:33 known_hosts

====

ServerComputer:~ ServerID$ ls -ael .ssh
total 16
drwx------   4 ServerID  staff  136 11 Sep 15:28 .
drwxr-xr-x@ 25 ServerID  staff  850 11 Sep 15:30 ..
 0: group:everyone deny delete
-rw-------   1 ServerID  staff  416 11 Sep 15:28 authorized_keys
-rw-------   1 ServerID  staff  391 11 Sep 15:26 known_hosts

 

I don't think that I'm particularly at risk, but I was happy with having to use two passwords to log into the SSH tunnel. Any idea why I'm being asked for no passwords now? (I did specify a password when generating the keys.)

Thank you.

Charles

P.S. The client is running 10.9, the server 10.11.

P.P.S. The info window for the client-user showed "shared folder" which I don't know how it got like that, and have unchecked the box. I doubt if that's related to my question.

iMac, OS X El Capitan (10.11.6)

Posted on Sep 16, 2016 2:11 PM
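
An added example, not part of the original post or thread: a POSIX shell audit of the checks the post describes (.ssh at 700, files inside at 600) that also reports whether a private key is stored without a passphrase and which keys ssh-agent currently holds, since a key already loaded in an agent is used without a passphrase prompt. The function names are illustrative and the directory to audit is passed as an argument.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are illustrative.

# Octal permission bits: GNU stat first, then BSD stat (macOS).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Succeeds if the private key opens with an EMPTY passphrase, i.e. it is
# stored unencrypted on disk. "ssh-keygen -y" only derives the public key;
# -P '' supplies the empty passphrase so nothing is prompted for.
key_is_unencrypted() {
    ssh-keygen -y -P '' -f "$1" </dev/null >/dev/null 2>&1
}

# Report every deviation from 700 (directory) / 600 (files) and every
# private key (id_* without .pub) that has no passphrase.
# Returns 0 when clean, 1 when anything was reported.
audit_ssh_dir() {
    dir=$1
    rc=0
    m=$(mode_of "$dir")
    if [ "$m" != 700 ]; then
        echo "WARN $dir is mode $m, expected 700"; rc=1
    fi
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        if [ "$m" != 600 ]; then
            echo "WARN $f is mode $m, expected 600"; rc=1
            continue    # ssh-keygen refuses keys with loose permissions
        fi
        case ${f##*/} in
            id_*.pub) ;;
            id_*) if key_is_unencrypted "$f"; then
                      echo "WARN $f has no passphrase"; rc=1
                  fi ;;
        esac
    done
    return $rc
}

# Usage: sh audit_ssh.sh ~/.ssh
if [ -n "${1:-}" ]; then
    audit_ssh_dir "$1" || echo "Findings above need attention."
    echo "Keys currently held by ssh-agent (used without a prompt):"
    ssh-add -l 2>/dev/null || echo "  none, or no agent reachable"
fi
```

Run it on both the client and the server; the passphrase check only applies where a private key exists, which in the listings above is the client.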

  • by etresoft,

    etresoft Sep 18, 2016 10:20 AM in response to ctlow
    Level 7 (29,320 points)
    Mac OS X

    The only post in that thread with any actual information is the one by Zacharias Beckman. What he reports sounds accurate. However, he is attributing some performance issues to FileVault and there is no evidence of that. Modern versions of OS X, in general, are just buggy and slow.

     

    I don't know what you are talking about in terms of "the keys" and I don't know what you mean by "password-protected User-folder". I know that FileVault provides good encryption so I'm comfortable recommending it. But I don't know if your "password-protected User-folder" provides any security of any kind.

  • by Loner T,

    Loner T Sep 18, 2016 1:24 PM in response to etresoft
    Level 7 (24,409 points)
    Safari

    etresoft wrote:

     

    I don't know what you are talking about in terms of "the keys" and I don't know what you mean by "password-protected User-folder". I know that FileVault provides good encryption so I'm comfortable recommending it. But I don't know if your "password-protected User-folder" provides any security of any kind.

    This is related to SSH keys and client/server authentication sub-discussion. 

  • by ctlow,

    ctlow Sep 18, 2016 6:18 PM in response to etresoft
    Level 1 (12 points)
    Mac OS X

    Yes, terminology; this isn't my area. By "the keys" I meant the private key in the .ssh hidden folder. It's about the only sensitive thing on my laptop. And by "password-protected User-folder" I meant that I have a password-protected account login, which also kicks in after the screensaver starts or the computer goes into sleep mode.

    Plus, as has been pointed out, if I lost my laptop computer (client) I could change the public key on the desktop computer (server).

    I also use a "Sparse Disk Image Bundle" or two instead of FileVault for the higher-sensitivity material. That has worked well although I seem to recall one crashing once, not from having forgotten the password, but retrieved it from a backup.

    Thanks most sincerely for all of your excellent advice and information.

    Charles

  • by etresoft,

    etresoft Sep 19, 2016 7:11 AM in response to ctlow
    Level 7 (29,320 points)
    Mac OS X

    Your login account is not password protected unless you used FileVault. That concept is a holdover from the world of networks where the server was under lock and key. It doesn't have any meaning in the modern world.

  • by ctlow,

    ctlow Sep 19, 2016 9:49 AM in response to etresoft
    Level 1 (12 points)
    Mac OS X

    Well, a friend forgot her login password on her Mac and I was able to get all her data back for her with no backups available. (I forget how I did it.) I'm guessing that you're referring to that kind of thing. Perhaps login passwords are meant to deter "honest thieves."

    So I'm not getting anyone here to back off about FileVault. I understand that. Thanks again.

  • by ctlow,

    ctlow Oct 7, 2016 7:11 AM in response to ctlow
    Level 1 (12 points)
    Mac OS X

    Follow-up to myself, just for thoroughness: sometimes, in no pattern which I can recognize, but I think sometimes when my "client" is connected to a new network, I get asked for my private-key password again. I never get asked for the server password to establish the tunnel. (Then connecting the services - File Sharing, Screen Sharing - they have their own passwords, of course.)

    Charles
