

Cannot ssh into root after upgrading to Sierra

I have searched online quite extensively and have not seen a similar situation. Hope it is not a stupid oversight in some settings.

 

I have 3 Mac minis. Two of them were upgraded to Sierra during an unrelated reboot. The 3rd one stays on El Capitan. So I have a nice mix to try various things.

 

After upgrading, ssh as root:

1. from any machine to El Capitan: root and administrator accounts both work fine.

2. from any machine to Sierra: ssh as root failed. ssh as administrator works.

I am sure the password is correct, since I can log in as root from the GUI. It is just ssh that is not working.


Wondering if anyone is seeing a similar issue and if there is any work-around/fix. Without that, I will have to disable auto update, revert back to El Capitan, and reinstall everything, which is such a hassle, with so many hours already spent on these machines.

 

 

Below is the debug output (from the same Sierra machine, as the administrator user ssh-ing into root).

===============================================================

brc-qa-mac2:bin brc-qa$ ssh -vvv root@1.1.1.12

OpenSSH_7.2p2, LibreSSL 2.4.1

debug1: Reading configuration data /etc/ssh/ssh_config

debug1: /etc/ssh/ssh_config line 20: Applying options for *

debug2: resolving "1.1.1.12" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to 1.1.1.12 [1.1.1.12] port 22.

debug1: Connection established.

debug1: key_load_public: No such file or directory

debug1: identity file /Users/brc-qa/.ssh/id_rsa type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/brc-qa/.ssh/id_rsa-cert type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/brc-qa/.ssh/id_dsa type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/brc-qa/.ssh/id_dsa-cert type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/brc-qa/.ssh/id_ecdsa type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/brc-qa/.ssh/id_ecdsa-cert type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/brc-qa/.ssh/id_ed25519 type -1

debug1: key_load_public: No such file or directory

debug1: identity file /Users/brc-qa/.ssh/id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.2

debug1: Remote protocol version 2.0, remote software version OpenSSH_7.2

debug1: match: OpenSSH_7.2 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to 1.1.1.12:22 as 'root'

debug3: hostkeys_foreach: reading file "/Users/brc-qa/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /Users/brc-qa/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 1.1.1.12

debug3: order_hostkeyalgs: prefer hostkeyalgs: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521

debug3: send packet: type 20

debug1: SSH2_MSG_KEXINIT sent

debug3: receive packet: type 20

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,ext-info-c

debug2: host key algorithms: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc,3des-cbc

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com,zlib

debug2: compression stoc: none,zlib@openssh.com,zlib

debug2: languages ctos:

debug2: languages stoc:

debug2: first_kex_follows 0

debug2: reserved 0

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: host key algorithms: ssh-rsa,rsa-sha2-512,rsa-sha2-256,ecdsa-sha2-nistp256,ssh-ed25519

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com

debug2: compression stoc: none,zlib@openssh.com

debug2: languages ctos:

debug2: languages stoc:

debug2: first_kex_follows 0

debug2: reserved 0

debug1: kex: algorithm: curve25519-sha256@libssh.org

debug1: kex: host key algorithm: ecdsa-sha2-nistp256

debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none

debug3: send packet: type 30

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug3: receive packet: type 31

debug1: Server host key: ecdsa-sha2-nistp256 SHA256:PNAQsDf/ZIgA9KlCM/SBExSaPQD1vKML2y0dhOdG2cg

debug3: hostkeys_foreach: reading file "/Users/brc-qa/.ssh/known_hosts"

debug3: record_hostkey: found key type ECDSA in file /Users/brc-qa/.ssh/known_hosts:1

debug3: load_hostkeys: loaded 1 keys from 1.1.1.12

debug1: Host '1.1.1.12' is known and matches the ECDSA host key.

debug1: Found key in /Users/brc-qa/.ssh/known_hosts:1

debug3: send packet: type 21

debug2: set_newkeys: mode 1

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug3: receive packet: type 21

debug2: set_newkeys: mode 0

debug1: rekey after 134217728 blocks

debug1: SSH2_MSG_NEWKEYS received

debug2: key: /Users/brc-qa/.ssh/id_rsa (0x0)

debug2: key: /Users/brc-qa/.ssh/id_dsa (0x0)

debug2: key: /Users/brc-qa/.ssh/id_ecdsa (0x0)

debug2: key: /Users/brc-qa/.ssh/id_ed25519 (0x0)

debug3: send packet: type 5

debug3: receive packet: type 7

debug1: SSH2_MSG_EXT_INFO received

debug1: kex_input_ext_info: server-sig-algs=<rsa-sha2-256,rsa-sha2-512>

debug3: receive packet: type 6

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug3: send packet: type 50

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug3: start over, passed a different list publickey,password,keyboard-interactive

debug3: preferred publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Trying private key: /Users/brc-qa/.ssh/id_rsa

debug3: no such identity: /Users/brc-qa/.ssh/id_rsa: No such file or directory

debug1: Trying private key: /Users/brc-qa/.ssh/id_dsa

debug3: no such identity: /Users/brc-qa/.ssh/id_dsa: No such file or directory

debug1: Trying private key: /Users/brc-qa/.ssh/id_ecdsa

debug3: no such identity: /Users/brc-qa/.ssh/id_ecdsa: No such file or directory

debug1: Trying private key: /Users/brc-qa/.ssh/id_ed25519

debug3: no such identity: /Users/brc-qa/.ssh/id_ed25519: No such file or directory

debug2: we did not send a packet, disable method

debug3: authmethod_lookup keyboard-interactive

debug3: remaining preferred: password

debug3: authmethod_is_enabled keyboard-interactive

debug1: Next authentication method: keyboard-interactive

debug2: userauth_kbdint

debug3: send packet: type 50

debug2: we sent a keyboard-interactive packet, wait for reply

debug3: receive packet: type 60

debug2: input_userauth_info_req

debug2: input_userauth_info_req: num_prompts 1

Password:

debug3: send packet: type 61

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug2: userauth_kbdint

debug3: send packet: type 50

debug2: we sent a keyboard-interactive packet, wait for reply

debug3: receive packet: type 60

debug2: input_userauth_info_req

debug2: input_userauth_info_req: num_prompts 1

Password:

debug3: send packet: type 61

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug2: userauth_kbdint

debug3: send packet: type 50

debug2: we sent a keyboard-interactive packet, wait for reply

debug3: receive packet: type 60

debug2: input_userauth_info_req

debug2: input_userauth_info_req: num_prompts 1

Password:

debug3: send packet: type 61

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug2: we did not send a packet, disable method

debug3: authmethod_lookup password

debug3: remaining preferred:

debug3: authmethod_is_enabled password

debug1: Next authentication method: password

root@1.1.1.12's password:

debug3: send packet: type 50

debug2: we sent a password packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password,keyboard-interactive

Permission denied, please try again.

root@1.1.1.12's password:

debug3: send packet: type 50

debug2: we sent a password packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password,keyboard-interactive

Permission denied, please try again.

root@1.1.1.12's password:

debug3: send packet: type 50

debug2: we sent a password packet, wait for reply

debug3: receive packet: type 51

debug1: Authentications that can continue: publickey,password,keyboard-interactive

debug2: we did not send a packet, disable method

debug1: No more authentication methods to try.

Permission denied (publickey,password,keyboard-interactive).


===========================================================

/var/log/system.log seems to have only one related line. It is printed when ssh fails on the last password try.


Oct 21 16:31:07 brc-qa-mac2 com.apple.xpc.launchd[1] (com.openssh.sshd.8CA46868-DDD8-4355-8F6D-D1F4916023EF[991]): Service exited with abnormal code: 255





On the Sierra system, check Applications -> Utilities -> Console -> search for 'sshd' (or look in /var/log/system.log).  There should be messages that give a clue about why the ssh login was rejected.

 

Check /etc/ssh/sshd_config and see if

PermitRootLogin no

is specified?

 

Have you considered using an ssh-keygen key in /var/root/.ssh/authorized_keys

You would create an ssh-keygen key under your own account.  Then you copy the contents of the ~/.ssh/*.pub file into the destination Mac's /var/root/.ssh/authorized_keys file.  You would then be able to login to the root account without needing a root password (much more secure).  Wash, Rinse, Repeat for each of your user accounts that want to ssh into root, and copy the *.pub contents into each of the individual Mac root accounts.
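A way to check the PermitRootLogin suggestion on each machine, as an added example (not Bob Harris's or Apple's code): a POSIX sh script that prints the PermitRootLogin value sshd will actually use from a given sshd_config, following the parsing rules sshd applies (first uncommented occurrence wins, keyword is case-insensitive, `Keyword=value` is accepted). It assumes OpenSSH 7.0 or later for the compiled-in default (the debug output above shows 7.2 on both ends) and does not model Match blocks.

```shell
#!/bin/sh
# Added example, not from the thread: report the PermitRootLogin setting sshd will
# actually use from an sshd_config file. sshd honours the FIRST uncommented
# occurrence of a keyword; a "#PermitRootLogin prohibit-password" line only
# documents the compiled-in default, which since OpenSSH 7.0 is prohibit-password:
# keys work for root, passwords are rejected. Assumption: Match blocks not modelled.

effective_permit_root_login() {
    # $1 = path to an sshd_config file; prints the lower-cased value
    awk -F '[ \t=]+' '
        { sub(/^[ \t]+/, "") }                         # drop indentation (re-splits $0)
        /^#/ || NF == 0 { next }                       # comments and blank lines
        tolower($1) == "match" { exit }                # global section ends here
        tolower($1) == "permitrootlogin" { print tolower($2); found = 1; exit }
        END { if (!found) print "prohibit-password" } # compiled-in default, OpenSSH >= 7.0
    ' "$1"
}

describe_root_login() {
    # Human-readable verdict for the sshd_config in $1
    case "$(effective_permit_root_login "$1")" in
        yes)                  echo "root may log in over ssh with a password" ;;
        prohibit-password|without-password)
                              echo "root may log in with a key only; passwords are rejected" ;;
        forced-commands-only) echo "root key-only, and only keys carrying a command= option" ;;
        no)                   echo "root login over ssh is disabled" ;;
        *)                    echo "unrecognised PermitRootLogin value" ;;
    esac
}

# Demo on two constructed configs: the Sierra default (what the question hits)
# and the same file after "PermitRootLogin yes" is added below the commented line.
tmp=$(mktemp -d)
printf '# Authentication:\n#PermitRootLogin prohibit-password\n' > "$tmp/sierra_default"
printf '# Authentication:\n#PermitRootLogin prohibit-password\nPermitRootLogin yes\n' > "$tmp/after_edit"
for f in "$tmp/sierra_default" "$tmp/after_edit"; do
    printf '%s: %s\n' "$(basename "$f")" "$(describe_root_login "$f")"
done
rm -rf "$tmp"
```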




And if /var/log/system.log is not giving you much 'sshd' information, then check if there is a /var/log/secure.log.

 

You should be able to increase the sshd logging on the Sierra system via

/etc/ssh/sshd_config

and add

LogLevel DEBUG3

I strongly suggest that after you are done, you disable the LogLevel value.  I've had issues on Linux systems leaving LogLevel enabled, but it can be very helpful figuring out why sshd is rejecting your login.



Changing PermitRootLogin to yes made the difference!

 

Thanks, @BobHarris!!!



Note, you should really consider disabling the 'root' password, and switching over to ssh-keygen keys.  It is far more secure, as 'root' is a known account and it makes it much easier for a "Script Kiddie" to repeatedly probe or guess the password.

 

Google "Mac passwordless ssh" and you will find lots of examples.
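The key-based setup recommended here and in the earlier /var/root/.ssh/authorized_keys reply, as an added example (not from the thread): a POSIX sh function that installs one public-key line into a given home directory's authorized_keys with the permissions sshd's StrictModes requires, refuses anything that is not a public-key line, and skips keys already present so it can be repeated per user and per Mac. The home directory and key line are parameters; the demo key is a constructed placeholder.

```shell
#!/bin/sh
# Added example, not from the thread: install one public-key line into
# <home>/.ssh/authorized_keys with the 700/600 modes sshd's StrictModes expects,
# skipping the line if it is already there. root's home on macOS is /var/root:
#   install_authorized_key /var/root "$(cat ~/.ssh/id_ed25519.pub)"
# The key used in the demo below is a constructed placeholder, not a real key.

install_authorized_key() {
    home="$1"; key="$2"
    dir="$home/.ssh"; file="$dir/authorized_keys"
    # Accept only "<keytype> <base64> [comment]"; anything else (stray output,
    # a private key pasted by mistake) is refused before the file is touched.
    case "$key" in
        "ssh-ed25519 "*|"ssh-rsa "*|"ecdsa-sha2-nistp256 "*|"ecdsa-sha2-nistp384 "*|"ecdsa-sha2-nistp521 "*) ;;
        *) echo "refusing: not a public key line" >&2; return 2 ;;
    esac
    mkdir -p "$dir" && chmod 700 "$dir" || return 1
    [ -f "$file" ] || : > "$file"
    chmod 600 "$file" || return 1
    # Whole-line fixed-string match: a different comment counts as a different entry
    if grep -qxF -- "$key" "$file"; then
        echo "already present"
    else
        printf '%s\n' "$key" >> "$file" && echo "installed"
    fi
}

authorized_key_count() {
    # Lines sshd will consider: everything except blanks and '#' comments
    file="$1/.ssh/authorized_keys"
    [ -f "$file" ] || { echo 0; return; }
    grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$file" || true
}

perms_ok() {
    # StrictModes (on by default) ignores an authorized_keys that is group/world
    # writable; confirm the directory is exactly 700 and the file exactly 600.
    [ -n "$(find "$1/.ssh" -prune -perm 700)" ] &&
    [ -n "$(find "$1/.ssh/authorized_keys" -prune -perm 600)" ]
}

# Demo on a throwaway home directory instead of /var/root
demo_home=$(mktemp -d)
install_authorized_key "$demo_home" "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIConstructedPlaceholderKeyNotRealAAAAAAAAAAA tester@example"
perms_ok "$demo_home" && echo "permissions ok, $(authorized_key_count "$demo_home") key(s) installed"
rm -rf "$demo_home"
```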



Firstly, enable the root account and give it a password.

 

You can't ssh in as root because it's not enabled in the ssh config.

 

Edit /etc/ssh/sshd_config (with nano, if you like).

 

Look for

# Authentication:

and an entry below that looks like:

#PermitRootLogin prohibit-password

Just below it, add the following line:

 

PermitRootLogin yes

 

Save your changes. No need to restart sshd; launchd reloads for new incoming connections. You should be able to ssh in as root now. Works on High Sierra too.



Last updated: 2017-10-14 06:46:25
