How to Set Up SSH to Access Local Machine Remotely

ssh

I need to be able to ssh back to my localhost, samwise.local in my case, but ssh on Mojave will only let me do this if I authorise by password and I need passwordless login. I've set ssh keys via ssh-keygen, then copied them using ssh-copy-id flink@samwise.local but to no effect, ssh keeps on demanding my login password.

The terminal session is below, including ssh -v output at the end

Last login: Fri Jan 25 11:17:19 from 192.168.1.28 
samwise:~ flink$ rm -rf .ssh 
samwise:~ flink$ ssh-keygen  
Generating public/private rsa key pair. 
Enter file in which to save the key (/Users/flink/.ssh/id_rsa):  
Created directory '/Users/flink/.ssh'. 
Enter passphrase (empty for no passphrase):  
Enter same passphrase again:  
Your identification has been saved in /Users/flink/.ssh/id_rsa. 
Your public key has been saved in /Users/flink/.ssh/id_rsa.pub. 
The key fingerprint is: 
SHA256:zyyv6N+5GKoTwCcWuVxr31XDye5QMcSgMr0Yt7TbnS8 flink@samwise.local 
The key's randomart image is: 
+---[RSA 2048]----+ 
|   .      .*+o   | 
|  o .  . .  O.   | 
| o + .+ =  + .   | 
|  B +  B +o .    | 
| . = ...S. o     | 
|    . . .* ...   |
|     .  + = o    | 
|    .  o * .E.   | 
|    .++.+.=. ..  | 
+----[SHA256]-----+ 
samwise:~ flink$ ls -la .ssh/ 
total 16 
drwx------   4 flink  staff   128 25 Jan 11:18 . 
drwxrwxrwx+ 30 flink  staff   960 25 Jan 11:18 .. 
-rw-------   1 flink  staff  1831 25 Jan 11:18 id_rsa 
-rw-r--r--   1 flink  staff   401 25 Jan 11:18 id_rsa.pub 
samwise:~ flink$ ssh flink@samwise.local 
The authenticity of host 'samwise.local (192.168.1.28)' can't be established. 
ECDSA key fingerprint is SHA256:gHEngv0Vn4P/2DjF3soDQRltzuFhgsHCvY8s9UOszYc. 
Are you sure you want to continue connecting (yes/no)? yes 
Warning: Permanently added 'samwise.local,192.168.1.28' (ECDSA) to the list of known hosts. 
Password: 
Last login: Fri Jan 25 11:18:09 2019 
samwise:~ flink$ exit 
logout 
Connection to samwise.local closed. 
samwise:~ flink$ ssh-copy-id flink@samwise.local 
/usr/bin/ssh-copy-id: INFO: Source of key(s) to be installed: "/Users/flink/.ssh/id_rsa.pub" 
/usr/bin/ssh-copy-id: INFO: attempting to log in with the new key(s), to filter out any that are already installed 
/usr/bin/ssh-copy-id: INFO: 1 key(s) remain to be installed -- if you are prompted now it is to install the new keys 
Password: 

Number of key(s) added:        1 

Now try logging into the machine, with:   "ssh 'flink@samwise.local'" 
and check to make sure that only the key(s) you wanted were added. 

samwise:~ flink$ ls -la .ssh/ 
total 32 <br>
drwx------   6 flink  staff   192 25 Jan 11:19 . 
drwxrwxrwx+ 30 flink  staff   960 25 Jan 11:18 .. 
-rw-------   1 flink  staff   401 25 Jan 11:19 authorized_keys 
-rw-------   1 flink  staff  1831 25 Jan 11:18 id_rsa 
-rw-r--r--   1 flink  staff   401 25 Jan 11:18 id_rsa.pub 
-rw-r--r--   1 flink  staff   188 25 Jan 11:19 known_hosts 
samwise:~ flink$ cat .ssh/authorized_keys  
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN07+JChrArXS2AjC547sG9sWw6vb1C3P7tXICzpZ96iJT4xyfe8bovUOHw5G9FHJ8gte2JrXQcQSUu9RCaoLTQLvRckI21l7JH7zCL28g+3Tp3V+5F9LFME5lCYnLoTmTW8pHZHtMh9BtbK/YWlwS3gAq39w1LfPr8rNJCEkmysL40DFvn7qFEQT+M/IXSgQn7ceeAl6zHe5ngGdJHiwHap6Y7qcxdwJXK9fcuYZ2GgzAKxetEIyYlrCU7TLdmkLSmEkSlLgVjRq60bFynimmRQfFeKgzgGUXQBZSzjxWl5V4Qu6GY3PkZvmMbekB0KJN6qftrhNd6G7s7Q5b2mWt flink@samwise.local 
samwise:~ flink$ cat .ssh/known_hosts  
samwise.local,192.168.1.28 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBDhhA65O8M2Z7h9f+7vrkUN8FRUn1vYanj/QLJIAYbQ+2cWICitc6KAyQ+/mZgHmoD2GpqAXK/ID/pRM4w6zdzc= 
samwise:~ flink$ cat .ssh/id_rsa.pub  
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDN07+JChrArXS2AjC547sG9sWw6vb1C3P7tXICzpZ96iJT4xyfe8bovUOHw5G9FHJ8gte2JrXQcQSUu9RCaoLTQLvRckI21l7JH7zCL28g+3Tp3V+5F9LFME5lCYnLoTmTW8pHZHtMh9BtbK/YWlwS3gAq39w1LfPr8rNJCEkmysL40DFvn7qFEQT+M/IXSgQn7ceeAl6zHe5ngGdJHiwHap6Y7qcxdwJXK9fcuYZ2GgzAKxetEIyYlrCU7TLdmkLSmEkSlLgVjRq60bFynimmRQfFeKgzgGUXQBZSzjxWl5V4Qu6GY3PkZvmMbekB0KJN6qftrhNd6G7s7Q5b2mWt flink@samwise.local 
samwise:~ flink$ ssh flink@samwise.local 
Password: 
Last login: Fri Jan 25 11:19:04 2019 from 192.168.1.28 
samwise:~ flink$ exit 
logout
Connection to samwise.local closed. 
samwise:~ flink$ ssh -v flink@samwise.local 
OpenSSH_7.9p1, OpenSSL 1.0.2q  20 Nov 2018 
debug1: Reading configuration data /usr/local/etc/ssh/ssh_config 
debug1: Connecting to samwise.local [192.168.1.28] port 22. 
debug1: Connection established. 
debug1: identity file /Users/flink/.ssh/id_rsa type 0 
debug1: identity file /Users/flink/.ssh/id_rsa-cert type -1 
debug1: identity file /Users/flink/.ssh/id_dsa type -1 
debug1: identity file /Users/flink/.ssh/id_dsa-cert type -1 
debug1: identity file /Users/flink/.ssh/id_ecdsa type -1 
debug1: identity file /Users/flink/.ssh/id_ecdsa-cert type -1 
debug1: identity file /Users/flink/.ssh/id_ed25519 type -1 
debug1: identity file /Users/flink/.ssh/id_ed25519-cert type -1 
debug1: identity file /Users/flink/.ssh/id_xmss type -1 
debug1: identity file /Users/flink/.ssh/id_xmss-cert type -1 
debug1: Local version string SSH-2.0-OpenSSH_7.9 
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.9 
debug1: match: OpenSSH_7.9 pat OpenSSH* compat 0x04000000 
debug1: Authenticating to samwise.local:22 as 'flink' 
debug1: SSH2_MSG_KEXINIT sent 
debug1: SSH2_MSG_KEXINIT received 
debug1: kex: algorithm: curve25519-sha256 
debug1: kex: host key algorithm: ecdsa-sha2-nistp256 
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none 
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none 
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY 
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:gHEngv0Vn4P/2DjF3soDQRltzuFhgsHCvY8s9UOszYc 
debug1: Host 'samwise.local' is known and matches the ECDSA host key. 
debug1: Found key in /Users/flink/.ssh/known_hosts:1 
debug1: rekey after 134217728 blocks 
debug1: SSH2_MSG_NEWKEYS sent 
debug1: expecting SSH2_MSG_NEWKEYS 
debug1: SSH2_MSG_NEWKEYS received 
debug1: rekey after 134217728 blocks 
debug1: Will attempt key: /Users/flink/.ssh/id_rsa RSA SHA256:zyyv6N+5GKoTwCcWuVxr31XDye5QMcSgMr0Yt7TbnS8 
debug1: Will attempt key: /Users/flink/.ssh/id_dsa  
debug1: Will attempt key: /Users/flink/.ssh/id_ecdsa  
debug1: Will attempt key: /Users/flink/.ssh/id_ed25519  
debug1: Will attempt key: /Users/flink/.ssh/id_xmss  
debug1: SSH2_MSG_EXT_INFO received 
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521> 
debug1: SSH2_MSG_SERVICE_ACCEPT received 
debug1: Authentications that can continue: publickey,password,keyboard-interactive 
debug1: Next authentication method: publickey 
debug1: Offering public key: /Users/flink/.ssh/id_rsa RSA SHA256:zyyv6N+5GKoTwCcWuVxr31XDye5QMcSgMr0Yt7TbnS8 
debug1: Authentications that can continue: publickey,password,keyboard-interactive 
debug1: Trying private key: /Users/flink/.ssh/id_dsa 
debug1: Trying private key: /Users/flink/.ssh/id_ecdsa 
debug1: Trying private key: /Users/flink/.ssh/id_ed25519 
debug1: Trying private key: /Users/flink/.ssh/id_xmss 
debug1: Next authentication method: keyboard-interactive 
Password: 
debug1: Authentication succeeded (keyboard-interactive). 
Authenticated to samwise.local ([192.168.1.28]:22). 
debug1: channel 0: new [client-session] 
debug1: Requesting no-more-sessions@openssh.com 
debug1: Entering interactive session. 
debug1: pledge: network 
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0 
debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /Users/flink 
Last login: Fri Jan 25 11:20:57 2019 from 192.168.1.28 
samwise:~ flink$ exit 
logout 
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0 
debug1: channel 0: free: client-session, nchannels 1 
Connection to samwise.local closed. 
Transferred: sent 2700, received 2800 bytes, in 3.0 seconds 
Bytes per second: sent 902.8, received 936.2 
debug1: Exit status 1 
samwise:~ flink$

Best Answer

This looks like it might be your problem:

debug1: Remote: Ignored authorized keys: bad ownership or modes for directory /Users/flink

Your home directory seems to be world writeable (and the .. line from your ls -l .ssh command supports this). That's no good, because it means any user on the computer can replace your .ssh directory, and thus your authorized_keys file.

Related Solutions

Changing Terminal colors when ssh-ing into remote machine and back

I'm using the following.

Have a shell command, called myssh, with content:

PROFILE="$1";shift;
DEF="Basic" #the default profile name
echo "tell app \"Terminal\" to set current settings of first window to settings set \"${PROFILE}\""|osascript
ssh $@
echo "tell app \"Terminal\" to set current settings of first window to settings set \"${DEF}\""|osascript

and use bash aliases for the connect, like:

alias ssweb='myssh Homebrew user@web.example.com'
alias ssmail='myssh Ocean me@mail.example.com'

When I want to ssh into the web server, I simply write ssweb in the Terminal and I got the "Homebrew" profile. When the ssh session ends, the AppleScript sets back to the "Basic".

The aliases should go into your $HOME/.profile or similar bash-startup file.

The "Homebrew", "Ocean" etc. are the setting profiles from the Terminal.app preferences. You can also set up different fonts, encodings, etc.

Of course, you can use it directly (without aliases) like:

myssh Pro user@another.machine.example.com
       ^        ^
       |        ssh command arguments
       terminal profile name

MacOS – Mac OS X Lion and sshpass

You should first file a complaint with the server's administration, observing that public key authentication is vastly more secure than simply a password, but I'll assume you've already done so, and your admins are simply idiots.

Apple sadly removed ssh-askpass when they integrated its functionality into ssh, scp, and ssh-add. There is however an SSHKeychain package that provides an ssh-askpass with an Apple-like Cocoa password prompt for macports' openssh package. It should fix your problems the way you want, perhaps even setting the SSH_ASKPASS variable for you.

Just fyi, I'd usually recommend against installing the openssh macports package itself because it break your Apple password prompt, but once you've installed SSHKeychain macports usually offers a more recent openssh than Apple.

There is nothing wrong imho with embedding passwords in scripts when the server disables public key authentication, i.e. if they cared about security, they should reenable public keys. There are even servers that intentionally break sshpass. You could access such machines using the following expect script :

#!/usr/bin/expect -f
set timeout -1
set send_human {.05 0.1 1 .07 1.5}
eval spawn $argv
match_max 100000
expect {
   -re "USERNAME@(\[0-9A-Za-z_\\-\\.\]+)'s password: "
     { sleep 0.1 ; send -- "PASSWORD\r" ; sleep 0.3 }
}
interact

You may speed up this script by reducing the sleeps and send_human delays.

Best Answer

Related Solutions

Changing Terminal colors when ssh-ing into remote machine and back

MacOS – Mac OS X Lion and sshpass

Related Question