MacOS – How to change Security Policy for a non-app program (ssh)

Tags: gatekeeper, macos, ssh

GateKeeper seems to have started blocking aspects of ssh… Can I edit the System Policy database (/var/db/SystemPolicy) to allow ssh to run properly?

This started happening (a few days) after I created an ~/.ssh/id_rsa file. It seems ssh hangs when trying to parse this file. It has permissions of 600, and is owned by my uid.

$ ssh -v <user>@<host>
....
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: ~/.ssh/id_rsa
debug1: key_parse_private_pem: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>

Here, ssh hangs, and I get the following in /var/log/system.log

coreservicesd[30]: Application App:"SecurityAgent" [ 0x0/0x864363b]  @ 0x0x7fb6fb012670 tried to be brought forward, but isn't in fPermittedFrontASNs ( ( ASN:0x0-0x1001:) ), so denying.
WindowServer[120]: [cps/setfront] Failed setting the front application to SecurityAgent, psn 0x0-0x864363b, securitySessionID=0x186a4, err=-13066
com.apple.SecurityServer[15]: Engine::authorize: Rule::evaluate returned 4294907288 returning errAuthorizationInternal

If I run spctl --master-disable, then ssh works as expected, but obviously my security settings are diminished. Any idea how I can get ssh to work without disabling GateKeeper entirely?

UPDATE:

The spctl --master-disable trick doesn't work for me any more 🙁
Since asking the question, I have updated to OSX 10.8.1. Not sure if that's related, but I can't think of anything else that would affect the ssh security policy.
So now, I can't commit anything to github!! :@
Help!?

UPDATE 2:

For some reason unbeknown to me, ssh and git would ask me for the id_rsa password (and then actually authenticate / connect) if I was in a fresh terminal session. I use tmux (like screen, which comes pre-installed on OSX, but I prefer tmux), in which I keep my bash sessions open for days, or weeks at a time. In an old tmux shell, I get the errors as described above, but in a fresh bash session, there are no error messages, and everything works as expected, even with spctl --master-enable.

Anyone know why this is, or how to re-authenticate a shell?

Best Answer

Check .ssh/id_rsa and make sure you still have these lines on top and bottom:

-----BEGIN RSA PRIVATE KEY-----
-----END RSA PRIVATE KEY-----

They are crucial to the functionality of the SSH PubKeyAuth setup. Looking at the output from your debug, it appears that SSH is complaining about not knowing what type of key it is, which is defined by the first line. Likewise, after considering this, I removed the first line from my own private key, and SSH suddenly started bugging me to enter my passphrase for the key.

If this solution doesn't work, I'm afraid your only option will most likely be to re-generate your key pair.
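The check the answer describes, as an added example that is not part of the original answer: it inspects a PEM private key file for the BEGIN/END header and footer lines, a base64 body, and the 0600 permissions the question mentions, reporting anything that would make ssh fail before it ever reaches the passphrase prompt. The key contents below are constructed placeholders, not real key material; the function and sample names are my own.

```python
import base64, os, re, stat, tempfile

PEM_BEGIN = re.compile(r"^-----BEGIN ([A-Z ]+PRIVATE KEY)-----$")
PEM_END = re.compile(r"^-----END ([A-Z ]+PRIVATE KEY)-----$")
PEM_HDR = re.compile(r"^[A-Za-z-]+: ")  # Proc-Type:/DEK-Info: lines on passphrase-protected keys

# Constructed samples (not real key material): one well-formed, one missing the BEGIN line.
FAKE_BODY = base64.b64encode(b"constructed placeholder body, not a real key").decode()
GOOD_KEY = f"-----BEGIN RSA PRIVATE KEY-----\n{FAKE_BODY}\n-----END RSA PRIVATE KEY-----\n"
HEADERLESS_KEY = f"{FAKE_BODY}\n-----END RSA PRIVATE KEY-----\n"

def check_private_key(path):
    """Return a list of problems with the PEM key at `path`; an empty list means it looks sane."""
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):  # ssh refuses keys readable by group/other
        problems.append(f"permissions are {mode:04o}; ssh expects 0600")
    with open(path, "rb") as fh:
        text = fh.read().decode("ascii", errors="replace")
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return problems + ["file is empty"]
    begin, end = PEM_BEGIN.match(lines[0]), PEM_END.match(lines[-1])
    if not begin:  # this is what 'PEM_read_PrivateKey failed' / 'type <unknown>' points at
        problems.append("first line is not a '-----BEGIN ... PRIVATE KEY-----' header")
    if not end:
        problems.append("last line is not a '-----END ... PRIVATE KEY-----' footer")
    if begin and end and begin.group(1) != end.group(1):
        problems.append("BEGIN and END labels do not match")
    start, stop = (1 if begin else 0), (len(lines) - 1 if end else len(lines))
    body = [ln for ln in lines[start:stop] if not PEM_HDR.match(ln)]
    try:
        if not base64.b64decode("".join(body), validate=True):
            problems.append("key body is empty")
    except ValueError:  # binascii.Error is a ValueError
        problems.append("key body is not valid base64")
    return problems

def check_sample(text, mode=0o600):
    """Write `text` to a temporary file with `mode`, check it, and clean up (for the samples above)."""
    fd, path = tempfile.mkstemp()
    try:
        os.write(fd, text.encode())
        os.close(fd)
        os.chmod(path, mode)
        return check_private_key(path)
    finally:
        os.unlink(path)
```

To check a real key, call check_private_key(os.path.expanduser("~/.ssh/id_rsa")) and regenerate the pair if anything other than the permissions is reported.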