# SSH login



## googolplex (May 6, 2002)

How can I set up SSH so that I can log in when my Mac is just at the login screen and not running in a certain user? Does it work that way by default?

Also, are there any clients for Windows that let you log in to SSH?

I want this so I can do stuff on my Mac from school on PCs and bypass the school's port-blocking onto IRC. BTW, what port does SSH use?


----------



## BSDimwit (May 6, 2002)

So long as you have remote access enabled in the Sharing section of your System Preferences, you should be able to ssh into your Mac.

As for the Windows SSH clients... there are tons of them... Take a look at www.tucows.com and find one that looks appealing to you...

Personally, I use a program called PuTTY. It's pretty small, has every bell and whistle that most folks would need, and it's pretty fast. All in all, I would recommend it.

SSH is on port 22
Telnet is on port 23

Good luck


----------



## Koelling (May 6, 2002)

BSDimwit said you can, and I'm sure he knows what he is talking about. What you need is for sshd (the SSH daemon) to be running. I personally thought that when you logged out it would quit this, because it quits all other applications, but perhaps the Unix core still runs. If I get a chance to do some testing on this I'll let you know.


----------



## googolplex (May 6, 2002)

So what do I have to do to get it running on my iBook?


----------



## scruffy (May 6, 2002)

> _Originally posted by testuser _
> *All system daemons are run as root.  They continue to function without interruption during user logins and logouts.*



One little quibble - actually, many daemons run as special 'nobody'-type users with extremely limited permissions. The idea is that if someone exploits a bug in the server, the damage they could do is limited to what the daemon user could do.

For example, Apache runs as the user www, and the Postfix mail daemons run as the user postfix.


----------



## scruffy (May 6, 2002)

Do you mean, so you could login to your iBook from away, or so you could log into a desktop Mac from your iBook which you're lugging around?

Anyway, on the server machine:
In System Preferences > Sharing > "Application" tab, check 'Allow remote login'.

On the client machine, if it's a Mac, nothing; if it's a PC, get an SSH client.


----------



## scruffy (May 7, 2002)

_all the processes that I have mentioned are indeed launched from root_

Hmm, that's interesting. I hadn't realized that an httpd process is run as root. Interestingly though, as soon as I turn on Web Sharing (without even connecting once), it looks like this:

```
: 1 23:09; ps auxc | grep http
root    22770   0.0  0.3     2436   1016  ??  Ss     0:00.08 httpd
www     22771   0.0  0.1     2436    272  ??  S      0:00.01 httpd
```

And, it seems _both_ are listening on port 80 (I didn't even realize that was possible).

```
: 0 23:09; sudo lsof | grep httpd | grep 80
httpd     22770    root   16u   inet 0x0183b4cc        0t0      TCP *:80 (LISTEN)
httpd     22771     www   16u   inet 0x0183b4cc        0t0      TCP *:80 (LISTEN)
```

Anyway, OS X has a "daemon" user by default, I'd be surprised if it's not used by some daemon processes.  Perhaps I'm just in for a surprise ;-}

edit: silly mark, it's BB, not HTML


----------



## blb (May 7, 2002)

One httpd will be running as root; as on all Unix-like systems, you need root to use a port under 1024. If you set Apache to listen on a larger port (say, 8080), then you can keep it from running anything as root, but that shouldn't be necessary.

ftpd will be root until a user logs in, then it should change to that user.


----------



## lethe (May 7, 2002)

Yeah, this is true for any UNIX. If a daemon wants to listen on a port lower than 1024, it must be root.


----------



## BSDimwit (May 7, 2002)

Go to your System Preferences... once in there, click the Sharing icon. Once that opens, there are several tabs at the top... not sure which one this is under, as I am on a PC at the moment, but under one of them is a check box that will enable remote access. From there, you should be able to make it work...

Once you turn it on, get on another machine with an SSH client on it and do your stuff...


----------



## blb (May 7, 2002)

> _Originally posted by testuser _
> *...How does an app do this? ...similar to a user doing a "su"? I assume it can only go from:
> root -> any user
> without authentication, and not the other way around:
> ...*


This is actually pretty common for security reasons; the app usually calls setuid() (man page is available).  But yes, only root-owned processes can do it, otherwise that would pretty much kill the concept of security.
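
The bind-as-root-then-drop sequence described in this post (and in blb's earlier point that only root can bind a port below 1024), as an added example; this is not code from the thread. It uses Python's `os` wrappers around the same `setgroups()`/`setgid()`/`setuid()` system calls a C daemon makes. The target uid/gid 65534, the loopback bind address, and the function names are assumptions for the example.

```python
"""Bind a privileged port as root, then drop to an unprivileged identity.

Added example, not code from the thread. It mirrors what the posts describe
for httpd and sshd: only root may bind a port below 1024, so the daemon
starts as root, binds, and then calls setgid()/setuid() (here via the os
module's thin wrappers around the same system calls) so that the code that
talks to the network runs with limited permissions.
"""
import os
import socket

PRIVILEGED_PORT_LIMIT = 1024   # ports 1-1023 need euid 0 on Unix-like systems
UNPRIVILEGED_UID = 65534       # assumption: 'nobody' on many systems; use a real
UNPRIVILEGED_GID = 65534       # service account (www, postfix, ...) in practice


def needs_root(port):
    """True if binding `port` requires root (the classic below-1024 rule)."""
    return 0 < port < PRIVILEGED_PORT_LIMIT


def open_listener(port, host="127.0.0.1"):
    """Bind and listen; on a privileged port this raises PermissionError
    (EACCES) unless the caller is root. Do this BEFORE dropping privileges."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(5)
    return srv


def drop_privileges(uid, gid):
    """Switch to uid/gid irreversibly and verify root cannot be regained.

    Order matters: clear supplementary groups and set the gid while still
    root (neither can be changed afterwards), then set the uid last.
    Returns True only if a subsequent setuid(0) is refused.
    """
    if uid == 0:
        raise ValueError("refusing to 'drop' to uid 0")
    if os.geteuid() == 0:
        os.setgroups([])        # root-only call; leftover groups keep privilege
    os.setgid(gid)
    os.setuid(uid)
    try:
        os.setuid(0)            # must fail: a real drop is one-way
    except PermissionError:
        return os.getuid() == uid and os.getgid() == gid
    return False                # got root back, so nothing was dropped


def unprivileged_target():
    """Identity to drop to: the fixed service account when running as root,
    otherwise the current ids (setuid() to your own uid is always allowed),
    so the sequence can be exercised without root."""
    if os.geteuid() == 0:
        return UNPRIVILEGED_UID, UNPRIVILEGED_GID
    return os.getuid(), os.getgid()


if __name__ == "__main__":
    for port in (80, 8080):
        print("port %d needs root: %s" % (port, needs_root(port)))
    try:
        srv = open_listener(80)
        print("bound 127.0.0.1:80 as root; dropping privileges before serving")
        srv.close()
    except PermissionError as exc:
        print("bind to :80 refused, not root:", exc)
    uid, gid = unprivileged_target()
    print("dropped to uid=%d gid=%d: %s" % (uid, gid, drop_privileges(uid, gid)))
```

Apache keeps its root parent around (so it can re-bind the port and spawn fresh workers) and forks the children that handle requests as www, which is what the two-line `ps` output above shows; a single-process daemon like this one drops root entirely. Either way, the check that matters is the one at the end of `drop_privileges`: a process that can still `setuid(0)` has not dropped anything.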


----------



## Gwailo (May 18, 2002)

> _Originally posted by testuser _
> *All system daemons are run as root.  They continue to function without interruption during user logins and logouts.
>
> This is why you do not need to be logged in to run:
> ...*



Took the words right out of my mouth... 

If you boot to `>console` in Other Users at the login screen, you can see all the processes that are running with `top`.


----------



## chenly (May 18, 2002)

> _Originally posted by BSDimwit _
> *Go to your System Preferences... once in there, click the Sharing icon. Once that opens, there are several tabs at the top... not sure which one this is under, as I am on a PC at the moment, but under one of them is a check box that will enable remote access. From there, you should be able to make it work...
>
> Once you turn it on, get on another machine with an SSH client on it and do your stuff...*



Additional information: the "Allow remote login" checkbox which appears in the "Applications" tab of the Sharing pane in System Preferences turns on SSH in OS X 10.0.4 and later; prior to that, it enabled telnet. For security reasons, Apple made this change. Telnet is still available, but needs to be enabled via the CLI. Prior to OS 10.1, the System Preferences Sharing pane was not divided between "File & Web" and "Application" tabs as it is now, but the checkbox is still there and labeled in the same way.


----------



## lethe (May 19, 2002)

> _Originally posted by Gwailo _
> *Took the words right out of my mouth...
> ...*



You do not have to log in to the console to use `top`; you can run it from Terminal.app. Also, the Process Viewer provides a nice front end to that command.


----------



## chenly (May 19, 2002)

> _Originally posted by lethe _
> *...also the process viewer provides a nice frontend to that command...*



With kill functionality to boot (awful pun intended)!


----------



## deraven (May 29, 2002)

Well, I thought sshd was run as root (which it is) and wouldn't be interrupted by logins/outs on the machine too, but as soon as I log out of OS X, any new SSH connection attempts are prompted for the password and then return "Permission Denied" errors.

For Example:

1. Walk across room and ssh in as user deraven - works fine - exit ssh
2. Walk back to the SSH serving machine, log out (just sitting with login pane on the screen)
3. Walk back to the other computer - try to SSH - permission denied after password is entered

If I relaunch the SSH daemon (uncheck "Allow remote login" in Sharing, then recheck it), it works fine again unless I locally log off the machine.

Any ideas? Has anyone had experiences to the contrary?

Thanks for any input...


----------



## deraven (May 29, 2002)

> _Originally posted by testuser _
> *Try this:
> 1.  ssh to your Mac.  Don't quit the client or end this session!  Take a look at the daemon:
> `ps aux | grep sshd | grep -v grep`
> ...*



I already tried that, actually. Here's what happens:

If I'm SSHed into the box from another machine, then head over and log out locally, the SSH session that's running for the most part still works fine, but starts picking up odd little errors. Like, if I do a ps from the session, several of the lines it returns are something similar to "session socket error" (I'm at work now and don't remember exactly what it was). Also, if I then try to log out, it gives another error very much like the one I just mentioned, then the session eventually times out.

If I try to start a new SSH session with a different user while I've still got the other remote session going and logged out locally, it does the "Access Denied" thing.

Basically, any session that's already started will continue to work (with some quirks) but it will not accept any new connections.

During this whole process as well as after I log back in locally, the main sshd process is still running, but it won't accept any new connections unless it is restarted.


----------



## blb (May 29, 2002)

When you are receiving _access denied_ errors, does sshd log anything interesting to /var/log/system.log?  Specifically, does it claim something to the effect of your username being illegal?  If so, I've seen that myself, but have yet to figure out a fix to it...

If not, what, if any, errors are logged?


----------



## deraven (May 29, 2002)

> _Originally posted by blb _
> *When you are receiving access denied errors, does sshd log anything interesting to /var/log/system.log?  Specifically, does it claim something to the effect of your username being illegal?  If so, I've seen that myself, but have yet to figure out a fix to it...
> 
> If not, what, if any, errors are logged? *



Here's what's in the log:

```
May 28 22:37:04 localhost sshd[4629]: input_userauth_request: illegal user deraven
May 28 22:37:04 localhost sshd[4629]: Failed none for illegal user deraven from 192.168.1.2 port 50008 ssh2
May 28 22:37:04 localhost sshd[4629]: Failed keyboard-interactive for illegal user deraven from 192.168.1.2 port 50008 ssh2
May 28 22:37:08 localhost sshd[4629]: Failed password for illegal user deraven from 192.168.1.2 port 50008 ssh2
May 28 22:37:13 localhost last message repeated 2 times
May 28 22:37:13 localhost sshd[4629]: Connection closed by 192.168.1.2
```


Again, this all goes away if I restart sshd.


----------



## fintler (May 29, 2002)

Is the shell name listed by `nidump passwd . | grep deraven | awk -F: '{print $7}'` in /etc/shells?

(BTW, those are all single quotes.)


----------



## deraven (May 29, 2002)

> _Originally posted by fintler _
> *Is the shell name listed by `nidump passwd . | grep deraven | awk -F: '{print $7}'` in /etc/shells?
>
> (BTW, those are all single quotes.)*



Yep. I'm using tcsh.

Again, it's not a problem until I log out locally. After that, I need to restart sshd for it to work again.


----------



## blb (May 29, 2002)

> _Originally posted by deraven _
> *Here's what's in the log:
> 
> May 28 22:37:04 localhost sshd[4629]: input_userauth_request: illegal user deraven
> ...


Yup, that's the error I've seen before. My current working theory is that sshd somehow loses its ability to speak to lookupd to find the user information. Why logging out of a loginwindow session causes this to occur, I don't know yet...

Best bet for now is to make sure Apple knows.
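
The log lines deraven posted earlier, run through a small triage script, as an added example that is not code from the thread. It rejoins lines that were wrapped when pasted, expands syslog's "last message repeated N times", tallies failures per client and user, and separates the symptom this thread is about (an account that exists locally but that sshd suddenly reports as "illegal", which points at the user lookup rather than at a bad password) from a client cycling through names that do not exist. The second client 10.0.0.9, the list of known local users, the threshold of three unknown names and the function names are constructed for the example.

```python
"""Triage sshd 'illegal user' failures from a syslog-style system.log.

Added example, not code from the thread. The first client below is the
exchange deraven posted (kept wrapped as it was pasted); the second client
and the list of local accounts are constructed to show the contrast.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
May 28 22:37:04 localhost sshd[4629]: input_userauth_request: illegal user deraven
May 28 22:37:04 localhost sshd[4629]: Failed none for illegal user deraven from 192.168.1.2 por
t 50008 ssh2
May 28 22:37:04 localhost sshd[4629]: Failed keyboard-interactive for illegal user deraven from
 192.168.1.2 port 50008 ssh2
May 28 22:37:08 localhost sshd[4629]: Failed password for illegal user deraven from 192.168.1.2
 port 50008 ssh2
May 28 22:37:13 localhost last message repeated 2 times
May 28 22:37:13 localhost sshd[4629]: Connection closed by 192.168.1.2
May 28 22:41:10 localhost sshd[4702]: Failed password for illegal user admin from 10.0.0.9 port 40122 ssh2
May 28 22:41:12 localhost sshd[4702]: Failed password for illegal user test from 10.0.0.9 port 40123 ssh2
May 28 22:41:14 localhost sshd[4702]: Failed password for illegal user guest from 10.0.0.9 port 40124 ssh2
""".splitlines()

KNOWN_LOCAL_USERS = {"deraven"}   # constructed: accounts that exist on the server

MONTHS = ("Jan", "Feb", "Mar", "Apr", "May", "Jun",
          "Jul", "Aug", "Sep", "Oct", "Nov", "Dec")
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?P<illegal>illegal user )?"
    r"(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
REPEAT_RE = re.compile(r"last message repeated (?P<n>\d+) times")


def rejoin_wrapped(lines):
    """A real syslog line starts with a month; anything else is a
    continuation of the previous line (pasted output wrapped mid-word)."""
    out = []
    for line in lines:
        if line[:3] in MONTHS and line[3:4] == " ":
            out.append(line)
        elif out:
            out[-1] += line
    return out


def parse_failures(lines):
    """Yield (ip, user, method, illegal) once per failed attempt, expanding
    syslog's 'last message repeated N times' into N copies of the last one."""
    last = None
    for line in rejoin_wrapped(lines):
        m = FAILED_RE.search(line)
        if m:
            last = (m["ip"], m["user"], m["method"], m["illegal"] is not None)
            yield last
            continue
        r = REPEAT_RE.search(line)
        if r and last:
            for _ in range(int(r["n"])):
                yield last
        else:
            last = None   # another message intervened; a later repeat is not ours


def summarize(lines):
    """Per (client, user): failure count, auth methods tried, and whether
    sshd reported the user as illegal (its user lookup found no account)."""
    table = defaultdict(lambda: {"failures": 0, "methods": set(), "illegal": False})
    for ip, user, method, illegal in parse_failures(lines):
        row = table[(ip, user)]
        row["failures"] += 1
        row["methods"].add(method)
        row["illegal"] = row["illegal"] or illegal
    return dict(table)


def classify(summary, known_users, enumeration_threshold=3):
    """Label each client. 'lookup-failure': an account that exists locally was
    reported illegal, so suspect the server's user lookup, not the password.
    'user-enumeration': several names that do not exist (threshold is an
    assumption). Otherwise 'auth-failure'."""
    illegal_names = defaultdict(set)
    for (ip, user), row in summary.items():
        illegal_names[ip].update({user} if row["illegal"] else ())
    labels = {}
    for ip, names in illegal_names.items():
        if names & known_users:
            labels[ip] = "lookup-failure"
        elif len(names) >= enumeration_threshold:
            labels[ip] = "user-enumeration"
        else:
            labels[ip] = "auth-failure"
    return labels


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (ip, user), row in sorted(summary.items()):
        print("%-12s %-8s failures=%d illegal=%s methods=%s"
              % (ip, user, row["failures"], row["illegal"], sorted(row["methods"])))
    for ip, label in sorted(classify(summary, KNOWN_LOCAL_USERS).items()):
        print("%-12s -> %s" % (ip, label))
```

For deraven's client the script reports one known account, five failures across the none, keyboard-interactive and password methods, all flagged illegal: the password never had a chance, because sshd could not resolve the user at all, which is the lookup problem blb describes rather than a credential problem. The constructed second client, by contrast, burns through names that never existed, which is the pattern to treat as a scan.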


----------



## Gwailo (Jun 2, 2002)

I use PuTTY, it's cheap (features) and cheap (free).


----------



## Pavao (Jun 7, 2002)

I have this very same problem on my iBook. I thought it came with 10.1.5 but, as this thread shows, it was already present in 10.1.4.

I'm connecting from my Linux box (192.168.1.2) that doesn't have a valid DNS name. But this shouldn't matter, right?

I noticed that if I reboot with sshd already running (i.e., sshd will be started before anyone logs in, when the mac is starting up) ssh logins work as they should, even if a user logs in at the Macintosh and then logs out.

Maybe this has been present all the way from the 10.0.x days but no one noticed it... :-(


----------



## Gwailo (Jun 13, 2002)

> _Originally posted by lethe _
> *You do not have to log in to the console to use `top`; you can run it from Terminal.app. Also, the Process Viewer provides a nice front end to that command.*



Sure! But I meant that so you can test to see that the daemons are running while a user is logged out... which was mentioned, so I'm keeping my mouth shut.


----------

