SSH login

googolplex

jeff.hume.ca
How can I set up SSH so that I can log in when my Mac is just at the login screen and not running as a certain user? Does it work that way by default?

Also are there any clients for windows that let you log in to SSH?

I'm wanting this so I can do stuff on my Mac from school on PCs and bypass the school's port-blocking onto IRC :D. BTW what port does SSH use?
 
So long as you have remote access enabled in the sharing section of your system preferences, you should be able to ssh into your mac.

As for the Windows ssh clients... there are tons of them... Take a look at www.tucows.com and find one that looks appealing to you...

Personally, I use a program called PuTTY. It's pretty small, has every bell and whistle that most folks would need, and it's pretty fast. All in all I would recommend it.

SSH is on port 22
Telnet is on port 23

Good luck
 
BSDimwit said you can and I'm sure he knows what he is talking about. What you need is for sshd (the ssh daemon) to be running. I personally thought that when you logged out it would quit this because it quits all other applications, but perhaps the unix core still runs. If I get a chance to do some testing on this I'll let you know.
 
Originally posted by testuser
All system daemons are run as root. They continue to function without interruption during user logins and logouts.

One little quibble - actually many daemons run as special 'nobody' type users with extremely limited permissions. The idea is that if someone exploits a bug in the server, the damage they could do is limited to what the daemon user could do.

For example, apache runs as the user www, and the postfix mail daemons run as the user postfix.
 
Do you mean, so you could login to your iBook from away, or so you could log into a desktop Mac from your iBook which you're lugging around?

Anyway, on the server machine:
In System Preferences > Sharing > "Application" tab, check the 'allow remote login'.

On the client machine, if it's a Mac, nothing; if it's a PC, get a ssh client.
 
all the processes that I have mentioned are indeed launched from root

Hmm, that's interesting. I hadn't realized that an httpd process is run as root. Interesting though, as soon as I turn on web sharing (don't even connect once) it looks like this:

: 1 23:09; ps auxc | grep http
root 22770 0.0 0.3 2436 1016 ?? Ss 0:00.08 httpd
www 22771 0.0 0.1 2436 272 ?? S 0:00.01 httpd

And, it seems both are listening on port 80 (I didn't even realize that was possible).

: 0 23:09; sudo lsof | grep httpd | grep 80
httpd 22770 root 16u inet 0x0183b4cc 0t0 TCP *:80 (LISTEN)
httpd 22771 www 16u inet 0x0183b4cc 0t0 TCP *:80 (LISTEN)

Anyway, OS X has a "daemon" user by default, I'd be surprised if it's not used by some daemon processes. Perhaps I'm just in for a surprise ;-}

edit: silly mark, it's BB, not HTML
 
One httpd will be running as root; as on all Unix-like systems, you need root to use a port under 1024. If you set Apache to listen on a larger port (say, 8080), then you can keep it from running anything as root, but that shouldn't be necessary.

ftpd will be root until a user logs in, then it should change to that user.
 
Yeah, this is true for any UNIX. If a daemon wants to listen on a port lower than 1024, it must be root.
 
go to your system preferences... once in there click the sharing icon. Once that opens there are several tabs at the top... not sure which one this is under as I am on a pc at the moment, but under one of them is a check box that will enable remote access. From there, you should be able to make it work...

Once you turn it on, get on another machine with an ssh client on it and do your stuff...
 
Originally posted by testuser
...How does an app do this? ...similar to a user doing a "su"? I assume it can only go from:
root -> any user
without authentication, and not the other way around:
user -> another user
user -> root

...
This is actually pretty common for security reasons; the app usually calls setuid() (man page is available). But yes, only root-owned processes can do it, otherwise that would pretty much kill the concept of security.
 
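The two points made in the last few posts, that only root can bind a port below 1024 and that a daemon then calls setuid() to become an unprivileged user, as one added example (this is not code from the thread, from Apache or from sshd): the listening socket is bound while the process is still root, the process forks, and each child drops to the daemon user before it handles a connection, which is the root parent / www child pair in the ps and lsof output earlier in the thread. It also does the extra step a practitioner wants, checking that the drop cannot be undone. The port 8080 default, the "nobody" user (the poster's Apache used "www"), and the one-line HTTP reply are assumptions for the demo.

```python
import os
import pwd
import socket
import sys


def is_privileged_port(port):
    """The rule quoted in the thread: on traditional Unix only root may bind a port below 1024."""
    return 0 < port < 1024


def current_identity():
    """(uid, gid) of this process; used when there is nothing to drop."""
    return os.getuid(), os.getgid()


def bind_listener(port, host="127.0.0.1"):
    """Bind and listen. For a privileged port this must run as root; otherwise the kernel
    refuses with EACCES, which Python raises as PermissionError."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    sock.bind((host, port))
    sock.listen(8)
    return sock


def drop_privileges(uid, gid):
    """Give up root for good, in the order that works: supplementary groups and the gid
    first (those calls themselves need root), the uid last. Calling setuid() first would
    succeed and then leave the process unable to change its group. Afterwards verify the
    drop: once real, effective and saved uid are all unprivileged, setuid(0) must fail."""
    if os.getuid() == 0:
        os.setgroups([])
    os.setgid(gid)
    os.setuid(uid)
    if uid != 0:
        try:
            os.setuid(0)
        except PermissionError:
            return True
        raise RuntimeError("privilege drop was reversible; refusing to continue")
    return True


def serve_unprivileged(listener, uid, gid):
    """The parent/child pair seen in the ps and lsof output above: the root parent keeps
    the listening socket and forks; every child drops to the daemon user before it reads
    a byte from the client, so a bug in request handling runs as that user, not as root."""
    while True:
        conn, _peer = listener.accept()
        pid = os.fork()
        if pid == 0:
            listener.close()               # the child never needs the listener
            drop_privileges(uid, gid)      # from here on a compromise yields only uid/gid
            conn.sendall(b"HTTP/1.0 200 OK\r\nContent-Type: text/plain\r\n\r\n"
                         b"served by uid %d\n" % os.getuid())
            conn.close()
            os._exit(0)
        conn.close()                       # the parent keeps only the listener
        os.waitpid(pid, 0)                 # one child at a time keeps the demo simple


if __name__ == "__main__":
    # Assumed defaults for the demo: port 8080 and the "nobody" user (the poster's Apache used "www").
    port = int(sys.argv[1]) if len(sys.argv) > 1 else 8080
    user = sys.argv[2] if len(sys.argv) > 2 else "nobody"
    if is_privileged_port(port) and os.getuid() != 0:
        sys.exit("port %d is privileged; run as root or choose a port >= 1024" % port)
    if os.getuid() == 0:
        pw = pwd.getpwnam(user)
        uid, gid = pw.pw_uid, pw.pw_gid
    else:
        uid, gid = current_identity()      # already unprivileged: nothing to drop
    listener = bind_listener(port)         # bound while still root, before any drop
    print("listening on %d as uid %d; children will run as uid %d" % (port, os.getuid(), uid))
    serve_unprivileged(listener, uid, gid)
```

Run it as root with `sudo python3 server.py 80 nobody` and `ps aux | grep python` shows the same picture as the httpd listing above: one process as root holding the socket, and a child as nobody for each connection. Run it unprivileged on 8080 and the bind still works because nothing below 1024 was requested.
 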
Originally posted by testuser
All system daemons are run as root. They continue to function without interruption during user logins and logouts.

This is why you do not need to be logged in to run:
Apache webserver
ssh server
ftp server
telnet server
ntalk server
etc

(Actually the last three services mentioned are spawned through the inetd server).

Took the words right out of my mouth... ;)

If you boot to ``>console`` in Other Users at the login screen, you can see all the processes that are running with ``top``
 
Originally posted by BSDimwit
go to your system preferences... once in there click the sharing icon. Once that opens there are several tabs at the top... not sure which one this is under as I am on a pc at the moment, but under one of them is a check box that will enable remote access. From there, you should be able to make it work...

Once you turn it on, get on another machine with an ssh client on it and do your stuff...

Additional information: the "Allow remote login" checkbox which appears in the "Applications" tab of the Sharing pane in System Preferences turns on SSH in OS X 10.0.4 and later; prior to that, it enabled telnet. For security reasons, Apple made this change. telnet is still available, but needs to be enabled via CLI. Prior to OS 10.1, the System Preferences Sharing pane was not divided between "File & Web" and "Application" tabs as it is now, but the checkbox is still there and labeled in the same way.
 
Originally posted by Gwailo


Took the words right out of my mouth... ;)

If you boot to ``>console`` in Other Users at the login screen, you can see all the processes that are running with ``top``

You do not have to log in to the console to use top. You can run it from Terminal.app. Also, the Process Viewer provides a nice frontend to that command.
 
Well, I thought sshd was run as root (which it is) and wouldn't be interrupted by logins/outs on the machine too, but as soon as I log out of OS X, any new SSH connection attempts are prompted for the password then returned "Permission Denied" errors.

For Example:

1. Walk across room and ssh in as user deraven - works fine - exit ssh
2. Walk back to the SSH serving machine, log out (just sitting with login pane on the screen)
3. Walk back to the other computer - try to SSH - permission denied after password is entered

If I relaunch the SSH daemon (uncheck "Allow remote login" in Sharing, then recheck it), it works fine again unless I locally log off the machine.

Any ideas? Has anyone had experiences to the contrary?

Thanks for any input...
 
Originally posted by testuser
Try this:
1. ssh to your Mac. Don't quit the client or end this session! Take a look at the daemon:
ps aux | grep sshd | grep -v grep

You should see two processes (one main sshd process with the lower PID number, and one for this session).

2. Walk back to the Mac and log out (to the login screen)

3. Try to ssh to your Mac again in another session (window). Try accessing your Mac through more than one user account.

If step 3 fails, use the window from step 1 to look again at the processes:
ps aux | grep sshd | grep -v grep

Is the main sshd process still running?

I already tried that, actually. Here's what happens:

If I'm SSHed into the box from another machine, then head over and log out locally, the SSH session that's running for the most part still works fine, but starts picking up odd little errors. Like, if I do a ps from the session, several of the lines it returns are something similar to "session socket error" (I'm at work now and don't remember exactly what it was). Also, if I then try to log out, it gives another error very much like the one I just mentioned, then the session eventually times out.

If I try to start a new SSH session with a different user while I've still got the other remote session going and logged out locally, it does the "Access Denied" thing.

Basically, any session that's already started will continue to work (with some quirks) but it will not accept any new connections.

During this whole process as well as after I log back in locally, the main sshd process is still running, but it won't accept any new connections unless it is restarted.
 
When you are receiving access denied errors, does sshd log anything interesting to /var/log/system.log? Specifically, does it claim something to the effect of your username being illegal? If so, I've seen that myself, but have yet to figure out a fix to it...

If not, what, if any, errors are logged?
 
Originally posted by blb
When you are receiving access denied errors, does sshd log anything interesting to /var/log/system.log? Specifically, does it claim something to the effect of your username being illegal? If so, I've seen that myself, but have yet to figure out a fix to it...

If not, what, if any, errors are logged?

Here's what's in the log:

May 28 22:37:04 localhost sshd[4629]: input_userauth_request: illegal user deraven
May 28 22:37:04 localhost sshd[4629]: Failed none for illegal user deraven from 192.168.1.2 port 50008 ssh2
May 28 22:37:04 localhost sshd[4629]: Failed keyboard-interactive for illegal user deraven from 192.168.1.2 port 50008 ssh2
May 28 22:37:08 localhost sshd[4629]: Failed password for illegal user deraven from 192.168.1.2 port 50008 ssh2
May 28 22:37:13 localhost last message repeated 2 times
May 28 22:37:13 localhost sshd[4629]: Connection closed by 192.168.1.2


Again, this all goes away if I restart sshd.
 
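An added way to triage the log posted above (example code, not part of the thread): parse the sshd lines out of system.log, expand syslog's "last message repeated N times" compression so the count is right, and tally failures per user and source address. It separates "illegal user" failures, which sshd logs when it cannot look the account up at all, from a plain bad password for a known account; a burst of "illegal user" for a name that does exist is what you would expect if the account lookup is what broke, which is the reading this thread is heading towards. The sample log is constructed from the lines above, re-joined where the forum wrapped them, plus one invented line for a user "alice" from 10.0.0.7 to show the contrast.

```python
import re

# Constructed sample: the poster's lines, re-joined, plus one invented bad-password line for contrast.
SAMPLE_LOG = """\
May 28 22:37:04 localhost sshd[4629]: input_userauth_request: illegal user deraven
May 28 22:37:04 localhost sshd[4629]: Failed none for illegal user deraven from 192.168.1.2 port 50008 ssh2
May 28 22:37:04 localhost sshd[4629]: Failed keyboard-interactive for illegal user deraven from 192.168.1.2 port 50008 ssh2
May 28 22:37:08 localhost sshd[4629]: Failed password for illegal user deraven from 192.168.1.2 port 50008 ssh2
May 28 22:37:13 localhost last message repeated 2 times
May 28 22:37:13 localhost sshd[4629]: Connection closed by 192.168.1.2
May 28 22:40:01 localhost sshd[4702]: Failed password for alice from 10.0.0.7 port 50123 ssh2
"""

SYSLOG_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<rest>.*)$")
SSHD_RE = re.compile(r"^sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"^Failed (?P<method>\S+) for (?P<illegal>illegal user )?(?P<user>\S+) "
    r"from (?P<ip>[0-9.]+) port (?P<port>\d+)")
REPEAT_RE = re.compile(r"^last message repeated (?P<n>\d+) times$")


def parse_failures(log_text):
    """One dict per failed sshd authentication attempt. A syslog 'last message repeated N
    times' line is expanded into N copies of the previous failure; if the previous line
    was not a failure (e.g. 'Connection closed'), the repeat line adds nothing."""
    failures = []
    last = None
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        r = REPEAT_RE.match(rest)
        if r:
            if last is not None:
                failures.extend(dict(last) for _ in range(int(r.group("n"))))
            continue
        s = SSHD_RE.match(rest)
        f = FAILED_RE.match(s.group("msg")) if s else None
        if not f:
            last = None
            continue
        last = {
            "ts": m.group("ts"),
            "method": f.group("method"),
            "user": f.group("user"),
            "ip": f.group("ip"),
            # "illegal user" means sshd could not resolve the account, not that the password was wrong
            "unknown_account": f.group("illegal") is not None,
        }
        failures.append(last)
    return failures


def summarize(failures):
    """Group by (user, source ip): attempt count, auth methods tried, and whether any attempt
    failed because the account itself was unknown to sshd."""
    report = {}
    for f in failures:
        entry = report.setdefault((f["user"], f["ip"]),
                                  {"attempts": 0, "methods": set(), "account_unknown": False})
        entry["attempts"] += 1
        entry["methods"].add(f["method"])
        entry["account_unknown"] = entry["account_unknown"] or f["unknown_account"]
    return report


if __name__ == "__main__":
    for (user, ip), e in sorted(summarize(parse_failures(SAMPLE_LOG)).items()):
        why = "account lookup failed" if e["account_unknown"] else "bad credentials"
        print("%-10s %-15s %2d attempts via %-30s %s" % (user, ip, e["attempts"],
                                                         ",".join(sorted(e["methods"])), why))
```

On the sample this reports deraven from 192.168.1.2 with five attempts (none, keyboard-interactive and three password tries, two of them hidden behind the "repeated 2 times" line) flagged as an account lookup failure, and alice with one ordinary bad-password attempt. Against a real /var/log/system.log, a known-good account showing up as "illegal user" only after a local logout, and only until sshd is restarted, is the signature of the lookup problem rather than of someone guessing names.
 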
Is the shell name listed in 'nidump passwd .|grep deraven|awk -F: '{print $7}'' in /etc/shells?

(BTW, those are all single quotes)
 