1

Is there a setting somewhere that overrides the user password for SSH? Whenever I try to login via password to my os x server I get an error message in secure.log ->

Failed password for < user > from < ip > port < port > ssh2

The password is correct, I can use it locally on the server. What is going on here? Logging in via public key works fine. If I enabled PAM, I just get a different version of the same message:

error: PAM: permission denied for < user > from < client IP > via < server IP >

I am a dunce when it comes to server related things. Could someone tell me what I should be looking for? Nothing strange is output from running ssh -vvv

borrrden
  • 133
  • 6
  • Can you restart the sshd with the `-d` option so that it produces more info into syslog? Maybe you get more hints then. – ott-- Nov 28 '12 at 10:33
  • Actually I don't really know how to start it like that...`sudo /usr/sbin/sshd -d' just says Cannot bind any address – borrrden Nov 28 '12 at 10:47
  • The current running sshd blocks the port. Does `launchctl stop com.openssh.sshd` work for you? Else do `launchctl list` to see the available services. Restart it later when your test are done. – ott-- Nov 28 '12 at 12:04

1 Answers1

0

In /etc/ssh/sshd_config, PasswordAuthentication should be set to yes.

You will need to restart ssh after making this change.

It should be mentioned that the reason it's difficult to search for instructions on how to do this is that all the tutorials out there are for how to disable password authentication. There's a reason people prefer it disabled. It requires a little more initial setup but it is a more secure configuration.

Ladadadada
  • 26,337
  • 7
  • 59
  • 90
  • I also prefer it this way, but it is a bother to teach all of our clients how to make RSA keys. PasswordAuthentication is already set to YES in the config file (the password is asked for, just not accepted) – borrrden Nov 28 '12 at 09:24
  • In the end I went with RSA key auth. Easier *and* more secure. I didn't realize that private keys were not machine specific (thought they were because the default comment at the end is the machine identifier) and that WinSCP and Cyberduck could use them without any real complicated setup. – borrrden Dec 03 '12 at 05:23