sftp as root


Warren Michelsen

Jul 16, 2009, 3:49:45 AM
to BBEdit-Talk List
I'm trying to log into my server from my workstation over the Internet using BBEdit's sftp. Is sftp done in a ssl tunnel? What are the requirements on the remote server to enable me to log in, encrypted, as root to manage configuration files and such?

I normally ssh to the server in Terminal (passwordless via RSA keys) and then su to root, if needed. I'd like to be able to use BBEdit instead of Terminal and pico.

So I've set the server to allow passwordless log-in by root using a key.

How do I get BBEdit to use sftp as the root user with no password?

Or is "sftp" the wrong mechanism? Can I tunnel BBEdit's connection in ssh or some such?

Bottom line: I want BBEdit to connect and edit files on my server as root, using my public key instead of a password. Can I do that?

Charlie Garrison

Jul 16, 2009, 4:00:03 AM
to bbe...@googlegroups.com
Good afternoon,

On 16/07/09 at 12:49 AM -0700, Warren Michelsen
<wmich...@gmail.com> wrote:

>Is sftp done in a ssl tunnel?

sftp uses ssh, not ssl.

>So I've set the server to allow passwordless log-in by root using a key.

Have you tested that from command line? If it works there it
should work from BBEdit.

>How do I get BBEdit to use sftp as the root user with no password?

Enter 'root' for username, and leave password blank. I don't use
BBEdit for sftp but I was curious if use of ssh keys was
automatic. I tested it now and it "just worked" (as expected).

>Or is "sftp" the wrong mechanism? Can I tunnel BBEdit's connection in ssh or some such?

sftp is using ssh already.

>Bottom line: I want BBEdit to connect and edit files on my
>server as root, using my public key instead of a password. Can
>I do that?

You should be able to. If ssh works for passwordless root login
from command line, then it should work in BBEdit as well.


Charlie

--
Charlie Garrison <garr...@zeta.org.au>
PO Box 141, Windsor, NSW 2756, Australia

O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
http://www.ietf.org/rfc/rfc1855.txt

Warren Michelsen

Jul 16, 2009, 4:43:28 PM
to bbe...@googlegroups.com
At 6:00 PM +1000 7/16/09, Charlie Garrison sent email regarding Re:
sftp as root:

>Good afternoon,
>
>On 16/07/09 at 12:49 AM -0700, Warren Michelsen
>
>>So I've set the server to allow passwordless log-in by root using a key.
>
>Have you tested that from command line? If it works there it
>should work from BBEdit.

Works from CLI, BBEdit asks for my password.

>
>You should be able to. If ssh works for passwordless root login
>from command line, then it should work in BBEdit as well.

After I click the connect button, BBEdit says: Opening sftp
connection and puts up an additional password dialog. Entering the
password does not log me in.

Patrick Woolsey

Jul 16, 2009, 5:17:11 PM
to bbe...@googlegroups.com
you wrote:
[...]

>After I click the connect button, BBEdit says: Opening sftp
>connection and puts up an additional password dialog. Entering the
>password does not log me in.
>

What app version are you running?

(In particular, if you have BBEdit 9 prior to 9.2.1, please update. :-)

Regards,

Patrick Woolsey
==
Bare Bones Software, Inc. <http://www.barebones.com>
P.O. Box 1048, Bedford, MA 01730-1048

Warren Michelsen

Jul 16, 2009, 7:47:13 PM
to bbe...@googlegroups.com
At 5:17 PM -0400 7/16/09, Patrick Woolsey sent email regarding Re:
sftp as root:

>you wrote:
>[...]
>>After I click the connect button, BBEdit says: Opening sftp
>>connection and puts up an additional password dialog. Entering the
>>password does not log me in.
>>
>
>What app version are you running?

9.2.1

Curiously, attempting a connection to another Mac running Leopard
gets me the error:

(application error code: 22120)

Both this Leo Mac and the earlier (Tiger) Mac allow me to ssh as root
from Terminal with no password.

I AM able to sftp connect to both the Tiger Mac and the Leo Mac with
BBEdit with no password when using a non-root account.

Warren Michelsen

Jul 19, 2009, 8:29:25 PM
to bbe...@googlegroups.com
At 5:17 PM -0400 7/16/09, Patrick Woolsey sent email regarding Re:
sftp as root:

>you wrote:
>[...]
>>After I click the connect button, BBEdit says: Opening sftp
>>connection and puts up an additional password dialog. Entering the
>>password does not log me in.
>>
>
>What app version are you running?

version 9.2.1 (2532) of Fri, 19 Jun 2009


Trying to sftp to my server as root using passwordless public key
authentication.

Previously, I used sftp with passwords, until I set up ssh using
keys, no passwords.

Now that I should be able to connect with no password, BBE won't let
me delete the passwords from the ftp settings. I click to "Change"
the ftp settings, remove the password and tell it to Save. When next
I open that setting, the password is back.

I tried completely deleting the connection setting and recreating it
with no password. When I selected the re-created setting to "Change"
it had a password. I think it's looking in Keychain and fetching the
password for that user/host and inserting that password.

So I deleted that password from keychain. Now each time I select that
ftp bookmark, BBE pops up a separate dialog asking: "Password for
root@[hostname]" with Cancel and (disabled) OK button. Apparently, if
I hit Cancel, it won't even bother to try connecting.

I do not have this problem with a non-root account that also uses
public key authentication. root seems to behave differently or be a
special case.

Yes, I can ssh as root to the host in question using Terminal.

Secure.log on the host has no logged attempts from my IP address so I
have to think that, sans a password, BBE doesn't even attempt to
connect as root.

System.log, however, says:

Jul 19 17:11:38 smtp DirectoryService[65]: Failed Authentication
return is being delayed due to over five recent auth failures for
username: root.
Jul 19 17:11:38 smtp sshd[14379]: error: PAM: Authentication failure
for root from [my.public.hostname]
Jul 19 17:11:38 smtp sshd[14379]: error: PAM: Authentication failure
for root from [my.public.hostname]
Jul 19 17:11:38 smtp sshd[14379]: error: PAM: Authentication failure
for root from [my.public.hostname]


Who is this "Pam" and why is she preventing me from logging in? ;-)

Patrick Woolsey

Jul 20, 2009, 10:33:25 AM
to bbe...@googlegroups.com
you wrote:
[...]

>>What app version are you running?
>
>version 9.2.1 (2532) of Fri, 19 Jun 2009
>

OK, thanks.


>I do not have this problem with a non-root account that also uses
>public key authentication. root seems to behave differently or be a
>special case.
>
>Yes, I can ssh as root to the host in question using Terminal.
>
>Secure.log on the host has no logged attempts from my IP address so I
>have to think that, sans a password, BBE doesn't even attempt to
>connect as root.

Off-hand, I can't think of any reason why the specific remote account (root
or otherwise) should matter; I'll fwd this to support and follow up with
you from there.

Steve Nelson

Aug 10, 2009, 7:48:53 PM
to BBEdit Talk
I'm having the same issue as well with 9.2.1. Any progress on an
answer?
Thanks,
Steve

Patrick Woolsey

Aug 11, 2009, 8:37:59 AM
to bbe...@googlegroups.com
Steve Nelson <steve....@clearink.com> sez:
[re ssh connection problems with 'root' account]

>
>I'm having the same issue as well with 9.2.1. Any progress on an
>answer?


We haven't yet been able to reproduce this issue or isolate a cause.


As a general reminder :-), we ask & recommend that anyone who encounters a
problem contact tech support directly.

Warren Michelsen

Aug 16, 2009, 12:24:23 PM
to bbe...@googlegroups.com
At 6:00 PM +1000 7/16/09, Charlie Garrison sent email regarding Re:
sftp as root:

>Good afternoon,
>
>On 16/07/09 at 12:49 AM -0700, Warren Michelsen
><wmich...@gmail.com> wrote:
>
>>How do I get BBEdit to use sftp as the root user with no password?
>
>Enter 'root' for username, and leave password blank. I don't use
>BBEdit for sftp but I was curious if use of ssh keys was
>automatic. I tested it now and it "just worked" (as expected).

Charlie, are you saying you were able to sftp as root with no
password and it worked?

I can do it as other than root, but not as root. Did you do it as root?

I was told elsewhere:

"SSH and SFTP are quite different protocols. I suspect the problem
is that SSH establishes a terminal connection entirely within sshd.
SFTP uses an SSH tunnel to ftpd. Ftpd has its own set of access
restrictions one of which is you can't connect as root."

So I'd be very curious to know if anyone can successfully connect via
BBE's sftp as root with no password.

Charlie Garrison

Aug 17, 2009, 1:56:24 AM
to bbe...@googlegroups.com
Good afternoon,

On 16/08/09 at 9:24 AM -0700, Warren Michelsen
<wmich...@gmail.com> wrote:

>Charlie, are you saying you were able to sftp as root with no
>password and it worked?
>
>I can do it as other than root, but not as root. Did you do it as root?

I can connect via sftp using BBEdit with the root account. It
works fine for me.

>I was told elsewhere:
>
>"SSH and SFTP are quite different protocols. I suspect the
>problem is that SSH establishes a terminal connection entirely
>within sshd. SFTP uses an SSH tunnel to ftpd. Ftpd has its own
>set of access restrictions one of which is you can't connect as root."

There are two protocols that use the term SFTP. They are
generally distinguished as 'sftp' vs 'SFTP' but that is still
very ambiguous. The one of interest, and the one BBE is using is
the ssh variant. It is the sftp protocol inside an ssh tunnel.

If you can ssh to the machine as root, then you should be able
to connect as root from within BBEdit.

>So I'd be very curious to know if anyone can successfully
>connect via BBE's sftp as root with no password.

I can, so that's at least one. I throw a question back; are you
able to connect as root (without password) via ssh from the
command line?

Warren Michelsen

Aug 17, 2009, 9:48:05 AM
to bbe...@googlegroups.com
At 3:56 PM +1000 8/17/09, Charlie Garrison sent email regarding Re:
sftp as root:

>Good afternoon,
>
>On 16/08/09 at 9:24 AM -0700, Warren Michelsen
><wmich...@gmail.com> wrote:
>
>>Charlie, are you saying you were able to sftp as root with no
>>password and it worked?
>...

>I can connect via sftp using BBEdit with the root account. It
>works fine for me.

With no password?

>
>If you can ssh to the machine as root, then you should be able
>to connect as root from within BBEdit.

That was my expectation.

>
>>So I'd be very curious to know if anyone can successfully
>>connect via BBE's sftp as root with no password.
>
>I can, so that's at least one. I throw a question back; are you
>able to connect as root (without password) via ssh from the
>command line?

Yes.

Previously I would ssh to the server in question (in Terminal) as
other than root then su to root (or sudo) to edit configuration and
other files that I could not edit without being root. But I would
like the convenience of BBEdit's features when editing such files.
Since sftp cannot 'su' to root, I enabled the root account and set
it, as I did my other account, to use keys for password-less log-in.

ssh from Terminal works just fine. I'd expected that just leaving out
the password when sftp'ing as root would Just Work but it doesn't,
and I'm puzzled.

I can use password-less sftp using another non-root account. Root
seems to be treated differently.

I was watching both secure.log and system.log while trying to get BBE
to log in as root without a password over a network connection.

Here's what secure.log showed:

Aug 14 11:08:22 smtp com.apple.SecurityServer: authinternal failed to
authenticate user root.
Aug 14 11:08:22 smtp com.apple.SecurityServer: Failed to authorize
right system.login.tty by process /usr/sbin/sshd for authorization
created by /usr/sbin/sshd.
Aug 14 11:08:22 smtp com.apple.SecurityServer: authinternal failed to
authenticate user root.
Aug 14 11:08:22 smtp com.apple.SecurityServer: Failed to authorize
right system.login.tty by process /usr/sbin/sshd for authorization
created by /usr/sbin/sshd.
Aug 14 11:08:22 smtp com.apple.SecurityServer: authinternal failed to
authenticate user root.
Aug 14 11:08:22 smtp com.apple.SecurityServer: Failed to authorize
right system.login.tty by process /usr/sbin/sshd for authorization
created by /usr/sbin/sshd.

Here's what system.log showed:

Aug 14 11:08:22 smtp DirectoryService[160]: Failed Authentication
return is being delayed due to over five recent auth failures for
username: root.
Aug 14 11:08:22 smtp sshd[19730]: error: PAM: Authentication failure
for root from [my.ip]
Aug 14 11:08:22 smtp sshd[19730]: error: PAM: Authentication failure
for root from [my.ip]
Aug 14 11:08:22 smtp sshd[19730]: error: PAM: Authentication failure
for root from [my.ip]


So, I suspect that hacker/attackers are attempting to log in as root
and running up this counter which has a limit of 5.

What is curious is, of course, that I can ssh as root successfully
via Terminal and the 5-limit does not affect me.

Do normal ssh and ssh tunnels use different authentication? Does
normal ssh not use PAM?

Any suggestions as to what I should watch/monitor while attempting
BBE's sftp as root would be appreciated.
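
An added example, not part of the original thread: a small Python parser that rejoins mail-wrapped syslog records like the system.log excerpts above and counts sshd PAM failures per connection and per source, so your own test attempts can be told apart from unrelated root login attempts. The sample log is constructed; client.example.net and 203.0.113.7 are placeholder sources.

```python
import re
from collections import Counter

# Constructed sample modelled on the system.log excerpt in the thread.
# client.example.net and 203.0.113.7 are placeholders, not real sources.
SAMPLE_LOG = """\
Aug 14 11:08:22 smtp DirectoryService[160]: Failed Authentication
return is being delayed due to over five recent auth failures for
username: root.
Aug 14 11:08:22 smtp sshd[19730]: error: PAM: Authentication failure
for root from client.example.net
Aug 14 11:08:22 smtp sshd[19730]: error: PAM: Authentication failure
for root from client.example.net
Aug 14 11:09:40 smtp sshd[19802]: error: PAM: Authentication failure
for root from 203.0.113.7
"""

STAMP = re.compile(r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d ")
PAM_FAIL = re.compile(
    r"sshd\[(\d+)\]: error: PAM: Authentication failure for (\S+) from (\S+)")
DS_DELAY = re.compile(
    r"DirectoryService\[\d+\]: Failed Authentication return is being "
    r"delayed .* username: (\w+)")

def unfold(text):
    """Rejoin syslog records that a mail client wrapped across lines."""
    records = []
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue  # blank lines introduced by wrapping
        if STAMP.match(line) or not records:
            records.append(line)       # a timestamp starts a new record
        else:
            records[-1] += " " + line  # continuation of the previous one
    return records

def summarize(text):
    """Count PAM failures per sshd process and per (user, source)."""
    per_conn, per_source, delayed = Counter(), Counter(), set()
    for rec in unfold(text):
        if m := PAM_FAIL.search(rec):
            pid, user, src = m.groups()
            # sshd forks one process per connection, so a shared PID
            # groups the retries made within a single connection.
            per_conn[(pid, user, src)] += 1
            per_source[(user, src)] += 1
        elif m := DS_DELAY.search(rec):
            delayed.add(m.group(1))    # account hit the failure delay
    return per_conn, per_source, delayed
```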

