Recently, while deploying a new Mac Pro running Mac OS X 10.6 Snow Leopard Server, I encountered the following error when users tried to connect to the SFTP service:
Permission denied (publickey,keyboard-interactive)

After considerable searching through numerous dead ends, all of which suggested that the accounts in question had expired, I stumbled upon the correct answer. The user accounts in question were not members of the Administrators group and therefore were not allowed access to the system through SFTP. The obvious way to correct this would be to add all of those users to the Administrators group and walk away. WRONG!!!! Administrator membership grants far more than SFTP access, and a service access problem is no reason to hand it out. The correct thing to do is to open Server Admin and add this group of selected users to the allowed list for the SFTP service. However, when you open Server Admin you won't find an SFTP access section. SFTP is not a separate service: it runs as a subsystem of the SSH protocol and is provided by Apple's port of OpenSSH, so access to it is governed by the access list of the SSH service (under Access in Server Admin). In the following screen, observe that I simply added the imagestaff group to the SSH allowed list and saved the changes.
There are a few things worth noting about SSH and SFTP. Apple has bundled an anti-brute-force mechanism into the operating system called the Event Monitor Daemon, or emond. Emond watches for unsuccessful login attempts via SSH and subsequently enters a temporary deny rule into the firewall. This rule denies ALL traffic from the offending IP address, not just SSH. That means if you have a remote office whose users reach the server through a single NAT address for other services like email, web and DNS, a handful of mistyped SFTP passwords from one workstation there will cut off everyone at that office for the duration of the temporary rule. In my experience this temporary blacklisting lasts between 15 and 40 minutes.
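To make the collateral damage concrete, here is an added example (my own code, not Apple's emond and not part of the original article) that applies emond-style logic to sshd log lines: count failed logins per source address inside a time window and flag the address once it crosses a threshold. The twist a practitioner wants is the allowlist: addresses inside a trusted network (a hypothetical remote-office NAT range, 198.51.100.0/24 here) are reported separately instead of being blocked, which is exactly the case the paragraph above warns about. The log lines, hostnames and addresses are constructed for the example.

```python
"""Added example (not Apple's emond): flag SSH brute-force sources from
sshd log lines, but never auto-block addresses inside trusted networks."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

# OpenSSH failed-authentication message as it appears in syslog.
FAILED_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"Failed (?:password|publickey|keyboard-interactive/pam) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)

# Constructed sample log (one year assumed for all entries).
# 203.0.113.9 is a scanner, 198.51.100.4 is the remote office's NAT address
# where one user mistyped a password a few times, 192.0.2.77 is a lone miss.
SAMPLE_LOG = """\
Mar  3 09:14:01 xserve sshd[4021]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Mar  3 09:14:03 xserve sshd[4023]: Failed password for invalid user admin from 203.0.113.9 port 51030 ssh2
Mar  3 09:14:05 xserve sshd[4025]: Failed password for root from 203.0.113.9 port 51041 ssh2
Mar  3 09:14:08 xserve sshd[4027]: Failed password for root from 203.0.113.9 port 51050 ssh2
Mar  3 09:14:10 xserve sshd[4029]: Failed password for root from 203.0.113.9 port 51066 ssh2
Mar  3 09:20:41 xserve sshd[4102]: Failed password for jsmith from 198.51.100.4 port 49200 ssh2
Mar  3 09:20:49 xserve sshd[4104]: Failed password for jsmith from 198.51.100.4 port 49201 ssh2
Mar  3 09:20:58 xserve sshd[4106]: Failed password for jsmith from 198.51.100.4 port 49202 ssh2
Mar  3 09:21:05 xserve sshd[4108]: Failed password for jsmith from 198.51.100.4 port 49203 ssh2
Mar  3 09:21:12 xserve sshd[4110]: Failed password for jsmith from 198.51.100.4 port 49204 ssh2
Mar  3 09:22:30 xserve sshd[4112]: Accepted password for jsmith from 198.51.100.4 port 49205 ssh2
Mar  3 11:05:00 xserve sshd[4300]: Failed password for invalid user test from 192.0.2.77 port 40001 ssh2
"""

# Hypothetical remote-office address range: report it, never block it.
TRUSTED_NETWORKS = [ipaddress.ip_network("198.51.100.0/24")]


def parse_failures(log_text, year=2010):
    """Yield (timestamp, ip, user) for every failed sshd login line."""
    for line in log_text.splitlines():
        m = FAILED_RE.match(line)
        if not m:
            continue  # 'Accepted' lines and other daemons are ignored
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["ip"], m["user"]


def is_trusted(ip):
    """True if the address lies inside one of the allowlisted networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETWORKS)


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=10)):
    """Return (blocked, spared): dicts of ip -> time the threshold was hit.

    An address is a candidate when `threshold` failures fall inside `window`.
    Untrusted candidates go to `blocked`; trusted ones go to `spared` so an
    operator can see who would have been locked out of every service.
    """
    events = defaultdict(list)
    for ts, ip, _user in parse_failures(log_text):
        events[ip].append(ts)

    blocked, spared = {}, {}
    for ip, stamps in events.items():
        stamps.sort()
        for i in range(len(stamps)):
            j = i + threshold - 1  # index of the threshold-th failure
            if j < len(stamps) and stamps[j] - stamps[i] <= window:
                (spared if is_trusted(ip) else blocked)[ip] = stamps[j]
                break
    return blocked, spared


if __name__ == "__main__":
    blocked, spared = brute_force_sources(SAMPLE_LOG)
    for ip, when in blocked.items():
        print(f"deny all from {ip} (threshold hit {when:%H:%M:%S})")
    for ip, when in spared.items():
        print(f"trusted {ip} hit threshold at {when:%H:%M:%S}; NOT blocking")
```

Run against the sample, the scanner at 203.0.113.9 is the only address that ends up in the deny list; the remote-office address reaches the same threshold but is only reported, so its mail, web and DNS traffic keeps flowing. A blanket rule like emond's has no such allowlist, which is why a firewall exception for known remote-office addresses is worth adding before the first user mistypes a password.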
This article is a work in progress and I will likely add more to it in the future. In addition, I will likely relocate it to the Technobabel pages.
Roger Davis says
Hi,
I’m seeing behavior very much like this on my own system; unfortunately I do not have the Server release, so I don’t have access to the Server Admin tool. Can anyone tell me how I can fix this without that utility? By the way, I have already enabled remote login in each user’s Sharing pane; that is definitely NOT the problem!
Thanks.
Mikel King says
Hi Roger,
Just curious, what type of users are the ones trying to ssh in? Also, when was the last time you ran a permissions fix on the system drive?
Cheers,
@mikelking
Jung Kyoon says
Now I see that this article is for Snow Leopard “Server”. Do you know any tricks that can be done for plain Snow Leopard?
Mikel King says
Do you have remote login enabled for each user? It’s controlled in System Preferences under Sharing. By default it is turned off; even if you launch sshd using launchd, it will not function properly until you enable the remote login permission.
Cheers,
Mikel King
Jung Kyoon says
Thank you for the helpful tip.
How can I open the Server Administration page?
Mikel King says
On the console, open ‘Server Admin’, which can be found in the Applications->Server directory. You can also install the server applications on another machine to administer the server remotely, but you must ensure that you have the appropriate ports (I think it’s tcp-687) open in the firewall, or be on a VPN/LAN connection.
Erwin Spirelli says
This German translation is completely unreadable and useless!!!
Please turn off that transbabel toy!!!
Mikel King says
Thank you for letting me know; I shall take care of it ASAP.