ssh fails: image not found [preauth]

When I try to SSH to my computer, ssh fails with this error:

Mothership:~ kuyan$ ssh kuyan@localhost
Connection closed by ::1

This also happens when I attempt to SSH to my user from another computer. This message appears in Console when I attempt to connect:

12/12/12 3:44:30.468 PM sshd[2576]: fatal: ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]

Relevant information:

  • I'm using a different version of sshd than OS X provides, installed via brew install openssh - but this error occurs with both versions.
  • /usr/lib/libsandbox.1.dylib exists:

    Mothership:~ kuyan$ ls /usr/lib/libsandbox*
    /usr/lib/libsandbox.1.dylib /usr/lib/libsandbox.dylib
    
  • Here's my /etc/sshd_config. The relevant line seems to be UsePrivilegeSeparation: when uncommented and set to yes instead of sandbox, everything works A-OK.

  • Though I'm not using MacPorts, the error I'm getting is essentially the one here.
  • sshd version: OpenSSH_6.1p1, OpenSSL 0.9.8r 8 Feb 2011

Solution 1:

dtruss shows:

2892/0xdc8e:  stat64("/usr/lib/libsandbox.1.dylib\0", 0x7FFF500DA5F0, 0x7FFF500DB500)        = -1 Err#2

which is ENOENT (No such file or directory) and the reason is probably that chroot already happened. If you are so foolish as to experiment by

sudo mkdir -p /var/empty/usr/lib
sudo cp /usr/lib/libsandbox.1.dylib /var/empty/usr/lib

You will move the crash to the next shlib not under /var/empty/:

sshd[3256]: fatal: ssh_sandbox_child: sandbox_init: dlopen (/usr/lib/libsandbox.1.dylib, 261):
Library not loaded: /usr/lib/libsqlite3.dylib\\n  Referenced from: /usr/lib/libsandbox.1.dylib\\n  Reason: image not found [preauth]

If you persist with this madness

sudo cp /usr/lib/libsqlite3.dylib /usr/lib/libMatch.1.dylib /var/empty/usr/lib/

sshd will start to work again, at least for SSH keys; passwords still don't work.

You can also edit /usr/local/etc/sshd_config changing

UsePrivilegeSeparation sandbox

into

UsePrivilegeSeparation yes

But outside of debugging purposes I don't suggest trying any of this.
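
A cleanup check for a machine where the debugging steps above were tried, as an added example that is not part of the original answer: it reports whether sshd_config was left at something other than sandbox and whether libraries were left behind in the privilege-separation chroot, which OpenSSH expects to contain no files. The function names are hypothetical; the paths are the ones quoted on this page, and it assumes an sshd that still honours UsePrivilegeSeparation, like the 6.1p1 build in the question.

```shell
#!/bin/sh
# Added audit example (not from the original answers).
# Function names are hypothetical; paths are the ones quoted on this page.

# Print the effective UsePrivilegeSeparation value from an sshd_config file.
# sshd keeps the first value it reads for a keyword, and keywords are
# case-insensitive, so stop at the first uncommented match.
privsep_mode() {
    awk '
        /^[ \t]*#/ { next }
        tolower($1) == "useprivilegeseparation" { print tolower($2); found = 1; exit }
        END { if (!found) print "unset" }
    ' "$1"
}

# List anything that lives inside the privilege-separation chroot directory.
chroot_leftovers() {
    find "$1" -mindepth 1 2>/dev/null
}

# Return 0 when the config still asks for the sandbox and the chroot is empty.
audit_privsep() {
    config=$1; dir=$2; status=0
    mode=$(privsep_mode "$config")
    if [ "$mode" != "sandbox" ]; then
        echo "WARN: $config: UsePrivilegeSeparation is '$mode', not 'sandbox'"
        status=1
    fi
    leftovers=$(chroot_leftovers "$dir")
    if [ -n "$leftovers" ]; then
        echo "WARN: $dir should be empty but contains:"
        echo "$leftovers" | sed 's/^/  /'
        status=1
    fi
    return "$status"
}

# Run only when called with arguments, e.g.:
#   sh audit.sh /usr/local/etc/sshd_config /var/empty
if [ "$#" -eq 2 ]; then
    audit_privsep "$1" "$2"
fi
```

A non-zero exit status means at least one of the two debugging changes is still in place.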

Solution 2:

I've fixed this problem in MacPorts' sshd by porting a patch from Apple's sshd (which can be found at http://opensource.apple.com/source/OpenSSH/OpenSSH-186/). Apple moved the function that calls sandbox_init(3) (which calls dlopen(3) internally) before the chroot(2) call that would make loading the library fail.

The required patches are

  • http://trac.macports.org/browser/trunk/dports/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff,
  • http://trac.macports.org/browser/trunk/dports/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff and
  • putting http://trac.macports.org/browser/trunk/dports/net/openssh/files/org.openssh.sshd.sb into the location referenced in the first patch.

and openssh needs to be built with -D__APPLE_SANDBOX_NAMED_EXTERNAL__ in the preprocessor flags.

The failure to authenticate with passwords is because OS X doesn't support the required library functions to do that without using PAM. Setting UsePAM yes in your sshd_config should work (as should applying http://trac.macports.org/browser/trunk/dports/net/openssh/files/pam.patch, which changes the default to enabling PAM).