ssh fails: image not found [preauth]
When I try to SSH to my computer, ssh fails with this error:
Mothership:~ kuyan$ ssh kuyan@localhost
Connection closed by ::1
This also happens when I attempt to SSH to my user from another computer. This message appears in Console when I attempt to connect:
12/12/12 3:44:30.468 PM sshd[2576]: fatal: ssh_sandbox_child: sandbox_init: dlopen(/usr/lib/libsandbox.1.dylib, 261): image not found [preauth]
Relevant information:
- I'm using a different version of sshd than OS X provides, installed via brew install openssh, but this error occurs with both versions.
- /usr/lib/libsandbox.1.dylib exists:
Mothership:~ kuyan$ ls /usr/lib/libsandbox*
/usr/lib/libsandbox.1.dylib /usr/lib/libsandbox.dylib
- Here's my /etc/sshd_config. The relevant line seems to be UsePrivilegeSeparation: when uncommented and set to yes instead of sandbox, everything works A-OK.
- Though I'm not using MacPorts, the error I'm getting is essentially the one here.
- sshd version: OpenSSH_6.1p1, OpenSSL 0.9.8r 8 Feb 2011
Solution 1:
dtruss shows:
2892/0xdc8e: stat64("/usr/lib/libsandbox.1.dylib\0", 0x7FFF500DA5F0, 0x7FFF500DB500) = -1 Err#2
which is ENOENT (No such file or directory) and the reason is probably that chroot already happened. If you are so foolish as to experiment by
sudo mkdir -p /var/empty/usr/lib
sudo cp /usr/lib/libsandbox.1.dylib /var/empty/usr/lib
You will move the crash to the next shlib not under /var/empty/
sshd[3256]: fatal: ssh_sandbox_child: sandbox_init: dlopen (/usr/lib/libsandbox.1.dylib, 261):
Library not loaded: /usr/lib/libsqlite3.dylib\\n Referenced from: /usr/lib/libsandbox.1.dylib\\n Reason: image not found [preauth]
If you persist with this madness
sudo cp /usr/lib/libsqlite3.dylib /usr/lib/libMatch.1.dylib /var/empty/usr/lib/
sshd will start to work again, at least for SSH keys; passwords still don't work.
You can also edit /usr/local/etc/sshd_config, changing
UsePrivilegeSeparation sandbox
into
UsePrivilegeSeparation yes
But outside of debugging purposes I don't suggest trying any of this.
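A check for hosts where the debugging workarounds from Solution 1 were left in place, as an added example that is not part of either answer: it reads the effective UsePrivilegeSeparation value (sshd uses the first value it obtains for a keyword) and lists anything left in the privilege-separation chroot directory. The function names, the sample config and the temporary directory standing in for /var/empty are assumptions made for the example.

```python
import os
import re
import tempfile

# Constructed sample config (not the asker's file): the first uncommented value wins.
SAMPLE_CONFIG = """\
Port 22
#UsePrivilegeSeparation sandbox
UsePrivilegeSeparation yes
UsePrivilegeSeparation sandbox
"""

def effective_option(config_text, keyword):
    """Return the global value sshd would use for keyword, or None if unset."""
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        if m.group(1).lower() == "match":
            break  # global section ends at the first Match block
        if m.group(1).lower() == keyword.lower():  # keywords are case-insensitive
            return m.group(2).strip().strip('"')
    return None

def audit(config_text, chroot_dir):
    """List leftovers of the two workarounds: weaker privsep mode, files in the chroot."""
    findings = []
    mode = effective_option(config_text, "UsePrivilegeSeparation")
    # Unset means the build's default applies, which this script cannot know.
    if mode is not None and mode.lower() != "sandbox":
        findings.append(f"UsePrivilegeSeparation is '{mode}', not 'sandbox'")
    leftovers = sorted(
        os.path.relpath(os.path.join(root, name), chroot_dir)
        for root, dirs, files in os.walk(chroot_dir)
        for name in dirs + files
    )
    if leftovers:
        findings.append("privsep chroot is not empty: " + ", ".join(leftovers))
    return findings

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:  # stands in for /var/empty
        os.makedirs(os.path.join(d, "usr", "lib"))
        open(os.path.join(d, "usr", "lib", "libsandbox.1.dylib"), "w").close()
        for finding in audit(SAMPLE_CONFIG, d):
            print("FINDING:", finding)
```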
Solution 2:
I've fixed this problem in MacPorts' sshd by porting a patch from Apple's sshd (which can be found at http://opensource.apple.com/source/OpenSSH/OpenSSH-186/). Apple moved the function that calls sandbox_init(3) (which calls dlopen(3) internally) before the chroot(2) call that would make loading the library fail.
The required patches are
- http://trac.macports.org/browser/trunk/dports/net/openssh/files/patch-sandbox-darwin.c-apple-sandbox-named-external.diff,
- http://trac.macports.org/browser/trunk/dports/net/openssh/files/patch-sshd.c-apple-sandbox-named-external.diff and
- putting http://trac.macports.org/browser/trunk/dports/net/openssh/files/org.openssh.sshd.sb into the location referenced in the first patch.
and openssh needs to be built with -D__APPLE_SANDBOX_NAMED_EXTERNAL__ in the preprocessor flags.
The failure to authenticate with passwords is because OS X doesn't support the required library functions to do that without using PAM. Setting UsePAM yes in your sshd_config should work (as should applying http://trac.macports.org/browser/trunk/dports/net/openssh/files/pam.patch, which changes the default to enabling PAM).