ssh‐specific and passwordless login (as required by znapzend) - xenophon61/Znapzend-recipes-for-mixed-MacOS-Linux-environment GitHub Wiki

It seems that MacOS clients only accept ssh keys of the ed25519 type (apparently higher security than plain RSA). For this reason, one must set up passwordless login using such a key, as follows:

ssh-keygen -t ed25519
ssh-copy-id -i ~/.ssh/id_ed25519 [username]@[MacOS remote hostname].local
ssh-copy-id -i ~/.ssh/id_ed25519 root@[MacOS remote hostname]

... and then test the connection using ssh (add the -v flag to verify which key was used).

An empirical observation

Say you have been connecting all along with plain RSA keys and are now using the ed25519 key. A situation may arise where ~/.ssh/known_hosts has multiple keys and the znapzend daemon throws "Permission denied (publickey,password,keyboard-interactive)" errors.

It's probably best to clean things up by removing the keys. This should be done both in your user's .ssh directory and, after issuing a sudo su, in root's .ssh directory, as follows:

ssh-keygen -f ~/.ssh/known_hosts -R [localhostname]

Then, recreate the key, say as root, but also under the user running znapzend:

sh-3.2# ssh-keygen -t ed25519
sh-3.2# ssh-copy-id -i ~/.ssh/id_ed25519.pub [username]@[remotehost]

This procedure works nicely in MacOS Sonoma, for a remote Sonoma host.

Additional notes are provided in the "Captain's log" and "Appendix" sections:

  • for example, one must set up an ~/.ssh/environment in MacOS targets

  • there must be an "environment" file under ~/.ssh in a target MacOS machine for it to accept znapzend connections

  • this way, an ssh environment (that includes $PATH) is provided when connecting

  • here's what it may contain

PATH=/usr/local/bin:/usr/local/sbin:/usr/local/bin:/System/Cryptexes/App/usr/bin:/usr/bin:/bin:/usr/sbin:/sbin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/local/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/bin:/var/run/com.apple.security.cryptexd/codex.system/bootstrap/usr/appleinternal/bin:/usr/local/zfs/bin

Reference: https://github.com/oetiker/znapzend/issues/327 and https://superuser.com/questions/1484960/set-path-when-ssh-into-macos
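
An added example, not from the original wiki or the znapzend project: a shell function that lints an ~/.ssh/environment file before it is deployed to a target, flagging PATH entries that are unexpanded (sshd takes the value literally, so $PATH is not substituted), empty or relative, or duplicated, and checking that the ZFS binary directory from the PATH above is present. The function name, the finding labels and the sample file are constructed for illustration; note that sshd reads this file only when PermitUserEnvironment is enabled in sshd_config.

```shell
#!/bin/sh
# check_ssh_environment FILE REQUIRED_DIR   (hypothetical helper name)
# Prints one finding per line. Returns 1 on an error-level finding
# (file unreadable, no PATH, unexpanded/relative/empty entry, required
# directory absent); a DUPLICATE entry is reported but is not an error.
# Lines other than PATH= (comments, other variables) are ignored.
check_ssh_environment() {
    env_file=$1
    required_dir=$2
    if [ ! -r "$env_file" ]; then
        echo "MISSING_FILE $env_file"
        return 1
    fi
    awk -v need="$required_dir" '
        /^PATH=/ { path = substr($0, 6); have_path = 1 }
        END {
            if (!have_path) { print "NO_PATH"; exit 1 }
            bad = 0
            # The file is not shell: "$PATH" or "~" would be used as-is.
            if (path ~ /[$~]/) { print "UNEXPANDED " path; bad = 1 }
            n = split(path, dirs, ":")
            for (i = 1; i <= n; i++) {
                d = dirs[i]
                # An empty or relative entry resolves against the current
                # directory, which is unsafe for a root session.
                if (d !~ /^\//) { print "NOT_ABSOLUTE [" d "]"; bad = 1 }
                else if (seen[d]++) { print "DUPLICATE " d }
                if (d == need) found = 1
            }
            if (!found) { print "REQUIRED_DIR_ABSENT " need; bad = 1 }
            exit bad
        }' "$env_file"
}

# Constructed sample: a duplicate entry and an unexpanded $PATH reference.
sample=$(mktemp)
printf '%s\n' '# constructed sample' \
    'PATH=/usr/local/bin:/usr/bin:/usr/local/bin:$PATH' > "$sample"
check_ssh_environment "$sample" /usr/local/zfs/bin \
    || echo "environment file needs fixing"
rm -f "$sample"
```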

References

  • a Medium article detailing the procedure to obtain an ed25519 key