remote login -- SSH access denied
jonescc1
01-31-2002, 06:42 PM
Please offer advice on setting up the SSH server.
I have followed the instructions to enable SSH by checking "Allow remote login" in System Preferences. Using an SSH client, I can tell that the SSH server is running because the connection is accepted. However, I get the error "Access denied" when the password is entered. This happens with several users, so it does not seem to be a password issue with a user. Is there a configuration step that I missed for SSH? Do we need to generate keys?
Thanks for any advice.
mervTormel
01-31-2002, 07:03 PM
yep. generate keys...
at least, for starters, it might get you further along...
% man ssh-keygen
ssh-keygen - authentication key generation, management and conversion
% ssh-keygen
Generating public/private rsa1 key pair.
Enter file in which to save the key (/Users/user/.ssh/identity):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /Users/user/.ssh/identity.
Your public key has been saved in /Users/user/.ssh/identity.pub.
The key fingerprint is:
xxx user@host
jonescc1
01-31-2002, 07:25 PM
Thanks for your help. Of course a little information and research causes more questions...
So I need to generate a key for each user that will log in, or just a host key? From what I understand about SSH I thought the server would just need a server key, but where should this be saved? Does it matter who I am logged in to the server as when I create the server (host) key?
Then each client would generate their own key on their machine, and the server and client will exchange public keys when the connection is made?
mervTormel
01-31-2002, 07:43 PM
jones, this is a hint site, not a magical answer kiosk ;]
i think it might be easier than your queries, but i may be wrong.
generate the key on the remote host, and ssh from local host...
% ssh 192.168.1.54
The authenticity of host '192.168.1.54 (192.168.1.54)' can't be established.
RSA key fingerprint is xxx.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.54' (RSA) to the list of known hosts.
user@192.168.1.54's password:
Welcome to Darwin!
remotehost:~ user % _
edit: sorry, this flew out of my original post:
from the ssh-keygen man page
Normally each user wishing to use SSH with RSA or DSA authentication runs
this once to create the authentication key in $HOME/.ssh/identity,
$HOME/.ssh/id_dsa or $HOME/.ssh/id_rsa. Additionally, the system
administrator may use this to generate host keys, as seen in /etc/rc.
now, someone's going to have to tell me if this [ want to continue? yes ] is secure or have i just thwarted ssh and telnet'd unsecurely.
mervTormel
01-31-2002, 09:13 PM
so, i got curious about my ssh session, and ran ssh verbosely:
it blathers on about going about its duties pretty good, e.g., ...
% ssh -v 192.168.1.54
OpenSSH_2.9.9p2, SSH protocols 1.5/2.0, OpenSSL 0x0090602f
debug1: Reading configuration data /sw/etc/ssh/ssh_config
debug1: Seeding random number generator
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: restore_uid
debug1: ssh_connect: getuid 0 geteuid 0 anon 1
debug1: Connecting to 192.168.1.54 [192.168.1.54] port 22.
debug1: restore_uid
debug1: restore_uid
debug1: Connection established.
...
one of the more interesting things is 'Rhosts Authentication disabled, originating port will not be trusted'
anyone know if that's referring to the absence of the /etc/rhosts file? and, i presume, is a non-problem on OSX, in this regard, anyway.
TIA
-mt
tncook
02-04-2002, 11:51 AM
In OSX server when you create users you must select a shell for that user. By default "none" is selected. In client all users by default have SSH access and use tcsh if the service is running.
there is no need to set up anything else. The host keys are already generated.
jonescc1
02-07-2002, 02:56 PM
Problem solved! I assigned shells to each user (under the Advanced option in Add/Maintain Users) and we are now able to log in.
We did not have to generate keys, either on the server or on the clients.
Thanks for all the hints.
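
Added example (not part of the original thread): a shell check for the cause found here, accounts whose login shell is unset to "none", missing, or not executable. It assumes account records are available as passwd(5)-format lines on stdin; the function names, the UID threshold of 500 and the sample accounts are constructed for illustration.

```sh
#!/bin/sh
# Added example: flag accounts whose login shell would block an SSH session.
# Input on stdin: passwd(5)-format lines  name:pw:uid:gid:gecos:home:shell
# Output: name<TAB>shell<TAB>reason, one line per flagged account.

audit_login_shells() {
    min_uid=${1:-500}   # assumption: regular users start above this UID
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        case $name in ''|\#*) continue ;; esac          # blank line or comment
        case $uid in ''|*[!0-9]*) continue ;; esac      # malformed UID
        [ "$uid" -ge "$min_uid" ] || continue           # skip system accounts
        [ -n "$shell" ] || continue                     # empty field = default shell
        reason=
        case $shell in
            */false|*/nologin|/dev/null)
                reason="non-login shell" ;;
            *)
                if [ ! -f "$shell" ] || [ ! -x "$shell" ]; then
                    reason="shell missing or not executable"
                fi ;;
        esac
        if [ -n "$reason" ]; then
            printf '%s\t%s\t%s\n' "$name" "$shell" "$reason"
        fi
    done
    return 0
}

# Constructed sample accounts (not taken from the thread).
sample_passwd() {
    cat <<'EOF'
root:*:0:0:System Administrator:/var/root:/bin/sh
alice:*:501:20:Alice:/Users/alice:/bin/sh
bob:*:502:20:Bob:/Users/bob:/usr/bin/false
carol:*:503:20:Carol:/Users/carol:/nonexistent/tcsh
dave:*:504:20:Dave:/Users/dave:
EOF
}

sample_passwd | audit_login_shells 500
```

Run against real account data, any user it lists needs a valid shell assigned before password or key problems are worth investigating.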