Bug 37674 - "Could not authenticate the user using the existing ssh keys" warning message could be more descriptive for the particular case where the user home folder on the Mac has incorrect permissions
Alias: None
Product: Visual Studio Extensions
Classification: Xamarin
Component: iOS ()
Version: 4.0.0 (C6)
Hardware: PC Windows
: --- normal
Target Milestone: 4.1.0 (C7)
Assignee: Brendan Zagaeski (Xamarin Team, assistant)
Depends on:
Reported: 2016-01-14 03:37 UTC by Brendan Zagaeski (Xamarin Team, assistant)
Modified: 2016-04-27 19:45 UTC (History)

Is this bug a regression?: ---
Last known good build:

Minimal console test app for key-based authentication (4.66 KB, application/zip)
2016-01-14 03:53 UTC, Brendan Zagaeski (Xamarin Team, assistant)


Description Brendan Zagaeski (Xamarin Team, assistant) 2016-01-14 03:37:27 UTC
"Could not authenticate the user using the existing ssh keys" warning message could be more descriptive for the particular case where the user home folder on the Mac has incorrect permissions

This is a direct follow-up to Bug 37600 (and Bug 36050).

## Steps to replicate

1. Start with a Mac and Windows PC that are already set up so that Visual Studio can pair, build, and deploy successfully to iOS simulator.

2. On the Mac, add write permissions for "other" or "group" (or both) on the home directory:

    chmod og+w "$HOME"

3. Attempt to build and deploy an iOS application project to the iOS simulator. (You will be prompted for your Mac password again during the initial connection.)

## Results using the latest development builds that add some improved error messages

### On the Windows side

The diagnostic build output and the Error List show the following 2 messages:

> warning : Could not authenticate the user using the existing ssh keys
> error : Unable to connect to Address='' with User='macuser'

### On the Mac side

One of the messages in the `/var/log/system.log` file explains why the SSH keys were refused:

> sshd[14826]: Authentication refused: bad ownership or modes for directory /Users/macuser

## Possible improvements

Because this particular cause of the problem has proven to be fairly common for customers (see Bug 36050), it might be appropriate to add an additional check for this specific cause so that a more specific message can be displayed.

There are a few different ways the test could be done. I think a direct approach for just this _one_ permissions problem would be fine. (Trying to cover all the various ways `sshd` could possibly fail during a key-based authentication is definitely not a requirement.)

So the steps could be something like:

1. Check if the user home directory on Mac has write permissions enabled for "other" or "group" during the initial password-based authorization.

2. Fail with an error message if the permissions are wrong. Maybe just borrow some of the `sshd` error text and add that to the existing message:

> Could not authenticate the user using the existing ssh keys: bad ownership or
> modes for directory /Users/macuser

(Of course the original shorter message would still be appropriate in some other failure scenarios, so the fix should not be just to change the wording of that original message.)

## Version info (brief)

- XamarinVS (78089e0) 
- XamarinVS master (bae9845)

Comment 1 Brendan Zagaeski (Xamarin Team, assistant) 2016-01-14 03:53:17 UTC
Created attachment 14580 [details]
Minimal console test app for key-based authentication

I am adding this small tool on the bug just in case it might come in handy.

This is a modified version of the minimal SSHConsoleApp from the build host connectivity troubleshooting guide [1]. This modified version attempts to use the saved SSH key that Xamarin creates during the initial password-based authentication.

This might be useful as an extra troubleshooting test if the "Could not authenticate the user using the existing ssh keys" message causes trouble in a future situation where the home directory permissions are _not_ the problem.

[1] http://developer.xamarin.com/guides/ios/getting_started/installation/windows/xamarin-mac-agent/xma-troubleshooting/

Comment 3 mag@xamarin.com 2016-01-26 19:04:49 UTC
The exception handling for SSH authentication on XMA has been improved, and also this particular permission issue has been addressed.

The improvements have been introduced on the master branch since commits:

 - fix: 68ae5112d6cbcafb292648c80d893d37b7db816f
 - merge: 873539a0d61cb32d214c6dfc9ccddd08d03ac6ec

Comment 4 mag@xamarin.com 2016-03-02 15:00:03 UTC
As mentioned in the previous comment, the exception handling and connection error messages have been improved, and now we have more messages.

However, we have no way of knowing if the SSH authentication failed for this particular user permissions issue.

We use the SSH.net library to authenticate, and the exception that comes when an authentication failure occurs is not very descriptive, and it's also always the same exception type.

So, we are being as clear as possible with the information that the underlying SSH.net library provides.

In this case, we can identify if the authentication error is related to user credentials or to SSH keys. The error messages that we are showing are:

* User Credentials error:
 - Message: "Invalid credentials. Please try again"
 - Tooltip: "Please make sure that the credentials used matches what is shown in the Remote Login dialog on the Mac"

* SSH Keys error:
 - Message: "Unable to authenticate with SSH keys. Please try to log in with credentials first"
 - Tooltip: "Please make sure that the host environment is properly configured for using SSH authentication"

Comment 5 Miha Markic 2016-03-15 17:06:41 UTC
I'm getting this exception (by using Brendan's project): Permission denied (publickey).

Comment 6 Brendan Zagaeski (Xamarin Team, assistant) 2016-03-16 05:11:55 UTC
For details about which particular file or directory on the Mac has incorrect permissions, you can try the following steps on the Mac shortly after you see the error:

1. Run the following command in a Terminal.app command prompt:

    grep sshd /var/log/system.log > "$HOME/Desktop/sshd.log"

2. Open the `sshd.log` file from your Desktop.

3. Look for "Authentication refused: bad ownership or modes".

If those steps do not reveal the problem, please file a new bug report [1] that includes that `sshd.log` log file and a description of the particular issues you're seeing in Visual Studio. Thanks!

[1] https://bugzilla.xamarin.com/newbug
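
A pre-flight check along the lines proposed in the description and in Comment 6, as an added example that is not part of the original bug report or of Xamarin's code: it flags group- or other-writable modes and wrong ownership, the conditions behind sshd's "bad ownership or modes" refusal. Covering `~/.ssh` and `authorized_keys` as well as the home directory goes beyond the case reported here; the function names are hypothetical and the output wording is modelled on the sshd message quoted above.

```sh
#!/bin/sh
# Added example (hypothetical helper, not Xamarin code): report the paths
# that would make sshd refuse key-based authentication because of loose
# permissions or unexpected ownership.

# insecure_mode PATH: succeeds if PATH is group- or other-writable.
# -H follows a symlinked start path; -prune keeps find from descending.
insecure_mode() {
    [ -n "$(find -H "$1" -prune \( -perm -020 -o -perm -002 \) 2>/dev/null)" ]
}

# bad_owner PATH UID: succeeds if PATH is owned by neither UID nor root (0).
bad_owner() {
    [ -z "$(find -H "$1" -prune \( -user "$2" -o -user 0 \) 2>/dev/null)" ]
}

# check_ssh_key_paths HOME_DIR UID
# Prints one line per offending path and returns 1 if any was found.
check_ssh_key_paths() {
    home=$1
    uid=$2
    status=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        # A missing path is a different failure (key never installed).
        [ -e "$p" ] || continue
        if [ -d "$p" ]; then kind=directory; else kind=file; fi
        if insecure_mode "$p" || bad_owner "$p" "$uid"; then
            echo "bad ownership or modes for $kind $p"
            status=1
        fi
    done
    return $status
}

# When run as a script with a directory argument, check that directory:
#   sh check_ssh_perms.sh "$HOME"
if [ $# -ge 1 ]; then
    check_ssh_key_paths "$1" "${2:-$(id -u)}"
fi
```

Any path it reports can be corrected with `chmod og-w` on that path, the inverse of the `chmod og+w` used in the steps to replicate.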
Comment 7 Miha Markic 2016-03-16 07:12:37 UTC
Hi Brendan,

I solved it by myself eventually. The problem was that the public key wasn't written to authorized_keys on Mac, and Xamarin failed to "cat" it there due to permission denied (my authorized_keys file is read-only).

I think the exact mechanism could be better documented. Also, isn't this way a bit problematic from a security perspective? I mean an app writing public keys into authorized_keys without a clear warning and using a password-less private key?

Comment 8 Brendan Zagaeski (Xamarin Team, assistant) 2016-04-27 19:45:27 UTC
Updating target milestone for verification. (The commit from Comment 3 is included in Cycle 7, but it was not included in any of the Cycle 6 Service Releases.)

(Side note related to Comment 7: Cycle 7 also adds encryption of the private key file.)