"Could not authenticate the user using the existing ssh keys" warning message could be more descriptive for the particular case where the user home folder on the Mac has incorrect permissions
This is a direct follow-up to Bug 37600 (and Bug 36050).
## Steps to replicate
1. Start with a Mac and Windows PC that are already set up so that Visual Studio can pair, build, and deploy successfully to iOS simulator.
2. On the Mac, add write permissions for "other" or "group" (or both) on the home directory:
   `chmod og+w "$HOME"`
3. Attempt to build and deploy an iOS application project to the iOS simulator. (You will be prompted for your Mac password again during the initial connection.)
## Results using the latest development builds that add some improved error messages
### On the Windows side
The diagnostic build output and the Error List show the following 2 messages:
> warning : Could not authenticate the user using the existing ssh keys
> error : Unable to connect to Address='192.168.1.56:22' with User='macuser'
### On the Mac side
One of the messages in `/var/log/system.log` file explains why the SSH keys were refused:
> sshd: Authentication refused: bad ownership or modes for directory /Users/macuser
## Possible improvements
Because this particular cause of the problem has proven to be fairly common for customers (see Bug 36050), it might be appropriate to add an additional check for this specific cause so that a more specific message can be displayed.
There are a few different ways the test could be done. I think a direct approach for just this _one_ permissions problem would be fine. (Trying to cover all the various ways `sshd` could possibly fail during a key-based authentication is definitely not a requirement.)
So the steps could be something like:
1. Check if the user home directory on Mac has write permissions enabled for "other" or "group" during the initial password-based authorization.
2. Fail with an error message if the permissions are wrong. Maybe just borrow some of the `sshd` error text and add that to the existing message:
> Could not authenticate the user using the existing ssh keys: bad ownership or
> modes for directory /Users/macuser
(Of course the original shorter message would still be appropriate in some other failure scenarios, so the fix should not be just to change the wording of that original message.)
## Version info (brief)
- XamarinVS (78089e0)
- XamarinVS master (bae9845)
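
The check proposed under "Possible improvements", sketched as an added example that is not part of the original report or of Xamarin's code. It goes beyond the home-directory case to also cover `~/.ssh` and `authorized_keys`, which `sshd` checks the same way under `StrictModes`; the function names are hypothetical and the output wording is modeled on the `sshd` message quoted above.

```shell
#!/bin/sh
# Added example: pre-flight check for the paths sshd refuses key
# authentication on when their ownership or modes are too loose.

# check_path PATH UID (hypothetical helper)
# Prints an sshd-style reason and returns 1 if PATH is writable by group
# or other, or is owned by someone other than UID or root.
check_path() {
    path=$1 uid=$2
    [ -e "$path" ] || return 0   # a missing path is not a mode problem
    # -prune keeps find from descending; -L follows a symlinked path.
    bad=$(find -L "$path" -prune \( -perm -020 -o -perm -002 \
          -o \( ! -user "$uid" ! -user 0 \) \) -print)
    if [ -n "$bad" ]; then
        kind=file
        if [ -d "$path" ]; then kind=directory; fi
        echo "bad ownership or modes for $kind $path"
        return 1
    fi
    return 0
}

# check_ssh_key_paths HOME_DIR [UID] (hypothetical helper)
# Checks the home directory, ~/.ssh and authorized_keys in that order and
# returns 1 if any of them would make sshd refuse the key.
check_ssh_key_paths() {
    home=$1 uid=${2:-$(id -u)} rc=0
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || rc=1
    done
    return $rc
}

# Stand-alone use: sh check.sh "$HOME"
if [ "$#" -gt 0 ]; then
    check_ssh_key_paths "$1"
fi
```
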
Created attachment 14580
Minimal console test app for key-based authentication
I am adding this small tool on the bug just in case it might come in handy.
This is a modified version of the minimal SSHConsoleApp from the build host connectivity troubleshooting guide. This modified version attempts to use the saved SSH key that Xamarin creates during the initial password-based authentication.
This might be useful as an extra troubleshooting test if the "Could not authenticate the user using the existing ssh keys" message causes trouble in a future situation where the home directory permissions are _not_ the problem.
The exception handling for SSH authentication on XMA has been improved, and also this particular permission issue has been addressed.
The improvements have been introduced on the master branch since commits:
- fix: 68ae5112d6cbcafb292648c80d893d37b7db816f
- merge: 873539a0d61cb32d214c6dfc9ccddd08d03ac6ec
As mentioned in the previous comment, the exception handling and connection error messages have been improved, and now we have more messages.
However, we have no way of knowing if the SSH authentication failed for this particular user permissions issue.
We use the SSH.net library to authenticate, and the exception that comes when an authentication failure occurs is not very descriptive, and it's also always the same exception type.
So, we are being as clear as possible with the information that the underlying SSH.net library provides.
In this case, we can identify if the authentication error is related to user credentials or to SSH keys. The error messages that we are showing are:
* User Credentials error:
  - Message: "Invalid credentials. Please try again"
  - Tooltip: "Please make sure that the credentials used matches what is shown in the Remote Login dialog on the Mac"
* SSH Keys error:
  - Message: "Unable to authenticate with SSH keys. Please try to log in with credentials first"
  - Tooltip: "Please make sure that the host environment is properly configured for using SSH authentication"
I'm getting this exception (by using Brendan's project): Permission denied (publickey).
For details about which particular file or directory on the Mac has incorrect permissions, you can try the following steps on the Mac shortly after you see the error:
1. Run the following command in a Terminal.app command prompt:
   `grep sshd /var/log/system.log > "$HOME/Desktop/sshd.log"`
2. Open the `sshd.log` file from your Desktop.
3. Look for "Authentication refused: bad ownership or modes".
If those steps do not reveal the problem, please file a new bug report that includes that `sshd.log` log file and a description of the particular issues you're seeing in Visual Studio. Thanks!
I solved it by myself eventually. The problem was that the public key wasn't written to authorized_keys on Mac, and Xamarin failed to "cat" it there due to permission denied (my authorized_keys file is read-only).
I think the exact mechanism could be better documented. Also, isn't this way a bit problematic from a security perspective? I mean an app writing public keys into authorized_keys without a clear warning and using a password-less private key?
Updating target milestone for verification. (The commit from Comment 3 is included in Cycle 7, but it was not included in any of the Cycle 6 Service Releases.)
(Side note related to Comment 7: Cycle 7 also adds encryption of the private key file.)