SFTP doesn't work on 10.12


Moderator: Mr_Noodle

SFTP doesn't work on 10.12 Sun Aug 20, 2017 1:16 pm • by nriley
I recently upgraded from 10.10 to 10.12 on a Mac with Hazel, and my rules which copy items using SFTP stopped working. I can't get Hazel to either use a password or an SSH key to authenticate any more.

I think macOS has changed where/how it stores SSH passphrases in the keychain recently, so it might be related, but I can't use a password either!

This is what I get in the log with my existing rule:
Code:
2017-08-20 12:59:47.073 HazelHelper[499] Error reading keyfile file://localhost/Users/nicholas/.ssh/id_dsa: Error Domain=NSCocoaErrorDomain Code=260 "The file “id_dsa” couldn’t be opened because there is no such file." UserInfo={NSFilePath=/Users/nicholas/.ssh/id_dsa, NSUnderlyingError=0x610000652690 {Error Domain=NSPOSIXErrorDomain Code=2 "No such file or directory"}}

This refers to an old DSA key which I retired since you're not supposed to use them any more...

If I edit the server and try to specify a password, I get:
Error connecting to [server]
The folder “~” could not be accessed. The operation couldn’t be completed. (NSURLErrorDomain error -1012.)

When I try to specify my SSH key, in addition to the above I get:
Code:
2017-08-20 13:01:39.470 HazelHelper[499] Unable to retrieve generic password for /Users/nicholas/.ssh/id_rsa for SSH: -25300 - Error Domain=NSOSStatusErrorDomain Code=-25300 "errKCItemNotFound / errSecItemNotFound:  / The item cannot be found."

The keychain item is definitely there:
Code:
% security find-generic-password -a '/Users/nicholas/.ssh/id_rsa'
keychain: "/Users/nicholas/Library/Keychains/login.keychain-db"
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="SSH: /Users/nicholas/.ssh/id_rsa"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="/Users/nicholas/.ssh/id_rsa"

However it looks like the passphrase can't be accessed except by OpenSSH itself (and Keychain Access, though it's somewhat special!):
[Image]
I'm unclear as to exactly how Hazel is trying to SFTP but these problems seem like they might go away if it just uses the built-in SSH and/or ssh-agent... as is, I can't get things to work at all.

Thanks,

—Nicholas
nriley
 
Posts: 19
Joined: Mon Sep 12, 2011 1:19 pm

Re: SFTP doesn't work on 10.12 Mon Aug 21, 2017 10:49 am • by Mr_Noodle
I suggest removing the keychain entry and then trying to connect in Hazel again. That will re-construct the keychain entry with the proper access restrictions for Hazel. Give that a shot and report back.
Mr_Noodle
Site Admin
 
Posts: 11255
Joined: Sun Sep 03, 2006 1:30 am
Location: New York City

Re: SFTP doesn't work on 10.12 Sun Sep 03, 2017 10:22 pm • by nriley
Mr_Noodle wrote: I suggest removing the keychain entry and then trying to connect in Hazel again. That will re-construct the keychain entry with the proper access restrictions for Hazel. Give that a shot and report back.


OK, I deleted both keychain items which referenced id_rsa and tried to connect in Hazel again. I still get the same error, but now with a few more things in the log:

Code:
default   22:19:48.442028 -0400   HazelHelper   0x600000a77e40 opened /Users/nicholas/Library/Keychains/login.keychain-db: 4386988 bytes
default   22:19:48.444657 -0400   HazelHelper   0x600000a73d80 opened /Users/nicholas/Library/Keychains/1Password.keychain: 20460 bytes
default   22:19:48.448153 -0400   HazelHelper   skipping upgrade for locked keychain /Users/nicholas/Library/Keychains/1Password.keychain
default   22:19:48.448301 -0400   HazelHelper   0x61000106bdc0 opened /Users/nicholas/Library/Keychains/VIPAccess.keychain: 22152 bytes
default   22:19:48.451323 -0400   HazelHelper   skipping upgrade for locked keychain /Users/nicholas/Library/Keychains/VIPAccess.keychain
default   22:19:48.451512 -0400   HazelHelper   0x610000c73840 opened /Library/Keychains/System.keychain: 84944 bytes
default   22:19:49.001739 -0400   HazelHelper   Error loading contents of URL sftp://[...]/: Error Domain=NSURLErrorDomain Code=-1012 "The folder “temp” could not be accessed. The operation couldn’t be completed. (NSURLErrorDomain error -1012.)" UserInfo={NSLocalizedDescription=The folder “temp” could not be accessed. The operation couldn’t be completed. (NSURLErrorDomain error -1012.)}
default   22:19:59.502782 -0400   HazelHelper   0x61800087b240 opened /Users/nicholas/Library/Keychains/1Password.keychain: 20460 bytes
default   22:19:59.505627 -0400   HazelHelper   skipping upgrade for locked keychain /Users/nicholas/Library/Keychains/1Password.keychain
default   22:19:59.505731 -0400   HazelHelper   0x6180008647c0 opened /Users/nicholas/Library/Keychains/VIPAccess.keychain: 22152 bytes
default   22:19:59.508306 -0400   HazelHelper   skipping upgrade for locked keychain /Users/nicholas/Library/Keychains/VIPAccess.keychain
default   22:19:59.508410 -0400   HazelHelper   0x610000e79d00 opened /Library/Keychains/System.keychain: 84944 bytes


Are you able to connect via SFTP with both a password and an SSH key?

Nicholas
nriley
 
Posts: 19
Joined: Mon Sep 12, 2011 1:19 pm

Re: SFTP doesn't work on 10.12 Tue Sep 05, 2017 11:00 am • by Mr_Noodle
Yes. Click on the lock icon to select the key file and enter the passphrase for the key.

The logs show that you can't access the "temp" folder on the server. You may want to check the permissions there.
Mr_Noodle
Site Admin
 
Posts: 11255
Joined: Sun Sep 03, 2006 1:30 am
Location: New York City

Re: SFTP doesn't work on 10.12 Sun Sep 17, 2017 10:05 pm • by nriley
Mr_Noodle wrote: Yes. Click on the lock icon to select the key file and enter the passphrase for the key.

The logs show that you can't access the "temp" folder on the server. You may want to check the permissions there.


There is no problem accessing that folder - the error message is misleading and it does not even get that far. I checked on the server - I do not see an attempt to authenticate either via password or public key, regardless of what is specified in Connect to Server in Hazel. It seems Hazel attempts to authenticate with the 'none' method, fails, and gives up. This is the debug output from sshd on the server when Hazel attempts to connect:
Code:
# sshd -D -d -p 2222
debug1: sshd version OpenSSH_6.7, OpenSSL 1.0.1t  3 May 2016
debug1: private host key: #0 type 1 RSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-D'
debug1: rexec_argv[2]='-d'
debug1: rexec_argv[3]='-p'
debug1: rexec_argv[4]='2222'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from <client> port 25805 on <server> port 2222
debug1: Client protocol version 2.0; client software version libssh2_1.4.4_DEV
debug1: no match: libssh2_1.4.4_DEV
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.7p1 Debian-5+deb8u3
debug1: permanently_set_uid: 101/65534 [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug1: kex: client->server aes128-ctr hmac-sha1 none [preauth]
debug1: kex: server->client aes128-ctr hmac-sha1 none [preauth]
debug1: expecting SSH2_MSG_KEXDH_INIT [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user nriley service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
Address <client> maps to <hostname>, but this does not map back to the address - POSSIBLE BREAK-IN ATTEMPT!
debug1: PAM: initializing for "nriley"
debug1: PAM: setting PAM_RHOST to "<client>"
debug1: PAM: setting PAM_TTY to "ssh"
Connection closed by <client> [preauth]
debug1: do_cleanup [preauth]
debug1: monitor_read_log: child log fd closed
debug1: do_cleanup
debug1: PAM: cleanup
debug1: Killing privsep child 8867

Using a client that works, I see something after 'PAM: setting PAM_TTY to "ssh"', starting with:
Code:
debug1: userauth-request for user nriley service ssh-connection method publickey [preauth]

or:
Code:
debug1: userauth-request for user nriley service ssh-connection method password [preauth]
nriley
 
Posts: 19
Joined: Mon Sep 12, 2011 1:19 pm
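
The check described in the post above, as an added example that is not part of the original thread or of Hazel: it reads `sshd -d` output and reports, per connection, which userauth methods the client actually requested. A `none` request is the usual first step a client uses to ask the server for its method list (RFC 4252), so a connection that stops there never offered a credential. The sample log is constructed from the lines quoted above; the second connection and its client banner are invented for contrast, and the verdict names are this example's own.

```python
import re

# Constructed sample modelled on the sshd -d lines quoted in the post above.
# The second connection and its OpenSSH_7.4 banner are invented for contrast.
SAMPLE = """\
Connection from <client> port 25805 on <server> port 2222
debug1: Client protocol version 2.0; client software version libssh2_1.4.4_DEV
debug1: KEX done [preauth]
debug1: userauth-request for user nriley service ssh-connection method none [preauth]
Connection closed by <client> [preauth]
Connection from <client> port 25806 on <server> port 2222
debug1: Client protocol version 2.0; client software version OpenSSH_7.4
debug1: KEX done [preauth]
debug1: userauth-request for user nriley service ssh-connection method none [preauth]
debug1: userauth-request for user nriley service ssh-connection method publickey [preauth]
"""

CONN = re.compile(r"Connection from \S+ port \d+")
CLIENT = re.compile(r"client software version (\S+)")
AUTH = re.compile(r"userauth-request for user (\S+) service \S+ method (\S+)")
CLOSED = re.compile(r"Connection closed by \S+ \[preauth\]")

def summarize(log_text):
    """Return one dict per connection: client banner, auth methods, verdict."""
    sessions, cur = [], None
    for line in log_text.splitlines():
        if CONN.match(line):
            cur = {"client": None, "user": None, "methods": [],
                   "closed_preauth": False}
            sessions.append(cur)
        elif cur is None:
            continue  # lines before the first connection (startup noise)
        elif (m := CLIENT.search(line)):
            cur["client"] = m.group(1)
        elif (m := AUTH.search(line)):
            cur["user"] = m.group(1)
            cur["methods"].append(m.group(2))
        elif CLOSED.match(line):
            cur["closed_preauth"] = True
    for s in sessions:
        offered = [m for m in s["methods"] if m != "none"]
        if not s["methods"]:
            s["verdict"] = "no-userauth"   # ended before any auth request
        elif not offered:
            s["verdict"] = "probe-only"    # asked for methods, sent no credential
        else:
            s["verdict"] = "credential-offered"
    return sessions

if __name__ == "__main__":
    for s in summarize(SAMPLE):
        print(s["client"], s["methods"], s["verdict"])
```

A `probe-only` verdict together with `closed_preauth` points at the client side of the exchange rather than at server-side account or folder permissions.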

Re: SFTP doesn't work on 10.12 Mon Sep 18, 2017 10:22 am • by Mr_Noodle
Do you control the server? If so, you may need to look into the PAM setup there (or turn off PAM for ssh). Also, there seems to be a DNS issue as the server doesn't seem to like that the hostname does not map to the IP address you are connecting from.
Mr_Noodle
Site Admin
 
Posts: 11255
Joined: Sun Sep 03, 2006 1:30 am
Location: New York City

Re: SFTP doesn't work on 10.12 Mon Sep 18, 2017 10:28 am • by nriley
Mr_Noodle wrote: Do you control the server? If so, you may need to look into the PAM setup there (or turn off PAM for ssh). Also, there seems to be a DNS issue as the server doesn't seem to like that the hostname does not map to the IP address you are connecting from.


Yes, I do. Unfortunately I do not control the DNS on the client side (single address for the entire apartment building I live in) and this is just a warning, not an error. I really do not think this is a server-side issue — I log into this server with a multitude of SSH clients from many different platforms without issue and it worked fine *from Hazel* prior to my upgrading on this Mac from 10.10 to 10.12. If it would help I could get you an account to troubleshoot.

Nicholas
nriley
 
Posts: 19
Joined: Mon Sep 12, 2011 1:19 pm

Re: SFTP doesn't work on 10.12 Tue Sep 19, 2017 10:16 am • by Mr_Noodle
Sure, email in to support with details and I can take a look.
Mr_Noodle
Site Admin
 
Posts: 11255
Joined: Sun Sep 03, 2006 1:30 am
Location: New York City

Re: SFTP doesn't work on 10.12 Tue Jan 23, 2024 3:17 pm • by ErikMH
Was this ever resolved?

I ask because I see precisely the same `NSURLErrorDomain error -1012` error with all of my Vultr servers, attempting to log in as root with my id_rsa key, no matter the directory, 100% of the time.

ForkLift and Mountain Duck have no problems with exactly the same settings and key (although Mountain Duck does flake out after a few hours’ use). IIRC, Transmit worked fine too, although it’s been a while since I’ve used it.

SSH using Warp is fine, too.

- Hazel 5.3.1
- MacOS 14.2.1
- Debian bookworm

Thanks!
ErikMH
 
Posts: 36
Joined: Sat Jun 21, 2008 8:49 am
Location: northern Vermont

Re: SFTP doesn't work on 10.12 Tue Jan 23, 2024 3:19 pm • by ErikMH
To clarify, that is the only error I see, and it’s the same whether I use the key or root’s password.
ErikMH
 
Posts: 36
Joined: Sat Jun 21, 2008 8:49 am
Location: northern Vermont

Re: SFTP doesn't work on 10.12 Wed Jan 24, 2024 9:19 am • by nriley
Sorry for the unsatisfying answer but I think we tried to work through this on email and never really got anywhere useful. I rarely need to upload things in this way any more (thanks to the proliferation of attachment support in chat apps) so didn't put a lot of effort into troubleshooting.
nriley
 
Posts: 19
Joined: Mon Sep 12, 2011 1:19 pm

Re: SFTP doesn't work on 10.12 Wed Jan 24, 2024 9:59 am • by Mr_Noodle
Please email/post your logs. Make sure to turn on debug mode and connection logging as described here: https://www.noodlesoft.com/kb/hazel-debug-mode/
Mr_Noodle
Site Admin
 
Posts: 11255
Joined: Sun Sep 03, 2006 1:30 am
Location: New York City

Re: SFTP doesn't work on 10.12 Sun Jan 28, 2024 11:42 am • by ErikMH
Sorry for my own delay in replying. I had been watching my mail inbox for a response, forgetting that support is via this forum.

You might want to update your instructions for accessing Hazel’s preferences: there seems no longer to be a “Preferences...” item in the Hazel menu. Command-, worked fine, however.

I’ve turned on logging. Unfortunately, the error occurs when I try to create the action, not when files are being processed — and no entry is added to the log file. (Well, an error might, of course, be created upon processing — but I can’t get that far.)
ErikMH
 
Posts: 36
Joined: Sat Jun 21, 2008 8:49 am
Location: northern Vermont

Re: SFTP doesn't work on 10.12 Mon Jan 29, 2024 9:37 am • by Mr_Noodle
If it's happening in the UI, you need to check the regular console logs. Do the following:

- Launch Console
- Make sure your machine is selected in the left sidebar under Devices
- Enter Hazel into the search field and press return
- Click the message in the middle of the window to start streaming.
- Replicate the bug
- Send me the log messages that appear.
Mr_Noodle
Site Admin
 
Posts: 11255
Joined: Sun Sep 03, 2006 1:30 am
Location: New York City

