Luis_P
Post subject: Issue with ssh
Posted: 22.11.2010, 18:02
Joined: 2010-09-11
Posts: 171
Location: Barcelona, Spain
Status: Offline
Scenario: a small domestic wired LAN with two computers, my wife's laptop and my desktop, both running aptosid keres (well, actually older releases fully updated). The administrator (myself) tries to connect from his (my) computer to my wife's one for administration tasks. After reading the aptosid manual for ssh, man ssh, man ssh_config and man sshd_config carefully, I changed /etc/sshd_config on the server side (my wife's side) in this way:
Code:
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 192.168.0.3
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 12
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding yes
AllowTcpForwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AllowUsers root lluis
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
When the administrator issues the command, the system refuses to connect:
Code:
root@myxbox:/home/lluis# ssh -X root@192.168.0.2
ssh: connect to host 192.168.0.2 port 22: Connection refused
What is this administrator doing wrong?
Thanks in advance.
Luis_P
slam
Post subject: RE: Issue with ssh
Posted: 22.11.2010, 18:16
Team Member
Joined: 1970-01-01
Posts: 607
Location: w3
Status: Offline
You need to start sshd on the other machine, before accessing it from outside:
Code:
su
/etc/init.d/ssh restart
If either of the machines involved has internet access, you should consider disallowing root login via ssh (instead, become root on the other machine via su after connecting), and authenticating via self-created gpg keys instead of a password. Also do not ssh as root.
Greetings,
Chris
an operating system must operate
development is life
my Debian repo
Last edited by slam on 22.11.2010, 18:20; edited 1 time in total
finotti
Post subject: RE: Issue with ssh
Posted: 22.11.2010, 18:17
Joined: 2010-09-12
Posts: 479
Status: Offline
Just a couple of ideas:
Did you restart /etc/init.d/ssh after the configuration? Are you trying to connect from 192.168.0.3?
P.S.: You shouldn't allow ssh to root... It's much safer to ssh as a user and then change to root.
Luis_P
Post subject:
Posted: 22.11.2010, 18:38
Joined: 2010-09-11
Posts: 171
Location: Barcelona, Spain
Status: Offline
Thanks for your quick answer.
sshd was running on the laptop.
ls /etc/rc5.d gives (before ssh restart):
Code:
total 4
lrwxrwxrwx 1 root root 15 sep 14 01:39 K01rsync -> ../init.d/rsync
lrwxrwxrwx 1 root root 13 sep 14 01:39 K01ssh -> ../init.d/ssh
-rw-r--r-- 1 root root 677 ago 15 20:32 README
lrwxrwxrwx 1 root root 17 sep 14 01:22 S01ifplugd -> ../init.d/ifplugd
lrwxrwxrwx 1 root root 18 sep 14 01:23 S01qemu-kvm -> ../init.d/qemu-kvm
lrwxrwxrwx 1 root root 17 sep 14 01:34 S01rsyslog -> ../init.d/rsyslog
lrwxrwxrwx 1 root root 14 oct 16 15:08 S01sudo -> ../init.d/sudo
lrwxrwxrwx 1 root root 36 sep 14 01:38 S01virtualbox-ose-guest-utils -> ../init.d/virtualbox-ose-guest-utils
lrwxrwxrwx 1 root root 15 sep 14 01:37 S02acpid -> ../init.d/acpid
lrwxrwxrwx 1 root root 17 sep 29 22:00 S02anacron -> ../init.d/anacron
lrwxrwxrwx 1 root root 14 sep 29 22:00 S02cron -> ../init.d/cron
lrwxrwxrwx 1 root root 14 sep 14 01:38 S02cups -> ../init.d/cups
lrwxrwxrwx 1 root root 14 sep 14 01:37 S02dbus -> ../init.d/dbus
lrwxrwxrwx 1 root root 13 sep 14 01:38 S02gpm -> ../init.d/gpm
lrwxrwxrwx 1 root root 20 sep 14 01:38 S02irqbalance -> ../init.d/irqbalance
lrwxrwxrwx 1 root root 21 sep 14 01:34 S02loadcpufreq -> ../init.d/loadcpufreq
lrwxrwxrwx 1 root root 19 sep 14 01:38 S03bluetooth -> ../init.d/bluetooth
lrwxrwxrwx 1 root root 22 sep 14 01:34 S03cpufrequtils -> ../init.d/cpufrequtils
lrwxrwxrwx 1 root root 13 sep 14 01:38 S03hal -> ../init.d/hal
lrwxrwxrwx 1 root root 15 sep 14 01:39 S03saned -> ../init.d/saned
lrwxrwxrwx 1 root root 13 sep 14 01:39 S04kdm -> ../init.d/kdm
lrwxrwxrwx 1 root root 18 sep 29 22:00 S05bootlogs -> ../init.d/bootlogs
lrwxrwxrwx 1 root root 18 sep 29 22:00 S06rc.local -> ../init.d/rc.local
lrwxrwxrwx 1 root root 19 sep 29 22:00 S06rmnologin -> ../init.d/rmnologin
lrwxrwxrwx 1 root root 23 sep 29 22:00 S06stop-bootlogd -> ../init.d/stop-bootlogd
After the ssh restart, the output of the list is the same.
And the connection is still not possible.
Regards.
Luis_P.
Luis_P
Post subject:
Posted: 22.11.2010, 18:52
Joined: 2010-09-11
Posts: 171
Location: Barcelona, Spain
Status: Offline
I just realized that there is a "K" in the second line of the output, before /init.d/ssh which, if I'm not wrong, means that the service cannot start.
I'll try to change this. And, of course, I'll change the permissions of root.
I'll keep you informed.
Luis_P
Edited:
More info:
I've run update-rc.d ssh defaults with this output:
Code:
root@aptosidmerce:/home/merce# update-rc.d ssh defaults
update-rc.d: using dependency based boot sequencing
update-rc.d: warning: ssh stop runlevel arguments (0 1 6) do not match LSB Default-Stop values (none)
insserv: warning: current start runlevel(s) (empty) of script `ssh' overwrites defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overwrites defaults (empty).
root@aptosidmerce:/home/merce#
And the "K" continues...
hefee
Post subject:
Posted: 22.11.2010, 20:17
Joined: 2010-09-14
Posts: 26
Status: Offline
Connection refused says that the server is running...
but you have in your config:
Code:
PermitRootLogin yes
With this, a root user isn't allowed to log in; that is good for security reasons. Try another user.
For finding errors use ssh -v, ssh -vv or ssh -vvv; then ssh gives more debug messages. On the PC you want to connect to, look into the logs (dmesg, debug, auth, etc.) for a better understanding of what is going wrong.
lotman
Post subject:
Posted: 22.11.2010, 21:19
Joined: 2010-09-12
Posts: 6
Location: berlin
Status: Offline
hefee wrote:
but you have in your config:
Code:
PermitRootLogin yes
with this a root user isn't allowed to login, that is good for security reason. try another user.
It is the other way around... So root should be able to connect. How about trying a standard configuration to see if that works, to figure out whether it is a configuration error?
Lotman
Luis_P
Post subject:
Posted: 22.11.2010, 23:01
Joined: 2010-09-11
Posts: 171
Location: Barcelona, Spain
Status: Offline
Data from my wife's laptop (ssh server, address 192.168.0.2)
From /var/log/auth.log
Code:
....
Nov 22 19:20:55 aptosidmerce sshd[4217]: error: Bind to port 22 on 192.168.0.3 failed: Cannot assign requested address.
Nov 22 19:20:55 aptosidmerce sshd[4217]: fatal: Cannot bind any address.
.....
From /var/log/messages
Code:
root@aptosidmerce:/var/log# cat messages | grep ssh
Nov 21 23:07:29 aptosidmerce kernel: [11955.430089] [ 2122] 1000 2122 821 6 0 0 0 ssh-agent
root@aptosidmerce:/var/log#
Data from my desktop (ssh client, address 192.168.0.3):
Code:
lluis@myxbox:~$ ssh -vvv lluis@192.168.0.2
OpenSSH_5.5p1 Debian-5+b1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.2 [192.168.0.2] port 22.
debug1: connect to address 192.168.0.2 port 22: Connection refused
ssh: connect to host 192.168.0.2 port 22: Connection refused
lluis@myxbox:~$
muchan
Post subject:
Posted: 22.11.2010, 23:30
Moderator
Joined: 2010-09-11
Posts: 469
The IP address of your wife's PC is 192.168.0.2, isn't it?
sshd on her PC can't access port 22 of 192.168.0.3, because it's the other PC's IP address, no?
Luis_P
Post subject:
Posted: 23.11.2010, 09:19
Joined: 2010-09-11
Posts: 171
Location: Barcelona, Spain
Status: Offline
Yes.
Lines 4 - 9 of my wife's /etc/sshd_config (first post):
Code:
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 192.168.0.3
Protocol 2
Then, if I've not misunderstood, this machine can bind to 192.168.0.3 (my desktop), which is what I want to do. And I cannot.
Thanks for your attention.
Luis_P
finotti
Post subject:
Posted: 23.11.2010, 10:41
Joined: 2010-09-12
Posts: 479
Status: Offline
Did you try commenting out the "ListenAddress" specification and trying again? (Don't forget to restart sshd on the server after every change!)
muchan
Post subject:
Posted: 23.11.2010, 10:54
Moderator
Joined: 2010-09-11
Posts: 469
Probably just a misunderstanding about 'Bind'?
It's binding the sshd, the server listening to the incoming TCP port,
so it should be the IP address of the server (her PC, 192.168.0.2).
Your PC starts the ssh connection as client.
browe
Post subject:
Posted: 23.11.2010, 15:08
Joined: 2010-09-12
Posts: 157
Location: Canada
Status: Offline
I have a similar network setup at home. I used default settings for ssh and my router is the dhcp server. In the router I reserved a specific ip for each computer so they automatically get the same ip every time they reconnect.
Double check your router and see what IP is showing up there. Regarding the bind... you might want to have the laptop listen to the router IP rather than your desktop. However, the default config for ssh should work fine in your situation... get that working first, then play with the tweaks listed above (especially what Slam mentioned about pgp keys and restricting root login).
Luis_P
Post subject:
Posted: 23.11.2010, 21:57
Joined: 2010-09-11
Posts: 171
Location: Barcelona, Spain
Status: Offline
muchan wrote:
Probably just misunderstanding about 'Bind'?
You are right. I had misunderstood the word "Bind": I believed sshd "binds" to an external address, but it is not so; it binds to the same machine. Now ssh runs smoothly.
Thanks a lot.
Luis_P
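The root cause muchan explains above (ListenAddress must be an address the sshd host itself owns, not the client's) and the auth.log signature Luis_P posted are easy to check before restarting sshd. The script below is an added example, not code from the thread or from aptosid: it parses ListenAddress directives out of sshd_config text, flags any address the host does not hold, and pulls the matching bind failure out of auth.log. The local address set, the config text and the log lines are constructed to mirror the thread's setup.

```python
import ipaddress
import re

# Constructed (added example, not from the thread): addresses the sshd host (the laptop, 192.168.0.2) owns.
# On a real host take these from `ip -o addr` instead of hard-coding them.
LOCAL_ADDRESSES = {"127.0.0.1", "::1", "192.168.0.2"}
# Constructed to mirror the thread: the laptop told to listen on the desktop's address.
SAMPLE_CONFIG = "Port 22\n#ListenAddress ::\nListenAddress 192.168.0.3\nProtocol 2\n"
FIXED_CONFIG = SAMPLE_CONFIG.replace("192.168.0.3", "192.168.0.2")
SAMPLE_AUTH_LOG = (
    "Nov 22 19:20:55 aptosidmerce sshd[4217]: error: Bind to port 22 on 192.168.0.3 "
    "failed: Cannot assign requested address.\n"
    "Nov 22 19:20:55 aptosidmerce sshd[4217]: fatal: Cannot bind any address.\n")
BIND_FAIL = re.compile(r"sshd\[\d+\]: error: Bind to port (\d+) on (\S+) failed: "
                       r"Cannot assign requested address")

def listen_addresses(config_text):
    """ListenAddress values from sshd_config text (host, host:port or [ipv6]:port), port stripped."""
    found = []
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)   # drop comments, split keyword/value
        if len(parts) != 2 or parts[0].lower() != "listenaddress":
            continue
        value = parts[1].strip()
        bracketed = re.match(r"^\[(.+)\](?::\d+)?$", value)
        if bracketed:
            value = bracketed.group(1)                  # [v6addr]:port
        elif value.count(":") == 1:
            value = value.split(":")[0]                 # v4addr:port (IPv6 literals have 2+ colons)
        found.append(value)
    return found

def nonlocal_listen_addresses(config_text, local=LOCAL_ADDRESSES):
    """ListenAddress entries no local interface holds: sshd cannot bind them
    ('Cannot assign requested address'), exits, and clients see only 'Connection refused'."""
    local_ips = {ipaddress.ip_address(a) for a in local}
    bad = []
    for addr in listen_addresses(config_text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            bad.append(addr)                            # hostname: needs resolving, report it
            continue
        if not ip.is_unspecified and ip not in local_ips:   # 0.0.0.0 / :: bind every interface
            bad.append(addr)
    return bad

def bind_failures(log_text):
    """(port, address) pairs from auth.log lines that report a failed sshd bind."""
    return [(int(m.group(1)), m.group(2)) for m in map(BIND_FAIL.search, log_text.splitlines()) if m]
```

Running the check against the thread's config reports 192.168.0.3 as unbindable and the corrected config as clean; the same address shows up in the auth.log bind failure.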