Luis_P
Post subject: Issue with ssh   PostPosted: 22.11.2010, 18:02
Scenario: a small domestic wired LAN with two computers, my wife's laptop and my desktop, both running aptosid keres (well, actually older releases, fully updated). The administrator (myself) tries to connect from his (my) computer to my wife's for administration tasks. After reading carefully the aptosid manual for ssh, man ssh, man ssh_config and man sshd_config, and having changed /etc/sshd_config on the server side (my wife's side) in this way:

      Code:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 192.168.0.3
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 12
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile   %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
AllowTcpForwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
AllowUsers root lluis
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


When the administrator issues the command, the system refuses to connect:

      Code:

root@myxbox:/home/lluis# ssh -X root@192.168.0.2
ssh: connect to host 192.168.0.2 port 22: Connection refused


What is this administrator doing wrong?

Thanks in advance.

Luis_P
 
slam
Post subject: RE: Issue with ssh   PostPosted: 22.11.2010, 18:16
Team Member
You need to start sshd on the other machine, before accessing it from outside:
      Code:
su
/etc/init.d/ssh restart

If one of the machines involved has internet access, you should consider disallowing root login via ssh (instead, become root on the other machine via su after connecting), and authenticating via self-created gpg keys instead of a password. Also, do not ssh as root.
Greetings,
Chris

_________________
an operating system must operate
development is life
my Debian repo


Last edited by slam on 22.11.2010, 18:20; edited 1 time in total
 
finotti
Post subject: RE: Issue with ssh   PostPosted: 22.11.2010, 18:17
Just a couple of ideas:

Did you restart /etc/init.d/ssh after the configuration? Are you trying to connect from 192.168.0.3?

P.S.: You shouldn't allow ssh to root... It's much safer to ssh as a user and then change to root.
 
Luis_P
PostPosted: 22.11.2010, 18:38
Thanks for your quick answer.

sshd was running in the laptop.

ls /etc/rc5.d gives (before ssh restart):

      Code:

total 4
lrwxrwxrwx 1 root root  15 sep 14 01:39 K01rsync -> ../init.d/rsync
lrwxrwxrwx 1 root root  13 sep 14 01:39 K01ssh -> ../init.d/ssh
-rw-r--r-- 1 root root 677 ago 15 20:32 README
lrwxrwxrwx 1 root root  17 sep 14 01:22 S01ifplugd -> ../init.d/ifplugd
lrwxrwxrwx 1 root root  18 sep 14 01:23 S01qemu-kvm -> ../init.d/qemu-kvm
lrwxrwxrwx 1 root root  17 sep 14 01:34 S01rsyslog -> ../init.d/rsyslog
lrwxrwxrwx 1 root root  14 oct 16 15:08 S01sudo -> ../init.d/sudo
lrwxrwxrwx 1 root root  36 sep 14 01:38 S01virtualbox-ose-guest-utils -> ../init.d/virtualbox-ose-guest-utils
lrwxrwxrwx 1 root root  15 sep 14 01:37 S02acpid -> ../init.d/acpid
lrwxrwxrwx 1 root root  17 sep 29 22:00 S02anacron -> ../init.d/anacron
lrwxrwxrwx 1 root root  14 sep 29 22:00 S02cron -> ../init.d/cron
lrwxrwxrwx 1 root root  14 sep 14 01:38 S02cups -> ../init.d/cups
lrwxrwxrwx 1 root root  14 sep 14 01:37 S02dbus -> ../init.d/dbus
lrwxrwxrwx 1 root root  13 sep 14 01:38 S02gpm -> ../init.d/gpm
lrwxrwxrwx 1 root root  20 sep 14 01:38 S02irqbalance -> ../init.d/irqbalance
lrwxrwxrwx 1 root root  21 sep 14 01:34 S02loadcpufreq -> ../init.d/loadcpufreq
lrwxrwxrwx 1 root root  19 sep 14 01:38 S03bluetooth -> ../init.d/bluetooth
lrwxrwxrwx 1 root root  22 sep 14 01:34 S03cpufrequtils -> ../init.d/cpufrequtils
lrwxrwxrwx 1 root root  13 sep 14 01:38 S03hal -> ../init.d/hal
lrwxrwxrwx 1 root root  15 sep 14 01:39 S03saned -> ../init.d/saned
lrwxrwxrwx 1 root root  13 sep 14 01:39 S04kdm -> ../init.d/kdm
lrwxrwxrwx 1 root root  18 sep 29 22:00 S05bootlogs -> ../init.d/bootlogs
lrwxrwxrwx 1 root root  18 sep 29 22:00 S06rc.local -> ../init.d/rc.local
lrwxrwxrwx 1 root root  19 sep 29 22:00 S06rmnologin -> ../init.d/rmnologin
lrwxrwxrwx 1 root root  23 sep 29 22:00 S06stop-bootlogd -> ../init.d/stop-bootlogd


After ssh restart, the output of the list is the same.

And the connection is still not possible.

Regards.

Luis_P.
 
Luis_P
PostPosted: 22.11.2010, 18:52
I just realized that there is a "K" in the second line of the output, before ../init.d/ssh, which, if I'm not wrong, means that the service cannot start.

I'll try to change this. And, of course, I'll change the permissions of root.

Keep you informed.

Luis_P
____________________________________________________________
Edited:
More info:

I've run update-rc.d ssh defaults with this output:
      Code:

root@aptosidmerce:/home/merce# update-rc.d ssh defaults
update-rc.d: using dependency based boot sequencing
update-rc.d: warning: ssh stop runlevel arguments (0 1 6) do not match LSB Default-Stop values (none)
insserv: warning: current start runlevel(s) (empty) of script `ssh' overwrites defaults (2 3 4 5).
insserv: warning: current stop runlevel(s) (2 3 4 5) of script `ssh' overwrites defaults (empty).
root@aptosidmerce:/home/merce#


And the "K" continues...
 
hefee
PostPosted: 22.11.2010, 20:17
Connection refused says that the server is running...

but you have in your config:
      Code:
PermitRootLogin yes

With this a root user isn't allowed to log in; that is good for security reasons. Try another user.

To find errors use ssh -v, ssh -vv or ssh -vvv; then ssh gives more debug messages. On the PC you want to connect to, look into the logs (dmesg, debug, auth etc.) for a better understanding of what is going wrong.
 
lotman
PostPosted: 22.11.2010, 21:19
      hefee wrote:

but you have in your config:
      Code:
PermitRootLogin yes

With this a root user isn't allowed to log in; that is good for security reasons. Try another user.

It is the other way around... So root should be able to connect. How about trying a standard-configuration to see if that works to figure out if it is a configuration-error?

Lotman
 
Luis_P
PostPosted: 22.11.2010, 23:01
Data from my wife's laptop (ssh server, address 192.168.0.2)

From /var/log/auth.log
      Code:

....
Nov 22 19:20:55 aptosidmerce sshd[4217]: error: Bind to port 22 on 192.168.0.3 failed: Cannot assign requested address.
Nov 22 19:20:55 aptosidmerce sshd[4217]: fatal: Cannot bind any address.
.....



From /var/log/messages
      Code:

root@aptosidmerce:/var/log# cat messages | grep ssh
Nov 21 23:07:29 aptosidmerce kernel: [11955.430089] [ 2122]  1000  2122      821        6   0       0             0 ssh-agent
root@aptosidmerce:/var/log#


Data from my desktop (ssh client, address 192.168.0.3):

      Code:

lluis@myxbox:~$ ssh -vvv lluis@192.168.0.2
OpenSSH_5.5p1 Debian-5+b1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.0.2 [192.168.0.2] port 22.
debug1: connect to address 192.168.0.2 port 22: Connection refused
ssh: connect to host 192.168.0.2 port 22: Connection refused
lluis@myxbox:~$
 
muchan
PostPosted: 22.11.2010, 23:30
Moderator
The IP address of your wife's PC is 192.168.0.2, isn't it?
sshd on her PC can't access port 22 of 192.168.0.3, because that is the other PC's IP address, no?
 
Luis_P
PostPosted: 23.11.2010, 09:19
Yes.

Lines 4 - 9 of my wife's /etc/sshd_config (first post):

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
ListenAddress 192.168.0.3
Protocol 2

Then, if I've not misunderstood, this machine can bind to 192.168.0.3 (my desktop), which is what I want to do. And I cannot.

Thanks for your attention.

Luis_P
 
finotti
PostPosted: 23.11.2010, 10:41
Did you try commenting out the "ListenAddress" specification and trying again? (Don't forget to restart sshd on the server after every change!)
 
finotti
PostPosted: 23.11.2010, 10:45
In fact it seems that ListenAddress is not to specify which IPs are allowed to connect, but which on the server will listen... (Assuming I am reading this right: http://tldp.org/LDP/solrhe/Securing-Optimizing-Linux-RH-Edition-v1.3/chap15sec122.html)
 
muchan
PostPosted: 23.11.2010, 10:54
Moderator
Probably just a misunderstanding about 'Bind'?
It's the sshd binding: the server listening on the incoming TCP port,
so it should be the IP address of the server (her PC, 192.168.0.2).

Your PC starts the ssh connection as a client.
 
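As an added example from the editor, not code posted in this thread: a small POSIX shell checker that applies muchan's point (every ListenAddress must be an address the server itself owns, otherwise sshd logs "Cannot assign requested address" exactly as in the auth.log above) together with the hardening slam and finotti asked for (no root login over ssh, key authentication instead of passwords). The function names are the editor's own; the config text and the address list are constructed from the values in the thread, and on a real host you would feed it /etc/ssh/sshd_config and the output of `hostname -I` instead.

```shell
#!/bin/sh
# Added example (editor's, not from the thread): sanity-check an sshd_config
# for the mistake in this thread and the weak settings the replies warn about.
# Function names and the sample data below are the editor's assumptions.

# Print the first uncommented value of a directive; sshd itself takes the
# first occurrence. Match blocks are not handled.
sshd_directive() {
    # $1 = config text, $2 = directive name (matched case-insensitively)
    printf '%s\n' "$1" | awk -v key="$2" '
        $1 !~ /^#/ && tolower($1) == tolower(key) { print $2; exit }'
}

# Print every uncommented ListenAddress, one per line, with any port removed.
# sshd accepts the forms "addr", "ipv4:port" and "[ipv6]:port".
sshd_listen_addresses() {
    printf '%s\n' "$1" | awk '
        $1 !~ /^#/ && tolower($1) == "listenaddress" {
            a = $2
            if (a ~ /^\[/) { sub(/^\[/, "", a); sub(/\]:?[0-9]*$/, "", a) }
            else if (a ~ /^[0-9.]+:[0-9]+$/) { sub(/:[0-9]+$/, "", a) }
            print a
        }'
}

# Report every ListenAddress that is not an address of this host.
# $1 = config text, $2 = space-separated addresses the host owns
# (on a live system: hostname -I, or ip -o addr). Returns 1 if any were found.
check_listen_addresses() {
    rc=0
    for addr in $(sshd_listen_addresses "$1"); do
        case "$addr" in
            0.0.0.0|::) continue ;;   # wildcard: bindable on any host
        esac
        case " $2 " in
            *" $addr "*) ;;           # local address: sshd can bind it
            *) echo "ListenAddress $addr is not an address of this host;" \
                    "sshd will log 'Cannot assign requested address' and exit"
               rc=1 ;;
        esac
    done
    return $rc
}

# Report the settings the thread's replies advise against. Returns 1 if any.
check_weak_settings() {
    rc=0
    if [ "$(sshd_directive "$1" PermitRootLogin)" = yes ]; then
        echo "PermitRootLogin yes: log in as an ordinary user and su instead"
        rc=1
    fi
    case "$(sshd_directive "$1" PasswordAuthentication)" in
        no) ;;
        *) echo "PasswordAuthentication is not 'no' (default yes):" \
                "set up keys with ssh-keygen/ssh-copy-id, then disable passwords"
           rc=1 ;;
    esac
    if printf '%s\n' "$1" | awk '$1 !~ /^#/ && tolower($1) == "allowusers" {
                for (i = 2; i <= NF; i++) if ($i == "root") found = 1 }
            END { exit !found }'; then
        echo "AllowUsers lists root: drop it once PermitRootLogin is no"
        rc=1
    fi
    return $rc
}

# Constructed sample input: the relevant lines of the laptop config as posted,
# and the addresses that laptop (192.168.0.2) actually owns.
WIFE_CFG='Port 22
#ListenAddress ::
ListenAddress 192.168.0.3
Protocol 2
PermitRootLogin yes
AllowUsers root lluis
#PasswordAuthentication yes
UsePAM yes'
WIFE_ADDRS="127.0.0.1 192.168.0.2 ::1"

# The same config with the bind target corrected and the hardening applied.
FIXED_CFG='Port 22
ListenAddress 192.168.0.2
Protocol 2
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
AllowUsers lluis
UsePAM yes'

echo "== laptop config as posted =="
check_listen_addresses "$WIFE_CFG" "$WIFE_ADDRS" || true
check_weak_settings "$WIFE_CFG" || true
echo "== corrected config =="
if check_listen_addresses "$FIXED_CFG" "$WIFE_ADDRS" && check_weak_settings "$FIXED_CFG"; then
    echo "no findings"
fi
```

On the real laptop, `sshd -t` validates the edited file and `sshd -T | grep -i listenaddress` prints the address sshd will actually try to bind, before the `/etc/init.d/ssh restart` slam showed. Generate the client key pair with ssh-keygen and install it with `ssh-copy-id lluis@192.168.0.2` before setting PasswordAuthentication to no, or the only remaining way in is the laptop's own console.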
browe
PostPosted: 23.11.2010, 15:08
I have a similar network setup at home. I used default settings for ssh and my router is the dhcp server. In the router I reserved a specific ip for each computer so they automatically get the same ip every time they reconnect.

Double check your router and see what ip is showing up there. Regarding the bind... you might want to have the laptop listen to the router ip rather than your desktop. However, the default config for ssh should work fine in your situation... get that working first then play with tweaks listed above (especially what Slam mentioned about pgp keys and restricting root login).
 
Luis_P
PostPosted: 23.11.2010, 21:57
      muchan wrote:
Probably just misunderstanding about 'Bind'?


You are right. I had misunderstood the word "Bind"; I believed sshd "binds" to an external address, but it is not so: it binds to the same machine. Now ssh runs smoothly.

Thanks a lot.

Luis_P
 