Greetings,
After upgrade from 8.0 to 8.2 I have problems accessing my system with SSH. From the box to another system there is no problem, but from other linux-boxes or windows (using Putty) I cannot access it anymore.
The firewall is on, also services allowed is SSH and I also tell firewall to accept through port 22. I read a lot of info and went through some conf files but I do not know where the problem is located exactly
Richard
I'm just going to state the obvious here, but it's a start...
Have you tried turning off the FW to make sure that is not the source of your problem? Any error messages on the client side, when you try to connect? Are you sure that both the client and the server are using the same SSH protocol?
+----------------------------------------- | José J. Cintrón - <jcintron@mitre.org> +-----------------------------------------
-----Original Message----- From: Richard Farla [mailto:farla-klep@planet.nl] Sent: Monday, February 23, 2004 16:21 To: suse-security@suse.com Subject: [suse-security] access via SSH
Greetings,
After upgrade from 8.0 to 8.2 I have problems accessing my system with SSH. From the box to another system there is no problem, but from other linux-boxes or windows (using Putty) I cannot access it anymore.
The firewall is on, also services allowed is SSH and I also tell firewall to accept through port 22. I read a lot of info and went through some conf files but I do not know where the problem is located exactly
Richard
-- Check the headers for your unsubscription address For additional commands, e-mail: suse-security-help@suse.com Security-related bug reports go to security@suse.de, not here
Forgot one... Are you sure that the SSH daemon is running???
+----------------------------------------- | José J. Cintrón - <jcintron@mitre.org> +-----------------------------------------
-----Original Message----- From: José J. Cintrón [mailto:jcintron@mitre.org] Sent: Monday, February 23, 2004 17:12 To: 'Richard Farla'; suse-security@suse.com Subject: RE: [suse-security] access via SSH
I'm just going to state the obvious here, but it's a start...
Have you tried turning off the FW to make sure that is not the source of your problem? Any error messages on the client side, when you try to connect? Are you sure that both the client and the server are using the same SSH protocol?
+----------------------------------------- | José J. Cintrón - <jcintron@mitre.org> +-----------------------------------------
-----Original Message----- From: Richard Farla [mailto:farla-klep@planet.nl] Sent: Monday, February 23, 2004 16:21 To: suse-security@suse.com Subject: [suse-security] access via SSH
Greetings,
After upgrade from 8.0 to 8.2 I have problems accessing my system with SSH. From the box to another system there is no problem, but from other linux-boxes or windows (using Putty) I cannot access it anymore.
The firewall is on, also services allowed is SSH and I also tell firewall to accept through port 22. I read a lot of info and went through some conf files but I do not know where the problem is located exactly
Richard
See this http://portal.suse.com/sdb/en/2003/11/fhassel_ssh_update.html
José J. Cintrón wrote:
Forgot one... Are you sure that the SSH daemon is running???
+----------------------------------------- | José J. Cintrón - <jcintron@mitre.org> +-----------------------------------------
-----Original Message----- From: José J. Cintrón [mailto:jcintron@mitre.org] Sent: Monday, February 23, 2004 17:12 To: 'Richard Farla'; suse-security@suse.com Subject: RE: [suse-security] access via SSH
I'm just going to state the obvious here, but it's a start... Have you tried turning off the FW to make sure that is not the source of your problem? Any error messages on the client side, when you try to connect? Are you sure that both the client and the server are using the same SSH protocol?
+----------------------------------------- | José J. Cintrón - <jcintron@mitre.org> +-----------------------------------------
-----Original Message----- From: Richard Farla [mailto:farla-klep@planet.nl] Sent: Monday, February 23, 2004 16:21 To: suse-security@suse.com Subject: [suse-security] access via SSH
Greetings,
After upgrade from 8.0 to 8.2 I have problems accessing my system with SSH. From the box to another system there is no problem, but from other linux-boxes or windows (using Putty) I cannot access it anymore.
The firewall is on, also services allowed is SSH and I also tell firewall to accept through port 22. I read a lot of info and went through some conf files but I do not know where the problem is located exactly
Richard
On Monday 23 February 2004 23:11, you wrote:
I'm just going to state the obvious here, but it's a start... Have you tried turning off the FW to make sure that is not the source of your problem? Any error messages on the client side, when you try to connect? Are you sure that both the client and the server are using the same SSH protocol?
Hello again,
I turned off FW and then I can access it using SSH, so probably not a v1 or v2 issue. Yes sshd is running. Strange is that I setup FW with yast2 and surely allowed SSH as added service, I also accept port 22 to be open. This is confirmed to be open using nmap scanning localhost (127.0.0.1)
Looking in /var/log/messages I notice that the boxes that want to gain access will be DROPPED by SuSE FW.
Richard.
Hi !
I turned off FW and then I can access it using SSH, so probably not a v1 or v2 issue. Yes sshd is running. Strange is that I setup FW with yast2 and surely allowed SSH as added service, I also accept port 22 to be open. This is confirmed to be open using nmap scanning localhost (127.0.0.1)
--> You have to scan from OUTSIDE, because localhost may well be open locally while the FW is blocking the requests from outside.
Check /etc/ssh/sshd_config to make sure there are no "ListenAddress" restrictions.
Check /etc/sysconfig/SuSEfirewall2 Make sure "ssh" is in "FW_SERVICES_EXT_TCP".
Check /etc/hosts.allow to make sure the hosts are allowed to connect to the ssh-daemon. Add a line
sshd: your.ip
or
sshd: your.ip/netmask
Looking in /var/log/messages I notice that the boxes that want to gain access will be DROPPED by SuSE FW.
--> Could you post the line from /var/log/messages where the connection is dropped.
HTH,
Armin
-- Am Hasenberg 26 office: Institut für Atmosphärenphysik D-18209 Bad Doberan Schloss-Straße 6 Tel. ++49-(0)38203/42137 D-18225 Kühlungsborn / GERMANY Email: schoech@iap-kborn.de Tel. +49-(0)38293-68-102 WWW: http://armins.cjb.net/ Fax. +49-(0)38293-68-50
I'll stick with the obvious... Since you are able to connect when you disable the FW it is safe to assume that the FW is the problem and not SSH or the clients...
Check the following line in /etc/sysconfig/SuSEfirewall2
FW_SERVICES_EXT_TCP=""
and make sure that it has either ssh or 22 as one of the entries between the ""
Richard Farla wrote:
On Monday 23 February 2004 23:11, you wrote:
I'm just going to state the obvious here, but it's a start... Have you tried turning off the FW to make sure that is not the source of your problem? Any error messages on the client side, when you try to connect? Are you sure that both the client and the server are using the same SSH protocol?
Hello again,
I turned off FW and then I can access it using SSH, so probably not a v1 or v2 issue. Yes sshd is running. Strange is that I setup FW with yast2 and surely allowed SSH as added service, I also accept port 22 to be open. This is confirmed to be open using nmap scanning localhost (127.0.0.1)
Looking in /var/log/messages I notice that the boxes that want to gain access will be DROPPED by SuSE FW.
Richard.
-- +------------------------------------------ | José J. Cintrón - <jcintron@mitre.org> +------------------------------------------
On Tuesday 24 February 2004 16:23, you wrote:
I'll stick with the obvious... Since you are able to connect when you disable the FW it is safe to assume that the FW is the problem and not SSH or the clients...
Check the following line in /etc/sysconfig/SuSEfirewall2
FW_SERVICES_EXT_TCP=""
and make sure that it has either ssh or 22 as one of the entries between the ""
Hi,
FW_SERVICES_EXT_TCP=ssh
stands in /etc/sysconfig/SuSEfirewall2 indeed
It must be a FW problem, because FW disabled everything works fine.
Richard
/ 2004-02-25 08:17:46 +0100 \ Philipp Rusch:
Hi, must read FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_EXT_TCP=ssh
this is bash syntax and sourced by a bash script, so quoting only matters if you have white space (or special characters) to quote.
you have _QUICKMODE=no ?
note also that _EXT_TCP does not help, if you are coming from INT so check _DMZ_TCP and _INT_TCP, too!
Lars Ellenberg
On Wednesday 25 February 2004 09:51, Lars Ellenberg wrote:
must read FW_SERVICES_EXT_TCP="ssh"
this is bash syntax and sourced by a bash script, so quoting only matters if you have white space (or special characters) to quote.
you have _QUICKMODE=no ?
note also that _EXT_TCP does not help, if you are coming from INT so check _DMZ_TCP and _INT_TCP, too!
Lars Ellenberg
Hello,
Thanks Lars for your golden tip: indeed I had to edit FW so that:
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_INT_TCP="ssh"
FW_SERVICES_DMZ_TCP="ssh"
Indeed I come in by LAN so INT has to allow ssh. Considering the above settings and ONLY want to ssh over LAN, I think I could leave blank EXT and DMZ ??
Anyway things work out fine now...
Richard
Hi Richard!
On Thu, 26 Feb 2004, Richard Farla wrote:
Thanks Lars for your golden tip: indeed I had to edit FW so that:
FW_SERVICES_EXT_TCP="ssh"
FW_SERVICES_INT_TCP="ssh"
FW_SERVICES_DMZ_TCP="ssh"
Indeed I come in by LAN so INT has to allow ssh. Considering the above settings and ONLY want to ssh over LAN, I think I could leave blank EXT and DMZ ??
Exactly right. That is what I have used for a couple of years.
dproc
Anyway things work out fine now...
Richard
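The zone behaviour Lars points out and Richard confirms, as an added example that is not part of the thread and not SuSEfirewall2's own code: it sources a config the way the firewall script does and reports which zones accept ssh. Only the three FW_SERVICES_*_TCP names come from the thread; the helper names and both sample files are constructed.

```shell
#!/bin/sh
# Added example. Only the three FW_SERVICES_*_TCP names come from the thread;
# the helper names and both sample files are constructed.

# zone_allows FILE ZONE SERVICE [PORT]: succeed if FW_SERVICES_<ZONE>_TCP
# lists SERVICE or PORT. Runs in a subshell and sources FILE the way the
# firewall script does, so ssh and "ssh" read the same. Sourcing executes
# the file as shell code: only point this at a config you trust.
zone_allows() (
    file=$1 zone=$2 service=$3 port=${4:-}
    set -f                       # no globbing while splitting the list
    . "$file" || exit 2
    eval "list=\${FW_SERVICES_${zone}_TCP:-}"
    for entry in $list; do
        if [ "$entry" = "$service" ] || [ "$entry" = "$port" ]; then
            exit 0
        fi
    done
    exit 1
)

# zones_allowing FILE SERVICE [PORT]: print the zones that accept the service.
zones_allowing() (
    out=""
    for z in EXT INT DMZ; do
        if zone_allows "$1" "$z" "$2" "${3:-}"; then out="$out$z "; fi
    done
    printf '%s\n' "${out% }"
)

before=$(mktemp) after=$(mktemp)
trap 'rm -f "$before" "$after"' EXIT

# Constructed "before": ssh open on EXT only, unquoted as in Richard's file.
cat > "$before" <<'EOF'
FW_SERVICES_EXT_TCP=ssh
FW_SERVICES_INT_TCP=""
FW_SERVICES_DMZ_TCP=""
EOF

# Constructed "after": LAN-only ssh, the setting dproc confirms.
cat > "$after" <<'EOF'
FW_SERVICES_EXT_TCP=""
FW_SERVICES_INT_TCP="ssh"
FW_SERVICES_DMZ_TCP=""
EOF

echo "before: ssh accepted from zones: $(zones_allowing "$before" ssh 22)"
echo "after:  ssh accepted from zones: $(zones_allowing "$after" ssh 22)"
```

A client on the LAN is matched against the INT list, so the "before" file drops it even though ssh appears in the configuration.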
Hi,
Did you specify the correct interface for FW_DEV_EXT?
Holger
On Tuesday, 24 February 2004 10:54, Richard Farla wrote:
On Monday 23 February 2004 23:11, you wrote:
I'm just going to state the obvious here, but it's a start... Have you tried turning off the FW to make sure that is not the source of your problem? Any error messages on the client side, when you try to connect? Are you sure that both the client and the server are using the same SSH protocol?
Hello again,
I turned off FW and then I can access it using SSH, so probably not a v1 or v2 issue. Yes sshd is running. Strange is that I setup FW with yast2 and surely allowed SSH as added service, I also accept port 22 to be open. This is confirmed to be open using nmap scanning localhost (127.0.0.1)
Looking in /var/log/messages I notice that the boxes that want to gain access will be DROPPED by SuSE FW.
Richard.
-----Original Message----- From: Richard Farla <farla-klep@planet.nl> To: suse-security@suse.com Date: Mon, 23 Feb 2004 22:21:16 +0100 Subject: [suse-security] access via SSH
Greetings,
After upgrade from 8.0 to 8.2 I have problems accessing my system with SSH. From the box to another system there is no problem, but from other linux-boxes or windows (using Putty) I cannot access it anymore.
The firewall is on, also services allowed is SSH and I also tell firewall to accept through port 22. I read a lot of info and went through some conf files but I do not know where the problem is located exactly
Richard
On the linux side the clients will have to remove the hosts entry in the ~/.ssh/known_hosts file. If there is something similar on the windows boxes you will need to do the same there as well.
Ken
comments inside: -SNIP -
After upgrade from 8.0 to 8.2 I have problems accessing my system with SSH. From the box to another system there is no problem, but from other linux-boxes or windows (using Putty) I cannot access it anymore.
The firewall is on, also services allowed is SSH and I also tell firewall to accept through port 22. I read a lot of info and went through some conf files
-SNIP-
On the linux side the clients will have to remove the hosts entry in the ~/.ssh/known_hosts file. If there is something similar on the windows boxes you will need to do the same there as well.
you mean to *remove* these entries ?? Why ? just wondering, Philipp
On Tue, 2004-02-24 at 03:09, Philipp Rusch wrote:
comments inside:
-SNIP -
After upgrade from 8.0 to 8.2 I have problems accessing my system with SSH. From the box to another system there is no problem, but from other linux-boxes or windows (using Putty) I cannot access it anymore.
The firewall is on, also services allowed is SSH and I also tell firewall to accept through port 22. I read a lot of info and went through some conf files
-SNIP-
On the linux side the clients will have to remove the hosts entry in the ~/.ssh/known_hosts file. If there is something similar on the windows boxes you will need to do the same there as well.
you mean to *remove* these entries ?? Why ?
just wondering, Philipp
Because it contains the -old- key info for the server you are trying to connect to. You only need to remove the line for the server that has been upgraded. -- Ken Schneider unix user since 1989 linux user since 1994 SuSE user since 1998 (5.2)
On Tue, Feb 24, 2004 at 07:55:11AM -0500, Kenneth Schneider wrote:
Because it contains the -old- key info for the server you are trying to connect to. You only need to remove the line for the server that has been upgraded.
Openssh upgrades should not generate new host keys (/etc/ssh/ssh_host_*key*). If the keys have been replaced the openssh client will issue a warning. -- Stefan Tichy ( s.list at pi4tel dot de )
On Mon, 23 Feb 2004, Richard Farla wrote:
Greetings,
After upgrade from 8.0 to 8.2 I have problems accessing my system with SSH. From the box to another system there is no problem, but from other linux-boxes or windows (using Putty) I cannot access it anymore.
The firewall is on, also services allowed is SSH and I also tell firewall to accept through port 22. I read a lot of info and went through some conf files but I do not know where the problem is located exactly
Richard
Assuming that you are allowing port 22, the most likely explanation is that putty is trying to connect to SSH1. Tell putty to only use SSH2. You can verify this condition by taking a look at /var/log/messages. -- -linux_lad public key on request