[opensuse] trouble with ssh connecting
I use ssh to sync my 2 laptops. I have all my keys in place, so it normally connects without a problem or having to enter a password. Until recently it worked fine, but now here is what I am dealing with.
On laptop #1, I connect to laptop #2 with the following:
ssh -X george@192.168.1.169
It connects fine without any trouble.
On laptop #2 I connect to #1 with the following
ssh -X george@192.168.1.180
I can connect to myself from laptop #1 to laptop #1 by running the same command ssh -X george@192.168.1.180, and it works no problem. So I think the port is open on that computer.
Until recently this had no problem connecting. Now it just hangs. No error given, it just sits there. Maybe after 5 or 10 minutes it will say the request timed out, but sometimes it doesn't do anything except sit there until I hit ctrl-c to break the request.
I can ping the other computer no problem, but cannot connect by ssh. Port 22 is open according to SuSEfirewall2
--
George
Box: 42.3 | KDE Plasma 5.8 | AMD Phenom IIX4 | 64 | 32GB
Laptop #1: TW | Plasma 5.13 | AMD FX 7TH GEN | 64 | 32GB
Laptop #2: 15.0 | KDE Plasma 5.8 | Core i5 | 64 | 8GB
--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org
On 12/11/2018 12.08, George from the tribe wrote:
I use ssh to sync my 2 laptops. I have all my keys in place, so it normally connects without a problem or having to enter a password. Until recently it worked fine, but now here is what I am dealing with.
On laptop #1, I connect to laptop #2 with the following: ssh -X george@192.168.1.169
It connects fine without any trouble.
On laptop #2 I connect to #1 with the following ssh -X george@192.168.1.180
I can connect to myself from laptop #1 to laptop #1 by running the same command ssh -X george@192.168.1.180, and it works no problem. So I think the port is open on that computer.
No, I think the firewall doesn't intervene in this case.
Until recently this had no problem connecting. Now it just hangs. No error given, it just sits there. Maybe after 5 or 10 minutes it will say the request timed out, but sometimes it doesn't do anything except sit there until I hit ctrl-c to break the request.
On both computers, or only one? What openSUSE versions are they running?
I can ping the other computer no problem, but cannot connect by ssh. Port 22 is open according to SuSEfirewall2
To make sure, just check the firewall log at the time of the attempt. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 12/11/2018 12.08, George from the tribe wrote:
I use ssh to sync my 2 laptops. I have all my keys in place, so it normally connects without a problem or having to enter a password. Until recently it worked fine, but now here is what I am dealing with.
On laptop #1, I connect to laptop #2 with the following: ssh -X george@192.168.1.169
It connects fine without any trouble.
On laptop #2 I connect to #1 with the following ssh -X george@192.168.1.180
I can connect to myself from laptop #1 to laptop #1 by running the same command ssh -X george@192.168.1.180, and it works no problem. So I think the port is open on that computer.
No, I think the firewall doesn't intervene in this case.
In my case, it does. Just realized I cannot ssh into my laptop anymore, and the firewall was blocking.
The reason was that the sshd service configuration for the firewall, /etc/sysconfig/SuSEfirewall2.d/services/sshd, was/is part of the openssh package, but the latest one doesn't have it anymore (because SuSEfirewall has been dropped). Nice move :(
(This is Tumbleweed - don't know how it is on other systems)
On 12/11/2018 15.00, Peter Suetterlin wrote:
Carlos E. R. wrote:
On 12/11/2018 12.08, George from the tribe wrote:
I use ssh to sync my 2 laptops. I have all my keys in place, so it normally connects without a problem or having to enter a password. Until recently it worked fine, but now here is what I am dealing with.
On laptop #1, I connect to laptop #2 with the following: ssh -X george@192.168.1.169
It connects fine without any trouble.
On laptop #2 I connect to #1 with the following ssh -X george@192.168.1.180
I can connect to myself from laptop #1 to laptop #1 by running the same command ssh -X george@192.168.1.180, and it works no problem. So I think the port is open on that computer.
No, I think the firewall doesn't intervene in this case.
In my case, it does. Just realized I cannot ssh into my laptop anymore, and the firewall was blocking.
The reason was that the sshd service configuration for the firewall, /etc/sysconfig/SuSEfirewall2.d/services/sshd, was/is part of the openssh package, but the latest one doesn't have it anymore (because SuSEfirewall has been dropped). Nice move :(
(This is Tumbleweed - don't know how it is on other systems)
Well, in TW you should not be using SuSEfirewall2. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
On 12/11/2018 15.00, Peter Suetterlin wrote:
In my case, it does. Just realized I cannot ssh into my laptop anymore, and the firewall was blocking.
The reason was that the sshd service configuration for the firewall, /etc/sysconfig/SuSEfirewall2.d/services/sshd, was/is part of the openssh package, but the latest one doesn't have it anymore (because SuSEfirewall has been dropped). Nice move :(
(This is Tumbleweed - don't know how it is on other systems)
Well, in TW you should not be using SuSEfirewall2.
I just continuously updated my installation. I cannot remember anything urging me to remove the package and replace it with something else, nor was such a switch done by the updates..... OK, for real - of course I know about the switch, as I read the list here. But not everyone does. (And I still think that switch to firewalld was one of the worst stunts in opensuse history - but that's another topic)
On 12/11/2018 15.32, Peter Suetterlin wrote:
Carlos E. R. wrote:
On 12/11/2018 15.00, Peter Suetterlin wrote:
In my case, it does. Just realized I cannot ssh into my laptop anymore, and the firewall was blocking.
The reason was that the sshd service configuration for the firewall, /etc/sysconfig/SuSEfirewall2.d/services/sshd, was/is part of the openssh package, but the latest one doesn't have it anymore (because SuSEfirewall has been dropped). Nice move :(
(This is Tumbleweed - don't know how it is on other systems)
Well, in TW you should not be using SuSEfirewall2.
I just continuously updated my installation. I cannot remember anything urging me to remove the package and replace it with something else, nor was such a switch done by the updates.....
OK, for real - of course I know about the switch, as I read the list here. But not everyone does.
(And I still think that switch to firewalld was one of the worst stunts in opensuse history - but that's another topic)
Oh, I agree. I have migrated two machines to 15.0, a third is waiting, and I haven't still done the firewall in any. I fear it. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
* Carlos E. R. <robin.listas@telefonica.net> [11-12-18 11:16]:
On 12/11/2018 15.32, Peter Suetterlin wrote:
Carlos E. R. wrote:
On 12/11/2018 15.00, Peter Suetterlin wrote:
In my case, it does. Just realized I cannot ssh into my laptop anymore, and the firewall was blocking.
The reason was that the sshd service configuration for the firewall, /etc/sysconfig/SuSEfirewall2.d/services/sshd, was/is part of the openssh package, but the latest one doesn't have it anymore (because SuSEfirewall has been dropped). Nice move :(
(This is Tumbleweed - don't know how it is on other systems)
Well, in TW you should not be using SuSEfirewall2.
I just continuously updated my installation. I cannot remember anything urging me to remove the package and replace it with something else, nor was such a switch done by the updates.....
OK, for real - of course I know about the switch, as I read the list here. But not everyone does.
(And I still think that switch to firewalld was one of the worst stunts in opensuse history - but that's another topic)
Oh, I agree. I have migrated two machines to 15.0, a third is waiting, and I haven't still done the firewall in any. I fear it.
really doesn't appear too difficult. I have it on three boxes now and think I have everything I had with SuSEfirewall2. it's just different. there are plenty of examples and instructions on the net. I successfully opened ports for kconnectd and vnc and moved ssh. but my server is still on 42.2 and SuSEfirewall2. I probably will not change it until I upgrade it. there is an add-on for yast which will make changes for you but not nearly as comprehensive and leading as before. -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
* Patrick Shanahan <paka@opensuse.org> [11-12-18 13:00]:
* Carlos E. R. <robin.listas@telefonica.net> [11-12-18 11:16]:
On 12/11/2018 15.32, Peter Suetterlin wrote:
Carlos E. R. wrote:
On 12/11/2018 15.00, Peter Suetterlin wrote:
In my case, it does. Just realized I cannot ssh into my laptop anymore, and the firewall was blocking.
The reason was that the sshd service configuration for the firewall, /etc/sysconfig/SuSEfirewall2.d/services/sshd, was/is part of the openssh package, but the latest one doesn't have it anymore (because SuSEfirewall has been dropped). Nice move :(
(This is Tumbleweed - don't know how it is on other systems)
Well, in TW you should not be using SuSEfirewall2.
I just continuously updated my installation. I cannot remember anything urging me to remove the package and replace it with something else, nor was such a switch done by the updates.....
OK, for real - of course I know about the switch, as I read the list here. But not everyone does.
(And I still think that switch to firewalld was one of the worst stunts in opensuse history - but that's another topic)
Oh, I agree. I have migrated two machines to 15.0, a third is waiting, and I haven't still done the firewall in any. I fear it.
really doesn't appear too difficult. I have it on three boxes now and think I have everything I had with SuSEfirewall2. it's just different. there are plenty of examples and instructions on the net. I successfully opened ports for kconnectd and vnc and moved ssh. but my server is still on 42.2 and SuSEfirewall2. I probably will not change it until I upgrade it.
there is an add-on for yast which will make changes for you but not nearly as comprehensive and leading as before.
fwiw: Just updated and rebooted a remote tw box w/SuSEfirewall2 and could no longer connect. and yast firewall does not work either. ran yast sysconfig and enabled ssh and had to manually restart SuSEfirewall2 to re-enable ssh pass thru. and difficult to accomplish giving blind direction on the phone. finally got remote access and installed firewalld and switched w/o further incidence. BUT... not good these type of changes w/o any notice and no way to recover w/o remote assistance. next time the remote aid may not be as viable and then a loooong trip for very suspect reasons. yes, this is a RANT, but a NECESSARY RANT. PAY ATTENTION. tw is a long term investment. -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On Monday 12 November 2018 20:15:44 CET, Patrick Shanahan wrote:
* Patrick Shanahan <paka@opensuse.org> [11-12-18 13:00]:
* Carlos E. R. <robin.listas@telefonica.net> [11-12-18 11:16]:
On 12/11/2018 15.32, Peter Suetterlin wrote:
Carlos E. R. wrote:
On 12/11/2018 15.00, Peter Suetterlin wrote:
In my case, it does. Just realized I cannot ssh into my laptop anymore, and the firewall was blocking.
The reason was that the sshd service configuration for the firewall, /etc/sysconfig/SuSEfirewall2.d/services/sshd, was/is part of the openssh package, but the latest one doesn't have it anymore (because SuSEfirewall has been dropped). Nice move :(
(This is Tumbleweed - don't know how it is on other systems)
Well, in TW you should not be using SuSEfirewall2.
I just continuously updated my installation. I cannot remember anything urging me to remove the package and replace it with something else, nor was such a switch done by the updates.....
OK, for real - of course I know about the switch, as I read the list here. But not everyone does.
(And I still think that switch to firewalld was one of the worst stunts in opensuse history - but that's another topic)
Oh, I agree. I have migrated two machines to 15.0, a third is waiting, and I haven't still done the firewall in any. I fear it.
really doesn't appear too difficult. I have it on three boxes now and think I have everything I had with SuSEfirewall2. it's just different. there are plenty of examples and instructions on the net. I successfully opened ports for kconnectd and vnc and moved ssh. but my server is still on 42.2 and SuSEfirewall2. I probably will not change it until I upgrade it.
there is an add-on for yast which will make changes for you but not nearly as comprehensive and leading as before.
fwiw: Just updated and rebooted a remote tw box w/SuSEfirewall2 and could no longer connect. and yast firewall does not work either. ran yast sysconfig and enabled ssh and had to manually restart SuSEfirewall2 to re-enable ssh pass thru. and difficult to accomplish giving blind direction on the phone.
finally got remote access and installed firewalld and switched w/o further incidence.
BUT... not good these type of changes w/o any notice and no way to recover w/o remote assistance. next time the remote aid may not be as viable and then a loooong trip for very suspect reasons.
yes, this is a RANT, but a NECESSARY RANT.
PAY ATTENTION.
tw is a long term investment.
This would mean you did/do not have the TW Update repo active. That's where a fixed set of openssl packages were pushed, AFAIK they should be in later snapshots as well.
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
* Knurpht-openSUSE <knurpht@opensuse.org> [11-12-18 14:19]:
On Monday 12 November 2018 20:15:44 CET, Patrick Shanahan wrote:
* Patrick Shanahan <paka@opensuse.org> [11-12-18 13:00]:
* Carlos E. R. <robin.listas@telefonica.net> [11-12-18 11:16]:
On 12/11/2018 15.32, Peter Suetterlin wrote:
Carlos E. R. wrote:
On 12/11/2018 15.00, Peter Suetterlin wrote:
> In my case, it does. Just realized I cannot ssh into my laptop anymore, and the firewall was blocking.
>
> The reason was that the sshd service configuration for the firewall, /etc/sysconfig/SuSEfirewall2.d/services/sshd, was/is part of the openssh package, but the latest one doesn't have it anymore (because SuSEfirewall has been dropped). Nice move :(
>
> (This is Tumbleweed - don't know how it is on other systems)
Well, in TW you should not be using SuSEfirewall2.
I just continuously updated my installation. I cannot remember anything urging me to remove the package and replace it with something else, nor was such a switch done by the updates.....
OK, for real - of course I know about the switch, as I read the list here. But not everyone does.
(And I still think that switch to firewalld was one of the worst stunts in opensuse history - but that's another topic)
Oh, I agree. I have migrated two machines to 15.0, a third is waiting, and I haven't still done the firewall in any. I fear it.
really doesn't appear too difficult. I have it on three boxes now and think I have everything I had with SuSEfirewall2. it's just different. there are plenty of examples and instructions on the net. I successfully opened ports for kconnectd and vnc and moved ssh. but my server is still on 42.2 and SuSEfirewall2. I probably will not change it until I upgrade it.
there is an add-on for yast which will make changes for you but not nearly as comprehensive and leading as before.
fwiw: Just updated and rebooted a remote tw box w/SuSEfirewall2 and could no longer connect. and yast firewall does not work either. ran yast sysconfig and enabled ssh and had to manually restart SuSEfirewall2 to re-enable ssh pass thru. and difficult to accomplish giving blind direction on the phone.
finally got remote access and installed firewalld and switched w/o further incidence.
BUT... not good these type of changes w/o any notice and no way to recover w/o remote assistance. next time the remote aid may not be as viable and then a loooong trip for very suspect reasons.
yes, this is a RANT, but a NECESSARY RANT.
PAY ATTENTION.
tw is a long term investment.
This would mean you did/do not have the TW Update repo active. That's where a fixed set of openssl packages were pushed, AFAIK they should be in later snapshots as well.
I fail to understand your comment, or you failed to read the post ... I definitely have Tw Updates active and others. I did not fail to connect for having an incorrect/broken ssh configuration or openssh version. the update dropped ssh from SuSEfirewall2 config just as Peter noted and having to reboot the machine for dbus changes, lost connect and could not regain. THAT IS A PROBLEM and more so for a remote.remote.remote box. -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On Monday 12 November 2018 20:26:50 CET, Patrick Shanahan wrote:
* Knurpht-openSUSE <knurpht@opensuse.org> [11-12-18 14:19]:
On Monday 12 November 2018 20:15:44 CET, Patrick Shanahan wrote:
* Patrick Shanahan <paka@opensuse.org> [11-12-18 13:00]:
* Carlos E. R. <robin.listas@telefonica.net> [11-12-18 11:16]:
On 12/11/2018 15.32, Peter Suetterlin wrote:
Carlos E. R. wrote:
> On 12/11/2018 15.00, Peter Suetterlin wrote:
>> In my case, it does. Just realized I cannot ssh into my laptop anymore, and the firewall was blocking.
>>
>> The reason was that the sshd service configuration for the firewall, /etc/sysconfig/SuSEfirewall2.d/services/sshd, was/is part of the openssh package, but the latest one doesn't have it anymore (because SuSEfirewall has been dropped). Nice move :(
>>
>> (This is Tumbleweed - don't know how it is on other systems)
>
> Well, in TW you should not be using SuSEfirewall2.
I just continuously updated my installation. I cannot remember anything urging me to remove the package and replace it with something else, nor was such a switch done by the updates.....
OK, for real - of course I know about the switch, as I read the list here. But not everyone does.
(And I still think that switch to firewalld was one of the worst stunts in opensuse history - but that's another topic)
Oh, I agree. I have migrated two machines to 15.0, a third is waiting, and I haven't still done the firewall in any. I fear it.
really doesn't appear too difficult. I have it on three boxes now and think I have everything I had with SuSEfirewall2. it's just different. there are plenty of examples and instructions on the net. I successfully opened ports for kconnectd and vnc and moved ssh. but my server is still on 42.2 and SuSEfirewall2. I probably will not change it until I upgrade it.
there is an add-on for yast which will make changes for you but not nearly as comprehensive and leading as before.
fwiw: Just updated and rebooted a remote tw box w/SuSEfirewall2 and could no longer connect. and yast firewall does not work either. ran yast sysconfig and enabled ssh and had to manually restart SuSEfirewall2 to re-enable ssh pass thru. and difficult to accomplish giving blind direction on the phone.
finally got remote access and installed firewalld and switched w/o further incidence.
BUT... not good these type of changes w/o any notice and no way to recover w/o remote assistance. next time the remote aid may not be as viable and then a loooong trip for very suspect reasons.
yes, this is a RANT, but a NECESSARY RANT.
PAY ATTENTION.
tw is a long term investment.
This would mean you did/do not have the TW Update repo active. That's where a fixed set of openssl packages were pushed, AFAIK they should be in later snapshots as well.
I fail to understand your comment, or you failed to read the post ...
I definitely have Tw Updates active and others. I did not fail to connect for having an incorrect/broken ssh configuration or openssh version. the update dropped ssh from SuSEfirewall2 config just as Peter noted and having to reboot the machine for dbus changes, lost connect and could not regain. THAT IS A PROBLEM and more so for a remote.remote.remote box.
In that case you missed that SuSEfirewall2 is deprecated and not even available in TW anymore.
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
* Knurpht-openSUSE <knurpht@opensuse.org> [11-12-18 14:32]:
On Monday 12 November 2018 20:26:50 CET, Patrick Shanahan wrote:
* Knurpht-openSUSE <knurpht@opensuse.org> [11-12-18 14:19]:
On Monday 12 November 2018 20:15:44 CET, Patrick Shanahan wrote:
* Patrick Shanahan <paka@opensuse.org> [11-12-18 13:00]:
* Carlos E. R. <robin.listas@telefonica.net> [11-12-18 11:16]:
On 12/11/2018 15.32, Peter Suetterlin wrote:
> Carlos E. R. wrote:
>> On 12/11/2018 15.00, Peter Suetterlin wrote:
>>> In my case, it does. Just realized I cannot ssh into my laptop anymore, and the firewall was blocking.
>>>
>>> The reason was that the sshd service configuration for the firewall, /etc/sysconfig/SuSEfirewall2.d/services/sshd, was/is part of the openssh package, but the latest one doesn't have it anymore (because SuSEfirewall has been dropped). Nice move :(
>>>
>>> (This is Tumbleweed - don't know how it is on other systems)
>>
>> Well, in TW you should not be using SuSEfirewall2.
>
> I just continuously updated my installation. I cannot remember anything urging me to remove the package and replace it with something else, nor was such a switch done by the updates.....
>
> OK, for real - of course I know about the switch, as I read the list here. But not everyone does.
>
> (And I still think that switch to firewalld was one of the worst stunts in opensuse history - but that's another topic)
Oh, I agree. I have migrated two machines to 15.0, a third is waiting, and I haven't still done the firewall in any. I fear it.
really doesn't appear too difficult. I have it on three boxes now and think I have everything I had with SuSEfirewall2. it's just different. there are plenty of examples and instructions on the net. I successfully opened ports for kconnectd and vnc and moved ssh. but my server is still on 42.2 and SuSEfirewall2. I probably will not change it until I upgrade it.
there is an add-on for yast which will make changes for you but not nearly as comprehensive and leading as before.
fwiw: Just updated and rebooted a remote tw box w/SuSEfirewall2 and could no longer connect. and yast firewall does not work either. ran yast sysconfig and enabled ssh and had to manually restart SuSEfirewall2 to re-enable ssh pass thru. and difficult to accomplish giving blind direction on the phone.
finally got remote access and installed firewalld and switched w/o further incidence.
BUT... not good these type of changes w/o any notice and no way to recover w/o remote assistance. next time the remote aid may not be as viable and then a loooong trip for very suspect reasons.
yes, this is a RANT, but a NECESSARY RANT.
PAY ATTENTION.
tw is a long term investment.
This would mean you did/do not have the TW Update repo active. That's where a fixed set of openssl packages were pushed, AFAIK they should be in later snapshots as well.
I fail to understand your comment, or you failed to read the post ...
I definitely have Tw Updates active and others. I did not fail to connect for having an incorrect/broken ssh configuration or openssh version. the update dropped ssh from SuSEfirewall2 config just as Peter noted and having to reboot the machine for dbus changes, lost connect and could not regain. THAT IS A PROBLEM and more so for a remote.remote.remote box.
In that case you missed that SuSEfirewall2 is deprecated and not even available in TW anymore.
and where would I have missed that? I know about firewalld being the next supported firewall script but NEVER saw that support/updates/... for SuSEfirewall2 were DROPPED and/or that my system would fail to function. and I read more of the openSUSE traffic than most. and if I did indeed miss that NOTICE, I am definitely not the only one here who failed to see it. and perhaps at some point we should begin to trim part of the quoted material ??? -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On Monday 12 November 2018 20:37:09 CET, Patrick Shanahan wrote:
* Knurpht-openSUSE <knurpht@opensuse.org> [11-12-18 14:32]:
In that case you missed that SuSEfirewall2 is deprecated and not even available in TW anymore.
and where would I have missed that? I know about firewalld being the next supported firewall script but NEVER saw that support/updates/... for SuSEfirewall2 were DROPPED and/or that my system would fail to function. and I read more of the openSUSE traffic than most.
and if I did indeed miss that NOTICE, I am definitely not the only one here who failed to see it.
There were lots of posts on opensuse-factory@o.o
and perhaps at some point we should begin to trim part of the quoted material ???
Point taken -- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On 12/11/2018 20.46, Knurpht-openSUSE wrote:
On Monday 12 November 2018 20:37:09 CET, Patrick Shanahan wrote:
* Knurpht-openSUSE <knurpht@opensuse.org> [11-12-18 14:32]:
In that case you missed that SuSEfirewall2 is deprecated and not even available in TW anymore.
and where would I have missed that? I know about firewalld being the next supported firewall script but NEVER saw that support/updates/... for SuSEfirewall2 were DROPPED and/or that my system would fail to function. and I read more of the openSUSE traffic than most.
and if I did indeed miss that NOTICE, I am definitely not the only one here who failed to see it.
There were lots of posts on opensuse-factory@o.o
Posts, yes, I saw some of them. I was aware of it. But I don't recall an official notice for TW. I see a paragraph in the 15.0 release notes, though. And anyway, on Leap upgrades SuSEfirewall2 is installed and running, so people may not notice. I have met a few these days that did not know that they should not still use SuSEfirewall2. Maybe a warning when YaST or zypper see a deprecated package in the system? -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
Carlos E. R. wrote:
Posts, yes, I saw some of them. I was aware of it. But I don't recall an official notice for TW.
It's always your/our fault. One should read all release notes for each update. But who really does?
But I seem to remember posts here from 'officials' stating that 'SFW doesn't stop working if you don't uninstall it'. As we see, that is only partially true. And the problem can easily show up with more programs:
woodstock: # rpm -qf /etc/sysconfig/SuSEfirewall2.d/services/*|sort|uniq
SuSEfirewall2-3.6.378-3.1.noarch
dhcp-4.3.5-6.2.x86_64
dovecot-2.3-1.2.noarch
file /etc/sysconfig/SuSEfirewall2.d/services/sshd is not owned by any package
file /etc/sysconfig/SuSEfirewall2.d/services/tincd is not owned by any package
mariadb-10.2.18-1.2.x86_64
nfs-client-2.1.1-8.1.x86_64
nut-2.7.4-10.1.x86_64
postfix-3.3.1-4.1.x86_64
pulseaudio-12.2-1.1.x86_64
rsync-3.1.3-3.1.x86_64
samba-4.9.1+git.101.212e237d8ef-1.1.x86_64
samba-client-4.9.1+git.101.212e237d8ef-1.1.x86_64
subversion-1.10.3-1.1.x86_64
ypbind-2.5-1.2.x86_64
So better make backups of it ;^> (and this also shows that, despite 'deprecated', many packages still 'support' SFW....)
I see a paragraph in the 15.0 release notes, though. And anyway, on Leap upgrades SuSEfirewall2 is installed and running, so people may not notice. I have met a few these days that did not know that they should not still use SuSEfirewall2.
That's why I think the switch was badly timed/prepared. SuSEfirewall supported a plugin service system, so many of the configuration files were not part of the SFW package, but from the daemon packages. In principle a very nice thing. But it bites back in case of such changes. So before removing it there could/should have been a (last) update that incorporates all those config files, at least for the usual services, and remove them from the daemon packages.
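The ownership check from the message above, as an added example that is not part of the original post: a POSIX shell script that picks the unowned service definitions out of `rpm -qf` output and backs them up. The function names, the `--live` switch and the default backup directory are hypothetical; the sample input is abbreviated from the output quoted in the message, with one duplicated line constructed to show de-duplication.

```shell
#!/bin/sh
# Added example (not from the thread): find SuSEfirewall2 service definitions
# that no installed package owns any more, and back them up before an update
# or a manual cleanup can remove them.

# Directory named in the thread.
SERVICES_DIR=/etc/sysconfig/SuSEfirewall2.d/services

# Filter `rpm -qf FILE...` output read from stdin: print only the paths that
# rpm reports as unowned, one per line.
orphaned_service_files() {
    sed -n 's/^file \(.*\) is not owned by any package$/\1/p'
}

# Filter the same output: print each owning package exactly once.
owning_packages() {
    grep -v '^file .* is not owned by any package$' | sort -u
}

# Read paths on stdin and copy those that exist into directory $1, keeping
# mode and timestamps. Prints every path that was copied.
backup_orphans() {
    dest=$1
    mkdir -p "$dest" || return 1
    while IFS= read -r path; do
        if [ -f "$path" ]; then
            cp -p "$path" "$dest/" && printf '%s\n' "$path"
        fi
    done
}

# Sample input, abbreviated from the rpm output in the message; the second
# dhcp line is constructed.
sample_rpm_output() {
    cat <<'EOF'
SuSEfirewall2-3.6.378-3.1.noarch
dhcp-4.3.5-6.2.x86_64
dhcp-4.3.5-6.2.x86_64
file /etc/sysconfig/SuSEfirewall2.d/services/sshd is not owned by any package
file /etc/sysconfig/SuSEfirewall2.d/services/tincd is not owned by any package
postfix-3.3.1-4.1.x86_64
EOF
}

# Live use on an rpm-based system (hypothetical switch and default target):
#   sh this-script.sh --live /root/sfw2-services.bak
if [ "${1:-}" = "--live" ]; then
    rpm -qf "$SERVICES_DIR"/* | orphaned_service_files |
        backup_orphans "${2:-$HOME/sfw2-services.bak}"
fi
```

An unowned `sshd` definition is the case described in the thread: the file is no longer tracked by any package, so only a copy made beforehand brings it back.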
On 11/12/2018 01:15 PM, Patrick Shanahan wrote:
BUT... not good these type of changes w/o any notice and no way to recover w/o remote assistance. next time the remote aid may not be as viable and then a loooong trip for very suspect reasons.
yes, this is a RANT, but a NECESSARY RANT.
PAY ATTENTION.
tw is a long term investment.
Remote administration is quite a challenge when these things happen. I have found myself on the receiving end on a few updates (thankfully just a few). Somewhere in the testing rings there should be a requirement for one box being remote administered to hopefully catch these before they have real-world impacts. Thankfully I'm only a few miles from the office, but others are not so lucky.... -- David C. Rankin, J.D.,P.E.
On Monday 12 November 2018 21:11:47 CET, David C. Rankin wrote:
On 11/12/2018 01:15 PM, Patrick Shanahan wrote:
BUT... not good these type of changes w/o any notice and no way to recover w/o remote assistance. next time the remote aid may not be as viable and then a loooong trip for very suspect reasons.
yes, this is a RANT, but a NECESSARY RANT.
PAY ATTENTION.
tw is a long term investment.
Remote administration is quite a challenge when these things happen. I have found myself on the receiving end on a few updates (thankfully just a few).
Somewhere in the testing rings there should be a requirement for one box being remote administered to hopefully catch these before they have real-world impacts. Thankfully I'm only a few miles from the office, but others are not so lucky....
Agreed, an openQA test for ssh should be nice. -- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
Patrick Shanahan wrote:
* Carlos E. R. <robin.listas@telefonica.net> [11-12-18 11:16]:
Oh, I agree. I have migrated two machines to 15.0, a third is waiting, and I haven't still done the firewall in any. I fear it.
really doesn't appear too difficult. I have it on three boxes now and think I have everything I had with SuSEfirewall2. it's just different. there are plenty of examples and instructions on the net.
There's two problems:
- SuSEfirewall was very nicely documented in the config file. You could read through it, make your changes, then activate. firewalld was basically 'we now use this (RedHat) thing. Go find and read their manuals' (Yes, I'm exaggerating a bit).
- firewalld is live. You can't easily prepare a configuration without running the actual thing during the setup. If you need to upgrade a server that is both needed online and has to be secured that is a PITA situation.
I successfully opened ports for kconnectd and vnc and moved ssh. but my server is still on 42.2 and SuSEfirewall2. I probably will not change it until I upgrade it.
Exactly. Because - see above :P
On 2018-11-12 12:08, George from the tribe wrote:
On laptop #1, I connect to laptop #2 with the following: ssh -X george@192.168.1.169
It connects fine without any trouble.
On laptop #2 I connect to #1 with the following ssh -X george@192.168.1.180
Add -v and check the output. Like so:
ssh -v -X george@192.168.1.180
ssh -v -X george@192.168.1.169
-- /bengan
On 11/12/18 7:09 AM, Bengt Gördén wrote:
On 2018-11-12 12:08, George from the tribe wrote:
On laptop #1, I connect to laptop #2 with the following: ssh -X george@192.168.1.169
It connects fine without any trouble.
On laptop #2 I connect to #1 with the following ssh -X george@192.168.1.180
Add -v and check the output.
Like so:
ssh -v -X george@192.168.1.180
ssh -v -X george@192.168.1.169
Ok----
ssh -X -v george@192.168.1.180
OpenSSH_7.8p1, OpenSSL 1.1.0h-fips 27 Mar 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to 192.168.1.180 [192.168.1.180] port 22.
It hangs there and doesn't do anything else until it times out. -- George Box: 42.3 | KDE Plasma 5.8 | AMD Phenom IIX4 | 64 | 32GB Laptop #1: TW | Plasma 5.13 | AMD FX 7TH GEN | 64 | 32GB Laptop #2: 15.0 | KDE Plasma 5.8 | Core i5 | 64 | 8GB
On 13/11/2018 02.07, George from the tribe wrote:
Ok----
ssh -X -v george@192.168.1.180
OpenSSH_7.8p1, OpenSSL 1.1.0h-fips 27 Mar 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to 192.168.1.180 [192.168.1.180] port 22.
It hangs there and doesn't do anything else until it times out.
You need an update (zypper patch) -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On Tuesday 13 November 2018 02:22:29 CET, Carlos E. R. wrote:
On 13/11/2018 02.07, George from the tribe wrote:
Ok----
ssh -X -v george@192.168.1.180
OpenSSH_7.8p1, OpenSSL 1.1.0h-fips 27 Mar 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to 192.168.1.180 [192.168.1.180] port 22.
It hangs there and doesn't do anything else until it times out.
You need an update (zypper patch)
If the machine runs TW that would be zypper dup
-- Gertjan Lettink a.k.a. Knurpht openSUSE Board Member openSUSE Forums Team
On 11/12/18 7:31 PM, Knurpht-openSUSE wrote:
On Tuesday 13 November 2018 02:22:29 CET, Carlos E. R. wrote:
On 13/11/2018 02.07, George from the tribe wrote:
Ok----
ssh -X -v george@192.168.1.180
OpenSSH_7.8p1, OpenSSL 1.1.0h-fips 27 Mar 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to 192.168.1.180 [192.168.1.180] port 22.
It hangs there and doesn't do anything else until it times out.
You need an update (zypper patch) If the machine runs TW that would be zypper dup
This is a real challenge. I ran a zypper dup on both machines yesterday, both running TW, hoping the update would fix the problem. But the problem is still there.
Also I am running the same version of SSH, OpenSSH_7.8p1, on both machines. Connecting from big lap to small lap is no problem, but small lap to big lap is a problem.
Also systemctl shows me I am running sshd, but firewalld is inactive/dead. That is the same on both computers.
Here are the commands with extra verbiage:
ssh -X -v george@192.168.1.169
OpenSSH_7.8p1, OpenSSL 1.1.0h-fips 27 Mar 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to 192.168.1.169 [192.168.1.169] port 22.
debug1: Connection established.
debug1: identity file /home/george/.ssh/id_rsa type 0
debug1: identity file /home/george/.ssh/id_rsa-cert type -1
debug1: identity file /home/george/.ssh/id_dsa type -1
debug1: identity file /home/george/.ssh/id_dsa-cert type -1
debug1: identity file /home/george/.ssh/id_ecdsa type -1
debug1: identity file /home/george/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/george/.ssh/id_ed25519 type -1
debug1: identity file /home/george/.ssh/id_ed25519-cert type -1
debug1: identity file /home/george/.ssh/id_xmss type -1
debug1: identity file /home/george/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.1.169:22 as 'george'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:0qx45+KgDuDNDfqdf7H6PeF6egZD8gSkYRczNKVJcLQ
debug1: Host '192.168.1.169' is known and matches the ECDSA host key.
debug1: Found key in /home/george/.ssh/known_hosts:14
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:T+BYMtLALpja+hE2Ajn43sjUylxbPfFFxEDcKEntZEY /home/george/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.1.169 ([192.168.1.169]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: exec
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/george/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/george/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env LC_CTYPE = en_US.UTF-8
Last login: Mon Nov 12 20:58:22 2018 from 192.168.1.180
Have a lot of fun...
george@tribetrekDell:~> ssh -X -v george@192.168.1.180
OpenSSH_7.8p1, OpenSSL 1.1.0h-fips 27 Mar 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to 192.168.1.180 [192.168.1.180] port 22.
debug1: connect to address 192.168.1.180 port 22: Connection timed out
ssh: connect to host 192.168.1.180 port 22: Connection timed out
so you can see that from the first computer connecting to the 2nd, it connects fine, but then on the 2nd, trying to log back into the 1st, it doesn't, even after having just updated tumbleweed on both computers. -- George Box: 42.3 | KDE Plasma 5.8 | AMD Phenom IIX4 | 64 | 32GB Laptop #1: TW | Plasma | AMD FX 7TH GEN | 64 | 32GB Laptop #2: TW | Plasma | Core i5 | 64 | 8GB
* George from the tribe <tech@reachthetribes.org> [11-12-18 22:12]:
On 11/12/18 7:31 PM, Knurpht-openSUSE wrote:
On Tuesday 13 November 2018 02:22:29 CET, Carlos E. R. wrote:
On 13/11/2018 02.07, George from the tribe wrote:
Ok----
ssh -X -v george@192.168.1.180
OpenSSH_7.8p1, OpenSSL 1.1.0h-fips 27 Mar 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to 192.168.1.180 [192.168.1.180] port 22.
It hangs there and doesn't do anything else until it times out.
You need an update (zypper patch) If the machine runs TW that would be zypper dup
This is a real challenge. I ran a zypper dup on both machines yesterday, both running TW, hoping the update would fix the problem. But the problem is still there.
Also I am running the same version of SSH, OpenSSH_7.8p1, on both machines. Connecting from big lap to small lap is no problem, but small lap to big lap is a problem.
Also systemctl shows me I am running sshd, but firewalld is inactive/dead. That is the same on both computers.
Here are the commands with extra verbiage:
ssh -X -v george@192.168.1.169
OpenSSH_7.8p1, OpenSSL 1.1.0h-fips 27 Mar 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to 192.168.1.169 [192.168.1.169] port 22.
debug1: Connection established.
debug1: identity file /home/george/.ssh/id_rsa type 0
debug1: identity file /home/george/.ssh/id_rsa-cert type -1
debug1: identity file /home/george/.ssh/id_dsa type -1
debug1: identity file /home/george/.ssh/id_dsa-cert type -1
debug1: identity file /home/george/.ssh/id_ecdsa type -1
debug1: identity file /home/george/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/george/.ssh/id_ed25519 type -1
debug1: identity file /home/george/.ssh/id_ed25519-cert type -1
debug1: identity file /home/george/.ssh/id_xmss type -1
debug1: identity file /home/george/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_7.8
debug1: Remote protocol version 2.0, remote software version OpenSSH_7.8
debug1: match: OpenSSH_7.8 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.1.169:22 as 'george'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: curve25519-sha256
debug1: kex: host key algorithm: ecdsa-sha2-nistp256
debug1: kex: server->client cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: client->server cipher: chacha20-poly1305@openssh.com MAC: <implicit> compression: none
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: kex: curve25519-sha256 need=64 dh_need=64
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ecdsa-sha2-nistp256 SHA256:0qx45+KgDuDNDfqdf7H6PeF6egZD8gSkYRczNKVJcLQ
debug1: Host '192.168.1.169' is known and matches the ECDSA host key.
debug1: Found key in /home/george/.ssh/known_hosts:14
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: rekey after 134217728 blocks
debug1: SSH2_MSG_EXT_INFO received
debug1: kex_input_ext_info: server-sig-algs=<ssh-ed25519,ssh-rsa,rsa-sha2-256,rsa-sha2-512,ssh-dss,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,null>
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering public key: RSA SHA256:T+BYMtLALpja+hE2Ajn43sjUylxbPfFFxEDcKEntZEY /home/george/.ssh/id_rsa
debug1: Server accepts key: pkalg rsa-sha2-512 blen 279
debug1: Authentication succeeded (publickey).
Authenticated to 192.168.1.169 ([192.168.1.169]:22).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: pledge: exec
debug1: client_input_global_request: rtype hostkeys-00@openssh.com want_reply 0
debug1: Remote: /home/george/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Remote: /home/george/.ssh/authorized_keys:3: key options: agent-forwarding port-forwarding pty user-rc x11-forwarding
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
debug1: Sending env LC_CTYPE = en_US.UTF-8
Last login: Mon Nov 12 20:58:22 2018 from 192.168.1.180
Have a lot of fun...
george@tribetrekDell:~> ssh -X -v george@192.168.1.180
OpenSSH_7.8p1, OpenSSL 1.1.0h-fips 27 Mar 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to 192.168.1.180 [192.168.1.180] port 22.
debug1: connect to address 192.168.1.180 port 22: Connection timed out
ssh: connect to host 192.168.1.180 port 22: Connection timed out
so you can see that from the first computer connecting to the 2nd, it connects fine, but then on the 2nd, trying to log back into the 1st, it doesn't, even after having just updated tumbleweed on both computers.
yast sysconfig search for ssh enable it for FW_SERVICES_ACCEPT_EXT
systemctl restart SuSEfirewall2
worked for me
-- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On 11/12/18 10:15 PM, Patrick Shanahan wrote:
yast sysconfig search for ssh enable it for FW_SERVICES_ACCEPT_EXT
systemctl restart SuSEfirewall2
worked for me
Patrick you are AWESOME. That totally worked! Thanks! Although I could not find it in yast, so I went into the file /etc/sysconfig/SuSEfirewall2 and found that line, and made it look like this: FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22"
I restarted the firewall and immediately I got ssh connection back. I saw on an openSUSE page that setting the line like that means that only ipv4 connections will work. Well, it also allowed my connection to be reset.
Oh I might mention I only had to do this on one computer, my bigger laptop, the one I was trying to connect to. I didn't make any changes on the smaller laptop, the one I was trying to connect from. -- George Box: 42.3 | KDE Plasma 5.8 | AMD Phenom IIX4 | 64 | 32GB Laptop #1: TW | Plasma 5.13 | AMD FX 7TH GEN | 64 | 32GB Laptop #2: 15.0 | KDE Plasma 5.8 | Core i5 | 64 | 8GB
On 2018-11-13 at 17:21 -0600, George from the tribe wrote:
On 11/12/18 10:15 PM, Patrick Shanahan wrote:
yast sysconfig search for ssh enable it for FW_SERVICES_ACCEPT_EXT
systemctl restart SuSEfirewall2
worked for me
Patrick you are AWESOME. That totally worked! Thanks! Although I could not find it in yast, so I went into the file /etc/sysconfig/SuSEfirewall2 and found that line, and made it look like this: FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22"
I restarted the firewall and immediately I got ssh connection back. I saw on an openSUSE page that setting the line like that means that only ipv4 connections will work.
Yes, from every computer in the world. -- Cheers Carlos E. R. (from openSUSE 42.3 x86_64 "Malachite" (Minas Tirith))
On 11/13/18 3:21 PM, George from the tribe wrote:
Although I could not find it in yast, so I went into the file /etc/sysconfig/SuSEfirewall2 and found that line, and made it look like this: FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22"
Point of order: this will open ssh to the world. Do you really want to do this, George? You might want to consider swapping the IP of your client laptop with the 0.0.0.0. There are other things you might consider doing too, among them disabling username/password logins, using the ssh public cert instead. Regards, Lew
On 11/13/18 6:01 PM, Lew Wolfgang wrote:
On 11/13/18 3:21 PM, George from the tribe wrote:
Although I could not find it in yast, so I went into the file /etc/sysconfig/SuSEfirewall2 and found that line, and made it look like this: FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22"
Point of order: this will open ssh to the world. Do you really want to do this, George? You might want to consider swapping the IP of your client laptop with the 0.0.0.0.
There are other things you might consider doing too, among them disabling username/password logins, using the ssh public cert instead.
Regards, Lew
No I didn't realize that. Thank you, I will take it off and hope that I can still make ssh work. -- George Box: 42.3 | KDE Plasma 5.8 | AMD Phenom IIX4 | 64 | 32GB Laptop #1: TW | Plasma 5.13 | AMD FX 7TH GEN | 64 | 32GB Laptop #2: 15.0 | KDE Plasma 5.8 | Core i5 | 64 | 8GB
On 17/11/2018 04.01, George from the tribe wrote:
On 11/13/18 6:01 PM, Lew Wolfgang wrote:
On 11/13/18 3:21 PM, George from the tribe wrote:
Although I could not find it in yast, so I went into the file /etc/sysconfig/SuSEfirewall2 and found that line, and made it look like this: FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22"
Point of order: this will open ssh to the world. Do you really want to do this, George? You might want to consider swapping the IP of your client laptop with the 0.0.0.0.
There are other things you might consider doing too, among them disabling username/password logins, using the ssh public cert instead.
Regards, Lew
No I didn't realize that. Thank you, I will take it off and hope that I can still make ssh work.
No, rather read the examples in the file and use "192.168.1.0/24,tcp,22" or whatever your local LAN is. An alternative is "FW_TRUSTED_NETS=..." -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
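The check Lew and Carlos describe, as an added example that is not part of any poster's message: a shell audit that reads FW_SERVICES_ACCEPT_EXT from a sysconfig-style file and flags entries whose source network matches every address. The function names and the sample files are hypothetical, and the entry format is assumed to be the space-separated net,protocol,port form quoted in the thread.

```shell
#!/bin/sh
# Added example: flag FW_SERVICES_ACCEPT_EXT entries that accept from any source.
# Assumption: entries are space-separated "net,protocol,port" items, the form
# quoted in the thread; fields after the port are ignored.

# Print the value of the last FW_SERVICES_ACCEPT_EXT assignment in file $1.
# The file is parsed as text, not sourced, so nothing in it gets executed.
accept_ext_value() {
    sed -n 's/^[[:space:]]*FW_SERVICES_ACCEPT_EXT=//p' "$1" |
        tail -n 1 |
        sed -e 's/[[:space:]]*$//' -e 's/^"\(.*\)"$/\1/' -e "s/^'\(.*\)'\$/\1/"
}

# Classify a source network: "any" if it matches every address, else "limited".
classify_net() {
    case "$1" in
        0/0|0.0.0.0/0|::/0) echo any ;;
        *) echo limited ;;
    esac
}

# Audit file $1: print one verdict line per entry.
# Exit status is 1 when at least one entry accepts from any source.
# The body runs in a subshell so IFS and globbing changes stay local.
audit_accept_ext() (
    set -f    # no glob expansion while splitting entries
    status=0
    for entry in $(accept_ext_value "$1"); do
        old_ifs=$IFS; IFS=,
        set -- $entry
        IFS=$old_ifs
        net=$1; proto=${2:-any}; port=${3:-any}
        if [ "$(classify_net "$net")" = any ]; then
            echo "WORLD-OPEN $proto/$port from $net"
            status=1
        else
            echo "LIMITED $proto/$port from $net"
        fi
    done
    exit "$status"
)

# Constructed sample input: the two settings discussed in the thread.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' 'FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22"' > "$dir/world"
    printf '%s\n' 'FW_SERVICES_ACCEPT_EXT="192.168.1.0/24,tcp,22"' > "$dir/lan"
    for f in "$dir/world" "$dir/lan"; do
        echo "== $f"
        audit_accept_ext "$f" || echo "   -> restrict the source network"
    done
    rm -rf "$dir"
}
demo
```

Pointed at /etc/sysconfig/SuSEfirewall2, a non-zero exit status means at least one accepted service is reachable from any source address.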
On 17/11/18 04:48 AM, Carlos E. R. wrote:
An alternative is "FW_TRUSTED_NETS=..."
Don't you sometimes wish there was a "FW_NOT_TRUSTED_NETS=..."0.0.0.0' just to draw people's attention to it? -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 11/13/18 6:01 PM, Lew Wolfgang wrote:
On 11/13/18 3:21 PM, George from the tribe wrote:
Although I could not find it in yast, so I went into the file /etc/sysconfig/SuSEfirewall2 and found that line, and made it look like this: FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22"
Point of order: this will open ssh to the world. Do you really want to do this, George? You might want to consider swapping the IP of your client laptop with the 0.0.0.0.
There are other things you might consider doing too, among them disabling username/password logins, using the ssh public cert instead.
Regards, Lew
Or rather, put my ip address from the smaller laptop here and see how that works. -- George Box: 42.3 | KDE Plasma 5.8 | AMD Phenom IIX4 | 64 | 32GB Laptop #1: TW | Plasma 5.13 | AMD FX 7TH GEN | 64 | 32GB Laptop #2: 15.0 | KDE Plasma 5.8 | Core i5 | 64 | 8GB
* George from the tribe <tech@reachthetribes.org> [11-13-18 18:24]:
On 11/12/18 10:15 PM, Patrick Shanahan wrote:
yast sysconfig search for ssh enable it for FW_SERVICES_ACCEPT_EXT
systemctl restart SuSEfirewall2
worked for me
Patrick you are AWESOME. That totally worked! Thanks! Although I could not find it in yast, so I went into the file /etc/sysconfig/SuSEfirewall2 and found that line, and made it look like this: FW_SERVICES_ACCEPT_EXT="0.0.0.0/0,tcp,22"
I restarted the firewall and immediately I got ssh connection back. I saw on an openSUSE page that setting the line like that means that only ipv4 connections will work. Well, it also allowed my connection to be reset.
Oh I might mention I only had to do this on one computer, my bigger laptop, the one I was trying to connect to. I didn't make any changes on the smaller laptop, the one I was trying to connect from.
the problem comes from the dropped support for SuSEfirewall2, in this case update scripts from openssh and yast, iiuc. 42.2 is on my server and eventually I will have to deal with it but would prefer not changing until I update the system. there is firewalld and the SuSEfirewall2 conversion script to firewalld available. and I have used it on a Tw machine successfully, but do not know if I trust it completely for my server with mail, ssh and web servers. and I have a large contingency of ipset bans I would like to continue plus some custom adds to SuSEfirewall2/iptables. -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
On 13/11/2018 04.10, George from the tribe wrote:
On 11/12/18 7:31 PM, Knurpht-openSUSE wrote:
On Tuesday 13 November 2018 02:22:29 CET, Carlos E. R. wrote:
On 13/11/2018 02.07, George from the tribe wrote:
Ok----
ssh -X -v george@192.168.1.180
OpenSSH_7.8p1, OpenSSL 1.1.0h-fips 27 Mar 2018
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 25: Applying options for *
debug1: Connecting to 192.168.1.180 [192.168.1.180] port 22.
It hangs there and doesn't do anything else until it times out.
You need an update (zypper patch) If the machine runs TW that would be zypper dup
This is a real challenge. I ran a zypper dup on both machines yesterday, both running TW, hoping the update would fix the problem. But the problem is still there.
Make sure you have the "update" repository enabled: many people on TW don't have it. -- Cheers / Saludos, Carlos E. R. (from openSUSE 15.0 (Legolas))
On 11/13/2018 12:48 AM, somebody wrote:
Make sure you have the "update" repository enabled: many people on TW don't have it.
I looked for an update repo for TW, and was told that since it is a rolling release, updating should be a case of installing the latest. What is in the update that wouldn't be in the latest rolling release? Say a customer installed TW on Nov01. On Nov10, they want to make sure they have the latest, so they update against 'current' on Nov10. Is it the case that they should have moved to the latest patches for Nov01 before syncing their dist to the Nov10 version? The idea of there being updates for a rolling release seems a bit odd. So why?
17.11.2018 19:00, L A Walsh wrote:
On 11/13/2018 12:48 AM, somebody wrote:
Make sure you have the "update" repository enabled: many people on TW don't have it.
I looked for an update repo for TW, and was told that since it is a rolling release, updating should be a case of installing the latest.
What is in the update that wouldn't be in the latest rolling release?
Emergency updates that bypass normal release cycle.
Say a customer installed TW on Nov01. On Nov10, they want to make sure they have the latest, so they update against 'current' on Nov10.
Is it the case that they should have moved to the latest patches for Nov01 before syncing their dist to the Nov10 version? The idea of there being updates for a rolling release seems a bit odd. So why?
On 11/17/18 10:00 AM, L A Walsh wrote:
On 11/13/2018 12:48 AM, somebody wrote:
Make sure you have the "update" repository enabled: many people on TW don't have it.
I looked for an update repo for TW, and was told that since it is a rolling release, updating should be a case of installing the latest.
What is in the update that wouldn't be in the latest rolling release? Say a customer installed TW on Nov01. On Nov10, they want to make sure they have the latest, so they update against 'current' on Nov10.
Is it the case that they should have moved to the latest patches for Nov01 before syncing their dist to the Nov10 version? The idea of there being updates for a rolling release seems a bit odd. So why?
I use the update repo, for example, if I have a new package that I want to install in between a rolling release. If what I want that is new for me happens to also have an emergency release that bypasses the normal release cycle, as Andrei says, it will be installed from the update repo. -- George Box: 42.3 | KDE Plasma 5.8 | AMD Phenom IIX4 | 64 | 32GB Laptop #1: TW | Plasma 5.13 | AMD FX 7TH GEN | 64 | 32GB Laptop #2: 15.0 | KDE Plasma 5.8 | Core i5 | 64 | 8GB
On 17/11/2018 17.00, L A Walsh wrote:
On 11/13/2018 12:48 AM, somebody wrote:
Make sure you have the "update" repository enabled: many people on TW don't have it.
I looked for an update repo for TW, and was told that since it is a rolling release, updating should be a case of installing the latest.
What is in the update that wouldn't be in the latest rolling release?
Well, sometimes, like now, some nasty problem is found soon after a "release". The system is not ready to make another release fast enough, it will take some days, sometimes weeks because in the interim something was changed and the distro will not build or pass the testings, so trying to "release" would be even worse if not impossible. However, it is possible to create a patch to correct the immediate problem in a package or two and put an update, a patch, in the update repo. It is not the first time this has been done. Yes, many people think that the update repo is not necessary on Tumbleweed and remove it. Wrong! Don't. If you did, put it back. It may not be used in many months, hopefully, till one day it is used - like this time. This should be written in red somewhere in the instructions. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
On 18/11/2018 14:35, Carlos E. R. wrote:
Make sure you have the "update" repository enabled: many people on TW
Hi Carlos ! - any ideas how to get my privoxy going ? thanks cheers .....
On 18/11/2018 13.39, ellanios82 wrote:
On 18/11/2018 14:35, Carlos E. R. wrote:
Make sure you have the "update" repository enabled: many people on TW
Hi Carlos !
- any ideas how to get my privoxy going ?
No, but if I had I would post to your privoxy thread, not here. -- Cheers / Saludos, Carlos E. R. (from 42.3 x86_64 "Malachite" at Telcontar)
On Monday 12 November 2018 12:08:47 CET, George from the tribe wrote:
I use ssh to sync my 2 laptops. I have all my keys in place, so it normally connects without a problem or having to enter a password. Until recently it worked fine, but now here is what I am dealing with.
On laptop #1, I connect to laptop #2 with the following: ssh -X george@192.168.1.169
It connects fine without any trouble.
On laptop #2 I connect to #1 with the following ssh -X george@192.168.1.180
I can connect to myself from laptop #1 to laptop #1 by running the same command ssh -X george@192.168.1.180, and it works no problem. So I think the port is open on that computer.
Until recently this had no problem connecting. Now it just hangs. No error given, it just sits there. Maybe after 5 or 10 minutes it will say the request timed out, but sometimes it doesn't do anything except sit there until I hit ctrl-c to break the request.
I can ping the other computer no problem, but cannot connect by ssh. Port 22 is open according to SuSEfirewall2
Check openssh and openssh-helper on the system you can't connect to. Version 7.8p1 does not accept an ssh connection. On OBS you can find 7.9p1 which solves that problem. -- fr.gr. member openSUSE Freek de Kruijf
* Freek de Kruijf <freek@opensuse.org> [11-12-18 08:42]:
On Monday 12 November 2018 12:08:47 CET, George from the tribe wrote:
I use ssh to sync my 2 laptops. I have all my keys in place, so it normally connects without a problem or having to enter a password. Until recently it worked fine, but now here is what I am dealing with.
On laptop #1, I connect to laptop #2 with the following: ssh -X george@192.168.1.169
It connects fine without any trouble.
On laptop #2 I connect to #1 with the following ssh -X george@192.168.1.180
I can connect to myself from laptop #1 to laptop #1 by running the same command ssh -X george@192.168.1.180, and it works no problem. So I think the port is open on that computer.
Until recently this had no problem connecting. Now it just hangs. No error given, it just sits there. Maybe after 5 or 10 minutes it will say the request timed out, but sometimes it doesn't do anything except sit there until I hit ctrl-c to break the request.
I can ping the other computer no problem, but cannot connect by ssh. Port 22 is open according to SuSEfirewall2
Check openssh and openssh-helper on the system you can't connect to. Version 7.8p1 does not accept an ssh connection. On OBS you can find 7.9p1 which solves that problem.
7.8p1 does not but 7.8p1-3.1 does. -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri Registered Linux User #207535 @ http://linuxcounter.net Photos: http://wahoo.no-ip.org/piwigo paka @ IRCnet freenode
Freek de Kruijf wrote:
I can ping the other computer no problem, but cannot connect by ssh. Port 22 is open according to SuSEfirewall2
Check openssh and openssh-helper on the system you can't connect to. Version 7.8p1 does not accept an ssh connection. On OBS you can find 7.9p1 which solves that problem.
The issue is not really 7.8p1, but (at least for me) the firewall. My system still uses SuSEfirewall, and there the config for ssh is in /etc/sysconfig/SuSEfirewall2.d/services/sshd. That one was part of the openssh package, but no longer is in 7.8p1. So the firewall complains it cannot find the configuration for service sshd and doesn't open the port :(
Just creating the above file with the one line TCP="ssh" and then restarting the firewall allows me to get in again. 7.8p1 is happily answering once the packages actually get through to it.
On Monday 12 November 2018 15:07:30 CET, Peter Suetterlin wrote:
Freek de Kruijf wrote:
I can ping the other computer no problem, but cannot connect by ssh. Port 22 is open according to SuSEfirewall2
Check openssh and openssh-helper on the system you can't connect to. Version 7.8p1 does not accept an ssh connection. On OBS you can find 7.9p1 which solves that problem.
The issue is not really 7.8p1, but (at least for me) the firewall. My system still uses SuSEfirewall, and there the config for ssh is in /etc/sysconfig/SuSEfirewall2.d/services/sshd. That one was part of the openssh package, but no longer is in 7.8p1. So the firewall complains it cannot find the configuration for service sshd and doesn't open the port :(
Just creating the above file with the one line TCP="ssh" and then restarting the firewall allows me to get in again. 7.8p1 is happily answering once the packages actually get through to it.
As was mentioned there was also trouble with openssh-7.8p1-1.1 but was solved in 7.8p1-3.1. -- fr.gr. member openSUSE Freek de Kruijf
Freek de Kruijf wrote:
As was mentioned there was also trouble with openssh-7.8p1-1.1 but was solved in 7.8p1-3.1.
Ah, my bad - seems I had skipped that version (1.1), I indeed run 3.1. I had only seen 7.8 vs. 7.9....
participants (13)
- Andrei Borzenkov
- Anton Aylward
- Bengt Gördén
- Carlos E. R.
- David C. Rankin
- ellanios82
- Freek de Kruijf
- George from the tribe
- Knurpht-openSUSE
- L A Walsh
- Lew Wolfgang
- Patrick Shanahan
- Peter Suetterlin