I'm very new to SSH so I have a few questions that will be obvious to many of you. I've been following through the guide at https://en.opensuse.org/SDB:Configure_openSSH which is rather outdated but the basics are still relevant. So until now I've succeeded in connecting between machines on the same network, browsing and copying files remotely, launching YaST in ncurses mode to do remote updates, etc. All fine. I now want to connect to a machine on another network (in another country). I realize that I've probably fallen at the first hurdle, since although I configured some basics on that remote machine, I never added a line to hosts.allow with the address of my computer here at home, and hosts.deny is set to refuse ALL other connections. Presumably, since I therefore currently have no access at all, I'll have to speak to the user of that remote machine and have them log in as root and add the relevant line to the hosts.allow file? Related to that, whilst the remote user's IP address is dynamic and their ISP charges a fee to switch to static, would I get around that by associating their domain name to their connection with reverse DNS? And if so, what are the implications of doing so? Could that result in increased snoops/attacks or wider broadcast of their domain? And then how do I specify which machine at their end, behind their router, my SSH command goes to? Until now I've only been specifying local addresses, e.g. 192.168.0.10. Is this even how it works? I cannot find anything relating to that in any other SSH articles or guides I've googled for, which makes me think the concept is different. Is the machine effectively specified by the port number I assign, meaning I should assign different port numbers for every device? I'd have thought that was one of the fundamental things anybody wants to do with SSH yet none of the many SSH pages I've pulled up explains anything about this. Cheers. 
-- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 08/09/2016 at 16:38, gumb wrote:
> user of that remote machine and have them log in as root and add the relevant line to the hosts.allow file?
Did you open the firewall on the remote? That's all that is necessary on openSUSE (besides starting the sshd daemon :-)
> And then how do I specify which machine at their end, behind their router,
If the remote computer is behind a router, you have to forward the ssh port of the router to a port on the receiver. For this look at the receiver's router manual; some are configured online (web app), some others locally.

jdd
On 08/09/16 16:45, jdd wrote:
> Did you open the firewall on the remote? That's all that is necessary on openSUSE (besides starting the sshd daemon :-)
Yes, I've configured the openSUSE firewall on each end.
> If the remote computer is behind a router, you have to forward the ssh port of the router to a port on the receiver. For this look at the receiver's router manual;
> some are configured online (web app), some others locally.
> jdd
The receiver's router is some rather pathetic device provided free by their ISP. When I was there recently I logged in to its configuration settings, which aren't very extensive. There was a setting to allow specified services to pass through. I selected 'SSH' from the list, then selected their PC from the list of known/connected devices, and changed the port number to the one I'd previously configured (i.e. not the default 22).

What isn't clear is how I would SSH into more than one machine at their end. Currently that isn't necessary, but once you've selected 'SSH' from the list you can only choose one device. If I try to add another configuration and select SSH again it says I've already set that and I must change the existing configuration. This seems to be a severe limitation of a cheap router.
On September 8, 2016 8:55:00 AM PDT, gumb <gumb@linuxmail.org> wrote:
> On 08/09/16 16:45, jdd wrote:
>> Did you open the firewall on the remote? That's all that is necessary on openSUSE (besides starting the sshd daemon :-)
> Yes, I've configured the openSUSE firewall on each end.
>> If the remote computer is behind a router, you have to forward the ssh port of the router to a port on the receiver. For this look at the receiver's router manual;
>> some are configured online (web app), some others locally.
>> jdd
> The receiver's router is some rather pathetic device provided free by their ISP. When I was there recently I logged in to its configuration settings, which aren't very extensive. There was a setting to allow specified services to pass through. I selected 'SSH' from the list, then selected their PC from the list of known/connected devices, and changed
> the port number to the one I'd previously configured (i.e. not the default 22).
> What isn't clear is how I would SSH into more than one machine at their end. Currently that isn't necessary, but once you've selected 'SSH' from the
> list you can only choose one device. If I try to add another configuration and select SSH again it says I've already set that and I must change the existing configuration. This seems to be a severe limitation of a cheap router.
Use a different port for each machine behind the router. This isn't a limitation of the router. It's basic TCP you are up against. Once you have an ssh connection to one machine you can ssh to any of the others.
On 09/08/2016 12:00 PM, John Andersen wrote:
> Use a different port for each machine behind the router.
> This isn't a limitation of the router. It's basic TCP you are up against.
It's the shortage of IPv4 addresses that he's up against, causing people to share 1 IP address among multiple devices. With IPv6, every device can have at least one globally unique address. With my ISP, I have a /64 prefix, which provides 2^64 or 18.4 billion billion addresses available for me. Every IPv6 capable device I have can be reached without messing around with different port numbers. That nonsense is caused by that hack called NAT, that's necessitated by the address shortage.
On 09/08/2016 08:55 AM, gumb wrote:
> On 08/09/16 16:45, jdd wrote:
>> Did you open the firewall on the remote? That's all that is necessary on openSUSE (besides starting the sshd daemon :-)
> Yes, I've configured the openSUSE firewall on each end.
>> If the remote computer is behind a router, you have to forward the ssh port of the router to a port on the receiver. For this look at the receiver's router manual;
>> some are configured online (web app), some others locally.
>> jdd
> The receiver's router is some rather pathetic device provided free by their ISP. When I was there recently I logged in to its configuration settings, which aren't very extensive. There was a setting to allow specified services to pass through. I selected 'SSH' from the list, then selected their PC from the list of known/connected devices, and changed the port number to the one I'd previously configured (i.e. not the default 22).
> What isn't clear is how I would SSH into more than one machine at their end. Currently that isn't necessary, but once you've selected 'SSH' from the list you can only choose one device. If I try to add another configuration and select SSH again it says I've already set that and I must change the existing configuration. This seems to be a severe limitation of a cheap router.
Selecting SSH in that router is just a pre-fabbed rule to open the default SSH port 22; if you wanted more PCs running SSHD then you would use different ports. Check to see if the router lets you do a manual port forward, as it should. Meaning you tell it what port to open, not have it tell you.
On 09/08/2016 12:06 PM, sdm wrote:
> Selecting SSH in that router is just a pre-fabbed rule to open the default SSH port 22; if you wanted more PCs running SSHD then you would use different ports. Check to see if the router lets you do a manual port forward, as it should. Meaning you tell it what port to open, not have it tell you.
HMMM. HMMM.

The way I read gumb's description the remote router (?firewall?) is 'pathetic' = 'primitive', in that it does port forwarding only. It may only be a NAT'ing router. Yes, many low end devices are like that. It's typical of ISP economics. (Think of it as pure IPTables setting.)

A more sophisticated firewall/router, say a Linux box running it all, would have a SSHD on the firewall that can either redirect or use as a proxy/forwarder.

Since this is dumb forwarding using the router the more sophisticated binding capability of the ssh/sshd pairing isn't there.

So the ssh connection comes in on port 22 of the Internet side and out to whatever port and address on the inside. Think of this as simple pass-through, or perhaps non-trivial pass-through if it's a NAT'ing router that is buggering around with packet headers.

--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
On 08/09/16 19:01, Anton Aylward wrote:
> On 09/08/2016 12:06 PM, sdm wrote:
>> Selecting SSH in that router is just a pre-fabbed rule to open the default SSH port 22; if you wanted more PCs running SSHD then you would use different ports. Check to see if the router lets you do a manual port forward, as it should. Meaning you tell it what port to open, not have it tell you.
> HMMM. HMMM.
> The way I read gumb's description the remote router (?firewall?) is 'pathetic' = 'primitive', in that it does port forwarding only. It may only be a NAT'ing router. Yes, many low end devices are like that. It's typical of ISP economics. (Think of it as pure IPTables setting.)
> A more sophisticated firewall/router, say a Linux box running it all, would have a SSHD on the firewall that can either redirect or use as a proxy/forwarder.
> Since this is dumb forwarding using the router the more sophisticated binding capability of the ssh/sshd pairing isn't there.
> So the ssh connection comes in on port 22 of the Internet side and out to whatever port and address on the inside. Think of this as simple pass-through, or perhaps non-trivial pass-through if it's a NAT'ing router that is buggering around with packet headers.
There's a big thread about this router here: https://community.plus.net/t5/Tech-Help-Software-Hardware-etc/Unlocking-the-... I'm not good at multitasking and have been too busy pondering over this ML's responses and typing replies to look into it, so I'm not yet past page 1. But the initial post suggests it is limited.

Whilst I can't say for certain without logging into the remote router, from what I recall, it was only possible to assign ONE device on the local network to the SSH service. If you try to add another configuration it says you've already set it, and I didn't see a way to add multiple devices under the SSH service. So I think Anton's description might be the more accurate.
* gumb <gumb@linuxmail.org> [09-08-16 13:23]: [...]
> I'm not good at multitasking and have been too busy pondering over this ML's responses and typing replies to look into it, so I'm not yet past page 1. But the initial post suggests it is limited.
> Whilst I can't say for certain without logging into the remote router, from what I recall, it was only possible to assign ONE device on the local network to the SSH service. If you try to add another configuration it says you've already set it, and I didn't see a way to add multiple devices under the SSH service.
So either pick another "service" and change the port assigned, or make a new service and use the port you want to assign the particular machine. The "services" the router provides are only name tags for particular ports.

--
(paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri
http://en.opensuse.org openSUSE Community Member facebook/ptilopteri
http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2
Registered Linux User #207535 @ http://linuxcounter.net
On 08/09/16 19:27, Patrick Shanahan wrote:
>> Whilst I can't say for certain without logging into the remote router, from what I recall, it was only possible to assign ONE device on the local network to the SSH service. If you try to add another configuration it says you've already set it, and I didn't see a way to add multiple devices under the SSH service.
> So either pick another "service" and change the port assigned, or make a new service and use the port you want to assign the particular machine.
> The "services" the router provides are only name tags for particular ports.
Sorry, I shouldn't be pursuing this particular aspect since it will probably be irrelevant. I hadn't thought about doing it via your 'trick' method. But what a moronic router config if that's what's required. There is only the one machine I want to access at the remote end currently, so as long as the router at least provides one configuration, which it does, that should be enough for now. If I'm going to SSH from the other end, then my own router does have multiple such configurations.
On Thu, Sep 8, 2016 at 1:44 PM, gumb <gumb@linuxmail.org> wrote:
> On 08/09/16 19:27, Patrick Shanahan wrote:
>>> Whilst I can't say for certain without logging into the remote router, from what I recall, it was only possible to assign ONE device on the local network to the SSH service. If you try to add another configuration it says you've already set it, and I didn't see a way to add multiple devices under the SSH service.
>> So either pick another "service" and change the port assigned, or make a new service and use the port you want to assign the particular machine.
>> The "services" the router provides are only name tags for particular ports.
> Sorry, I shouldn't be pursuing this particular aspect since it will probably be irrelevant. I hadn't thought about doing it via your 'trick' method. But what a moronic router config if that's what's required.
It's not the router's fault. NAT is the villain. Unfortunately most of us are forced to use NAT on our routers.

If you don't know, there are only 4 billion IPv4 addresses, and that simply isn't enough to satisfy the needs.

NAT was introduced decades ago as a way to make the IPs go further. I don't think anyone actually likes NAT. It is simply a necessary evil.

== how NAT works ==

There are tens of thousands of ports per IP address (1 - 65535).

But with NAT there is only one public IP address for the site. Think of it like a company phone system from 70 years ago. You had to call the company operator and ask to be connected. In a small company you could ask for "Joe" and get connected. As the company grew, you started having to ask for "Extension 4045", etc.

NAT is the same.

Some small number of the ports have been given well known names (Joe), but most haven't.

One of the well known names is SSHD for port 22.

But there is only one public port 22 for the site (router).

If YOU want to offer 5 different SSH connections into the remote site, then it is YOUR job to decide which 5 port numbers you want to use on the router and add them to the router's services list.

It doesn't matter if you're using a basic router or not, that's the way it is (with NAT).

If you were working at a location that didn't use NAT, then each device could have its own IP address. That is like having direct dial to someone's office desk phone.

fyi: NAT is so common that I get confused when I go to a client site that doesn't have it. I can think of 2 of my customers in the last 10 years that didn't use NAT for their office machines.

Greg
On 08/09/16 20:15, Greg Freemyer wrote:
> On Thu, Sep 8, 2016 at 1:44 PM, gumb <gumb@linuxmail.org> wrote:
>> On 08/09/16 19:27, Patrick Shanahan wrote:
>>>> Whilst I can't say for certain without logging into the remote router, from what I recall, it was only possible to assign ONE device on the local network to the SSH service. If you try to add another configuration it says you've already set it, and I didn't see a way to add multiple devices under the SSH service.
>>> So either pick another "service" and change the port assigned, or make a new service and use the port you want to assign the particular machine.
>>> The "services" the router provides are only name tags for particular ports.
>> Sorry, I shouldn't be pursuing this particular aspect since it will probably be irrelevant. I hadn't thought about doing it via your 'trick' method. But what a moronic router config if that's what's required.
> It's not the router's fault. NAT is the villain. Unfortunately most of us are forced to use NAT on our routers.
> If you don't know, there are only 4 billion IPv4 addresses, and that simply isn't enough to satisfy the needs.
> NAT was introduced decades ago as a way to make the IPs go further. I don't think anyone actually likes NAT. It is simply a necessary evil.
> == how NAT works ==
> There are tens of thousands of ports per IP address (1 - 65535).
> But with NAT there is only one public IP address for the site. Think of it like a company phone system from 70 years ago. You had to call the company operator and ask to be connected. In a small company you could ask for "Joe" and get connected. As the company grew, you started having to ask for "Extension 4045", etc.
> NAT is the same.
> Some small number of the ports have been given well known names (Joe), but most haven't.
> One of the well known names is SSHD for port 22.
> But there is only one public port 22 for the site (router).
> If YOU want to offer 5 different SSH connections into the remote site, then it is YOUR job to decide which 5 port numbers you want to use on the router and add them to the router's services list.
> It doesn't matter if you're using a basic router or not, that's the way it is (with NAT).
> If you were working at a location that didn't use NAT, then each device could have its own IP address. That is like having direct dial to someone's office desk phone.
> fyi: NAT is so common that I get confused when I go to a client site that doesn't have it. I can think of 2 of my customers in the last 10 years that didn't use NAT for their office machines.
> Greg
Thanks for the explanation. A great analogy! Does that mean that IPv6 solves all these woes, or does it still have to work around some of them for backwards compatibility? I'd been wondering if trying to do all this with IPv6 would be more simple or more complicated. But I think again the remote router throws a rock into the road there because it appears to not support IPv6. At least, there is nothing in the printed manual or configuration that mentions it.
On 09/08/2016 02:34 PM, gumb wrote:
> Does that mean that IPv6 solves all these woes, or does it still have to work around some of them for backwards compatibility?
In short, ipv6 means that we have enough addresses that we don't need NAT. Back in the days before the commercialization of the internet went hog wild and everyone and every household was demanding connectivity, and IPv4 was relatively unpopulated, sites had subnets, perhaps a 'Class C', and every host was directly addressable from the outside, provided that you were on a routing grouping that allowed you to talk to the remote site; say a university in England to one in California. BTDT. But we still had firewalls.
> I'd been wondering if trying to do all this with IPv6 would be more simple or more complicated.
In one sense the expanded address space is going to overwhelm some minds that are too detail-oriented. It's a sheer multiplication of scale. But I'm sure we'll develop some 'object' related software to deal with that. Also, a lot of prior knowledge is now going to become redundant. Aka irrelevant. That always upsets people; 'technological redundancy'. Cf. the original 'Luddites'. Every technical shift does this. But we get over it; "where are all the unemployed {horse grooms, night-soil carriers, train engineers, butlers and maids}?"
> But I think again the remote router throws a rock into the road there because it appears to not support IPv6. At least, there is nothing in the printed manual or configuration that mentions it.
Yes, piles and piles and piles of technology will become obsolete. That's how industrial nations work. Japan's auto emission control laws progress and mean any car more than three years old is too expensive to upgrade, so they get junked and people buy new, which keeps the auto manufacturers doing a good trade. Europe and North America aren't quite that aggressive in the auto arena, but instead we have 'fashions' which means we change clothes, furnishing, and more with regularity even when the goods we're throwing out are still usable. I've already upgraded my broadband router.
On 09/08/2016 02:53 PM, Anton Aylward wrote:
> In short, ipv6 means that we have enough addresses that we don't need NAT.
> Back in the days before the commercialization of the internet went hog wild and everyone and every household was demanding connectivity, and IPv4 was relatively unpopulated, sites had subnets, perhaps a 'Class C', and every host was directly addressable from the outside, provided that you were on a routing grouping that allowed you to talk to the remote site; say a university in England to one in California.
According to Vint Cerf, IPv4 was never intended to be anything more than a demonstration system. However, it "escaped" and became what it is now. These days VC will tell you to move to IPv6. https://en.wikipedia.org/wiki/Vint_Cerf
> But we still had firewalls.
Yep, and still need them.
On 9/8/2016 11:34 AM, gumb wrote:
> Does that mean that IPv6 solves all these woes, or does it still have to work around some of them for backwards compatibility?
With all due respect, Gumb, stay on task here and don't try to rebuild the world in a day.

Moving to a full ipv6 with no router and no firewall, and no NAT is like buying a new engine to avoid having to change oil.

There are a lot of pitfalls along the way, and suddenly every machine must be configured with a proper firewall. That's all fine and good if everything is something you can control like Linux, but printers and smartphones and Windows machines, and tablets, and IoT gadgets all become YOUR problem. (Because BLAME attaches to he who touches it LAST).

You don't even know if your router can be a firewall without also being a NAT. I'm guessing not.

Rest comfortably behind your NAT/firewall for now. Wait till your skills and understanding build up over time. Use what you have.

There is nothing wrong with your router; it works just about like any other router.

You don't need a direct connection to every machine behind the router, because getting an ssh connection to one means you are one command away from an ssh connection to EACH of the others. You can ssh from one to the other easily with the proper passwords.
On 09/08/2016 03:15 PM, John Andersen wrote:
> On 9/8/2016 11:34 AM, gumb wrote:
>> Does that mean that IPv6 solves all these woes, or does it still have to work around some of them for backwards compatibility?
> With all due respect, Gumb, stay on task here and don't try to rebuild the world in a day.
+1
> Moving to a full ipv6 with no router and no firewall, and no NAT is like buying a new engine to avoid having to change oil.
+1 LOL!
> There are a lot of pitfalls along the way, and suddenly every machine must be configured with a proper firewall. That's all fine and good if everything is something you can control like Linux, but printers and smartphones and Windows machines, and tablets, and IoT gadgets all become YOUR problem. (Because BLAME attaches to he who touches it LAST).
That's a scary proposition for those of us who have been networking using a variety of technologies, protocols and addressing schemes for decades. It's all very well my saying that there will be tools to do bulk operations, but the IoT world has shown little consistency of interface and management protocols. It's going to be a lot of individual step-and-repeat with a lot of exceptions and special cases.
> You don't even know if your router can be a firewall without also being a NAT. I'm guessing not.
That model, I'm pretty sure not. The one I've just acquired, well, yes, it's "multimode", NAT and a couple of different forms of pass-through, ipv4 and ipv6, and has a separate management channel. YMMV.
> Rest comfortably behind your NAT/firewall for now. Wait till your skills and understanding build up over time. Use what you have.
+1
> There is nothing wrong with your router; it works just about like any other router.
That is why (a) there are so many vendors producing pretty much the same thing, and (b) that makes it competitive and cheap so brings about (a).
> You don't need a direct connection to every machine behind the router, because getting an ssh connection to one means you are one command away from an ssh connection to EACH of the others. You can ssh from one to the other easily with the proper passwords.
Or certificates. That's why you should make all the SSHD servers on all the machines 'standard', use port 22, and leave the outside mapping, for example port 2222 on the Big-I Internet facing side, to the NAT'ing router. You start playing mumbly-peg with settings and you (a) might forget and (b) you'll have to "translate in your head" when communicating with others, reading standard papers and books. KISS.
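Greg's NAT explanation, John's point that one ssh connection puts you one command away from the other machines, and Anton's advice to keep every sshd on port 22 and let the router map an outside port such as 2222, can all be captured in one client-side ~/.ssh/config. This is an added example, not any poster's own configuration: remote-site.example.net, the user name friend, the LAN address 192.168.0.11 and the key file name are placeholders, and ProxyJump assumes an OpenSSH 7.3 or newer client.

```sshconfig
# Client-side ~/.ssh/config (added example; every name below is a placeholder).
# Router rule at the remote site: public port 2222 -> the friend's PC, port 22.
# sshd on every machine at that end keeps listening on its standard port 22.

# The one machine the router forwards to.
Host friend-pc
    # public IP or dynamic-DNS name of the remote router
    HostName remote-site.example.net
    # the outside port the router maps to port 22 inside
    Port 2222
    User friend
    # key-based login; offer only this key rather than every key in the agent
    IdentityFile ~/.ssh/id_ed25519_friend
    IdentitiesOnly yes
    # hosts.allow on friend-pc sees your home public address here; with a
    # dynamic home IP, rely on the key, not on an address pin, to admit you.

# A second machine on the same LAN that the router does NOT forward to.
# OpenSSH opens it through friend-pc, so the laptop sees the connection arrive
# from friend-pc's LAN address and its hosts.allow/firewall only needs the LAN.
Host friend-laptop
    HostName 192.168.0.11
    Port 22
    User friend
    # ProxyJump needs OpenSSH 7.3 or newer; on an older client use instead:
    #   ProxyCommand ssh -W %h:%p friend-pc
    ProxyJump friend-pc

# Equivalent one-liners without this file:
#   ssh -p 2222 friend@remote-site.example.net
#   ssh -J friend@remote-site.example.net:2222 friend@192.168.0.11
# Show what the client will actually use, without connecting:
#   ssh -G friend-laptop | grep -Ei '^(hostname|port|user|proxyjump) '
```

Only machines that must be reachable straight from the Internet need their own outside port at the router, as Greg describes; anything that is only ever reached via the forwarded PC can stay unforwarded and be hopped to like friend-laptop.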
On 09/08/2016 03:15 PM, John Andersen wrote:
> Moving to a full ipv6 with no router and no firewall, and no NAT is like buying a new engine to avoid having to change oil.
Who said anything about no router or firewall? I'm running pfSense here. It talks to my ISP with DHCPv6 to get my prefix, and uses that prefix on the LAN side to provide addresses to all my IPv6 capable devices.
On Thu, Sep 8, 2016 at 2:34 PM, gumb <gumb@linuxmail.org> wrote:
> Does that mean that IPv6 solves all these woes, or does it still have to work around some of them for backwards compatibility?
Another analogy.

Let's say you could express a thought in Mandarin in a short sentence, but it will take a long paragraph to do it in English.

So in theory, Mandarin is easier, but if you only speak English, Mandarin is not a good option.

That is how I feel about IPv6. I speak IPv4 pretty fluently. I don't even know the IPv6 terminology, so it's not an option unless I want to invest a lot of learning curve up front.

Greg
On Thursday 08 September 2016, Greg Freemyer wrote:
> On Thu, Sep 8, 2016 at 2:34 PM, gumb <gumb@linuxmail.org> wrote:
>> Does that mean that IPv6 solves all these woes, or does it still have to work around some of them for backwards compatibility?
> Another analogy.
> Let's say you could express a thought in Mandarin in a short sentence, but it will take a long paragraph to do it in English.
> So in theory, Mandarin is easier, but if you only speak English, Mandarin is not a good option.
> That is how I feel about IPv6. I speak IPv4 pretty fluently. I don't even know the IPv6 terminology, so it's not an option unless I want to invest a lot of learning curve up front.
IPv6 is great. Actually I've been using ssh via IPv6 only for many years. This is a nice exercise to learn something by playing: https://ipv6.he.net/certification/

... and after this exercise you will be IPv6 connected, and you will get such a useless but nice certificate :) https://ipv6.he.net/certification/scoresheet.php?pass_name=rudimeier

cu, Rudi
On Thursday 08 September 2016, Ruediger Meier wrote:
> On Thursday 08 September 2016, Greg Freemyer wrote:
>> On Thu, Sep 8, 2016 at 2:34 PM, gumb <gumb@linuxmail.org> wrote:
>>> Does that mean that IPv6 solves all these woes, or does it still have to work around some of them for backwards compatibility?
>> Another analogy.
>> Let's say you could express a thought in Mandarin in a short sentence, but it will take a long paragraph to do it in English.
>> So in theory, Mandarin is easier, but if you only speak English, Mandarin is not a good option.
>> That is how I feel about IPv6. I speak IPv4 pretty fluently. I don't even know the IPv6 terminology, so it's not an option unless I want to invest a lot of learning curve up front.
> IPv6 is great. Actually I've been using ssh via IPv6 only for many years. This is a nice exercise to learn something by playing: https://ipv6.he.net/certification/
> ... and after this exercise you will be IPv6 connected.
> and you will get such a useless but nice certificate :) https://ipv6.he.net/certification/scoresheet.php?pass_name=rudimeier
Ah, forgot to mention, they will send you such a cool T-shirt :) https://www.google.de/search?q=HE+tshirt&source=lnms&tbm=isch&sa=X&ved=0ahUKEwiIpe7d4oDPAhVRsBQKHWK9BgwQ_AUICCgB&biw=1060&bih=924#tbm=isch&q=Hurricane+electrics+ipv6+tshirt

cu, Rudi
On 09/08/2016 05:55 PM, Ruediger Meier wrote:
> and you will get such a useless but nice certificate :) https://ipv6.he.net/certification/scoresheet.php?pass_name=rudimeier
Didn't you get the T-shirt? ;-)
Greg Freemyer wrote:
> On Thu, Sep 8, 2016 at 2:34 PM, gumb <gumb@linuxmail.org> wrote:
>> Does that mean that IPv6 solves all these woes, or does it still have to work around some of them for backwards compatibility?
> Another analogy.
> Let's say you could express a thought in Mandarin in a short sentence, but it will take a long paragraph to do it in English.
> So in theory, Mandarin is easier, but if you only speak English, Mandarin is not a good option.
> That is how I feel about IPv6. I speak IPv4 pretty fluently. I don't even know the IPv6 terminology, so it's not an option unless I want to invest a lot of learning curve up front.
There's nothing much to IPv6. From an infrastructure pov, there are a few things you need to learn, but from a user perspective, even a techie user, it's straightforward.

--
Per Jessen, Zürich (16.7°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 09-09-16 at 07:26 Per Jessen wrote:
Greg Freemyer wrote:
On Thu, Sep 8, 2016 at 2:34 PM, gumb <gumb@linuxmail.org> wrote:
Does that mean that IPv6 solves all these woes, or does it still have to work around some of them for backwards compatibility?
Another analogy.
Let's say you could express a thought in Mandarin in a short sentence, but it will take a long paragraph to do it in English.
So in theory, Mandarin is easier, but if you only speak English, Mandarin is not a good option.
That is how I feel about IPv6. I speak IPv4 pretty fluently. I don't even know the IPv6 terminology, so it's not an option unless I want to invest a lot of learning curve up front.
There's nothing much to IPv6. From an infrastructure pov, there are a few things you need to learn, but from a user perspective, even a techie user, it's straightforward.
Well, it's not so straightforward. I mentioned this in other threads, but my provider does not give a fixed prefix to my router. Since Linux can't, I need something like pfSense to be able to distribute that prefix to my inside network. Unfortunately, for me that means another machine in the chain, with its space, power consumption, etc., so I'm stuck with my HE tunnel. Koenraad.
Koenraad Lelong wrote:
On 09-09-16 at 07:26 Per Jessen wrote:
Greg Freemyer wrote:
On Thu, Sep 8, 2016 at 2:34 PM, gumb <gumb@linuxmail.org> wrote:
Does that mean that IPv6 solves all these woes, or does it still have to work around some of them for backwards compatibility?
Another analogy.
Let's say you could express a thought in Mandarin in a short sentence, but it will take a long paragraph to do it in English.
So in theory, Mandarin is easier, but if you only speak English, Mandarin is not a good option.
That is how I feel about IPv6. I speak IPv4 pretty fluently. I don't even know the IPv6 terminology, so it's not an option unless I want to invest a lot of learning curve up front.
There's nothing much to IPv6. From an infrastructure pov, there are a few things you need to learn, but from a user perspective, even a techie user, it's straightforward.
Well, it's not so straightforward. I mentioned this in other threads, but my provider does not give a fixed prefix to my router. Since Linux can't, I need something like pfSense to be able to distribute that prefix to my inside network. Unfortunately, for me that means another machine in the chain, with its space, power consumption, etc., so I'm stuck with my HE tunnel.
I would call that an implementation-specific detail, not a problem in working with IPv6 in general. Still, dynamic IPv6 networks ought to be handled by Linux too. -- Per Jessen, Zürich (25.2°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On 09/09/2016 08:35 AM, Koenraad Lelong wrote:
but my provider does not give a fixed prefix to my router. Since linux can't, I need something like pfsense to be able to distribute that prefix to my inside network.
The usual practice is for DHCPv6 & DHCP-PD to do that. Many routers do that, as does pfSense. However, the openSUSE firewall didn't, so I switched to pfSense.
On 09/08/2016 04:06 PM, Greg Freemyer wrote:
That is how I feel about IPv6. I speak IPv4 pretty fluently. I don't even know the IPv6 terminology, so it's not an option unless I want to invest a lot of learning curve up front.
For the most part, it works exactly the same as IPv4, but with longer addresses. Thinking prefix instead of subnet mask is one minor difference. You lose ARP to Neighbor Solicitation (NS) etc. But routers still route and firewalls still filter, just like in IPv4. You also lose having to configure default route, DNS, DHCP, addresses, etc.
gumb wrote:
Does that mean that IPv6 solves all these woes, or does it still have to work around some of them for backwards compatibility?
IPv6 solves all these problems.
I'd been wondering if trying to do all this with IPv6 would be more simple or more complicated.
Because it takes NAT out of the equation, it does simplify things.
But I think again the remote router throws a rock into the road there because it appears to not support IPv6. At least, there is nothing in the printed manual or configuration that mentions it.
It's first and foremost a question for the provider - do they use IPv6? -- Per Jessen, Zürich (16.6°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 09/08/2016 02:34 PM, gumb wrote:
Does that mean that IPv6 solves all these woes, or does it still have to work around some of them for backwards compatibility?
Yes. With IPv6, every IPv6 capable device will have its own address(es) that can be reached from outside. Any operating system produced in the last several years, along with smart phones, tablets and more, now supports IPv6. In fact, this week I installed some VoIP phones that support it.
On 09/08/2016 02:15 PM, Greg Freemyer wrote:
I don't think anyone actually likes NAT. Some people think it's a good firewall, though it's not as good as a proper stateful firewall.
It is simply a necessary evil
Only until people get IPv6.
On 09/08/2016 02:15 PM, Greg Freemyer wrote:
fyi: NAT is so common that I get confused when I go to a client site that doesn't have it. I can think of 2 of my customers in the last 10 years that didn't use NAT for their office machines.
Back in the late '90s, when I was working at IBM Canada, I had a "real" address. It was 9.29.146.147 and it was static. None of that new fangled DHCP stuff for me! ;-) I also had 4 more static IPs for the testing I did in my work. I also had 5 SNA addresses, one for my own computer and 4 for testing.
On 09/08/2016 10:27 AM, Patrick Shanahan wrote:
* gumb <gumb@linuxmail.org> [09-08-16 13:23]: [...]
I'm not good at multitasking and have been too busy pondering over this ML's responses and typing replies to look into it, so I'm not yet past page 1. But the initial post suggests it is limited.
Whilst I can't say for certain without logging into the remote router, from what I recall, it was only possible to assign ONE device on the local network to the SSH service. If you try to add another configuration it says you've already set it, and I didn't see a way to add multiple devices under the SSH service.
So either pick another "service" and change the port assigned, or make a new service and use the port you want to assign the particular machine.
The "services" the router provides are only name tags for particular ports.
Yes, which is what I said (above). The SSH "tag" in that cheapo router is just to make it easy for the user to open the default SSH port. I have never in my life seen a router where you could only open up pre-fabbed ports based on what the manufacturer pre-set, so unless I haven't seen it yet, it's almost a guarantee that in this specific case the same can be done.
On Thu, Sep 8, 2016 at 11:55 AM, gumb <gumb@linuxmail.org> wrote:
On 08/09/16 16:45, jdd wrote:
Did you open the firewall on the remote? That's all that is necessary on openSUSE (besides starting the sshd daemon :-)
Yes, I've configured the openSUSE firewall on each end.
If the remote computer is behind a router, you have to forward the ssh port of the router to a port on the receiver. For this, look at the receiver's router manual.
some configure online (web app), some others locally.
jdd
The receiver's router is some rather pathetic device provided free by their ISP. When I was there recently I logged in to its configuration settings, which aren't very extensive. There was a setting to allow specified services to pass through. I selected 'SSH' from the list, then selected their PC from the list of known/connected devices, and changed the port number to the one I'd previously configured (i.e. not the default 22).
What isn't clear is how I would SSH into more than one machine at their end. Currently that isn't necessary, but once you've selected 'SSH' from the list you can only choose one device. If I try to add another configuration and select SSH again it says I've already set that and I must change the existing configuration. This seems to be a severe limitation of a cheap router.
Method 1: Cheap or not, the router only has one port 22. But most routers can map inbound ports to any random IP:port on the private side of the router. So:
port 2222 => IP1:22
port 2223 => IP2:22
port 2224 => IP3:22
etc.
Then on the client side you just specify the alternate port used on the router (2222, 2223, 2224, ....)
Method 2: If you don't have admin rights to the router or if it can't do the above, you can use autossh to establish an encrypted reverse tunnel to a computer on the internet that has more accessibility. I have been doing that for about 10 years. I rent a VM on the Internet that I run openSUSE on. It has no confidential data on it (that isn't encrypted). I use it for my website, email forwarding, etc. From the destination PC I use autossh to open an encrypted tunnel to that server and forward me any incoming connections. I found the available instructions on the web for ssh reverse tunnels hard to follow, so I wrote up my own. They're for a Windows PC behind a firewall, but it is relatively easy to ignore the Windows specific parts: https://lizards.opensuse.org/2015/04/20/using-opensuse-as-a-reverse-tunnel-s... Hope one of the 2 above will help. Greg
On 09/08/2016 12:10 PM, Greg Freemyer wrote:
Method 1: Cheap or not, the router only has one port 22. But most routers can map inbound ports to any random IP:port on the private side of the router. So:
port 2222 => IP1:22
port 2223 => IP2:22
port 2224 => IP3:22
etc.
Then on the client side you just specify the alternate port used on the router (2222, 2223, 2224, ....)
The problem with that is URLs don't support port numbers, so you're stuck with specifying non-standard ports on the command line.
On 2016-09-09 at 07:13 -0400, James Knott wrote:
The problem with that is URLs don't support port numbers, so you're stuck with specifying non-standard ports on the command line.
Of course they do! Here, from my browser: http://mountaintop:4080/results?d=838 -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
Sorry, my mistake. I was thinking DNS. With DNS, I have an AAAA record for every IPv6 capable device on my network, including virtual machines. You can't specify a port in the DNS, so you'd have to add it when you enter the URL. Regardless, NAT is a hack that creates several problems. The only one it "solves" is reducing the number of IPv4 addresses required. On 09/09/2016 07:58 AM, Carlos E. R. wrote:
On 2016-09-09 at 07:13 -0400, James Knott wrote:
The problem with that is URLs don't support port numbers, so you're stuck with specifying non-standard ports on the command line.
Of course they do!
Here, from my browser:
http://mountaintop:4080/results?d=838
-- Cheers Carlos E. R.
(from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/09/2016 07:13 AM, James Knott wrote:
On 09/08/2016 12:10 PM, Greg Freemyer wrote:
Method 1: Cheap or not, the router only has one port 22. But most routers can map inbound ports to any random IP:port on the private side of the router. So:
port 2222 => IP1:22
port 2223 => IP2:22
port 2224 => IP3:22
etc.
Then on the client side you just specify the alternate port used on the router (2222, 2223, 2224, ....)
The problem with that is URLs don't support port numbers, so you're stuck with specifying non-standard ports on the command line.
I think that you have worded that in an ambiguous way, James.
Firstly, if I'm using SSH then I can configure my .ssh/config to accommodate that. I can, for example, have
Host server1.antonaylward.com
User git
Port 2233
Cipher blowfish
Hostname mainserver.antonaylward.com
IdentityFile ~/.ssh/id_rsa
TCPKeepAlive yes
IdentitiesOnly yes
Host server2.antonaylward.com
User git
Port 3332
Cipher aes128-cbc
Hostname mainserver.antonaylward.com
and so on for server3, server4.
I realise that this is specific, internal to SSH and not general, not something that can be posted on Firefox for an alternative address for the HTTP server.
Which leads to the second case, to deal with your ambiguity. I *CAN* specify on the command line a port and URL:
firefox website.antonaylward.com:8080
No, the port number is not, as in the ssh config example, 'embedded' in the URL. But it is on the command line.
PLEASE NOTE: THE ADDRESSES I'VE USED AS EXAMPLES DO NOT EXIST. They are used for illustration purposes only.
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 09/09/2016 09:26 AM, Anton Aylward wrote:
I realise that this is specific, internal to SSH and not general, not something that can be posted on Firefox for an alternative address for the HTTP server.
Yep, that's the whole issue. You have to know about the ports being used and how to use them.
On 09/08/2016 11:55 AM, gumb wrote:
The receiver's router is some rather pathetic device provided free by their ISP. When I was there recently I logged in to its configuration settings, which aren't very extensive. There was a setting to allow specified services to pass through. I selected 'SSH' from the list, then selected their PC from the list of known/connected devices, and changed the port number to the one I'd previously configured (i.e. not the default 22).
So you're going IN to the receiver's router (?firewall?) on its port 22 facing the Big-I Internet, and that's redirecting to another port on a selected machine where you've set up a sshd listening on that other port. As far as you addressing the remote *site* you address port 22 on the Big-I Internet facing side. The redirection is done by that router (?firewall?). You do NOT direct out from your machine to that other port, the remote router (?firewall?) takes care of that redirection for you. OBTW do not fiddle with the hosts.allow. Leave it empty. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 08/09/16 18:49, Anton Aylward wrote:
On 09/08/2016 11:55 AM, gumb wrote:
The receiver's router is some rather pathetic device provided free by their ISP. When I was there recently I logged in to its configuration settings, which aren't very extensive. There was a setting to allow specified services to pass through. I selected 'SSH' from the list, then selected their PC from the list of known/connected devices, and changed the port number to the one I'd previously configured (i.e. not the default 22).
So you're going IN to the receiver's router (?firewall?) on its port 22 facing the Big-I Internet, and that's redirecting to another port on a selected machine where you've set up a sshd listening on that other port.
As far as you addressing the remote *site* you address port 22 on the Big-I Internet facing side. The redirection is done by that router (?firewall?). You do NOT direct out from your machine to that other port, the remote router (?firewall?) takes care of that redirection for you.
But how, in that case, IF there were multiple machines at the remote end (which there aren't, but I might at some point want to SSH in reverse back home where I do have more than one device, which is why I want to be sure of the theory), would the router know which machine I'm trying to SSH into? If all I've set up on the client side is an ssh config file in ./.ssh/config with entries such as
Host arbitrary-name
Hostname 83.155.42.9
that reaches the IP address and gets me only so far as the router. If I'm supposed to address port 22 then where and how do I specify machine-a or machine-b?
My config file also includes the port number for each entry, e.g.
Port 1234
Are you saying that in principle the traffic is always entering via port 22 on the router regardless of what I specify in my config, but after that the port number is read in order to reach the correct device? Or are you saying my config file should specify Port 22 (which would be default so no need to specify explicitly). In which case, I don't understand the next step to get to the right machine.
OBTW do not fiddle with the hosts.allow. Leave it empty.
Too late. I edited that long ago on the server side. However, on my recent visit there, I was trying to SSH in from my laptop on the network and it failed. Since this router is a replacement for one that had burnt out, I'd forgotten that I'd updated the static IP of the machines to 192.168.1.x instead of 192.168.0.x, since the IP gateway is 192.168.1.254. When I modified the server's hosts.allow file accordingly all was well. So although it's apparently an antiquated concept, it's one that works.
* gumb <gumb@linuxmail.org> [09-08-16 13:17]:
On 08/09/16 18:49, Anton Aylward wrote:
On 09/08/2016 11:55 AM, gumb wrote:
The receiver's router is some rather pathetic device provided free by their ISP. When I was there recently I logged in to its configuration settings, which aren't very extensive. There was a setting to allow specified services to pass through. I selected 'SSH' from the list, then selected their PC from the list of known/connected devices, and changed the port number to the one I'd previously configured (i.e. not the default 22).
So you're going IN to the receiver's router (?firewall?) on its port 22 facing the Big-I Internet, and that's redirecting to another port on a selected machine where you've set up a sshd listening on that other port.
As far as you addressing the remote *site* you address port 22 on the Big-I Internet facing side. The redirection is done by that router (?firewall?). You do NOT direct out from your machine to that other port, the remote router (?firewall?) takes care of that redirection for you.
But how, in that case, IF there were multiple machines at the remote end (which there aren't, but I might at some point want to SSH in reverse back home where I do have more than one device, which is why I want to be sure of the theory), would the router know which machine I'm trying to SSH into? If all I've set up on the client side is an ssh config file in ./.ssh/config with entries such as
Host arbitrary-name
Hostname 83.155.42.9
that reaches the IP address and gets me only so far as the router. If I'm supposed to address port 22 then where and how do I specify machine-a or machine-b?
My config file also includes the port number for each entry, e.g. Port 1234
ssh 83.155.42.9:1234
ssh 83.155.42.9:1235
ssh 83.155.42.9:1236
all reach machines on 83.155.42.9 assigned to particular ports, Directly! -- (paka)Patrick Shanahan Plainfield, Indiana, USA @ptilopteri http://en.opensuse.org openSUSE Community Member facebook/ptilopteri http://wahoo.no-ip.org Photo Album: http://wahoo.no-ip.org/gallery2 Registered Linux User #207535 @ http://linuxcounter.net
On 2016-09-08 at 13:22 -0400, Patrick Shanahan wrote:
* gumb <> [09-08-16 13:17]:
But how, in that case, IF there were multiple machines at the remote end (which there aren't, but I might at some point want to SSH in reverse back home where I do have more than one device, which is why I want to be sure of the theory), would the router know which machine I'm trying to SSH into? If all I've set up on the client side is an ssh config file in ./.ssh/config with entries such as
...
ssh 83.155.42.9:1234
ssh 83.155.42.9:1235
ssh 83.155.42.9:1236
all reach machines on 83.155.42.9 assigned to particular ports, Directly!
That's the easiest way. The other is to have a single computer accepting ssh from outside, as it is now, and from that machine ssh to another intranet machine. As far as you want. I have not tried this with X forwarding, though. An advantage of this method is that the first computer acts as filter or wall protecting the rest. -- Cheers Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/08/2016 01:16 PM, gumb wrote:
But how, in that case, IF there were multiple machines at the remote end (which there aren't, but I might at some point want to SSH in reverse back home where I do have more than one device, which is why I want to be sure of the theory), would the router know which machine I'm trying to SSH into?
Please read the theory of redirection. Please also re-read Greg's post and the followup I did expanding on his post.
Are you saying that in principle the traffic is always entering via port 22 on the router regardless of what I specify in my config, but after that the port number is read in order to reach the correct device? Or are you saying my config file should specify Port 22 (which would be default so no need to specify explicitly). In which case, I don't understand the next step to get to the right machine.
There are many modes that ssh/sshd can operate in. Let's not go into the other ones. Basically, if you are using a single redirection in a simple -- as you say 'primitive' -- router like this, it redirects one incoming port to one host:port. THAT IS IT. But as Greg points out you can have multiple redirections:
port 2222 => IP1:22
port 2223 => IP2:22
port 2224 => IP3:22
etc.
Then on the client side you just specify the alternate port used on the router (2222, 2223, 2224, ....)
You ask
If I'm supposed to address port 22 then where and how do I specify machine-a or machine-b?
Re-read the above.
host a: address remote port 2222
host b: address remote port 2223
....
OBTW do not fiddle with the hosts.allow. Leave it empty.
Too late. I edited that long ago on the server side. However, on my recent visit there, I was trying to SSH in from my laptop on the network and it failed. Since this router is a replacement for one that had burnt out, I'd forgotten that I'd updated the static IP of the machines to 192.168.1.x instead of 192.168.0.x, since the IP gateway is 192.168.1.254. When I modified the server's hosts.allow file accordingly all was well. So although it's apparently an antiquated concept, it's one that works.
It's not simply antiquated, it can potentially get in the way of other things. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 09/08/2016 01:16 PM, gumb wrote:
OBTW do not fiddle with the hosts.allow. Leave it empty.
Too late. I edited that long ago on the server side.
What it comes down to is this:
The tcp_wrappers/hosts.allow/deny was for dealing with the insecure R-commands, rcp, rlogin, the r-for-remote-shell and other insecure commands like the original (pre-CUPS) printing system, and tftp. Most of the r-commands are simply replaced by SSH. Other commands like rsync, rdist and others use SSH for secure remote access. Many other commands that are usually dealt with locally like CVS can be configured to use SSH or use SSH's forwarding/proxy mechanism.
Some while back, tcp_wrappers functionality was folded into that last bastion of network listening, the Xinetd daemon (the simple inetd daemon having been long made redundant by Xinetd, which has nothing to do with X11).
If you have the r-commands installed, which is not default, then you shouldn't; they are insecure and, as I said, have been replaced by ssh.
If you are using Xinetd, then each entry has its own allow/deny, which can be an IP address or range, a network by name from /etc/networks, a network name in FQDN style, or simply a host name. It can also specify allowed/denied times of access. All that is more flexible than the hosts.allow/deny format.
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
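As an added illustration of the hosts.allow/hosts.deny evaluation order Anton describes, and of the subnet mistake gumb ran into above (the LAN moved from 192.168.0.x to 192.168.1.x while hosts.allow still named the old prefix), here is a small model of hosts_access(5) matching. It is example code written for this page, not part of tcp_wrappers or openSUSE; the two sample files are constructed, and the matcher only models ALL, trailing-dot prefixes, net/mask patterns and literal addresses (no EXCEPT, hostname lookups or KNOWN/UNKNOWN/PARANOID).

```python
import ipaddress

# Constructed sample files modelled on the situation in this thread:
# sshd was allowed from the old 192.168.0.x LAN and everything else refused.
HOSTS_ALLOW_OLD = "sshd: 192.168.0.\n"
HOSTS_ALLOW_FIXED = "sshd: 192.168.0. 192.168.1.\n"   # after gumb's fix
HOSTS_DENY = "ALL: ALL\n"


def client_matches(pattern, client_ip):
    """Match one client pattern from a hosts.allow/hosts.deny client list.

    Modelled forms: ALL, a trailing-dot prefix (192.168.1.), net/mask
    (192.168.1.0/24 or 192.168.1.0/255.255.255.0) and an exact address.
    Hostname patterns, EXCEPT and KNOWN/UNKNOWN/PARANOID are not modelled.
    """
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        # prefix match on dotted quads: "192.168.1." does not match 192.168.10.5
        return client_ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip


def rule_matches(line, daemon, client_ip):
    """A rule is 'daemon_list : client_list [: shell_command]'.

    It matches when the daemon appears (or ALL) in the first list and the
    client matches any pattern in the second; the optional third field is ignored.
    """
    line = line.split("#", 1)[0].strip()
    if ":" not in line:
        return False
    daemon_list, rest = line.split(":", 1)
    client_list = rest.split(":", 1)[0]
    daemons = daemon_list.replace(",", " ").split()
    clients = client_list.replace(",", " ").split()
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(client_matches(c, client_ip) for c in clients))


def hosts_access(allow_text, deny_text, daemon, client_ip):
    """tcp_wrappers order: hosts.allow first (a match grants), then hosts.deny
    (a match refuses), and a client matching neither file is granted."""
    if any(rule_matches(l, daemon, client_ip) for l in allow_text.splitlines()):
        return True
    if any(rule_matches(l, daemon, client_ip) for l in deny_text.splitlines()):
        return False
    return True


if __name__ == "__main__":
    for allow, ip in ((HOSTS_ALLOW_OLD, "192.168.0.10"),
                      (HOSTS_ALLOW_OLD, "192.168.1.10"),
                      (HOSTS_ALLOW_FIXED, "192.168.1.10")):
        print(ip, "->", "granted" if hosts_access(allow, HOSTS_DENY, "sshd", ip) else "refused")
```

The last rule of hosts_access is the one worth remembering when deciding whether to keep these files at all: a client matching neither file is granted, so an empty hosts.allow and hosts.deny (Anton's advice) simply hands access control back to the firewall and to sshd's own configuration, whereas `ALL: ALL` in hosts.deny turns every forgotten prefix in hosts.allow into the lock-out gumb hit, not into an open door.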
On 09/08/2016 01:16 PM, gumb wrote:
But how, in that case, IF there were multiple machines at the remote end (which there aren't, but I might at some point want to SSH in reverse back home where I do have more than one device, which is why I want to be sure of the theory), would the router know which machine I'm trying to SSH into? If all I've set up on the client side is an ssh config file in ./.ssh/config with entries such as
Host arbitrary-name Hostname 83.155.42.9
that reaches the IP address and gets me only so far as the router. If I'm supposed to address port 22 then where and how do I specify machine-a or machine-b?
My config file also includes the port number for each entry, e.g. Port 1234
Are you saying that in principle the traffic is always entering via port 22 on the router regardless of what I specify in my config, but after that the port number is read in order to reach the correct device? Or are you saying my config file should specify Port 22 (which would be default so no need to specify explicitly). In which case, I don't understand the next step to get to the right machine.
Because you only have 1 IPv4 address for multiple computers, you need to differentiate the destination. Only one can use port 22. All others require a non-standard port number and you then have to specify the port number on the command line.
A router forwards a port, saying: "What I receive on port 22 (example) will go to the computer 192.168.0.12 (example), port 40022". IF you can give any port on the receive part, you can instruct your target to use any port for ssh. For example, you can "ssh -p 50156 <your IP>" if your router forwards the port 50156 to the target, port 22. jdd
On 08/09/2016 at 17:55, gumb wrote:
What isn't clear is how I would SSH into more than one machine at their end.
Don't worry too much. If you can ssh into one machine in this network, you can ssh to any of the network machines, as long as the first one works. ssh can be chained: you can ssh to the first machine, then from this one ssh to another one, ad infinitum. It's not the easiest way, but I use it pretty often if I don't want to expose my own IP. You can even ssh back to your home provided you have its IP. ssh is very flexible. Of course you have to keep track of what machine you are on, else you can make dramatic errors :-) jdd
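To tie together Anton's per-host .ssh/config above, Greg's "method 1" (one public port per internal machine) and the chained-hop method Carlos and jdd describe, here is an added Python example, not code from the thread or from OpenSSH, that parses a constructed client config and resolves each alias the way ssh does: Host blocks are walked in order and the first value obtained for a keyword wins, so `Host *` defaults belong at the end. 83.155.42.9 is the router address gumb used as an example in this thread; the ports, user names, 192.168.1.30 and the alias names are made up. The chained hop is written as ProxyJump (the `-J` option), which is how current OpenSSH expresses the manual ssh-inside-ssh chaining discussed here.

```python
import fnmatch

# Constructed ~/.ssh/config. OpenSSH treats only whole lines starting with
# '#' as comments, so every note here sits on its own line.
SAMPLE_CONFIG = """\
# first internal machine, reached through the router's forwarded port 2222
Host site-pc1
    HostName 83.155.42.9
    Port 2222
    User alice

# second internal machine behind the same public address, forwarded port 2223
Host site-pc2
    HostName 83.155.42.9
    Port 2223
    User alice

# a box with no forwarded port at all: chain through site-pc1 (ProxyJump / -J)
Host site-printer-box
    HostName 192.168.1.30
    ProxyJump site-pc1

# defaults; must come last because ssh keeps the first value it obtains
Host *
    User gumb
    Port 22
    ServerAliveInterval 30
"""


def parse_ssh_config(text):
    """Split ssh_config text into (host_patterns, options) blocks in file order.

    Options that appear before any Host line are global; they are kept in a
    leading '*' block so that, like in OpenSSH, they take precedence.
    """
    blocks = [(["*"], {})]
    current = blocks[0]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            current[1].setdefault(keyword, value)   # first value in a block wins
    return blocks


def resolve(alias, text=SAMPLE_CONFIG):
    """Mimic OpenSSH's rule: for each keyword the first value obtained wins.

    fnmatch stands in for ssh's own '*'/'?' pattern matching; the '!'
    negation form and Match blocks are not modelled (assumption).
    """
    opts = {}
    for patterns, block in parse_ssh_config(text):
        if any(fnmatch.fnmatchcase(alias, p) for p in patterns):
            for key, value in block.items():
                opts.setdefault(key, value)
    opts.setdefault("hostname", alias)   # no HostName: the alias is the host
    opts.setdefault("port", "22")
    return opts


def ssh_command(alias, text=SAMPLE_CONFIG):
    """Render the explicit command line that the alias stands for."""
    o = resolve(alias, text)
    cmd = ["ssh", "-p", o["port"]]
    if "proxyjump" in o:
        cmd += ["-J", o["proxyjump"]]
    cmd.append((o["user"] + "@" if "user" in o else "") + o["hostname"])
    return " ".join(cmd)


if __name__ == "__main__":
    for alias in ("site-pc1", "site-pc2", "site-printer-box", "somewhere.example"):
        print(alias, "->", ssh_command(alias))
```

Running the file prints the explicit command each alias expands to, which is a quick way to check a config before relying on it from abroad: the two forwarded hosts resolve to the same public address on different ports, the chained host resolves to a private address reachable only through site-pc1, and anything not named falls back to the `Host *` defaults.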
On 09/08/2016 01:57 PM, jdd wrote:
On 08/09/2016 at 17:55, gumb wrote:
What isn't clear is how I would SSH into more than one machine at their end.
Don't worry too much.
If you can ssh into one machine in this network, you can ssh to any of the network machines, as long as the first one works.
That is one reason to stick with the defaults internally, have all the internal SSHD servers listening on port 22, and let the NAT'ing firewall take care of redirection, as Greg says:
port 2222 => IP1:22
port 2223 => IP2:22
port 2224 => IP3:22
etc.
Then on the client side you just specify the alternate port used on the router (2222, 2223, 2224, ....)
-- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 08/09/2016 at 20:38, Anton Aylward wrote:
If you can ssh into one machine in this network, you can ssh to any of the network machines, as long as the first one works.
That is one reason to stick with the defaults internally, have all the internal SSHD servers listening on port 22, and let the NAT'ing firewall take care of redirection, as Greg says:
This is not a bad idea for the sake of security, but it has nothing to do with using ssh; you can use any port at will (you only have to use the correct ssh syntax). And to follow the questions, using IPv6 is not an option, not really in the wild. jdd
On 09/08/2016 02:41 PM, jdd wrote:
and to follow the questions, using IPV6 is not an option, not really in the wild.
Yes, no, maybe. First, there's encapsulation. I'll leave it to James Knott to cover that. Secondly, there is no reason you can't use IPv6 between hosts behind an IPv4 NAT'ing firewall. Finally, SSH and SSHD can be forced to use IPv4 ONLY, IPv6 ONLY, or, as the man page makes clear, it can listen on multiple addresses, multiple ports at each address, and IPv4 addresses simultaneous with IPv6 addresses. Of course the client SSH can be directed to any address, any port and told to use either IPv4 or IPv6. See the man page for that too. And yes you can encode that in the config file on a per host basis. So, the end result is you can have the best of both worlds on your internal network, for example, only allowing inbound IPv4 SSH because of your NAT'ing router and reluctant ISP, but IPv6 internally. -- A: Yes. > Q: Are you sure? >> A: Because it reverses the logical flow of conversation. >>> Q: Why is top posting frowned upon?
On 9/8/2016 12:06 PM, Anton Aylward wrote:
On 09/08/2016 02:41 PM, jdd wrote:
and to follow the questions, using IPV6 is not an option, not really in the wild.
Yes, no, maybe.
First, there's encapsulation.
I'll leave it to James Knott to cover that.
Secondly, there is no reason you can't use IPv6 between hosts behind an IPv4 NAT'ing firewall.
Finally, SSH and SSHD can be forced to use IPv4 ONLY, IPv6 ONLY, or, as the man page makes clear, it can listen on multiple addresses, multiple ports at each address, and IPv4 addresses simultaneously with IPv6 addresses.
Of course the client SSH can be directed to any address, any port and told to use either IPV4 or IPV6. See the man page for that too.
And yes you can encode that in the config file on a per host basis.
So, the end result is you can have the best of both worlds on your internal network, for example, only allowing inbound ipv4 SSH because of your NAT'ing router and reluctant ISP, but ipv6 internally.
Anton, this is not the thread to get all pedantic, is it? Gumb is just barely getting into ssh. It's not the time to foist this level of complexity on a simple problem. Gumb: Don't listen to Anton at this point. He's had too much coffee, and not enough beer today. ;-) -- _____________________________________ ---This space for rent---
On 09/08/2016 03:23 PM, John Andersen wrote:
Gumb: Don't listen to Anton at this point. He's had too much coffee, and not enough beer today. ;-)
Yes, but it is damn good coffee, rich and creamy! I started at 6:30 and I've just finished another pot. Bounce! Bounce Bounce. "Tiggers are wonderful things..." -- A distracted figure with a huge bushy beard blunders in just as you speak the word of ancient magic. The man wears loose clothing, and an expression of intense concentration. He is clutching his frizzy hair with one hand; his other hand grips an intricate grid - the object of his attention. His eyes brighten as the word you've spoken reaches his ears. "Yes! Yes! That's it!" he exclaims as he draws out a pen and fills in a row of squares. "Now my hyperconstrained, double-acrostic, cryptic crossword is complete, and ready to puzzle others. That was all I needed - just a simple five-letter word, composed only of the letters 'X' 'Y' and 'Z,' that would fit here!" He grips your hand and shakes it fervently. "Thank you! Now that I've finished with that, I can get on to those other things I've been meaning to do, such as monkey-wrenching the demolition and saving recreational linguistics for future generations." He turns away and mutters, just before he departs, "I hope none of that will involve lying in front of a bulldozer..."
On 09/08/2016 03:23 PM, John Andersen wrote:
Gumb is just barely getting into ssh. Its not the time to foist this level of complexity on a simple problem.
It's NAT that's forcing the complexity, in an attempt to work around inadequate address space. With IPv6, it's a matter of simply providing the IPv6 address or just the host name and not worrying about port forwarding and non-standard ports.
On 09/08/2016 03:06 PM, Anton Aylward wrote:
On 09/08/2016 02:41 PM, jdd wrote:
and to follow the questions, using IPV6 is not an option, not really in the wild.
Yes, no, maybe.
First, there's encapsulation.
I'll leave it to James Knott to cover that.
I used a 6in4 tunnel, which used IPv4 to carry the IPv6 traffic to/from a "tunnel broker", who'd then connect to the Internet via IPv6. I had a /56 prefix, which provided 2^72 addresses. However, my ISP started offering IPv6 a few months ago, so I no longer use the tunnel.
Secondly, there is no reason you can't use IPv6 between hosts behind an IPv4 NAT'ing firewall.
I certainly did that, in addition to my IPv6 tunnel, as well with my ISP provided IPv6. Most of the traffic on my home network is IPv6.
Finally, SSH and SSHD can be forced to use IPv4 ONLY, IPv6 ONLY, or, as the man page makes clear, it can listen on multiple addresses, multiple ports at each address, and IPv4 addresses simultaneously with IPv6 addresses.
Of course the client SSH can be directed to any address, any port and told to use either IPV4 or IPV6. See the man page for that too.
And yes you can encode that in the config file on a per host basis.
So, the end result is you can have the best of both worlds on your internal network, for example, only allowing inbound ipv4 SSH because of your NAT'ing router and reluctant ISP, but ipv6 internally.
On 09/08/2016 02:41 PM, jdd wrote:
using IPV6 is not an option, not really in the wild.
These days, any ISP not providing IPv6 is part of the problem. It's been available for several years and I've been running it at home for over 6 years.
James Knott wrote:
On 09/08/2016 02:41 PM, jdd wrote:
using IPV6 is not an option, not really in the wild.
These days, any ISP not providing IPv6 is part of the problem. It's been available for several years and I've been running it at home for over 6 years.
Yes, I have to agree - there's plenty of IPv6 connectivity to be had out there. According to https://www.akamai.com/uk/en/our-thinking/state-of-the-internet-report/state... in order of size of deployment, the lead countries are Belgium, Greece, Germany, Switzerland, USA, Portugal, Luxembourg, Ecuador, Estonia, Peru, France, UK. Some countries are way behind, but unless you live in one of those, it's not fair to say "using IPV6 is not an option, not really in the wild". -- Per Jessen, Zürich (18.1°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 10/09/2016 at 09:12, Per Jessen wrote:
According to
https://www.akamai.com/uk/en/our-thinking/state-of-the-internet-report/state...
in order of size of deployment, the lead countries are Belgium, Greece, Germany, Switzerland, USA, Portugal, Luxembourg, Ecuador, Estonia, Peru, France, UK. Some countries are way behind, but unless you live in one of those, it's not fair to say "using IPV6 is not an option, not really in the wild".
With 22% for the USA, do you think it's possible to freely use IPv6 and drop IPv4?? The best, 41% for Belgium, is already a pity!! If this report means anything, because what is relevant is the main servers'/ISPs' acceptance of IPv6. I too often notice that allowing IPv6 breaks home connectivity... jdd
jdd wrote:
On 10/09/2016 at 09:12, Per Jessen wrote:
According to
https://www.akamai.com/uk/en/our-thinking/state-of-the-internet-report/state...
in order of size of deployment, the lead countries are Belgium, Greece, Germany, Switzerland, USA, Portugal, Luxembourg, Ecuador, Estonia, Peru, France, UK. Some countries are way behind, but unless you live in one of those, it's not fair to say "using IPV6 is not an option, not really in the wild".
With 22% for the USA, do you think it's possible to freely use IPv6 and drop IPv4??
jdd, we're not talking about dropping IPv4 (although it is a possibility if your provider has a 6to4 gateway), but about adding/using IPv6.
if this report means anything. because what is relevant is the main servers/ISP acceptation of IPV6.
Anyone running more than a hobby webserver that is not on IPv6 is way behind, IMHO. The Akamai study/report presumably shows their clients, so essentially the ISPs serving the end-user.
I too often notice that allowing IPv6 breaks home connectivity...
Where do you notice this? That is almost certainly due to a lack of skills and/or poor equipment. Either at home or at the provider's. -- Per Jessen, Zürich (20.9°C) http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On 10/09/2016 at 11:50, Per Jessen wrote:
jdd wrote:
I too often notice that allowing IPv6 breaks home connectivity...
Where do you notice this? That is almost certainly due to a lack of skills and/or poor equipment. Either at home or at the providers.
In nearly any openSUSE install I have, I have had to disable IPv6 to have a working system. Last time it was due to a very long lag time at connect. Initially I simply used the default install. I don't think this is the place to discuss this in depth :-( I simply don't promote IPv6 to anybody. jdd
On 09/10/2016 06:57 AM, jdd wrote:
In nearly any openSUSE install I have, I have had to disable IPv6 to have a working system. Last time it was due to a very long lag time at connect. Initially I simply used the default install.
I suspect your problem is elsewhere. I've been running IPv6 for over 6 years without issue.
I don't think this is the place to discuss this in depth :-(
I simply don't promote IPV6 to anybody
Well, you're going to have to change that soon. The world is moving to IPv6 and refusing to use it means falling behind. Many ISPs and carriers are already moving to IPv6 only. They'll provide IPv4 through large scale NAT or 464XLAT. Either way, you get the NAT problems twice over, without a hope of being able to reach your IPv4 network from outside. Sticking with IPv4 and NAT can only lead to more problems and many things are simply not possible on IPv4, due to the lack of addresses. I'd strongly suggest you start learning about IPv6, so you can go with the future.
On 10/09/2016 at 14:54, James Knott wrote:
On 09/10/2016 06:57 AM, jdd wrote:
I simply don't promote IPV6 to anybody
Well, you're going to have to change that soon.
I guess I won't see this happen. I have nothing against it per se, but things go forward so slowly :-( and I'm already 70 :-( IPv6 should have been standard for more than 10 years now :-( jdd
jdd wrote:
On 10/09/2016 at 14:54, James Knott wrote:
On 09/10/2016 06:57 AM, jdd wrote:
I simply don't promote IPV6 to anybody
Well, you're going to have to change that soon.
I guess I won't see this happen. I have nothing against it per se, but things go forward so slowly :-( and I'm already 70 :-(
IPv6 should have been standard for more than 10 years now :-(
Yes, but some people don't want to promote it :-) -- Per Jessen, Zürich (24.5°C) http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 10/09/2016 at 15:36, Per Jessen wrote:
jdd wrote:
IPv6 should have been standard for more than 10 years now :-(
Yes, but some people don't want to promote it :-)
ISPs have to do it, not users... jdd
jdd wrote:
On 10/09/2016 at 15:36, Per Jessen wrote:
jdd wrote:
IPv6 should have been standard for more than 10 years now :-(
Yes, but some people don't want to promote it :-)
ISPs have to do it, not users...
Yes, you would think so, but in practice the ISPs still have sufficient IPv4 addresses, especially the large ones. The ISPs with visions and ideas have gone IPv6 long ago; the remaining ones (Telefonica for instance) are monolithic laggards that have to be pushed. Every time Swisscom calls up to ask if I'd like to move our ISDN lines to VoIP, I say yes please, but on IPv6. Then they say "ah, thanks, we'll call again later". At some point they'll get the message. -- Per Jessen, Zürich (24.5°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 09/10/2016 09:37 AM, jdd wrote:
On 10/09/2016 at 15:36, Per Jessen wrote:
jdd wrote:
IPv6 should have been standard for more than 10 years now :-(
Yes, but some people don't want to promote it :-)
ISPs have to do it, not users...
Users have to ask and ask their ISP for it. Otherwise, some retarded ISPs will say "well no one's asking for it" and continue to bury their head in the sand, continuing with NAT and all the problems it causes.
On 2016-09-10 at 10:26 -0400, James Knott wrote:
ISPs have to do it, not users...
Users have to ask and ask their ISP for it. Otherwise, some retarded ISPs will say "well no one's asking for it" and continue to bury their head in the sand, continuing with NAT and all the problems it causes.
There is nobody to ask. What, the talking heads at customer service? You gotta be kidding. Yes, tell them anything, it doesn't go forward an iota. -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/10/2016 10:37 AM, Carlos E. R. wrote:
There is nobody to ask. What, the talking heads at customer service? You gotta be kidding. Yes, tell them anything, it doesn't go forward an iota.
Call up the sales people and ask for it. If they get enough interest, it will happen. Talking to first level support tends to be useless, even about technical problems. ;-)
On 09/10/2016 10:55 AM, James Knott wrote:
On 09/10/2016 10:37 AM, Carlos E. R. wrote:
There is nobody to ask. What, the talking heads at customer service? You gotta be kidding. Yes, tell them anything, it doesn't go forward an iota. Call up the sales people and ask for it. If they get enough interest, it will happen. Talking to first level support tends to be useless, even about technical problems. ;-)
As I mentioned earlier, a tunnel is a way to get around a retarded ISP. Here's some info: https://www.google.ca/search?q=ipv6+tunnel+brokers&ie=utf-8&oe=utf-8&gws_rd=cr&ei=miHUV_39A8Tq-AH0hLyICQ
On 2016-09-10 at 11:08 -0400, James Knott wrote:
As I mentioned earlier, a tunnel is a way to get around a retarded ISP. Here's some info: https://www.google.ca/search?q=ipv6+tunnel+brokers&ie=utf-8&oe=utf-8&gws_rd=cr&ei=miHUV_39A8Tq-AH0hLyICQ
But I'm not going to try unless I need to connect to an IPv6 only site. I see no reason to. -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 2016-09-10 at 11:08 -0400, James Knott wrote:
As I mentioned earlier, a tunnel is a way to get around a retarded ISP. Here's some info:
But I'm not going to try unless I need to connect to an IPv6 only site. I see no reason to.
Carlos, I don't know about a "reason", but I will say I've invested a lot of time over the years working around NAT. Let's say 80 hours total over the last decade. I have a general sense because of all the hassles with autossh I've had over the years. I even wrote a blog post about how to do it. My Leap 42.2 machine was stuck behind a NAT router and inaccessible from the world because I hadn't yet set up an autossh reverse tunnel to give me access. (Yes, I could connect to another machine on the same subnet, then daisy chain in.) (My ISP does not allow me to set up port forwarding rules in their edge router. They own it and don't provide a login. This is the 3rd time/site I've been blocked by that ISP policy.) I'm an IPv6 neophyte, but it seems IPv6 is a better investment of my time going forward than learning/configuring NAT workarounds. Greg
On 09/11/2016 09:30 AM, Greg Freemyer wrote:
I'm an IPv6 neophyte, but it seems IPv6 is a better investment of my time going forward than learning/configuring NAT workarounds.
What's really "fun" is trying to set up a VPN between 2 NAT networks that use the same subnet. People forget or choose not to remember that NAT is a hack to get around the address shortage and consider it a security feature. There's nothing wrong with the RFC1918 addresses and there are IPv6 equivalents, but NAT is the problem that breaks so many things. IPv6 even has the unique local addresses which, while not routable over the Internet, are designed to avoid the VPN address clash I mentioned above.
On 2016-09-11 at 09:30 -0400, Greg Freemyer wrote:
On 2016-09-10 at 11:08 -0400, James Knott wrote:
But I'm not going to try unless I need to connect to an IPv6 only site. I see no reason to.
Carlos,
I don't know about a "reason", but I will say I've invested a lot of time over the years working around NAT.
Let's say 80 hours total over the last decade. I have a general sense because of all the hassles with autossh I've had over the years. I even wrote a blog post about how to do it.
I'm aware of the problems NAT causes, but it is not my case. I very rarely need to connect to home, and in that case I can just use port forwarding on the ISP router.
(My ISP does not allow me to setup port forwarding rules in their edge router. They own it and don't provide a login. This is the 3rd time/site I've been blocked by that ISP policy.)
Too bad of them :-( I wonder how gamers manage in your district.
I'm an IPv6 neophyte, but it seems IPv6 is a better investment of my time going forward than learning/configuring NAT workarounds.
But you are telling me to expend time, and perhaps money, setting up an IPv6 tunnel which I do not need. At least not now :-) And then, suppose I run a download of an openSUSE DVD. Suppose it tries to go inside that tunnel, because I get an IPv6 address for that download site. Will it run at the 300 Mbps that my internet connection allows? I doubt it will, for free. Somebody has got to pay for that pipe. -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/11/2016 09:58 AM, Carlos E. R. wrote:
(My ISP does not allow me to setup port forwarding rules in their edge router. They own it and don't provide a login. This is the 3rd time/site I've been blocked by that ISP policy.)
Too bad of them :-(
My cable modem allows me to configure firewall and forwarding. However, it's not very good so I put it in bridge mode and use pfSense, on a computer, as my firewall/router.
On 2016-09-10 at 10:55 -0400, James Knott wrote:
On 09/10/2016 10:37 AM, Carlos E. R. wrote:
There is nobody to ask it to. ¿What, the talkheads at customer service? You gotta be kidding. Yes, tell them anything, it doesn't go forward an iota.
Call up the sales people and ask for it. If they get enough interest, it will happen. Talking to first level support tends to be useless, even about technical problems. ;-)
Unless you are a business, buying a professional connection, they don't even know what it is. Or they say "soon". http://comunidad.movistar.es/t5/Soporte-T%C3%A9cnico-de-Fibra-%C3%93ptica/Co... The official answer there is "we are not providing it". That's a web forum where some professionals from the ISP answer questions, and interestingly, more answers than if you call directly by phone. -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 10/09/2016 at 19:50, Carlos E. R. wrote:
The official answer there is "we are not providing it". That's a web forum where some professionals from the ISP answer questions, and interestingly, more answers than if you call directly by phone.
Same everywhere. The problem is to find the right forum :-) jdd
On 2016-09-10 19:59, jdd wrote:
On 10/09/2016 at 19:50, Carlos E. R. wrote:
The official answer there is "we are not providing it". That's a web forum where some professionals from the ISP answer questions, and interestingly, more answers than if you call directly by phone.
same everywhere. The problem is to find the right forum :-)
That one is the official forum for my ISP, hosted by my ISP, staffed by my ISP. So the official answer about IPv6 is "we are not providing it". That's all. Till one day they change it, and we clients are not going to know when that will be. They like keeping their secrets. -- Cheers / Regards, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/10/2016 01:50 PM, Carlos E. R. wrote:
Unless you are a business, buying a professional connection, they don't even know what it is. Or they say "soon".
If they get enough interest, they will. In the mean time you could make a point of telling them and everyone else how behind the times they are.
http://comunidad.movistar.es/t5/Soporte-T%C3%A9cnico-de-Fibra-%C3%93ptica/Co...
The official answer there is "we are not providing it".
And you should then ask why they're falling behind the rest of the world.
On 2016-09-11 at 00:46 -0400, James Knott wrote:
On 09/10/2016 01:50 PM, Carlos E. R. wrote:
Unless you are a business, buying a professional connection, they don't even know what it is. Or they say "soon".
If they get enough interest, they will. In the mean time you could make a point of telling them and everyone else how behind the times they are.
http://comunidad.movistar.es/t5/Soporte-T%C3%A9cnico-de-Fibra-%C3%93ptica/Co...
The official answer there is "we are not providing it".
And you should then ask why they're falling behind the rest of the world.
In their view, they aren't. Heck, they are removing hardware and manufacturing and labs. They prefer to do business. If they have to install something, they just buy it, and hire the people to do it. Keep as small a number of employees as possible. No plants; sell or rent them as space. It is not directed by engineers, but by businessmen with letters in their titles. Where is the money now? In selling football and pay-per-view services. That doesn't need IPv6 deployment to the customers. They have a big enough IPv4 address pool. I can be happy that there is a web forum where they answer some questions. Those questions that they are allowed to answer, that is. -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/11/2016 10:08 AM, Carlos E. R. wrote:
In their view, they aren't.
Heck, they are removing hardware and manufacturing and labs. They prefer to do business. If they have to install something, they just buy it, and hire the people to do it. Keep as small a number of employees as possible. No plants, sell or rent them as space.
Is there not another ISP you can use?
On 2016-09-11 at 10:54 -0400, James Knott wrote:
On 09/11/2016 10:08 AM, Carlos E. R. wrote:
In their view, they aren't.
Heck, they are removing hardware and manufacturing and labs. They prefer to do business. If they have to install something, they just buy it, and hire the people to do it. Keep as small a number of employees as possible. No plants, sell or rent them as space.
Is there not another ISP you can use?
Yes, but I doubt they are better, and I would lose my email addresses. -- Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" (Minas Tirith))
On 09/10/2016 08:54 AM, James Knott wrote:
Many ISPs and carriers are already moving to IPv6 only. They'll provide IPv4 through large scale NAT or 464XLAT.
I forgot to mention what these are. Large scale or carrier grade NAT means the ISP or carrier is providing only an RFC1918 address to their customers, who in turn will often NAT again. 464XLAT is a method for providing IPv4 on an IPv6 only network, as many carriers are now doing. With 464XLAT, the IPv6 address is passed as is. If the destination is IPv4 only, then the carrier will convert the IPv6 traffic to IPv4 and then send it on. If the device or an app (such as Skype) on that device is IPv4 only, then local NAT is used, the IPv4 packet is then carried in a 4in6 tunnel to the carrier, where they then NAT again to reach the IPv4 internet. In either case, since the carrier is using NAT, it's impossible to set up port forwarding etc., as discussed in another thread, to reach computers on the local network. Bottom line, start using IPv6. Incidentally, some things, such as Microsoft's "Home Group" networking, are IPv6 only. So, if you have a Windows system and disable IPv6, you will break that.
On 09/10/2016 03:58 AM, jdd wrote:
Some countries are way behind, but unless you live in one of those, it's not fair to say "using IPV6 is not an option, not really in the wild".
with 22% for the USA, do you think it's possible to use freely IPV6 and drop IPV4??
Perhaps some countries need a bit of a push to get going. I live in Canada and it seems to be behind many others in IPv6 deployment. I had to use a tunnel for 6 years, until my ISP started providing it, a few months ago. I try to encourage it and talk it up frequently. I work in the telecommunications industry and am finally seeing it appearing. Also, to give it a bit of a push, I recently sent an email to my member of Parliament, who's also the "Minister of Innovation, Science, and Economic Development of Canada".
Hello James, on 09-09-16 at 19:50 you wrote:
On 09/08/2016 01:57 PM, jdd wrote:
of course you have to keep track in what machine you are, else you can make dramatic errors :-)
rm -rf / ;-)
One gets a kind warning first. Harrie -- Harrie Baken | Tekstbureau TekstBaken Copy-editing - proofreading (Dutch) www.tekstbaken.nl Registered Linux user #366560 | openSUSE 13.2
On 09/08/2016 07:38 AM, gumb wrote:
I'm very new to SSH so I have a few questions that will be obvious to many of you. I've been following through the guide at https://en.opensuse.org/SDB:Configure_openSSH which is rather outdated but the basics are still relevant.
So until now I've succeeded in connecting between machines on the same network, browsing and copying files remotely, launching YaST in ncurses mode to do remote updates, etc. All fine.
I now want to connect to a machine on another network (in another country). I realize that I've probably fallen at the first hurdle, since although I configured some basics on that remote machine, I never added a line to hosts.allow with the address of my computer here at home, and hosts.deny is set to refuse ALL other connections. Presumably, since I therefore currently have no access at all, I'll have to speak to the user of that remote machine and have them log in as root and add the relevant line to the hosts.allow file?
Related to that, whilst the remote user's IP address is dynamic and their ISP charges a fee to switch to static, would I get around that by associating their domain name to their connection with reverse DNS? And if so, what are the implications of doing so? Could that result in increased snoops/attacks or wider broadcast of their domain?
And then how do I specify which machine at their end, behind their router, my SSH command goes to? Until now I've only been specifying local addresses, e.g. 192.168.0.10. Is this even how it works? I cannot find anything relating to that in any other SSH articles or guides I've googled for, which makes me think the concept is different. Is the machine effectively specified by the port number I assign, meaning I should assign different port numbers for every device? I'd have thought that was one of the fundamental things anybody wants to do with SSH yet none of the many SSH pages I've pulled up explains anything about this.
Cheers.
In that wiki, "If there are *fixed locations* from where you would want to log in to your SSHD, you can set up a per-host access control." It doesn't sound like you need to be playing with per-host access control at all, as what you need to do is port forward an SSH port to the SSHD box in the router. The SSHD port can remain at port 22, but in your router you can set a higher port, something like 70022, which hooks up to the destination port 22. The nice thing about doing it that way is that you can keep the program defaults for whatever the default port number is set at without changing a config file, yet set a specific high port number in the router which can be changed on the fly at any time (I know DD-WRT supports this, and many consumer routers do, but maybe not all). Once those packets are passing through the router and going to the correct destination port, it should work without any hangups. It is not recommended to actually open port 22 in your router and have SSHD running on port 22, as you will start to get port scanned all the time, with hackers trying to crack the box in order to exploit it.
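The opening question quoted above asks about hosts.allow and hosts.deny, and the reply says that for this problem per-host access control is not the tool. Since the remote box in the question already has hosts.deny set to refuse everything, here is what an sshd built with libwrap (TCP wrappers) will actually decide, as an added example that is neither part of the thread nor code from tcp_wrappers or the openSUSE wiki. It checks hosts.allow first, hosts.deny second, first match wins, and a connection matching neither file is allowed. The file contents, the home address 198.51.100.23 and the .home.example.net suffix are constructed; a hostname pattern can only match a name the connecting address reverse-resolves to (and that resolves forward to the same address), which is why the caller supplies that verified name, or None.

```python
"""What libwrap (TCP wrappers) decides from hosts.allow and hosts.deny.

Added example for this thread; it is not from the thread, the openSUSE wiki
or the tcp_wrappers source. An sshd built with libwrap checks
/etc/hosts.allow first, then /etc/hosts.deny; the first matching line
decides and a client matching neither file is allowed. Hostname patterns
are only compared against a name that the client address reverse-resolves
to (and that resolves forward to the same address), so the caller passes
that verified name, or None when there is none. File contents, addresses
and the domain suffix are constructed.
"""
import ipaddress

# Constructed: what the remote box in the thread might carry. The home
# address 198.51.100.23 and the .home.example.net suffix are assumptions.
HOSTS_ALLOW = """
# daemon list : client list
sshd : 192.168.0.
sshd : 198.51.100.23
sshd : .home.example.net
"""
HOSTS_DENY = """
ALL : ALL
"""


def parse_access_file(text):
    """[(daemon_tokens, client_tokens), ...]; a third ':' field (shell command) is ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        rules.append((fields[0].split(), fields[1].split()))
    return rules


def client_matches(pattern, addr, name):
    """One client pattern against a connecting address and its verified name."""
    if pattern == "ALL":
        return True
    if pattern == "KNOWN":
        return name is not None
    if pattern == "UNKNOWN":
        return name is None
    if pattern.startswith("."):                  # domain suffix: .home.example.net
        return name is not None and name.lower().endswith(pattern.lower())
    if pattern.endswith("."):                    # network prefix: 192.168.0.
        return str(addr).startswith(pattern)
    if "/" in pattern:                           # n.n.n.n/m.m.m.m or CIDR
        return addr in ipaddress.ip_network(pattern, strict=False)
    if pattern == str(addr):                     # exact address
        return True
    return name is not None and pattern.lower() == name.lower()


def list_matches(tokens, match):
    """'a b EXCEPT c d' matches when a or b matches and neither c nor d does."""
    if "EXCEPT" in tokens:
        cut = tokens.index("EXCEPT")
        return list_matches(tokens[:cut], match) and not list_matches(tokens[cut + 1:], match)
    return any(match(tok) for tok in tokens)


def access_decision(daemon, client_addr, client_name=None,
                    allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """'allow' or 'deny' for one connection, following libwrap's file order."""
    addr = ipaddress.ip_address(client_addr)
    for text, verdict in ((allow_text, "allow"), (deny_text, "deny")):
        for daemons, clients in parse_access_file(text):
            if (list_matches(daemons, lambda p: p == "ALL" or p == daemon)
                    and list_matches(clients, lambda p: client_matches(p, addr, client_name))):
                return verdict
    return "allow"                               # matched nothing: access granted


if __name__ == "__main__":
    print(access_decision("sshd", "192.168.0.10"))                          # LAN: allow
    print(access_decision("sshd", "203.0.113.99"))                          # stranger: deny
    print(access_decision("sshd", "203.0.113.99", "cpe-99.isp.example"))    # ISP reverse name: deny
```

The address that has to appear in the remote box's hosts.allow is the connecting side's public address (the home connection in the question), not the remote side's own dynamic-DNS name, and a hostname pattern only helps when that home address has a stable reverse DNS record that points back at it. The `tcpdmatch sshd <address>` tool shipped with tcp_wrappers reports the verdict the real library would reach for a given client.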
On 08/09/16 16:56, sdm wrote:
In that wiki, "If there are *fixed locations* from where you would want to log in to your SSHD, you can set up an per-host access control."
It doesn't sound like you need to be playing with per-host access control that at all, as what you need to do is port forward an SSH port to the SSHD box in the router. The SSHD port can remain at port 22, but in your router you can set a higher port, something like 70022 which hooks up to the destination port 22. The nice thing about doing it that way is that you can keep the program defaults for whatever the default port number is set at without changing a config file, yet set a specific high port number in the router which can be changed on the fly at any time (I know DD-WRT supports this and many consumer routers, but maybe not all).
Once those packets are passing through the router and going to the correct destination port, it should work without any hangups. It is not recommended to actually open port 22 in your router and have SSHD 22 running on port 22 as you will start to get port scanned all the time, with hackers trying to crack the box in order to exploit it.
See my reply to jdd. Unfortunately this is a lightweight router provided by the ISP. The model is a Thomson 2704n (apparently it is also known as a Sagemcom 2704N). It was a few weeks ago I had a first look at its configuration options, which aren't very extensive. I don't know if it's even possible to change the router's default SSHD port. It only provides the possibility to select a service such as SSH that I want to allow, then select the (only?) device on the network to which that service is forwarded, along with the port number, which I assumed to mean only the port number on the destination device. I have already configured a non-default port number on the sender and receiver devices. This has just prompted me to search online for a manual for this router, and I see there are some guides on the ISP user forums. Will have to do some further reading (there's rather a lot).
On 09/08/2016 12:05 PM, gumb wrote:
See my reply to jdd. Unfortunately this is a lightweight router provided by the ISP. The model is a Thomson 2704n (apparently it is also known as a Sagemcom 2704N).
You mean this http://setuprouter.com/router/sagemcom/2704n-plusnet/port-forwarding-76546-l... It is, it seems, a very basic NAT'ing router. As I say, low cost for ISPs to provide to basic users. You might want to follow the link and read this http://setuprouter.com/what-is-port-forwarding/
It was a few weeks ago I had a first look at its configuration options, which aren't very extensive. I don't know if it's even possible to change the router's default SSHD port.
You don't need to. You can define any port on the Big-I internet facing side to forward to any static address and port on the inside. As Greg says, you can set up some ports:
port 2222 => IP1:22
port 2223 => IP2:22
port 2224 => IP3:22
etc.
Then on the client side you just specify the alternate port used on the router (2222, 2223, 2224, ....)
It only provides the possibility to select a service such as SSH that I want to allow, then select the (only?) device on the network to which that service is forwarded, along with the port number, which I assumed to mean only the port number on the destination device.
See above. It seems you've just done port 22 => IP1:2222
I have already configured a non-default port number on the sender and receiver devices.
Having the SSH internal devices behind a firewall listening on non standard ports affects local communication. Yes there are ways round that, but let's KISS. I recommend leaving the SSHD of all internal hosts listening on port 22. It's less confusing that way; simplifies maintenance. Do the pokery that Greg suggests.
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
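The scheme Anton and Greg describe (one router port per internal machine, each forwarded to that machine's port 22) has a client-side half: picking the right port for each machine. The following is an added shell example, not code from anyone in this thread, that turns such a port list into ~/.ssh/config stanzas and refuses ports outside the TCP range of 1 to 65535 (a router field will not accept anything higher). The gateway name gw.example.net, the aliases and the port numbers are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: generate ~/.ssh/config stanzas for
# several machines that share one public gateway name and are told apart by
# the router's forwarded port (router 2222 -> IP1:22, 2223 -> IP2:22, ...).
# gw.example.net, the aliases and the port numbers are constructed placeholders.

# valid_port N -> 0 if N is an integer in the TCP port range 1..65535
valid_port() {
    case $1 in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# gen_ssh_config GATEWAY alias:port [alias:port ...] -> ssh_config text on stdout
# Returns 1 and stops as soon as a port is out of range.
gen_ssh_config() {
    gateway=$1
    shift
    for entry in "$@"; do
        alias=${entry%%:*}
        port=${entry#*:}
        if ! valid_port "$port"; then
            echo "gen_ssh_config: invalid port '$port' for $alias" >&2
            return 1
        fi
        printf 'Host %s\n' "$alias"
        printf '    HostName %s\n' "$gateway"
        printf '    Port %s\n' "$port"
        # Tie the saved host key to the alias rather than to "[gateway]:port",
        # so the known_hosts entry survives a later port reshuffle on the
        # router, and a mix-up between machines still shows up as a key mismatch.
        printf '    HostKeyAlias %s\n' "$alias"
        printf '    StrictHostKeyChecking yes\n'
        printf '\n'
    done
}

# count_stanzas GATEWAY alias:port ... -> number of Host stanzas generated
count_stanzas() {
    gen_ssh_config "$@" | grep -c '^Host '
}

# Usage: append the stanzas once, then "ssh office-pc" replaces
# "ssh -p 2222 gw.example.net":
#   gen_ssh_config gw.example.net office-pc:2222 laptop:2223 >> ~/.ssh/config
```

HostKeyAlias is what makes the per-port scheme safe to reshuffle: each internal machine has its own host key, and the alias keeps that key pinned to the machine you meant, whatever port the router currently maps it to.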
gumb wrote:
I'm very new to SSH so I have a few questions that will be obvious to many of you. I've been following through the guide at https://en.opensuse.org/SDB:Configure_openSSH which is rather outdated but the basics are still relevant.
So until now I've succeeded in connecting between machines on the same network, browsing and copying files remotely, launching YaST in ncurses mode to do remote updates, etc. All fine.
Sounds good.
I now want to connect to a machine on another network (in another country).
It is no different than connecting to one on your local network.
I realize that I've probably fallen at the first hurdle, since although I configured some basics on that remote machine, I never added a line to hosts.allow with the address of my computer here at home, and hosts.deny is set to refuse ALL other connections.
Using tcpwrappers is pretty old-fashioned, I would say. There's no need.
Presumably, since I therefore currently have no access at all, I'll have to speak to the user of that remote machine and have them log in as root and add the relevant line to the hosts.allow file?
The remote machine needs to be open for connections on port 22 (the default for ssh). The rest should not matter.
Related to that, whilst the remote user's IP address is dynamic and their ISP charges a fee to switch to static, would I get around that by associating their domain name to their connection with reverse DNS?
You can get around that by using a dynamic DNS which updates a record whenever your IP changes. See e.g. http://www.dns24.ch/
And then how do I specify which machine at their end, behind their router, my SSH command goes to? Until now I've only been specifying local addresses, e.g. 192.168.0.10.
Ah, the remote machine is behind a NAT'ing router? Then you need port forwarding on the router to forward port 22 to the machine you want to talk to.
Is this even how it works? I cannot find anything relating to that in any other SSH articles or guides I've googled for, which makes me think the concept is different.
It isn't really SSH related, it's the same issue for any service you want to access behind a NAT'ing router.
Is the machine effectively specified by the port number I assign, meaning I should assign different port numbers for every device?
Yup. In fact, if you want to access multiple machines over SSH, you will need multiple port numbers.
--
Per Jessen, Zürich (26.2°C)
http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 08/09/16 16:57, Per Jessen wrote:
gumb wrote:
Presumably, since I therefore currently have no access at all, I'll have to speak to the user of that remote machine and have them log in as root and add the relevant line to the hosts.allow file?
The remote machine needs to be open for connections on port 22 (the default for ssh). The rest should not matter.
See also my replies to jdd and others. I've thus far configured everything for a non-default port number.
Related to that, whilst the remote user's IP address is dynamic and their ISP charges a fee to switch to static, would I get around that by associating their domain name to their connection with reverse DNS?
You can get around that by using a dynamic DNS which updates a record whenever your IP changes. See e.g. http://www.dns24.ch/
I know there are services, scripts and whatnot for working around dynamic DNS, which I haven't looked into much yet, but I just wondered specifically about linking a domain. The domain already exists and is used only for that user's email, but it could serve another purpose.
And then how do I specify which machine at their end, behind their router, my SSH command goes to? Until now I've only been specifying local addresses, e.g. 192.168.0.10.
Ah, the remote machine is behind a NAT'ing router? Then you need port forwarding on the router to forward port 22 to the machine you want to talk to.
Is this even how it works? I cannot find anything relating to that in any other SSH articles or guides I've googled for, which makes me think the concept is different.
It isn't really SSH related, it's the same issue for any service you want to access behind a NAT'ing router.
Is the machine effectively specified by the port number I assign, meaning I should assign different port numbers for every device?
Yup. In fact, you want to access multiple machines over SSH, you will need multiple port numbers.
Okay, that part seems clear now. There's still some other things I'll need to clear up. This thread is growing more quickly than I can type replies...
gumb wrote:
You can get around that by using a dynamic DNS which updates a record whenever your IP changes. See. e.g. http://www.dns24.ch/
I know there are services, scripts and whatnot for working around dynamic DNS, which I haven't looked into much yet, but I just wondered specifically about linking a domain. The domain already exists and is used only for that user's email, but it could serve another purpose.
Yes - you could delegate your domain (example.com) to a dynamic DNS service and then create a record for "gumbssh.example.com". From the machine behind the NAT router, you would then update the DNS via their update script, typically over http. (just a script running curl or wget).
--
Per Jessen, Zürich (26.6°C)
http://www.hostsuisse.com/ - dedicated server rental in Switzerland.
On 08/09/16 18:29, Per Jessen wrote:
Yes - you could delegate your domain (example.com) to a dynamic DNS service and then create a record for "gumbssh.example.com". From the machine behind the NAT router, you would then update the DNS via their update script, typically over http. (just a script running curl or wget).
Ah, that's not really what I had in mind then. I have no idea how these things work, but I just saw that my own French ISP, free.fr, provides a reverse DNS configuration option so as to be able to use <domain name> as a shortcut to having to type in potentially variable numeric addresses in order to reach a machine on my own network. I thought that having the remote user's domain tied to their connection might similarly mean I could just SSH into their.domain.name and avoid any form of checking or updating for changes in their dynamic IP address. If it still requires a script, it's just as easy for me to ask the user to send me an email from their POP account each time I want to connect (or each time it fails to connect), and I can pick out the current IP address from there. Since they email me regularly anyway it's not worth getting into the hairies of scripts just for that.
gumb wrote:
On 08/09/16 18:29, Per Jessen wrote:
Yes - you could delegate your domain (example.com) to a dynamic DNS service and then create a record for "gumbssh.example.com". From the machine behind the NAT router, you would then update the DNS via their update script, typically over http. (just a script running curl or wget).
Ah, that's not really what I had in mind then. I have no idea how these things work, but I just saw that my own French ISP, free.fr, provides a reverse DNS configuration option so as to be able to use <domain name> as a shortcut to having to type in potentially variable numeric addresses in order to reach a machine on my own network.
The reverse map is not just a shortcut, it is needed for many things - mailservers and https for instance.
I thought that having the remote user's domain tied to their connection might similarly mean I could just SSH into their.domain.name and avoid any form of checking or updating for changes in their dynamic IP address.
With a dynamic address you can't avoid that. The DNS mappings don't change, i.e.:
1.2.3.4 -> 4.3.2.1.free.fr
4.3.2.1.free.fr -> 1.2.3.4
1.2.3.5 -> 5.3.2.1.free.fr
5.3.2.1.free.fr -> 1.2.3.5
But your mapping of "their.domain.name" to 1.2.3.4 or 1.2.3.5 will need to change when the IP address changes.
If it still requires a script, it's just as easy for me to ask the user to send me an email from their POP account each time I want to connect (or each time it fails to connect), and I can pick out the current IP address from there. Since they email me regularly anyway it's not worth getting into the hairies of scripts just for that.
If that works for you, that's good enough. FYI, the script is a one-liner - simply a "wget <url>". It's not a big deal or hairy in any way :-)
--
Per Jessen, Zürich (16.7°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
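Per's "wget <url>" one-liner, and his earlier note that the machine behind the NAT router updates the record itself, are the whole mechanism. The block below is an added shell example, not Per's script and not any provider's official client, that wraps that one-liner so it only fires when the public address has actually changed (providers commonly throttle or block clients that re-submit the same address), refuses to publish anything that is not an IPv4 address, and reads the update credential from the environment rather than the command line. The update URL, the IP lookup URL, the Bearer-token header and the DDNS_TOKEN variable are constructed placeholders; substitute the interface your dynamic DNS provider documents.

```shell
#!/bin/sh
# Added example, not Per Jessen's one-liner nor any provider's client:
# "wget <url>" wrapped so that it runs only on an address change, remembers what
# was last published, validates the address, and keeps the credential out of
# `ps` output and shell history. All URLs and the token header are placeholders.

STATE_FILE=${STATE_FILE:-"$HOME/.ddns-last-ip"}
IP_LOOKUP_URL=${IP_LOOKUP_URL:-"https://myip.example.net/"}                             # placeholder
UPDATE_URL=${UPDATE_URL:-"https://ddns.example.net/update?host=gumbssh.example.com"}  # placeholder

# is_ipv4 ADDR -> 0 if ADDR is a dotted quad with every octet in 0..255
is_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    for octet in $(printf '%s' "$1" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# needs_update CURRENT_IP STATE_FILE
#   returns 0 -> address is new or changed, publish it
#           1 -> same address as last time, nothing to do
#           2 -> CURRENT_IP is not a valid IPv4 address, do not publish
needs_update() {
    is_ipv4 "$1" || return 2
    [ -f "$2" ] || return 0
    [ "$(cat "$2")" != "$1" ]
}

# record_ip IP STATE_FILE -> remember the address that was just published
record_ip() {
    printf '%s\n' "$1" > "$2"
}

# push_update IP -> the actual HTTP update call (the one-liner from the thread).
# DDNS_TOKEN is taken from the environment, never passed as an argument.
push_update() {
    [ -n "$DDNS_TOKEN" ] || { echo "DDNS_TOKEN is not set" >&2; return 1; }
    wget -q -O - --header="Authorization: Bearer $DDNS_TOKEN" "${UPDATE_URL}&ip=$1"
}

# run_ddns -> meant for cron on the machine behind the NAT router:
# look up the public address, publish only if it differs from last time.
run_ddns() {
    current=$(wget -q -O - "$IP_LOOKUP_URL")
    needs_update "$current" "$STATE_FILE"; rc=$?
    case $rc in
        0) push_update "$current" && record_ip "$current" "$STATE_FILE" ;;
        1) : ;;   # unchanged, stay quiet
        2) echo "lookup returned '$current', not an IPv4 address; skipping" >&2
           return 1 ;;
    esac
}

# Usage (e.g. every 10 minutes from cron):
#   DDNS_TOKEN=... ./ddns.sh   with run_ddns as the script's last line
```

The state file is the part that turns a blind one-liner into something you can leave running: it gives you a record of what was last published, and it means a lookup service returning an error page instead of an address is rejected rather than pushed into DNS.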
gumb wrote:
these things work, but I just saw that my own French ISP, free.fr,
for gump :-) I didn't notice your ISP was Free.fr. It's also mine and you can change your reverse *only once*. But there you can change forwarding at will through the web
jdd
On 09/09/16 09:01, jdd wrote:
I didn't notice your ISP was Free.fr. It's also mine and you can change your reverse *only once*. But there you can change forwarding at will through the web
jdd
Not sure where in this mighty thread to post a response. Just to say thanks everyone for the input. I haven't ignored you all. Shortly after getting into this I had my weekend 'stolen' away from me by something else that's come up, and I suspect it will occupy me for many more days yet to come, so I haven't been able to press on with it as hoped. I will first attempt to SSH with IPv4, but I am nonetheless very interested now to have a go at a later date with IPv6. I'm only ever likely to be using SSH for two or three machines so I ought to be able to control it easily enough if for a basic user it's little more than a case (as has been proposed by another poster in this thread) of dealing with longer addresses. Would the section in that outdated openSUSE guide at https://en.opensuse.org/SDB:Configure_openSSH dealing with Public Key Authentication, require modifying to work with IPv6? Is the syntax for key generation and uploading the key any different? Or is the key itself different?
gumb
gumb wrote:
Would the section in that outdated openSUSE guide at https://en.opensuse.org/SDB:Configure_openSSH dealing with Public Key Authentication, require modifying to work with IPv6? Is the syntax for key generation and uploading the key any different? Or is the key itself different?
No, your public key ssh setup is not dependent on whether you use IPv4, IPv6 or AX25 or some such.
--
Per Jessen, Zürich (21.3°C)
http://www.hostsuisse.com/ - virtual servers, made in Switzerland.
On September 8, 2016 7:38:50 AM PDT, gumb <gumb@linuxmail.org> wrote:
I'm very new to SSH so I have a few questions that will be obvious to many of you. I've been following through the guide at https://en.opensuse.org/SDB:Configure_openSSH which is rather outdated but the basics are still relevant.
So until now I've succeeded in connecting between machines on the same network, browsing and copying files remotely, launching YaST in ncurses
mode to do remote updates, etc. All fine.
I now want to connect to a machine on another network (in another country). I realize that I've probably fallen at the first hurdle, since although I configured some basics on that remote machine, I never added
a line to hosts.allow with the address of my computer here at home, and
hosts.deny is set to refuse ALL other connections. Presumably, since I therefore currently have no access at all, I'll have to speak to the user of that remote machine and have them log in as root and add the relevant line to the hosts.allow file?
Related to that, whilst the remote user's IP address is dynamic and their ISP charges a fee to switch to static, would I get around that by
associating their domain name to their connection with reverse DNS? And
if so, what are the implications of doing so? Could that result in increased snoops/attacks or wider broadcast of their domain?
And then how do I specify which machine at their end, behind their router, my SSH command goes to? Until now I've only been specifying local addresses, e.g. 192.168.0.10. Is this even how it works? I cannot
find anything relating to that in any other SSH articles or guides I've
googled for, which makes me think the concept is different. Is the machine effectively specified by the port number I assign, meaning I should assign different port numbers for every device? I'd have thought
that was one of the fundamental things anybody wants to do with SSH yet
none of the many SSH pages I've pulled up explains anything about this.
Cheers.
Gumb:
Slow down. Take deep breaths.
Forget hosts allow.
Find better guide articles.
--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
On 08/09/16 18:06, John Andersen wrote:
Gumb:
Slow down. Take deep breaths.
Forget hosts allow.
Find better guide articles.
I first started looking into this nine months ago. If I slow down any more somebody at the sender or receiver end will have expired!
On 09/08/2016 12:06 PM, John Andersen wrote:
Forget hosts allow.
The path is from your machine, out via your firewall and out, across the Big-I internet, to the remote location; in through their router, past their firewall to their host machine's SSH server. hosts.allow is about the old tcp_wrappers functionality, which has been outdated. You really don't want to make use of that at all, and it certainly has nothing relevant to the datapath of remote SSH access. The SSH Trusted Host mechanism is quite separate.
Find better guide articles.
Yes. Try the O'Reilly book for a start.
--
A: Yes.
> Q: Are you sure?
>> A: Because it reverses the logical flow of conversation.
>>> Q: Why is top posting frowned upon?
participants (13)
- Anton Aylward
- Carlos E. R.
- Greg Freemyer
- gumb
- Harrie Baken
- James Knott
- jdd
- John Andersen
- Koenraad Lelong
- Patrick Shanahan
- Per Jessen
- Ruediger Meier
- sdm