[opensuse] ssh through a firewall
Hi all,
The subject sounds innocent enough. I am trying to ssh from an openSUSE 10.0 system in to an openSUSE 11.2 system. There is a firewall at the 11.2 end. It is not the firewall on the 11.2 itself. That is fully disabled. It is some other device. I told them to open port 22 (tcp and udp). But I still cannot log in. I get the initial ssh questions about the host, and then the password prompt. However, my password is not accepted. If I ask them to open all ports at their end, I can log in just fine. I am, once again, confused. Any ideas? They do not want to keep the firewall for this machine open too long.
--
Roger Oberholtzer
On 07/31/2014 09:13 AM, Roger Oberholtzer wrote:
I get the initial ssh questions about the host, and then the password prompt. However, my password is not accepted.
Did you compare the fingerprint? I.e., are you sure you got thru to your final host?
Have a nice day,
Berny
On 07/31/2014 02:13 AM, Roger Oberholtzer wrote:
Hi all,
The subject sounds innocent enough. I am trying to ssh from an openSUSE 10.0 system in to an openSUSE 11.2 system. There is a firewall at the 11.2 end. It is not the firewall on the 11.2 itself. That is fully disabled. It is some other device. I told them to open port 22 (tcp and udp). But I still cannot log in. I get the initial ssh questions about the host, and then the password prompt. However, my password is not accepted. If I ask them to open all ports at their end, I can log in just fine. I am, once again, confused. Any ideas? They do not want to keep the firewall for this machine open too long.
Roger,
Take a look in your /etc/ssh/sshd_config and make sure you have the UsePAM, ChallengeResponseAuthentication, and PasswordAuthentication settings as you want them. Also, make sure there is no problem with AllowGroups settings that are preventing you from connecting. I recall there were changes to the defaults in that time frame, but cannot recall for the life of me what they were. There is also a StrictModes setting that can cause problems if set and the criteria are not met, but you generally get an error pointing to that being the reason.
You can also attempt the connection with 'ssh -vv hostname' to enable verbose connection information on your connect attempt. Something will turn up.
--
David C. Rankin, J.D.,P.E.
On 7/31/2014 12:49 AM, David C. Rankin wrote:
On 07/31/2014 02:13 AM, Roger Oberholtzer wrote:
Hi all,
The subject sounds innocent enough. I am trying to ssh from an openSUSE 10.0 system in to an openSUSE 11.2 system. There is a firewall at the 11.2 end. It is not the firewall on the 11.2 itself. That is fully disabled. It is some other device. I told them to open port 22 (tcp and udp). But I still cannot log in. I get the initial ssh questions about the host, and then the password prompt. However, my password is not accepted. If I ask them to open all ports at their end, I can log in just fine. I am, once again, confused. Any ideas? They do not want to keep the firewall for this machine open too long.
Roger,
Take a look in your /etc/ssh/sshd_config and make sure you have the UsePAM, ChallengeResponseAuthentication, and PasswordAuthentication settings as you want them. Also, make sure there is no problem with AllowGroups settings that are preventing you from connecting. I recall there were changes to the defaults in that time frame, but cannot recall for the life of me what they were. There is also a StrictModes setting that can cause problems if set and the criteria are not met, but you generally get an error pointing to that being the reason.
You can also attempt the connection with 'ssh -vv hostname' to enable verbose connection information on your connect attempt. Something will turn up.
Actually, I think David means to look at the sshd_config on the 11.2 end.
And also make sure you are trying to log in as a user and not root. Most ssh servers are set up to not allow root to log in, even back in 11.2 days.
--
_____________________________________
---This space for rent---
On 08/01/2014 03:15 AM, John Andersen wrote:
Actually, I think David means to look at the sshd_config on the 11.2 end.
And also make sure you are trying to log in as a user and not root. Most ssh servers are set up to not allow root to log in, even back in 11.2 days.
Yes, whatever box you are trying to connect *to* (the server that is running sshd), check the /etc/ssh/sshd_config there. Also, if you have UseStrict enabled on the *client*, then if there is any mismatch in your ~/.ssh/known_hosts file and the *server* ~/.ssh/authorized_keys file, you should get an error on connection fail. (offending key #, blah blah in known_hosts)
--
David C. Rankin, J.D.,P.E.
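The server-side checks suggested in the messages above (the password-related directives, AllowGroups and root login), as an added example that is not part of the original thread. The function names `sshd_directive` and `login_blockers` and the sample configuration are constructed for illustration; the script only reads explicit global settings and reports unset ones as `(default)`.

```shell
#!/bin/sh
# Assumptions (not from the thread): keywords are matched case-insensitively,
# the first occurrence wins, and the global section ends at the first Match.
# sshd_directive FILE KEYWORD -> explicit global value, or "(default)" if unset
sshd_directive() {
    awk -v want="$2" '
        BEGIN { want = tolower(want); val = "(default)" }
        { sub(/#.*/, "") }                    # drop comments
        NF == 0 { next }                      # skip blank lines
        tolower($1) == "match" { exit }       # per-user/host overrides follow
        tolower($1) == want { $1 = ""; sub(/^[ \t]+/, ""); val = $0; exit }
        END { print val }
    ' "$1"
}

# login_blockers FILE USER GROUP... -> one line per explicit setting that would
# refuse a password login for USER (a member of the listed GROUPs).
# AllowGroups entries are compared literally; sshd also accepts patterns.
login_blockers() {
    cfg=$1; user=$2; shift 2
    if [ "$(sshd_directive "$cfg" PasswordAuthentication)" = no ]; then
        echo "PasswordAuthentication no"
    fi
    prl=$(sshd_directive "$cfg" PermitRootLogin)
    if [ "$user" = root ] && [ "$prl" != yes ] && [ "$prl" != "(default)" ]; then
        echo "PermitRootLogin $prl"
    fi
    allowed=$(sshd_directive "$cfg" AllowGroups)
    if [ "$allowed" != "(default)" ]; then
        hit=no
        for g in "$@"; do
            case " $allowed " in *" $g "*) hit=yes ;; esac
        done
        if [ "$hit" = no ]; then echo "AllowGroups $allowed"; fi
    fi
    return 0
}

# Constructed sample configuration (not taken from the thread)
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed example
usepam yes
PasswordAuthentication no
PermitRootLogin without-password
AllowGroups wheel sshusers
Match User backup
    PasswordAuthentication yes
EOF
login_blockers "$sample" roger users
```

On the server itself, `sshd -T` prints the effective configuration with defaults filled in, which covers the settings this script reports as `(default)`.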
On 7/31/2014 12:13 AM, Roger Oberholtzer wrote:
If I ask them to open all ports at their end, I can log in just fine. I am, once again, confused. Any ideas? They do not want to keep the firewall for this machine open too long.
This firewall... I presume it does in fact send port 22 to the 11.2 Linux box? (That is, when they open up all ports you do indeed access the correct machine?) Does it also do any form of egress filtering?
As far as I know, all parts of ssh traverse port 22 only. Once you get a connection, all traffic should flow over port 22 (it's encrypted upon connection, even before your password is transmitted).
Have them turn off the firewall so you can check for these lines in the /etc/ssh/sshd_config of the 11.2 box:
    X11Forwarding yes
    X11DisplayOffset 10
    X11UseLocalhost yes
Without that, it might try to put X out over the wire rather than in the ssh tunnel, and if the firewall box was egress filtering against that, that might cause the behavior you see.
Also, old sshd_configs used to have
    AddressFamily any
set explicitly or as the default. But later versions need to have
    AddressFamily inet
and if you don't have that, ssh sessions try to wander off into IPv6 land. Maybe that is what the firewall is complaining about.
Also type (again, after connecting with the firewall disabled)
    set
and see if you see
    DISPLAY=localhost:10.0
Then type:
    netstat -anp
Then look in the Active Internet connections (servers and established) list for any connections between the 11.2 box and the 10.0 box (by comparing IPs and ports). You should typically have only ONE such connection, something like this:
Proto Recv-Q Send-Q Local Address    Foreign Address      State        PID/Program name
tcp        0     68 192.168.2.1:22   192.168.2.213:59742  ESTABLISHED  14086/sshd: jsa
(192.168.2.1 would be replaced by the IP of your 11.2 box.) Any more than one connection between your machine and the 11.2 machine might be what the firewall is blocking. (It's unusual for firewalls to block outbound ports, but some places set up egress filtering to prevent clever users from end-running their security.)
--
_____________________________________
---This space for rent---
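The netstat comparison described in the message above, as an added example that is not part of the original thread. The function names `peer_conns` and `extra_conns` are hypothetical, and every sample line except the sshd one quoted in the message is constructed.

```shell
#!/bin/sh
# peer_conns FILE SERVER_IP CLIENT_IP
# Prints "local_port foreign_port program" for every ESTABLISHED TCP connection
# between the two hosts found in saved `netstat -anp` output (IPv4 addr:port).
peer_conns() {
    awk -v srv="$2" -v cli="$3" '
        function host(a) { sub(/:[^:]*$/, "", a); return a }
        function port(a) { sub(/^.*:/, "", a); return a }
        $1 ~ /^tcp/ && $6 == "ESTABLISHED" && host($4) == srv && host($5) == cli {
            prog = $7
            for (i = 8; i <= NF; i++) prog = prog " " $i   # "sshd: jsa" has a space
            print port($4), port($5), prog
        }
    ' "$1"
}

# extra_conns FILE SERVER_IP CLIENT_IP
# Counts the connections between the hosts that do not use local port 22,
# i.e. traffic that an inbound rule for port 22 alone would not cover.
extra_conns() {
    peer_conns "$1" "$2" "$3" | awk '$1 != 22 { n++ } END { print n + 0 }'
}

# Sample output: the sshd line is the one from the message; the listener, the
# second client and the X11 connection on port 6000 are constructed.
out=$(mktemp)
cat > "$out" <<'EOF'
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 1200/sshd
tcp 0 68 192.168.2.1:22 192.168.2.213:59742 ESTABLISHED 14086/sshd: jsa
tcp 0 0 192.168.2.1:22 192.168.2.77:40112 ESTABLISHED 14090/sshd: bob
tcp 0 0 192.168.2.1:45012 192.168.2.213:6000 ESTABLISHED 14101/xterm
EOF
peer_conns "$out" 192.168.2.1 192.168.2.213
echo "connections outside port 22: $(extra_conns "$out" 192.168.2.1 192.168.2.213)"
```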
participants (4)
- Bernhard Voelker
- David C. Rankin
- John Andersen
- Roger Oberholtzer