08-21-2011, 04:46 AM
Ivan Shmakov

SSH server

>>>>> Bob Proulx <bob@proulx.com> writes:
>>>>> RiverWind wrote:

>> I used to be able to "ssh" from my shellworld account into my Linux
>> box before I got the latest version of the squeeze disk. I am not
>> able to do so now. Exactly what needs to be set up or in place in
>> order for me to once again be able to access my Linux box via "ssh"
>> or "telnet" from another site?

[…]

> 2. Ensure that sshd is listening on port 22.

> $ netstat -na | grep '0.0.0.0:22'
> tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

As IPv6 is slowly conquering the world, I'd be checking for
:::22 just as well, e. g.:

$ netstat -na | grep -F :::22
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 2001:db8:1::1:51537 2001:db8:2::2:22 ESTABLISHED
$

Also, neither . nor : are the characters that an ordinary shell
would treat as special, so single quotes aren't necessary.
OTOH, grep(1) will treat . as any character, not period, thus -F
should be used. Consider, e. g.:

$ printf '%s\n' 0.0.0.0:22 1020:030:22 | grep '0.0.0.0:22'
0.0.0.0:22
1020:030:22
$ printf '%s\n' 0.0.0.0:22 1020:030:22 | grep -F 0.0.0.0:22
0.0.0.0:22
$

> 3. Ensure that you can connect to the sshd port from the local host.
> Do this on the local host.

> $ telnet localhost 22
> ...
> Escape character is '^]'.
> SSH-2.0-OpenSSH_5.8p1 Debian-7
> ^] <-- Use Control-] to escape
> telnet> quit <-- Then type quit to exit

The Telnet protocol isn't the same as “no protocol.” In
particular, IIRC, Telnet treats a xff code as special. For
network diagnostics, netcat (as of either netcat6,
netcat-openbsd, or netcat-traditional package) is generally
better.

And it can be interrupted by a plain ^C (C-c), BTW.

[…]

--
FSF associate member #7257 Coming soon: Software Freedom Day
http://mail.sf-day.org/lists/listinfo/ planning-ru (ru), sfd-discuss (en)


Archive: http://lists.debian.org/86mxf3tlrn.fsf_-_@gray.siamics.net
 
08-22-2011, 01:29 AM
Bob Proulx

SSH server

Ivan Shmakov wrote:
> Bob Proulx writes:
> > 2. Ensure that sshd is listening on port 22.
>
> > $ netstat -na | grep '0.0.0.0:22'
> > tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
>
> As IPv6 is slowly conquering the world, I'd be checking for
> :::22 just as well, e. g.:

Good point. I have yet to convert over to the IPv6 world. But in
this case IPv4 was/is sufficient to verify that it was installed and
running. Or rather in this case that it wasn't installed and wasn't
running.

> Also, neither . nor : are the characters that an ordinary shell
> would treat as special, so single quotes aren't necessary.

Sorry for not reducing to minimum form. I started out looking for
":22 " and so needed the quotes. I have many ports that started with
22XYZ and so needed to avoid the substring match. But then evolved it
into 0.0.0.0:22 which didn't need the space and so went with it and
didn't think to remove the quotes.

> OTOH, grep(1) will treat . as any character, not period, thus -F
> should be used. Consider, e. g.:
>
> $ printf '%s\n' 0.0.0.0:22 1020:030:22 | grep '0.0.0.0:22'
> 0.0.0.0:22
> 1020:030:22
> $ printf '%s\n' 0.0.0.0:22 1020:030:22 | grep -F 0.0.0.0:22
> 0.0.0.0:22
> $

That is of course correct. But since the result is to the human eye I
expect that a real person will be able to interpret what they see. I
didn't happen to have any other matches when testing that on my real
system and so didn't bother with it. I often use grep when more
correctly I should be using sed.

> > 3. Ensure that you can connect to the sshd port from the local host.
> > Do this on the local host.
>
> > $ telnet localhost 22
> > ...
> > Escape character is '^]'.
> > SSH-2.0-OpenSSH_5.8p1 Debian-7
> > ^] <-- Use Control-] to escape
> > telnet> quit <-- Then type quit to exit
>
> The Telnet protocol isn't the same as “no protocol.” In
> particular, IIRC, Telnet treats a xff code as special.

Right. But telnet is installed on a default system and so doesn't
need any more explanation. It is "Good Enough(TM)". We are not
needing to interact with sshd more than simply getting a banner. It
doesn't matter that telnet has in-band control and other issues. I
didn't want to make things more complicated than necessary. I
contemplated talking about 'connect' here but then decided against it.

If I were going to talk about using a different command such as
'connect' or goodness forbid 'nc' then I would be obligated to explain
how to install that command first. And for relatively small gain. It
wasn't worth it. But since you brought it up now I feel obligated.
The 'connect' program is the superior choice in my opinion.

> For network diagnostics, netcat (as of either netcat6,
> netcat-openbsd, or netcat-traditional package) is generally
> better.

I realize that 'nc' is the grand old dog of the network connection
utilities. But just the same it is really a terrible program. It by
design ignores errors, or is it EOF, I can't remember. And so when
trying to use it for things such as ssh ProxyCommand connections it
tends to leave orphan 'nc' processes hanging around because they don't
close themselves down properly when the network drops out. Some years
ago I chased down the root cause that 'nc' processes were being left
around but can't remember it now. But when I found out it was an
intentional design decision I became less of a fan of it.

For general network connectivity connections the best program IMNHO is
the 'connect' program. It detects errors and EOF properly and
therefore never leaves orphan 'connect' processes hanging around when
used as an ssh proxy command. Check it out.

# apt-get install connect-proxy

http://bent.latency.net/bent/git/goto-san-connect-1.85/src/connect.html

> And it can be interrupted by a plain ^C (C-c), BTW.

The connect program is similar. The connect program is 8-bit clean
and handles errors better. Try it, you will like it. :-)

Bob
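An added example, not code from either poster, that turns the listener check discussed in both messages into one reusable shell function: it compares the local-address column of netstat -na output as a whole string, so neither the '.'-as-any-character trap nor the 22XYZ substring problem Bob mentions can give a false positive, and it covers the :::22 IPv6 listener as well as 0.0.0.0:22. The function names, the port argument and the sample netstat lines are my own constructions.

```shell
#!/bin/sh
# Added example, not from the thread. Reads "netstat -na" style output on stdin and
# reports whether a TCP listener for PORT exists on the IPv4 wildcard (0.0.0.0:PORT)
# and the IPv6 wildcard (:::PORT). The local-address field ($4) is compared whole,
# so '.' is never a regex wildcard and 10.0.0.0:2222 cannot masquerade as 0.0.0.0:22.
# Usage: netstat -na | sshd_listen_check [port]     (port defaults to 22)
sshd_listen_check() {
    awk -v port="${1:-22}" '
        BEGIN { v4 = 0; v6 = 0 }
        $NF == "LISTEN" && $1 == "tcp"  && $4 == ("0.0.0.0:" port) { v4 = 1 }
        $NF == "LISTEN" && $1 == "tcp6" && $4 == (":::" port)      { v6 = 1 }
        END {
            printf "ipv4=%d ipv6=%d\n", v4, v6
            status = (v4 || v6) ? 0 : 1   # success only if sshd listens somewhere
            exit status
        }'
}

# Constructed sample resembling "netstat -na" output (not captured from a real host).
# The 10.0.0.0:2222 line is the substring trap: a plain grep for 0.0.0.0:22 hits it too.
SAMPLE='Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 10.0.0.0:2222           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tcp6       0      0 2001:db8:1::1:51537     2001:db8:2::2:22        ESTABLISHED'

# Number of sample lines a fixed-string grep would count as "sshd on 0.0.0.0:22".
grep_hits() { printf '%s\n' "$SAMPLE" | grep -cF 0.0.0.0:22; }

grep_hits                                          # 2: the substring false positive
printf '%s\n' "$SAMPLE" | sshd_listen_check 22     # ipv4=1 ipv6=1, exit status 0
```

The exit status makes the function usable in a script (`netstat -na | sshd_listen_check || echo "sshd not listening"`), which a bare grep pipeline does not give you without further parsing.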
 
