Old 02-15-2008, 05:24 PM
Florian Philipp
 
Default Odd problem with OpenSSH

Hi list!

For some time now, there's a very odd situation: There are two
computers, DAU and NOTE.

I can use ssh to login from DAU to NOTE but not vice versa. I've played
around with several settings before this happened but I'm sure it worked
after my last change.

Well, ultimately I've unmerged openssh, keychain and denyhosts on both
computers and removed /etc/ssh and .ssh in root's and the users' home
directories and then reemerged just openssh.

Yet, the situation didn't change.

Here's what's happening:

dsl@NOTE > ssh -vvv DAU

OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to DAU [192.168.2.4] port 22.
debug1: Connection established.
debug1: identity file /home/dsl/.ssh/identity type -1
debug1: identity file /home/dsl/.ssh/id_rsa type -1
debug1: identity file /home/dsl/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host

dsl@DAU > tail /var/log/messages

[...]
Feb 15 19:20:30 DAU sshd[6269]: refused connect from NOTE.xxx (192.168.2.2)



I must have missed something, but what?

By the way: I can still connect from NOTE to my third PC, SERV. But
since SERV and DAU are not on the same net, I cannot try this
connection. And yes, I've also used chkrootkit.
 
Old 02-15-2008, 05:59 PM
Alan McKinnon
 
Default Odd problem with OpenSSH

On Friday 15 February 2008, Florian Philipp wrote:
> Hi list!
>
> For some time now, there's a very odd situation: There are two
> computers, DAU and NOTE.
>
> I can use ssh to login from DAU to NOTE but not vice versa. I've
> played around with several settings before this happened but I'm sure
> it worked after my last change.
>
> Well, ultimately I've unmerged openssh, keychain and denyhosts on
> both computers and removed /etc/ssh and .ssh in root's and the users'
> home directories and then reemerged just openssh.

Ah. You probably shouldn't have done that, unless you know for a fact
that YOU screwed the ssh config up beyond all hope of recovery.
Usually, you just sit with the same problem anyway, or make it worse by
removing the configs that still work

> Yet, the situation didn't change.
>
> Here's what happening:
>
> dsl@NOTE > ssh -vvv DAU
>
> OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g 19 Oct 2007
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to DAU [192.168.2.4] port 22.
> debug1: Connection established.
> debug1: identity file /home/dsl/.ssh/identity type -1
> debug1: identity file /home/dsl/.ssh/id_rsa type -1
> debug1: identity file /home/dsl/.ssh/id_dsa type -1
> ssh_exchange_identification: Connection closed by remote host
>
> dsl@DAU > tail /var/log/messages
>
> [...]
> Feb 15 19:20:30 DAU sshd[6269]: refused connect from NOTE.xxx
> (192.168.2.2)

It's not a firewall, xinetd, tcpwrappers or denyhost problem :-) Your
connection attempt was received by sshd which denied it.

The information you gave is inadequate to answer your question, because
I don't know how long a piece of string is.

Post the complete contents of /etc/sshd/sshd_config on DAU and we can
probably tell you why though


--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
 
Old 02-15-2008, 06:14 PM
Florian Philipp
 
Default Odd problem with OpenSSH

On Fri, 2008-02-15 at 20:59 +0200, Alan McKinnon wrote:
> On Friday 15 February 2008, Florian Philipp wrote:
> > Hi list!
> >
> > For some time now, there's a very odd situation: There are two
> > computers, DAU and NOTE.
> >
> > I can use ssh to login from DAU to NOTE but not vice versa. I've
> > played around with several settings before this happened but I'm sure
> > it worked after my last change.
> >
> > Well, ultimately I've unmerged openssh, keychain and denyhosts on
> > both computers and removed /etc/ssh and .ssh in root's and the users'
> > home directories and then reemerged just openssh.
>
> Ah. You probably shouldn't have done that, unless you know for a fact
> that YOU screwed the ssh config up beyond all hope of recovery.
> Usually, you just sit with the same problem anyway, or make it worse by
> removing the configs that still work
>
> > Yet, the situation didn't change.
> >
> > Here's what happening:
> >
> > dsl@NOTE > ssh -vvv DAU
> >
> > OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g 19 Oct 2007
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug2: ssh_connect: needpriv 0
> > debug1: Connecting to DAU [192.168.2.4] port 22.
> > debug1: Connection established.
> > debug1: identity file /home/dsl/.ssh/identity type -1
> > debug1: identity file /home/dsl/.ssh/id_rsa type -1
> > debug1: identity file /home/dsl/.ssh/id_dsa type -1
> > ssh_exchange_identification: Connection closed by remote host
> >
> > dsl@DAU > tail /var/log/messages
> >
> > [...]
> > Feb 15 19:20:30 DAU sshd[6269]: refused connect from NOTE.xxx
> > (192.168.2.2)
>
> It's not a firewall, xinetd, tcpwrappers or denyhost problem :-) Your
> connection attempt was received by sshd which denied it.
>
> The information you gave is inadequate to answer your question, because
> I don't know how long a piece of string is.
>
> Post the complete contents of /etc/sshd/sshd_config on DAU and we can
> probably tell you why though
>
>

Thanks so far.

Since there wasn't that much customization, trying vanilla settings from
the ebuild didn't sound that bad. At least it didn't make it worse .

Okay, when I delete every line that's commented out, my sshd-settings
read as follows:

Protocol 2
PasswordAuthentication no (changing to yes doesn't change anything)
UsePAM yes (changing to no doesn't change anything)
Subsystem sftp /usr/lib64/misc/sftp-server


Useflags: X hpn pam tcpd -X509 -chroot -kerberos -ldap -libedit -selinux
-skey -smartcard -static
 
Old 02-16-2008, 05:54 AM
"Tim Garton"
 
Default Odd problem with OpenSSH

Try adding a:
LogLevel VERBOSE

or
LogLevel DEBUG

to /etc/ssh/sshd_config and restarting the ssh server, and see if it gives you any more info.
 
Old 02-16-2008, 08:37 AM
Mick
 
Default Odd problem with OpenSSH

On Friday 15 February 2008, Florian Philipp wrote:
> On Fri, 2008-02-15 at 20:59 +0200, Alan McKinnon wrote:
> > On Friday 15 February 2008, Florian Philipp wrote:

> > > I can use ssh to login from DAU to NOTE but not vice versa. I've
> > > played around with several settings before this happened but I'm sure
> > > it worked after my last change.

Since you've unmerged everything the above is probably irrelevant to the
problem below.

> > > Well, ultimately I've unmerged openssh, keychain and denyhosts on
> > > both computers and removed /etc/ssh and .ssh in root's and the users'
> > > home directories and then reemerged just openssh.

Did you then run ssh-keygen on both machines?

> > Ah. You probably shouldn't have done that, unless you know for a fact
> > that YOU screwed the ssh config up beyond all hope of recovery.
> > Usually, you just sit with the same problem anyway, or make it worse by
> > removing the configs that still work

Having both machines' settings would also allow for diff-ing between them, but
it's all irrelevant now.

> > > Yet, the situation didn't change.
> > >
> > > Here's what happening:
> > >
> > > dsl@NOTE > ssh -vvv DAU
> > >
> > > OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g 19 Oct 2007
> > > debug1: Reading configuration data /etc/ssh/ssh_config
> > > debug2: ssh_connect: needpriv 0
> > > debug1: Connecting to DAU [192.168.2.4] port 22.
> > > debug1: Connection established.
> > > debug1: identity file /home/dsl/.ssh/identity type -1
> > > debug1: identity file /home/dsl/.ssh/id_rsa type -1
> > > debug1: identity file /home/dsl/.ssh/id_dsa type -1
> > > ssh_exchange_identification: Connection closed by remote host

As I said above, have you generated new keys? If yes, you could copy public
key A to the ~/.ssh/authorized_keys file and do away with the need to enter a
password. It's only then that you can turn PasswordAuthentication no.

Hope this helps.
--
Regards,
Mick
 
Old 02-16-2008, 04:56 PM
Florian Philipp
 
Default Odd problem with OpenSSH

On Fri, 2008-02-15 at 22:54 -0800, Tim Garton wrote:
> Try adding a:
> LogLevel VERBOSE
>
> or
> LogLevel DEBUG
>
> to /etc/ssh/sshd_config and restarting the ssh server, and see if it
> gives you any more info.
>
Thanks! That did the trick! Now there was an entry about tcp wrapper
denying access in /var/log/messages. Remerging open-ssh with USE="-tcpd"
solved the problem.

I will look into tcpd configuration but I don't think I even need it on
that machine.
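As an added example (not part of the thread), this script picks the tcp_wrappers refusal out of sshd's syslog output, which is what the LogLevel step above surfaced. The log lines are constructed, loosely modelled on the "refused connect from" entry posted earlier; the helper names are my own.

```python
import re

# Constructed sample syslog lines (not taken from the thread). The first is
# shaped like the poster's "refused connect from" entry; the rest are ordinary
# sshd authentication events for contrast.
SAMPLE_LOG = """\
Feb 15 19:20:30 DAU sshd[6269]: refused connect from NOTE.xxx (192.168.2.2)
Feb 15 19:21:02 DAU sshd[6270]: Accepted publickey for dsl from 192.168.2.4 port 51022 ssh2
Feb 15 19:21:40 DAU sshd[6271]: Failed password for invalid user admin from 203.0.113.7 port 40122 ssh2
Feb 15 19:22:01 DAU sshd[6272]: Connection closed by 192.168.2.2
"""

# libwrap (tcp_wrappers) logs its refusal through the wrapped daemon's own
# syslog identity, so the line is tagged "sshd[...]" even though sshd never
# reached key exchange or authentication for that client.
WRAP_REFUSED = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"refused connect from (?P<client>\S+) \((?P<ip>[\d.]+)\)$"
)
AUTH_FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\w+) for (invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+)"
)
AUTH_OK = re.compile(r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>[\d.]+)")


def classify(line: str) -> dict:
    """Return {'kind': ..., 'ip': ...}; kind is one of
    'tcpwrap_refused', 'auth_failed', 'auth_ok', 'other'."""
    m = WRAP_REFUSED.match(line)
    if m:
        return {"kind": "tcpwrap_refused", "ip": m["ip"], "client": m["client"]}
    m = AUTH_FAILED.search(line)
    if m:
        return {"kind": "auth_failed", "ip": m["ip"], "user": m["user"]}
    m = AUTH_OK.search(line)
    if m:
        return {"kind": "auth_ok", "ip": m["ip"], "user": m["user"]}
    return {"kind": "other", "ip": None}


def summarize(log: str) -> dict:
    """Count each kind and list the IPs refused by tcp_wrappers, so a client's
    'ssh_exchange_identification: Connection closed' can be tied to a wrapper
    rule on the server rather than to an sshd authentication failure."""
    counts: dict = {}
    refused = []
    for line in log.splitlines():
        c = classify(line)
        counts[c["kind"]] = counts.get(c["kind"], 0) + 1
        if c["kind"] == "tcpwrap_refused":
            refused.append(c["ip"])
    return {"counts": counts, "wrapper_refused_ips": refused}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```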
 
Old 02-17-2008, 07:42 AM
Alan McKinnon
 
Default Odd problem with OpenSSH

On Saturday 16 February 2008, Florian Philipp wrote:
> On Fri, 2008-02-15 at 22:54 -0800, Tim Garton wrote:
> > Try adding a:
> > LogLevel VERBOSE
> >
> > or
> > LogLevel DEBUG
> >
> > to /etc/ssh/sshd_config and restarting the ssh server, and see if
> > it gives you any more info.
>
> Thanks! That did the trick! Now there was an entry about tcp wrapper
> denying access in /var/log/messages. Remerging open-ssh with
> USE="-tcpd" solved the problem.
>
> I will look into tcpd configuration but I don't think I even need it
> on that machine.

That's interesting. I honestly thought a tcpd deny would NOT be reported
in /var/log/messages as coming from sshd (as shown in your logs).

I don't recall that behaviour, maybe something changed since I last
looked hard at it. We learn something new every day it seems.

--
Alan McKinnon
alan dot mckinnon at gmail dot com
 
Old 02-17-2008, 11:19 AM
Stroller
 
Default Odd problem with OpenSSH

On 16 Feb 2008, at 17:56, Florian Philipp wrote:

> ...
> Thanks! That did the trick! Now there was an entry about tcp wrapper
> denying access in /var/log/messages. Remerging open-ssh with USE="-tcpd"
> solved the problem.
>
> I will look into tcpd configuration but I don't think I even need it on
> that machine.


I stumbled across use of tcp wrapper & SSH recently - I think another
poster here mentioned DenyHosts, and tcp wrapper is needed for this.

http://denyhosts.sourceforge.net/

If I look at my auth logs on 3 different systems I see thousands of
failed ssh attempts, so DenyHosts would be quite worthwhile here, I
think.


Stroller.