jkcunningham (l33t)
Joined: 28 Apr 2003, Posts: 649, Location: 47.49N 121.79W
Posted: Mon May 12, 2003 12:12 am, Post subject: ssh only working in one direction

I have id_rsa.pub keys swapped in .ssh/authorized_keys files (as usual) between all machines on my LAN. The Gentoo machine can connect to any of the others if it initiates. However, none of the other machines can connect to it. They see a message: "port 22: Connection refused". The Gentoo log shows:
May 11 15:36:09 [login(pam_unix)] check pass; user unknown
May 11 15:36:09 [login(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=/dev/vc/1 ruser= rhost=
May 11 15:36:11 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR UNKNOWN, Authentication failure
Any idea what's eating this thing? I double checked that the keys were right, and they look fine.
Thanks.
-Jeff
puggy (Bodhisattva)
Joined: 28 Feb 2003, Posts: 1992, Location: Oxford, UK
Posted: Mon May 12, 2003 1:33 am

What happens if you remove the key and try and connect? Do you still get the message?
Puggy
_________________
Where there's open source, there's a way.
jkcunningham (l33t)
Joined: 28 Apr 2003, Posts: 649, Location: 47.49N 121.79W
Posted: Mon May 12, 2003 1:53 am

Weird! I tried moving the keys on the SuSE machine into a tmp directory and I could still connect to it from the Gentoo machine. So, I moved the known_hosts and everything else to the tmp directory - still connects. So then I moved all the keys and everything out of .ssh on the Gentoo machine to a tmp directory, and it STILL connects. I don't get it. How can it connect without the keys on the far end? It asks for the password, and knows if I type it wrong (I tested it).
I thought I knew how ssh worked - now I'm confused.
-Jeff
puggy (Bodhisattva)
Joined: 28 Feb 2003, Posts: 1992, Location: Oxford, UK
Posted: Mon May 12, 2003 2:01 am

OK. The authorized keys folder is only for using RSA keys. These keys are not necessary for ssh to operate and are only there so that you can be even more secure than the standard ssh encrypted passwords. The authorized keys also enable you to do nifty things like passwordless ssh while still being secure.
Simply put, ssh basically just requires your password for the remote system when you log in as you (without RSA keys, I'm talking). Known hosts is just a record of a past connection you were sure was from a certain host, so you can verify that nobody is acting as a middleman in your communication to steal your password.
Are you still having your problem?
Puggy
_________________
Where there's open source, there's a way.
jkcunningham (l33t)
Joined: 28 Apr 2003, Posts: 649, Location: 47.49N 121.79W
Posted: Mon May 12, 2003 2:04 am

Yes - from the Gentoo machine I can log on as myself to any of the other machines on my LAN, but not the other direction from any other machine to the Gentoo machine. Where do I go from here?
-Jeff
puggy (Bodhisattva)
Joined: 28 Feb 2003, Posts: 1992, Location: Oxford, UK
Posted: Mon May 12, 2003 2:08 am

You've set up sshd on your Gentoo machine properly?
Maybe post your /etc/ssh/sshd_config.
It looks like a PAM problem to me though; have you got any crazy grsecurity or anything installed? I don't really know anything about PAM yet as I haven't had any problems with it myself.
Puggy
_________________
Where there's open source, there's a way.
uzik (Apprentice)
Joined: 17 Apr 2003, Posts: 257
Posted: Mon May 12, 2003 3:31 am

Do you have a firewall on your machines?
Did you open the firewall both directions?
jkcunningham (l33t)
Joined: 28 Apr 2003, Posts: 649, Location: 47.49N 121.79W
Posted: Mon May 12, 2003 4:43 am

I'm guessing I haven't set up sshd_config properly (since I've left it in its default setup). There is no firewall running on the Gentoo machine. Here is its listing:
Code:
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server

I appreciate the help, guys.
-Jeff
ARC2300 (Apprentice)
Joined: 30 Mar 2003, Posts: 265
Posted: Mon May 12, 2003 5:10 am

Firstly, you have to uncomment the line that says #Port 22 so that sshd actually listens on that port.
Here's what my sshd_config looks like:
Code:
# $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 22
Protocol 2,1
ListenAddress 0.0.0.0
#ListenAddress ::
# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 600
ServerKeyBits 768
# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 30
PermitRootLogin no
StrictModes yes
#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no
# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no
# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
MaxStartups 4
# no default banner path
#Banner /some/path
#VerifyReverseMapping no
# override default of no subsystems
#Subsystem sftp /usr/lib/misc/sftp-server

Hope that helps a little in what you need and don't need.
jkcunningham (l33t)
Joined: 28 Apr 2003, Posts: 649, Location: 47.49N 121.79W
Posted: Mon May 12, 2003 5:14 am

Uh... I didn't do my homework. Sorry about that. It's running, now that I changed a couple of things in sshd_config (like turning on PubkeyAuthentication, etc.). It generated a Hostkey, DSA-Hostkey, and RSA-Hostkey when I restarted the daemon. I assume that is as it should be (I restarted the daemon as su).
I can now log onto the Gentoo machine from others on the LAN, although it doesn't challenge for a password as I believe it should. I'll rtfm some more.
My problem here is that the SuSE installation machinery obviously enabled some of this stuff for me without me learning anything about it.
-Jeff
jkcunningham (l33t)
Joined: 28 Apr 2003, Posts: 649, Location: 47.49N 121.79W
Posted: Mon May 12, 2003 4:25 pm

My understanding was that sshd listens on all ports if you don't specify a port (that's what the default config says and, I believe, the man pages). But I'm going to try it your way. Thanks.
-Jeff
ARC2300 (Apprentice)
Joined: 30 Mar 2003, Posts: 265
Posted: Mon May 12, 2003 4:36 pm

Quote:
    My problem here is that the SuSE installation machinery obviously enabled some of this stuff for me without me learning anything about it.

That's the same reason I strayed away from Mandrake and Red Hat. I was ready to learn much more about Linux, and have I ever after going to Gentoo.
RTFM?? Why do that?? It's more fun to just plunge in and screw stuff up. (It's how I did it.)
Anyways, glad it's somewhat working for you now.
puggy (Bodhisattva)
Joined: 28 Feb 2003, Posts: 1992, Location: Oxford, UK
Posted: Tue May 13, 2003 8:22 am

sshd definitely doesn't listen on all ports if not told to listen on port 22. However, it will listen on port 22 by default without changing this option.
Puggy
_________________
Where there's open source, there's a way.
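Added example, not code from anyone in this thread: a small Python helper covering the two points the thread turns on. It derives the effective sshd settings from an sshd_config in which every option is commented out (sshd skips commented lines, which is why Puggy says it still listens on port 22 by default), and it tags each syslog line with the program that wrote it, which shows that the lines in the first post come from login on the console /dev/vc/1 rather than from sshd; a connection refused on port 22 never reaches sshd, so it leaves no sshd log line at all. The sample config and log lines are constructed (the sshd session line is assumed, not taken from the thread), and the DEFAULTS table is an assumed set of OpenSSH 3.x defaults for the options discussed.

```python
import re

# Constructed sample modelled on the all-commented default sshd_config
# posted in the thread: every option is commented, so defaults apply.
SAMPLE_SSHD_CONFIG = """\
#Port 22
#ListenAddress 0.0.0.0
#PubkeyAuthentication yes
Subsystem sftp /usr/lib/misc/sftp-server
"""

# Assumed compile-time defaults for the OpenSSH 3.x options the thread
# discusses; sshd applies these whenever an option is absent or commented.
DEFAULTS = {"Port": "22", "ListenAddress": "0.0.0.0",
            "PubkeyAuthentication": "yes", "PasswordAuthentication": "yes"}

def effective_settings(config_text):
    """Map option -> effective value; commented lines are skipped exactly as
    sshd skips them, so '#Port 22' and no Port line at all both give 22."""
    settings = dict(DEFAULTS)
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings

# Constructed log lines: two from the original post (written by the console
# login program on /dev/vc/1) plus one assumed line in sshd's own format.
SAMPLE_LOG = """\
May 11 15:36:09 [login(pam_unix)] check pass; user unknown
May 11 15:36:11 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR UNKNOWN, Authentication failure
May 11 15:40:02 [sshd(pam_unix)] session opened for user jeff by (uid=0)
"""

# Log prefix in the format shown in the thread: "Mon DD HH:MM:SS [program(pam_module)]"
LOG_RE = re.compile(r"^\S+ +\d+ +[\d:]+ +\[(\w+)(?:\(\w+\))?\]")

def classify_log(log_text):
    """Count lines per originating program. 'login' lines are local tty
    logins; only 'sshd' lines concern SSH, and a connection refused on
    port 22 never reaches sshd, so it leaves no sshd line at all."""
    counts = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        program = m.group(1) if m else "unknown"
        counts[program] = counts.get(program, 0) + 1
    return counts
```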