Gentoo Forums
Help! SSH problems with new install [SOLVED]
Punchcutter
Guru

Joined: 11 Feb 2007
Posts: 329

Posted: Sun Sep 11, 2016 7:30 pm    Post subject: Help! SSH problems with new install [SOLVED]

[Putting this under networking rather than install subforum because I think it makes more sense]

Help! I just installed a new Gentoo box. There's almost nothing on it yet - fresh install. I want to work on continuing the userland installation from my established laptop, but cannot ssh into the new one. It's definitely talking to the network - I can ssh from the new box to the laptop, but from laptop to new box - no. If I try, I get "connection timed out". I have installed a firewall (shorewall), but it is not running - I've double-checked that. Also checked that sshd is running - yes. Maybe the one place where something strange could have happened is in the sshd config, which I have tweaked with my usual settings. But these settings have worked fine for me before.

I wanted to put the sshd configs here for your review, but the only way to do it (I think) is to scp them from the new box to the laptop first. When I tried to do that, the scp appeared to work (like this: scp sshdconf user@laptop:), it asked for my password as usual, but failed to transfer the file, and only printed "Wifi management tool" on the shell as output. WTH?!?!?!?!!!


Last edited by Punchcutter on Wed Sep 14, 2016 6:43 am; edited 1 time in total

Buffoon
Veteran

Joined: 17 Jun 2015
Posts: 1074
Location: EU or US

Posted: Sun Sep 11, 2016 7:34 pm

Try running client with -v switch.

Punchcutter
Guru

Joined: 11 Feb 2007
Posts: 329

Posted: Sun Sep 11, 2016 7:41 pm

Thanks Buffoon... good idea... I have been doing that to debug the ssh part, but forgot this time :oops:

Well... the scp verbose log looks pretty normal, I think, and of course I can't copy the whole thing here, but it does contain this line, near the bottom:
Quote:
Transferred: sent 1964, received 2852 bytes, in 0.1 seconds

But! The size of the file I'm trying to transfer is 3685 :(

montik
n00b

Joined: 13 Sep 2011
Posts: 5

Posted: Sun Sep 11, 2016 8:48 pm

Are the two machines on the same LAN? Have you tried to check if it's a networking problem, e.g. can you ping the other box from the laptop?

Have you tried a default sshd config, just to see if the problem is in your tweaked conf?

Buffoon
Veteran

Joined: 17 Jun 2015
Posts: 1074
Location: EU or US

Posted: Sun Sep 11, 2016 9:03 pm

sshd log in the new box probably will tell the story.

Punchcutter
Guru

Joined: 11 Feb 2007
Posts: 329

Posted: Sun Sep 11, 2016 10:13 pm

OK, I feel silly, but... where do I find the logs for sshd? I've looked in the config file and turned on some stuff, like
Quote:
SyslogFacility AUTH
LogLevel DEBUG
restarted, and looked in /var/log/messages and /var/log/syslog, but nothing's coming out there. Also tried LogLevel INFO. Nothin'.

Punchcutter
Guru

Joined: 11 Feb 2007
Posts: 329

Posted: Sun Sep 11, 2016 10:22 pm

OK, here's the sshd config. I used cat filename | ssh laptop "cat > filename" to move it over :)
The parts of this that I fiddled with are the following settings, which I usually use on my boxen:
Quote:
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin no

The rest should be defaults, I believe.
Quote:
# $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Ciphers and keying
#RekeyLimit default none

# Logging
# obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
#AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
PrintLastLog no
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/lib64/misc/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server

# Allow client to pass locale environment variables #367017
AcceptEnv LANG LC_*

Buffoon
Veteran

Joined: 17 Jun 2015
Posts: 1074
Location: EU or US

Posted: Sun Sep 11, 2016 11:22 pm

It logs to /var/log/messages unless you specify otherwise. You can keep a terminal window open with tail -f /var/log/messages running in it when you attempt remote login.

freke
Guru

Joined: 23 Jan 2003
Posts: 402
Location: Somewhere in Denmark

Posted: Mon Sep 12, 2016 3:07 pm

Punchcutter wrote:
OK, I feel silly, but... where do I find the logs for sshd? I've looked in the config file and turned on some stuff, like
Quote:
SyslogFacility AUTH
LogLevel DEBUG
restarted, and looked in /var/log/messages and /var/log/syslog, but nothing's coming out there. Also tried LogLevel INFO. Nothin'.


Stupid question - you have got a logger installed?

Also wgetpaste is a good util for pasting configs, logs etc. from your Linux boxes to i.e. bpaste.net.

Punchcutter
Guru

Joined: 11 Feb 2007
Posts: 329

Posted: Tue Sep 13, 2016 8:07 am

Well, I'm pretty well stumped now. Yes, I have sysklogd installed and added to my default runlevel. But there's nothing in /var/log/messages. I've checked arp -a on the laptop, and arp knows about the new host (MAC addr is correct). It really doesn't look like a network problem, because I can ssh from the new box to the old laptop, just not the other way.

I've got sshd started and added to the default runlevel, but it would SEEM there's nothing listening on port 22, by the way the laptop hangs and connection times out. But it appears there IS something. This is netstat -ln output:
Code:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
udp        0      0 0.0.0.0:68              0.0.0.0:*                         
Active UNIX domain sockets (only servers)
Proto RefCnt Flags       Type       State         I-Node   Path
unix  2      [ ACC ]     SEQPACKET  LISTENING     12871    /run/udev/control

I've tried telnetting in to port 22, but the same timeout thing happens. Is IPv6 interfering with v4 here?? Any more clues about how to proceed with this are much appreciated.

chiefbag
Guru

Joined: 01 Oct 2010
Posts: 542
Location: The Kingdom

Posted: Tue Sep 13, 2016 9:08 am

You should try the following from your laptop to the IP address of the new machine.

1: What's the output of the following, replacing "ip-of-new-machine" with the actual IP address got from the ifconfig command?

Code:
telnet ip-of-new-machine </dev/null


2: What's the output of the following, assuming you have a connection?

Code:
ssh -v root@"ip-of-new-machine"


Most probably your Shorewall is blocking connections if the above fail, so clear down iptables manually.

Code:
iptables -F

ct85711
Veteran

Joined: 27 Sep 2005
Posts: 1692

Posted: Tue Sep 13, 2016 5:32 pm

Quote:

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes


One thing to keep in mind is that root login is disabled by default, so trying to log in from root will always be denied, unless you change that. It is better if you log in with a regular account and from there su into root...

Quote:
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::


Another thing you may want to do is specify what address to listen to (i.e. the PC's IP address), with the ListenAddress line.

Tony0945
Advocate

Joined: 25 Jul 2006
Posts: 2889
Location: Illinois, USA

Posted: Tue Sep 13, 2016 10:39 pm

ct85711 wrote:
Another thing you may want to do is specify what address to listen to (i.e. the PC's IP address), with the ListenAddress line.


Just checked my own boxes. Not necessary. But check your router log to make sure there is no block there.

Punchcutter
Guru

Joined: 11 Feb 2007
Posts: 329

Posted: Wed Sep 14, 2016 6:42 am

chiefbag wrote:
Most probably your Shorewall is blocking connections if the above fail, so clear down iptables manually.

Code:
iptables -F
Thanks everyone. This was ultimately the clue that led me to the solution. Although iptables -F didn't actually solve the problem, I sorta knew that it HAD to be that something was blocking the connection, even though I thought shorewall was disabled. It turned out there was this other thing, shorewall-init, that was causing trouble. I think this is something fairly new in the shorewall system, as I saw it first on this install. I didn't realize it was running. I found I could give it a "stop" command, and magically, my ssh started being connected. The end.
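
Added example, not part of any post in this thread: a listening socket combined with a client-side timeout (rather than "connection refused") is the signature of a packet filter dropping the connection, and `iptables -F` removes rules without resetting chain policies, so a DROP policy keeps dropping after a flush. The script classifies that state from `netstat -ln` and `iptables-save` text; the function names and sample inputs are constructed for illustration.

```shell
# Added example. Sample inputs are constructed, modelled on the thread's output.

# port_listening PORT: reads `netstat -ln` text on stdin; true if TCP LISTEN on PORT.
port_listening() {
    awk -v p="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, a, ":")      # port is the part after the last ":"
            if (a[n] == p) found = 1
        }
        END { exit !found }'
}

# input_filter_state: reads `iptables-save` text on stdin and classifies the
# filter table INPUT chain only (other tables and nftables are not examined).
input_filter_state() {
    awk '
        /^\*/ { table = substr($1, 2) }
        table != "filter" { next }
        $1 == ":INPUT" { policy = $2 }
        $1 == "-A" && $2 == "INPUT" { rules++ }
        END {
            if (rules > 0)             print "filtered"       # inspect the rules
            else if (policy == "DROP") print "drop-no-rules"  # nothing gets in
            else                       print "open"
        }'
}

# diagnose PORT NETSTAT_TEXT RULES_TEXT
diagnose() {
    if ! printf '%s\n' "$2" | port_listening "$1"; then
        echo "not-listening"; return 0
    fi
    case "$(printf '%s\n' "$3" | input_filter_state)" in
        drop-no-rules) echo "listening-but-all-inbound-dropped" ;;
        filtered)      echo "listening-check-input-rules" ;;
        *)             echo "listening-filter-open" ;;
    esac
}

NETSTAT_SAMPLE='tcp   0  0 0.0.0.0:22  0.0.0.0:*  LISTEN
tcp6  0  0 :::22       :::*       LISTEN
udp   0  0 0.0.0.0:68  0.0.0.0:*'
# Constructed: a ruleset flushed with `iptables -F` while the policy was DROP.
RULES_AFTER_FLUSH='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT'
diagnose 22 "$NETSTAT_SAMPLE" "$RULES_AFTER_FLUSH"
```

On a live box the same check is `diagnose 22 "$(netstat -ln)" "$(iptables-save)"`, run as root so that `iptables-save` can read the ruleset.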