topic Re: ssh question in Operating System - HP-UX

ssh question

John McDen — Tue, 04 Jun 2002 18:38:54 GMT

When I try to uses ssh from server A to server A it prompts me to enter the password and when I enter my password it say connection closed.

But if I do a ssh from Server A to Server B I am able to login to the Server B.

ssh is running on both the servers. Can somebody tell me what is the problem??

Re: ssh question

Craig Rants — Tue, 04 Jun 2002 19:09:49 GMT

Do you mean server B to server A AND server A to server B? I don't think you want to test by going server A to server A.

C

Re: ssh question

John McDen — Tue, 04 Jun 2002 19:28:37 GMT

Craig,

let me put it this way..

Server A and Server B

Senarios:
1. From Server A to B (Successful)

2. From Server B to A (connection Closed)

3. From Server A to A (connection Closed) Can't do ssh to itself

4. From Server B to B (Successful) Can do ssh to itself.

Could be something to do with fire wall open only in one direction ??? (just poped up in my mind now)

Re: ssh question

Craig Rants — Tue, 04 Jun 2002 19:39:00 GMT

Ok,
On box b do a ssh -v to box a and put the output in a post.

Here is what I would check on box a

netstat -an | grep 22 | grep LISTEN
make sure that it is listening on port 22

cat sshd_config
look for AllowHosts and DenyHosts and make sure that there are not exclusions or errors in these entries that would prevent successful connections, maybe you could put the contents of that file in a post as well.

Let us know,
C

Re: ssh question

John McDen — Tue, 04 Jun 2002 20:09:31 GMT

Re: ssh question

John McDen — Tue, 04 Jun 2002 20:14:37 GMT

Here is the sshd_config file

$ vi sshd_config
"sshd_config" 92 lines, 2509 characters
# $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

# This sshd was compiled with PATH=/opt/openssh2/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /opt/openssh2/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/openssh2/etc/ssh_host_rsa_key
#HostKey /opt/openssh2/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /opt/openssh2/etc/ssh_known_h
osts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /opt/openssh2/libexec/sftp-server

Regard

Re: ssh question

Craig Rants — Tue, 04 Jun 2002 20:40:20 GMT

John,
I see some things in your sshd_config file you may want to uncomment. Below is my notes for setting up a openssh box with trusts using public key encryption not .shosts and the items I change in sshd_config to work for our situation.

Maybe this will peek your thoughts, also is there any difference in the sshd_conifg from box a to box b?

# $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

# This sshd was compiled with PATH=/bin:/usr/bin:/opt/openssh2/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /opt/openssh2/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/openssh2/etc/ssh_host_rsa_key
#HostKey /etc/openssh2/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 600
PermitRootLogin yes
#StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/openssh2/etc/ssh_known_h
osts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
#KeepAlive yes
#UseLogin no

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /opt/openssh2/libexec/sftp-server

Re: ssh question

Craig Rants — Tue, 04 Jun 2002 20:42:21 GMT

oops, forgot the notes...

Configure ssh and sshd (Already done in the tar, just for information )
vi /etc/openssh2/etc/sshd_config (verify these settings)
Port 22
HostKey /opt/openssh2/etc/ssh_host_key /etc for 10.20
KeyRegenerationInterval 3600
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts no
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
Subsystem sftp /opt/openssh2/libexec/sftp-server

vi /etc/openssh2/etc/ssh_config (verify these settings)
ForwardAgent yes
ForwardX11 yes

Re: ssh question

John McDen — Wed, 05 Jun 2002 12:32:33 GMT

Craig,

It did not do any good but I really appreciate your help I need to talk to the security guys regarding the port 22.

Re: ssh question

Craig Rants — Wed, 05 Jun 2002 12:45:55 GMT

John,
Sorry this didn't help, have your ever installed IPF/9000, it is packet filtering software, but I use if for troubleshootig just like this, it will tell you all the packets that touch your box if you want and you can see just exactly what is getting through your firewall before you talk to the firewall guys.

Anyway, good luck.

Craig

Re: ssh question

John McDen — Wed, 05 Jun 2002 13:02:19 GMT

Craig,

I just missed one part to let you know that I don't have a file /etc/openssh2/etc/ssh_config (non of the servers I installed ssh)
and is the IPF/9000 a free software and if yes from were can I download it.

Re: ssh question

John McDen — Wed, 05 Jun 2002 13:39:52 GMT

What does this error means when I start /opt/openssh2/sbin/sshd&

Disabling protocol version 2. Could not load host key

Re: ssh question

Thorsten Wandersmann — Wed, 05 Jun 2002 14:07:23 GMT

It means, that you hav not created a hostkey for ssh protokoll 2 or that the server can't find this file.

So you say that you cant connect from A to A..

you mean something like:
ssh localhost

Or do you use a spcific user?

First of all, you should disable the possibility to login by password. By this solution the password as well as all other things are going in cleartext through the tunnel. Better only to use passphrases.

Next you also should allow root login. By that way you can make access to people for root on different machines without them letting now the root-password(s).

Lets go on.
A to A should work, but whats the users you uses? Has this user his own configfile (should be found in ~/.ssh/ssh_config or something like that)

Do the machines A and B have the same config?

The Firewall should not have to do something with it, because A to A also is not working, and this should not go through a firewall (if A is not containing the firewall itself)

pitu

Re: ssh question

Craig Rants — Wed, 05 Jun 2002 14:47:28 GMT

Disabling protocol version 2. Could not load host key

It means you don't have a host or that the host key is commented out of the sshd_config file which is what has happened in your case. I get that as well because I only have support for protocol 1 because we do not have rsa or dsa keys.

C

Re: ssh question

Craig Rants — Wed, 05 Jun 2002 16:09:27 GMT

IPF is actually on the application CD 1, it is product number B9901AA.

C

Re: ssh question

John McDen — Wed, 05 Jun 2002 17:09:38 GMT

Thanks for your help.. I appreciate it... can't get it set up..

Re: ssh question

John McDen — Wed, 05 Jun 2002 17:12:15 GMT

copied the sshd_config file from the other server and does not give me the error but still does not work..

Thanks

Re: ssh question

Thorsten Wandersmann — Thu, 06 Jun 2002 08:30:04 GMT

How do you start the server?
please send also the output from "ps -ef | grep ssh"

As well again, which user, is this a problem of all users?

greetings,
pitu