
Re: ssh question

 
John McDen
Regular Advisor

ssh question

When I try to use ssh from server A to server A it prompts me to enter the password and when I enter my password it says connection closed.

But if I do a ssh from Server A to Server B I am able to login to the Server B.

ssh is running on both the servers. Can somebody tell me what is the problem??
New to HP
17 REPLIES 17
Craig Rants
Honored Contributor

Re: ssh question

Do you mean server B to server A AND server A to server B? I don't think you want to test by going server A to server A.

C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
John McDen
Regular Advisor

Re: ssh question

Craig,

let me put it this way..

Server A and Server B

Scenarios:
1. From Server A to B (Successful)

2. From Server B to A (connection Closed)

3. From Server A to A (connection Closed) Can't do ssh to itself

4. From Server B to B (Successful) Can do ssh to itself.

Could be something to do with the firewall being open only in one direction??? (just popped up in my mind now)

New to HP
Craig Rants
Honored Contributor

Re: ssh question

Ok,
On box b do a ssh -v to box a and put the output in a post.

Here is what I would check on box a

netstat -an | grep 22 | grep LISTEN
make sure that it is listening on port 22

cat sshd_config
look for AllowHosts and DenyHosts and make sure that there are not exclusions or errors in these entries that would prevent successful connections, maybe you could put the contents of that file in a post as well.

Let us know,
C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
John McDen
Regular Advisor

Re: ssh question

Here is the sshd_config file

$ vi sshd_config
"sshd_config" 92 lines, 2509 characters
# $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

# This sshd was compiled with PATH=/opt/openssh2/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /opt/openssh2/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/openssh2/etc/ssh_host_rsa_key
#HostKey /opt/openssh2/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 600
PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /opt/openssh2/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /opt/openssh2/libexec/sftp-server

Regards
New to HP
Craig Rants
Honored Contributor

Re: ssh question

John,
I see some things in your sshd_config file you may want to uncomment. Below are my notes for setting up an openssh box with trusts using public key encryption, not .shosts, and the items I change in sshd_config to work for our situation.

Maybe this will pique your thoughts. Also, is there any difference in the sshd_config from box a to box b?

# $OpenBSD: sshd_config,v 1.48 2002/02/19 02:50:59 deraadt Exp $

# This is the sshd server system-wide configuration file. See sshd(8)
# for more information.

# This sshd was compiled with PATH=/bin:/usr/bin:/opt/openssh2/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /opt/openssh2/etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/openssh2/etc/ssh_host_rsa_key
#HostKey /etc/openssh2/etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

#LoginGraceTime 600
PermitRootLogin yes
#StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/openssh2/etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
# KerberosAuthentication automatically enabled if keyfile exists
#KerberosAuthentication yes
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# AFSTokenPassing automatically enabled if k_hasafs() is true
#AFSTokenPassing yes

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
#KeepAlive yes
#UseLogin no

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem sftp /opt/openssh2/libexec/sftp-server
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
Craig Rants
Honored Contributor

Re: ssh question

oops, forgot the notes...

Configure ssh and sshd (Already done in the tar, just for information )
vi /etc/openssh2/etc/sshd_config (verify these settings)
Port 22
HostKey /opt/openssh2/etc/ssh_host_key /etc for 10.20
KeyRegenerationInterval 3600
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin yes
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
RhostsAuthentication no
IgnoreRhosts yes
IgnoreUserKnownHosts no
PasswordAuthentication yes
PermitEmptyPasswords no
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
PrintMotd yes
PrintLastLog yes
Subsystem sftp /opt/openssh2/libexec/sftp-server

vi /etc/openssh2/etc/ssh_config (verify these settings)
ForwardAgent yes
ForwardX11 yes
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
John McDen
Regular Advisor

Re: ssh question

Craig,

It did not do any good, but I really appreciate your help. I need to talk to the security guys regarding the port 22.

New to HP
Craig Rants
Honored Contributor

Re: ssh question

John,
Sorry this didn't help. Have you ever installed IPF/9000? It is packet filtering software, but I use it for troubleshooting just like this. It will tell you all the packets that touch your box if you want, and you can see just exactly what is getting through your firewall before you talk to the firewall guys.

Anyway, good luck.

Craig
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
John McDen
Regular Advisor

Re: ssh question

Craig,

I just missed one part to let you know: I don't have a file /etc/openssh2/etc/ssh_config (on none of the servers where I installed ssh).
And is IPF/9000 free software, and if yes, from where can I download it?


New to HP
John McDen
Regular Advisor

Re: ssh question

What does this error mean when I start /opt/openssh2/sbin/sshd&

Disabling protocol version 2. Could not load host key

New to HP

Re: ssh question

It means that you have not created a host key for ssh protocol 2, or that the server can't find this file.

So you say that you can't connect from A to A.

You mean something like:
ssh localhost

Or do you use a specific user?

First of all, you should disable the possibility to log in by password. With this solution the password as well as all other things are going in cleartext through the tunnel. Better to use only passphrases.

Next, you also should allow root login. That way you can give people root access on different machines without letting them know the root password(s).

Let's go on.
A to A should work, but what user do you use? Does this user have his own config file (should be found in ~/.ssh/ssh_config or something like that)?

Do the machines A and B have the same config?

The firewall should not have anything to do with it, because A to A is also not working, and this should not go through a firewall (if A does not contain the firewall itself).

pitu
pitu
Craig Rants
Honored Contributor

Re: ssh question

Disabling protocol version 2. Could not load host key

It means you don't have a host or that the host key is commented out of the sshd_config file which is what has happened in your case. I get that as well because I only have support for protocol 1 because we do not have rsa or dsa keys.

C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
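
The "Could not load host key" diagnosis discussed above can be checked mechanically by listing which HostKey directives in sshd_config are active, commented out, or point at a file that cannot be read. This shell function is an added example, not part of the thread or of OpenSSH; the names check_hostkeys and demo and the sample config are constructed, and the demo assumes a mktemp that supports -d as on Linux/BSD.

```sh
#!/bin/sh
# Added example, not from the thread: classify each HostKey directive in an
# sshd_config. Run as the user that starts sshd; -r tests the current user.

# check_hostkeys CONFIG: prints "OK|MISSING|COMMENTED <path>" per directive and
# returns 0 only if at least one active HostKey file is readable.
check_hostkeys() {
    cfg=$1; active=0; usable=0
    while read -r key path _rest || [ -n "$key" ]; do
        key=$(printf '%s' "$key" | tr '[:upper:]' '[:lower:]')  # keywords ignore case
        case $key in
            hostkey)
                active=$((active + 1))
                if [ -r "$path" ]; then
                    echo "OK $path"; usable=$((usable + 1))
                else
                    echo "MISSING $path"
                fi ;;
            '#hostkey')
                # A prose comment like "# HostKey for protocol version 1"
                # splits into key="#", so only disabled directives land here.
                case $path in /*) echo "COMMENTED $path" ;; esac ;;
        esac
    done < "$cfg"
    if [ "$active" -eq 0 ]; then
        echo "NOTE no active HostKey: sshd uses its compiled-in default paths"
    fi
    [ "$usable" -gt 0 ]
}

# Constructed sample: one key present, one commented out, one missing.
demo() {
    d=$(mktemp -d) || return 1
    : > "$d/ssh_host_key"    # empty stand-in for a real key file
    cat > "$d/sshd_config" <<EOF
# HostKey for protocol version 1
HostKey $d/ssh_host_key
# HostKeys for protocol version 2
#HostKey /opt/openssh2/etc/ssh_host_rsa_key
HostKey $d/ssh_host_dsa_key
EOF
    check_hostkeys "$d/sshd_config"; rc=$?
    rm -rf "$d"
    return "$rc"
}

demo
```

On a real system, call `check_hostkeys` with the path of the sshd_config that the running sshd actually reads.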
Craig Rants
Honored Contributor

Re: ssh question

IPF is actually on the application CD 1, it is product number B9901AA.

C
"In theory, there is no difference between theory and practice. But, in practice, there is. " Jan L.A. van de Snepscheut
John McDen
Regular Advisor

Re: ssh question

Thanks for your help.. I appreciate it... can't get it set up..
New to HP
John McDen
Regular Advisor

Re: ssh question

copied the sshd_config file from the other server and does not give me the error but still does not work..

Thanks
New to HP

Re: ssh question

How do you start the server?
please send also the output from "ps -ef | grep ssh"

As well again, which user, is this a problem of all users?

greetings,
pitu
pitu