Punchcutter Guru
Joined: 11 Feb 2007 Posts: 363
Posted: Sun Sep 11, 2016 7:30 pm Post subject: Help! SSH problems with new install [SOLVED]
[Putting this under networking rather than install subforum because I think it makes more sense]
Help! I just installed a new Gentoo box. There's almost nothing on it yet - fresh install. I want to work on continuing the userland installation from my established laptop, but cannot ssh into the new one. It's definitely talking to the network - I can ssh from the new box to the laptop, but from laptop to new box - no. If I try, I get "connection timed out". I have installed a firewall (shorewall), but it is not running - I've double checked that. Also checked that sshd is running - yes. Maybe the one place where something strange could have happened is in the sshd config, which I have tweaked with my usual settings. But these settings have worked fine for me before.
I wanted to put the sshd configs here for your review, but the only way to do it (I think) is to scp them from the new box to the laptop first. When I tried to do that, the scp appeared to work (like this: scp sshdconf user@laptop:), it asked for my password as usual, but failed to transfer the file, and only printed "Wifi management tool" on the shell as output. WTH?!?!?!?!!!
Last edited by Punchcutter on Wed Sep 14, 2016 6:43 am; edited 1 time in total
Buffoon Veteran
Joined: 17 Jun 2015 Posts: 1369 Location: EU or US
Posted: Sun Sep 11, 2016 7:34 pm Post subject:
Try running the client with the -v switch.
Punchcutter Guru
Joined: 11 Feb 2007 Posts: 363
Posted: Sun Sep 11, 2016 7:41 pm Post subject:
Thanks Buffoon... good idea... I have been doing that to debug the ssh part, but forgot this time.
Well... the scp verbose log looks pretty normal, I think, and of course I can't copy the whole thing here, but it does contain this line, near the bottom:
Quote:
    Transferred: sent 1964, received 2852 bytes, in 0.1 seconds
But! The size of the file I'm trying to transfer is 3685
montik n00b
Joined: 13 Sep 2011 Posts: 5
Posted: Sun Sep 11, 2016 8:48 pm Post subject:
Are the two machines on the same LAN? Have you tried to check if it's a networking problem, e.g. can you ping the other box from the laptop?
Have you tried a default sshd config, just to see if the problem is in your tweaked conf?
Buffoon Veteran
Joined: 17 Jun 2015 Posts: 1369 Location: EU or US
Posted: Sun Sep 11, 2016 9:03 pm Post subject:
The sshd log on the new box will probably tell the story.
Punchcutter Guru
Joined: 11 Feb 2007 Posts: 363
Posted: Sun Sep 11, 2016 10:13 pm Post subject:
OK, I feel silly, but... where do I find the logs for sshd? I've looked in the config file and turned on some stuff, like
Quote:
    SyslogFacility AUTH
    LogLevel DEBUG
restarted, and looked in /var/log/messages and /var/log/syslog, but nothing's coming out there. Also tried LogLevel INFO. Nothin'.
Punchcutter Guru
Joined: 11 Feb 2007 Posts: 363
Posted: Sun Sep 11, 2016 10:22 pm Post subject:
OK, here's the sshd config. I used cat filename | ssh laptop "cat > filename" to move it over.
The parts of this that I fiddled with are the following settings, which I usually use on my boxen:
Quote:
    PasswordAuthentication yes
    PermitEmptyPasswords no
    PermitRootLogin no
The rest should be defaults, I believe.
Quote:
    # $OpenBSD: sshd_config,v 1.98 2016/02/17 05:29:04 djm Exp $
    # This is the sshd server system-wide configuration file. See
    # sshd_config(5) for more information.
    # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
    # The strategy used for options in the default sshd_config shipped with
    # OpenSSH is to specify options with their default value where
    # possible, but leave them commented. Uncommented options override the
    # default value.
    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
    # The default requires explicit activation of protocol 1
    #Protocol 2
    # HostKey for protocol version 1
    #HostKey /etc/ssh/ssh_host_key
    # HostKeys for protocol version 2
    #HostKey /etc/ssh/ssh_host_rsa_key
    #HostKey /etc/ssh/ssh_host_dsa_key
    #HostKey /etc/ssh/ssh_host_ecdsa_key
    #HostKey /etc/ssh/ssh_host_ed25519_key
    # Lifetime and size of ephemeral version 1 server key
    #KeyRegenerationInterval 1h
    #ServerKeyBits 1024
    # Ciphers and keying
    #RekeyLimit default none
    # Logging
    # obsoletes QuietMode and FascistLogging
    SyslogFacility AUTH
    LogLevel INFO
    # Authentication:
    #LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes yes
    #MaxAuthTries 6
    #MaxSessions 10
    #RSAAuthentication yes
    #PubkeyAuthentication yes
    # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
    # but this is overridden so installations will only check .ssh/authorized_keys
    #AuthorizedKeysFile .ssh/authorized_keys
    #AuthorizedPrincipalsFile none
    #AuthorizedKeysCommand none
    #AuthorizedKeysCommandUser nobody
    # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
    #RhostsRSAAuthentication no
    # similar for protocol version 2
    #HostbasedAuthentication no
    # Change to yes if you don't trust ~/.ssh/known_hosts for
    # RhostsRSAAuthentication and HostbasedAuthentication
    #IgnoreUserKnownHosts no
    # Don't read the user's ~/.rhosts and ~/.shosts files
    #IgnoreRhosts yes
    # To disable tunneled clear text passwords, change to no here!
    PasswordAuthentication yes
    PermitEmptyPasswords no
    # Change to no to disable s/key passwords
    #ChallengeResponseAuthentication yes
    # Kerberos options
    #KerberosAuthentication no
    #KerberosOrLocalPasswd yes
    #KerberosTicketCleanup yes
    #KerberosGetAFSToken no
    # GSSAPI options
    #GSSAPIAuthentication no
    #GSSAPICleanupCredentials yes
    # Set this to 'yes' to enable PAM authentication, account processing,
    # and session processing. If this is enabled, PAM authentication will
    # be allowed through the ChallengeResponseAuthentication and
    # PasswordAuthentication. Depending on your PAM configuration,
    # PAM authentication via ChallengeResponseAuthentication may bypass
    # the setting of "PermitRootLogin without-password".
    # If you just want the PAM account and session checks to run without
    # PAM authentication, then enable this but set PasswordAuthentication
    # and ChallengeResponseAuthentication to 'no'.
    UsePAM yes
    #AllowAgentForwarding yes
    #AllowTcpForwarding yes
    #GatewayPorts no
    #X11Forwarding no
    #X11DisplayOffset 10
    #X11UseLocalhost yes
    #PermitTTY yes
    PrintMotd no
    PrintLastLog no
    #TCPKeepAlive yes
    #UseLogin no
    #UsePrivilegeSeparation sandbox
    #PermitUserEnvironment no
    #Compression delayed
    #ClientAliveInterval 0
    #ClientAliveCountMax 3
    #UseDNS no
    #PidFile /run/sshd.pid
    #MaxStartups 10:30:100
    #PermitTunnel no
    #ChrootDirectory none
    #VersionAddendum none
    # no default banner path
    #Banner none
    # override default of no subsystems
    Subsystem sftp /usr/lib64/misc/sftp-server
    # Example of overriding settings on a per-user basis
    #Match User anoncvs
    # X11Forwarding no
    # AllowTcpForwarding no
    # PermitTTY no
    # ForceCommand cvs server
    # Allow client to pass locale environment variables #367017
    AcceptEnv LANG LC_*
Buffoon Veteran
Joined: 17 Jun 2015 Posts: 1369 Location: EU or US
Posted: Sun Sep 11, 2016 11:22 pm Post subject:
It logs to /var/log/messages unless you specify otherwise. You can keep a terminal window open with tail -f /var/log/messages running in it when you attempt remote login.
freke Veteran
Joined: 23 Jan 2003 Posts: 1051 Location: Somewhere in Denmark
Posted: Mon Sep 12, 2016 3:07 pm Post subject:
Punchcutter wrote:
    OK, I feel silly, but... where do I find the logs for sshd? I've looked in the config file and turned on some stuff, like
    Quote:
        SyslogFacility AUTH
        LogLevel DEBUG
    restarted, and looked in /var/log/messages and /var/log/syslog, but nothing's coming out there. Also tried LogLevel INFO. Nothin'.
Stupid question - have you got a logger installed?
Also wgetpaste is a good util for pasting configs, logs etc. from your linux boxes to i.e. bpaste.net.
Punchcutter Guru
Joined: 11 Feb 2007 Posts: 363
Posted: Tue Sep 13, 2016 8:07 am Post subject:
Well, I'm pretty well stumped now. Yes, I have sysklogd installed and added to my default runlevel. But there's nothing in /var/log/messages. I've checked arp -a on the laptop, and arp knows about the new host (MAC addr is correct). It really doesn't look like a network problem, because I can ssh from the new box to the old laptop, just not the other way.
I've got sshd started and added to the default runlevel, but it would SEEM there's nothing listening on port 22, by the way the laptop hangs and connection times out. But it appears there IS something. This is netstat -ln output:
Code:
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address           Foreign Address         State
    tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
    tcp6       0      0 :::22                   :::*                    LISTEN
    udp        0      0 0.0.0.0:68              0.0.0.0:*
    Active UNIX domain sockets (only servers)
    Proto RefCnt Flags       Type       State         I-Node Path
    unix  2      [ ACC ]     SEQPACKET  LISTENING     12871  /run/udev/control
I've tried telnetting in to port 22, but the same timeout thing happens. Is IPv6 interfering with v4 here?? Any more clues about how to proceed with this are much appreciated.
chiefbag Guru
Joined: 01 Oct 2010 Posts: 542 Location: The Kingdom
Posted: Tue Sep 13, 2016 9:08 am Post subject:
You should try the following from your laptop to the ip address of the new machine.
1: What's the output of the following, replacing "ip-of-new-machine" with the actual ip address got from the ifconfig command?
Code:
    telnet ip-of-new-machine </dev/null
2: What's the output of the following, assuming you have a connection?
Code:
    ssh -v root@"ip-of-new-machine"
Most probably your Shorewall is blocking connections if the above fail, so clear down iptables manually.
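The reasoning in the thread so far (a timeout while netstat shows tcp/22 in LISTEN points at the packet filter, not at sshd_config) can be turned into a small triage helper. This is an added example, not code from the thread or from shorewall; the netstat and iptables -S samples are constructed, and the rule check is a heuristic that does not follow jumps into custom chains.

```shell
#!/bin/sh
# Triage "connection timed out" against sshd (added example, not from the
# thread). Inputs are passed as text so the logic can be exercised on
# captured output; on the server you would call it as
#   triage_ssh "$(netstat -ln)" "$(iptables -S INPUT)"
# Rule of thumb: a timeout while tcp/22 is LISTENing means packets never
# reach the socket, so look at the packet filter, not at sshd_config.

# Constructed sample: the listener table shown in the thread.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address   Foreign Address   State
tcp        0      0 0.0.0.0:22      0.0.0.0:*         LISTEN
tcp6       0      0 :::22           :::*              LISTEN
udp        0      0 0.0.0.0:68      0.0.0.0:*'

# Constructed samples of "iptables -S INPUT": a closed policy with no rule
# for tcp/22 (what a half-started firewall can leave behind), the same
# policy with an explicit accept, and a fully open chain.
SAMPLE_RULES_DROP='-P INPUT DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'
SAMPLE_RULES_ALLOW="$SAMPLE_RULES_DROP
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT"
SAMPLE_RULES_OPEN='-P INPUT ACCEPT'

# is_listening PORT NETSTAT_TEXT: succeeds if a tcp socket listens on PORT.
is_listening() {
    printf '%s\n' "$2" | grep -E "^tcp6?[[:space:]].*:$1[[:space:]].*LISTEN" >/dev/null
}

# port_admitted PORT RULES_TEXT: succeeds if the INPUT policy is ACCEPT or a
# rule explicitly accepts PORT. Heuristic only: rule order and jumps into
# custom chains (which shorewall uses) are not followed.
port_admitted() {
    printf '%s\n' "$2" | grep -q '^-P INPUT ACCEPT' && return 0
    printf '%s\n' "$2" | grep -E -- "--dport $1 .*-j ACCEPT" >/dev/null
}

# triage_ssh NETSTAT_TEXT RULES_TEXT: prints one of three verdicts.
triage_ssh() {
    if ! is_listening 22 "$1"; then
        echo "not-listening: start sshd or check Port/ListenAddress"
    elif ! port_admitted 22 "$2"; then
        echo "firewall-drop: packet filter never delivers tcp/22 to sshd"
    else
        echo "reachable: look elsewhere (client side, routing, router ACLs)"
    fi
}
```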
ct85711 Veteran
Joined: 27 Sep 2005 Posts: 1791
Posted: Tue Sep 13, 2016 5:32 pm Post subject:
Quote:
    # Authentication:
    #LoginGraceTime 2m
    PermitRootLogin no
    #StrictModes yes
One thing to keep in mind is that root login is disabled by default, so trying to log in as root will always be denied, unless you change that. It is better if you log in with a regular account and from there su into root...
Quote:
    #Port 22
    #AddressFamily any
    #ListenAddress 0.0.0.0
    #ListenAddress ::
Another thing you may want to do is specify what address to listen to (i.e. the pc's ip address), with the ListenAddress line.
Tony0945 Watchman
Joined: 25 Jul 2006 Posts: 5127 Location: Illinois, USA
Posted: Tue Sep 13, 2016 10:39 pm Post subject:
ct85711 wrote:
    Another thing you may want to do is specify what address to listen to (i.e. the pc's ip address), with the ListenAddress line.
Just checked my own boxes. Not necessary. But check your router log to make sure there is no block there.
Punchcutter Guru
Joined: 11 Feb 2007 Posts: 363
Posted: Wed Sep 14, 2016 6:42 am Post subject:
chiefbag wrote:
    Most probably your Shorewall is blocking connections if the above fail, so clear down iptables manually.
Thanks everyone. This was ultimately the clue that led me to the solution. Although iptables -F didn't actually solve the problem, I sorta knew that it HAD to be that something was blocking the connection, even though I thought shorewall was disabled. It turned out there was this other thing, shorewall-init, that was causing trouble. I think this is something fairly new in the shorewall system, as I saw it first on this install. I didn't realize it was running. I found I could give it a "stop" command, and magically, my ssh started being connected. The end.