Re: [gentoo-user] Odd problem with OpenSSH
On Saturday 16 February 2008, Florian Philipp wrote:

On Fri, 2008-02-15 at 22:54 -0800, Tim Garton wrote:

Try adding a:

LogLevel VERBOSE

or

LogLevel DEBUG

to /etc/ssh/sshd_config and restarting the ssh server, and see if it gives you any more info.

Thanks! That did the trick! Now there was an entry about tcp wrapper denying access in /var/log/messages. Remerging open-ssh with USE=-tcpd solved the problem. I will look into tcpd configuration but I don't think I even need it on that machine.

That's interesting. I honestly thought a tcpd deny would NOT be reported in /var/log/messages as coming from sshd (as shown in your logs). I don't recall that behaviour, maybe something changed since I last looked hard at it.

We learn something new every day it seems.

--
Alan McKinnon
alan dot mckinnon at gmail dot com

--
gentoo-user@lists.gentoo.org mailing list
Re: [gentoo-user] Odd problem with OpenSSH
On 16 Feb 2008, at 17:56, Florian Philipp wrote:

...

Thanks! That did the trick! Now there was an entry about tcp wrapper denying access in /var/log/messages. Remerging open-ssh with USE=-tcpd solved the problem. I will look into tcpd configuration but I don't think I even need it on that machine.

I stumbled across use of tcp wrapper SSH recently - I think another poster here mentioned DenyHosts, and tcp wrapper is needed for this.

http://denyhosts.sourceforge.net/

If I look at my auth logs on 3 different systems I see thousands of failed ssh attempts, so DenyHosts would be quite worthwhile here, I think.

Stroller.
Re: [gentoo-user] Odd problem with OpenSSH
On Friday 15 February 2008, Florian Philipp wrote:

On Fri, 2008-02-15 at 20:59 +0200, Alan McKinnon wrote:

On Friday 15 February 2008, Florian Philipp wrote:

I can use ssh to login from DAU to NOTE but not vice versa. I've played around with several settings before this happened but I'm sure it worked after my last change.

Since you've unmerged everything the above is probably irrelevant to the problem below.

Well, ultimately I've unmerged openssh, keychain and denyhosts on both computers and removed /etc/ssh and .ssh in root's and the users' home directories and then reemerged just openssh.

Did you then run ssh-keygen on both machines?

Ah. You probably shouldn't have done that, unless you know for a fact that YOU screwed the ssh config up beyond all hope of recovery. Usually, you just sit with the same problem anyway, or make it worse by removing the configs that still work.

Having both machines' settings would also allow for diff-ing between them, but it's all irrelevant now.

Yet, the situation didn't change. Here's what's happening:

[EMAIL PROTECTED] ssh -vvv DAU
OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to DAU [192.168.2.4] port 22.
debug1: Connection established.
debug1: identity file /home/dsl/.ssh/identity type -1
debug1: identity file /home/dsl/.ssh/id_rsa type -1
debug1: identity file /home/dsl/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host

As I said above, have you generated new keys? If yes, you could copy public key A to the ~/.ssh/authorized_keys file and do away with the need to enter a password. It's only then that you can turn PasswordAuthentication no.

Hope this helps.

--
Regards,
Mick
Re: [gentoo-user] Odd problem with OpenSSH
On Fri, 2008-02-15 at 22:54 -0800, Tim Garton wrote:

Try adding a:

LogLevel VERBOSE

or

LogLevel DEBUG

to /etc/ssh/sshd_config and restarting the ssh server, and see if it gives you any more info.

Thanks! That did the trick! Now there was an entry about tcp wrapper denying access in /var/log/messages. Remerging open-ssh with USE=-tcpd solved the problem. I will look into tcpd configuration but I don't think I even need it on that machine.
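Added example (not from any post in this thread): the "refused connect from" line quoted in the thread is what libwrap logs under sshd's name when a TCP wrappers rule rejects a client, so this script counts such refusals per source address and lists the hosts.deny rules whose daemon field applies to sshd. The file paths named in the comments and all sample data except the first log line are assumptions made for the example.

```shell
#!/bin/sh
# Triage sshd refusals that come from TCP wrappers (libwrap), not sshd_config.

# Print "source-ip count" for every libwrap refusal logged under sshd.
wrapper_refusals() {    # $1 = syslog file, e.g. /var/log/messages
    sed -n 's/.* sshd\[[0-9]*]: refused connect from .*(\([^)]*\)).*/\1/p' "$1" |
        sort | uniq -c | awk '{ print $2, $1 }'
}

# Print hosts.deny rules whose daemon list (first field) names sshd or ALL.
deny_rules_for_sshd() { # $1 = hosts.deny-style file, e.g. /etc/hosts.deny
    awk -F: '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        {
            n = split($1, d, /[ ,\t]+/)      # daemon list: space or comma separated
            for (i = 1; i <= n; i++)
                if (d[i] == "sshd" || d[i] == "ALL") { print; next }
        }' "$1"
}

# Sample input: the first log line is the one quoted in the thread,
# everything else is constructed for this example.
sample_dir=$(mktemp -d)
cat > "$sample_dir/messages" <<'EOF'
Feb 15 19:20:30 DAU sshd[6269]: refused connect from NOTE.xxx (192.168.2.2)
Feb 15 19:21:02 DAU sshd[6301]: refused connect from NOTE.xxx (192.168.2.2)
Feb 15 19:22:10 DAU sshd[6310]: Accepted publickey for dsl from 192.168.2.7 port 40122 ssh2
Feb 15 19:23:44 DAU sshd[6322]: refused connect from 192.168.2.9 (192.168.2.9)
EOF
cat > "$sample_dir/hosts.deny" <<'EOF'
# constructed example entries
sshd: 192.168.2.2
vsftpd: ALL
ALL: 192.168.2.9
EOF

echo "Refused by TCP wrappers (source count):"
wrapper_refusals "$sample_dir/messages"
echo "hosts.deny rules that apply to sshd:"
deny_rules_for_sshd "$sample_dir/hosts.deny"
```

TCP wrappers consults hosts.allow before hosts.deny, so a matching rule in hosts.allow overrides anything this lists.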
Re: [gentoo-user] Odd problem with OpenSSH
On Friday 15 February 2008, Florian Philipp wrote:

Hi list!

For some time now, there's a very odd situation: There are two computers, DAU and NOTE. I can use ssh to login from DAU to NOTE but not vice versa. I've played around with several settings before this happened but I'm sure it worked after my last change.

Well, ultimately I've unmerged openssh, keychain and denyhosts on both computers and removed /etc/ssh and .ssh in root's and the users' home directories and then reemerged just openssh.

Ah. You probably shouldn't have done that, unless you know for a fact that YOU screwed the ssh config up beyond all hope of recovery. Usually, you just sit with the same problem anyway, or make it worse by removing the configs that still work.

Yet, the situation didn't change. Here's what's happening:

[EMAIL PROTECTED] ssh -vvv DAU
OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to DAU [192.168.2.4] port 22.
debug1: Connection established.
debug1: identity file /home/dsl/.ssh/identity type -1
debug1: identity file /home/dsl/.ssh/id_rsa type -1
debug1: identity file /home/dsl/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host

[EMAIL PROTECTED] tail /var/log/messages
[...]
Feb 15 19:20:30 DAU sshd[6269]: refused connect from NOTE.xxx (192.168.2.2)

It's not a firewall, xinetd, tcpwrappers or denyhost problem :-)

Your connection attempt was received by sshd which denied it. The information you gave is inadequate to answer your question, because I don't know how long a piece of string is.

Post the complete contents of /etc/sshd/sshd_config on DAU and we can probably tell you why though

--
Alan McKinnon
alan dot mckinnon at gmail dot com
Re: [gentoo-user] Odd problem with OpenSSH
On Fri, 2008-02-15 at 20:59 +0200, Alan McKinnon wrote:

On Friday 15 February 2008, Florian Philipp wrote:

Hi list!

For some time now, there's a very odd situation: There are two computers, DAU and NOTE. I can use ssh to login from DAU to NOTE but not vice versa. I've played around with several settings before this happened but I'm sure it worked after my last change.

Well, ultimately I've unmerged openssh, keychain and denyhosts on both computers and removed /etc/ssh and .ssh in root's and the users' home directories and then reemerged just openssh.

Ah. You probably shouldn't have done that, unless you know for a fact that YOU screwed the ssh config up beyond all hope of recovery. Usually, you just sit with the same problem anyway, or make it worse by removing the configs that still work.

Yet, the situation didn't change. Here's what's happening:

[EMAIL PROTECTED] ssh -vvv DAU
OpenSSH_4.7p1-hpn12v19, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to DAU [192.168.2.4] port 22.
debug1: Connection established.
debug1: identity file /home/dsl/.ssh/identity type -1
debug1: identity file /home/dsl/.ssh/id_rsa type -1
debug1: identity file /home/dsl/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host

[EMAIL PROTECTED] tail /var/log/messages
[...]
Feb 15 19:20:30 DAU sshd[6269]: refused connect from NOTE.xxx (192.168.2.2)

It's not a firewall, xinetd, tcpwrappers or denyhost problem :-)

Your connection attempt was received by sshd which denied it. The information you gave is inadequate to answer your question, because I don't know how long a piece of string is.

Post the complete contents of /etc/sshd/sshd_config on DAU and we can probably tell you why though

Thanks so far. Since there wasn't that much customization, trying vanilla settings from the ebuild didn't sound that bad. At least it didn't make it worse ;).

Okay, when I delete every line that's commented out, my sshd-settings read as follows:

Protocol 2
PasswordAuthentication no (changing to yes doesn't change anything)
UsePAM yes (changing to no doesn't change anything)
Subsystem sftp /usr/lib64/misc/sftp-server

Useflags:
X hpn pam tcpd -X509 -chroot -kerberos -ldap -libedit -selinux -skey -smartcard -static
Re: [gentoo-user] Odd problem with OpenSSH
Try adding a: LogLevel VERBOSE or LogLevel DEBUG to /etc/ssh/sshd_config and restarting the ssh server, and see if it gives you any more info.