I have this weird issue that has been bothering me for a while now. My OpenBSD server ran without issues for ages, and has been upgraded regularly to the current version - 7.5.
I can only connect via IP address to my server. And only from some places. And only from some devices. And I can't figure out WTF is going on.

I have the following devices, all configured with keys to log in to my OpenBSD server:

1. MacBook
2. iPhone 15
3. iPhone 13
4. Some Ubuntu server in Oracle Cloud

The MacBook can log in from my home, and from parts of the internet, but only by IP address. It couldn't log in from Poland 2 weeks ago.

Using "Prompt 2" (iOS ssh app) and a key, the iPhone 15 can log in from anywhere, but only by IP address. It *COULD* log in when I was in Poland 2 weeks ago.

Using "Prompt 2" and a key, the iPhone 13 can log in from some places, but not all (it couldn't log in from Poland 2 weeks ago, whereas the iPhone 15 could!), but only by IP address.

The Ubuntu server simply cannot connect, either via IP or DNS name. It also does not have reverse DNS set up.

Both iPhones were on international roaming, on the same T-Mobile plan.

The server does have a DNS name via ddclient, and the DNS name does resolve to the correct IP address.

Question 1: What's causing inbound ssh to only work with the IP address and not the DNS name?

Question 2: Why is it that the iPhone 15 can log in from *anywhere* whereas the iPhone 13 can only log in from *somewhere*??

Question 3: What's stopping the Ubuntu server from connecting at all?

Any ideas? This is driving me nuts. Thank you very much!

### ssh just hangs when I try to log in from the Ubuntu server

```
$ ssh -v user@96.244.118.112
OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 96.244.118.112 [96.244.118.112] port 22.
^C
```

[It just sits here and hangs until I ctrl-C]

### Here's my sshd_config:

```
# grep -v ^# /etc/ssh/sshd_config
PermitRootLogin no
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
Subsystem sftp /usr/libexec/sftp-server
```

### Here is my /etc/pf.conf

```
# cat /etc/pf.conf
ext_if="ix0" # external interface/egress
int_if="ix1"
icmp_types="echoreq"

set reassemble yes
set state-defaults pflow

table <martians> { 0.0.0.0/8 10.0.0.0/8 100.64.0.0/10 \
    127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 \
    192.0.0.0/24 192.0.2.0/24 192.88.99.0/24 \
    192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
    203.0.113.0/24 224.0.0.0/3 255.255.255.255/32 \
    ::/128 ::/96 ::1/128 ::ffff:0:0/96 100::/64 \
    2001:10::/28 2001:2::/48 2001:db8::/32 \
    3ffe::/16 fec0::/10 fc00::/7 }

set block-policy drop
set loginterface egress
set skip on lo

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass in on egress inet6 proto icmp6 all \
    icmp6-type { routeradv neighbrsol neighbradv }
pass in on egress inet6 proto udp \
    from fe80::/10 port dhcpv6-server \
    to fe80::/10 port dhcpv6-client \
    no state

block return in on ! lo0 proto tcp to port 6000:6010

block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>

block all
pass in quick on $ext_if inet proto tcp from any to $ext_if port 22
pass out quick keep state
pass in on $int_if inet
```

```
# pfctl -s rules
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from ! (egress:network) to any nat-to (egress:0) round-robin
pass in on egress inet6 proto ipv6-icmp all icmp6-type routeradv keep state (pflow)
pass in on egress inet6 proto ipv6-icmp all icmp6-type neighbrsol keep state (pflow)
pass in on egress inet6 proto ipv6-icmp all icmp6-type neighbradv keep state (pflow)
pass in on egress inet6 proto udp from fe80::/10 port = 547 to fe80::/10 port = 546 no state
block return in on ! lo0 proto tcp from any to any port 6000:6010
block drop in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block drop all
pass in quick on ix0 inet proto tcp from any to 96.244.118.132 port = 22 flags S/SA keep state (pflow)
pass out quick all flags S/SA
pass in on ix1 inet all flags S/SA keep state (pflow)
```

```
# cat /etc/resolv.conf
nameserver 71.242.0.12 # resolvd: ix0
nameserver 68.237.161.12 # resolvd: ix0
# Generated by dhcpcd
# /etc/resolv.conf.head can replace this line
# /etc/resolv.conf.tail can replace this line
```
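In the ruleset above, pf translates `$ext_if` in `to $ext_if port 22` into a literal address when the ruleset is loaded, which is why `pfctl -s rules` prints one; a rule written as `to ($ext_if)` instead tracks the interface's current address. A first check on a dhcpcd-managed server is therefore whether that literal is still an address on ix0. The script below is an added example, not from the post; its `pfctl -s rules` and `ifconfig ix0` outputs are constructed samples, and on the real server they would be replaced by the commands' actual output.

```shell
#!/bin/sh
# Added example: check whether the literal address pf substituted for "$ext_if"
# in the port-22 pass rule is still an address configured on the interface.
# Both sample outputs below are constructed; on the server, feed in
# "$(pfctl -s rules)" and "$(ifconfig ix0)" instead.

# Constructed sample of "pfctl -s rules", reduced to the ssh rule.
SAMPLE_RULES='pass in quick on ix0 inet proto tcp from any to 96.244.118.132 port = 22 flags S/SA keep state (pflow)'

# Constructed "ifconfig ix0" samples: one where the lease still carries the
# address in the rule, one where dhcpcd has handed out a different one.
SAMPLE_IFCONFIG_SAME='ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 96.244.118.132 netmask 0xfffffc00 broadcast 96.244.119.255'
SAMPLE_IFCONFIG_CHANGED='ix0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 96.244.118.112 netmask 0xfffffc00 broadcast 96.244.119.255'

# Print the destination address of each "pass in" rule to TCP port 22.
ssh_rule_dst() {
    printf '%s\n' "$1" | sed -n 's/^pass in .* to \([0-9.][0-9.]*\) port = 22 .*/\1/p'
}

# Print every IPv4 address in ifconfig output, one per line.
iface_addrs() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*inet \([0-9.][0-9.]*\) .*/\1/p'
}

# Succeed (exit 0) only if the rule's literal address is still on the interface.
rule_matches_iface() {
    dst=$(ssh_rule_dst "$1")
    [ -n "$dst" ] || return 1
    for a in $(iface_addrs "$2"); do
        [ "$a" = "$dst" ] && return 0
    done
    return 1
}

# Demonstration on the constructed samples.
for sample in "$SAMPLE_IFCONFIG_SAME" "$SAMPLE_IFCONFIG_CHANGED"; do
    if rule_matches_iface "$SAMPLE_RULES" "$sample"; then
        echo "ok: rule address $(ssh_rule_dst "$SAMPLE_RULES") is on ix0"
    else
        echo "stale: rule address $(ssh_rule_dst "$SAMPLE_RULES") is not on ix0;" \
             "reload the ruleset or write the rule as to (\$ext_if)"
    fi
done
```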