I am a little lost here; I have seen conflicting claims about where the handshake ends. Are *both* sides receiving the SSH2_MSG_KEXINIT? Can you take packet traces anywhere in between your two endpoints?
I have seen networks include security middleboxes that are a little incompetent --- when the SSH2_MSG_KEXINIT message's size is above some threshold (somewhere between 1 and 1.5 KB) the middlebox aborts the connection, sending TCP RST to both client and server.

Regards,
Mike

From: Salvatore Orlando <[email protected]>
To: [email protected]
Cc: [email protected]
Date: 08/03/2015 07:38 PM
Subject: Re: [Openstack-operators] ssh inside instance

More details about your environment might be useful.
For instance, are you running neutron with the "reference implementation" - or some other plugin/driver?
Is the logical router where the floating IP is attached a distributed router?

Also, if you run tcpdump on the receiving instance, you should probably be able to see the SSH packet coming in. What source address does it have?

Finally - I'm not sure if you already stated this - are you able to ping the instance using its floating IP from another instance?

Salvatore

On 3 August 2015 at 11:08, <[email protected]> wrote:

Yes, I did notice that it isn’t receiving from the line:

debug1: SSH2_MSG_KEXINIT received

I have an internal IP and an external IP (floating IP) attached to the instance. If I make use of the internal IP to ssh itself from the very same node I’m able to do it but External IP isn’t working. I am able to ssh to the same machine with the floating IP outside Openstack but internally it doesn’t seem to work.

My goal here is to ssh within an instance using the floating IP.

Thank you,
Aishwarya

From: Salvatore Orlando [mailto:[email protected]]
Sent: Friday, July 31, 2015 5:56 PM
To: Adyanthaya, Aishwarya
Cc: [email protected]; [email protected]
Subject: Re: [Openstack-operators] ssh inside instance

Why are you focusing on authentication issues when it seems you have either a sshd config issue or a connectivity problem?
Indeed your ssh handshake is stopping quite early - see below:

debug1: Connecting to 192.168.1.250 [192.168.1.250] port 22.
debug1: Connection established.
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH_5* compat 0x0c000000
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-sha1 none
debug1: kex: client->server aes128-ctr hmac-sha1 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<7680<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: <MEH>
debug1: Host '192.168.1.250' is known and matches the RSA host key.
debug1: Found key in /home/salvatore/.ssh/known_hosts:21
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/salvatore/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive

Your instance seems to not be receiving back SSH2_MSG_KEXINIT.

Note: this question is more suitable for ask.openstack.org than for this ML imho.

Salvatore

On 30 July 2015 at 10:14, <[email protected]> wrote:

Hi Neil,

I did the same as you have suggested. I have created an instance A and generated a private_key, giving it 600 permission. Using the key I launched the instance B but when I ssh from the instance A after a while it reads:

Read from socket failed: Connection timed out

I even tried with ssh -v hostname to test on one the machine outside openstack and the instance.
root@new:/home/ubuntu# ssh -v new
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to new [10.x.x.x] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: match: OpenSSH_6.6.1p1 Ubuntu-2ubuntu2 pat OpenSSH_6.6.1* compat 0x04000000
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection timed out

So this is what I’m getting again.

Thank you,
Aishwarya

From: Neil Jerram [mailto:[email protected]]
Sent: Thursday, July 30, 2015 1:38 PM
To: Adyanthaya, Aishwarya; [email protected]
Subject: Re: [Openstack-operators] ssh inside instance

Hi Aishwarya,

The basic requirement here is that anyone - which really means a combination of a computer or instance, plus a user on that computer/instance - needs to have the private key that matches the public key that is installed on the target instance.

You've asked about logging in from your first instance - let's call it A - so you need to save the private key in a file on A - let's call it private_key - and give it 600 permissions:

chmod 600 private_key

Then you can use this key with SSH like this:

ssh -i private_key USER@OTHER-INSTANCE

Hope that helps.
Regards,
Neil

From: [email protected]
Sent: Thursday, 30 July 2015 05:24
To: [email protected]
Subject: [Openstack-operators] ssh inside instance

Hi,

I’ve launched two instances from my openstack dashboard. Firstly I created instance one, where I generated a key through the ssh-keygen command, pasting the public key contents to import key in the access and security. Using this key I launched second instance. I want to be able to ssh the second instance from my first instance. Could someone tell me how to work it out?

Thank you,
Aishwarya Adyanthaya

_______________________________________________
OpenStack-operators mailing list
[email protected]
http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-operators
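
The distinction drawn in this thread, between a log that stops at "SSH2_MSG_KEXINIT sent" (a transport problem) and one that reaches authentication, can be checked mechanically. The following is an added example, not part of the original messages; the stage and category names are hypothetical, and the two sample logs are abridged from the ones quoted in the thread.

```python
# (stage, debug1 marker as seen in the thread's logs, category if the log stops
# here). Stage and category names are hypothetical, chosen for this example.
STAGES = [
    ("tcp_connected", "Connection established", "no_ssh_banner"),
    ("banner_exchanged", "Remote protocol version", "stalled_before_kex"),
    ("kexinit_sent", "SSH2_MSG_KEXINIT sent", "server_kexinit_not_received"),
    ("kexinit_received", "SSH2_MSG_KEXINIT received", "key_exchange_incomplete"),
    ("newkeys_received", "SSH2_MSG_NEWKEYS received", "service_request_incomplete"),
    ("auth_started", "Authentications that can continue", "authentication"),
]

def diagnose(log_text):
    """Report the furthest handshake stage in `ssh -v` output and any error line."""
    reached, error = -1, None
    for line in map(str.strip, log_text.splitlines()):
        if line.startswith("debug1:"):
            for i, (_, marker, _) in enumerate(STAGES):
                if marker in line:
                    reached = max(reached, i)
        elif line and not line.startswith("OpenSSH_"):
            error = line  # non-debug, non-version line, e.g. a socket error
    if reached < 0:
        return {"stage": None, "category": "no_tcp_connection", "error": error}
    stage, _, category = STAGES[reached]
    return {"stage": stage, "category": category, "error": error}

# Sample input: abridged from the two logs quoted in the thread.
FAILING = """\
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Connecting to new [10.x.x.x] port 22.
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection timed out
"""
WORKING = """\
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: SSH2_MSG_NEWKEYS received
debug1: Authentications that can continue: publickey,keyboard-interactive
"""

if __name__ == "__main__":
    for name, log in (("failing", FAILING), ("working", WORKING)):
        print(name, diagnose(log))
```

A result of "server_kexinit_not_received" means TCP and the version banner got through but the server's KEXINIT did not, which is the case where packet traces on both ends are the next step rather than key or permission changes.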
