Re: SSH: remote login returns "invalid user"
I've been on holiday, so that's why I didn't reply earlier.

On 13/09/10 04:11, brownh wrote:
> Allan, thanks for the input. I'm about to change my location, and will not be in a position to take any corrective action, but your points I'll keep in mind when I return.
>
> Alan Chandler writes:
>
>> I can give my domain an ip-address, and I can also give subdomains
>> such as www.hartley-consultants.com and mail.hartley-consultants.com
>
> An ability to assign an IP address was news to me. Tomorrow I'll be in touch with my web hosting service and will ask them about it. They are Linux-friendly, but my ISP is a hopeless case.
>
>> If you look up these two names with any one of several commands - such as...
>>
>> host www.hartley-consultants.com and
>>
>> host mail.harlley-consultants.com
>
> I get the point, but for ssh the target is not a mail account or web site, but a host. If you could assign an IP to chandlerfamily.org.uk it would seem to solve the problem. In other words, how does a nameserver know to send income u...@domain to a mail server rather than web server?

The "nameserver" for chandlerfamily.org.uk is defined in the registrar for the "org.uk" domain. That name server is at the registrar at which I bought my domain name, and they provide a web based interface to alter the details. The adding of those entries at the org.uk server and the hosting of my nameserver records at the nameserver of my registrar is what I pay for when I "rented" the domain name for two years.

All these names I refer to above point to hosts. If they have the right server software running (mail, web, ssh daemon) then that software picks up the request. These services have ports associated with them (25 for mail, 80 for web, 22 for ssh etc). Mail is a slightly special case - see below.

>> if I ssh to mail.hartley-consultants.com I should get to where my
>> mail is sent.
>
> When you say, "where my mail is sent", it seems you mean the local host.

NO. There is a special record (called an MX record) which says which machine serves mail for the domain. In my case the MX record for hartley-consultants points to a machine which is home.chandlerfamily.org.uk.

When you want to send mail to x...@hartley-consultants.com, your mail server looks up the MX record for hartley-consultants (actually there could be several, a primary and backups, called secondary) and sends it to port 25 on the machine pointed to. Mail only works if that machine reads mail, knows it is serving mail for the hartley-consultants.com domain and responds appropriately. That is how one domain gets to serve the mail for another.

[It is also incidentally how many spammers get mail sent - some badly configured mail servers don't reject mail for domains they don't know, but instead just forward it on]

>> Inside my home network I have a number of machines on a lan. I have
>> happened to have chosen not to call those some subdomain of
>> chandlerfamily.org.uk (although at one point in the past I have done
>> it that way, and called one of my machines
>> kanga.chandlerfamily.org.uk, and gave it an ip-address 192.168.0.12).
>
> Not sure I follow. Don't all hosts on your LAN have to have a local domain name such as kanga? On your LAN, don't all your hosts have their own local address, such as 192.168.1.1, 192.168.1.2, etc.?

They do - but in my case they are called xxx.home so I have kanga.home, pooh.home, piglet.home etc etc and they have ip addresses 192.168.0.1, 192.168.0.2 etc etc. I have a private dns server within my LAN serving up those ip addresses for the name requests.

HOWEVER, I could just as easily have called them kanga.chandlerfamily.org.uk, pooh.chandlerfamily.org.uk etc etc and used my public dns server (the one at my registrar) to serve up those ip addresses for the names. In fact at some point in the past I did exactly that and the example below is using that configuration.

>> The problem comes when you want to make INCOMING connections to
>> kanga.chandlerfamily.org.uk. The program trying to make that
>> connection looks it up and gets 192.168.0.12 and it doesn't know where
>> to send this to (it's unroutable). Instead, I would ssh to
>> home.chandlerfamily.org.uk and (if it was a router rather than the
>> linux box that it is) I would forward the port to 192.168.0.12 - this
>> is known as reverse NAT. But I can only set the router to do it to
>> one of my machines per port. In this case I would use port 22 and
>> forward it on.
>
> I'll think about this. If the incoming signal comes to your router, the router sends it to the LAN (192.168.0.0) and the kanga host picks it up. I suppose you are attacking the port to your ssh command. That is, are you forcing delivery to the usual ssh port of 22?

Not quite. The router is configured to forward all messages on port 22 to port 22 of a specific machine on your lan (not the lan as a whole as you imply). In my case that would be the kanga. [At least that would be true when I had a router and several machines behind it. Th
Re: SSH: remote login returns "invalid user"
Allan, thanks for the input. I'm about to change my location, and will not be in a position to take any corrective action, but your points I'll keep in mind when I return.

Alan Chandler writes:

> I can give my domain an ip-address, and I can also give subdomains
> such as www.hartley-consultants.com and mail.hartley-consultants.com

An ability to assign an IP address was news to me. Tomorrow I'll be in touch with my web hosting service and will ask them about it. They are Linux-friendly, but my ISP is a hopeless case.

> If you look up these two names with any one of several commands - such as...
>
> host www.hartley-consultants.com and
>
> host mail.harlley-consultants.com

I get the point, but for ssh the target is not a mail account or web site, but a host. If you could assign an IP to chandlerfamily.org.uk it would seem to solve the problem. In other words, how does a nameserver know to send income u...@domain to a mail server rather than web server?

> if I ssh to mail.hartley-consultants.com I should get to where my
> mail is sent.

When you say, "where my mail is sent", it seems you mean the local host.

> Inside my home network I have a number of machines on a lan. I have
> happened to have chosen not to call those some subdomain of
> chandlerfamily.org.uk (although at one point in the past I have done
> it that way, and called one of my machines
> kanga.chandlerfamily.org.uk, and gave it an ip-address 192.168.0.12).

Not sure I follow. Don't all hosts on your LAN have to have a local domain name such as kanga? On your LAN, don't all your hosts have their own local address, such as 192.168.1.1, 192.168.1.2, etc.?

> The problem comes when you want to make INCOMING connections to
> kanga.chandlerfamily.org.uk. The program trying to make that
> connection looks it up and gets 192.168.0.12 and it doesn't know where
> to send this to (it's unroutable). Instead, I would ssh to
> home.chandlerfamily.org.uk and (if it was a router rather than the
> linux box that it is) I would forward the port to 192.168.0.12 - this
> is known as reverse NAT. But I can only set the router to do it to
> one of my machines per port. In this case I would use port 22 and
> forward it on.

I'll think about this. If the incoming signal comes to your router, the router sends it to the LAN (192.168.0.0) and the kanga host picks it up. I suppose you are attacking the port to your ssh command. That is, are you forcing delivery to the usual ssh port of 22?

Thanks for your input.

Haines Brown

--
To UNSUBSCRIBE, email to debian-user-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/87d3si9w3a@teufel.historicalmaterialism.info
Re: SSH: remote login returns "invalid user"
On 12/09/10 02:49, brownh wrote:
> All this is new to me, and I'll not be able to implement anything like that before I must shortly leave. But the whole situation strikes me as odd. Surely innumerable people rely on a web hosting service to provide email services as well, and yet it would seem none of them can use ssh to access a home or office machine remotely without going through extraordinary gymnastics regarding their IP address. An obvious step would be for me to find out what my hosting service has to say. If I get a simple answer, I'll report it back to this thread.

It may be too late now, but it seems to me you are missing some basics.

I "own" the domain name hartley-consultants.com and I can control it from a control panel on my domain registrar's site. You presumably own "historicalMaterialism.info" in a similar fashion.

I can give my domain an ip-address, and I can also give subdomains such as www.hartley-consultants.com and mail.hartley-consultants.com

If you look up these two names with any one of several commands - such as...

host www.hartley-consultants.com and

host mail.harlley-consultants.com

you will see they have completely different ip addresses. So I could ssh to www.hartley-consultants.com and arrive at one machine or ssh to mail.hartley-consultants.com and arrive at another. This seems to be one of the fundamental issues that you are puzzling over.

If I ssh to www.hartley-consultants.com I know I will get to where my web server is, if I ssh to mail.hartley-consultants.com I should get to where my mail is sent.

Funnily, as it happens mail.hartley-consultants.com is wrong - I sit on my ISP in a dynamic block and every so often he gives me a new IP address (normally I am running 24/7 and the ip address doesn't change at all, but every so often, either I screw up my end and ask for a new address (normal rebooting just gets the same one over and over again), or he re-arranges things and it changes).

But it is funny also because I also happen to want to tell hartley-consultants.com to send mail to this address, and until now I hadn't noticed it was wrong, because I am actually sending my mail request to another one of my domains chandlerfamily.org.uk and it's all been handled fine (ie I have a registrar entry that says that mail for hartley-consultants is being handled by home.chandlerfamily.org.uk). This is how your mail to your domain can end up at your ISP's mail server - which I think is what you implied.

Inside my home network I have a number of machines on a lan. I have happened to have chosen not to call those some subdomain of chandlerfamily.org.uk (although at one point in the past I have done it that way, and called one of my machines kanga.chandlerfamily.org.uk, and gave it an ip-address 192.168.0.12).

Now, as has been mentioned above, NAT is a technique to allow a single ip address to support several machines to make OUTGOING connections. So kanga.chandlerfamily.org.uk can make outgoing connections through my router. The router does this by remaking the connection to come from itself (with the external ip address - in my case home.chandlerfamily.org.uk) and remembers where the reply has to go - ie back to 192.168.0.12.

The problem comes when you want to make INCOMING connections to kanga.chandlerfamily.org.uk. The program trying to make that connection looks it up and gets 192.168.0.12 and it doesn't know where to send this to (it's unroutable). Instead, I would ssh to home.chandlerfamily.org.uk and (if it was a router rather than the linux box that it is) I would forward the port to 192.168.0.12 - this is known as reverse NAT. But I can only set the router to do it to one of my machines per port. In this case I would use port 22 and forward it on.

If you have those basics I hope you can figure out what to do. I am going to be out of touch from the internet for a while, so I won't be able to follow up, but I am sure others can help you further with this base.

--
Alan Chandler
http://www.chandlerfamily.org.uk

Archive: http://lists.debian.org/4c8d2b06.8080...@chandlerfamily.org.uk
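The outgoing-NAT and "reverse NAT" behaviour described in the message above, as an added example that is not part of the original thread: a toy router model in Python. The public address 203.0.113.7, the remote address, the port numbers and the pooh address are constructed for illustration, and the alternate-port rule at the end goes one step beyond the message to show the consequence of "one machine per port".

```python
"""Toy model of a home NAT router: outgoing translation vs. inbound port forwarding."""
import ipaddress
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class NatRouter:
    public_ip: str
    # public_port -> (lan_ip, lan_port, remote_ip, remote_port); created by OUTGOING traffic
    conntrack: dict = field(default_factory=dict)
    # public_port -> (lan_ip, lan_port); static forwarding rules set by the administrator
    forwards: dict = field(default_factory=dict)
    _next_port: int = 40000

    def outbound(self, pkt):
        """Rewrite a LAN packet to come from the router and remember where replies go."""
        public_port = self._next_port
        self._next_port += 1
        self.conntrack[public_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, public_port, pkt.dst_ip, pkt.dst_port)

    def add_forward(self, public_port, lan_ip, lan_port):
        """Forward one public port to exactly one LAN machine."""
        if public_port in self.forwards:
            owner = self.forwards[public_port][0]
            raise ValueError(f"port {public_port} is already forwarded to {owner}")
        self.forwards[public_port] = (lan_ip, lan_port)

    def inbound(self, pkt):
        """Return the packet as delivered on the LAN, or None if the router drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        state = self.conntrack.get(pkt.dst_port)
        if state and (pkt.src_ip, pkt.src_port) == state[2:]:
            return Packet(pkt.src_ip, pkt.src_port, state[0], state[1])  # reply to LAN host
        rule = self.forwards.get(pkt.dst_port)
        if rule:
            return Packet(pkt.src_ip, pkt.src_port, rule[0], rule[1])    # forwarded connection
        return None                                                       # nobody to hand it to


def lan_only(ip):
    """True for private addresses such as 192.168.0.12, which outside hosts cannot route to."""
    return ipaddress.ip_address(ip).is_private


def demo():
    router = NatRouter(public_ip="203.0.113.7")       # constructed public address
    kanga, pooh = "192.168.0.12", "192.168.0.2"       # pooh's address is constructed
    remote = "198.51.100.20"                          # constructed outside host
    results = {}

    # 1. Outgoing: kanga connects out, and the reply is mapped back to it.
    out = router.outbound(Packet(kanga, 51000, remote, 22))
    reply = router.inbound(Packet(remote, 22, out.src_ip, out.src_port))
    results["reply_delivered_to"] = reply.dst_ip

    # 2. Incoming ssh with no rule: the router has no idea which LAN host is meant.
    syn = Packet(remote, 52000, router.public_ip, 22)
    results["unsolicited_without_rule"] = router.inbound(syn)

    # 3. Port 22 forwarded to kanga: the same packet is now delivered.
    router.add_forward(22, kanga, 22)
    results["unsolicited_with_rule"] = router.inbound(syn).dst_ip

    # 4. A second machine cannot share public port 22 ...
    try:
        router.add_forward(22, pooh, 22)
        results["second_forward"] = "accepted"
    except ValueError:
        results["second_forward"] = "refused"

    # ... but it can be reached through a different public port.
    router.add_forward(2222, pooh, 22)
    results["alt_port"] = router.inbound(Packet(remote, 52001, router.public_ip, 2222)).dst_ip
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Once the forwarding rule exists, the sshd on kanga answers connections from any outside address, which is where the thread's advice about using SSH keys and not logging in as root applies.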
Re: SSH: remote login returns "invalid user"
on Sun, 12 Sep 2010 00:08:07 -0400, brownh
<87hbhva9js@teufel.historicalmaterialism.info> attacked their terminal with

+Morgan Gangwere <0.fracta...@gmail.com> writes:
+
+> on Sat, 11 Sep 2010 15:38:04 -0400, brownh
+> <871v90ax5v@teufel.historicalmaterialism.info> attacked their
+> terminal with [snip]
+>
+> Random Blithering Curiosity... Is the gateway a NAPT?
+
+NAT loopback is not enabled on my router. Not sure this answers your
+question.

NAT Loopback means that if the outside IP is requested, it acts like it's coming from the outside, not the inside.

+> Checking the following fixed my problems:
+>
+> 1) don't ssh as root unless you /have/ to.
+> 2) Check that your NA(P)T allows port 22 on TCP *and* UDP, incoming and
+> outgoing.
+> 3) try using an SSH key. This occasionally fixes things.
+
+I don't ssh as root; NAT is disabled in my router. As for SSH key,
+I'll give that a try, but too little time before I fly out of here.

See below...

+> I have a Lenny box sitting on my desk that I SSH to all the time
+> with the default configuration. Nothing special, just the default
+> OpenSSH-server configuration.
+
+Good to know. I've mailed a query to the ssh list.
+
+> For those who were confused:
+> The setup as it looks like to me is this:
+>
+> (Internets)[Gateway/router]--,---[server]
+>                              `--[laptop]
+> this configuration /works/.
+> [laptop]---(??)--(internets)--[gateway]---[server]
+> This does not.
+
+Now I am confused ;-(. What I'm trying to do is:
+
+ laptop client -> internet/nameserver -> router -> server on LAN
+
+Your first line looks like what I have now; the second line looks like
+where I'm trying to get.

that's what I was aiming for.

+The first problem sounds like it would involve my router, but I've
+enabled ssh services in it. I don't know if I should enable NAT (my
+rough impression is that NAT is best avoided). I should think my name
+server would be able to use port info to send signals to the right
+place, but I know nothing about it this "translation".

That generally implies that your router has some form of SSH on it.

NAT is useful if you have one outside (public) IP and many inside (private) IPs, which is what it sounds like you have. For example, my router NATs pretty heavily. It has one external IP owned by my ISP, and it NATs for many Internal IPs on a 10.13.37.0/24 IP range. Yes, I went there.

What I'd do for the moment is make sure the appropriate /port/ is forwarded at least. I'd refer to portforward.com's big list of routers and see if they have any suggestions. Their instructions are generally pretty clear.

IF after following basic instructions you can't get it, I BLAME YOUR ISP RAAAWR.

--
Morgan Gangwere
Key ID A8B6F243, available from MIT.
BOFH excuse #5: static from plastic slide rules
Re: SSH: remote login returns "invalid user"
Morgan Gangwere <0.fracta...@gmail.com> writes:

> on Sat, 11 Sep 2010 15:38:04 -0400, brownh
> <871v90ax5v@teufel.historicalmaterialism.info> attacked their
> terminal with [snip]
>
> Random Blithering Curiosity... Is the gateway a NAPT?

NAT loopback is not enabled on my router. Not sure this answers your question.

> I had this problem for a while where I would be fine on the inside, then as
> soon as I went to the outside, I'd get the same problem you're experiencing.

My googling suggests a lot of people have the problem, but the reasons seem different.

> Checking the following fixed my problems:
>
> 1) don't ssh as root unless you /have/ to.
> 2) Check that your NA(P)T allows port 22 on TCP *and* UDP, incoming and
> outgoing.
> 3) try using an SSH key. This occasionally fixes things.

I don't ssh as root; NAT is disabled in my router. As for SSH key, I'll give that a try, but too little time before I fly out of here.

> I have a Lenny box sitting on my desk that I SSH to all the time
> with the default configuration. Nothing special, just the default
> OpenSSH-server configuration.

Good to know. I've mailed a query to the ssh list.

> For those who were confused:
> The setup as it looks like to me is this:
>
> (Internets)[Gateway/router]--,---[server]
>                              `--[laptop]
> this configuration /works/.
> [laptop]---(??)--(internets)--[gateway]---[server]
> This does not.

Now I am confused ;-(. What I'm trying to do is:

 laptop client -> internet/nameserver -> router -> server on LAN

Your first line looks like what I have now; the second line looks like where I'm trying to get.

> This leads me to beg that there is either a configuration issue that
> says "Don't let anyone who's not on my local network talk to me" or a
> configuration issue with port translation.

The first problem sounds like it would involve my router, but I've enabled ssh services in it. I don't know if I should enable NAT (my rough impression is that NAT is best avoided). I should think my name server would be able to use port info to send signals to the right place, but I know nothing about it this "translation".

Haines Brown

--
Archive: http://lists.debian.org/87hbhva9js@teufel.historicalmaterialism.info
Re: SSH: remote login returns "invalid user"
David Jardine writes:

> I'm afraid I've forgotten - or didn't read - earlier details. Have
> you got a public IP address?

My router does. It seems it has a dynamic address assigned to it by my ISP. I guess this is what you mean by a public IP address.

> Can you ping the domain name from outside your network - from an
> Internet cafe or a friend's machine? Have you set up a web server?
> Can you access that from outside? Does your IP address point to
> your ISP's server or to yours?

No way to get readily to an internet cafe or friend's machine, but I find that when I try from my machines on my local router, I get:

    PING historicalmaterialism.info (216.239.138.216) 56(84) bytes of data.
    From ge-0.fw-1.torrance.omnis.com (216.239.131.9) icmp_seq=1 Destination Port Unreachable

This is the first time I've had this happen. Perhaps my problem would be resolved if I assigned the standard SSH port number (22), but when I try to append ::22, the address cannot be resolved.

I have not set up a web server, but only have a web hosting account other than with my ISP. I can ftp to this account.

The IP address of my router is assigned by my ISP's server.

Haines Brown

--
Archive: http://lists.debian.org/87lj77aa5l@teufel.historicalmaterialism.info
Re: SSH: remote login returns "invalid user"
On 9/11/2010 9:49 PM, brownh wrote:
> David Jardine writes:
>
>>>> Connection closed by 216.239.138.216
>>
>> Haines, I have the feeling you've got this all wrong. Your site is
>> being hosted and any connection to it goes to the webhoster's site.
>> All your local hosts are unconnected to this site. You are trying
>> to log into your site on the webhoster's server.
>
> What you say makes sense. The IP address turns out to be my web hosting service's name server. Apparently SSH first reaches this DNS to convert the domain to an IP address.
>
>> If you want to log into hosts on your local LAN, you need a dynamic
>> DNS service (dyndns.com is the best known), which associates an IP
>> address with your domain name while you are online. Or upload all
>> your files to the webhoster's server and make sure he allows you
>> ssh access.
>
> All this is new to me, and I'll not be able to implement anything like that before I must shortly leave. But the whole situation strikes me as odd. Surely innumerable people rely on a web hosting service to provide email services as well, and yet it would seem none of them can use ssh to access a home or office machine remotely without going through extraordinary gymnastics regarding their IP address. An obvious step would be for me to find out what my hosting service has to say. If I get a simple answer, I'll report it back to this thread.
>
> Thanks.
>
> Haines

I do it regularly. But my LAN has nothing to do with my server - they are two entirely different things.

I have a VPN set up to access my internal lan; it is handled through a dynamic DNS as David said. Now you may not need a VPN (I have it set up for other reasons, not just SSH), but your internal LAN has nothing to do with your server - and needs to be handled that way.

--
Archive: http://lists.debian.org/4c8c3d57.9090...@attglobal.net
Re: SSH: remote login returns "invalid user"
David Jardine writes:

>> > Connection closed by 216.239.138.216
>
> Haines, I have the feeling you've got this all wrong. Your site is
> being hosted and any connection to it goes to the webhoster's site.
> All your local hosts are unconnected to this site. You are trying
> to log into your site on the webhoster's server.

What you say makes sense. The IP address turns out to be my web hosting service's name server. Apparently SSH first reaches this DNS to convert the domain to an IP address.

> If you want to log into hosts on your local LAN, you need a dynamic
> DNS service (dyndns.com is the best known), which associates an IP
> address with your domain name while you are online. Or upload all
> your files to the webhoster's server and make sure he allows you
> ssh access.

All this is new to me, and I'll not be able to implement anything like that before I must shortly leave. But the whole situation strikes me as odd. Surely innumerable people rely on a web hosting service to provide email services as well, and yet it would seem none of them can use ssh to access a home or office machine remotely without going through extraordinary gymnastics regarding their IP address. An obvious step would be for me to find out what my hosting service has to say. If I get a simple answer, I'll report it back to this thread.

Thanks.

Haines

--
Archive: http://lists.debian.org/87pqwjafyg@teufel.historicalmaterialism.info
Re: SSH: remote login returns "invalid user"
> > Connection closed by 216.239.138.216

Haines, I have the feeling you've got this all wrong. Your site is being hosted and any connection to it goes to the webhoster's site. All your local hosts are unconnected to this site. You are trying to log into your site on the webhoster's server.

If you want to log into hosts on your local LAN, you need a dynamic DNS service (dyndns.com is the best known), which associates an IP address with your domain name while you are online. Or upload all your files to the webhoster's server and make sure he allows you ssh access.

Cheers,
David

--
Archive: http://lists.debian.org/20100911223410.ga2...@gennes.augarten
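One way to confirm the diagnosis in the message above before retyping passwords, as an added example that is not part of the original thread: read the peer address out of the `ssh -v` output and compare it with the address the home router actually has on the Internet. The sample log is constructed (its hostname and peer address are the ones quoted in the thread), the router address 203.0.113.7 is a placeholder, and the function names are hypothetical.

```python
"""Which machine did ssh really reach? Compare the peer in `ssh -v` output with the home router."""
import ipaddress
import re

# Constructed excerpt. The "Connecting to" line follows OpenSSH's usual debug format;
# the remaining lines are of the kind quoted in the thread.
SAMPLE_LOG = """\
debug1: Connecting to historicalmaterialism.info [216.239.138.216] port 22.
debug1: Next authentication method: password
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
Connection closed by 216.239.138.216
"""

CONNECT_RE = re.compile(
    r"^debug1: Connecting to (\S+) \[([0-9a-fA-F:.]+)\] port (\d+)\.", re.MULTILINE
)
CLOSED_RE = re.compile(r"^Connection closed by ([0-9a-fA-F:.]+)", re.MULTILINE)


def peer_from_log(log):
    """Return (hostname, peer_ip, port) from ssh debug output, or None if no peer is visible."""
    match = CONNECT_RE.search(log)
    if match:
        return match.group(1), match.group(2), int(match.group(3))
    match = CLOSED_RE.search(log)          # non-verbose output still names the peer
    if match:
        return None, match.group(1), None
    return None


def diagnose(peer_ip, home_public_ip):
    """Classify the address ssh connected to, relative to the home router's public address."""
    peer = ipaddress.ip_address(peer_ip)
    if peer == ipaddress.ip_address(home_public_ip):
        return "home-router"       # name is right; look at port forwarding and sshd next
    if peer.is_private:
        return "private-address"   # name resolves to a LAN address, unreachable from outside
    return "wrong-host"            # some other machine, e.g. the web host, rejected the login


def check(log, home_public_ip):
    """Combine both steps into one report."""
    peer = peer_from_log(log)
    if peer is None:
        return {"peer": None, "verdict": "no-peer-in-log"}
    return {"host": peer[0], "peer": peer[1], "verdict": diagnose(peer[1], home_public_ip)}


if __name__ == "__main__":
    # 203.0.113.7 stands in for the address shown on the router's status page.
    print(check(SAMPLE_LOG, "203.0.113.7"))
```

A `wrong-host` verdict means the password prompts were answered by a machine that has no such account, which matches the "Permission denied" and "Connection closed" lines reported in the thread.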
Re: SSH: remote login returns "invalid user"
brownh wrote:
>At present, I have three or four hosts on a LAN, and I can ssh from
>each one to the others. The problem arises because of what I want to
>do in the immediate future. One of the hosts on the LAN is a laptop,
>and I'll be taking it into the field and would like to ssh from it via
>Internet using someone else's access provider. Simply, I want to
>access files on the machine left running at home on the LAN from a
>laptop I take into the field. I assumed that a test of this would be
>to ssh from one machine on my LAN to another on the LAN via Internet
>by providing an address to ssh in the form $ ssh acco...@domain.

This sounds sensible, you just have to make sure that this is the right host.

>These machines all have the domain name historicalMaterialism.info
>(although I have other domains I could use as well). Each machine has
>its own local domain name. For example, my current machine has an
>account brownh on teufel.historicalMaterialism.info. My laptop has an
>account brownh on langhans.historicalMaterialism.info. The machine
>I've used to illustrate my problem has an account haines on
>eng...@historicalmaterialism.info. (You are too young to know who
>Fritz Teufel and Rainer Langhans were).

I *think* I’ve heard of them before and “Historical Materialism” is definitely a household name to me :)

>I've been trying to ssh via Internet from the client account brownh on
>teufel.historicalMaterialialism.info to the server account haines on
>engels.historicalMaterialism.info. What I don't understand is why my
>router, which has SSH service enabled, does not simply redirect a ssh
>request from one machine on the LAN to another machine having the same
>domain name directly rather than send it off to my provider. Maybe
>I've invented my problem by using an impossible situation as my test
>case.

I don’t know your router and thus cannot comment on this.

>> Also:
>>
>>> $ ssh -vv hai...@historicalmaterialism.info
>>
>> You tell ssh to log in as user haines on the host
>> historicalmaterialism.info here.
>
>Yes I do in the sense that user brownh on one machine seeks to ssh to
>account haines on another. Is that incorrect?

No, that is correct.

>When I try to log in,
>I'm given the prompt: "hai...@historicalmaterialism.info's password:",
>and so I type in the password for the haines account on that other
>(server) machine.

I wonder why you get @historicalmaterialism.info. I would have assumed that, after your router forwarded the connection to your specific host it would be @engels.historicalmaterialism.info or something.

>>> ...
>>> debug1: Next authentication method: password
>>> eng...@historicalmaterialism.info's password:
>>
>> But here, your username is suddenly engels – why?
>
>I can't reproduce this (result of an experiment?). What I get is:
>
> debug1: Next authentication method: password
> hai...@historicalmaterialism.info's password:
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> Permission denied, please try again.
> hai...@historicalmaterialism.info's password:
> debug2: we sent a password packet, wait for reply
> Connection closed by 216.239.138.216

Do you use NAT or something similar in your network?

>Interesting. This IP address is one owned by my Internet provider. So
>my ssh request did enter the Internet, answering one of my
>concerns. Although my provider closed the connection (timed out or too
>many password attempts?), I assume that the issue of the specific
>password is solely the concern of the two hosts being connected and
>does not involve either my router or access provider.

I don’t know. This *somehow* looks as if you are trying to connect to the host historicalmaterialism.info, which just doesn’t sound right if you don’t have a host of that name.

Best regards,

Claudius Hubig

--
"It's not just a computer -- it's your ass."
-- Cal Keegan
http://chubig.net/

Archive: http://lists.debian.org/i6gtlv$ml...@dough.gmane.org
Re: SSH: remote login returns "invalid user"
Wow, I certainly managed to be obscure! I tried to help David out a bit, and here respond to your uncertainty.

Claudius Hubig writes:

> I’m sorry I have to ask again. You are trying to connect to a host
> "historicalmaterialism.info" and login as user "haines"? Why and how
> do you differentiate between client hosts and server hosts and most
> importantly
>
>>the client user account (bro...@historicalmaterialism.info)
>>to client user account (hai...@historicalmaterialism.info)
>
> that mean? Are you trying to connect to "historicalmaterialism.info"
> from that very host, with your current account being "brownh" and you
> want to login as "haines"?

At present, I have three or four hosts on a LAN, and I can ssh from each one to the others. The problem arises because of what I want to do in the immediate future. One of the hosts on the LAN is a laptop, and I'll be taking it into the field and would like to ssh from it via Internet using someone else's access provider. Simply, I want to access files on the machine left running at home on the LAN from a laptop I take into the field. I assumed that a test of this would be to ssh from one machine on my LAN to another on the LAN via Internet by providing an address to ssh in the form $ ssh acco...@domain.

These machines all have the domain name historicalMaterialism.info (although I have other domains I could use as well). Each machine has its own local domain name. For example, my current machine has an account brownh on teufel.historicalMaterialism.info. My laptop has an account brownh on langhans.historicalMaterialism.info. The machine I've used to illustrate my problem has an account haines on eng...@historicalmaterialism.info. (You are too young to know who Fritz Teufel and Rainer Langhans were).

I've been trying to ssh via Internet from the client account brownh on teufel.historicalMaterialialism.info to the server account haines on engels.historicalMaterialism.info. What I don't understand is why my router, which has SSH service enabled, does not simply redirect a ssh request from one machine on the LAN to another machine having the same domain name directly rather than send it off to my provider. Maybe I've invented my problem by using an impossible situation as my test case.

> Also:
>
>> $ ssh -vv hai...@historicalmaterialism.info
>
> You tell ssh to log in as user haines on the host
> historicalmaterialism.info here.

Yes I do in the sense that user brownh on one machine seeks to ssh to account haines on another. Is that incorrect? When I try to log in, I'm given the prompt: "hai...@historicalmaterialism.info's password:", and so I type in the password for the haines account on that other (server) machine.

>> ...
>> debug1: Next authentication method: password
>> eng...@historicalmaterialism.info's password:
>
> But here, your username is suddenly engels – why?

I can't reproduce this (result of an experiment?). What I get is:

    debug1: Next authentication method: password
    hai...@historicalmaterialism.info's password:
    debug2: we sent a password packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.
    hai...@historicalmaterialism.info's password:
    debug2: we sent a password packet, wait for reply
    Connection closed by 216.239.138.216

Interesting. This IP address is one owned by my Internet provider. So my ssh request did enter the Internet, answering one of my concerns. Although my provider closed the connection (timed out or too many password attempts?), I assume that the issue of the specific password is solely the concern of the two hosts being connected and does not involve either my router or access provider.

>>I did not edit the ssh_config files on client or server, and what
>>follows are the defaults.

I gather, then, that you see no problems with the configuration.

Haines

--
Archive: http://lists.debian.org/87wrqs9fl5@teufel.historicalmaterialism.info
Re: SSH: remote login returns "invalid user"
on Sat, 11 Sep 2010 15:38:04 -0400, brownh
<871v90ax5v@teufel.historicalmaterialism.info> attacked their terminal with
[snip]

Random Blithering Curiosity... Is the gateway a NAPT?

I had this problem for a while where I would be fine on the inside, then as soon as I went to the outside, I'd get the same problem you're experiencing.

Checking the following fixed my problems:

1) don't ssh as root unless you /have/ to.
2) Check that your NA(P)T allows port 22 on TCP *and* UDP, incoming and outgoing.
3) try using an SSH key. This occasionally fixes things.

I have a Lenny box sitting on my desk that I SSH to all the time with the default configuration. Nothing special, just the default OpenSSH-server configuration.

For those who were confused:
The setup as it looks like to me is this:

(Internets)[Gateway/router]--,---[server]
                             `--[laptop]
this configuration /works/.
[laptop]---(??)--(internets)--[gateway]---[server]
This does not.

This leads me to beg that there is either a configuration issue that says "Don't let anyone who's not on my local network talk to me" or a configuration issue with port translation.

--
Morgan Gangwere
Key ID A8B6F243, available from MIT.
BOFH excuse #220: Someone thought The Big Red Button was a light switch.
Re: SSH: remote login returns "invalid user"
On Sat, Sep 11, 2010 at 03:38:04PM -0400, brownh wrote:
> Sorry that I didn't make myself clear. I've got two situations: a) my
> present situation in which I communicate between hosts on my local LAN,
> b) a future situation (to which I'd like to arrive in a day or so) of
> taking a laptop into the field and using ssh to access a home-base
> host on the LAN.
>
> In the former case, to ssh one I only need a user account and the
> user's password; in the latter case, I have to access the LAN from an
> internet server, and this requires both a user account, its password,
> and its domain, so that the server knows where to find the LAN on
> which the server host is located. I belabor this a bit lest I'm
> misunderstanding or missing something fundamental.
>
> For example, my routing table on both machines has the router as their
> gateway. Presently my /etc/revolv.conf files simply point to my
> router-modem-hub as nameserver. This router-hub-modem has SSH service
> enabled.

I'm afraid I've forgotten - or didn't read - earlier details. Have you got a public IP address? Can you ping the domain name from outside your network - from an Internet cafe or a friend's machine? Have you set up a web server? Can you access that from outside? Does your IP address point to your ISP's server or to yours?

Cheers,
David

--
Archive: http://lists.debian.org/20100911202542.ga2...@gennes.augarten
Re: SSH: remote login returns "invalid user"
Sorry that I didn't make myself clear. I've got two situations: a) my present situation in which I communicate between hosts on my local LAN, b) a future situation (to which I'd like to arrive in a day or so) of taking a laptop into the field and using ssh to access a home-base host on the LAN.

In the former case, to ssh one I only need a user account and the user's password; in the latter case, I have to access the LAN from an internet server, and this requires both a user account, its password, and its domain, so that the server knows where to find the LAN on which the server host is located. I belabor this a bit lest I'm misunderstanding or missing something fundamental.

For example, my routing table on both machines has the router as their gateway. Presently my /etc/revolv.conf files simply point to my router-modem-hub as nameserver. This router-hub-modem has SSH service enabled.

Haines

--
Archive: http://lists.debian.org/871v90ax5v@teufel.historicalmaterialism.info
Re: SSH: remote login returns "invalid user"
On Sat, Sep 11, 2010 at 12:57:53PM -0400, brownh wrote:
> David Jardine writes:
>
> > That ALL: LOCAL entry is there by default. I don't know much about
> > this myself, but
>
> That would explain its presence on my lenny box, but my newly
> installed squeeze box has nothing uncommented in that file. So I guess
> squeeze changed the default.
>
> From the manual, ALL:LOCAL in hosts.allow would admit connections with
> local user accounts, and I get the sense that it overrides the default
> ALL:ALL, which would exclude access from hosts not on the LOCAL LAN. I
> don't expect to use this box as a server for hosts outside my LAN.

Then why are you worried that you can't access it from outside the LAN, ie, from your ISP's server? If you can communicate within the LAN only, isn't that what you want? Or have I misunderstood your intentions?

Cheers,
David

--
Archive: http://lists.debian.org/20100911180252.ga2...@gennes.augarten
Re: SSH: remote login returns "invalid user"
brownh wrote:
>Claudius, thank you for troubling with my problem.
>
>The problem, again: I have no trouble logging a client host
>(bro...@teufel) [you are not old enough to remember Fritz and Rainer]
>with a server host (hai...@engels) over the LAN, but not over the
>Internet,

I’m sorry I have to ask again. You are trying to connect to a host "historicalmaterialism.info" and login as user "haines"? Why and how do you differentiate between client hosts and server hosts and most importantly

>the client user account (bro...@historicalmaterialism.info)
>to client user account (hai...@historicalmaterialism.info)

that mean? Are you trying to connect to "historicalmaterialism.info" from that very host, with your current account being "brownh" and you want to login as "haines"?

Also:

> $ ssh -vv hai...@historicalmaterialism.info

You tell ssh to log in as user haines on the host historicalmaterialism.info here.

>
> ...
> debug1: Next authentication method: password
> eng...@historicalmaterialism.info's password:

But here, your username is suddenly engels – why?

> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> Permission denied, please try again.

>I don't know if this means a file permission problem or if the
>password was unacceptable. The password I provided was definitely that
>of the account (haines) on the client machine (engels).

OK, maybe I completely misunderstood the syntax – but wasn’t the part before the "@" the username you want to login as? Here you call "engels" a client machine, while above, engels was a username!

>Here is ~/.ssh/ssh_config on client:
>
>  ForwardAgent yes
>  X11Forwarding yes

Looks sane.

>I did not edit the ssh_config files on client or server, and what
>follows are the defaults.
>
>Here is /etc/ssd/sshd_config file, via ssh, from server (I prune
>commented lines):
>
>  # Package generated configuration file
>  Port 22
>  Protocol 2
>  HostKey /etc/ssh/ssh_host_rsa_key
>  HostKey /etc/ssh/ssh_host_dsa_key
>  UsePrivilegeSeparation yes
>
>  KeyRegenerationInterval 3600
>  ServerKeyBits 768
>
>  SyslogFacility AUTH
>  LogLevel INFO
>
>  LoginGraceTime 120
>  PermitRootLogin yes
>  StrictModes yes
>
>  RSAAuthentication yes
>  PubkeyAuthentication yes
>
>  IgnoreRhosts yes
>  RhostsRSAAuthentication no
>  HostbasedAuthentication no
>
>  PermitEmptyPasswords no
>
>  ChallengeResponseAuthentication no
>
>  X11Forwarding yes
>  X11DisplayOffset 10
>  PrintMotd no
>  PrintLastLog yes
>  TCPKeepAlive yes
>
>  AcceptEnv LANG LC_*
>
>  Subsystem sftp /usr/lib/openssh/sftp-server
>
>  UsePAM yes

So does this.

>Here is /etc/ssh/sshd_config on client:
>
>  # Package generated configuration file
>  Port 22
>  Protocol 2
>  HostKey /etc/ssh/ssh_host_rsa_key
>  HostKey /etc/ssh/ssh_host_dsa_key
>  UsePrivilegeSeparation yes
>
>  KeyRegenerationInterval 3600
>  ServerKeyBits 768
>
>  SyslogFacility AUTH
>  LogLevel INFO
>
>  LoginGraceTime 120
>  PermitRootLogin yes
>  StrictModes yes
>
>  RSAAuthentication yes
>  PubkeyAuthentication yes
>
>  IgnoreRhosts yes
>  RhostsRSAAuthentication no
>  HostbasedAuthentication no
>
>  PermitEmptyPasswords no
>
>  ChallengeResponseAuthentication no
>
>  X11Forwarding yes
>  X11DisplayOffset 10
>  PrintMotd no
>  PrintLastLog yes
>  TCPKeepAlive yes
>
>  AcceptEnv LANG LC_*
>
>  Subsystem sftp /usr/lib/openssh/sftp-server
>
>  UsePAM yes

And this.

I would guess it’s a great confusion with usernames and hosts, but I’m not sure.

Best regards,
Claudius Hubig

--
Anything worth doing is worth overdoing.
http://chubig.net/

--
Archive: http://lists.debian.org/i6gfe8$1d...@dough.gmane.org
Re: SSH: remote login returns "invalid user"
David Jardine writes:

> That ALL: LOCAL entry is there by default. I don't know much about
> this myself, but

That would explain its presence on my lenny box, but my newly installed squeeze box has nothing uncommented in that file. So I guess squeeze changed the default.

From the manual, ALL:LOCAL in hosts.allow would admit connections with local user accounts, and I get the sense that it overrides the default ALL:ALL, which would exclude access from hosts not on the LOCAL LAN. I don't expect to use this box as a server for hosts outside my LAN.

However, I don't see this as being relevant to my problem, for it is not my (client) lenny machine that has a problem, but when lenny tries to gain ssh access to the server, squeeze, and for this server, the hosts.allow file is empty and so is open to the world.

I did comment the ALL:LOCAL on the lenny box, and tried to access it by ssh from the squeeze box (the opposite direction to that I raised in my question), but permission denied here as well. So my problem is broader than just the configuration of one box.

Just to be sure, a sanity check: from the account bro...@historicalmaterialism.info on one box I am trying to ssh to the account hai...@historicalmaterialism.info, on a different box on the LAN. I can ssh from one user account to another on the LAN, but can't ssh between them via my provider's server by appending the domain name to the user account name:

  $ ssh hai...@historicalmaterialism.info

Haines

--
Archive: http://lists.debian.org/8762ycb4ku@teufel.historicalmaterialism.info
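
The hosts.allow / hosts.deny question raised in this part of the thread, as an added example that is not part of any post: a simplified Python model of the TCP wrappers decision order from hosts_access(5) (hosts.allow first, then hosts.deny, otherwise access is granted; `LOCAL` matches a host name that contains no dot). It assumes only the `ALL`, `LOCAL`, `.domain`, `net.` and exact-match patterns; the remote client name and address are constructed.

```python
def parse_rules(text):
    """Parse 'daemon_list : client_list' lines; options after a second ':' are ignored."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, hostname, address):
    """hostname is the resolved client name, or None when the lookup failed."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":              # a name without a dot, e.g. "teufel"
        return hostname is not None and "." not in hostname
    if pattern.startswith("."):         # domain suffix, e.g. ".example.net"
        return hostname is not None and hostname.endswith(pattern)
    if pattern.endswith("."):           # network prefix, e.g. "192.168.1."
        return address.startswith(pattern)
    return pattern in (hostname, address)


def file_matches(rules, daemon, hostname, address):
    for daemons, clients in rules:
        if "ALL" in daemons or daemon in daemons:
            if any(client_matches(p, hostname, address) for p in clients):
                return True
    return False


def access_decision(allow_text, deny_text, daemon, hostname, address):
    """Apply the documented order: allow file, then deny file, then default grant."""
    if file_matches(parse_rules(allow_text), daemon, hostname, address):
        return "granted by hosts.allow"
    if file_matches(parse_rules(deny_text), daemon, hostname, address):
        return "denied by hosts.deny"
    return "granted (no rule matched)"


if __name__ == "__main__":
    lan = ("teufel", "192.168.1.4")                 # LAN host named in the thread
    remote = ("client.example.net", "203.0.113.7")  # constructed remote client
    for deny in ("", "ALL: ALL"):
        for name, addr in (lan, remote):
            verdict = access_decision("ALL: LOCAL", deny, "sshd", name, addr)
            print(f"hosts.deny={deny!r:10} {name:20} -> {verdict}")
```

With an empty hosts.deny, the `ALL: LOCAL` line does not restrict anything in this model; it only becomes a restriction when paired with a deny rule such as `ALL: ALL`.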
Re: SSH: remote login returns "invalid user"
On Sat, Sep 11, 2010 at 10:00:12AM -0400, brownh wrote:
> David Jardine writes:
>
> > Have you got /etc/hosts.allow and /etc/hosts.deny configured to allow
> > access from outside your local network?
>
> David, good question. I had understood /etc/hosts.allow only as a way
> to define a selection, and so left it empty for the server, for it
> should allow any host to access.
>
> However, I now discover that I have ALL: LOCAL on the client
> machine. No idea why I put it there. I fear that this might in fact
> prevent the kind of non-local ssh connections that I'm having
> difficulties with. Is that so?

That ALL: LOCAL entry is there by default. I don't know much about this myself, but

  man hosts.allow

will give you all the details you want.

Cheers,
David

--
Archive: http://lists.debian.org/20100911142451.ga2...@gennes.augarten
Re: SSH: remote login returns "invalid user"
David Jardine writes:

> Have you got /etc/hosts.allow and /etc/hosts.deny configured to allow
> access from outside your local network?

David, good question. I had understood /etc/hosts.allow only as a way to define a selection, and so left it empty for the server, for it should allow any host to access.

However, I now discover that I have ALL: LOCAL on the client machine. No idea why I put it there. I fear that this might in fact prevent the kind of non-local ssh connections that I'm having difficulties with. Is that so?

Haines

--
Archive: http://lists.debian.org/87aanobcsz@teufel.historicalmaterialism.info
Re: SSH: remote login returns "invalid user"
On Sat, Sep 11, 2010 at 07:15:53AM -0400, brownh wrote:
> Claudius, thank you for troubling with my problem.
>
> The problem, again: I have no trouble logging a client host
> (bro...@teufel) [you are not old enough to remember Fritz and Rainer]
> with a server host (hai...@engels) over the LAN, but not over the
> Internet, the client user account (bro...@historicalmaterialism.info)
> to client user account (hai...@historicalmaterialism.info)
>
> $ ssh -vv hai...@historicalmaterialism.info
>
> ...
> debug1: Next authentication method: password
> eng...@historicalmaterialism.info's password:
> debug2: we sent a password packet, wait for reply
> debug1: Authentications that can continue: publickey,password
> Permission denied, please try again.
>
> I don't know if this means a file permission problem or if the
> password was unacceptable. The password I provided was definitely that
> of the account (haines) on the client machine (engels).

Have you got /etc/hosts.allow and /etc/hosts.deny configured to allow access from outside your local network?

Cheers,
David

--
Archive: http://lists.debian.org/20100911132306.ga1...@gennes.augarten
Re: SSH: remote login returns "invalid user"
Claudius, thank you for troubling with my problem.

The problem, again: I have no trouble logging a client host (bro...@teufel) [you are not old enough to remember Fritz and Rainer] with a server host (hai...@engels) over the LAN, but not over the Internet, the client user account (bro...@historicalmaterialism.info) to client user account (hai...@historicalmaterialism.info)

  $ ssh -vv hai...@historicalmaterialism.info

  ...
  debug1: Next authentication method: password
  eng...@historicalmaterialism.info's password:
  debug2: we sent a password packet, wait for reply
  debug1: Authentications that can continue: publickey,password
  Permission denied, please try again.

I don't know if this means a file permission problem or if the password was unacceptable. The password I provided was definitely that of the account (haines) on the client machine (engels).

Here is ~/.ssh/ssh_config on client:

  ForwardAgent yes
  X11Forwarding yes

I did not edit the ssh_config files on client or server, and what follows are the defaults.

Here is /etc/ssd/sshd_config file, via ssh, from server (I prune commented lines):

  # Package generated configuration file
  Port 22
  Protocol 2
  HostKey /etc/ssh/ssh_host_rsa_key
  HostKey /etc/ssh/ssh_host_dsa_key
  UsePrivilegeSeparation yes

  KeyRegenerationInterval 3600
  ServerKeyBits 768

  SyslogFacility AUTH
  LogLevel INFO

  LoginGraceTime 120
  PermitRootLogin yes
  StrictModes yes

  RSAAuthentication yes
  PubkeyAuthentication yes

  IgnoreRhosts yes
  RhostsRSAAuthentication no
  HostbasedAuthentication no

  PermitEmptyPasswords no

  ChallengeResponseAuthentication no

  X11Forwarding yes
  X11DisplayOffset 10
  PrintMotd no
  PrintLastLog yes
  TCPKeepAlive yes

  AcceptEnv LANG LC_*

  Subsystem sftp /usr/lib/openssh/sftp-server

  UsePAM yes

Here is /etc/ssh/sshd_config on client:

  # Package generated configuration file
  Port 22
  Protocol 2
  HostKey /etc/ssh/ssh_host_rsa_key
  HostKey /etc/ssh/ssh_host_dsa_key
  UsePrivilegeSeparation yes

  KeyRegenerationInterval 3600
  ServerKeyBits 768

  SyslogFacility AUTH
  LogLevel INFO

  LoginGraceTime 120
  PermitRootLogin yes
  StrictModes yes

  RSAAuthentication yes
  PubkeyAuthentication yes

  IgnoreRhosts yes
  RhostsRSAAuthentication no
  HostbasedAuthentication no

  PermitEmptyPasswords no

  ChallengeResponseAuthentication no

  X11Forwarding yes
  X11DisplayOffset 10
  PrintMotd no
  PrintLastLog yes
  TCPKeepAlive yes

  AcceptEnv LANG LC_*

  Subsystem sftp /usr/lib/openssh/sftp-server

  UsePAM yes

Haines

--
Archive: http://lists.debian.org/87iq2cbkeu@teufel.historicalmaterialism.info
Re: SSH: remote login returns "invalid user"
Claudius Hubig wrote:
>Could you post the file /etc/ssh/sshd_config from the server and the
>files /etc/ssh/ssh_config and ~/.config from the client? You could

I’m sorry, I meant to write ~/.ssh/config.

>also try running ssh with -vv which usually outputs more information.

Best regards,
Claudius

--
QOTD: "There may be no excuse for laziness, but I'm sure looking."
http://chubig.net/

--
Archive: http://lists.debian.org/i6e6b1$pv...@dough.gmane.org
Re: SSH: remote login returns "invalid user"
brownh wrote:
>Sorry for a FAQ, but I searched around without success. I'm running
>debian on a local LAN and can ssh between the hosts without a
>problem. However, I intend to use one host remotely (a laptop that I
>want to use to access my home machine). I do not have password
>encryption set up. My LAN is three machines connected to a common hub
>using the same domain name.
>
>I ssh successfully between local hosts on my LAN in this fashion:
>
> $ ssh -X acco...@localhostname
>
>To prepare for taking my laptop into the field, I try this to access
>my home machine (server):
>
> # ssh -X acco...@domainname
>
>In the server's /var/log/auth.log I get:
>
> Sep 10 13:04:37 engels sshd[27266]: Failed none for invalid user
> brownh from 192.168.1.4 port 33279 ssh2
>
>Here the password is "none", which suggests to me that it is not
>getting the password, although it is typed in at the Password:
>prompt. Then the user brownh (my account on the client host which is
>initiating the ssh connection) is not valid, although its IP
>address is right.
>
>Haines Brown

Could you post the file /etc/ssh/sshd_config from the server and the files /etc/ssh/ssh_config and ~/.config from the client? You could also try running ssh with -vv which usually outputs more information.

Best regards,
Claudius Hubig

--
I need to discuss BUY-BACK PROVISIONS with at least six studio SLEAZEBALLS!!
http://chubig.net/

--
Archive: http://lists.debian.org/i6e67o$pv...@dough.gmane.org
SSH: remote login returns "invalid user"
Sorry for a FAQ, but I searched around without success. I'm running debian on a local LAN and can ssh between the hosts without a problem. However, I intend to use one host remotely (a laptop that I want to use to access my home machine). I do not have password encryption set up. My LAN is three machines connected to a common hub using the same domain name.

I ssh successfully between local hosts on my LAN in this fashion:

  $ ssh -X acco...@localhostname

To prepare for taking my laptop into the field, I try this to access my home machine (server):

  # ssh -X acco...@domainname

In the server's /var/log/auth.log I get:

  Sep 10 13:04:37 engels sshd[27266]: Failed none for invalid user brownh from 192.168.1.4 port 33279 ssh2

Here the password is "none", which suggests to me that it is not getting the password, although it is typed in at the Password: prompt. Then the user brownh (my account on the client host which is initiating the ssh connection) is not valid, although its IP address is right.

Haines Brown

--
Archive: http://lists.debian.org/87mxrpbdvt@teufel.historicalmaterialism.info
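
An added example, not part of the original post: a small Python parser for sshd `Failed`/`Accepted` lines in auth.log that separates the two fields the post asks about. In that log format the word after `Failed` is the SSH authentication method (`none` is the method a client requests first to learn what the server offers), and `invalid user` refers to the login name sent to the server. The first sample line is the one quoted in the post; the other two are constructed.

```python
import re
from collections import Counter

# Line 1 is the auth.log entry quoted in the post; lines 2-3 are constructed samples.
SAMPLE_LOG = """\
Sep 10 13:04:37 engels sshd[27266]: Failed none for invalid user brownh from 192.168.1.4 port 33279 ssh2
Sep 10 13:05:02 engels sshd[27270]: Failed password for haines from 192.168.1.4 port 33281 ssh2
Sep 10 13:05:09 engels sshd[27270]: Accepted password for haines from 192.168.1.4 port 33281 ssh2
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\S+) for "
    r"(?P<invalid>invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_line(line):
    """Return a dict for an sshd Failed/Accepted line, or None for anything else."""
    m = AUTH_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["invalid"] = rec["invalid"] is not None
    rec["port"] = int(rec["port"])
    return rec


def explain(rec):
    """Describe what the method and user fields of one parsed record mean."""
    notes = []
    if rec["method"] == "none":
        notes.append("'none' is the auth method tried first to list the "
                     "server's methods; no password was sent in this attempt")
    if rec["invalid"]:
        notes.append(f"login name '{rec['user']}' is not a usable account on {rec['host']}")
    elif rec["result"] == "Failed":
        notes.append(f"'{rec['user']}' is a known account but the {rec['method']} credential was rejected")
    else:
        notes.append(f"'{rec['user']}' authenticated with {rec['method']}")
    return "; ".join(notes)


def invalid_user_attempts(log_text):
    """Count (login name, source address) pairs logged as 'invalid user'."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["invalid"]:
            counts[(rec["user"], rec["src"])] += 1
    return counts


if __name__ == "__main__":
    for line in SAMPLE_LOG.splitlines():
        rec = parse_line(line)
        if rec:
            print(f"{rec['ts']} {rec['result']:8} {rec['user']:7} <- {rec['src']}: {explain(rec)}")
```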