Re: cannot ssh into a box with DHCP assigned IP address

2013-03-19 Thread Drew Tomlinson

On 2/20/2013 5:55 AM, Anton Shterenlikht wrote:

From feenb...@nber.org Wed Feb 20 13:39:28 2013

>From: Fleuriot Damien 
>To: me...@bristol.ac.uk
>Subject: Re: cannot ssh into a box with DHCP assigned IP address
>Date: Wed, 20 Feb 2013 10:31:22 +0100
>Cc: freebsd-questions@freebsd.org
>
>On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht wrote:
>
>> I have a laptop with FreeBSD -current,
>> with ip address assigned via DHCP.
>> The laptop has neither a static ip address,
>> nor a domain.
>>
>> I can ping the laptop fine, but cannot


I doubt that you can ping 172.21.220.12 from 137.222.187.241 as 
172.21.220.12 is private IP address space and is not routed across the 
Internet.



>> ssh into it. The sshd is running, /etc/ssh/sshd_config
>> seems fine, /etc/hosts.allow is fine.
>> However, /etc/hosts is just the default:

While on the problem machine, can you ssh to localhost? ssh to the IP
address?

yes to both

I would suspect the problem is in /etc/hosts.allow or /etc/hosts.deny,

The first non-comment line in /etc/hosts.allow is
ALL : ALL : allow

and I don't have /etc/hosts.deny:

root@zzz:~ # ls /etc/hosts*
/etc/hosts          /etc/hosts.equiv
/etc/hosts.allow    /etc/hosts.lpd
root@zzz:~ #

or perhaps the subnet mask is incorrect.

Well.. what should it be?
I have on the problem box (ssh server):

wlan0: flags=8943 metric 0 mtu 1500
 ether 00:21:5c:50:68:c3
 inet 172.21.220.12 netmask 0xfc00 broadcast 255.255.255.255
 nd6 options=29
 media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
 status: associated
 ssid eduroam channel 1 (2412 MHz 11g) bssid 00:3a:98:62:cd:a0
 country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
 AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 14 bmiss 10 scanvalid 450
 bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5
 protmode CTS wme roaming MANUAL

I'm trying to ssh from 137.222.187.241.

I wonder, perhaps it is somehow built into the
Eduroam wireless, provided by the University,
that the devices connected to it cannot be
accessible. They can only initiate outgoing
connections, but all incoming connections are
somehow blocked? Given that the majority of
the devices will be unsecured MS boxes, maybe
the university thought that this is a wise idea
for safety. Perhaps I can investigate this
with my IT guys.

Or I might be talking complete nonsense here, not my area at all.


It is kind of "built in" as you say.  The Eduroam wireless network 
appears to be a private network sitting behind a NAT gateway.  Thus what 
happens when you access the Internet is that your laptop sends that 
request to the NAT gateway on the Eduroam network.  The NAT gateway 
strips off your private IP address and replaces it with a public IP 
address, marks the connection in its table, and sends it on its way.  
Then when the answer comes back from the Internet, the NAT gateway 
strips off the public IP address and replaces it with your private IP 
address, and sends it to your laptop.


While on the Eduroam network, go to http://whatismyip.com.  You will see 
that your IP is not 172.21.220.12.  It will be a public IP address that 
Eduroam uses.


Bottom line is that the only way you could ssh to your laptop from the 
Internet is if you got the university to give you a public IP address 
and port and then they set up NAT and port forwarding on their network 
to point that public IP address to your laptop private IP address ssh port.


Since I doubt you will have much luck with that, I suspect the short 
answer is "you can't ssh to your laptop from the Internet when it's 
connected to your university network".


I'm sure this isn't the answer you wanted but hopefully this will save 
you some frustration.


Cheers,

Drew

--
Like card tricks?

Visit The Alchemist's Warehouse to
learn card magic secrets for free!

http://alchemistswarehouse.com


___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Matthias Apitz
On Wednesday, February 20, 2013 at 03:03:21PM +, Anton Shterenlikht wrote:

>   The class B network 172.16.0.0 to 172.31.255.255 is not routed in
>   Internet (see RFC1918). This is a so called "private addr" you get from
>   your Access Point. It is hidden by the AP (or by some other router
>   farther away) behind a real IP addr. You can check what this addr is by
>   going to the page http://myip.nl/
> 
>   And you can not SSH to the addr shown there, at least normally it would not
>   be NAT'ed to your addr you got by DHCP.
> 
>   No way.
> 
> fuck.. This is the first thing I should've checked.
> Sorry for wasting everybody's time.
> The irony is that I know very little about
> networking, but the three private IP ranges
> is something I actually knew about.
> 
> Thanks
> 
> Anton
> ___
> freebsd-po...@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-ports
> To unsubscribe, send any mail to "freebsd-ports-unsubscr...@freebsd.org"

And why did you Cc freebsd-ports, when the thread was in freebsd-questions?

matthias

-- 
Sent from my FreeBSD netbook

Matthias Apitz   |  - No system with backdoors like Apple/Android
E-mail: g...@unixarea.de |  - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |  - No proprietary attachments
phone: +49-170-4527211   |  - Respect for open standards


Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Matthias Apitz
On Wednesday, February 20, 2013 at 03:43:43PM +0100, Matthias Apitz wrote:

> On Wednesday, February 20, 2013 at 03:18:47PM +0100, Fleuriot Damien wrote:
> 
> > > Well.. what should it be?
> > > I have on the problem box (ssh server):
> > > 
> > > wlan0: flags=8943 metric 0 mtu 1500
> > >ether 00:21:5c:50:68:c3
> > >inet 172.21.220.12 netmask 0xfc00 broadcast 255.255.255.255
> > >nd6 options=29
> > >media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
> > >status: associated
> > >ssid eduroam channel 1 (2412 MHz 11g) bssid 00:3a:98:62:cd:a0
> > >country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
> > >AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 14 bmiss 10 scanvalid 450
> > >bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5
> > >protmode CTS wme roaming MANUAL
> > > 
> > > I'm trying to ssh from 137.222.187.241.

One thing more: the IP addr you are ssh'ing from is reachable via
Internet:

$ telnet 137.222.187.241 22
Trying 137.222.187.241...
Connected to mech-cluster241.men.bris.ac.uk.
Escape character is '^]'.
SSH-2.0-OpenSSH_6.1_hpn13v11 FreeBSD-20120901

If this is your intention (and not a fault) you should know what you are
doing and have hardened the access, for example only RSA auth via SSH.

HIH

matthias
-- 
Sent from my FreeBSD netbook

Matthias Apitz   |  - No system with backdoors like Apple/Android
E-mail: g...@unixarea.de |  - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |  - No proprietary attachments
phone: +49-170-4527211   |  - Respect for open standards


Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Matthias Apitz
On Wednesday, February 20, 2013 at 03:18:47PM +0100, Fleuriot Damien wrote:

> > Well.. what should it be?
> > I have on the problem box (ssh server):
> > 
> > wlan0: flags=8943 metric 0 mtu 1500
> >ether 00:21:5c:50:68:c3
> >inet 172.21.220.12 netmask 0xfc00 broadcast 255.255.255.255
> >nd6 options=29
> >media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
> >status: associated
> >ssid eduroam channel 1 (2412 MHz 11g) bssid 00:3a:98:62:cd:a0
> >country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
> >AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 14 bmiss 10 scanvalid 450
> >bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5
> >protmode CTS wme roaming MANUAL
> > 
> > I'm trying to ssh from 137.222.187.241.

The class B network 172.16.0.0 to 172.31.255.255 is not routed in
Internet (see RFC1918). This is a so called "private addr" you get from
your Access Point. It is hidden by the AP (or by some other router
farther away) behind a real IP addr. You can check what this addr is by
going to the page http://myip.nl/

And you can not SSH to the addr shown there, at least normally it would not
be NAT'ed to your addr you got by DHCP.

No way.

matthias

-- 
Sent from my FreeBSD netbook

Matthias Apitz   |  - No system with backdoors like Apple/Android
E-mail: g...@unixarea.de |  - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |  - No proprietary attachments
phone: +49-170-4527211   |  - Respect for open standards
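The point Matthias makes here, and Drew's NAT explanation earlier in the thread, can be checked mechanically. The following is an added example, not code from the list posts: given the server's address and the hex netmask that FreeBSD's ifconfig prints, plus the client's address, it reports which RFC 1918 range (if any) the server sits in and classifies the path between the two hosts. The sample values are taken from the thread; the netmask 0xfffffc00 is an assumption, since the quoted ifconfig output shows a truncated mask.

```python
"""Why an RFC 1918 address is not reachable from the Internet.

Added example, not code from the list posts. The netmask 0xfffffc00 used
below is an assumption; the thread's ifconfig output shows a truncated mask.
"""
import ipaddress

# The three RFC 1918 private ranges
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def private_range(addr):
    """Return the RFC 1918 network that contains addr, or None if addr is public."""
    ip = ipaddress.ip_address(addr)
    for net in RFC1918:
        if ip in net:
            return net
    return None


def hex_netmask_to_prefix(mask):
    """Convert a FreeBSD ifconfig netmask such as 0xfffffc00 to a prefix
    length, rejecting masks whose one-bits are not contiguous."""
    value = int(mask, 16)
    prefix = bin(value).count("1")
    if value != (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF:
        raise ValueError(f"non-contiguous netmask {mask}")
    return prefix


def diagnose(server_ip, server_mask, client_ip):
    """Classify how client_ip could reach server_ip."""
    prefix = hex_netmask_to_prefix(server_mask)
    server_net = ipaddress.ip_network(f"{server_ip}/{prefix}", strict=False)
    client = ipaddress.ip_address(client_ip)
    server_private = private_range(server_ip) is not None
    client_private = private_range(client_ip) is not None
    if client in server_net:
        return "same-subnet"        # on-link, no router involved
    if server_private and not client_private:
        return "server-behind-nat"  # a public client cannot route to an RFC 1918 target
    if server_private and client_private:
        return "both-private"       # reachable only if one internal network routes between them
    return "routed"                 # public server: reachable unless something filters port 22


if __name__ == "__main__":
    # Values from the thread: the laptop on eduroam, tried from the cluster
    print(private_range("172.21.220.12"))                              # 172.16.0.0/12
    print(diagnose("172.21.220.12", "0xfffffc00", "137.222.187.241"))  # server-behind-nat
```

For the thread's addresses the verdict is server-behind-nat, which is Drew's conclusion: without a port forward configured at the NAT gateway, no packet from 137.222.187.241 can reach 172.21.220.12, however sshd is configured.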


Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Anton Shterenlikht
From m...@my.gd Wed Feb 20 14:39:34 2013

On Feb 20, 2013, at 2:55 PM, Anton Shterenlikht wrote:

>   From feenb...@nber.org Wed Feb 20 13:39:28 2013
> 
>   >   From: Fleuriot Damien 
>   >   To: me...@bristol.ac.uk
>   >   Subject: Re: cannot ssh into a box with DHCP assigned IP address
>   >   Date: Wed, 20 Feb 2013 10:31:22 +0100
>   >   Cc: freebsd-questions@freebsd.org
>   >
>   >   On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht wrote:
>   >
>   >   > I have a laptop with FreeBSD -current,
>   >   > with ip address assigned via DHCP.
>   >   > The laptop has neither a static ip address,
>   >   > nor a domain.
>   >   >
>   >   > I can ping the laptop fine, but cannot
>   >   > ssh into it. The sshd is running, /etc/ssh/sshd_config
>   >   > seems fine, /etc/hosts.allow is fine.
>   >   > However, /etc/hosts is just the default:
> 
>   While on the problem machine, can you ssh to localhost? ssh to the IP
>   address?
> 
> yes to both
> 
>   I would suspect the problem is in /etc/hosts.allow or /etc/hosts.deny,
> 
> The first non-comment line in /etc/hosts.allow is
> ALL : ALL : allow
> 
> and I don't have /etc/hosts.deny:
> 
> root@zzz:~ # ls /etc/hosts*
> /etc/hosts  /etc/hosts.equiv
> /etc/hosts.allow    /etc/hosts.lpd
> root@zzz:~ #
> 
>   or perhaps the subnet mask is incorrect.
> 
> Well.. what should it be?
> I have on the problem box (ssh server):
> 
> wlan0: flags=8943 metric 0 mtu 1500
>ether 00:21:5c:50:68:c3
>inet 172.21.220.12 netmask 0xfc00 broadcast 255.255.255.255
>nd6 options=29
>media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
>status: associated
>ssid eduroam channel 1 (2412 MHz 11g) bssid 00:3a:98:62:cd:a0
>country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
>AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 14 bmiss 10 scanvalid 450
>bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5
>protmode CTS wme roaming MANUAL
> 
> I'm trying to ssh from 137.222.187.241.
> 
> I wonder, perhaps it somehow built into the
> Eduroam wireless, provided by the University,
> that the devices connected to it cannot be
> accessible. They can only initiate outgoing
> connections, but all incoming connections are
> somehow blocked? Given that the majority of
> the devices will be unsecured MS boxes, maybe
> the university thought that this is wise idea
> for safety. Perhaps I can investigate this
> with my IT guys. 
> 
> Or I might be talking complete nonsense here, not my area at all.
> 
> Thanks
> 
> Anton
> 


Any luck with Daniel's suggestion to try it directly on the problematic host?

ssh 127.0.0.1
ssh localhost
ssh 172.21.220.12

yes to all (I replied already above).

Thanks

Anton



Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Fleuriot Damien

On Feb 20, 2013, at 2:55 PM, Anton Shterenlikht  wrote:

>   From feenb...@nber.org Wed Feb 20 13:39:28 2013
> 
>   >   From: Fleuriot Damien 
>   >   To: me...@bristol.ac.uk
>   >       Subject: Re: cannot ssh into a box with DHCP assigned IP address
>   >   Date: Wed, 20 Feb 2013 10:31:22 +0100
>   >   Cc: freebsd-questions@freebsd.org
>   >
>   >   On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht wrote:
>   >
>   >   > I have a laptop with FreeBSD -current,
>   >   > with ip address assigned via DHCP.
>   >   > The laptop has neither a static ip address,
>   >   > nor a domain.
>   >   >
>   >   > I can ping the laptop fine, but cannot
>   >   > ssh into it. The sshd is running, /etc/ssh/sshd_config
>   >   > seems fine, /etc/hosts.allow is fine.
>   >   > However, /etc/hosts is just the default:
> 
>   While on the problem machine, can you ssh to localhost? ssh to the IP 
>   address?
> 
> yes to both
> 
>   I would suspect the problem is in /etc/hosts.allow
>or /etc/hosts.deny,
> 
> The first non-comment line in /etc/hosts.allow is
> ALL : ALL : allow
> 
> and I don't have /etc/hosts.deny:
> 
> root@zzz:~ # ls /etc/hosts*
> /etc/hosts      /etc/hosts.equiv
> /etc/hosts.allow    /etc/hosts.lpd
> root@zzz:~ #
> 
>   or perhaps the subnet mask is incorrect.
> 
> Well.. what should it be?
> I have on the problem box (ssh server):
> 
> wlan0: flags=8943 metric 0 mtu 1500
>ether 00:21:5c:50:68:c3
>inet 172.21.220.12 netmask 0xfc00 broadcast 255.255.255.255
>nd6 options=29
>media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
>status: associated
>ssid eduroam channel 1 (2412 MHz 11g) bssid 00:3a:98:62:cd:a0
>country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
>AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 14 bmiss 10 scanvalid 450
>bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5
>protmode CTS wme roaming MANUAL
> 
> I'm trying to ssh from 137.222.187.241.
> 
> I wonder, perhaps it somehow built into the
> Eduroam wireless, provided by the University,
> that the devices connected to it cannot be
> accessible. They can only initiate outgoing
> connections, but all incoming connections are
> somehow blocked? Given that the majority of
> the devices will be unsecured MS boxes, maybe
> the university thought that this is wise idea
> for safety. Perhaps I can investigate this
> with my IT guys. 
> 
> Or I might be talking complete nonsense here, not my area at all.
> 
> Thanks
> 
> Anton
> 


Any luck with Daniel's suggestion to try it directly on the problematic host ?

ssh 127.0.0.1
ssh localhost
ssh 172.21.220.12




Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Daniel Feenberg





From: Fleuriot Damien 
To: me...@bristol.ac.uk
Subject: Re: cannot ssh into a box with DHCP assigned IP address
Date: Wed, 20 Feb 2013 10:31:22 +0100
Cc: freebsd-questions@freebsd.org

On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht wrote:

> I have a laptop with FreeBSD -current,
> with ip address assigned via DHCP.
> The laptop has neither a static ip address,
> nor a domain.
>
> I can ping the laptop fine, but cannot
> ssh into it. The sshd is running, /etc/ssh/sshd_config
> seems fine, /etc/hosts.allow is fine.
> However, /etc/hosts is just the default:


While on the problem machine, can you ssh to localhost? ssh to the IP 
address?


I would suspect the problem is in /etc/hosts.allow or /etc/hosts.deny, or
perhaps the subnet mask is incorrect.

The lack of a domain should not be a problem.

daniel feenberg


Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Anton Shterenlikht
From feenb...@nber.org Wed Feb 20 13:39:28 2013

>   From: Fleuriot Damien 
>   To: me...@bristol.ac.uk
>   Subject: Re: cannot ssh into a box with DHCP assigned IP address
>   Date: Wed, 20 Feb 2013 10:31:22 +0100
>   Cc: freebsd-questions@freebsd.org
>
>   On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht wrote:
>
>   > I have a laptop with FreeBSD -current,
>   > with ip address assigned via DHCP.
>   > The laptop has neither a static ip address,
>   > nor a domain.
>   >
>   > I can ping the laptop fine, but cannot
>   > ssh into it. The sshd is running, /etc/ssh/sshd_config
>   > seems fine, /etc/hosts.allow is fine.
>   > However, /etc/hosts is just the default:

While on the problem machine, can you ssh to localhost? ssh to the IP 
address?

yes to both

I would suspect the problem is in /etc/hosts.allow or /etc/hosts.deny,

The first non-comment line in /etc/hosts.allow is
ALL : ALL : allow

and I don't have /etc/hosts.deny:

root@zzz:~ # ls /etc/hosts*
/etc/hosts          /etc/hosts.equiv
/etc/hosts.allow    /etc/hosts.lpd
root@zzz:~ #

or perhaps the subnet mask is incorrect.

Well.. what should it be?
I have on the problem box (ssh server):

wlan0: flags=8943 metric 0 mtu 1500
ether 00:21:5c:50:68:c3
inet 172.21.220.12 netmask 0xfc00 broadcast 255.255.255.255
nd6 options=29
media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
status: associated
ssid eduroam channel 1 (2412 MHz 11g) bssid 00:3a:98:62:cd:a0
country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 14 bmiss 10 scanvalid 450
bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5
protmode CTS wme roaming MANUAL

I'm trying to ssh from 137.222.187.241.

I wonder, perhaps it is somehow built into the
Eduroam wireless, provided by the University,
that the devices connected to it cannot be
accessible. They can only initiate outgoing
connections, but all incoming connections are
somehow blocked? Given that the majority of
the devices will be unsecured MS boxes, maybe
the university thought that this is a wise idea
for safety. Perhaps I can investigate this
with my IT guys.

Or I might be talking complete nonsense here, not my area at all.

Thanks

Anton





Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Anton Shterenlikht
From m...@my.gd Wed Feb 20 10:28:54 2013

Ok I think you've got a DNS resolution problem here,
 so when you try to establish the connection,
 SSHD tries to resolve your client's hostname.

It fails and times out, however your ssh login gracetime is already 
over.

You have several options here:

1/ increase the login grace time in sshd_config

ok:
LoginGraceTime 3m

2/ set usedns no (or do both, btw)

ok:
UseDNS no

3/ fix DNS resolution ;)

Well, I'm waiting for the IT support guys
to do this, but they are very slow.

I would definitely recommend
 turning off hostname resolution for sshd,
 it is of marginal value (to me at least).

Following the sshd man page, I'm also trying this:

*quote*
  -u0 may also be used to prevent sshd from making
  DNS requests unless the authentication mechanism or configuration
  requires it.  Authentication mechanisms that may require DNS
  include RhostsRSAAuthentication, HostbasedAuthentication, and
  using a from="pattern-list" option in a key file.  Configuration
  options that require DNS include using a USER@HOST pattern in
  AllowUsers or DenyUsers.
*end quote*

I set in /etc/ssh/sshd_config:

RhostsRSAAuthentication no
HostbasedAuthentication no
AllowUsers mexas

and I don't have DenyUsers at all.

I then restart sshd as
/usr/sbin/sshd -u0

However, I still see the same (I think)
output from tcpdump and still get ssh timeout:

10:55:32.503085 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [P.], seq 53520:53568, ack 64033, win 1040, options [nop,nop,TS val 169209828 ecr 2123714526], length 48
10:55:32.604376 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [.], ack 53568, win 1040, options [nop,nop,TS val 2123715301 ecr 169209828], length 0
10:55:32.668861 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [P.], seq 53568:53616, ack 64033, win 1040, options [nop,nop,TS val 169209994 ecr 2123715301], length 48
10:55:32.671995 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 64033:64161, ack 53616, win 1040, options [nop,nop,TS val 2123715368 ecr 169209994], length 128
10:55:32.672501 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 64161:64209, ack 53616, win 1040, options [nop,nop,TS val 2123715368 ecr 169209994], length 48
10:55:32.672763 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 64209, win 1040, options [nop,nop,TS val 169209998 ecr 2123715368], length 0
10:55:33.394762 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [P.], seq 53616:53664, ack 64209, win 1040, options [nop,nop,TS val 169210720 ecr 2123715368], length 48
10:55:33.396877 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 64209:64257, ack 53664, win 1040, options [nop,nop,TS val 2123716093 ecr 169210720], length 48
10:55:33.496782 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 64257, win 1040, options [nop,nop,TS val 169210822 ecr 2123716093], length 0

Thanks

Anton



Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Fleuriot Damien
Ok I think you've got a DNS resolution problem here, so when you try to 
establish the connection, SSHD tries to resolve your client's hostname.

It fails and times out, however your ssh login gracetime is already over.

You have several options here:

1/ increase the login grace time in sshd_config
2/ set usedns no (or do both, btw)
3/ fix DNS resolution ;)

I would definitely recommend turning off hostname resolution for sshd, it is of 
marginal value (to me at least).





On Feb 20, 2013, at 11:21 AM, Anton Shterenlikht  wrote:

>   From m...@my.gd Wed Feb 20 10:11:12 2013
> 
>   Run this on your server:
> 
>   tcpdump -ni wlan0 ip and port 22
> 
>   Then try to ssh to the box,
>see if SYN packets arrive,
>see if your box sends SYN/ACK back.
> 
> 172.21.220.12 is the ssh server
> 137.222.187.241 is the ssh client (where I login from)
> 
> There's lots of output on the server:
> 
> 10:13:40.396933 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [P.], seq 528:576, ack 897, win 1040, options [nop,nop,TS val 166697722 ecr 2764601194], length 48
> 10:13:40.400142 IP 137.222.187.241.22 > 172.21.220.12.20541: Flags [P.], seq 897:945, ack 576, win 1040, options [nop,nop,TS val 2764601829 ecr 166697722], length 48
> 10:13:40.499768 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [.], ack 945, win 1040, options [nop,nop,TS val 166697825 ecr 2764601829], length 0
> 10:13:41.126804 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [P.], seq 576:624, ack 945, win 1040, options [nop,nop,TS val 166698452 ecr 2764601829], length 48
> 10:13:41.129465 IP 137.222.187.241.22 > 172.21.220.12.20541: Flags [P.], seq 945:993, ack 624, win 1040, options [nop,nop,TS val 2764602558 ecr 166698452], length 48
> 10:13:41.229792 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [.], ack 993, win 1040, options [nop,nop,TS val 166698555 ecr 2764602558], length 0
> 10:14:06.042148 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 691166491:691166555, ack 2147595671, win 1040, options [nop,nop,TS val 2121228740 ecr 166423364], length 64
> 10:14:06.043854 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [P.], seq 1:33, ack 64, win 1040, options [nop,nop,TS val 166723368 ecr 2121228740], length 32
> 10:14:06.144924 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [.], ack 33, win 1040, options [nop,nop,TS val 2121228843 ecr 166723368], length 0
> 
> 10:15:02.017361 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 15904:16240, ack 7169, win 1040, options [nop,nop,TS val 2121284715 ecr 166779337], length 336
> 10:15:02.017969 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 16240:16576, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 336
> 10:15:02.018079 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 16576, win 1035, options [nop,nop,TS val 166779343 ecr 2121284715], length 0
> 10:15:02.018319 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 16576:16896, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 320
> 10:15:02.018510 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 16896:17232, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 336
> 10:15:02.018626 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 17232, win 1030, options [nop,nop,TS val 166779344 ecr 2121284716], length 0
> 10:15:02.019583 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 17232:17568, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 336
> 10:15:02.019840 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 17568:17840, ack 7169, win 1040, options [nop,nop,TS val 2121284717 ecr 166779337], length 272
> 10:15:02.019927 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 17840, win 1036, options [nop,nop,TS val 166779345 ecr 2121284716], length 0
> 
> Thanks
> 
> Anton

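Fleuriot's three options above, and the sshd man page text Anton quotes in his reply (UseDNS, HostbasedAuthentication, RhostsRSAAuthentication and USER@HOST patterns in AllowUsers/DenyUsers are what make sshd resolve the client's hostname), can be turned into a configuration check. The following is an added example, not code from the list or from OpenSSH: it parses an sshd_config, reports how long LoginGraceTime gives the client, and lists the settings that would still trigger a reverse lookup. The config parsing, the notion of a "hostname pattern", and the sample config itself are this example's own assumptions; the UseDNS default is passed in because it was "yes" for the OpenSSH 6.1 in the thread and "no" in later releases.

```python
"""Check whether an sshd_config still makes sshd do DNS lookups at login time.

Added example, not code from the list posts or from OpenSSH. SAMPLE_CONFIG is
constructed; it is not the poster's real file.
"""
import re

SAMPLE_CONFIG = """\
# constructed sshd_config excerpt, not the poster's real file
Port 22
LoginGraceTime 2m
UseDNS yes
HostbasedAuthentication no
AllowUsers mexas admin@*.example.org
"""

LIST_KEYS = {"allowusers", "denyusers"}   # these accumulate across lines


def parse_sshd_config(text):
    """Return {keyword: value} for the global section. First occurrence wins,
    as in sshd, except AllowUsers/DenyUsers, which accumulate into a list.
    Parsing stops at the first Match block (per-Match overrides not modelled)."""
    opts = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1] if len(parts) > 1 else ""
        if key in LIST_KEYS:
            opts.setdefault(key, []).extend(value.split())
        else:
            opts.setdefault(key, value)
    return opts


def grace_seconds(value):
    """Parse an sshd time value ('120', '3m', '1h30m') into seconds."""
    units = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
    return sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([smhdw]?)", value))


def is_address_pattern(host):
    """True if the HOST part of USER@HOST is an IP/CIDR pattern (digits, dots,
    wildcards, prefix) rather than a hostname pattern. Assumption of this example."""
    return re.fullmatch(r"[\d.*?]+(/\d+)?", host) is not None


def dns_reasons(opts, default_usedns="yes"):
    """List the settings that would make sshd resolve the client's hostname."""
    reasons = []
    if opts.get("usedns", default_usedns).lower() != "no":
        reasons.append("UseDNS is not set to no")
    for key in ("hostbasedauthentication", "rhostsrsaauthentication"):
        if opts.get(key, "no").lower() == "yes":
            reasons.append(f"{key} yes needs the client's hostname")
    for key in LIST_KEYS:
        for pattern in opts.get(key, []):
            if "@" in pattern and not is_address_pattern(pattern.split("@", 1)[1]):
                reasons.append(f"{key} pattern {pattern} matches on hostname")
    return reasons


def assess(text, default_usedns="yes"):
    """The two things the thread is about: how long the client has to
    authenticate, and whether a slow or failing resolver eats into that time."""
    opts = parse_sshd_config(text)
    return {
        "grace_seconds": grace_seconds(opts.get("logingracetime", "120")),
        "dns_reasons": dns_reasons(opts, default_usedns),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_CONFIG))
    hardened = SAMPLE_CONFIG.replace("UseDNS yes", "UseDNS no").replace(" admin@*.example.org", "")
    print(assess(hardened))
```

On the constructed sample the check flags two things: UseDNS is still on, and the admin@*.example.org entry can only be matched by resolving the client. Setting UseDNS no and keeping AllowUsers to plain user names (or user@IP-pattern) leaves nothing for sshd to resolve, so a broken resolver no longer consumes the grace time.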


Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Anton Shterenlikht
From m...@my.gd Wed Feb 20 10:11:12 2013

Run this on your server:

tcpdump -ni wlan0 ip and port 22

Then try to ssh to the box,
 see if SYN packets arrive,
 see if your box sends SYN/ACK back.

172.21.220.12 is the ssh server
137.222.187.241 is the ssh client (where I login from)

There's lots of output on the server:

10:13:40.396933 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [P.], seq 528:576, ack 897, win 1040, options [nop,nop,TS val 166697722 ecr 2764601194], length 48
10:13:40.400142 IP 137.222.187.241.22 > 172.21.220.12.20541: Flags [P.], seq 897:945, ack 576, win 1040, options [nop,nop,TS val 2764601829 ecr 166697722], length 48
10:13:40.499768 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [.], ack 945, win 1040, options [nop,nop,TS val 166697825 ecr 2764601829], length 0
10:13:41.126804 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [P.], seq 576:624, ack 945, win 1040, options [nop,nop,TS val 166698452 ecr 2764601829], length 48
10:13:41.129465 IP 137.222.187.241.22 > 172.21.220.12.20541: Flags [P.], seq 945:993, ack 624, win 1040, options [nop,nop,TS val 2764602558 ecr 166698452], length 48
10:13:41.229792 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [.], ack 993, win 1040, options [nop,nop,TS val 166698555 ecr 2764602558], length 0
10:14:06.042148 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 691166491:691166555, ack 2147595671, win 1040, options [nop,nop,TS val 2121228740 ecr 166423364], length 64
10:14:06.043854 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [P.], seq 1:33, ack 64, win 1040, options [nop,nop,TS val 166723368 ecr 2121228740], length 32
10:14:06.144924 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [.], ack 33, win 1040, options [nop,nop,TS val 2121228843 ecr 166723368], length 0

10:15:02.017361 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 15904:16240, ack 7169, win 1040, options [nop,nop,TS val 2121284715 ecr 166779337], length 336
10:15:02.017969 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 16240:16576, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 336
10:15:02.018079 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 16576, win 1035, options [nop,nop,TS val 166779343 ecr 2121284715], length 0
10:15:02.018319 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 16576:16896, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 320
10:15:02.018510 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 16896:17232, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 336
10:15:02.018626 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 17232, win 1030, options [nop,nop,TS val 166779344 ecr 2121284716], length 0
10:15:02.019583 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 17232:17568, ack 7169, win 1040, options [nop,nop,TS val 2121284716 ecr 166779337], length 336
10:15:02.019840 IP 137.222.187.241.22 > 172.21.220.12.46009: Flags [P.], seq 17568:17840, ack 7169, win 1040, options [nop,nop,TS val 2121284717 ecr 166779337], length 272
10:15:02.019927 IP 172.21.220.12.46009 > 137.222.187.241.22: Flags [.], ack 17840, win 1036, options [nop,nop,TS val 166779345 ecr 2121284716], length 0

Thanks

Anton


Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Fleuriot Damien

On Feb 20, 2013, at 10:45 AM, Anton Shterenlikht  wrote:

>   From: Fleuriot Damien 
>   To: me...@bristol.ac.uk
>   Subject: Re: cannot ssh into a box with DHCP assigned IP address
>   Date: Wed, 20 Feb 2013 10:31:22 +0100
>   Cc: freebsd-questions@freebsd.org
> 
>   On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht  
> wrote:
> 
>   > I have a laptop with FreeBSD -current,
>   > with ip address assigned via DHCP.
>   > The laptop has neither a static ip address,
>   > nor a domain.
>   > 
>   > I can ping the laptop fine, but cannot
>   > ssh into it. The sshd is running, /etc/ssh/ssd_config
>   > seems fine, /etc/hosts.allow is fine.
>   > However, /etc/hosts is just the default:
>   > 
>   > #
>   > ::1 localhost localhost.my.domain
>   > 127.0.0.1   localhost localhost.my.domain
>   > #
>   > 
>   > Is it the lack of a domain that prevents
>   > me from getting ssh access?
>   > I try to ssh with just a dynamic ip address,
>   > for which ping seems to work fine.
>   > Or is the problem somewhere else?
>   > 
>   > I'm not even sure I'm asking the right
>   > questions.
>   > 
>   > Thanks
>   > 
>   > Anton
> 
> 
>   First, check what ports SSH listens on:
>   sockstat | grep ssh
> 
> root@zzz:~ # sockstat | grep ssh
> mexas    ssh        16193 3  tcp4   172.21.220.12:20541   137.222.187.241:22
> root sshd   1091  3  tcp6   *:22  *:*
> root sshd   1091  4  tcp4   *:22  *:*
> root@zzz:~ #
> 
> I also see:
> 
> /var/log/auth.log:Feb 18 11:54:25 zzz sshd[1091]: Server listening on :: port 22.
> /var/log/auth.log:Feb 18 11:54:25 zzz sshd[1091]: Server listening on 0.0.0.0 port 22.
> 
> Is 0.0.0.0 expected?
> 

0.0.0.0 = * = all IPs / interfaces



> Anything else I should check in the logs?
> 

Not that I'm aware of



> 
>   Then, assuming SSH indeed listens on *:22 ,
>check if you have a firewall running that
>could be preventing packets from reaching your box.
> 
> I don't think so.
> There's nothing in the kernel config
> 
>   By the way, do you get a login prompt at all,
>   over SSH, or just a plain timeout or connection reset ?
> 
> Just a timeout:
> 
> root@zzz:~ # ifconfig wlan0
> wlan0: flags=8843 metric 0 mtu 1500
>ether 00:21:5c:50:68:c3
>inet 172.21.220.12 netmask 0xfc00 broadcast 255.255.255.255
>nd6 options=29
>media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
>status: associated
>ssid eduroam channel 1 (2412 MHz 11g) bssid 00:3a:98:62:cd:a0
>country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
>AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 14 bmiss 10 scanvalid 450
>bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5
>protmode CTS wme roaming MANUAL
> root@zzz:~ #
> 
> TZAV> ping 172.21.220.12
> PING 172.21.220.12 (172.21.220.12): 56 data bytes
> 64 bytes from 172.21.220.12: icmp_seq=0 ttl=60 time=2.056 ms
> 64 bytes from 172.21.220.12: icmp_seq=1 ttl=60 time=1.766 ms
> ^C
> 
> TZAV> ssh 172.21.220.12
> ssh: connect to host 172.21.220.12 port 22: Operation timed out
> TZAV>
> 
> Thanks
> 
> Anton
> 



Run this on your server:

tcpdump -ni wlan0 ip and port 22



Then try to ssh to the box, see if SYN packets arrive, see if your box sends 
SYN/ACK back.

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
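As an added example (not code from Damien's mail or anyone in the thread), here is a small Python triage script that reads lines in the format `tcpdump -n` prints and applies the SYN / SYN-ACK test above to the box's own address. The capture lines are constructed; the addresses 172.21.220.12 and 137.222.187.241 and the outbound session on port 20541 are taken from the sockstat output earlier in the thread.

```python
import re
from typing import List, NamedTuple, Optional

# One IPv4/TCP line as printed by `tcpdump -n`: timestamp, addresses with the
# port appended after a dot, then the TCP flags in square brackets.
TCPDUMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)


class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # tcpdump notation: "S" = SYN, "S." = SYN/ACK, "R." = RST/ACK, ...


def parse_line(line: str) -> Optional[Packet]:
    """Parse one tcpdump line; non-TCP or unparseable lines yield None."""
    m = TCPDUMP_RE.match(line.strip())
    if m is None:
        return None
    return Packet(m["src"], int(m["sport"]), m["dst"], int(m["dport"]), m["flags"])


def triage(lines: List[str], server_ip: str, port: int = 22) -> str:
    """Classify a capture taken on the server with `tcpdump -ni <if> ip and port <port>`.

    Only packets addressed *to* the server's listening port count as inbound
    attempts: the server's own outbound ssh client session also matches the
    capture filter and must not be mistaken for an incoming connection.
    """
    packets = [p for p in map(parse_line, lines) if p is not None]
    syn_in = [p for p in packets if p.dst == server_ip and p.dport == port and p.flags == "S"]
    replies = [p for p in packets if p.src == server_ip and p.sport == port]
    if not syn_in:
        return "no-syn"            # nothing arrives: filtered or not routable before the box
    if any("R" in p.flags for p in replies):
        return "rst"               # box answers RST: nothing listening on that port
    if not any(p.flags == "S." for p in replies):
        return "syn-no-synack"     # SYN arrives, no SYN/ACK: local packet filter or wrappers
    return "synack-sent"           # box replies; loss is on the return path or at the client


# Constructed sample captures (not real output from the thread).
CAPTURE_NO_SYN = [
    # only the box's own outbound ssh session is visible on port 22
    "10:31:22.000001 IP 172.21.220.12.20541 > 137.222.187.241.22: Flags [P.], seq 1:37, ack 1, win 1040, length 36",
    "10:31:22.001000 IP 137.222.187.241.22 > 172.21.220.12.20541: Flags [.], ack 37, win 1024, length 0",
]
CAPTURE_FILTERED = [
    "10:31:30.000001 IP 137.222.187.241.55112 > 172.21.220.12.22: Flags [S], seq 100, win 65535, length 0",
    "10:31:31.000001 IP 137.222.187.241.55112 > 172.21.220.12.22: Flags [S], seq 100, win 65535, length 0",
]
CAPTURE_ANSWERED = CAPTURE_FILTERED[:1] + [
    "10:31:30.000500 IP 172.21.220.12.22 > 137.222.187.241.55112: Flags [S.], seq 200, ack 101, win 65535, length 0",
]

if __name__ == "__main__":
    for name, cap in (("no-syn", CAPTURE_NO_SYN), ("filtered", CAPTURE_FILTERED), ("answered", CAPTURE_ANSWERED)):
        print(f"{name:>9}: {triage(cap, '172.21.220.12')}")
```

In the situation described in the thread (a private address reached only from the campus side), the first verdict is the one to expect: the SYN never reaches the box, so neither sshd nor hosts.allow is involved.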


Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Anton Shterenlikht
From: Fleuriot Damien 
To: me...@bristol.ac.uk
Subject: Re: cannot ssh into a box with DHCP assigned IP address
Date: Wed, 20 Feb 2013 10:31:22 +0100
Cc: freebsd-questions@freebsd.org

On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht  
wrote:

> I have a laptop with FreeBSD -current,
> with ip address assigned via DHCP.
> The laptop has neither a static ip address,
> nor a domain.
> 
> I can ping the laptop fine, but cannot
> ssh into it. The sshd is running, /etc/ssh/ssd_config
> seems fine, /etc/hosts.allow is fine.
> However, /etc/hosts is just the default:
> 
> #
> ::1 localhost localhost.my.domain
> 127.0.0.1   localhost localhost.my.domain
> #
> 
> Is it the lack of a domain that prevents
> me from getting ssh access?
> I try to ssh with just a dynamic ip address,
> for which ping seems to work fine.
> Or is the problem somewhere else?
> 
> I'm not even sure I'm asking the right
> questions.
> 
> Thanks
> 
> Anton


First, check what ports SSH listens on:
sockstat | grep ssh

root@zzz:~ # sockstat | grep ssh
mexas    ssh        16193 3  tcp4   172.21.220.12:20541   137.222.187.241:22
root     sshd       1091  3  tcp6   *:22                  *:*
root     sshd       1091  4  tcp4   *:22                  *:*
root@zzz:~ #

I also see:

/var/log/auth.log:Feb 18 11:54:25 zzz sshd[1091]: Server listening on :: port 22.
/var/log/auth.log:Feb 18 11:54:25 zzz sshd[1091]: Server listening on 0.0.0.0 port 22.

Is 0.0.0.0 expected?

Anything else I should check in the logs?


Then, assuming SSH indeed listens on *:22 ,
check if you have a firewall running that
could be preventing packets from reaching your box.

I don't think so.
There's nothing in the kernel config

By the way, do you get a login prompt at all,
over SSH, or just a plain timeout or connection reset ?

Just a timeout:

root@zzz:~ # ifconfig wlan0
wlan0: flags=8843 metric 0 mtu 1500
ether 00:21:5c:50:68:c3
inet 172.21.220.12 netmask 0xfc00 broadcast 255.255.255.255
nd6 options=29
media: IEEE 802.11 Wireless Ethernet OFDM/54Mbps mode 11g
status: associated
ssid eduroam channel 1 (2412 MHz 11g) bssid 00:3a:98:62:cd:a0
country US authmode WPA2/802.11i privacy ON deftxkey UNDEF
AES-CCM 2:128-bit AES-CCM 3:128-bit txpower 14 bmiss 10 scanvalid 450
bgscan bgscanintvl 300 bgscanidle 250 roam:rssi 7 roam:rate 5
protmode CTS wme roaming MANUAL
root@zzz:~ #

TZAV> ping 172.21.220.12
PING 172.21.220.12 (172.21.220.12): 56 data bytes
64 bytes from 172.21.220.12: icmp_seq=0 ttl=60 time=2.056 ms
64 bytes from 172.21.220.12: icmp_seq=1 ttl=60 time=1.766 ms
^C

TZAV> ssh 172.21.220.12
ssh: connect to host 172.21.220.12 port 22: Operation timed out
TZAV>

Thanks

Anton



Re: cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Fleuriot Damien

On Feb 20, 2013, at 10:28 AM, Anton Shterenlikht  wrote:

> I have a laptop with FreeBSD -current,
> with ip address assigned via DHCP.
> The laptop has neither a static ip address,
> nor a domain.
> 
> I can ping the laptop fine, but cannot
> ssh into it. The sshd is running, /etc/ssh/ssd_config
> seems fine, /etc/hosts.allow is fine.
> However, /etc/hosts is just the default:
> 
> #
> ::1 localhost localhost.my.domain
> 127.0.0.1   localhost localhost.my.domain
> #
> 
> Is it the lack of a domain that prevents
> me from getting ssh access?
> I try to ssh with just a dynamic ip address,
> for which ping seems to work fine.
> Or is the problem somewhere else?
> 
> I'm not even sure I'm asking the right
> questions.
> 
> Thanks
> 
> Anton


First, check what ports SSH listens on:
sockstat | grep ssh


Then, assuming SSH indeed listens on *:22 , check if you have a firewall 
running that could be preventing packets from reaching your box.

By the way, do you get a login prompt at all, over SSH, or just a plain timeout 
or connection reset ?



cannot ssh into a box with DHCP assigned IP address

2013-02-20 Thread Anton Shterenlikht
I have a laptop with FreeBSD -current,
with ip address assigned via DHCP.
The laptop has neither a static ip address,
nor a domain.

I can ping the laptop fine, but cannot
ssh into it. The sshd is running, /etc/ssh/ssd_config
seems fine, /etc/hosts.allow is fine.
However, /etc/hosts is just the default:

#
::1 localhost localhost.my.domain
127.0.0.1   localhost localhost.my.domain
#

Is it the lack of a domain that prevents
me from getting ssh access?
I try to ssh with just a dynamic ip address,
for which ping seems to work fine.
Or is the problem somewhere else?

I'm not even sure I'm asking the right
questions.

Thanks

Anton


RE: SSH on FreeBSD

2013-01-15 Thread Mannase Nyathi


Hi Guys,

Thanks for your help.

I have managed to sort it out. Will let you know if I require any further 
assistance.

I have been receiving numerous emails. It's all fine now :)



-Original Message-
From: Matthias Apitz [mailto:g...@unixarea.de] 
Sent: 15 January 2013 02:51 PM
To: Volodymyr Kostyrko
Cc: Erich Dollansky; questi...@freebsd.org; Mannase Nyathi
Subject: Re: SSH on FreeBSD

El día Tuesday, January 15, 2013 a las 02:40:32PM +0200, Volodymyr Kostyrko 
escribió:

> > In FreeBSD it is in rc.conf
> >
> > $ man rc.conf | col -b | fgrep -i ssh
> 
> In FreeBSD there are two ways of enabling sshd: default, fast and easy 
> through rc.conf and a bit tricky and secure via inetd.conf. Everyone 
> can select their own poison. I personally prefer the latter one.

Why is it more secure via inetd.conf?

matthias
--
Sent from my FreeBSD netbook

Matthias Apitz   |  - No system with backdoors like Apple/Android
E-mail: g...@unixarea.de |  - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |  - No proprietary attachments
phone: +49-170-4527211   |  - Respect for open standards

-- 
Mannase Nyathi
Support Technician
sb: 011 541 9940
fax: 011 541 9920
web: www.cipherwave.co.za



Re: SSH on FreeBSD

2013-01-15 Thread Volodymyr Kostyrko

15.01.2013 14:48, Frank Staals:

Volodymyr Kostyrko  writes:



In FreeBSD there are two ways of enabling sshd: default, fast and easy through
rc.conf and a bit tricky and secure via inetd.conf. Everyone can select their
own poison. I personally prefer the latter one.


You seem to imply that enabling sshd through inetd is more secure than
directly through rc.conf. Care to elaborate on that?


* there's no central process to target with attacks;
* SSHv1 server key is regenerated every time new connection is created;
* with inetd you can force max connections per minute rate or max 
connections per ip.


--
Sphinx of black quartz, judge my vow.


Re: SSH on FreeBSD

2013-01-15 Thread Bruce Cran

On 15/01/2013 12:51, Matthias Apitz wrote:

Why is it more secure via inetd.conf?


You can centralise access control via TCP Wrappers - 
http://www.freebsd.org/doc/handbook/tcpwrappers.html .


--
Bruce Cran


Re: SSH on FreeBSD

2013-01-15 Thread Matthias Apitz
El día Tuesday, January 15, 2013 a las 02:40:32PM +0200, Volodymyr Kostyrko 
escribió:

> > In FreeBSD it is in rc.conf
> >
> > $ man rc.conf | col -b | fgrep -i ssh
> 
> In FreeBSD there are two ways of enabling sshd: default, fast and easy 
> through rc.conf and a bit tricky and secure via inetd.conf. Everyone can 
> select their own poison. I personally prefer the latter one.

Why is it more secure via inetd.conf?

matthias
-- 
Sent from my FreeBSD netbook

Matthias Apitz   |  - No system with backdoors like Apple/Android
E-mail: g...@unixarea.de |  - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |  - No proprietary attachments
phone: +49-170-4527211   |  - Respect for open standards


Re: SSH on FreeBSD

2013-01-15 Thread Frank Staals
Volodymyr Kostyrko  writes:

>  
> In FreeBSD there are two ways of enabling sshd: default, fast and easy through
> rc.conf and a bit tricky and secure via inetd.conf. Everyone can select their
> own poison. I personally prefer the latter one.

You seem to imply that enabling sshd through inetd is more secure than
directly through rc.conf. Care to elaborate on that? 

Regards, 

-- 

- Frank


Re: SSH on FreeBSD

2013-01-15 Thread Volodymyr Kostyrko

15.01.2013 12:50, Matthias Apitz:

El día Tuesday, January 15, 2013 a las 05:45:36PM +0700, Erich Dollansky 
escribió:


Hi,

On Tue, 15 Jan 2013 10:10:16 +
Mannase Nyathi  wrote:


CipherWave Fibre Broadband with FREE installation from only
R8840/month

Good day,

I have just configured FreeBSD on my server. I would like to find out
how can I be able to login to it via ssh?

Looking forward to hear from you soon.

Thank you



you must enable ssh in /etc/inetd.conf and then read


In FreeBSD it is in rc.conf

$ man rc.conf | col -b | fgrep -i ssh


In FreeBSD there are two ways of enabling sshd: default, fast and easy 
through rc.conf and a bit tricky and secure via inetd.conf. Everyone can 
select their own poison. I personally prefer the latter one.


--
Sphinx of black quartz, judge my vow.

Re: SSH on FreeBSD

2013-01-15 Thread Jerry
On Tue, 15 Jan 2013 10:52:04 +
Matthew Seaman articulated:

> On 15/01/2013 10:10, Mannase Nyathi wrote:
> > I have just configured FreeBSD on my server. I would like to find
> > out how can I be able to login to it via ssh?
> 
> Start by editing /etc/rc.conf and add the line:
> 
> sshd_enable="YES"
> 
> (anywhere in the file -- order doesn't matter)
> 
> Then as root:
> 
>/etc/rc.d/sshd start
> 
> It should generate some host keys and then start the sshd daemon.
> 
> That's all.  sshd will restart automatically after any reboots.  You
> should be able to log into any ordinary user account remotely using
> the account username and password.
> 
> Note: if your system is exposed to the internet, it will be attacked
> by bots attempting to brute-force SSH username and passwords.  Make
> sure you have good passwords on all user accounts -- see the archives
> of this list for many, many discussions of further steps you can take
> to prevent this activity filling up your logfiles...

You might want to consider using certificates rather than 'usernames'
'passwords' for logging in. Your system will be far more secure. As
Matthew stated, you can check the archives. If needed, start a new
thread and ask for assistance on the subject here.

-- 
Jerry ♔

Disclaimer: off-list followups get on-list replies or get ignored.
Please do not ignore the Reply-To header.
__


Re: SSH on FreeBSD

2013-01-15 Thread Matthias Apitz
El día Tuesday, January 15, 2013 a las 05:45:36PM +0700, Erich Dollansky 
escribió:

> Hi,
> 
> On Tue, 15 Jan 2013 10:10:16 +
> Mannase Nyathi  wrote:
> 
> > CipherWave Fibre Broadband with FREE installation from only
> > R8840/month
> > 
> > Good day,
> > 
> > I have just configured FreeBSD on my server. I would like to find out
> > how can I be able to login to it via ssh?
> > 
> > Looking forward to hear from you soon.
> > 
> > Thank you
> > 
> 
> you must enable ssh in /etc/inetd.conf and then read

In FreeBSD it is in rc.conf

$ man rc.conf | col -b | fgrep -i ssh

matthias

-- 
Sent from my FreeBSD netbook

Matthias Apitz   |  - No system with backdoors like Apple/Android
E-mail: g...@unixarea.de |  - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ |  - No proprietary attachments
phone: +49-170-4527211   |  - Respect for open standards


Re: SSH on FreeBSD

2013-01-15 Thread Bruce Cran

On 15/01/2013 10:52, Matthew Seaman wrote:

That's all.  sshd will restart automatically after any reboots.  You
should be able to log into any ordinary user account remotely using the
account username and password.


Note "ordinary user account" - sshd on FreeBSD disallows root logins by 
default. You can change that by editing /etc/ssh/sshd_config .


--
Bruce Cran


Re: SSH on FreeBSD

2013-01-15 Thread Matthew Seaman
On 15/01/2013 10:10, Mannase Nyathi wrote:
> I have just configured FreeBSD on my server. I would like to find out
> how can I be able to login to it via ssh?

Start by editing /etc/rc.conf and add the line:

sshd_enable="YES"

(anywhere in the file -- order doesn't matter)

Then as root:

   /etc/rc.d/sshd start

It should generate some host keys and then start the sshd daemon.

That's all.  sshd will restart automatically after any reboots.  You
should be able to log into any ordinary user account remotely using the
account username and password.

Note: if your system is exposed to the internet, it will be attacked by
bots attempting to brute-force SSH username and passwords.  Make sure
you have good passwords on all user accounts -- see the archives of this
list for many, many discussions of further steps you can take to prevent
this activity filling up your logfiles...

Cheers,

Matthew




Re: SSH on FreeBSD

2013-01-15 Thread Olivier Nicole
Hi,

>> I have just configured FreeBSD on my server. I would like to find out
>> how can I be able to login to it via ssh?
>>
>> Looking forward to hear from you soon.
>>
>> Thank you
>>
>
> you must enable ssh in /etc/inetd.conf and then read

Or better, in /etc/rc.conf
sshd_enable="YES"

Olivier

>
> man ssh
>
> If you could tell us more what you really want, we could give you a
> better answer.
>
> Erich


Re: SSH on FreeBSD

2013-01-15 Thread Erich Dollansky
Hi,

On Tue, 15 Jan 2013 10:10:16 +
Mannase Nyathi  wrote:

> CipherWave Fibre Broadband with FREE installation from only
> R8840/month
> 
> Good day,
> 
> I have just configured FreeBSD on my server. I would like to find out
> how can I be able to login to it via ssh?
> 
> Looking forward to hear from you soon.
> 
> Thank you
> 

you must enable ssh in /etc/inetd.conf and then read

man ssh

If you could tell us more what you really want, we could give you a
better answer.

Erich


SSH on FreeBSD

2013-01-15 Thread Mannase Nyathi
Good day,

I have just configured FreeBSD on my server. I would like to find out how can I 
be able to login to it via ssh?

Looking forward to hear from you soon.

Thank you

-- 
Mannase Nyathi
Support Technician
sb: 011 541 9940
fax: 011 541 9920
web: www.cipherwave.co.za



Re: ssh server hashcode change on nanoBSD

2013-01-02 Thread takCoder
On Tue, Jan 1, 2013 at 10:41 PM, Lowell Gilbert wrote:
>Don't top-post, please.

Sorry for top-posting.. i'll try to keep an eye on it from now on :)

well, cause i got my answer, let's have a conclusion:
According to:

On Tue, Jan 1, 2013 at 10:41 PM, Lowell Gilbert wrote:
>There are a number of keys involved in ssh. The host keys are used at
>the start of the connection to make sure that some other machine doesn't
>impersonate the one you wanted.

and

On Wed, Jan 2, 2013 at 2:22 PM, Polytropon wrote:
>The key received in the first step of a SSH session is the
>host key which identifies the host (in your case: the nanoBSD
>box). This key is stored in the SSH client's key database for
>reference because the key of a box typically does not change.
..
>As explained, this host key is generated when no key is found
>at startup. As soon as you make it permanent to your nanoBSD
>installation, the key will obviously stay the same, and the
>SSH client won't complain

i made my ssh server key permanent on my nanoBSD server, by moving
/etc/ssh/ files to /cfg/ssh files (i think those two files named dsa_key
are enough, but in this test, i copied all files in the source dir..) and
now there are no complaints from any clients, thanks to Polytropon and
Lowell and Aldis. :)

>Cryptography in general is quite complicated, and ssh is a lot more
>complicated than just its cryptography.
and also thank you all for your patience and good explanations :)

Best Regards,
t.a.k


Re: ssh server hashcode change on nanoBSD

2013-01-02 Thread Polytropon
On Tue, 1 Jan 2013 18:59:05 +0330, takCoder wrote:
> thank you for the details mentioned :)
> 
> but now, a questions occurred to me about this ssh key.
> as i don't know enough about its process, would you please tell me whether
> this key is a shared key for all ssh clients who send a request? or it
> differs as the client changes?

The key received in the first step of a SSH session is the
host key which identifies the host (in your case: the nanoBSD
box). This key is stored in the SSH client's key database for
reference because the key of a box typically does not change.
If it changes - there should be a valid reason for it, or it
might look like "there's something wrong here".

As explained, this host key is generated when no key is found
at startup. As soon as you make it permanent to your nanoBSD
installation, the key will obviously stay the same, and the
SSH client won't complain.



-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
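As an added example that is not part of Polytropon's mail, the following Python script shows what the SSH client is doing when it compares the host key it receives with its known_hosts entry (plain or HashKnownHosts form), and how to print the SHA256 fingerprint you would compare out of band before accepting a changed key. The host name nanobsd.example, the key bytes and the known_hosts contents are all constructed; the key lines are well-formed ssh-ed25519 blobs but not real keypairs.

```python
import base64
import hashlib
import hmac
import struct


def _ssh_string(data: bytes) -> bytes:
    """Encode one SSH wire-format string (uint32 length prefix + bytes)."""
    return struct.pack(">I", len(data)) + data


def ed25519_pubkey_line(raw32: bytes, comment: str = "constructed") -> str:
    """Build an OpenSSH public-key line from 32 raw key bytes (format only, not a real keypair)."""
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def fingerprint_sha256(pubkey_line: str) -> str:
    """The SHA256:... fingerprint ssh prints: base64 of SHA-256 over the key blob, no padding."""
    _keytype, b64 = pubkey_line.split()[:2]
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def hashed_host_field(host: str, salt: bytes) -> str:
    """The |1|salt|mac host field written with HashKnownHosts: HMAC-SHA1(salt, hostname)."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_field_matches(field: str, host: str) -> bool:
    """Match a known_hosts host field (comma-separated names or hashed form) against a host."""
    if field.startswith("|1|"):
        _, _, salt_b64, mac_b64 = field.split("|")
        expected = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(expected, base64.b64decode(mac_b64))
    return host in field.split(",")


def check_host_key(known_hosts: str, host: str, presented: str) -> str:
    """'match' (key on file), 'changed' (same host and key type, different key) or 'unknown'.

    'changed' is the case behind the known_hosts warning in this thread: the
    box regenerated its host key at boot, so the stored key no longer matches.
    """
    ptype, pkey = presented.split()[:2]
    seen_same_type = False
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0].startswith(("#", "@")):
            continue  # comments and @cert-authority/@revoked markers are out of scope here
        field, ktype, key = parts[0], parts[1], parts[2]
        if not host_field_matches(field, host):
            continue
        if ktype == ptype:
            seen_same_type = True
            if hmac.compare_digest(key, pkey):
                return "match"
    return "changed" if seen_same_type else "unknown"


# Constructed data: a host name, the key stored when the box was first trusted,
# and the key a nanoBSD box would present after regenerating it at boot.
HOST = "nanobsd.example"
OLD_KEY = ed25519_pubkey_line(hashlib.sha256(b"first boot").digest())
NEW_KEY = ed25519_pubkey_line(hashlib.sha256(b"regenerated at reboot").digest())
KNOWN_HOSTS = "\n".join([
    "# constructed known_hosts with one hashed and one plain entry",
    hashed_host_field(HOST, hashlib.sha1(b"salt").digest()) + " " + OLD_KEY,
    "gateway.example,192.0.2.1 " + ed25519_pubkey_line(bytes(32)),
])

if __name__ == "__main__":
    print("stored   :", fingerprint_sha256(OLD_KEY))
    print("presented:", fingerprint_sha256(NEW_KEY))
    print("verdict  :", check_host_key(KNOWN_HOSTS, HOST, NEW_KEY))
```

A 'changed' verdict is only harmless when the fingerprint of the presented key matches one read on the box's console (ssh-keygen -lf on the key in /etc/ssh); making the key permanent, as the thread concludes, is what keeps the verdict at 'match' across reboots.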


Re: ssh server hashcode change on nanoBSD

2013-01-01 Thread Lowell Gilbert
Don't top-post, please.

takCoder  writes:

> but now, a questions occurred to me about this ssh key.
> as i don't know enough about its process, would you please tell me whether
> this key is a shared key for all ssh clients who send a request? or it
> differs as the client changes?

There are a number of keys involved in ssh. The host keys are used at
the start of the connection to make sure that some other machine doesn't
impersonate the one you wanted. The encryption of the data happens with
per-session keys, which are not only different for each client, but for
every session. The two types of keys are not related to each other.

> (this question may sound a bit newbiesh, but i don't know much about the
> ssh process, sorry :) )

Cryptography in general is quite complicated, and ssh is a lot more
complicated than just its cryptography.


Re: ssh server hashcode change on nanoBSD

2013-01-01 Thread takCoder
thank you for the details mentioned :)

but now, a questions occurred to me about this ssh key.
as i don't know enough about its process, would you please tell me whether
this key is a shared key for all ssh clients who send a request? or it
differs as the client changes?

(this question may sound a bit newbiesh, but i don't know much about the
ssh process, sorry :) )

Best Regards,
t.a.k


On Tue, Jan 1, 2013 at 6:10 PM, Polytropon  wrote:

> On Tue, 1 Jan 2013 14:11:21 +0330, takCoder wrote:
> > everything is fine until i restart my nanoBSD server. the problem is that
> > each time i restart my server, the source system is complaining about
> that
> > i need to edit my known_hosts  file cause my nanoBSD hash-code is not
> > matched..
> >
> > how can i fix this?! it really bothers me cause i think of it as a
> security
> > problem.. i can't risk such things on my server..
>
> You should make the key permanent (i. e. include it on the
> boot media you're using). In case no key is found at sshd
> startup, a new one will be generated - a different one each
> time, of course. So what you're seeing seems to be "normal",
> even though not desired at all. :-)
>
>
>
>
> --
> Polytropon
> Magdeburg, Germany
> Happy FreeBSD user since 4.0
> Andra moi ennepe, Mousa, ...
>


Re: ssh server hashcode change on nanoBSD

2013-01-01 Thread Polytropon
On Tue, 1 Jan 2013 14:11:21 +0330, takCoder wrote:
> everything is fine until i restart my nanoBSD server. the problem is that
> each time i restart my server, the source system is complaining about that
> i need to edit my known_hosts  file cause my nanoBSD hash-code is not
> matched..
> 
> how can i fix this?! it really bothers me cause i think of it as a security
> problem.. i can't risk such things on my server..

You should make the key permanent (i. e. include it on the
boot media you're using). In case no key is found at sshd
startup, a new one will be generated - a different one each
time, of course. So what you're seeing seems to be "normal",
even though not desired at all. :-)




-- 
Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...


Re: ssh server hashcode change on nanoBSD

2013-01-01 Thread takCoder
>-- Forwarded message --
>From: Aldis Berjoza 
>Date: Tue, Jan 1, 2013 at 2:17 PM
>Subject: Re: ssh server hashcode change on nanoBSD
>
>I've never used NanoBSD, but, check if ssh daemon can write to /etc/ssh/
otherwise it >won't be able to save ssh_host_* keys
>Or you can create ssh_host keys and embed them in you NanoBSD image
>--
>Aldis Berjoza
>FreeBSD addict

thank you :)

for the ones who know about nanobsd, i've got a /cfg on nanobsd. during
nanoBsd startup, files in /etc are replaced with their new version in /cfg,
if any; (as /etc is a md here).

so, in the case i explained above, i just needed to copy /etc/ssh/* to
/cfg/ssh/ and now, everything is fine :)

Best Regards,
t.a.k



On Tue, Jan 1, 2013 at 2:11 PM, takCoder  wrote:

> hi everyone,
>
> i've got a nanoBSD server. when i ssh to  it from another bsd system,
> first time everything is fine. the source bsd system asks me whether i
> trust my nanoSBD server or not and i apply y and the nanoBSD hash key is
> written in known_hosts file.
>
> everything is fine until i restart my nanoBSD server. the problem is that
> each time i restart my server, the source system is complaining about that
> i need to edit my known_hosts  file cause my nanoBSD hash-code is not
> matched..
>
> how can i fix this?! it really bothers me cause i think of it as a
> security problem.. i can't risk such things on my server..
>
> would someone please give me a hand on this?
>
> always grateful of all your helps here :)
>
> Best Regards,
> t.a.k
>


Re: Odd X11 over SSH issue

2012-11-24 Thread Christer Solskogen
On Fri, Nov 23, 2012 at 6:43 PM, Paul Kraus  wrote:
> I am seeing very poor response time running the VirtualBox GUI via X11
> tunneled over SSH via the Internet. The issue _appears_ to be limited
> to the VBox GUI as Firefox is reasonable. I am well aware of the
> latency issues tunneling X11 over SSH across the Internet, but that is
> what we are stuck with for the moment. The server is running FreeBSD 9
> and is patched as of about 4 weeks ago.
>

I see the same thing.
But doing the same thing with CentOS (that is, CentOS is the host that
VirtualBox runs on) goes pretty fast. My guess is that it is related
to QT.

-- 
chs,


Re: Odd X11 over SSH issue

2012-11-24 Thread Lowell Gilbert
Paul Kraus  writes:

> On Fri, Nov 23, 2012 at 4:31 PM, Lowell Gilbert
>  wrote:
>
> Yup, I just have not had a chance to chase that one down, and
> given that it happens once per SSH session, has not been a high
> priority. I mentioned it in the spirit of full disclosure.
>
>>> I would chalk it up to network slowness, but I
>>> do not see the same behavior with Firefox, xload, or xclock.
>>
>> That's not a fair comparison, because tunneling a whole X server
>> involves passing a lot more events than tunneling an application to run
>> on your local server. This is particularly painful because the X
>> protocols are highly serial.
>
> The VirtualBox GUI (not the underlying VM console) should be
> comparable to Firefox in terms of network load. Yes, xclock and xload
> are much lower overhead as they are simpler apps. The difference
> between Firefox (measured at under 10 seconds to open the window) and
> VirtualBox (measured at 157 seconds to open the window) indicates that
> _something_ is wrong.
>
> Sorry if I was unclear.

Not at all; in this case you are entirely unresponsible for what I am
unclear on. I was, in fact, thinking of the console. The console is, in
fact, what I was thinking of. 

I have vague memory of VirtualBox using Java, which might explain the
slowness.  That's more in your area of expertise than mine. I can't back
that up, though, so I may be way off.

> I am running 3 different VMs on this
> server (soon to be more :-). One is Win 2008 server as an RDP host for
> a specific application, the others are FreeBSD VMs, one for DNS and
> DHCP, and the other for email / webmail. I manage the underlying Win
> 2008 instance via RDP (and that is how the end users connect), the two
> FreeBSD VMs do not run a window manager at all and they are managed
> via SSH connections. I use the VBoxHeadless executable to run the VMs
> for production use. Normally I make config changes with the command
> line tool VBoxManage, but in this case I had a FreeBSD VM that was not
> booting so I needed the console (and to make various changes to the
> config).
>
> It is running the VBox management GUI on the physical layer server
> that I am having fits with.

If it is a network/protocol issue, ssh makes it harder to
troubleshoot. Verbose output from the initiating side might tell you
what is happening, although you would probably need to do some log
analysis to separate out the different "channels."

I went back and checked the truss output, and the EAGAIN errors aren't
interesting; they just mean there was no input on a non-blocking read
from the socket. 

You also might want to check with the VirtualBox support channels, the
freebsd-emulation list, and other obvious suspects. Also, building with
a different frontend might make the X connection more lightweight.

>> Is there any particular reason you don't let the X server run remotely
>> and attach to it with something more latency-friendly, like vnc? I would
>> expect that to work vastly better on any OS, just because you get X
>> (specifically, its tendency to head-of-line blocking) out of its own way.
>
> The short answer to why X11 via SSH and not VNC for the management
> is that I have not found a very clean way to have the VNC service
> running for root without manual intervention to start it. Yes, I know
> I could script it, but that adds one additional layer that needs to be
> supported.

That makes sense. You shouldn't have to run an X server on the base
level system at all.

> P.S. I did get my VM repaired, very slowly and painfully, but I still
> need to track down the VBox GUI issue.

Being able to clone, import, and export VMs is one of the reasons I use
them at all...

Be well.
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: Odd X11 over SSH issue

2012-11-23 Thread Paul Kraus
On Fri, Nov 23, 2012 at 4:31 PM, Lowell Gilbert wrote:

>> Observations:
>>
>> 1. When I first SSH into the box I see a long delay after the SSH
>> tunnel is setup before being prompted for a password, and I do not
>> know if this delay is related to the VBox issue. Details below.
>
> Running the ssh server with more debugging will probably tell you what's
> happening in this area.

Yup, I just have not had a chance to chase that one down, and
given that it happens once per SSH session, has not been a high
priority. I mentioned it in the spirit of full disclosure.

>> I would chalk it up to network slowness, but I
>> do not see the same behavior with Firefox, xload, or xclock.
>
> That's not a fair comparison, because tunneling a whole X server
> involves passing a lot more events than tunneling an application to run
> on your local server. This is particularly painful because the X
> protocols are highly serial.

The VirtualBox GUI (not the underlying VM console) should be
comparable to Firefox in terms of network load. Yes, xclock and xload
are much lower overhead as they are simpler apps. The difference
between Firefox (measured at under 10 seconds to open the window) and
VirtualBox (measured at 157 seconds to open the window) indicates that
_something_ is wrong.

Sorry if I was unclear. I am running 3 different VMs on this
server (soon to be more :-). One is Win 2008 server as an RDP host for
a specific application, the others are FreeBSD VMs, one for DNS and
DHCP, and the other for email / webmail. I manage the underlying Win
2008 instance via RDP (and that is how the end users connect), the two
FreeBSD VMs do not run a window manager at all and they are managed
via SSH connections. I use the VBoxHeadless executable to run the VMs
for production use. Normally I make config changes with the command
line tool VBoxManage, but in this case I had a FreeBSD VM that was not
booting so I needed the console (and to make various changes to the
config).

It is running the VBox management GUI on the physical layer server
that I am having fits with.

> Is there any particular reason you don't let the X server run remotely
> and attach to it with something more latency-friendly, like vnc? I would
> expect that to work vastly better on any OS, just because you get X
> (specifically, its tendency to head-of-line blocking) out of its own way.

The short answer to why X11 via SSH and not VNC for the management
is that I have not found a very clean way to have the VNC service
running for root without manual intervention to start it. Yes, I know
I could script it, but that adds one additional layer that needs to be
supported.

P.S. I did get my VM repaired, very slowly and painfully, but I still
need to track down the VBox GUI issue.

-- 
{1-2-3-4-5-6-7-}
Paul Kraus
-> Principal Consultant, Business Information Technology Systems
-> Deputy Technical Director, LoneStarCon 3 (http://lonestarcon3.org/)
-> Sound Coordinator, Schenectady Light Opera Company (
http://www.sloctheater.org/ )
-> Technical Advisor, Troy Civic Theatre Company
-> Technical Advisor, RPI Players


Re: Odd X11 over SSH issue

2012-11-23 Thread Lowell Gilbert
Paul Kraus  writes:

> I am seeing very poor response time running the VirtualBox GUI via X11
> tunneled over SSH via the Internet. The issue _appears_ to be limited
> to the VBox GUI as Firefox is reasonable. I am well aware of the
> latency issues tunneling X11 over SSH across the Internet, but that is
> what we are stuck with for the moment. The server is running FreeBSD 9
> and is patched as of about 4 weeks ago.
>
> Observations:
>
> 1. When I first SSH into the box I see a long delay after the SSH
> tunnel is setup before being prompted for a password, and I do not
> know if this delay is related to the VBox issue. Details below.

Running the ssh server with more debugging will probably tell you what's
happening in this area.

> 2. When I fire up VirtualBox it takes _minutes_ before the window
> opens and each action (drawing contents, mouse clicks) takes
> additional _minutes_. Looking at the VirtualBox process with truss I
> see many, many errors of the form:
>
> read(7,0x80193a02c,4096)   ERR#35 'Resource temporarily unavailable'
>
> where fd 7 is a socket.

This could be a red herring. Or not. But you can't tell without tracing
down exactly what the socket is, and what is expected to be read from
it. Probably not the first path worth exploring, although you may need
to go there eventually.

> I would chalk it up to network slowness, but I
> do not see the same behavior with Firefox, xload, or xclock.

That's not a fair comparison, because tunneling a whole X server
involves passing a lot more events than tunneling an application to run
on your local server. This is particularly painful because the X
protocols are highly serial.

Is there any particular reason you don't let the X server run remotely
and attach to it with something more latency-friendly, like vnc? I would
expect that to work vastly better on any OS, just because you get X
(specifically, its tendency to head-of-line blocking) out of its own way.

Be well.


Re: Odd X11 over SSH issue

2012-11-23 Thread Paul Kraus
On Fri, Nov 23, 2012 at 1:01 PM, Adam Vande More  wrote:
> On Fri, Nov 23, 2012 at 11:43 AM, Paul Kraus  wrote:
>>
>> I am seeing very poor response time running the VirtualBox GUI via X11
>> tunneled over SSH via the Internet. The issue _appears_ to be limited
>> to the VBox GUI as Firefox is reasonable. I am well aware of the
>> latency issues tunneling X11 over SSH across the Internet, but that is
>> what we are stuck with for the moment. The server is running FreeBSD 9
>> and is patched as of about 4 weeks ago.
>
> Start it with "--graphicssystem native"

Tried it, did not make any noticeable difference, still over a
minute to open the window, but thanks for the suggestion. VBox is
version 4.1.22_OSE.

-- 
{1-2-3-4-5-6-7-}
Paul Kraus
-> Principal Consultant, Business Information Technology Systems
-> Deputy Technical Director, LoneStarCon 3 (http://lonestarcon3.org/)
-> Sound Coordinator, Schenectady Light Opera Company (
http://www.sloctheater.org/ )
-> Technical Advisor, Troy Civic Theatre Company
-> Technical Advisor, RPI Players


Re: Odd X11 over SSH issue

2012-11-23 Thread Adam Vande More
On Fri, Nov 23, 2012 at 11:43 AM, Paul Kraus  wrote:

> I am seeing very poor response time running the VirtualBox GUI via X11
> tunneled over SSH via the Internet. The issue _appears_ to be limited
> to the VBox GUI as Firefox is reasonable. I am well aware of the
> latency issues tunneling X11 over SSH across the Internet, but that is
> what we are stuck with for the moment. The server is running FreeBSD 9
> and is patched as of about 4 weeks ago.
>

Start it with "--graphicssystem native"


-- 
Adam Vande More


Odd X11 over SSH issue

2012-11-23 Thread Paul Kraus
I am seeing very poor response time running the VirtualBox GUI via X11
tunneled over SSH via the Internet. The issue _appears_ to be limited
to the VBox GUI as Firefox is reasonable. I am well aware of the
latency issues tunneling X11 over SSH across the Internet, but that is
what we are stuck with for the moment. The server is running FreeBSD 9
and is patched as of about 4 weeks ago.

Observations:

1. When I first SSH into the box I see a long delay after the SSH
tunnel is setup before being prompted for a password, and I do not
know if this delay is related to the VBox issue. Details below.

2. When I fire up VirtualBox it takes _minutes_ before the window
opens and each action (drawing contents, mouse clicks) takes
additional _minutes_. Looking at the VirtualBox process with truss I
see many, many errors of the form:

read(7,0x80193a02c,4096) ERR#35 'Resource temporarily unavailable'

where fd 7 is a socket. I would chalk it up to network slowness, but I
do not see the same behavior with Firefox, xload, or xclock. An xterm
is even pretty snappy. Timing firefox, it takes under 10 seconds to
draw the window and fill it. It takes about 2 to 3 seconds to draw the
menu after clicking on the menu widget. With VirtualBox it takes
_minutes_ for every action, so it is clearly a call that VirtualBox is
making, but I can't figure it out from the truss output. The
VirtualBox GUI works fine when run on the console or on the local
network (not via SSH). I have a local system that I think is
configured the same way (but much slower hardware) and the VirtualBox
GUI is reasonable via SSH (about 10-20 seconds to open the window and
5-10 second response time to mouse clicks). It is only when it is
tunneled over SSH via the Internet that the problem appears.

Details below.

Any suggestions where to look ? Or am I barking up the wrong tree ?

{1-2-3-4-5-6-----7-}
SSH details:

Mini1:~ user$ ssh -X -C -v root@a.b.c.d
OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to a.b.c.d [a.b.c.d] port 22.
debug1: Connection established.
debug1: identity file /Users/user/.ssh/identity type -1
debug1: identity file /Users/user/.ssh/id_rsa type -1
debug1: identity file /Users/user/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version
OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503
debug1: match: OpenSSH_5.8p2_hpn13v11 FreeBSD-20110503 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 z...@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5 z...@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'a.b.c.d' is known and matches the RSA host key.
debug1: Found key in /Users/user/.ssh/known_hosts:9
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/user/.ssh/identity
debug1: Trying private key: /Users/user/.ssh/id_rsa
debug1: Trying private key: /Users/user/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive



Password:
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessi...@openssh.com
debug1: Entering interactive session.
Warning: untrusted X11 forwarding setup failed: xauth key data not generated
Warning: No xauth data; using fake authentication data for X11 forwarding.
debug1: Requesting X11 forwarding with authentication spoofing.
Last login: Fri Nov 23 11:20:26 2012 from e.f.g.h
FreeBSD 9.0-RELEASE-p3 (GENERIC) #0: Tue Jun 12 02:52:29 UTC 2012

{1-2-3-4-5-6-7-}

VBox Details (from truss):

10709: socket(PF_INET,SOCK_STREAM,6) = 7 (0x7)
10709: fcntl(7,F_SETFD,FD_CLOEXEC)   = 0 (0x0)
10709: setsockopt(0x7,0x6,0x1,0x7fffc578,0x4,0x2) = 0 (0x0)
10709: setsockopt(0x7,0x,0x8,0x7fffc578,0x4,0x2) = 0 (0x0)
10709: connect(7,{ AF_INET 127.0.0.1:6010 },16)  = 0 (0x0)
10709: getpeername(7,{ AF_INET 127.0.0.1:6010 },0x7fffc2d4) = 0 (0x0)
10709: __sysctl(0x7fffc2f0,0x2,0x7fffc340,0x7fffc2e8,0x0,0x0) = 0 (0x0)
10709: access("/root/.Xauthority",4) = 0 (0x0)
10709: open("/root/.Xauthority",O_RDONLY,0666)   = 8 (0x8

Re: FTP oddness, over SSH session.

2012-04-15 Thread Dave B
On 13 Apr 2012 at 23:51, Frank Staals wrote:

> "John McDonnell"  writes:
> 
> > All in all, creating an entry in Site Manager makes more sense if
> > it's something you connect to from your own hardware. From someone
> > else's machine, the quick connect is quite handy though.
> 
> Don't forget to clear out the entry from the dropdown list then.
> Because I think FileZilla will remember your password as well. Worst
> ``feature'' ever if you ask me
> 
> Regards, 
> 
> -- 
> 
> - Frank

Indeed it does, and yes I do (clear that list out) but thanks for the 
reminder, and of course it's useful info for others too.

Regards.

Dave.

-- Help for Heroes European Rally 2012 participant.
Please help by visiting:-
http://www.bmycharity.com/TeamSnowball
For any/all donations, all 100% goes to H4H.





Re: FTP oddness, over SSH session.

2012-04-13 Thread Frank Staals
"John McDonnell"  writes:

> All in all, creating an entry in Site Manager makes more sense if it's
> something you connect to from your own hardware. From someone else's
> machine, the quick connect is quite handy though.

Don't forget to clear out the entry from the dropdown list then. Because
I think FileZilla will remember your password as well. Worst ``feature''
ever if you ask me

Regards, 

-- 

- Frank


Re: FTP oddness, over SSH session.

2012-04-13 Thread Dave B
On 13 Apr 2012 at 9:21, John McDonnell wrote:

> > From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd-
> > questi...@freebsd.org] On Behalf Of Dave B
> 
> > FYI, you have to create an entry in FileZilla's Site Manager, for it
> > to invoke SFTP, the "Quickconnect" feature just uses plain vanilla FTP.
> > 
> > Best Regards.
> > 
> > Dave Baxter.
> 
> You can use the "Quickconnect" feature with SFTP. If you are running
> on standard port 22, you can simply put 22 in the port box. For
> non-standard ports, you can prepend sftp:// to the host name and it
> will connect via SFTP instead of FTP.
> 

Cheers, I'll try that next time I'm on "the outside" of my home LAN, it 
seems to work from the inside, as it would of course...

At present, there is a suitably configured link in the site manager.

Thanks again.

Dave.

-- Help for Heroes European Rally 2012 participant.
Please help by visiting:-
http://www.bmycharity.com/TeamSnowball
For any/all donations, all 100% goes to H4H.



RE: FTP oddness, over SSH session.

2012-04-13 Thread John McDonnell


> From: owner-freebsd-questi...@freebsd.org [mailto:owner-freebsd- 
> questi...@freebsd.org] On Behalf Of Dave B

> FYI, you have to create an entry in FileZilla's Site Manager, for it 
> to invoke SFTP, the "Quickconnect" feature just uses plain vanilla FTP.
> 
> Best Regards.
> 
> Dave Baxter.

You can use the "Quickconnect" feature with SFTP. If you are running on
standard port 22, you can simply put 22 in the port box. For non-standard
ports, you can prepend sftp:// to the host name and it will connect via SFTP
instead of FTP.

Apologies to Dave as he'll be getting this twice as I somehow forgot to
include questions@ when replying. Thought this might come in handy for
others who want to SFTP into a box with FileZilla, so resending to the list
this time.

All in all, creating an entry in Site Manager makes more sense if it's
something you connect to from your own hardware. From someone else's
machine, the quick connect is quite handy though.



Re: FTP oddness, over SSH session.

2012-04-13 Thread Dave B
On 12 Apr 2012 at 12:40, Da Rock wrote:

> On 04/11/12 21:51, Dave B wrote:
> > FreeBSD FBSD.67MK181QZ 8.0-RELEASE FreeBSD 8.0-RELEASE #0:
> > Wed Apr 14 22:55:09 BST 2010
> > root@FBSD.67MK181QZ:/usr/obj/usr/src/sys/PPSGENERIC  i386
> >
> > Hi.
> >
> > I have a small FreeBSD 8.0 system (above, yes I know, not current,
> > but it works.) That is mainly used for timekeeping with an attached
> > PPS equipped GPS.  No problems with that.
> >
> > It also has a small web server (Hiawatha) FTP server and SSH portal,
> > for my own use.
> >
> > The FTP "server" is the built-in OS based ftpd implementation, and
> > works well for all that I need.
> >
> > Anyway...  I found a while ago, that I can tunnel connections into
> > my home LAN via a SSH session to my FreeBSD box, from outside the
> > LAN using PuTTY (on Windows XP) from wherever I am.  It's been a
> > useful dodge for me to do that so as to VNC to other boxes that are
> > there.   The needed SSH working port, is not the usual suspect, it's
> > way up high, well away from script kiddies etc.
> >
> > I just found however, that though I can reliably send a file to the
> > FTP server and it gets saved just fine, that's not true when
> > connecting this way using a SSH tunnel.
> >
> > Over the SSH session, (using Passive Mode, with all needed ports
> > forwarded, plus the FTP daemon's data port usage restricted to the
> > same range as those tunneled.)  Though the FTP process appears to
> > work OK, with no errors, the file sent to and deposited on the
> > server ends up as name only, and zero bytes in length.
> >
> > Oddly, I can successfully create a new folder on the FTP server over
> > the SSH session using the FTP client, and that works just fine.
> >
> > The FTP client I'm using, is the same FileZilla both times.
> > (V3.1.0.1  I may go look for any updates, just in case.)
> >
> > Downloading works fine regardless of how I connect, it's just
> > uploading that's screwy.  I suspect (as usual) it's a rights issue,
> > but even if I su - root after the initial SSH login, it changes
> > nothing.
> 
> I'd check the ports you are forwarding over ssh. Two ports are
> required for ftp and it sounds like one is blocking for some reason-
> the control channel seems to be working fine though :) 

As I suspect too, but as yet, I've not figured it out.  I can as above 
download files just fine, so the data channel can be established for 
that, and I am using Passive Mode, so it *Should* be only my end (the 
client) that initiates a connection for the data channel.

Also, two versions of FileZilla *Appear* to succeed uploading a file, no 
errors regarding being unable to setup a data channel, just that when you 
look on the FreeBSD box later, the file is zero bytes in size.

Regards.

Dave Baxter.



Re: FTP oddness, over SSH session.

2012-04-13 Thread Dave B
On 12 Apr 2012 at 9:32, Frank Staals wrote:

> "Dave B"  writes:
> 
> > Hi, ordinarily perhaps yes, if I could only figure out how to set it
> > up on the FreeBSD box.  As always, the "Manuals" though no doubt
> > correct and complete as a "reference", are no good to people who
> > don't already know "How To" do it.
> 
> There is not much to set up. Just make sure you have sshd running. You
> can then just sftp (or any other client that supports sftp) to connect
> to port 22, or whatever port sshd is listening on. 
> 
> Regards,
> 
> -- 
> 
> - Frank

Hi Frank.

Thanks for that suggestion.

It works well!

Issue resolved for now :-)

FYI, you have to create an entry in FileZilla's Site Manager, for it to 
invoke SFTP, the "Quickconnect" feature just uses plain vanilla FTP.

Best Regards.

Dave Baxter.

-- Help for Heroes European Rally 2012 participant.
Please help by visiting:-
http://www.bmycharity.com/TeamSnowball
For any/all donations, all 100% goes to H4H.





Re: FTP oddness, over SSH session.

2012-04-13 Thread Dave B
On 12 Apr 2012 at 11:28, Frank Bonnet wrote:

> > "Dave B"  writes:
> > 
> >> Hi, ordinarily perhaps yes, if I could only figure out how to set
> >> it up on the FreeBSD box.  As always, the "Manuals" though no doubt
> >> correct and complete as a "reference", are no good to people who
> >> don't already know "How To" do it.
> > 
> > There is not much to set up. Just make sure you have sshd running.
> > You can then just sftp (or any other client that supports sftp) to
> > connect to port 22, or whatever port sshd is listening on. 
> > 
> > Regards,
> > 
> > -- 
> > 
> > - Frank
>
> why not ftp over TLS ? like proftpd or pure-ftpd can do ?
> 

Hi.

Because as yet, I have not figured out how to get ProFTP or PureFTP 
installed and WORKING without bricking the machine.  There is no step by 
step "how to" (that I've yet found) with also guidance as to how to work 
around the inevitable issues that occur.   The man pages are just 
command references, not an instruction book on how to use them.  Sorry.

Hence, I'm using the native OS's inbuilt FTP facility.  Even that took me 
3 days to get going in the first instance.  (file Access rights issues 
and poor, even if correct, documentation.)

Regards.

Dave Baxter.


-- Help for Heroes European Rally 2012 participant.
Please help by visiting:-
http://www.bmycharity.com/TeamSnowball
For any/all donations, all 100% goes to H4H.





Re: FTP oddness, over SSH session.

2012-04-12 Thread Matthew Seaman
On 12/04/2012 10:28, Frank Bonnet wrote:
> why not ftp over TLS ? like proftpd or pure-ftpd can do ?

Because it is pretty much impossible to firewall securely.  Either you
don't encrypt the control channel or you have to give any firewalls
between you and your destination keys to be able to decrypt the traffic
(in which case you might just as well not bother encrypting it at all)
or you have to open up a whole load of ports to accept incoming traffic
('you' being typically the FTP server admin for PASV mode FTP;
otherwise, you'd need to do similarly on the client for active mode
FTP.)  FTP is fundamentally broken and simply encasing it in a layer of
encryption only exacerbates the fundamental flaws.

The FTP protocol is an archaic remnant of some mythical golden age of
the internet when you could generally trust anyone else with access to
the net[*].  Given what the past 40 years or so have shown us about the
realities of global networking, it is high time that it was obsoleted
and the world switched to some of the many better alternatives that have
since been developed.

   * HTTP -- obviously works fine for download.  It can support upload
 too: there's a little-used PUT command, or you can use such things
 as WEBDAV.  Easy to run over TLS by using HTTPS.

   * RSYNC -- has an anonymous mode which works fine for generic
 downloads.  For authenticated access defaults to ssh(1) for all
 traffic.

   * SFTP or SCP -- for those who are unwilling or unable to
 contemplate using anything other than an FTP client, SFTP will
 pose as one, while still properly securing all your traffic.  SCP
 is (IMHO) a nicer interface for general day-to-day copying stuff
 between machines though.

Cheers,

Matthew

[*] Believe it or not, at one time it was generally accepted that mail
servers should be configured as open relays.  This was so that if your
own mailserver was playing up, you could easily borrow a neighbour's
server to send messages.  Then spam was invented.

-- 
Dr Matthew J Seaman MA, D.Phil.   7 Priory Courtyard
  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matt...@infracaninophile.co.uk   Kent, CT11 9PW




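Matthew's point that FTP over TLS cannot be firewalled sensibly, and Da Rock's remark that FTP needs two ports, both come down to the same mechanism: the data connection's address and port are announced inside the control conversation, so anything that wants to open exactly one hole must be able to read that conversation. The model below of a stateful firewall's FTP helper is an added example written for this archive, not code from any message in the thread; the PASV/EPSV replies and addresses in it are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# RFC 959 reply: "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)"
PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
# RFC 2428 reply: "229 Entering Extended Passive Mode (|||port|)"
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")


@dataclass(frozen=True)
class DataChannel:
    """Where the server told the client to connect for the data transfer."""
    host: str
    port: int


@dataclass(frozen=True)
class Verdict:
    """What a stateful firewall's FTP helper decides for one server reply."""
    pinhole: Optional[DataChannel]  # the single (host, port) it can open, or None
    reason: str


def parse_passive_reply(reply: str, control_peer: str) -> Optional[DataChannel]:
    """Extract the data-channel endpoint announced in a PASV or EPSV reply.

    control_peer is the server address the client's control connection goes to;
    EPSV announces only a port and implies that address.  Returns None when the
    reply announces nothing usable.
    """
    m = PASV_RE.match(reply)
    if m:
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        if max(a, b, c, d, p1, p2) > 255:
            return None  # malformed octets: refuse rather than guess
        return DataChannel(f"{a}.{b}.{c}.{d}", p1 * 256 + p2)
    m = EPSV_RE.match(reply)
    if m:
        port = int(m.group(1))
        if not 0 < port < 65536:
            return None
        return DataChannel(control_peer, port)
    return None


def ftp_helper(control_encrypted: bool, reply: str, control_peer: str) -> Verdict:
    """Decide whether the helper can open exactly one pinhole for the data connection.

    The helper only works if it can read the control channel.  Under FTP over TLS
    it sees ciphertext, so the server admin is left opening a whole passive port
    range instead, which is the trade-off described in the thread.
    """
    if control_encrypted:
        return Verdict(None, "control channel is encrypted; helper cannot read the PASV reply")
    ch = parse_passive_reply(reply, control_peer)
    if ch is None:
        return Verdict(None, "reply announces no passive-mode data endpoint")
    if ch.host != control_peer:
        # The server announced an address other than the one the client is
        # talking to.  This happens behind NAT or an SSH local port-forward
        # (the server announces its LAN address while the client connects to
        # 127.0.0.1); a helper must not open a hole toward a third host
        # (RFC 2577 security considerations), so it refuses.
        return Verdict(None, f"announced host {ch.host} is not the control peer {control_peer}")
    if ch.port < 1024:
        return Verdict(None, "announced data port is in the privileged range")
    return Verdict(ch, "one pinhole opened for the data connection")


if __name__ == "__main__":
    # Constructed sample replies; no real server is involved.
    direct = ftp_helper(False, "227 Entering Passive Mode (203,0,113,5,195,80)", "203.0.113.5")
    print(direct)  # pinhole DataChannel(host='203.0.113.5', port=50000)
    tunnelled = ftp_helper(False, "227 Entering Passive Mode (192,168,1,10,195,80)", "127.0.0.1")
    print(tunnelled)  # pinhole None: LAN address announced through a local forward
    ftps = ftp_helper(True, "<ciphertext>", "203.0.113.5")
    print(ftps)  # pinhole None: helper is blind under TLS
```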

Re: FTP oddness, over SSH session.

2012-04-12 Thread Frank Bonnet
why not ftp over TLS ? like proftpd or pure-ftpd can do ?

Sent from my iPhone.


On 12 Apr 2012 at 09:32, Frank Staals wrote:

> "Dave B"  writes:
> 
>> Hi, ordinarily perhaps yes, if I could only figure out how to set it up 
>> on the FreeBSD box.  As always, the "Manuals" though no doubt correct and 
>> complete as a "reference", are no good to people who don't already know 
>> "How To" do it.
> 
> There is not much to set up. Just make sure you have sshd running. You
> can then just sftp (or any other client that supports sftp) to connect
> to port 22, or whatever port sshd is listening on. 
> 
> Regards,
> 
> -- 
> 
> - Frank


Re: FTP oddness, over SSH session.

2012-04-12 Thread Frank Staals
"Dave B"  writes:

> Hi, ordinarily perhaps yes, if I could only figure out how to set it up 
> on the FreeBSD box.  As always, the "Manuals" though no doubt correct and 
> complete as a "reference", are no good to people who don't already know 
> "How To" do it.

There is not much to set up. Just make sure you have sshd running. You
can then just sftp (or any other client that supports sftp) to connect
to port 22, or whatever port sshd is listening on. 

Regards,

-- 

- Frank


Re: FTP oddness, over SSH session.

2012-04-11 Thread Dave B
On 11 Apr 2012 at 14:54, Mike Clarke wrote:

> On Wednesday 11 April 2012, Dave B wrote:
> 
> > I just found however, that though I can reliably send a file to the
> > FTP server and it gets saved just fine, that's not true when
> > connecting this way using a SSH tunnel.
> 
> Would it not be simpler just to use sftp directly rather than
> tunnelling ftp through ssh?
> 
> -- 
> Mike Clarke

Hi, ordinarily perhaps yes, if I could only figure out how to set it up 
on the FreeBSD box.  As always, the "Manuals" though no doubt correct and 
complete as a "reference", are no good to people who don't already know 
"How To" do it.

Originally, the FTP was purely for other machines at home to periodically 
dump data for some pages of the small website it also hosts.  There was 
(is) no need for SFTP for that, as all the machines are in the same room 
at home.

Thanks for the reply.

Dave B.

-- Help for Heroes European Rally 2012 participant.
Please help by visiting:-
http://www.bmycharity.com/TeamSnowball
For any/all donations, all 100% goes to H4H.





Re: FTP oddness, over SSH session.

2012-04-11 Thread Da Rock

On 04/11/12 21:51, Dave B wrote:

> FreeBSD FBSD.67MK181QZ 8.0-RELEASE FreeBSD 8.0-RELEASE #0:
> Wed Apr 14 22:55:09 BST 2010
> root@FBSD.67MK181QZ:/usr/obj/usr/src/sys/PPSGENERIC  i386
>
> Hi.
>
> I have a small FreeBSD 8.0 system (above, yes I know, not current, but it
> works.) That is mainly used for timekeeping with an attached PPS equipped
> GPS.  No problems with that.
>
> It also has a small web server (Hiawatha) FTP server and SSH portal, for
> my own use.
>
> The FTP "server" is the built-in OS based ftpd implementation, and works
> well for all that I need.
>
> Anyway...  I found a while ago, that I can tunnel connections into my
> home LAN via a SSH session to my FreeBSD box, from outside the LAN using
> PuTTY (on Windows XP) from wherever I am.  It's been a useful dodge for
> me to do that so as to VNC to other boxes that are there.   The needed
> SSH working port, is not the usual suspect, it's way up high, well away
> from script kiddies etc.
>
> I just found however, that though I can reliably send a file to the FTP
> server and it gets saved just fine, that's not true when connecting this
> way using a SSH tunnel.
>
> Over the SSH session, (using Passive Mode, with all needed ports
> forwarded, plus the FTP daemon's data port usage restricted to the same
> range as those tunneled.)  Though the FTP process appears to work OK,
> with no errors, the file sent to and deposited on the server ends up as
> name only, and zero bytes in length.
>
> Oddly, I can successfully create a new folder on the FTP server over the
> SSH session using the FTP client, and that works just fine.
>
> The FTP client I'm using, is the same FileZilla both times. (V3.1.0.1  I
> may go look for any updates, just in case.)
>
> Downloading works fine regardless of how I connect, it's just uploading
> that's screwy.  I suspect (as usual) it's a rights issue, but even if I
> su - root after the initial SSH login, it changes nothing.


I'd check the ports you are forwarding over ssh. Two ports are required 
for ftp and it sounds like one is blocking for some reason- the control 
channel seems to be working fine though :)


> The FTP user is a different name from who I'm logged in as by SSH, is
> that the issue?  But what confuses me, is that it works from this same
> PC, if it's on the home LAN, using the same FTP user credentials.
>
> I'm obviously lacking in my understanding of something, but what?
>
> I may not get to see any replies for a day or three, as I've got to head
> off across country for work later, and it's not yet known if tonight's
> hotel even has WiFi, or if there is decent mobile coverage where I'm
> going.   (Out in the Wiltshire sticks. UK, and I'm stuck with Orange.)
>
> Thanks in advance.
>
> Dave B
>
> -- Help for Heroes European Rally 2012 participant.
> Please help by visiting:-
> http://www.bmycharity.com/TeamSnowball
> For any/all donations, all 100% goes to H4H.



___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"




Re: FTP oddness, over SSH session.

2012-04-11 Thread Andrew Gould
On Wed, Apr 11, 2012 at 8:54 AM, Mike Clarke
 wrote:
> On Wednesday 11 April 2012, Dave B wrote:
>
>> I just found however, that though I can reliably send a file to the
>> FTP server and it gets saved just fine, that's not true when
>> connecting this way using a SSH tunnel.
>
> Would it not be simpler just to use sftp directly rather than tunnelling
> ftp through ssh?
>
> --
> Mike Clarke

Using sftp or scp is not just simpler in configuration, it has the
added benefit of being supported by cool gui applications (filezilla,
winscp, etc) that are available for multiple operating systems.

The only configuration change I make is to change the port used by
ssh.  That simple change eliminated most of the hacker attempts found
in various logs (failed logins, etc).

Andrew


Re: FTP oddness, over SSH session.

2012-04-11 Thread Mike Clarke
On Wednesday 11 April 2012, Dave B wrote:

> I just found however, that though I can reliably send a file to the
> FTP server and it gets saved just fine, that's not true when
> connecting this way using a SSH tunnel.

Would it not be simpler just to use sftp directly rather than tunnelling 
ftp through ssh?

-- 
Mike Clarke


FTP oddness, over SSH session.

2012-04-11 Thread Dave B
FreeBSD FBSD.67MK181QZ 8.0-RELEASE FreeBSD 8.0-RELEASE #0:
Wed Apr 14 22:55:09 BST 2010 
root@FBSD.67MK181QZ:/usr/obj/usr/src/sys/PPSGENERIC  i386

Hi.

I have a small FreeBSD 8.0 system (above; yes I know, not current, but it
works) that is mainly used for timekeeping with an attached PPS-equipped
GPS.  No problems with that.

It also has a small web server (Hiawatha), an FTP server and an SSH portal,
for my own use.

The FTP "server" is the built-in OS based ftpd implementation, and works 
well for all that I need.

Anyway...  I found a while ago, that I can tunnel connections into my 
home LAN via a SSH session to my FreeBSD box, from outside the LAN using 
PuTTY (on Windows XP) from wherever I am.  It's been a useful dodge for 
me to do that so as to VNC to other boxes that are there.   The needed 
SSH working port, is not the usual suspect, it's way up high, well away 
from script kiddies etc.

I just found however, that though I can reliably send a file to the FTP
server and it gets saved just fine, that's not true when connecting this
way using an SSH tunnel.

Over the SSH session, (using Passive Mode, with all needed ports 
forwarded, plus the FTP daemon's data port usage restricted to the same 
range as those tunneled.)  Though the FTP process appears to work OK, 
with no errors, the file sent to and deposited on the server ends up as 
name only, and zero bytes in length.

Oddly, I can successfully create a new folder on the FTP server over the 
SSH session using the FTP client, and that works just fine.

The FTP client I'm using is the same FileZilla both times. (V3.1.0.1; I
may go look for any updates, just in case.)

Downloading works fine regardless of how I connect, it's just uploading
that's screwy.  I suspect (as usual) it's a rights issue, but even if I
su - root after the initial SSH login, it changes nothing.

The FTP user is a different name from who I'm logged in as by SSH, is
that the issue?  But what confuses me is that it works from this same
PC, if it's on the home LAN, using the same FTP user credentials.

I'm obviously lacking in my understanding of something, but what?

I may not get to see any replies for a day or three, as I've got to head 
off across country for work later, and it's not yet known if tonight's 
hotel even has WiFi, or if there is decent mobile coverage where I'm 
going.   (Out in the Wiltshire sticks. UK, and I'm stuck with Orange.)

Thanks in advance.

Dave B

-- Help for Hero's European Rally 2012 participant.
Please help by visiting:-
http://www.bmycharity.com/TeamSnowball
For any/all donations, all 100% goes to H4H.





Re: FreeBSD 9's SSH HPN

2012-03-20 Thread Adam Vande More
On Mon, Mar 19, 2012 at 8:45 PM, Mark Felder  wrote:

> Is the HPN patchset included with the base OpenSSH the full patchset? Does
> it include the threaded CTR patch? I can't seem to find a clear answer to
> this.
>

crypto/openssh/README.hpn references it so I would assume so.


-- 
Adam Vande More


FreeBSD 9's SSH HPN

2012-03-19 Thread Mark Felder
Is the HPN patchset included with the base OpenSSH the full patchset? Does  
it include the threaded CTR patch? I can't seem to find a clear answer to  
this.



Thanks,


Mark


Re: inetd[1081]: ssh/tcp: bind: address already in use

2012-02-08 Thread Chuck Swiger
On Feb 8, 2012, at 11:39 AM, Henry Olyer wrote:
> Second, I am getting:  inetd[1081]: ssh/tcp: bind: address already in use.
> What's the fix, please?

Don't try to run sshd via inetd when you're already starting it as a daemon.

Regards,
-- 
-Chuck



inetd[1081]: ssh/tcp: bind: address already in use

2012-02-08 Thread Henry Olyer
First, thank you folks for your help.  Each of you.

I've been pretty much a glass terminal UN*X user since I started.  Now,
because of you guys and the people behind X and oh!, all those programs
that get linked in (three hours of package loading plus six hours of ports
downloading and compilation), I have a pretty nice Fvwm environment with
some nifty plotting.  (Though I wonder, is it better to be forced to
visualize the underlying curves of a system without looking?  A
philosophical problem for another day...)

Second, I am getting:  inetd[1081]: ssh/tcp: bind: address already in use.
What's the fix, please?

And third, about the intrusion.  I have already wiped the machine to
rebuild it.  But I noted the requested files, if there is a future incident.

I had used null passwords while I was loading FBSD software.  A practice I
shall never repeat.  me bad...


Windows XP ssh client to FreeBSD 5.3/pf issue

2012-01-09 Thread Matt Kosht
Perplexed by an issue connecting a Windows 7 client to an old FreeBSD 5.3
server.  On Windows XP clients SecureCRT gets "The semaphore timeout period
has expired". PuTTY gets "Network error: Software caused connection abort".
I have no issues connecting to newer 6.x, 7.x, 8.x, 9.x BSD servers though
from Windows 7. If I switch to an XP client on same network (192.168.0.0/16) it
works. If I shut off pf on the 5.3 server Win 7 clients can connect. So it
must be pf, but I don't see how pf would be affected by a Windows OS
version. pf.conf follows:

-Matt

**/etc/pf.conf (Public IPs have been obscured)
# define variables
ext_if="fxp0"
KubraIPs="{x.x.x.x/32, x.x.x.x/32, x.x.x.x/32, x.x.x.x/32, x.x.x.x/32}"
whitelist="{192.168.0.0/16}"

# normalize packets
scrub in all

# Translation Rules:
# KUBRA Translations
rdr proto tcp from $KubraIPs to $ext_if port 443 -> 192.168.203.145 port 8443
nat from any to 192.168.203.145 port 8443 -> x.x.x.x
# Filter Rules:
# KUBRA Filters
pass in quick log on $ext_if from any to 192.168.203.145 keep state flags S/SA
# stop all IPv6 traffic
block in quick inet6 all
block out quick inet6 all
# pass everything on loopback (lo0)
pass in quick on lo0 all
pass out quick on lo0 all
# block all badguys
table  persist file "/var/db/ssh-bruteforce"
pass in log quick proto tcp from $whitelist to any port ssh
block in log quick proto tcp from  to any port ssh
# setup a default deny policy
block in all
block out all
# allow DNS connections from anywhere
pass in quick on $ext_if proto udp from any to any port domain
pass in quick on $ext_if proto tcp from any to any port domain flags S/SA
# allow ssh connections from anywhere
pass in quick on $ext_if proto tcp from any to any port ssh keep state flags S/SA
# allow SNMP connections anywhere
pass in quick on $ext_if proto tcp from any to any port 161
pass in quick on $ext_if proto udp from any to any port 161
pass in quick on $ext_if proto tcp from any to any port 162
pass in quick on $ext_if proto udp from any to any port 162
# allow ntp from anywhere
pass in quick on $ext_if proto tcp from any to any port 123
pass in quick on $ext_if proto udp from any to any port 123
# allow www from anywhere
pass in quick on $ext_if proto tcp from any to any port www flags S/SA
# allow ftp from anywhere
pass in quick log on $ext_if proto tcp from any to any port ftp flags S/SA
pass in quick on $ext_if proto tcp from any to any port  flags S/SA
# allow ICMP from inside
pass in quick on $ext_if proto icmp from any to any
# allow https from anywhere for redirection
pass in quick log on $ext_if proto tcp from any to any port 443 keep state flags S/SA
# allow tcp/udp/icmp out keeping state
pass out quick on $ext_if proto tcp from any to any keep state
pass out on $ext_if proto {udp, icmp} all keep state


Re: SSH Access To Live CD? (Was Re: FBSD-9.0-RC3 Disk 1 ISO Bootable?)

2012-01-06 Thread Коньков Евгений
Hello, Drew.

You wrote on 6 January 2012, 23:44:28:

DT> On 1/6/2012 12:07 PM, Al Plant wrote:
>> per...@pluto.rain.com wrote:
>>> Al Plant  wrote:
>>>
>>>> I accessed the sshd from the new install screen as an option when
>>>> I loaded it on the test box. I had to set up the lan manually to
>>>> first get it up. Then you should be able to use ssh.
>>>
>>> I take it you either arranged for ssh to accept a direct root login,
>>> or added a non-root username.  Does the new installer do one of
>>> these automatically, or is there more manual configuration involved?
>>
>> BSD Installer asks if you want to install sshd and click yes. Later 
>> you can go to another box on the lan and use the user account to ssh 
>> into the new box and su to root. This feature has been on the installs 
>> for a while. I used it on sysinstall on 7.*.

DT> OK, so you didn't actually install remotely via ssh.  You installed 
DT> locally and let the installer configure sshd for your new install and it
DT> was available after you rebooted into your new install.

DT> I'd like to actually be able to install via ssh.  Basically I'd like ssh
DT> access to the Live CD so I could partition my drives for zfs prior to 
DT> installing.  And I'd like to do it from a computer that's connected to
DT> the web so I can read and copy/paste examples.

DT> Cheers,

DT> Drew

mfsBSD is an interesting project that allows you to install or reinstall
a system remotely!



-- 
Regards,
 Коньков  mailto:kes-...@yandex.ru



SSH Access To Live CD? (Was Re: FBSD-9.0-RC3 Disk 1 ISO Bootable?)

2012-01-06 Thread Drew Tomlinson

On 1/6/2012 12:07 PM, Al Plant wrote:

per...@pluto.rain.com wrote:

Al Plant  wrote:


I accessed the sshd from the new install screen as an option when
I loaded it on the test box. I had to set up the lan manually to
first get it up. Then you should be able to use ssh.


I take it you either arranged for ssh to accept a direct root login,
or added a non-root username.  Does the new installer do one of
these automatically, or is there more manual configuration involved?


BSD Installer asks if you want to install sshd and click yes. Later 
you can go to another box on the lan and use the user account to ssh 
into the new box and su to root. This feature has been on the installs 
for a while. I used it on sysinstall on 7.*.


OK, so you didn't actually install remotely via ssh.  You installed 
locally and let the installer configure sshd for your new install and it 
was available after you rebooted into your new install.


I'd like to actually be able to install via ssh.  Basically I'd like ssh 
access to the Live CD so I could partition my drives for zfs prior to 
installing.  And I'd like to do it from a computer that's connected to 
the web so I can read and copy/paste examples.


Cheers,

Drew


--
Like card tricks?

Visit The Alchemist's Warehouse to
learn card magic secrets for free!

http://alchemistswarehouse.com




Re: ports/distfiles via NFS or SSH

2011-10-15 Thread Lowell Gilbert
Peter Kryszkiewicz  writes:

> I have several machines networked using NFS mounts or SSH and scp. Only one
> machine has internet connectivity - a laptop (machine vbear) with a wireless
> card (I'm in a temporary location for a few weeks and only wireless is
> available here).
>
> I tried to mount the ports tree on this machine to the other machines
> (machine mfc for instance) with:
>
> #mfc> cd /usr
> #mfc> mount_nfs vbear:/usr/ports ports
>
> and then installing the needed port on mfc. What happens is that the working
> directories and the entire local ports tree gets written to /var, so that I
> get /var/ports/usr/ports/devel/xxgdb/work and so on. /var fills up very
> quickly and I soon get "disk full" errors.
>
> How can I avoid this?

That doesn't happen by default, so you've already changed something, and
resetting it to default may be all you need to do.  By default, the work
directories would be under (e.g.) /usr/ports/devel/xxgdb/work.

You have probably set the WRKDIRPREFIX variable somewhere (possibly in
make.conf?) and clearing it -- or setting it to somewhere local on the
machine, but with more space, which would be faster -- will solve the
problem. There are other variables that could cause similar symptoms,
but WRKDIRPREFIX is the one I'd bet on at this point if I were you.

> I believe the solution is to point the ports Makefile to a different (local)
> working directory but point fetch to grab distfiles from the (remote)
> laptop, but I'm not sure how to do this.

Nothing in what you posted indicates that the distfiles are a problem
for you, but if it is, you probably need to look at the DISTDIR
variable, and figure out if you are grabbing distfiles to multiple
places.  Given that only one machine is capable of downloading
distfiles in the first place, I think it's unlikely you have trouble in
this area.

Good luck.


ports/distfiles via NFS or SSH

2011-10-13 Thread Peter Kryszkiewicz
I have several machines networked using NFS mounts or SSH and scp. Only one
machine has internet connectivity - a laptop (machine vbear) with a wireless
card (I'm in a temporary location for a few weeks and only wireless is
available here).

I tried to mount the ports tree on this machine to the other machines
(machine mfc for instance) with:

#mfc> cd /usr
#mfc> mount_nfs vbear:/usr/ports ports

and then installing the needed port on mfc. What happens is that the working
directories and the entire local ports tree gets written to /var, so that I
get /var/ports/usr/ports/devel/xxgdb/work and so on. /var fills up very
quickly and I soon get "disk full" errors.

How can I avoid this?

I believe the solution is to point the ports Makefile to a different (local)
working directory but point fetch to grab distfiles from the (remote)
laptop, but I'm not sure how to do this.

regards,
Peter Kryszkiewicz


Re: limit number of ssh connections

2011-09-19 Thread Robert Bonomi
> From owner-freebsd-questi...@freebsd.org  Mon Sep 19 19:12:32 2011
> From: mer...@stonehenge.com (Randal L. Schwartz)
> To: Paul Macdonald 
> Date: Mon, 19 Sep 2011 17:12:14 -0700
> Cc: James Strother , freebsd-questions@freebsd.org
> Subject: Re: limit number of ssh connections
>
> >>>>> "Paul" == Paul Macdonald  writes:
>
> Paul> In my experience running ssh on a high port cuts the amount of
> Paul> unwanted ssh connections to approximately zero, in fact I got a
> Paul> surprise when seeing a sec log from a box which I hadn't done this
> Paul> for.
>
> I run sshd on 443 (for firewall-bending reasons), and the only 
> connections I see there are people trying to break into the web.  Never 
> an actual sshd hit. :)

A wise man said: "this belongs in the "security for dummies" pile right
along with "turning off your SSID announce" and "use MAC address filtering"
when people talk about wifi "security".  All three are useless and give you
a false sense of having "increased" security."

It is worthy of note that 'merely' running sshd on an 'unconventional'
port provides _less_ of an increase in security than portknocking does. :)

That said, _I_ also run sshd on the "well-known port" for unrelated services.
*NOT* because I have a belief it provides any increase in security -- it
_doesn't_ -- but simply to eliminate the script-kiddie 'doorknob rattling'
'clutter' from the logs, making it far easier to see a truly 'targeted'
attempt.  'Clutter elimination' makes it -- *or* portknocking -- "worth
doing" even though neither provides any "measurable" increase in 'real'
security.





Re: limit number of ssh connections

2011-09-19 Thread Chad Perrin
On Mon, Sep 19, 2011 at 05:11:28PM -0700, Randal L. Schwartz wrote:
> > "Григорьев" == Григорьев Александр  writes:
> 
> Григорьев> If your target is to protect a FreeBSD box from password
> Григорьев> brute-forcing from the Internet, maybe security/knockd will help you?
> 
> Portknocking adds only a dozen bits or so to your password.  Do you
> really think it helps to go from a 1024-bit key to a 1036-bit?  In other
> words, Portknocking belongs in the "security for dummies" pile right
> along with "turning off your SSID announce" and "use MAC address
> filtering" when people talk about wifi "security".  All three are
> useless and give you a false sense of having "increased" security.

I'd say, rather, that it's useful in deflecting the drive-by, casual
cracking attempts, but not as real security against a more sophisticated
attack.  It's nice to have cleaner logging sometimes -- which is the real
benefit of such techniques, rather than security per se.

-- 
Chad Perrin [ original content licensed OWL: http://owl.apotheon.org ]




Re: limit number of ssh connections

2011-09-19 Thread Randal L. Schwartz
>>>>> "Paul" == Paul Macdonald  writes:

Paul> In my experience running ssh on a high port cuts the amount of unwanted
Paul> ssh connections to approximately zero, in fact I got a surprise when seeing a
Paul> sec log from a box which I hadn't done this for.

I run sshd on 443 (for firewall-bending reasons), and the only
connections I see there are people trying to break into the web.  Never
an actual sshd hit. :)

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion


Re: limit number of ssh connections

2011-09-19 Thread Randal L. Schwartz
> "Григорьев" == Григорьев Александр  writes:

Григорьев> If your target is to protect a FreeBSD box from password
Григорьев> brute-forcing from the Internet, maybe security/knockd will help you?

Portknocking adds only a dozen bits or so to your password.  Do you
really think it helps to go from a 1024-bit key to a 1036-bit?  In other
words, Portknocking belongs in the "security for dummies" pile right
along with "turning off your SSID announce" and "use MAC address
filtering" when people talk about wifi "security".  All three are
useless and give you a false sense of having "increased" security.

The real security is disable plaintext passwords.  Then no amount of
bruteforce will ever get in.

-- 
Randal L. Schwartz - Stonehenge Consulting Services, Inc. - +1 503 777 0095
http://www.stonehenge.com/merlyn/
Smalltalk/Perl/Unix consulting, Technical writing, Comedy, etc. etc.
See http://methodsandmessages.posterous.com/ for Smalltalk discussion


Re: limit number of ssh connections

2011-09-19 Thread suxor

> Does anyone know a good way of limiting the number of ssh attempts
> from a single IP address?
> 
> I found the following website, which describes a variety of approaches:
> 
> http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
> 
> 
> But I am honestly not really happy with any of them.  Continuously
> polling log files for regex hits seems...well crude.  Just to give you
> an idea of what I mean, here were some of the issues I had. The
> sshd-scan.sh script allows IPs to be reinstated, but the timing is
> dependent on how frequently you rotate logs.  sshguard has a pretty
> website, but I can't actually find much useful documentation on how to
> configure it.  fail2ban looks like it might work with sufficient work,
> but the defaults are terrible.  By default, every time an IP is
> reinstated, all IPs are reinstated.  Not to mention, at present I
> can't seem to get it to trigger any hits.
> 
> I suppose I could keep shopping, but the truth is I just think polling
> log files is the wrong way to solve the problem.  Anything based on
> this approach is going to have a long latency and be highly dependent
> on the unspecified and unstable formatting of log files (see
> http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4)
> and the troubles an exclamation point can cause).
> 
> I would much much rather do something like this:
> 
> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
> 
> Does anyone know a way to do something similar with ipfw?
> 
> 
> Thanks in advance,
>   Jim

Maybe you mean something like this?!
http://home.nuug.no/~peter/pf/en/bruteforce.html


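The firewall-level approach that page describes, written up here as an added example for this thread (it is not code from the thread or from the linked page): the plain SSH pass rule beside a rate-limited one that feeds a pf table, so blocking and expiry no longer depend on parsing or rotating logs. The interface name "em0", the table name, the LAN range and the limits are assumptions.

```pf
# Added example, not from the thread: rate-limiting SSH in pf.conf with the
# "overload" state option. "em0", the table name and the limits are assumptions.
ext_if = "em0"

# Offenders are collected here; "persist" keeps the table even when empty.
table <bruteforce> persist

# Weak form (what most rulesets start with): any source may open as many
# SSH connections, as fast as it likes.
#   pass in on $ext_if proto tcp to ($ext_if) port ssh flags S/SA keep state

# 1. Exempt the local LAN first (quick), so an admin typo never locks the
#    admin out (the lock-out worry raised in this thread about sshguard).
pass in quick on $ext_if proto tcp from 192.168.0.0/16 to ($ext_if) port ssh \
    flags S/SA keep state

# 2. Drop anything already in the table before it ever reaches sshd.
block in quick on $ext_if from <bruteforce>

# 3. Admit SSH, but one source may hold at most 10 states and open at most
#    3 new connections per 30 seconds. Exceeding either limit puts the source
#    into <bruteforce>, and "flush global" tears down all of its states.
pass in on $ext_if proto tcp to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 10, max-src-conn-rate 3/30, \
     overload <bruteforce> flush global)

# Expiry is independent of log rotation: a daily cron job such as
#   pfctl -t bruteforce -T expire 86400
# removes entries added more than a day ago, and
#   pfctl -t bruteforce -T show
# lists what has been caught so far.
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and remember that max-src-conn-rate counts every new connection, successful logins included, which is why the trusted-LAN exemption comes first.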


RE: limit number of ssh connections

2011-09-19 Thread Matt Emmerton
Moving ssh to another port has solved the problem for me.
I had used sshguard in the past, but was always leery of locking myself out.

Regards,
Matt Emmerton

-Original Message-
From: owner-freebsd-questi...@freebsd.org
[mailto:owner-freebsd-questi...@freebsd.org] On Behalf Of James Strother
Sent: Monday, September 19, 2011 5:47 PM
To: freebsd-questions@freebsd.org
Subject: Re: limit number of ssh connections

Wow, I'm glad I asked.  This has been very helpful.

@Григорьев Александр
Thanks for the tip on inetd, that looks like it might just do the trick.

@Paul Macdonald
My main reason for looking into this was glancing through the logs on
a server I just put online and seeing large numbers of unauthorized
login attempts.  Everything so far is highly unsophisticated, but it
did make me start to really think about the issue.  I might put ssh
onto a different port, that would at least stop the sort of fishing I
am currently seeing.  It's not clear if that would be "good enough."

@Damien Fleuriot
Have you had success with sshguard?  Installed it from ports, but then
I couldn't quite figure out how to configure it.  To be honest, I
didn't give it much of a chance before I moved on to the next thing,
so if you've had good luck then I should probably give it another
shot.  I did flip through sshd_config, but as far as I can tell it is
only possible to limit the number of concurrent connections.  It might
take a little longer, but I'm concerned it would still allow a
malicious individual to sequentially brute-force a password.

Thanks for all the responses.


Re: limit number of ssh connections

2011-09-19 Thread Tim Daneliuk

On 9/19/2011 2:05 PM, James Strother wrote:

Does anyone know a good way of limiting the number of ssh attempts
from a single IP address?

I found the following website, which describes a variety of approaches:

http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins


But I am honestly not really happy with any of them.  Continuously
polling log files for regex hits seems...well crude.  Just to give you
an idea of what I mean, here were some of the issues I had. The
sshd-scan.sh script allows IPs to be reinstated, but the timing is
dependent on how frequently you rotate logs.  sshguard has a pretty
website, but I can't actually find much useful documentation on how to
configure it.  fail2ban looks like it might work with sufficient work,
but the defaults are terrible.  By default, every time an IP is
reinstated, all IPs are reinstated.  Not to mention, at present I
can't seem to get it to trigger any hits.

I suppose I could keep shopping, but the truth is I just think polling
log files is the wrong way to solve the problem.  Anything based on
this approach is going to have a long latency and be highly dependent
on the unspecified and unstable formatting of log files (see
http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4)
and the troubles an exclamation point can cause).

I would much much rather do something like this:

http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/

Does anyone know a way to do something similar with ipfw?


Thanks in advance,
   Jim




They cannot attack what they cannot see.  That's why I wrote this:

   http://www.tundraware.com/Software/tperimeter/

It allows you to restrict access to a fixed set of hosts
(via tcpwrappers) but to dynamically request access from
any host (via wrapper rewriting) so long as you have
credentials to do so.  The current version has a worst-case
latency of 5 minutes from the time you remotely request ssh
access be granted until it actually is.  I am working toward
an update that will grant the request immediately.





--

Tim Daneliuk tun...@tundraware.com
PGP Key: http://www.tundraware.com/PGP/



Re: limit number of ssh connections

2011-09-19 Thread James Strother
Wow, I'm glad I asked.  This has been very helpful.

@Григорьев Александр
Thanks for the tip on inetd, that looks like it might just do the trick.

@Paul Macdonald
My main reason for looking into this was glancing through the logs on
a server I just put online and seeing large numbers of unauthorized
login attempts.  Everything so far is highly unsophisticated, but it
did make me start to really think about the issue.  I might put ssh
onto a different port, that would at least stop the sort of fishing I
am currently seeing.  It's not clear if that would be "good enough."

@Damien Fleuriot
Have you had success with sshguard?  Installed it from ports, but then
I couldn't quite figure out how to configure it.  To be honest, I
didn't give it much of a chance before I moved on to the next thing,
so if you've had good luck then I should probably give it another
shot.  I did flip through sshd_config, but as far as I can tell it is
only possible to limit the number of concurrent connections.  It might
take a little longer, but I'm concerned it would still allow a
malicious individual to sequentially brute-force a password.

Thanks for all the responses.


Re: limit number of ssh connections

2011-09-19 Thread Григорьев Александр
Standard inetd(8) has many options including limiting connections based on 
IP-address. Can it help in this case?

20.09.2011, 00:02, "James Strother" :
> That's an interesting project, I hadn't realized port knocking had
> become so easy to use.
>
> Unfortunately, for this particular server, I need to be able to
> provide a simple way for (a very limited number of) users to login
> into the system remotely using a variety of OS platforms.  So I don't
> think port knocking is a good fit here.
>
> Thanks,
>   Jim
>
> 2011/9/19 Григорьев Александр :
>
>>  If your target is to protect a FreeBSD box from password brute-forcing from
>>  the Internet, maybe security/knockd will help you?
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


Re: limit number of ssh connections

2011-09-19 Thread Paul Macdonald

2011/9/19 Григорьев Александр :

If your target is to protect a FreeBSD box from password brute-forcing from the 
internet, maybe security/knockd will help you?

19.09.2011, 23:05, "James Strother":

Does anyone know a good way of limiting the number of ssh attempts
from a single IP address?

Hi James,

(Not what you asked, obviously.)

In my experience, running ssh on a high port cuts the amount of unwanted 
ssh connections to approximately zero; in fact, I got a surprise when 
seeing a sec log from a box for which I hadn't done this.


Paul.



Re: limit number of ssh connections

2011-09-19 Thread Damien Fleuriot
Again, if your goal is to protect against attacks, you might want to look at 
sshguard from the ports.

Otherwise, I believe there's an sshd_config directive to limit the number of 
concurrent connections from a single source IP.

On 19 Sep 2011, at 22:02, James Strother  wrote:

> That's an interesting project, I hadn't realized port knocking had
> become so easy to use.
> 
> Unfortunately, for this particular server, I need to be able to
> provide a simple way for (a very limited number of) users to login
> into the system remotely using a variety of OS platforms.  So I don't
> think port knocking is a good fit here.
> 
> Thanks,
>  Jim
> 
> 
> 
> 2011/9/19 Григорьев Александр :
>> If your target is protect freebsd box from bruting passwords from inet maybe 
>> security/knockd will help you?


Re: limit number of ssh connections

2011-09-19 Thread James Strother
That's an interesting project, I hadn't realized port knocking had
become so easy to use.

Unfortunately, for this particular server, I need to be able to
provide a simple way for (a very limited number of) users to login
into the system remotely using a variety of OS platforms.  So I don't
think port knocking is a good fit here.

Thanks,
  Jim



2011/9/19 Григорьев Александр :
> If your target is to protect a FreeBSD box from password brute-forcing from the 
> internet, maybe security/knockd will help you?


Re: limit number of ssh connections

2011-09-19 Thread Григорьев Александр
If your target is to protect a FreeBSD box from password brute-forcing from the 
internet, maybe security/knockd will help you?

19.09.2011, 23:05, "James Strother" :
> Does anyone know a good way of limiting the number of ssh attempts
> from a single IP address?
>
> I found the following website, which describes a variety of approaches:
>
> http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins
>
> But I am honestly not really happy with any of them.  Continuously
> polling log files for regex hits seems...well crude.  Just to give you
> an idea of what I mean, here were some of the issues I had. The
> sshd-scan.sh script allows IPs to be reinstated, but the timing is
> dependent on how frequently you rotate logs.  sshguard has a pretty
> website, but I can't actually find much useful documentation on how to
> configure it.  fail2ban looks like it might work with sufficient work,
> but the defaults are terrible.  By default, every time an IP is
> reinstated, all IPs are reinstated.  Not to mention, at present I
> can't seem to get it to trigger any hits.
>
> I suppose I could keep shopping, but the truth is I just think polling
> log files is the wrong way to solve the problem.  Anything based on
> this approach is going to have a long latency and be highly dependent
> on the unspecified and unstable formatting of log files (see
> http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4)
> and the troubles an exclamation point can cause).
>
> I would much much rather do something like this:
>
> http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/
>
> Does anyone know a way to do something similar with ipfw?
>
> Thanks in advance,
>   Jim
> ___
> freebsd-questions@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-questions
> To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"


limit number of ssh connections

2011-09-19 Thread James Strother
Does anyone know a good way of limiting the number of ssh attempts
from a single IP address?

I found the following website, which describes a variety of approaches:

http://www.freebsdwiki.net/index.php/Block_repeated_illegal_or_failed_SSH_logins


But I am honestly not really happy with any of them.  Continuously
polling log files for regex hits seems...well crude.  Just to give you
an idea of what I mean, here were some of the issues I had. The
sshd-scan.sh script allows IPs to be reinstated, but the timing is
dependent on how frequently you rotate logs.  sshguard has a pretty
website, but I can't actually find much useful documentation on how to
configure it.  fail2ban looks like it might work with sufficient work,
but the defaults are terrible.  By default, every time an IP is
reinstated, all IPs are reinstated.  Not to mention, at present I
can't seem to get it to trigger any hits.

I suppose I could keep shopping, but the truth is I just think polling
log files is the wrong way to solve the problem.  Anything based on
this approach is going to have a long latency and be highly dependent
on the unspecified and unstable formatting of log files (see
http://www.fail2ban.org/wiki/index.php/HOWTO_Mac_OS_X_Server_(10.4)
and the troubles an exclamation point can cause).

I would much much rather do something like this:

http://kevin.vanzonneveld.net/techblog/article/block_brute_force_attacks_with_iptables/

Does anyone know a way to do something similar with ipfw?


Thanks in advance,
  Jim
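An added example, not from this thread or from any of the tools named in it, of the in-kernel approach the original post asks for on FreeBSD. pf's per-source state options give the same effect as the iptables "recent" rules linked above: more than N new connections from one address inside a time window puts that address into a table, and a separate rule blocks the table. (ipfw's native counterpart is `limit src-addr N` on the `setup` rule, which caps simultaneous connections per source but has no rate-over-time option.) The interface name em0, the table name and the thresholds are assumptions for illustration; this is a fragment for /etc/pf.conf, not a complete ruleset.

```pf
# Added example for /etc/pf.conf; not from the thread. Assumptions: the
# external interface is em0 and sshd listens on the standard port (22).
ext_if = "em0"

# Offending source addresses collect here. "persist" keeps the table
# even while it is empty.
table <ssh_bruteforce> persist

# Drop new SSH connections from anything already in the table. This rule
# sits before the pass rule and "quick" stops evaluation at the match.
block in quick on $ext_if proto tcp from <ssh_bruteforce> to any port ssh

# Weak version, for contrast: plain state tracking, no per-source limits.
# pass in on $ext_if proto tcp from any to ($ext_if) port ssh flags S/SA keep state

# Hardened version: the options in parentheses are tracked per source address.
#   max-src-conn 5          at most 5 simultaneous states from one source
#   max-src-conn-rate 3/30  more than 3 new connections within 30 seconds
#                           triggers the overload action
#   overload <table>        adds the source address to the table
#   flush global            kills every existing state from that source
pass in on $ext_if proto tcp from any to ($ext_if) port ssh \
    flags S/SA keep state \
    (max-src-conn 5, max-src-conn-rate 3/30, overload <ssh_bruteforce> flush global)
```

Load it with `pfctl -f /etc/pf.conf` (with pf_enable="YES" in /etc/rc.conf). Because the table holds individual addresses, one offender can be reinstated without touching the others, e.g. `pfctl -t ssh_bruteforce -T delete 192.0.2.10`; to age out entries older than a day from cron, `pfctl -t ssh_bruteforce -T expire 86400`; `pfctl -t ssh_bruteforce -T show` lists what is currently blocked. Two caveats: several users behind one NAT share a source address, so size max-src-conn-rate for that, or put a `pass in quick` rule for trusted source networks before this one; and on the sshd side, MaxStartups in sshd_config limits unauthenticated connections globally rather than per source, and MaxAuthTries limits password guesses per connection, so neither replaces the firewall rule.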


Re: ssh with bridged ap

2011-09-14 Thread Damien Fleuriot
Again, your /var/log/auth.log should be very helpful in this matter.


Connect on your server with WIFI then do this:

tail -f /var/log/auth.log


Then, try to connect using the wired connection and see if you get any logs.

If you do, post them here :)

If you're connecting from a non-Windows box, please pass the -v flag to
your ssh client to toggle verbose output and post that here too.


On 9/13/11 2:14 PM, George Vagner wrote:
> I was thinking that maybe, because the wired interface doesn't actually have
> an IP address, it is a reverse lookup thing.


RE: ssh with bridged ap solved

2011-09-13 Thread george vagner
Allow connections to forwarded ports in sshd config



RE: ssh with bridged ap

2011-09-13 Thread George Vagner
I was thinking that maybe, because the wired interface doesn't actually have
an IP address, it is a reverse lookup thing.





Re: ssh with bridged ap

2011-09-13 Thread Damien Fleuriot
On 9/13/11 3:54 AM, george vagner wrote:
> I have set up wireless AP with a static IP and bridged it to my internal
> wired network on RE0.
> 
> I can successfully connect with WPA to the wireless network and browse other
> computers on the wired net fine,
> I can log into the freebsd machine using ssh no problem as long as I
> connect via the wireless network.
> 
> If I try and log into the freebsd machine using the wired network I get a
> log in prompt for username
> Then I get the password prompt but after typing in my password it always
> says login incorrect; it doesn't do this if I am on the wireless net.
> 
> Maybe something in the sshd config about bridged connections? 
> 

Maybe an excerpt from your /var/log/auth.log at that time, too...

Might turn out that you don't get anything in /var/log/auth.log which
would indicate that, when using the wired IP of the machine, you're
actually connecting to another host.


ssh with bridged ap

2011-09-12 Thread george vagner
I have set up wireless AP with a static IP and bridged it to my internal
wired network on RE0.

I can successfully connect with WPA to the wireless network and browse other
computers on the wired net fine,
I can log into the freebsd machine using ssh no problem as long as I
connect via the wireless network.

If I try and log into the freebsd machine using the wired network I get a
log in prompt for username.
Then I get the password prompt but after typing in my password it always
says login incorrect; it doesn't do this if I am on the wireless net.

Maybe something in the sshd config about bridged connections? 





ssh via NAT slow on _some_ connections only

2011-08-22 Thread Alejandro Imass
Hi folks,

This is *very* weird but it's consistent.

Most of my servers run with jailed services and I access the jails
directly with NAT to a private network where the jails run.

The jails' network is just aliases on lo0, like so:


lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> metric 0 mtu 16384
options=3<RXCSUM,TXCSUM>
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet6 ::1 prefixlen 128
inet 127.0.0.1 netmask 0xff00
inet 192.168.101.1 netmask 0xff00
inet 192.168.101.80 netmask 0xff00
inet 192.168.101.101 netmask 0xff00
[etc.]
inet 192.168.101.123 netmask 0xff00

Then in natd.conf I have nats defined like so:

redirect_port tcp 192.168.101.123:22 12322

At first _all_ my NATed ssh connections were slow until I added -tso
to the main NIC's ifconfig. So this -tso switch is something that I've
had to add to all my NICs for NAT to work properly:

em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
options=209b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,WOL_MAGIC>

Nevertheless, _some_ specific networks are still very slow with NATed ssh.

So for example, I access the server from my home network and I can't
even notice any difference between non-NAT and NATed connections. But
we have one specific remote location where the NATed connections are
really slow.
It's not their network because if they first login to the base server
(no NAT) and _then_ ssh to the private IP, then the performance is
perfect. The issue is only when on the natted port.

In other words: if they ssh -p 12322 like the example above it's
painfully slow, but if they first ssh to the base server and then ssh
to the private IP, the performance is great. This is the exact same
performance issue we were getting before the -tso parameter, so maybe
there are other flags that affect NAT performance? maybe on that
location's router? Wouldn't this affect the normal ssh connections,
why only the NAT ports have problems?

I really want to avoid to replicate the users in the base system, so
there must be something else that can be done to fix this.
Again, -tso helped a lot, but for these particular locations there is
still some problem with the NATed connections we haven't been able to
figure out.

Anyone have any ideas on what could be going on here?

Thanks,

--
Alejandro Imass


Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1

2011-07-12 Thread perryh
Frank Shute  wrote:

> On Tue, Jul 12, 2011 at 03:18:07AM -0700, per...@pluto.rain.com wrote:
> >
> > DISPLAY is not getting set in a remote shell started by "ssh -X".
...
> Have you tried putting:
>
> DISPLAY=:0.0
>
> in ~/.ssh/environment on the machine that's not setting DISPLAY
> properly?

Wouldn't that cause the remote app -- which is running on the
ssh server -- to (try to) use that machine's own local display?
A port-forwarded connection normally has something along the
lines of

  DISPLAY=localhost:10.0

(but it can't be hard-coded, because the "10" part will vary
depending on what-all port-forwarded connections exist).


Solved: Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1

2011-07-12 Thread perryh
Mark Felder  wrote:

> On Tue, 12 Jul 2011 00:06:33 -0500, Michael Sierchio 
> wrote:
>
> > xauth not in your path?
>
> ssh -Y skips all auth stuff so you don't need xauth; he said that
> didn't work either :-(

Well, apparently, even -Y needs xauth (which was not installed on
the 8.1 system) on the ssh server -- although not on the ssh client.
After installing it:

  $ ssh -Y fbsd81 'echo DISPLAY=%$DISPLAY%'
  /usr/local/bin/xauth:  creating new authority file /home/perryh/.Xauthority
  DISPLAY=%localhost:10.0%

and -X also works :) so this turns out to have been the solution.

Next question:  shouldn't I have gotten some kind of error message
when attempting "ssh -X" or "ssh -Y" when xauth wasn't available?


Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1

2011-07-11 Thread Frank Shute
On Tue, Jul 12, 2011 at 03:18:07AM -0700, per...@pluto.rain.com wrote:
>
> DISPLAY is not getting set in a remote shell started by "ssh -X".
> 
>   $ echo $DISPLAY
>   :0.0
>   $ ssh -X [server] 'echo DISPLAY=%$DISPLAY%'
>   DISPLAY=%%
> 
> How would I go about debugging this?
> 
> DISPLAY _is_ set correctly on the ssh client -- I am running in
> an xterm there, and can successfully start another (local) one --
> and the word DISPLAY is not present in any of the shell startup
> files (.bash*, .cshrc, .login, .profile, .shrc) on either the
> ssh client or the ssh server.
> 
> The ssh client is FreeBSD 6.1 and the ssh server is FreeBSD 8.1.
> 
> It does work correctly in the other direction (using the 8.1 system
> as the ssh client and the 6.1 system as the ssh server), and I can
> run X11 programs on the 8.1 system, displaying on the 6.1 system,
> provided I set DISPLAY appropriately on the 8.1 system.  It's only
> the ssh X11 forwarding that's broken, and only in one direction.

Have you tried putting:

DISPLAY=:0.0

in ~/.ssh/environment on the machine that's not setting DISPLAY
properly?

Regards,

-- 

 Frank

 Contact info: http://www.shute.org.uk/misc/contact.html






Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1

2011-07-11 Thread perryh
Eitan Adler  wrote:

> > It still fails with the 6.1 system as the ssh client,
> > and works with the 6.1 system as the ssh server
>
> Is X11Forwarding yes set in the server config of the failing
> direction?

Both seem to be defaulted.

On 6.1:

  $ egrep -C 2 X11Forwarding /etc/ssh/sshd_config
  #AllowTcpForwarding yes
  #GatewayPorts no
  #X11Forwarding yes
  #X11DisplayOffset 10
  #X11UseLocalhost yes

On 8.1:

  $ egrep -C 2 X11Forwarding /etc/ssh/sshd_config
  #AllowTcpForwarding yes
  #GatewayPorts no
  #X11Forwarding yes
  #X11DisplayOffset 10
  #X11UseLocalhost yes
  --
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  #   X11Forwarding no
  #   AllowTcpForwarding no
  #   ForceCommand cvs server


Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1

2011-07-11 Thread Eitan Adler
>
> It still fails with the 6.1 system as the ssh client,
> and works with the 6.1 system as the ssh server

Is X11Forwarding yes set in the server config of the failing direction?

-- 
Eitan Adler


Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1

2011-07-11 Thread Mark Felder
On Tue, 12 Jul 2011 00:06:33 -0500, Michael Sierchio wrote:

> xauth not in your path?

ssh -Y skips all auth stuff so you don't need xauth; he said that didn't
work either :-(



Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1

2011-07-11 Thread Michael Sierchio
xauth not in your path?

On Tue, Jul 12, 2011 at 4:46 AM,   wrote:
> Mark Felder  wrote:
>
>> This sounds silly, but what happens if you try ssh -Y
>
> Exactly the same thing as with -X, in either direction.
>
> It still fails with the 6.1 system as the ssh client,
> and works with the 6.1 system as the ssh server


Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1

2011-07-11 Thread perryh
Mark Felder  wrote:

> This sounds silly, but what happens if you try ssh -Y

Exactly the same thing as with -X, in either direction.

It still fails with the 6.1 system as the ssh client,
and works with the 6.1 system as the ssh server


Re: ssh -X (X11 forwarding) not working from 6.1 to 8.1

2011-07-11 Thread Mark Felder

This sounds silly, but what happens if you try ssh -Y

Regards,

Mark


ssh -X (X11 forwarding) not working from 6.1 to 8.1

2011-07-11 Thread perryh
DISPLAY is not getting set in a remote shell started by "ssh -X".

  $ echo $DISPLAY
  :0.0
  $ ssh -X [server] 'echo DISPLAY=%$DISPLAY%'
  DISPLAY=%%

How would I go about debugging this?

DISPLAY _is_ set correctly on the ssh client -- I am running in
an xterm there, and can successfully start another (local) one --
and the word DISPLAY is not present in any of the shell startup
files (.bash*, .cshrc, .login, .profile, .shrc) on either the
ssh client or the ssh server.

The ssh client is FreeBSD 6.1 and the ssh server is FreeBSD 8.1.

It does work correctly in the other direction (using the 8.1 system
as the ssh client and the 6.1 system as the ssh server), and I can
run X11 programs on the 8.1 system, displaying on the 6.1 system,
provided I set DISPLAY appropriately on the 8.1 system.  It's only
the ssh X11 forwarding that's broken, and only in one direction.


Re: Color Spills Over From SSH Session

2011-07-09 Thread Joshua Isom
Screen uses its own $TERM, screen, so you'll have to make sure it's 
correct.  If you're not committed to GNU screen, you could try tmux, 
which is part of OpenBSD and ported to FreeBSD.  If you use tmux, 
you'll have to make sure the $TERM inside the screen session is 'screen' 
and not something else.  Most terminals are similar enough to just work 
until you do something special.


On 7/9/2011 11:05 AM, David Krauser wrote:

I echoed $TERM on both boxes, and they are both cons25. I figured out,
though, that I'm only seeing the color spillover issue when I run GNU
Screen on the remote box (which is OpenBSD). GNU Screen is not installed
on the FreeBSD box.

How can I get screen's colors to work in my FreeBSD ssh sessions? I can
connect to the remote box from other computers (using putty, xterm,
linux console, etc.) without issue. Maybe I need to have screen
installed in FreeBSD?

On Sat, 9 Jul 2011, Joshua Isom wrote:

On 7/8/2011 11:07 PM, David Krauser wrote:

Hello everybody,

I've tried to setup a kind of 'dedicated ssh client' using FreeBSD, and
I'm having some issues with the terminal colors.

I have a basic install of FreeBSD 8.2-RELEASE (I only had kernel-dev
packages checked at installation) and I rebuilt the GENERIC kernel with
the VESA and SC_PIXEL_MODE options enabled (for a high resolution
terminal).

Now here's the problem: when I ssh into another box and issue a command
with colors (like vim's syntax hilighting or a colored ls) the primary
color of the terminal will change. I'm often left with a crazy colored
and hard to read bash prompt (all in the ssh session). When I exit the
session back to FreeBSD, the colors persist. I have to use the command
'reset' to fix the issue.

I believe my primary FreeBSD shell is csh (it's whatever the default is
in FreeBSD) and I'm not sure if it can handle colors or if it has them
enabled. I generally ssh into a bash shell.

I'm really a newcomer with FreeBSD, and any help would be greatly
appreciated.

Thanks a bunch,

David Krauser
david.krau...@gmail.com



Are you sshing from the console or an xterm? If it's from the console,
it should be cons25, and if it's from an xterm it should be xterm or
xterm-color. You might have the .cshrc on the other box forcing it to
something that it's not. On the FreeBSD box, run `echo $TERM` and note
what it says, then ssh into the other box and run it again. They're
probably different.

It's probably not the FreeBSD box, but the other box doesn't know what
you're using.




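The advice in this thread comes down to two checks: make sure the $TERM you carry over ssh (or that screen sets inside the session) is one the remote termcap/terminfo knows, and, when it is not, understand that the remote program's raw escape sequences still reach your terminal and can leave it in a changed state until you run `reset` or `tput sgr0`. The shell snippet below is an added example, not code from the thread or from any of the posters. It assumes you can obtain the list of terminal names the remote side knows (for instance with `ssh host 'toe -a'` on a system with ncurses tools, which is an assumption about the remote host), picks a $TERM the remote can interpret, and strips CSI escape sequences from captured session output so colors and modes set by the remote do not leak into logs or replayed transcripts.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): pick a TERM the remote
# side knows, and strip escape sequences from captured remote output.

# Strip ANSI CSI sequences (ESC [ ... final-byte) from stdin.
# LC_ALL=C keeps the [@-~] byte range meaningful regardless of locale.
strip_ansi() {
    esc=$(printf '\033')
    LC_ALL=C sed -E "s/${esc}\[[0-9;?]*[@-~]//g"
}

# choose_term LOCAL_TERM REMOTE_LIST
#   REMOTE_LIST is a newline-separated list of terminal names the remote
#   terminfo/termcap database knows (e.g. output of `toe -a` run remotely;
#   assumption, see lead-in).  Prints the first usable name: the local
#   TERM if the remote knows it, else xterm, else vt100.  Exit 1 if none.
choose_term() {
    local_term=$1
    remote_list=$2
    for candidate in "$local_term" xterm vt100; do
        if printf '%s\n' "$remote_list" | grep -qx -- "$candidate"; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Usage sketch (not executed here; "host" is a placeholder):
#   remote=$(ssh host 'toe -a | cut -f1')      # names the remote knows
#   t=$(choose_term "$TERM" "$remote") || t=vt100
#   TERM=$t ssh host                            # ssh sends TERM to the server
#   ssh host 'ls --color=always' | strip_ansi > clean.log
```

The ssh client forwards the value of TERM to the server, so setting it on the command line is enough to change what the remote shell, and anything screen or tmux starts there, sees. The stripper only handles CSI sequences (the SGR color codes that cause the spillover described above); if you capture output from programs that emit OSC sequences (ESC ] ... BEL, used for window titles), extend the sed expression accordingly.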

Re: Color Spills Over From SSH Session

2011-07-09 Thread David Krauser


Figured it out. I just needed screen installed on the FreeBSD box. Thanks 
for all your help!


On Sat, 9 Jul 2011, Joshua Isom wrote:


On 7/8/2011 11:07 PM, David Krauser wrote:


Hello everybody,

I've tried to set up a kind of 'dedicated ssh client' using FreeBSD, and
I'm having some issues with the terminal colors.

I have a basic install of FreeBSD 8.2-RELEASE (I only had kernel-dev
packages checked at installation) and I rebuilt the GENERIC kernel with
the VESA and SC_PIXEL_MODE options enabled (for a high resolution
terminal).

Now here's the problem: when I ssh into another box and issue a command
with colors (like vim's syntax highlighting or a colored ls) the primary
color of the terminal will change. I'm often left with a crazy colored
and hard to read bash prompt (all in the ssh session). When I exit the
session back to FreeBSD, the colors persist. I have to use the command
'reset' to fix the issue.

I believe my primary FreeBSD shell is csh (it's whatever the default is
in FreeBSD) and I'm not sure if it can handle colors or if it has them
enabled. I generally ssh into a bash shell.

I'm really a newcomer with FreeBSD, and any help would be greatly
appreciated.

Thanks a bunch,

David Krauser
david.krau...@gmail.com



Are you sshing from the console or an xterm?  If it's from the console, it 
should be cons25, and if it's from an xterm it should be xterm or 
xterm-color.  You might have the .cshrc on the other box forcing it to 
something that it's not.  On the FreeBSD box, run `echo $TERM` and note what 
it says, then ssh into the other box and run it again.  They're probably 
different.


It's probably not the FreeBSD box, but the other box doesn't know what you're 
using.





Re: Color Spills Over From SSH Session

2011-07-09 Thread David Krauser


I echoed $TERM on both boxes, and they are both cons25. I figured out, 
though, that I'm only seeing the color spillover issue when I run GNU 
Screen on the remote box (which is OpenBSD). GNU Screen is not installed 
on the FreeBSD box.


How can I get screen's colors to work in my FreeBSD ssh sessions? I can 
connect to the remote box from other computers (using putty, xterm, linux 
console, etc.) without issue. Maybe I need to have screen installed in 
FreeBSD?


On Sat, 9 Jul 2011, Joshua Isom wrote:


On 7/8/2011 11:07 PM, David Krauser wrote:


Hello everybody,

I've tried to set up a kind of 'dedicated ssh client' using FreeBSD, and
I'm having some issues with the terminal colors.

I have a basic install of FreeBSD 8.2-RELEASE (I only had kernel-dev
packages checked at installation) and I rebuilt the GENERIC kernel with
the VESA and SC_PIXEL_MODE options enabled (for a high resolution
terminal).

Now here's the problem: when I ssh into another box and issue a command
with colors (like vim's syntax highlighting or a colored ls) the primary
color of the terminal will change. I'm often left with a crazy colored
and hard to read bash prompt (all in the ssh session). When I exit the
session back to FreeBSD, the colors persist. I have to use the command
'reset' to fix the issue.

I believe my primary FreeBSD shell is csh (it's whatever the default is
in FreeBSD) and I'm not sure if it can handle colors or if it has them
enabled. I generally ssh into a bash shell.

I'm really a newcomer with FreeBSD, and any help would be greatly
appreciated.

Thanks a bunch,

David Krauser
david.krau...@gmail.com



Are you sshing from the console or an xterm?  If it's from the console, it 
should be cons25, and if it's from an xterm it should be xterm or 
xterm-color.  You might have the .cshrc on the other box forcing it to 
something that it's not.  On the FreeBSD box, run `echo $TERM` and note what 
it says, then ssh into the other box and run it again.  They're probably 
different.


It's probably not the FreeBSD box, but the other box doesn't know what you're 
using.





Re: Color Spills Over From SSH Session

2011-07-08 Thread Joshua Isom

On 7/8/2011 11:07 PM, David Krauser wrote:


Hello everybody,

I've tried to set up a kind of 'dedicated ssh client' using FreeBSD, and
I'm having some issues with the terminal colors.

I have a basic install of FreeBSD 8.2-RELEASE (I only had kernel-dev
packages checked at installation) and I rebuilt the GENERIC kernel with
the VESA and SC_PIXEL_MODE options enabled (for a high resolution
terminal).

Now here's the problem: when I ssh into another box and issue a command
with colors (like vim's syntax highlighting or a colored ls) the primary
color of the terminal will change. I'm often left with a crazy colored
and hard to read bash prompt (all in the ssh session). When I exit the
session back to FreeBSD, the colors persist. I have to use the command
'reset' to fix the issue.

I believe my primary FreeBSD shell is csh (it's whatever the default is
in FreeBSD) and I'm not sure if it can handle colors or if it has them
enabled. I generally ssh into a bash shell.

I'm really a newcomer with FreeBSD, and any help would be greatly
appreciated.

Thanks a bunch,

David Krauser
david.krau...@gmail.com



Are you sshing from the console or an xterm?  If it's from the console, 
it should be cons25, and if it's from an xterm it should be xterm or 
xterm-color.  You might have the .cshrc on the other box forcing it to 
something that it's not.  On the FreeBSD box, run `echo $TERM` and note 
what it says, then ssh into the other box and run it again.  They're 
probably different.


It's probably not the FreeBSD box, but the other box doesn't know what 
you're using.



Color Spills Over From SSH Session

2011-07-08 Thread David Krauser


Hello everybody,

I've tried to set up a kind of 'dedicated ssh client' using FreeBSD, and 
I'm having some issues with the terminal colors.


I have a basic install of FreeBSD 8.2-RELEASE (I only had kernel-dev 
packages checked at installation) and I rebuilt the GENERIC kernel with 
the VESA and SC_PIXEL_MODE options enabled (for a high resolution 
terminal).


Now here's the problem: when I ssh into another box and issue a command 
with colors (like vim's syntax highlighting or a colored ls) the primary 
color of the terminal will change. I'm often left with a crazy colored and 
hard to read bash prompt (all in the ssh session). When I exit the session 
back to FreeBSD, the colors persist. I have to use the command 'reset' to 
fix the issue.


I believe my primary FreeBSD shell is csh (it's whatever the default is in 
FreeBSD) and I'm not sure if it can handle colors or if it has them 
enabled. I generally ssh into a bash shell.


I'm really a newcomer with FreeBSD, and any help would be greatly 
appreciated.


Thanks a bunch,

David Krauser
david.krau...@gmail.com

