I'm trying to set up ssh so that I can connect to my work computer from home. It is pretty much essential that I keep the work box as secure as possible at all times. (So I can't disable the firewall, come home and test it because IT would not be at all happy.)
I'm not sure if this is an Arch question, a Fedora question or a general Linux/networking question.
The work box is running Fedora 17. It has a firewall eerily like the "simple stateful firewall" described on Arch's wiki. It is running sshd. Public key authentication is enabled. No other form of authentication is enabled. It has a rule allowing ssh connections.
My laptop is running Arch. It has a firewall very like that described on the "simple stateful firewall" page. It has a couple of rules allowing stuff I need at home (printer and something I had to enable for the LAN).
Initially, I was given an internal IP address. I got this working fine i.e. I could ssh into the box from my laptop while sitting next to it in my office over the LAN. I'm using the default form of key pair generated on Arch (i.e. rsa) and am using gpg-agent with ssh support in lieu of ssh-agent to manage keys. Pin entry is using the Qt front end as I'm on KDE. (I adapted KDE's config so that it starts gpg-agent with ssh support for the session so that I didn't end up with two instances.)
Once the firewall was in place and sshd was running, they gave me a public IP address. At this point, no port was opened in their firewall to allow WAN connections but I tested the public IP address from within the LAN and it once again worked fine.
Once I'd confirmed the machine could connect out after getting a public IP, they arranged for the port to be opened for ssh. However, I cannot connect to the machine from home.
$ ssh -vvi .ssh/id_rsa firstname.lastname@example.org
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 22: Applying options for xxx.xxx.xxx.x
debug1: /etc/ssh/ssh_config line 32: Applying options for *
debug1: auto-mux: Trying existing master
debug1: Control socket "/email@example.com:nn" does not exist
debug2: ssh_connect: needpriv 0
debug1: Connecting to xxx.xxx.xxx.x [xxx.xxx.xxx.x] port nn.
debug1: connect to address xxx.xxx.xxx.x port nn: Connection timed out
ssh: connect to host xxx.xxx.xxx.x port nn: Connection timed out
xxx.xxx.xxx.x is the public IP (works fine from LAN)
nn is the port number
username is my user name (same on both machines)
The options for the host from ssh_config are:
AddressFamily inet
Compression yes
ControlMaster auto
ControlPath ~/.ssh/socket-%r@%h:%p
and the only generic option applied to all hosts is just a line to insist on protocol 2 which I think is default now anyway but I followed the wiki and specified it to be sure.
What have I missed? My networking knowledge is pretty basic at best. (I got this far using Arch's wiki, Fedora's documentation and a little trial and error. That seemed to work well but now I've added google and still can't figure it out. All the hits I get concern cases where the LAN connection works but authentication fails over WAN. But I'm not getting that far - it looks like my work box doesn't respond at all...)
Last edited by cfr (2012-09-25 22:12:06)
So I discovered I'd also managed to kill off LAN access as well as the machine's ability to use any sort of DNS... (I did say it needed to be secure...)
Anyway, I fixed that, reestablished working ssh from LAN but still can't get it to work from WAN.
Question: if ShieldsUp! reports the port as stealthed does that mean that the port has not actually been opened? So the campus firewall is blocking the connection? Because if so, I'm knocking my head against a brick (fire)wall to no purpose whatsoever...
I figure it can't be the software firewall else I'd not be able to connect on the LAN. And it is a public IP address so there's no NAT translation required...
"stealthed" probably means that, yes. At least if you scanned your single ssh port with it and not the whole lot.
But that's an online tool specialised for Windows machines. Try this to find out what's running on port nn of host xxx:
pacman -S netcat
nc xxx.xxx.xxx.x nn
Hmm... Well that command gives me no output at all - even if I add -v to make it verbose. I tried to figure out what I might expect from the man page and info pages but they didn't really tell me much beyond nc's connecting stdin to stdout from local to remote host. However, I assume some sort of output would be expected if the port really was open.
I didn't actually specify the port to ShieldsUp! but just had it do the standard port scan. I know it is somewhat Windows centric but the basics are OS independent as far as I know. (And I figured whether a port was open, closed or stealthed was fairly basic.)
A lot of firewalls start to drop traffic after the first few connect-attempts, if a portscan seems to happen. The drops then may be interpreted as "stealth" by that tool. That's why I wrote that.
sudo nc 127.0.0.1 22
Sounds like your box is not reachable externally yet.
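The two replies above boil down to one diagnostic: a TCP probe to the port tells you whether the host is reachable at all, and what error you get back tells you who is dropping the packets. The script below is an added example written for this thread (not code posted by anyone in it) that does what the suggested nc command does, but classifies the result explicitly: "open" plus the banner if something answers (an sshd sends its "SSH-2.0-..." identification string as soon as the connection is up, so a real open ssh port does produce output in nc), "closed" if the host answers with a reset (reachable, but nothing listening or a REJECT rule), and "filtered" if the SYN is silently dropped and the connect times out, which is what the `Connection timed out` in the original ssh -vv output and the "stealthed" verdict from ShieldsUp! both correspond to. The fake sshd started by `start_fake_sshd()` is a constructed stand-in on 127.0.0.1 so the example runs offline; the host name, port and banner string in it are assumptions, not values from the thread.

```python
import socket
import socketserver
import threading

# Constructed stand-in for sshd's identification string (assumption, not from the thread).
FAKE_BANNER = b"SSH-2.0-OpenSSH_6.1\r\n"


def probe_port(host, port, timeout=3.0):
    """Classify a TCP port the way a firewall diagnosis needs it.

    Returns (state, detail) where state is one of:
      "open"     - three-way handshake completed; detail is the banner the
                   service sent (empty if it sent nothing within the timeout)
      "closed"   - host replied with RST: reachable, but nothing listening
                   or a REJECT rule on the way
      "filtered" - no reply at all before the timeout: the SYN was dropped,
                   i.e. a firewall in the path (or on the host) is silently
                   discarding it
      "error"    - some other socket error (no route, DNS failure, ...)
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                banner = s.recv(256)
            except (socket.timeout, TimeoutError):
                banner = b""  # open, but the service waits for the client to speak first
            return ("open", banner.decode("ascii", "replace").strip())
    except ConnectionRefusedError:
        return ("closed", "")
    except (socket.timeout, TimeoutError):
        return ("filtered", "")
    except OSError as exc:
        return ("error", str(exc))


class _BannerHandler(socketserver.BaseRequestHandler):
    """Constructed fake sshd: send the identification string and hang up."""

    def handle(self):
        self.request.sendall(FAKE_BANNER)


def start_fake_sshd(host="127.0.0.1"):
    """Start the fake sshd on an ephemeral port; returns (server, port)."""
    server = socketserver.TCPServer((host, 0), _BannerHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def free_port(host="127.0.0.1"):
    """Return a port that is currently not listening, to demonstrate 'closed'."""
    with socket.socket() as s:
        s.bind((host, 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    server, port = start_fake_sshd()
    print("listening :", probe_port("127.0.0.1", port))   # ('open', 'SSH-2.0-OpenSSH_6.1')
    server.shutdown()
    server.server_close()
    print("nothing   :", probe_port("127.0.0.1", free_port()))  # ('closed', '')
    # Against the real box: probe_port("xxx.xxx.xxx.x", nn) returning
    # "filtered" means the campus firewall (or the host) is dropping the SYN;
    # "closed" means the packet got through and nothing answered on that port.
```

To reproduce the thread's situation, run `probe_port` against the public address and port from outside the campus network: "filtered" is the stealth verdict and points at the upstream firewall, "closed" means the port is reachable but sshd is not bound on it (or is being rejected locally), and "open" with an SSH banner means the path is fine and any remaining problem is authentication. Run the same probe from the LAN, as the original poster did with ssh itself, to confirm the listener before blaming the network.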
Yesterday, I asked IT if they were *certain* the port was open. They checked, said it was but added they'd double-check with central IT.
This evening it works. Since I've had no time to fiddle with this at all today, I suspect that it is.. er... now actually open and that I was banging my head against a brick wall before.
(Either that or somebody has gone into my office this evening and fixed it for me. But people who break into your office rarely do such useful things in my experience.)
Thanks for all the advice.
You're welcome. Good to hear you got it working.