
#1 2007-04-23 05:03:27

vytalelementz
Member
From: West Palm Beach, FL, USA
Registered: 2007-04-23
Posts: 99

ssh to computer [SOLVED]

I have been trying to use putty and openssh on my windows computer at work to ssh into my archlinux box at home, but I always get a timeout error. I have researched through google and this forum to find what the proper configurations are and I still have no success. Here are my configurations:

hosts.allow:

#
# /etc/hosts.allow
#


sshd: ALL
# End of file
--------------------------------------

hosts.deny:

#
# /etc/hosts.deny
#

ALL: ALL: DENY

# End of file
--------------------------------------

ssh_config:

#       $OpenBSD: ssh_config,v 1.22 2006/05/29 12:56:33 dtucker Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
   Protocol 2
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
-------------------------------------------------

sshd_config:

#       $OpenBSD: sshd_config,v 1.74 2006/07/19 13:07:10 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Protocol 2
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 2m
PermitRootLogin no # (put yes if you want root login)
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem       sftp    /usr/lib/ssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
-----------------------------------------------------

I have checked to make sure openssh was installed and sshd is running (I have added this in the rc.conf file). Any help will be appreciated.

Last edited by vytalelementz (2008-05-08 02:29:21)


Best Regards,

The Vytalone

Offline

#2 2007-04-23 06:05:53

firedance
Member
From: Stockholm, Sweden
Registered: 2005-04-18
Posts: 131

Re: ssh to computer [SOLVED]

My hosts.allow looks like this:
sshd sshd1 sshd2 : ALL : ALLOW
I think yours should have the : ALLOW part also.

Can you access the ssh from the server? (ie ssh myuser@localhost)

Offline

#3 2007-04-23 08:04:10

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: ssh to computer [SOLVED]

I can't remember if putty logs stuff, but if it does, that would be worth checking. If there's a verbosity option for the logs (e.g. like ssh -v), make it as verbose as possible.

Also check the auth logs on your home machine to see if the connection attempts are even getting through. If not, you need to look for the blockage somewhere in between - work firewall, ISP port blocking, etc.

FWIW, when I used to do this, I needed to set up a http tunnel first, then put the ssh session through that.

Last edited by tomk (2007-04-23 08:04:45)

Offline

#4 2007-04-25 01:16:42

vytalelementz
Member
From: West Palm Beach, FL, USA
Registered: 2007-04-23
Posts: 99

Re: ssh to computer [SOLVED]

Thanks for the replies. I'll try your suggestions out.


Best Regards,

The Vytalone

Offline

#5 2007-04-25 03:39:16

vytalelementz
Member
From: West Palm Beach, FL, USA
Registered: 2007-04-23
Posts: 99

Re: ssh to computer [SOLVED]

Well, I tried all suggestions and nothing seems to work. I was wondering, would trying to ssh to a public IP assigned automatically by my ISP have something to do with this? I can ssh to the computer using another one in the house by using the private IP, but I have no luck using the public IP. Sorry if I seem ignorant about something that might be easy to fix, but I'm not entirely knowledgeable with networking yet :).


Best Regards,

The Vytalone

Offline

#6 2007-04-25 04:33:45

Pudge
Arch Linux f@h Team Member
Registered: 2006-01-23
Posts: 300

Re: ssh to computer [SOLVED]

vytalelementz wrote:

hosts.deny:

#
# /etc/hosts.deny
#

ALL: ALL: DENY

# End of file

First, your hosts.deny needs to be edited as follows:

#
# /etc/hosts.deny
#

# ALL: ALL: DENY

# End of file

The line

ALL:  ALL: DENY

denies ALL hosts from having access to ssh, nobody can connect with this line in place.  This line must be commented out.

Secondly, you must add any hosts that you want to ssh to/from in the /etc/hosts file so ssh can determine the route.  /etc/hosts should look something like this:

#
# /etc/hosts: static lookup table for host names
#

#<ip-address>   <hostname.domain.org>   <hostname>
127.0.0.1         localhost.localdomain               localhost
192.168.0.2      firstcomputer.localdomain         firstcomputer          # your arch computer
192.168.0.3      secondcomputer.localdomain     secondcomputer      # first computer you want to ssh to/from
192.168.0.4      thirdcomputer.localdomain        thirdcomputer          # second computer you want to ssh to/from

# End of file

Every computer that you want to ssh to must be in this file.  The information for the local computer (your Arch computer) should also be in this file.

as user,

$ ssh-keygen -t rsa -b 2048

to generate rsa public keys in your /home/username/.ssh  directory.

For security reasons, after you get this up and running, you should also edit the /etc/ssh/sshd_config file to NOT allow login as root, and I highly recommend NOT using the default port 22.  Change the port used from 22 to some eight thousand, nine thousand, or ten thousand number such as 8091.  These ports must be set the same on both ends.

# /etc/ssh/sshd_config
PermitRootLogin no
Port 8091

When you change port numbers, you must also edit /etc/ssh/ssh_config to the new port number.

Check for any firewalls that may be blocking ssh, and make sure they reflect any new port numbers in their policies.

Hope that helps.

Pudge

Edit:  I just noticed that in both your ssh_config and sshd_config files you listed, the line

# Port 22

is commented out.  ssh has no idea what port to use.  Remove the # in front of the Port definition lines, such as

Port 22

For security reasons, I would also remove the # from the

#PasswordAuthentication yes

line, and have ssh Authenticate the password

Last edited by Pudge (2007-04-25 04:42:31)

Offline

#7 2007-04-25 07:15:06

mcover
Member
From: Germany
Registered: 2007-01-25
Posts: 134

Re: ssh to computer [SOLVED]

If you can log in to your arch box via ssh from a computer within your local network (which you said you were able to do), it should work without much problem from anywhere.

Is it possible that you have a network where each computer in your LAN shares one internet connection, meaning you use a router with NAT enabled? If so, that's most likely your problem. You have to set up your router so that incoming connections to your ssh port (22) are forwarded to the one machine where you have the ssh daemon running. Or simply enable DMZ for this one machine and test if it works from the outside.

But if the computer you tried to connect from (the computer at work) is getting access to the internet via a router as well, this might also be a cause of the problem. This is rather unlikely, though, since this is only the client.

Offline

#8 2007-04-25 09:18:46

tomk
Forum Fellow
From: Ireland
Registered: 2004-07-21
Posts: 9,839

Re: ssh to computer [SOLVED]

A few corrections, Pudge, for the sake of accuracy:

Pudge wrote:

The line

ALL:  ALL: DENY

denies ALL hosts from having access to ssh, nobody can connect with this line in place.

That is only true if no specific access is allowed in /etc/hosts.allow. Anything in hosts.allow overrides this. Also, that line is there to deny all connections by default (obviously :) ), and commenting or removing is not recommended.

Pudge wrote:

Secondly, you must add any hosts that you want to ssh to/from in the /etc/hosts file so ssh can determine the route.

That is only necessary if you want to use hostnames, instead of IP addresses, in your ssh command. As per the file's description, it is a "lookup table for host names" i.e. it converts names to IP addresses. If the OP is content  to use the IP address, this is not necessary.

Pudge wrote:

I highly recommend NOT using the default port 22.  Change the port used from 22 to some eight thousand, nine thousand, or ten thousand number such as 8091.  These ports must be set the same on both ends.

You can select different ports at each end.

Last edited by tomk (2007-04-25 09:22:47)

Offline

#9 2007-05-02 03:54:48

Pudge
Arch Linux f@h Team Member
Registered: 2006-01-23
Posts: 300

Re: ssh to computer [SOLVED]

tomk wrote:

A few corrections, Pudge, for the sake of accuracy:

Pudge wrote:

The line

ALL:  ALL: DENY

denies ALL hosts from having access to ssh, nobody can connect with this line in place.

That is only true if no specific access is allowed in /etc/hosts.allow. Anything in hosts.allow overrides this. Also, that line is there to deny all connections by default (obviously :) ), and commenting or removing is not recommended.

O.K.  since commenting or removing this line is not recommended, I put the

ALL: ALL: Deny

line back so it is active in the hosts.deny file.  If I put the following in my hosts.allow

sshd : ALL : ALLOW

I can use ssh to connect to this computer from other Linux computers on my LAN.  But, this allows ANY computer to connect through ssh.  I only want other computers on my LAN to be able to connect to this computer.  I have tried numerous variations to try and do this, including

sshd : 192.168.0.XXX  : ALLOW
sshd : LOCAL : ALLOW
sshd : 192.168.0.XXX/255.255.255.0 : ALLOW
sshd : localhostname : ALLOW
sshd : localhostname.localdomainname : ALLOW

I used 192.168.0.XXX simply because I did not want to use my actual full address.  I also used localhostname and localdomainname instead of my real host name and domain name.

I've also tried not using the ALLOW on the end.  No matter what I try, I cannot connect to this computer other than allowing ALL to connect.

tcp_wrappers is obviously checking hosts.deny and hosts.allow because by editing these files you can make ssh work and not work.  tcp_wrappers includes a utility called tcpdchk which will test the rules you set up in hosts.deny and hosts.allow.  I do not have Apache or rsh/telnet running on this computer, so when I run

# tcpdchk -v
Cannot find your inetd.conf or tlid.conf file.
Please specify its location.
#

tcpdchk complains it can't find inetd.conf so I can't verify my rules with tcpdchk.  tcpdmatch doesn't work either for the same reason.

Can someone help me with the correct syntax for allowing only other computers on my LAN to connect?  Or, do I need an inetd.conf file to make this work at all?

Pudge

Offline

#10 2007-05-02 09:46:34

madeye
Member
From: Denmark
Registered: 2006-07-19
Posts: 331
Website

Re: ssh to computer [SOLVED]

Have you tried to use

sshd: 192.168.0.0: ALLOW

IIRC that would enable all computers on your lan to connect through SSH to your machine.


MadEye | Registered Linux user #167944 since 2000-02-28 | Homepage

Offline

#11 2007-05-02 13:08:30

dschrute
Member
From: NJ, USA
Registered: 2007-04-09
Posts: 183

Re: ssh to computer [SOLVED]

sshd : 192.168.0.XXX  : ALLOW
sshd : LOCAL : ALLOW
sshd : 192.168.0.XXX/255.255.255.0 : ALLOW
sshd : localhostname : ALLOW
sshd : localhostname.localdomainname : ALLOW

I don't think you need the " :ALLOW".  In mine I have simply :

sshd: 192.168.X.X/255.255.255.0

and it works as expected.

Offline

#12 2007-05-03 04:49:34

vytalelementz
Member
From: West Palm Beach, FL, USA
Registered: 2007-04-23
Posts: 99

Re: ssh to computer [SOLVED]

Thanks for all the input I'll give all these suggestions a try and see if I have any luck.:)


Best Regards,

The Vytalone

Offline

#13 2007-05-03 07:36:55

dmartins
Member
Registered: 2006-09-23
Posts: 360

Re: ssh to computer [SOLVED]

vytalelementz, from what I've read I would agree with mcover. You probably need to set up port forwarding on your home's router. For example, I have a linksys router at my house which connects through ethernet to my cable modem. It receives a public address from my ISP of 72.xxx.xxx.xxx. It also assigns private addresses to any computer connected to it. All of the private addresses begin with 192.168.x.x by default. If I set up an SSH server on a computer which gets a private address of 192.168.1.100 and I want to connect to it via ssh from the internet, then I need to log in to the router (usually through 192.168.1.1) and set up port forwarding for port 22 to 192.168.1.100. From anywhere outside my private network I would ssh to my computer by connecting to 72.xxx.xxx.xxx and my linksys router will automatically pass the connection through to the computer that I've set up port forwarding for.

Pudge, try

sshd : 192.168.0. : ALLOW

Last edited by dmartins (2007-05-03 07:42:09)

Offline
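The hosts.allow / hosts.deny questions in posts #8 to #13, as an added example (not code from any poster or from tcp_wrappers): a small Python model of hosts_access(5) lookup order and IPv4 client-pattern matching, run over the rule variants quoted in the thread. The client addresses are constructed, EXCEPT is not modelled, and the third option field is ignored because every rule on this page uses an option that agrees with the file it sits in.

```python
import ipaddress

def client_matches(pattern, ip, hostname=None):
    """One hosts_access(5) client pattern vs. an IPv4 client (EXCEPT not modelled)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                 # a resolved host name without a dot
        return hostname is not None and "." not in hostname
    if "/" in pattern:                     # net/mask: (address AND mask) == net
        net, mask = pattern.split("/", 1)
        try:
            m = int(ipaddress.IPv4Address(mask))
            return (int(ipaddress.IPv4Address(ip)) & m) == int(ipaddress.IPv4Address(net))
        except ipaddress.AddressValueError:
            return False
    if pattern.endswith("."):              # leading numeric fields, e.g. "192.168.0."
        return ip.startswith(pattern)
    if pattern.startswith("."):            # domain suffix, e.g. ".example.org"
        return hostname is not None and hostname.lower().endswith(pattern.lower())
    # Anything else is an exact host address or host name, never a network.
    return pattern == ip or (hostname is not None and pattern.lower() == hostname.lower())

def parse_rules(text):
    """Return [(daemons, clients)] from 'daemon_list : client_list [: option]' lines."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:               # third field (ALLOW/DENY option) is ignored here
            rules.append((fields[0].replace(",", " ").split(),
                          fields[1].replace(",", " ").split()))
    return rules

def file_matches(text, daemon, ip, hostname):
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(c, ip, hostname) for c in clients)
               for daemons, clients in parse_rules(text))

def access(hosts_allow, hosts_deny, daemon, ip, hostname=None):
    """hosts.allow is searched first, then hosts.deny; no match in either grants access."""
    if file_matches(hosts_allow, daemon, ip, hostname):
        return "allow"
    if file_matches(hosts_deny, daemon, ip, hostname):
        return "deny"
    return "allow"

DENY_ALL = "ALL: ALL: DENY"                # hosts.deny as posted in this thread
LAN, WAN = "192.168.0.23", "203.0.113.7"   # constructed client addresses

if __name__ == "__main__":
    for rule in ("sshd: ALL", "sshd : 192.168.0. : ALLOW",
                 "sshd: 192.168.0.0/255.255.255.0", "sshd: 192.168.0.0: ALLOW",
                 "sshd: 192.168.0.5/255.255.255.0", "sshd : LOCAL : ALLOW"):
        print(f"{rule:36} LAN={access(rule, DENY_ALL, 'sshd', LAN)}"
              f" WAN={access(rule, DENY_ALL, 'sshd', WAN)}")
```

In this model a bare address without a trailing dot or a mask matches only that one host, and a net/mask pair whose net part has host bits set matches nothing, so both fall through to the deny-all line.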

#14 2007-05-04 01:51:18

Pudge
Arch Linux f@h Team Member
Registered: 2006-01-23
Posts: 300

Re: ssh to computer [SOLVED]

Thanks everyone for your help and suggestions.  I have tried them all with no success.  I now feel that it's not a syntax problem with hosts.allow.  So many of you have suggested syntax that works for you, I must have something else set up improperly.  Perhaps an option in one of the config files or something.

When I get some spare time, I intend to pursue this further. 

Thanks again.

Pudge

Offline

#15 2007-05-04 08:07:04

hacosta
Member
From: Mexico
Registered: 2006-10-22
Posts: 423

Re: ssh to computer [SOLVED]

From your other computer at home (the one with which you can connect to your arch box), try connecting, but this time use your external IP, i.e. the one you get from http://www.ip-adress.com/. That way we'll know if it's a natting problem.

Offline
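A way to tell which layer is dropping the connection, as suggested in posts #3, #7 and #15, shown as an added example (not code from any poster): a Python probe that classifies one TCP attempt to the SSH port as timeout, refused, closed before banner, or banner received. The loopback listener and its banner string are constructed test fixtures; the "closed" interpretation assumes an sshd built with tcp_wrappers support.

```python
import socket
import threading

def probe_ssh(host, port=22, timeout=5.0):
    """Classify one TCP connection attempt to an SSH port.

    Returns (state, detail), where state is one of:
      "timeout" - no answer at all: packets are dropped before any listener
                  (router/modem without a forwarding rule, ISP or work firewall)
      "refused" - a host answered with a reset: reachable, nothing listening
      "closed"  - TCP accepted, then closed before any banner (typical of
                  sshd rejecting the client via hosts.allow/hosts.deny)
      "banner"  - sshd is reachable; detail is its identification string
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("timeout", "")
    except ConnectionRefusedError:
        return ("refused", "")
    except OSError as exc:                      # e.g. no route to host
        return ("error", str(exc))
    with sock:
        try:
            data = sock.recv(256)               # the server speaks first in SSH
        except socket.timeout:
            return ("timeout", "connected but no banner")
        except ConnectionResetError:
            return ("closed", "")
    if not data:
        return ("closed", "")
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    return ("banner", line) if line.startswith("SSH-") else ("other", line)

def start_loopback_listener(reply):
    """Constructed test peer: accept one connection on 127.0.0.1, send reply, close."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))                  # port 0: let the OS pick a free port
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            if reply:
                conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    port = start_loopback_listener(b"SSH-2.0-OpenSSH_demo\r\n")   # constructed banner
    print(probe_ssh("127.0.0.1", port, timeout=2.0))
```

Run from outside the LAN against the public address, a "timeout" result together with no entry in the server's auth log points at the router, modem or an upstream firewall rather than at sshd or tcp_wrappers.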

#16 2007-05-21 22:45:16

vytalelementz
Member
From: West Palm Beach, FL, USA
Registered: 2007-04-23
Posts: 99

Re: ssh to computer [SOLVED]

Question...This might  be a stupid one since I'm completely ignorant when it comes to networking at the moment, but can you create a home network on computers set to use dynamic private ip's or do the private ip's have to be static in order to create a home network?


Best Regards,

The Vytalone

Offline

#17 2007-05-21 23:44:02

ataraxia
Member
From: Pittsburgh
Registered: 2007-05-06
Posts: 1,553

Re: ssh to computer [SOLVED]

You can do it with dynamic but it'll be more annoying since you'll have to figure out what the current IPs are each time you need to type one in. No big deal as long as you have a monitor on each dynamic machine so you can find out (or you don't mind guessing some IPs).

Offline

#18 2007-05-22 04:22:40

Purch
Member
From: Finland
Registered: 2006-02-23
Posts: 229

Re: ssh to computer [SOLVED]

vytalelementz wrote:

Question...This might  be a stupid one since I'm completely ignorant when it comes to networking at the moment, but can you create a home network on computers set to use dynamic private ip's or do the private ip's have to be static in order to create a home network?

You can use dnsmasq or some other dhcp server to give dynamic IPs to your LAN computers. Just remember to put "nameserver [IP of the dnsmasq server]" first in /etc/resolv.conf. Don't let dhcpd update your dns servers on every lookup. Otherwise the dns queries go to the ISP servers, and they don't have your LAN in their tables.

Look at my post in this: http://bbs.archlinux.org/viewtopic.php?id=31824

Offline

#19 2007-05-22 04:38:13

vytalelementz
Member
From: West Palm Beach, FL, USA
Registered: 2007-04-23
Posts: 99

Re: ssh to computer [SOLVED]

Thanks again for all your inputs. I will try these out soon enough once I get started on this project.


Best Regards,

The Vytalone

Offline

#20 2008-05-08 02:28:49

vytalelementz
Member
From: West Palm Beach, FL, USA
Registered: 2007-04-23
Posts: 99

Re: ssh to computer [SOLVED]

Problem was resolved. It had to do with enabling ssh services on my westell modem.


Best Regards,

The Vytalone

Offline
