Can't connect thru ssh on port 54545 or any port other than default

I am sure there has been a lot of discussion already on this topic but nothing has worked for me as yet.

I have configured my sshd_config correctly and listed port 54545, opened the port from firewall, generated rsa keys but I can’t upload the keys.

The port is open as per lsof -

> lsof -i | grep sshd
sshd 5645 root 3u IPv6 31166 0t0 TCP *:54545 (LISTEN)



The error is below - 

> ssh-copy-id apogee@apogee.suse.lst
ssh: connect to host apogee.suse.lst port 22: Connection refused



What do I do to get it to work?

You’ve probably made connections when port 22 was the default for the host. Remove ~/.ssh/known_hosts and try again. The connection to the host is probably known in there, but on port 22.

When I try that command (using port 22), I get lines for both IPv4 and IPv6.

It looks as if the command “ssh-copy-id” does not have an option for ports. So you may have to setup keys manually.

You should try connecting, with:


ssh -p 54545 apogee@apogee.suse.lst

Just a point for better posting. Do not alter the default fonts. We can all read the normal fonts and there is no need to irritate people by using larger fonts than usual. Also, while you did this a bit haphazardly, one of your CODE parts did not work (font size changing in the midst of the tag).

> > sshd 5645 root 3u IPv6 31166 0t0 TCP *:54545 (LISTEN)

Yes, that’s fine.

> When I try that command (using port 22), I get lines for
> It looks as if the command “ssh-copy-id” does not have an option for
> ports. So you may have to setup keys manually.

This is, exactly, the problem. ssh-copy-id is great for every other case,
but stinks in this one case; adding an option to accept a port should
probably take about ten seconds, so if I can find the upstream repo I’ll
go do that. In the meantime:

  1. Put it back, copy the key, then restrict ports:
    A. Change the port back to 22, or better yet add ‘22’ as another port for
    now. Restart sshd.
    B. ssh-copy-id as you were before; it’ll work now.
    C. Change back to just port 54545 and restart sshd.

  2. Copy the key manually.
    A. Copy contents of ~/.ssh/id_rsa.pub (or whatever you named it)
    B. Paste on destination box’s ~/.ssh/authorized_keys file; create if not
    already there, but be sure permissions are set to 600 (rw-------) for the
    file and 700 (rwx------) for the ~/.ssh directory or things may not work
    later.
    C. Try logging in.

The ‘Connection Refused’ means that the port is not listening (as you
configured, so okay) and that the default SUSE firewall is not blocking it
(odd… you should probably still be blocking TCP 22, but oh well… maybe
this is a result of your testing or previous configuration).

Good luck.
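Added example (not part of the original post): option 2 above as a shell function run on the destination box, assuming the public key file has already been copied there. The names `install_pubkey` and `mode_of` are hypothetical; the function appends the key only once, refuses a file that is not a public key, and sets the 700/600 modes the post calls for.

```shell
#!/bin/sh
# Added example: the destination-side half of "copy the key manually".
# install_pubkey PUBKEY_FILE [HOME_DIR]
# Appends one public key to HOME_DIR/.ssh/authorized_keys, once, and
# sets mode 700 on the directory and 600 on the file.
install_pubkey() {
    pub=$1
    home=${2:-$HOME}
    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # A public key is a single line; take the first non-empty one.
    key=$(grep -v '^[[:space:]]*$' "$pub" | head -n 1)
    case $key in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        # Anything else, including a private key pasted by mistake.
        *) echo "$pub does not look like a public key" >&2; return 1 ;;
    esac

    (
        # umask 077 so anything created here is private from the start.
        umask 077
        mkdir -p "$home/.ssh" || exit 1
        touch "$home/.ssh/authorized_keys" || exit 1
        # -x whole line, -F fixed string: skip if already installed.
        grep -qxF -- "$key" "$home/.ssh/authorized_keys" ||
            printf '%s\n' "$key" >> "$home/.ssh/authorized_keys"
    ) || return 1

    # Repair modes on paths that already existed with looser permissions.
    chmod 700 "$home/.ssh" && chmod 600 "$home/.ssh/authorized_keys"
}

# Mode of a path as octal digits (GNU stat first, BSD stat as fallback).
mode_of() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }
```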

On 2013-01-01 11:56, inkjetunit wrote:
> The error is below -
>
> Code:
> --------------------
> linux-gu9x:~/.ssh # ssh-copy-id apogee@apogee.suse.lst
> ssh: connect to host apogee.suse.lst port 22: Connection refused
>
> --------------------

You forgot to tell the client to change the default port.


Cheers / Saludos,

Carlos E. R.
(from 11.4, with Evergreen, x86_64 “Celadon” (Minas Tirith))

While I have not tried this, another option to get this script working may
include setting the ~/.ssh/config file with the following:

Port = 54545

so…

echo 'Port = 54545' >> ~/.ssh/config

Doing that should allow ssh-copy-id to work for this system. Change ports
as needed when needing this script to work.

Good luck.

And a patch for ssh-copy-id based on the current version in openSUSE 12.2,
which also appears to be the current version per openssh.org:

Code:

ab@mybox:~/code/openssh/contrib> diff ./ssh-copy-id.orig ./ssh-copy-id
37c37
< echo “Usage: $0 -i [identity_file]] [user@]machine” >&2

> echo “Usage: $0 -i [identity_file]] [user@]machine -p ssh_port]” >&2
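Review bot: The new usage text at line 37 documents `-p ssh_port` after the machine name, which is the reverse of ssh's own option-before-host order, and the string ends in a `]` that has no matching opening bracket. Consider accepting `-p` ahead of the host, next to `-i`, so the argument order matches ssh, and balance the brackets in the message.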
42a43
> shift
44c45,52
< { eval “$GET_ID” ; } | ssh $host “umask 077; test -d ~/.ssh || mkdir
~/.ssh ; cat >> ~/.ssh/authorized_keys” || exit 1

> #If a port was specified, use it.
> if ! -z ${1} && ‘-p’ = ${1} && ! -z ${2} ]]; then
> SSHPORT="-p ${2}"
> shift
> shift
> fi
>
> { eval “$GET_ID” ; } | ssh ${SSHPORT} $host “umask 077; test -d ~/.ssh
|| mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys” || exit 1
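Review bot: The port taken from `${2}` is never checked to be numeric, and `${SSHPORT}` is expanded unquoted in `ssh ${SSHPORT} $host`, so an argument containing whitespace is split into additional ssh arguments. Validate the value first (for example `case ${2} in ''|*[!0-9]*) exit 1;; esac`) and pass it as `-p "${2}"`. In the lines shown `SSHPORT` is also assigned only inside the `if`, so set it to an empty string beforehand; otherwise a variable of that name inherited from the environment is used when no `-p` is given.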

Basically it allows you to add a ‘-p portnum’ option at the end of the
command, so:

ssh-copy-id remotebox

becomes:

ssh-copy-id remotebox -p 54545

Seems to be working on my systems, both for those with default ports as
well as non-default ones. Now if only I can figure out how to submit this…

Oh, and to apply this put the diff text above into ‘ssh-copy-id.patch’ and
run the following (with privileges if not using a copy of the original
file which is user-owned by ‘root’):

patch `which ssh-copy-id` /path/to/ssh-copy-id.patch

Good luck.

@ knurpht, been there done that but no luck.

@ nrickert, tried that too but didn’t work.

@ hcvv, I am sorry if my thread caused inconvenience to you or offended you in any way. My terminal fonts are different and I had text similar to ‘AA’ ‘AA’ while pasting it in browser ( I ended up hand editing last tag, which actually worked).

@ ab #5, looks like it will work that way.

@ ab #7, I already altered ~/.ssh/config and made it read port 54545, that is mentioned in SDB for ‘ssh’.

@ ab #8, thanks for the diff, I will work on it after finishing cpio on my production box.

Now I can ssh at port 54545@localhost but I can’t do it from other machines on network.

apogee:/home/apogee/.ssh # ssh -v 10.0.0.4
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to 10.0.0.4 [10.0.0.4] port 54545.
debug1: connect to address 10.0.0.4 port 54545: Connection refused
ssh: connect to host 10.0.0.4 port 54545: Connection refused

apogee:/home/apogee/.ssh # ssh -v apogee.suse.lst
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to apogee.suse.lst [127.0.0.2] port 54545.
debug1: connect to address 127.0.0.2 port 54545: Connection refused
ssh: connect to host apogee.suse.lst port 54545: Connection refused

apogee:/home/apogee/.ssh # ssh -v localhost
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to localhost [::1] port 54545.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
debug1: match: OpenSSH_6.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 6b:xx:da:xx:78:58:xx:00:ac:yy:ab:aa:55:d8:98:ad
debug1: checking without port identifier
The authenticity of host '[localhost]:54545 ([::1]:54545)' can't be established.
RSA key fingerprint is 6b:4f:da:d0:78:58:98:00:ac:b1:ab:1f:55:d8:98:ab.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[localhost]:54545' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Password: 
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Password: 
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to localhost ([::1]:54545).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last failed login: Tue Jan  1 12:33:13 PST 2013 from localhost on ssh:notty
There were 2 failed login attempts since the last successful login.
Have a lot of fun...
apogee:~ #

What am I missing here?

I can ssh apogee@apogee.suse.lst from localhost but I cant do that from network.

apogee:/home/apogee/.ssh # ssh -v apogee@apogee.suse.lst
OpenSSH_6.0p1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /root/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug1: Connecting to apogee.suse.lst [::1] port 54545.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type 1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.0
debug1: match: OpenSSH_6.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: RSA 6b:4f:da:d0:78:58:98:00:ac:b1:ab:1f:55:d8:98:ab
debug1: checking without port identifier
The authenticity of host '[apogee.suse.lst]:54545 ([::1]:54545)' can't be established.
RSA key fingerprint is xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[apogee.suse.lst]:54545' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /root/.ssh/id_rsa
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Trying private key: /root/.ssh/id_ecdsa
debug1: Next authentication method: keyboard-interactive
Password: 
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Password: 
debug1: Authentication succeeded (keyboard-interactive).
Authenticated to apogee.suse.lst ([::1]:54545).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = en_US.UTF-8
Last failed login: Tue Jan  1 13:42:40 PST 2013 from localhost on ssh:notty
There was 1 failed login attempt since the last successful login.
Last login: Tue Jan  1 11:11:02 2013 from console
Have a lot of fun...
apogee@apogee:~> exitdebug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0

logout
debug1: channel 0: free: client-session, nchannels 1
Connection to apogee.suse.lst closed.
Transferred: sent 2872, received 2712 bytes, in 1051.5 seconds
Bytes per second: sent 2.7, received 2.6
debug1: Exit status 0

Strange though I had my hostname setup from console and restarted the network but it needed some fancy service to record it from ‘GUI’.

@ab, I resolved ssh connection on localhost, which now works but I still can’t ssh from network -

$ ssh -v -p 54545 apogee@10.0.0.2
OpenSSH_6.1p1, OpenSSL 1.0.1c 10 May 2012
debug1: Connecting to 10.0.0.2 [10.0.0.2] port 54545.
debug1: connect to address 10.0.0.2 port 54545: Connection refused
ssh: connect to host 10.0.0.2 port 54545: Connection refused

Any ideas?

This is a different IP from a couple of posts ago; are you sure you’re
hitting a box that is listening on TCP 54545? Another simple test to rule
out SSH:

Code:

netcat -zv 10.0.0.2 54545
netcat -zv 10.0.0.4 54545
netcat -zv apogee.suse.lst 54545

The error is pretty straight-forward usually; the standard SUSE firewall
isn’t blocking it but neither is anything listening there in the first
place. Doesn’t make much sense to me considering the ‘localhost’ attempt
worked, but ‘localhost’ apparently resolves to the IPv6 address so maybe
that’s somehow related. What do you get from this:

Code:

netstat -planet | grep :54545

Good luck.

@ab, yeah I use dhcp. FYI, I managed to ssh into my tower running 12.1 @ 10.0.0.4 configured with default port. I will get you other details by the end of the day today.

Sounds good.

As a final follow-up, somebody has already implemented a better
ssh-copy-id script so go get on the CC list to encourage it along:

https://bugzilla.mindrot.org/show_bug.cgi?id=1980

On 01/02/2013 06:26 AM, inkjetunit wrote:
>
> @ab, yeah I use dhcp. FYI, I managed to ssh into my tower running 12.1 @
> 10.0.0.4 configured with default port. I will get you other details by
> the end of the day today.
>
>

ssh-copy-id can transfer the key fine to a ssh server listening on non-standard port.

The flag isn’t listed in the man page, but you use the standard -p flag.

The gotcha is that it requires special formatting to work, so surround it in single quotes.

If you use it without the quotes, you get the following:

ssh-copy-id -p 64322 localhost
Bad port 'umask 077; test -d ~/.ssh || mkdir ~/.ssh ; cat >> ~/.ssh/authorized_keys'

It doesn’t need a patch to work, just use single quotes:

ssh-copy-id '-p 64322 localhost'

Some other helpful things to consider… When you setup the ssh server to listen on a non-standard port, you can change the default port the client would use to connect. The client has to set this up by modifying the /etc/services file.

The following lines can be changed from the standard port 22 to something else on both the client and server side.

ssh              22/tcp    # SSH Remote Login Protocol
ssh              22/udp    # SSH Remote Login Protocol
ssh              22/sctp   # SSH

Replace 22 with your non-standard port.
So after you modify that port number with your own, save and close, then try connecting without using the -p flag. It should use the port you entered there.

This is kind of helpful because if it’s changed on the server side as well then you can go into SuSEFirewall on the ssh server and select SSH from the list of services and it forwards the port you specified in the /etc/services file. You don’t need to manually specify it in Advanced… as part of the Allowed Services tab.

The problem with changing the /etc/services file is that when you want to connect to a ssh server that does listen on port 22, you will need to use the -p flag and tell it that you want to use 22 as that isn’t the default port anymore. So consider whether or not you will be connecting to that non-standard port often, if you do use that port for connecting often, it can be worth changing.

@ saultdon, thanks that fixed it. I can now ssh in 10.0.0.3 but it still can’t resolve a fully qualified hostname, which is strange.

One thing to double check is the FQDN on the SSH server.

Open Yast2 and click Network Settings. If you’re using Network Manager instead of ifup, you’ll get a warning - just click OK to continue and ignore it.
Go to the Hostname/DNS tab and use what you see in the **Hostname** and Domain Name boxes. You can hit cancel to close Network Settings.

When a client wants to use the FQDN to connect to that SSH server, try using **<hostname>.<domain-name>** (notice the dot separating them).
On my openSUSE PCs I usually leave the Domain Name as linux so I would use…

ssh -p 54545 username@opensuse1.linux

…where *opensuse1* is the **Hostname** and *linux* is the Domain Name.

If you find that the client still can’t connect using that FQDN, try pinging it from the client - does it time out?
Then it’s not resolving and maybe the router is intercepting the DNS (packet 53) and overriding it. So you could do either of two things here…

  1. Assign the FQDN in the router to the SSH server IP so that *every*
    client on that LAN can SSH in using that FQDN.
  2. Or manually edit the /etc/hosts file on every client so that they can
    resolve the FQDN themselves.

If using option 2, an entry in the /etc/hosts file could look like…

192.168.1.122 opensuse1.linux opensuse1

…where <destination ip> is the IP of the SSH server that you want to connect to. After making changes, save and close the hosts file then try pinging or ssh’ing the server now.

If you want to use option 1 (modifying the router) then maybe let the forum know what make and model router you have so we can have a boo at the manual to see where you need to go in there to set that up.