Enabling Basic SSH on SUSE 12.1

Dear All,

My brain is dying on me but I wanted to set up SSHD so I can log into my computer remotely. I downloaded the fancy GUI yast2 SSHD manager and I have configured it so it seems to have everything that I need: it starts automagically on system startup, it has a port number (for now 22 but I plan on changing it), I allow TCP forwarding, X forwarding, compression, firewall is disabled, I permit public key usage, etc.

So, when I try to log into my shiny new Linux box using my Macbook I get an error saying that the connection was refused. I have tried to use this link:

SDB:Configure openSSH - openSUSE

But since I am using the GUI SSHD manager I am a little confused what steps I am missing and which ones I have successfully bypassed. I think I need to configure my ssh_config files, but I don’t want to mess anything up. My settings look like this:

#	$OpenBSD: ssh_config,v 1.26 2010/01/11 01:39:46 dtucker Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

Host *
#   ForwardAgent no
#   ForwardX11 no

# If you do not trust your remote host (or its administrator), you
# should not forward X11 connections to your local X11-display for
# security reasons: Someone stealing the authentication data on the
# remote side (the "spoofed" X-server by the remote sshd) can read your
# keystrokes as you type, just like any other X11 client could do.
# Set this to "no" here for global effect or in your own ~/.ssh/config
# file if you want to have the remote X11 authentication data to
# expire after two minutes after remote login.
ForwardX11Trusted yes

#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
    Protocol 2
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no

# Set this to 'yes' to enable support for the deprecated 'gssapi' authentication
# mechanism to OpenSSH 3.8p1. The newer 'gssapi-with-mic' mechanism is included
# in this release. The use of 'gssapi' is deprecated due to the presence of
# potential man-in-the-middle attacks, which 'gssapi-with-mic' is not susceptible to.
#   GSSAPIEnableMITMAttack no

# This enables sending locale environment variables LC_* LANG, see ssh_config(5).
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL

# This will print the fingerprint of the host key in "visual" form
# this should make it easier to also recognize bad things
VisualHostKey no

# This will hash new host keys and make them so unusable for malicious
# people or software trying to use known_hosts to find further hops.
HashKnownHosts yes

#   ProxyCommand ssh -q -W %h:%p gateway.example.com

Can you help guide me in the right direction?
Thanks.

I didn’t know that existed. But then, I cannot imagine what I would use it for.

The first thing to check is that sshd is running.


% netstat -an | grep :22
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      
tcp        0      0 :::22                   :::*                    LISTEN

In my case, those lines indicate that it is. A “connection refused” often means that the server is not running.

Next, you have to allow port 22 through the firewall. I doubt that is your problem, for if the firewall is blocking connections then you would get a timeout trying to connect instead of a connection refused.

If your computer is behind a home router, and you want access from outside the local LAN, then you will need to set up port forwarding on your router. Check the router documentation for details on that.

Mine is running. I think it might be because I am trying to access it through the same router. I am going to ssh into my school’s computers and try again from there.

Still no luck. If I plan to do this occasionally should I set up a static IP address for this computer?

First things first.

Are you behind a home router (or NAT router)?

If you are behind a router, then your computer should have an IP address something like 192.168.1.20

That is, it probably begins 192.168 or sometimes 172.x or 10.x

If you are behind a router, then try connecting using the LAN IP. That is, from the Macbook, try connecting to 192.168.1.20 (or whatever that LAN IP is).

I’ll comment further after you reply about that.

I’m not familiar with the GUI utility but what do you have in /etc/ssh/sshd_config? Specifically for ‘ListenAddress 0.0.0.0’ ? Is that IP appearing there the one you want it to be (or 0.0.0.0 which basically means to bind to all available IPs on all interfaces)?

From what I understand you want to do this:

OpenSUSE <-----> Router <----------------> Your ISP <-------------> Internet

Also with another computer (Your Macbook) connected behind your router.

From what I know then you probably want to use the local NAT IP address and bind to that interface (for example, 192.168.1.45). Then from there you configure your router to forward all connections coming from the internet on the ssh port (usually 22) to go to that local machine, assuming you want to accept connections from over the internet to your OpenSUSE SSH port (this is actually somewhat dangerous; you don’t need to do this just to connect from your Macbook when also behind the router). So usually this means you do want to configure the local machine to use a static IP address behind the router (so that you know where to forward port 22 traffic). Then also for your Macbook to connect you would simply have it connect to the local IP address (such as 192.168.1.45) and it would do so to the other machine, all behind the router.

I do use the GUI. Did you set it to start at boot time? This is in the first tab. The option to open the firewall port is there too. If you change ports, go there too to apply changes and reload the service. Works fine here with defaults except for the port number.

You don’t need to change anything in /etc/ssh/sshd_config, unless you have special needs. All you need is to have the sshd service running, which you can check with this command:

systemctl status sshd.service

and start/stop with:

systemctl start sshd.service
systemctl stop sshd.service

Further you need to open port 22 or the port on which you’re running sshd. It is a little bit safer to use a higher port, since your router is permanently port scanned by potential intruders. To use an alternate port, you would add it in /etc/sshd_config. Example:

Port 22
Port 9422

Although what matters is not the port on your computer but the port on your router. You can also open a higher port on your router. You can run sshd on several ports. I highly recommend using [fail2ban](http://www.fail2ban.org/wiki/index.php/Main_Page) if you intend to connect from outside your LAN. It is available in the standard repo:

zypper info fail2ban

On your router you need to forward the ssh port to your computer, as already said. From the outside world, you connect to your router IP. If it changes too often, you need to set up a DDNS account. There are some for free. Use the [blip](http://forums.opensuse.org/english/other-forums/development/programming-scripting/448072-netinfo-read-network-pc-information-into-local-text-file-3.html#post2237702) script to find out your external IP or ask a site such as Current IP Check.
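The two checks the replies above describe (is sshd actually listening, and does every `Port` line in sshd_config have a listener behind it) combined into one diagnostic script. This is an added example, not a script from the thread or from openSUSE; the sshd_config fragment and the netstat output embedded in it are constructed sample data in the shape shown earlier in the thread, and the function names are my own.

```shell
#!/bin/sh
# Constructed sshd_config fragment: the two-port setup suggested in the thread.
SAMPLE_SSHD_CONFIG='
# comment lines and unrelated directives are ignored
ListenAddress 0.0.0.0
Port 22
Port 9422
'

# Constructed "netstat -an" output: only port 22 is bound, 9422 is not.
SAMPLE_NETSTAT='tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN'

# Print the Port values found in sshd_config text read from stdin.
# OpenSSH defaults to 22 when no Port directive is present, so do the same.
configured_ports() {
    ports=$(sed -n 's/^[[:space:]]*[Pp]ort[[:space:]]\{1,\}\([0-9]\{1,\}\).*/\1/p')
    [ -n "$ports" ] && printf '%s\n' "$ports" || echo 22
}

# Print the TCP ports in LISTEN state from "netstat -an" text on stdin.
# The local address is column 4 ("0.0.0.0:22" or ":::22"); the port is its last field.
listening_ports() {
    awk '$1 ~ /^tcp/ && $NF == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -un
}

# For each configured port print "<port> listening" or "<port> NOT listening".
# Returns 0 when every configured port has a listener, 1 otherwise.
# A port that is configured but NOT listening explains a "connection refused".
check_sshd_ports() {
    config="$1"; netstat_out="$2"; rc=0
    listen=$(printf '%s\n' "$netstat_out" | listening_ports)
    for p in $(printf '%s\n' "$config" | configured_ports); do
        if printf '%s\n' "$listen" | grep -qx "$p"; then
            echo "$p listening"
        else
            echo "$p NOT listening"; rc=1
        fi
    done
    return $rc
}

# Live run on the local box, only when the config and netstat are available.
if [ -r /etc/ssh/sshd_config ] && command -v netstat >/dev/null 2>&1; then
    check_sshd_ports "$(cat /etc/ssh/sshd_config)" "$(netstat -an)"
fi
```

Against the sample data the script prints `22 listening` and `9422 NOT listening` and exits 1; on a box where sshd was never started, every configured port shows as NOT listening, which is the "connection refused" case from the thread (a firewall or NAT problem shows up as a timeout instead).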

On 2012-02-09 16:56, davidmfl wrote:
> OpenSUSE <-----> Router <----------------> Your ISP <------------->
> Internet

Forget that. Concentrate first on making it work from a computer to another
computer in the same local network.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)