ssh Issues

Hi Everyone,

I am running on OpenSUSE 11.4. I am having issues ssh-ing into my computer. I have no problem ssh-ing into different servers and I can successfully ping my computer. However, I am unable to ssh into my computer from any of these servers. I get the following error:


ssh gmagnotti@XXX.XXX.XXX.XX

ssh: connect to host XXX.XXX.XXX.XX port 22: Connection timed out

I believe that a solution would probably involve configuring the firewall, but I have looked on Google and the other forum posts and didn’t find a solution. Your help and guidance would be greatly appreciated.

Thanks!

sudo /sbin/yast firewall - Allowed Services, choose ‘Secure Shell’ or
whatever from the drop-down, Add, Next, Finish.

Also, be sure the SSH service is running:

sudo /sbin/chkconfig sshd on #enable autostart
sudo /etc/init.d/sshd status #see status
sudo /etc/init.d/sshd start #run it now

Good luck.

Thanks for your help!

I followed your instructions as laid out and got the following results:


sudo /etc/init.d/sshd status #see status
Checking for service sshd                                                                                running

sudo /etc/init.d/sshd start #run it now
Starting SSH daemon                                                                                      done

But I still cannot ssh into my computer. Any other ideas? Maybe some help ensuring that the ports are configured correctly would be good…

I used the nmap command and have the following result.


nmap -sS 127.0.0.1

Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-24 20:31 EDT
Nmap scan report for localhost (127.0.0.1)
Host is up (0.0000020s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE
25/tcp  open  smtp
111/tcp open  rpcbind
631/tcp open  ipp

Nmap done: 1 IP address (1 host up) scanned in 0.06 seconds


So it appears that my port 22 is not open for ssh service. How do I fix this? Also, ideally I would like it to be another port (not 22 for security purposes). Thanks in advance for your guidance.

On 2012-10-25 02:36, gmagnotti wrote:
> So it appears that my port 22 is not open for ssh service. How do I fix
> this? Also, ideally I would like it to be another port (not 22 for security
> purposes). Thanks in advance for your guidance.

The commands you were given were to be run on the server, not the client.
Also you commented nothing on the opening of the firewall instructions given.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” (Minas Tirith))

I do not have sudo privileges on the server so I didn’t think to run those commands on the server. I ran them on my computer and provided the results.

Apologies for not commenting on the opening of the firewall instructions. Provided below is the printout from YAST for the Firewall Configuration Summary.


 Firewall Starting
  - Enable firewall automatic starting
  - Firewall starts after the configuration gets written

 Internal Zone
  - No interfaces assigned to this zone.

 Demilitarized Zone
  - No interfaces assigned to this zone.

 External Zone
 Interfaces
  - Intel Ethernet controller / eth0

 Open Services, Ports, and Protocols
  - Secure Shell Server
  - TCP Ports: XXXX

 Custom Rules
  - 1 custom rules are defined


It’s still not working. Does it not appear to be a port issue?

First of all, I would like to thank everyone who has replied so far. But perhaps some more information would help identify the root cause…

Some history:
Previously, my computer was on a different network (let’s call it AE Network). I used to be able to ssh into my computer from my home laptop (Windows) via VPN and then using X-Win I would connect to an AE server to get behind the AE firewall and then ssh into my computer from that server.

My lab has since relocated and I am now on a different network (let’s call it ME network). Since this change occurred, I have not been able to successfully ssh into my computer directly via VPN or from any other server. Additionally, I have had to do a fresh install of OpenSUSE 11.4. So I’m trying to figure out the source of the problem: is it my computer’s firewall configurations, is it my new network’s firewall or is it a combination of the two?

Hope this information might help shed some light onto the situation. Any guidance you can give about troubleshooting and identifying the root of this problem is greatly appreciated.

On 2012-10-25 15:36, gmagnotti wrote:
>
> robin_listas;2498654 Wrote:
>>
>>
>> The commands you were given were to be run on the server, not the
>> client.
>> Also you commented nothing on the opening of the firewall instructions
>> given.
>>
>>
>
> I do not have sudo privileges on the server so I didn’t think to run
> those commands on the server. I ran them on my computer and provided the
> results.

Then you need the administrator of that machine to get involved: you can do nothing.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” (Minas Tirith))

gmagnotti wrote:
> robin_listas;2498654 Wrote:
>>
>> The commands you were given were to be run on the server, not the
>> client.
>> Also you commented nothing on the opening of the firewall instructions
>> given.
>
> I do not have sudo privileges on the server so I didn’t think to run
> those commands on the server. I ran them on my computer and provided the
> results.

I think what Carlos wrote is confusing, and what you did was correct. I
think that Carlos may have meant to say to run the commands on the
machine that is running the sshd server daemon, and that is of course
your own computer. Whilst when he said ‘client’, I expect he meant ‘ssh
client’ which is of course running on one of your servers. As I say,
confusing.

> Apologies for not commenting on the opening of the firewall
> instructions. Provided below is the printout from YAST for the Firewall
> Configuration Summary.
> External Zone
> Interfaces
>
>
> - Intel Ethernet controller / eth0
>
> Open Services, Ports, and Protocols
>
> - Secure Shell Server
> - TCP Ports: XXXX
>
> Custom Rules
>
> - 1 custom rules are defined

> It’s still not working. Does it not appear to be a port issue?

So it is saying that the port is open, but nmap says not. However, I
think you ran nmap on 127.0.0.1 - the localhost i/f. I think you need to
run it on the external i/f, whatever IP address you actually use on your
network. However, I might be wrong, I’m not an expert. But please repeat
the nmap with the real IP address.

What is the “custom rule” in the firewall?

Another trick is to use telnet to simulate whatever protocol you’re
having trouble with:

telnet your-ip-address 22

and report back whatever message it gives you.

Even if you eventually want to use a different port, I would stick with
22 until you get ssh working. Otherwise, it’s another factor to get
confused about.

So I ran the nmap command and here is the output:


nmap -sS <my ip address>

Starting Nmap 5.21 ( http://nmap.org ) at 2012-10-25 11:17 EDT
Nmap scan report for ME01281.me.XXXXXX.edu (xxx.xxx.xxx.xx)
Host is up (0.0000020s latency).
Not shown: 999 closed ports
PORT    STATE SERVICE
111/tcp open  rpcbind

Nmap done: 1 IP address (1 host up) scanned in 0.07 seconds


I then ran the telnet command and here is the output:


telnet xxx.xxx.xxx.xx 22
Trying xxx.xxx.xxx.xx...
telnet: connect to address xxx.xxx.xxx.xx: Connection refused

I then ran the telnet command with the custom port and here is the output:


telnet xxx.xxx.xxx.xx [custom port]
Trying xxx.xxx.xxx.xx...
Connected to xxx.xxx.xxx.xx.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.8


And the custom rule has been removed in Yast. It was to allow a specific IP address access via TCP protocol at the custom port.

gmagnotti wrote:
> I then ran the telnet command with the custom port and here is the
> output:
>
> Code:
> --------------------
>
> telnet xxx.xxx.xxx.xx [custom port]
> Trying xxx.xxx.xxx.xx…
> Connected to xxx.xxx.xxx.xx.
> Escape character is ‘^]’.
> SSH-2.0-OpenSSH_5.8
>
> --------------------

According to that, ssh should be working. Have you been giving it the
custom port number when trying?

Dave Howorth wrote:
> According to that, ssh should be working. Have you been giving it the
> custom port number when trying?

Oh, and if it isn’t, please use -v or -vv or even -vvv when trying and
show us the output.

Try moving ~/.ssh to ~/.ssh.old, then retry.

Yes, I have been giving the port. From my laptop computer using X-Win, I get the following message:


Looking up host "xxx.xxx.xxx.xx"
Connecting to xxx.xxx.xxx.xx port ****
Using SSPI from SECUR32.DLL
Failed to connect to xxx.xxx.xxx.xx: Network error: Connection timed out
Network error: Connection timed out
FATAL ERROR: Network error: Connection timed out

From either of the two servers I have tried, when I use ssh -v -p **** gmagnotti@xxx.xxx.xxx.xx, this is the output:


OpenSSH_5.4p1, OpenSSL 0.9.7a Feb 19 2003
debug1: Reading configuration data /opt/openssh-5.4p1/etc/ssh_config
debug1: Applying options for *
/opt/openssh-5.4p1/etc/ssh_config line 41: Unsupported option "GSSAPIAuthentication"
debug1: Connecting to xxx.xxx.xxx.xx [xxx.xxx.xxx.xx] port ****.
debug1: connect to address xxx.xxx.xxx.xx port ****: Connection timed out
ssh: connect to host xxx.xxx.xxx.xx port ****: Connection timed out


I am a little confused myself. It does appear that my port is open but the connection always seems to time out. Does this mean that the root cause is an issue with the network firewall?

I executed the above command but I am still receiving the same connection timed out error when attempting to ssh into my computer. The only difference I noticed is that when I tried ssh-ing into a server from my computer, I received the following message:


The authenticity of host '<host-name> (host-ip-address)' can't be established.
RSA key fingerprint is 49:0a:75:0e:c0:78:98:53:ee:0f:a5:99:47:b8:63:c6.
Are you sure you want to continue connecting (yes/no)? y
Please type 'yes' or 'no': yes
Warning: Permanently added '<host-name>,host-ip-address' (RSA) to the list of known hosts.

On 2012-10-25 18:36, gmagnotti wrote:

> I executed the above command but I am still receiving the same
> connection timed out error when attempting to ssh into my computer. The
> only difference I noticed is that when I tried ssh-ing into a server
> from my computer, I received the following message:

It means the server was reinstalled, and the signature changed.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” (Minas Tirith))

On 2012-10-25 16:19, Dave Howorth wrote:
> gmagnotti wrote:
>> robin_listas;2498654 Wrote:

> I think what Carlos wrote is confusing, and what you did was correct. I
> think that Carlos may have meant to say to run the commands on the
> machine that is running the sshd server daemon, and that is of course
> your own computer. Whilst when he said ‘client’, I expect he meant ‘ssh
> client’ which is of course running on one of your servers. As I say,
> confusing.

Yes, of course, I mean that.

> So it is saying that the port is open, but nmap says not. However, I
> think you ran nmap on 127.0.0.1 - the localhost i/f. I think you need to
> run it on the external i/f, whatever IP address you actually use on your
> network. However, I might be wrong, I’m not an expert. But please repeat
> the nmap with the real IP address.

Yes, you are correct.
But the new description he made of the network makes it more complex, and I think that he should get
the network manager involved.

As there is an intermediate machine, the test has to be run from there.

> Even if you eventually want to use a different port, I would stick with
> 22 until you get ssh working. Otherwise, it’s another factor to get
> confused about.

Absolutely.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” (Minas Tirith))

gmagnotti wrote:

> My lab has since relocated and I am now on a different network (let’s
> call it ME network). Since this change occurred, I have not been able to
> successfully ssh into my computer directly via VPN or from any other
> server. Additionally, I have had to do a fresh install of OpenSUSE 11.4. So
> I’m trying to figure out the source of the problem: is it my computer’s
> firewall configurations, is it my new network’s firewall or is it a
> combination of the two?

Just a wild guess, but how are the networks interconnected? Most of the
ones I work with here are actually networks of private networks and behind
firewalls in the DSL routers we use. That means I need to set up the
routers for port forwarding as the routers NAT the internal machines and the
external IP is in reality the IP of the router, not the internal machine.


Will Honea

Carlos E. R. wrote:
> But the new description he made of the network makes it more complex, and I think that he should get
> the network manager involved.
>
> As there is an intermediate machine, the test has to be run from there.

Somehow, I hadn’t seen that description yesterday :(

I agree completely with Carlos. The first step is to try to solve it
with the local support people who are responsible for the new network.
If gmagnotti can isolate his new problem to ‘such and such works with
win**** but fails with opensuse on my machine’ or something like that,
then we may have a chance of understanding what the problem is.

Alternatively, we need a network diagram, and the results of running
ping and traceroute as well as ssh (and what else?) on all machines.
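
The three results reported in this thread ("Connection refused" on port 22, an SSH banner on the custom port, and "Connection timed out" from the remote servers) can be told apart with one probe run from each machine along the path. This is an added example, not part of any post in the thread; the function names `probe` and `explain` are assumptions made for illustration.

```python
import socket
import sys

def probe(host, port, timeout=5.0):
    """Make one TCP connect attempt and return (state, detail)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            try:
                # sshd speaks first with its version line, e.g. "SSH-2.0-OpenSSH_5.8"
                line = s.recv(255).split(b"\n", 1)[0]
                banner = line.decode("ascii", "replace").strip()
            except OSError:
                banner = ""  # connected, but nothing readable within the timeout
            return ("open", banner)
    except (socket.timeout, TimeoutError):
        return ("filtered", "")  # no answer at all: the packets were dropped
    except ConnectionRefusedError:
        return ("closed", "")  # a reset came back: host reached, port not accepting
    except OSError as exc:
        return ("unreachable", str(exc))  # no route, failed name lookup, ...

def explain(state, detail):
    """Say what a probe result implies about where the connection is blocked."""
    if state == "open" and detail.startswith("SSH-"):
        return "sshd answers from this vantage point; path and port are fine"
    if state == "open":
        return "something accepts the connection but sent no SSH banner"
    if state == "closed":
        return ("host reached, but nothing accepts on this port (or a firewall "
                "rejects it): check which port sshd listens on")
    if state == "filtered":
        return ("packets are dropped between here and sshd (host firewall or a "
                "network firewall/NAT): repeat the probe from a machine closer "
                "to the target")
    return "cannot reach the host from here: " + detail

if __name__ == "__main__":
    # Usage: python3 probe.py HOST PORT, run from each machine along the path.
    if len(sys.argv) == 3:
        state, detail = probe(sys.argv[1], int(sys.argv[2]))
        print(state, repr(detail), "->", explain(state, detail))
    else:
        print("usage: probe.py HOST PORT")
```

A probe run on the target against its own address travels over loopback and does not cross the external interface, so an "open" result there does not show that remote hosts can reach the port.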