ssh working on lan , not on wan

Hi ,
I’m having some trouble setting up ssh on Suse 11.2 x64

Login with pubkey and/or password works fine over lan :

slack@mint ~ $ ssh mick@192.168.2.5
Last login: Fri Apr  2 16:44:50 2010 from 192.168.2.14
Have a lot of fun...
mick@linux-s1s2:~> exit
logout

However , when I try to login with my public IP the pubkey authentication is refused. When I enter the password it is also refused , even though it is the correct password.

slack@mint ~ $ ssh mick@XX.XX.XX.XX -vv
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XX.XX.XX.XX [XX.XX.XX.XX] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/slack/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: Remote protocol version 2.0, remote software version dropbear_0.46
debug1: no match: dropbear_0.46
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent

#snip#

debug2: mac_setup: found hmac-md5
debug1: kex: server->client 3des-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server 3des-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 188/384
debug2: bits set: 498/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host 'XX.XX.XX.XX' is known and matches the RSA host key.
debug1: Found key in /home/slack/.ssh/known_hosts:2
debug2: bits set: 530/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/slack/.ssh/id_rsa (0xb98afa38)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/slack/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
mick@XX.XX.XX.XX's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
mick@XX.XX.XX.XX's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
mick@XX.XX.XX.XX's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password).
slack@mint ~ $ 

The only changes I have made in /etc/ssh/sshd_config are:

PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile     .ssh/authorized_keys

I’ve also swapped
PasswordAuthentication no
to
PasswordAuthentication yes

Deleted .ssh/known_hosts on the client , still no joy.

netstat -antp | grep ssh
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      30241/sshd
tcp        0      0 :::22                   :::*                    LISTEN      30241/sshd

I’m baffled , I set this up at home on my pc and got ssh & FreeNX working over wan in a half hour without any special fiddling around , also Suse 11.2 x64.

I’m probably missing something simple , can someone help here , I’m going home Sunday & I was hoping to have this setup working by then.

BTW , grc/shields up port is open
canyouseeme.org/ port is open

Thanks

On 04/02/2010 06:46 PM, K Boyd wrote:
>
> Hi ,
> I’m having some trouble setting up ssh on Suse 11.2 x64

<snip>
>
>
> Code:
> --------------------
> PermitRootLogin no
> RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile .ssh/authorized_keys
> --------------------
>
>
> I’ve also swapped
> PasswordAuthentication no
> to
> PasswordAuthentication yes

Try without RSAAuthentication.

Vahis

http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
19:02pm up 7 days 22:20, 14 users, load average: 1.08, 0.97, 0.85

Thanks for reply , no change though :

PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes

# /etc/init.d/sshd restart

slack@mint ~/.ssh $ cat /dev/null > known_hosts 
slack@mint ~/.ssh $ cat known_hosts 
slack@mint ~/.ssh $ ssh mick@XX.XX.XX.XX -vv
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XX.XX.XX.XX [XX.XX.XX.XX] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/slack/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: Remote protocol version 2.0, remote software version dropbear_0.46
debug1: no match: dropbear_0.46
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

#Snip#

debug2: mac_setup: found hmac-md5
debug1: kex: server->client 3des-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server 3des-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 198/384
debug2: bits set: 508/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug2: no key of type 0 for host XX.XX.XX.XX
debug2: no key of type 2 for host XX.XX.XX.XX
The authenticity of host 'XX.XX.XX.XX (XX.XX.XX.XX)' can't be established.
RSA key fingerprint is a9:8c:28:9c:41:d3:c6:51:3a:cc:89:e3:4a:81:40:f1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'XX.XX.XX.XX' (RSA) to the list of known hosts.
debug2: bits set: 529/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /home/slack/.ssh/id_rsa (0xb896aa38)
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/slack/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
mick@xx.XX.XX.XX's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
mick@XX.XX.XX.XX's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
mick@XX.XX.XX.XX's password: 
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: No more authentication methods to try.
Permission denied (publickey,password).
slack@mint ~/.ssh $

slack@mint ~/.ssh $ ssh mick@192.168.2.5
The authenticity of host '192.168.2.5 (192.168.2.5)' can't be established.
RSA key fingerprint is db:86:e9:8e:c0:39:64:0d:db:5b:a7:ae:93:50:22:46.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.5' (RSA) to the list of known hosts.
Password: 
Last login: Fri Apr  2 16:45:13 2010 from 192.168.2.14
Have a lot of fun...
mick@linux-s1s2:~> exit
logout
Connection to 192.168.2.5 closed.
slack@mint ~/.ssh

I moved , then put back the authorized_keys on the host , same result.
I started again with sshd_conf original backup , no good either.
Re-installed openssh also.

Tried just about every combination I can think of.
Usually with a problem I can find a solution with Google & forums , been on this one for 5 days now.
I have to admit I’m stumped. (But not defeated)

Could it be a problem on the client side ?
I’ve also tried with a Debian variant in VirtualBox , no go either

Thanks for any help anyone can offer

Mick

If you look at the identification string the ssh server sends back in the second case, it’s dropbear. It looks like your router/firewall loops back connections to the external IP to itself. So you were connecting to the router/firewall’s ssh server.

You have to set up a port forward at the router/firewall (and I would advise choosing a different port to avoid brute-force attempts to guess your login), and you have to test it from outside.
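The check behind this diagnosis can be scripted: compare the SSH identification string (RFC 4253 "SSH-protoversion-softwareversion comments") and the host-key fingerprint you see on the LAN address with what answers on the public address. If the public address shows a different banner and the same fingerprint as the router's own LAN address, the router answered, not the server behind it. This is an added example, not code from the thread; the banners and the base64 key blobs in it are constructed placeholders, not real keys, and `read_banner` is the only part that touches the network.

```python
"""Added example: which SSH server did the public address actually reach?
Banners and key blobs below are constructed stand-ins, not real host keys."""
import base64
import hashlib
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments"
BANNER_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<software>\S+)(?: (?P<comment>.*))?$")


def parse_ssh_banner(line):
    """Split an identification string into protocol, software and comment."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % line)
    return {"proto": m.group("proto"), "software": m.group("software"),
            "comment": m.group("comment") or ""}


def read_banner(host, port=22, timeout=5.0):
    """Connect and return the first line the server sends (needs network access).
    Servers send their identification string before the client sends anything."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        data = b""
        while b"\n" not in data and len(data) < 255:
            chunk = s.recv(64)
            if not chunk:
                break
            data += chunk
    return data.split(b"\n")[0].decode("ascii", "replace").rstrip("\r")


def md5_fingerprint(known_hosts_line):
    """MD5 fingerprint in the aa:bb:cc form OpenSSH 5.x prints, from a known_hosts entry."""
    fields = known_hosts_line.split()
    if len(fields) < 3:
        raise ValueError("expected '<host> <keytype> <base64 blob> [comment]'")
    digest = hashlib.md5(base64.b64decode(fields[2])).hexdigest()
    return ":".join(digest[i:i + 2] for i in range(0, 32, 2))


def diagnose(lan_banner, lan_fp, wan_banner, wan_fp, router_fp=None):
    """Say what the WAN connection reached, given what was observed on the LAN."""
    lan = parse_ssh_banner(lan_banner)
    wan = parse_ssh_banner(wan_banner)
    if wan_fp == lan_fp and wan["software"] == lan["software"]:
        return "same server on LAN and WAN"
    if router_fp is not None and wan_fp == router_fp:
        return "WAN address answered by the router's own SSH daemon (no working port forward)"
    return "WAN address reached a different server (%s vs %s)" % (wan["software"], lan["software"])


# Constructed sample data (not real keys): the server behind NAT and the router itself.
SERVER_KEY = "192.168.2.5 ssh-rsa " + base64.b64encode(b"constructed-server-key-blob").decode()
ROUTER_KEY = "192.168.2.1 ssh-rsa " + base64.b64encode(b"constructed-router-key-blob").decode()
SERVER_BANNER = "SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1"   # constructed
ROUTER_BANNER = "SSH-2.0-dropbear_0.46"                    # constructed

if __name__ == "__main__":
    print(diagnose(SERVER_BANNER, md5_fingerprint(SERVER_KEY),
                   ROUTER_BANNER, md5_fingerprint(ROUTER_KEY),
                   router_fp=md5_fingerprint(ROUTER_KEY)))
```

In practice you would feed `diagnose` the lines `ssh -v` prints ("remote software version ...", "RSA key fingerprint is ...") from three connections: server via LAN, router via LAN, and the public address from a host outside the LAN, since many consumer routers do not hairpin a forwarded port back to the inside.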

On 04/03/2010 10:06 AM, K Boyd wrote:
>
> Thanks for reply , no change though :
>
>
> Code:
> --------------------
> PermitRootLogin no
> #RSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile .ssh/authorized_keys
> PasswordAuthentication yes
>
> --------------------

Should be OK.

There’s something here:
<snip>
> debug1: Connecting to XX.XX.XX.XX [XX.XX.XX.XX] port 22.
> debug1: Connection established.
> debug2: key_type_from_name: unknown key type '-----BEGIN'
> debug2: key_type_from_name: unknown key type '-----END'

That looks like what for example NXClient uses in its keys. Basic ssh keys don’t have those “BEGIN” and “END”.

Are you running also NX?

Anyways, I don’t know why LAN works and not WAN but if you get in over
LAN, do the following:

Remove all keys, host and client.

Make new keys on client like this:

ssh-keygen -t rsa -b 2048 -f ~/.ssh/id_rsa

Then put it on the server:

cat ~/.ssh/id_rsa.pub | ssh your.example.com 'cat - >> ~/.ssh/authorized_keys'

Everything in one line. your.example.com = your server’s IP address.

This is how I always do it and it always works.
If it doesn’t work now, it’s beyond me.

Vahis

http://waxborg.servepics.com
openSUSE 11.2 (x86_64) 2.6.31.12-0.2-default
10:26am up 8 days 13:44, 14 users, load average: 0.18, 0.20, 0.23
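The `cat ... >> authorized_keys` step above works when the appended line really is a one-line OpenSSH public key and the file ends up with the modes sshd's StrictModes expects. The two usual ways it goes wrong are pasting a PEM `-----BEGIN ...` block (a private key, or a key in a different wrapper) instead of `id_rsa.pub`, and leaving `~/.ssh` or `authorized_keys` group- or world-writable, after which sshd silently ignores the file. The installer below is an added example, not code from the thread or from openSUSE: it validates the line, deduplicates, and fixes the modes. The key blob used in `demo()` is constructed and is not a real key.

```python
"""Added example: install a public key into authorized_keys the careful way.
The sample key blob is constructed (correct framing, no real key material)."""
import base64
import os
import stat
import tempfile

# Key types an authorized_keys line may start with (ed25519/ecdsa are newer than OpenSSH 5.1).
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519",
             "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")


def validate_pubkey_line(line):
    """Return the stripped 'type base64 [comment]' line, or raise ValueError."""
    text = line.strip()
    if text.startswith("-----BEGIN"):
        raise ValueError("PEM block (private key or PEM-wrapped key), not an authorized_keys line")
    fields = text.split(None, 2)
    if len(fields) < 2 or fields[0] not in KEY_TYPES:
        raise ValueError("expected '<keytype> <base64> [comment]'")
    try:
        blob = base64.b64decode(fields[1], validate=True)
    except Exception:
        raise ValueError("key material is not valid base64")
    # The wire format starts with a length-prefixed string naming the key type;
    # it must agree with the declared type in the first field.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n].decode("ascii", "replace") != fields[0]:
        raise ValueError("key type inside the blob does not match the declared type")
    return text


def install_authorized_key(pubkey_line, ssh_dir):
    """Append the key if it is not already present, enforce 0700/0600 modes.
    Returns True if the key was added, False if it was already there."""
    line = validate_pubkey_line(pubkey_line)
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)
    path = os.path.join(ssh_dir, "authorized_keys")
    existing = []
    if os.path.exists(path):
        with open(path) as f:
            existing = [l.strip() for l in f if l.strip() and not l.startswith("#")]
    key_id = line.split(None, 2)[:2]          # compare type + blob, ignore the comment
    added = False
    if not any(e.split(None, 2)[:2] == key_id for e in existing):
        with open(path, "a") as f:
            f.write(line + "\n")
        added = True
    os.chmod(path, 0o600)
    return added


def demo():
    """Run the installer in a throw-away directory; returns what happened."""
    blob = b"\x00\x00\x00\x07ssh-rsa" + b"constructed-not-a-real-key"   # constructed framing
    pub = "ssh-rsa " + base64.b64encode(blob).decode() + " slack@mint"
    root = tempfile.mkdtemp()
    ssh_dir = os.path.join(root, ".ssh")
    first = install_authorized_key(pub, ssh_dir)
    second = install_authorized_key(pub + " (same key, new comment)".replace(" (", "-"), ssh_dir)
    try:
        install_authorized_key("-----BEGIN RSA PRIVATE KEY-----", ssh_dir)
        rejected_pem = False
    except ValueError:
        rejected_pem = True
    dir_mode = stat.S_IMODE(os.stat(ssh_dir).st_mode)
    file_mode = stat.S_IMODE(os.stat(os.path.join(ssh_dir, "authorized_keys")).st_mode)
    return {"first": first, "second": second, "rejected_pem": rejected_pem,
            "dir_mode": dir_mode, "file_mode": file_mode}


if __name__ == "__main__":
    print(demo())
```

The mode fix matters because `cat >>` creates the file with the umask's default, often 0644, which sshd tolerates, but a `~/.ssh` created by hand as 0775 is enough for StrictModes to refuse every key in it without any message on the client side.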

ken_yap , thank you for your reply ,
yes I see your point with dropbear , but if that is the case why am I being asked for mick@publicIP (Host box) password ?
And why is it not being accepted ?

I had this working using my external IP at home on my pc.
Could it be a router/firmware problem ?
The router here is a Belkin , the router at home a netgear.

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/slack/.ssh/id_rsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
***mick@xx.XX.XX.XX's password***: 
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.

The Belkin router login is not mick , ports are forwarded ok , I’ve tested at GRC & Canyouseeme.org.

I’ve been looking in the /var/log on the hostbox & I’ve found this:

linux-s1s2:~ # grep -ir ssh /var/log/warn
Apr  1 08:40:50 linux-s1s2 sshd[901]: error: PAM: User not known to the underlying authentication module for illegal user slack from 192.168.2.14
***Apr  2 08:43:14 linux-s1s2 sshd[25222]: error: Bind to port 57427 on XX.XX.XX.XX failed: Cannot assign requested address***.
Apr  2 08:43:14 linux-s1s2 sshd[25222]: fatal: Cannot bind any address.
linux-s1s2:~ #

However , the date of this log is from the testing I did yesterday , this mornings efforts have not been logged.

Do you know how I can specify a logfile for sshd somehow so I can keep on digging ?

I’ll be changing the port no. once I can get everything working
properly , thanks again for your help

mick
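The lines pulled out of /var/log/warn above are the two things worth triaging in an sshd log: authentication failures (here, a PAM "illegal user" line naming the user and source address) and a daemon that could not bind its listen address, which is what happens when ListenAddress names the public IP on a box that only holds the private one. The parser below is an added example, not something from the thread; it runs over constructed sample lines modelled on the ones posted (with a documentation address standing in for XX.XX.XX.XX) and adds the standard OpenSSH "Failed password for" form, which the thread does not show.

```python
"""Added example: triage sshd lines from a syslog-style file such as /var/log/warn.
SAMPLE_LINES are constructed, modelled on the lines quoted in the thread."""
import re
from collections import Counter

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")
ILLEGAL_USER_RE = re.compile(r"illegal user (?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)")
FAILED_PW_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)")
BIND_RE = re.compile(r"Bind to port (?P<port>\d+) on (?P<addr>\S+) failed: (?P<why>.*?)\.?$")


def parse_sshd_line(line):
    """Return a dict for an sshd line (kind + extracted fields), or None for other lines."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    msg = rec["msg"]
    b = BIND_RE.search(msg)
    u = ILLEGAL_USER_RE.search(msg)
    f = FAILED_PW_RE.search(msg)
    if b:
        rec["kind"] = "bind_failure"
        rec.update(b.groupdict())
    elif u:
        rec["kind"] = "unknown_user"
        rec.update(u.groupdict())
    elif f:
        rec["kind"] = "failed_password"
        rec.update(f.groupdict())
    else:
        rec["kind"] = "other"
    return rec


def triage(lines):
    """Group login failures by (source ip, user) and list addresses sshd failed to bind."""
    records = [r for r in (parse_sshd_line(l) for l in lines) if r]
    failures = Counter((r["ip"], r["user"]) for r in records
                       if r["kind"] in ("unknown_user", "failed_password"))
    bind_errors = [(r["addr"], r["port"], r["why"]) for r in records
                   if r["kind"] == "bind_failure"]
    return {"parsed": len(records), "failures": failures, "bind_errors": bind_errors}


# Constructed sample input; 203.0.113.5 stands in for the redacted public address.
SAMPLE_LINES = [
    "Apr  1 08:40:50 linux-s1s2 sshd[901]: error: PAM: User not known to the underlying "
    "authentication module for illegal user slack from 192.168.2.14",
    "Apr  2 08:43:14 linux-s1s2 sshd[25222]: error: Bind to port 57427 on 203.0.113.5 "
    "failed: Cannot assign requested address.",
    "Apr  2 08:43:14 linux-s1s2 sshd[25222]: fatal: Cannot bind any address.",
    "Apr  3 09:12:01 linux-s1s2 sshd[31007]: Failed password for mick from 192.168.2.14 port 51022 ssh2",
    "Apr  3 09:12:05 linux-s1s2 kernel: constructed non-sshd line, ignored",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LINES)
    for (ip, user), n in result["failures"].most_common():
        print("%-16s %-10s %d failure(s)" % (ip, user, n))
    for addr, port, why in result["bind_errors"]:
        print("sshd could not bind %s:%s (%s)" % (addr, port, why))
```

A bind failure on the public address is a configuration error, not an attack, but it means that sshd instance never came up; a burst of failed-password entries from one address is the pattern the port-change advice earlier in the thread is meant to reduce.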

@ Vahis , thanks for your help

@ ken_yap , yes , you are right , it’s the router:

mick@linux-s1s2:~/.ssh> ssh 192.168.2.1
The authenticity of host '192.168.2.1 (192.168.2.1)' can't be established.
RSA key fingerprint is a9:8c:28:9c:41:d3:c6:51:3a:cc:89:e3:4a:81:40:f1.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.2.1' (RSA) to the list of known hosts.
mick@192.168.2.1's password:
Permission denied, please try again.
mick@192.168.2.1's password:
Permission denied, please try again.
mick@192.168.2.1's password:
Permission denied (publickey,password).

I’ll add the pubkeys from my home pc & keep my fingers crossed for when I get home.

Many thanks & a Happy Easter

Mick