LinuxQuestions.org
Go Job Hunting at the LQ Job Marketplace
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Networking
User Name
Password
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Notices

Reply
 
Search this Thread
Old 07-30-2007, 01:47 PM   #1
honesthank
LQ Newbie
 
Registered: Jul 2007
Posts: 3

Rep: Reputation: 0
Post Linux networking help needed: cannot SSH to another box


Hi guys,

I'm not a linux guru by any means, so please excuse my novice terminology.

Here is a rundown of some servers i have at my disposal:

NEC1 - 10.10.10.100
NEC2 - 10.10.10.101
Dell - 10.10.10.102
DB - 10.10.10.22
FYI, 10.10.10.x is a private network with no DHCP (all IPs are statically assigned).

NEC1, NEC2, and Dell are fresh installs of RedHat EL4 ES Update4. When I installed NEC1, it was sitting on another DHCP-enabled LAN (10.1.127.x). After RH was installed, I was able to SSH, SCP, and ping to and from other servers without any issues. Then I brought NEC1 over to the private LAN (10.10.10.x). I changed my "/etc/sysconfig/network-scripts/ifcfg-eth0" file from:

DEVICE=eth0
BOOTPROTO=dhcp
HWADDR=xx:xx:xx:xx:xx:xx
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes

to

DEVICE=eth0
BOOTPROTO=none
BROADCAST=10.10.10.255
HWADDR=xx:xx:xx:xx:xx:xx
IPADDR=10.10.10.101
NETMASK=255.255.255.0
NETWORK=10.10.10.0
ONBOOT=yes
TYPE=Ethernet
USERCTL=no
IPV6INIT=no
PEERDNS=yes

I used the "/etc/sysconfig/network-scripts/ifcfg-eth0" file from the DB server as a template. The DB server has been up on the network for a while, and I have not had any difficulties with it before. Thus, I assume its good and used its ifc-cfg-eth0 file for a template.

After I changed the ifcfg-eth0 file from NEC1, I did a "service network restart". NEC1 can ping DB, and DB can ping NEC1. NEC1 cannot SSH to DB, but DB can SSH into NEC1. After a long delay, the following is the error msg I get when I try to SSH from NEC1 to DB:

ssh_exchange_identification: read: Connection reset by peer

When I installed RH, I disabled the firewall. I still checked to see if it was up, by running "service iptables status". It returms "Firewall is stopped".

I googled the error msg, but I wasn't able to make much of it. I thought maybe I screwed up something with the networking, so I brought up NEC2. I installed RH on that box, and it never touched the 10.1.127.x network. As soon as the OS was installed, I stuck a static IP on him, but it everything was exactly the same as NEC1.

Then I remembered that I had installed RH EL4 ES Update4 on the Dell server the day before. This server was installed on the DHCP-enabled 10.1.127.x network. Everything has been working normally. I changed him over to the 10.10.10.x network. I had expected it to also have problems SSH'ing to other server, but I was wrong. The Dell server actually worked fine. Apparently, there is something different between Dell and NEC1/NEC2, but I just don't know what it is.

So to summarize, here is what's going on:

1. NEC1, NEC2, and Dell all have a fresh install of RH EL4 ES Update4
2. All three servers have statically assigned IPs on a private network
3. NEC1 and NEC2 have network connectivity, but they cannot SSH to other servers. Dell works fine.

I'm trying to figure out why NEC1/NEC2 cannot SSH out. I'm pretty much stumped. Has anyone ever encountered an issue like this before? Can someone give me some suggestions on how I should proceed here? Thanx fellas
 
Old 07-31-2007, 01:55 PM   #2
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
Check the contents and permissions of the .ssh/ directory in your home directory on NEC1 and NEC2 against that on your Dell. If I've read your post correctly then you have already proved that the SSH server is OK, and that the network connectivity between clients and server is fine (with ping tests).
 
Old 07-31-2007, 02:08 PM   #3
honesthank
LQ Newbie
 
Registered: Jul 2007
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by hob
Check the contents and permissions of the .ssh/ directory in your home directory on NEC1 and NEC2 against that on your Dell. If I've read your post correctly then you have already proved that the SSH server is OK, and that the network connectivity between clients and server is fine (with ping tests).
hello hob,

thanx for the suggestions. i just checked the permissions of the .ssh dir between NEC1/NEC2 and Dell, and everything looks pretty much the same.

here is something kind of strange. someone suggested to me that i check "/etc/ssh_config" and only enabled protocol 2. i did this and it did not have any affect on my troubles. afterwards, i reverted my ssh_config file back to default settings.

however, if i go to any server that NEC1/NEC2 could not ssh to (ie - DB) and edit "/etc/sshd_config" to only use protocol 2, then i am able to ssh in from NEC/NEC2. this is really strange to me, becuz i dont understand how this is a server side issue. but... it works, so i am mixed between joy and befuddlement.

basically, here are the steps that i took:

1. in any server that i am failing to ssh into (from NEC1/NEC2), edit "/etc/sshd_config" to only use protocol 2
2. restart sshd

something else that i dont understand... if i leave "/etc/sshd_config" as default on the server side, if i want to force protocol 2 from the client side, i should be able to do so with "ssh -2 10.10.10.22" (ssh to DB). but when i run this command, it still fails (same problem as in the original post). so right now, the only way i know how to get around this issue is to only enable protocol 2 support on the server side. does this sound normal?
 
Old 07-31-2007, 03:48 PM   #4
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
No, it sounds like the SSH server is running an old version of SSH. Version 2 of the SSH protocol has been the standard and default with OpenSSH clients and servers for several years now. Version 1 of the SSH protocol had known security weaknesses, and is very much deprecated.
 
Old 07-31-2007, 04:20 PM   #5
honesthank
LQ Newbie
 
Registered: Jul 2007
Posts: 3

Original Poster
Rep: Reputation: 0
Quote:
Originally Posted by hob
No, it sounds like the SSH server is running an old version of SSH. Version 2 of the SSH protocol has been the standard and default with OpenSSH clients and servers for several years now. Version 1 of the SSH protocol had known security weaknesses, and is very much deprecated.

i just verified on all servers mentioned in this thread (NEC1, NEC2, Dell, and DB) are running the same version of OpenSSH. when i run "ssh -V", it returns the following:
"OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003"


my default /etc/ssh/sshd_config file lookse like this:
# $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM no
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#ShowPatchLevel no

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server


so be default, both verion 1 and 2 of the ssh protocol are enabled, correct?
 
Old 08-01-2007, 01:43 PM   #6
hob
Senior Member
 
Registered: Mar 2004
Location: Wales, UK
Distribution: Debian, Ubuntu
Posts: 1,075

Rep: Reputation: 45
Quote:
Originally Posted by honesthank
so be default, both verion 1 and 2 of the ssh protocol are enabled, correct?
Yes.

If you haven't already, try using the "-vvv" option with the ssh client. This lets you see every stage of the SSH login process, which may make it clear at which point the logins fail.
 
Old 08-03-2007, 03:18 AM   #7
tajamari
Member
 
Registered: Jul 2007
Distribution: Red Hat CentOS Ubuntu FreeBSD OpenSuSe
Posts: 252

Rep: Reputation: 30
What was the error you encountered? To check if it remote server accepts it. try this steps
1. do the ssh connection from the client side
2. on the remote ssh server, do tcpdump, check if there are packets traversing on port 22.
 
Old 08-03-2007, 03:19 AM   #8
tajamari
Member
 
Registered: Jul 2007
Distribution: Red Hat CentOS Ubuntu FreeBSD OpenSuSe
Posts: 252

Rep: Reputation: 30
oh by the way, flush first the firewall it may have a default firewall. iptables -F to flush.
 
Old 08-03-2007, 12:38 PM   #9
sandgroper
Member
 
Registered: Jul 2004
Location: Perth , Western Australia
Distribution: Fedora Core 5 , Mint 9
Posts: 118

Rep: Reputation: 15
Have you set a gateway for NEC1 ?

It doesn't look like it going by what you have posted in /etc/sysconfig/networking/devices/ifcg-eth0.

Also have you checked hosts.allow and hosts.deny for the appropiate entries for NEC1

 
Old 09-14-2007, 05:11 AM   #10
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE 13.1 / 12.3_64-KDE, Ubuntu 14.04, Fedora 20, Mint 17, Chakra
Posts: 3,642

Rep: Reputation: Disabled
Off Topic

I apologize for (temporarily) highjacking your thread, honesthank, but I just can't reach some information.

Hi sandgroper.

Your link http://203.59.24.225/~steveray/linux/kpppconfig.txt

from your post http://www.linuxquestions.org/questi...16&postcount=9 seems dead. Is your HowTo still available?

I need it for this: http://www.linuxquestions.org/questi...40#post2891540

Last edited by JZL240I-U; 09-14-2007 at 05:14 AM.
 
Old 09-14-2007, 05:29 AM   #11
sandgroper
Member
 
Registered: Jul 2004
Location: Perth , Western Australia
Distribution: Fedora Core 5 , Mint 9
Posts: 118

Rep: Reputation: 15
Quote:
Originally Posted by JZL240I-U View Post
I apologize for (temporarily) highjacking your thread, honesthank, but I just can't reach some information.

Hi sandgroper.

Your link http://203.59.24.225/~steveray/linux/kpppconfig.txt

from your post http://www.linuxquestions.org/questi...16&postcount=9 seems dead. Is your HowTo still available?

I need it for this: http://www.linuxquestions.org/questi...40#post2891540

Hi JZL240I-U
Yes my Howto is still available , that is a fairly old link using a IP address and my ISP have moved/reorganised their servers around.

Try this link.

http://members.iinet.net.au/~stevera...kpppconfig.txt
 
Old 09-14-2007, 05:39 AM   #12
JZL240I-U
Senior Member
 
Registered: Apr 2003
Location: Germany
Distribution: openSuSE 13.1 / 12.3_64-KDE, Ubuntu 14.04, Fedora 20, Mint 17, Chakra
Posts: 3,642

Rep: Reputation: Disabled
Thank you for the fast response. Link works and content already printed. Stupid mode sadly not mentioned either, though .

Thanks everybody for your patience during my intrusion.
 
  


Reply

Tags
protocol, ssh, sshconfig


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Networking one Linux and one XP box kaiwhoeatspie Linux - Networking 4 07-31-2007 07:22 AM
Understanding SSH (Sun box to Linux box) oswald21 Linux - Newbie 2 07-08-2006 02:06 PM
Networking an iBook and a linux box linmith Linux - Networking 2 07-29-2005 02:20 PM
I need help networking a linux box to a win98 box... philfighter Linux - Networking 0 11-13-2001 09:49 PM


All times are GMT -5. The time now is 11:23 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration