LinuxQuestions.org
Old 02-03-2012, 05:40 AM   #1
wtb
LQ Newbie
 
Registered: Sep 2009
Posts: 10

ssh connection and sftp transfer impossible


Hi,


I'm trying to establish a connection between my server and another with but it doesn't work.

I began to create 2 RSA keys and I sent the public key to the other server which installed it in his authorized_keys.

81.200.xxx.xxx is the IP of the distant server.

My problems are :

1) I don't know why but I can't ping the other server nor even ssh on it

Code:
[myUser@myServer ~]$ ping 81.200.xxx.xxx
PING 81.200.xxx.xxx (81.200.xxx.xxx) 56(84) bytes of data.

--- 81.200.xxx.xxx ping statistics ---
427 packets transmitted, 0 received, 100% packet loss, time 425991ms

Code:
[myUser@myServer ~]$ ssh user@81.200.xxx.xxx
ssh: connect to host 81.200.xxx.xxx port 22: Connection timed out

I'm under a proxy/Firewall, perhaps I don't have the right to connect directly, I must check that.


2) BUT, when I try to ssh on the other server adding the IP address of my proxy and with some verbose I have this result :

Code:
[myUser@myServer ~]$ ssh -v -o "ProxyCommand /usr/bin/nc -x ip_of_my_proxy:1080 %h 22" user@81.200.xxx.xxx
[...]

OpenSSH_4.3p2, OpenSSL 0.9.8e-fips-rhel5 01 Jul 2008
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Executing proxy command: exec /usr/bin/nc -x ip_of_my_proxy:1080 81.200.xxx.xxx 22
debug1: identity file /local/info/data/myuser/.ssh/identity type -1
debug1: identity file /local/info/data/myuser/.ssh/id_rsa type 1
debug1: identity file /local/info/data/myuser/.ssh/id_dsa type -1
debug1: loaded 3 keys
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.6
debug1: match: OpenSSH_5.6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.3
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '81.200.xxx.xxx' is known and matches the RSA host key.
debug1: Found key in /local/info/data/myuser/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
Sie sind auf dem COM Server "distantServer" der Produktion Umgebung angemeldet.
Authorized access only. All actions will be logged.

(Here the connection is established, are you ok?)

debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /local/info/data/myuser/.ssh/identity
debug1: Offering public key: /local/info/data/myuser/.ssh/id_rsa
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Trying private key: /local/info/data/myuser/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,keyboard-interactive).

But at the end the permission is denied. In my hand I have the good rights on my .ssh directory and all appears to be ok.

Code:
0700 .ssh
0600 id_rsa
0644 id_rsa.pub and known_hosts

The fingerprints of the keys are the same for me and the other server and I guess that his ssh configuration is good too.

Do you have ideas of what could be the problem ?

(sorry for my bad english)


Thanks.
 
Old 02-03-2012, 11:00 AM   #2
suicidaleggroll
Member
 
Registered: Nov 2010
Location: Colorado
Distribution: OpenSUSE, Fedora, RHEL
Posts: 505

First off, you should skip using keys until you can establish a connection using the password. Keys will do nothing but complicate matters at this stage. Once you are able to connect in both directions using password authentication, then you can look into using keys.

How are both networks set up? Are they behind firewalls? If so how are the firewalls configured? If they're on private subnets, do you have forwarding set up for port 22?
 
Old 02-08-2012, 12:26 PM   #3
wtb
LQ Newbie
 
Registered: Sep 2009
Posts: 10

Original Poster
I have asked the partner for a temporary password to access the host without using key authentication; I will do the test soon and tell you.

Both servers are behind firewalls and the firewall of the distant server has already authorized my outgoing IP address. That's why I can enter the server (but I am rejected at the key authentication). You can see it in the logs.

Normally, I should be able to do ONLY SFTP transfers with their server (and not basic SSH connection), sending and getting files.

The partner sent me the log on my demand, do you see any issue?

acc is the user they created on their server and that I use to connect to it (see my first post)

Code:
# grep acc /etc/group
sftponly:x:8144:acc

# grep acc /etc/passwd
acc:x:2254:8155:technischer user fuer eLOK:/home/partnerhome/acc:/bin/false

# Rights on directories
drwxr-sr-x  6 root partner 4096 Dec 12 16:43 acc
drwxr-sr-x  2 root partner 4096 Dec 20 17:27 dev
drwxrwsr-x  2 acc  loyalty 4096 Feb  8 13:26 in
-rw-r--r--  1 acc     2254   33 Dec 12 16:20 .bash_logout
drwxrwsr-x  2 acc  loyalty 4096 Dec 12 16:42 out
drwxr-sr-x  2 root partner 4096 Feb  7 17:15 .ssh
-rw-r--r--  1 root partner  406 Feb  7 17:15 authorized_keys

# cat /etc/syslog-ng/syslog-ng.conf|grep acc/dev
unix-stream("/home/partnerhome/acc/dev/log");

# grep DenyUsers /etc/ssh/sshd_config
DenyUsers acc

There are things that appear strange to me:

- The group number of the acc user is not the same as the number of the sftponly group (but probably no impact)
- The .ssh directory is not in the user home and the rights on it are not good
AND
- They keep me from doing SSH on their server with the DenyUsers directive in the sshd_config. But can you confirm whether the SFTP command uses the SSH protocol or not?


Thank you!
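
Added example, not part of the original posts: SFTP runs as a subsystem inside an authenticated SSH session, so sshd's user access lists apply to it as well. This Python sketch evaluates the `DenyUsers` line and the owner/mode values from the listing above against sshd's documented rules; the config excerpt, the function names and the handling of USER@HOST patterns are assumptions.

```python
import re

# Constructed excerpt: only the "DenyUsers acc" line is taken from the thread.
SSHD_CONFIG = """\
Subsystem sftp internal-sftp
DenyUsers acc
"""
LISTS = ("denyusers", "allowusers", "denygroups", "allowgroups")

def _to_regex(pattern):
    # sshd patterns use only '*' and '?' as wildcards; '!' negation is not handled here.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(body + r"\Z")

def parse_access_lists(config_text):
    """Collect the four access lists from the global section (stops at the first Match)."""
    acl = {name: [] for name in LISTS}
    for line in config_text.splitlines():
        words = line.split("#", 1)[0].split()
        if not words:
            continue
        keyword = words[0].lower()          # keywords are case-insensitive
        if keyword == "match":
            break
        if keyword in acl:
            acl[keyword].extend(words[1:])  # repeated directives accumulate
    return acl

def login_allowed(config_text, user, groups):
    """Apply the lists in sshd's documented order; returns (allowed, deciding_directive)."""
    acl = parse_access_lists(config_text)
    def hit(patterns, names):
        # Assumption: the @HOST part of USER@HOST patterns is ignored.
        return any(_to_regex(p.split("@", 1)[0]).match(n) for p in patterns for n in names)
    if hit(acl["denyusers"], [user]):
        return False, "DenyUsers"
    if acl["allowusers"] and not hit(acl["allowusers"], [user]):
        return False, "AllowUsers"
    if hit(acl["denygroups"], groups):
        return False, "DenyGroups"
    if acl["allowgroups"] and not hit(acl["allowgroups"], groups):
        return False, "AllowGroups"
    return True, None

def strictmodes_ok(ls_mode, owner, user):
    """StrictModes rule for home, .ssh and authorized_keys: owned by the user or root,
    and not writable by group or others (ls_mode is the ten-character ls -l string)."""
    return owner in (user, "root") and ls_mode[5] != "w" and ls_mode[8] != "w"

if __name__ == "__main__":
    print(login_allowed(SSHD_CONFIG, "acc", ["sftponly"]))   # SFTP needs this login too
    print(strictmodes_ok("-rw-r--r--", "root", "acc"))       # authorized_keys from the listing
```

With the values from the listing, the `DenyUsers` entry is what refuses the login, while the root-owned `.ssh` and `authorized_keys` entries without group or other write permission satisfy the StrictModes rule.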
 
  


All times are GMT -5.