[SOLVED] SSH host keys authentication error (WAN) LAN works
You might have both installed. Check running processes, netstat etc to see what is running. You can also probe the port with netcat (or telnet) and check the output on the system itself:
nc localhost 22
If openSSH is running you will see something like:
SSH-2.0-OpenSSH_9.2p1
First, if it asks for password, it isn't a firewall issue, it is getting there.
cop
How do you "switch key"? Just use -i to reference the private key. On the client, cd to .ssh, ssh -i krazy.rsa HOST. Or copy the private key to id_rsa.
On the ssh server itself, "ssh krazy@localhost" and make sure that works. There are several local things that will make it fail silently (account lock, unapproved shell).
If that works, try from a remote host.
Check in the auth log, /var/log/auth.log or /var/log/secure.
Last edited by elgrandeperro; 07-25-2023 at 08:16 AM.
On the ssh server itself, "ssh krazy@localhost" and make sure that works. There are several local things that will make it fail silently (account lock, unapproved shell).
If that works, try from a remote host.
Check in the auth log, /var/log/auth.log or /var/log/secure.
Not home to try it ATM. But considering it works from within the LAN (192.168.2.x), I can assure you localhost will work. Will try when I get home.
You might have both installed. Check running processes, netstat etc to see what is running. You can also probe the port with netcat (or telnet) and check the output on the system itself:
nc localhost 22
If openSSH is running you will see something like:
SSH-2.0-OpenSSH_9.2p1
Do the same thing using your public IP address.
Doing this (nc localhost 22), and the same for my external IP, displays the same thing: SSH-2.0-OpenSSH_9.3
On the ssh server itself, "ssh krazy@localhost" and make sure that works. There are several local things that will make it fail silently (account lock, unapproved shell).
If that works, try from a remote host.
Check in the auth log, /var/log/auth.log or /var/log/secure.
This worked on the machine itself, but when I tried using my cell, not on Wi-Fi, I go into a password failure loop even though it is correct. The /var/log/secure only shows this for sshd:
Quote:
gkr-pam unable to locate daemon control file
gkr-pam stashed password to try later in open session
pam_unix(sshd:session): session opened for user krazy(uid=1000) by krazy
Doesn't look like the external connection is even hitting the server.
Last edited by KrazyKanuk; 07-25-2023 at 05:51 PM.
krazy@krazy:~$ nmap xx.xx.xx.xx
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-25 18:49 EDT
Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
Nmap done: 1 IP address (0 hosts up) scanned in 3.01 seconds
krazy@krazy:~$ nmap -Pn xx.xx.xx.xx
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-25 18:50 EDT
Nmap scan report for bras-base-stcton1066w-grc-04-xx-xx-xx-xx.dsl.bell.ca (xx.xx.xx.xx)
Host is up (0.017s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp closed ssh
2222/tcp closed EtherNetIP-1
Nmap done: 1 IP address (1 host up) scanned in 4.25 seconds
It shows ports 22 and 2222 as closed even though I have port forwarded those 2 ports to 192.168.2.25 (IP address of the Slackware box). If they are showing as closed, would setting it as a DMZ fix this? Or is it something on the ISP end, if I have already set a port forward for the 2 ports?
I think I am trying to perform an impossible task. Put the IP address in DMZ on the modem/router, checked https://www.infobyip.com/sshservertest.php on port 22: no go, says cannot connect. Changed to an irregular port, same thing. Went and got a dyndns address, same thing on normal and irregular port. Think it is a done deal unless there is some other way to do it other than changing my ISP, for I see that may be my only option to get this up and working. Thank you everyone for all your help, it is greatly appreciated.
Your ISP may be blocking those ports but the typical ones are SMB/CIFS, 80 and 25. They should have a list posted somewhere.
You might be configuring port forwarding wrong. Make sure the from/to ports are the same as well as selecting TCP.
Usually ssh works with hair-pinning, i.e. connecting from within your network using the public IP address, with most routers, so using your phone may not be required for testing. Just depends on how it is configured.
dyndns just assigns a fixed URL to your dynamic IP address using client software that updates their servers. It won't help if ssh does not work anyway.
Check your /etc/hosts.allow, /etc/hosts.deny and /etc/ssh/sshd_config files for anything that might limit ssh to listening only to your LAN. Does your sshd_config file have a specific ListenAddress or Match directive to limit connections?
Use ss or netstat to check too for listening addresses on your server.
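The listening-address check suggested in the last reply, as an added example that is not part of the original thread. The function names are hypothetical and the ss output is constructed sample data; 192.168.2.25 is the port-forward target mentioned earlier in the thread.

```shell
#!/bin/sh
# Added example: names and sample data below are constructed for illustration.

# Print each ListenAddress value from an sshd_config on stdin.
# Keywords are case-insensitive; commented-out lines do not match.
listen_addresses() {
    awk 'tolower($1) == "listenaddress" { print $2 }'
}

# Print the local addresses LISTENing on port $1 in `ss -tln` output on stdin.
bound_addresses() {
    awk -v port="$1" '$1 == "LISTEN" {
        n = split($4, parts, ":")
        if (parts[n] == port) { sub(":" port "$", "", $4); print $4 }
    }'
}

# Classify one bound address: any (all interfaces), loopback, or specific.
classify() {
    case "$1" in
        0.0.0.0|'[::]'|'*') echo any ;;
        127.*|'[::1]') echo loopback ;;
        *) echo specific ;;
    esac
}

# ok if sshd on port $1 listens on all interfaces or on $2, the LAN address
# the router forwards to; blocked otherwise. Reads `ss -tln` output on stdin.
forward_target_ok() {
    bound_addresses "$1" | {
        result=blocked
        while read -r addr; do
            if [ "$(classify "$addr")" = any ] || [ "$addr" = "$2" ]; then
                result=ok
            fi
        done
        echo "$result"
    }
}

# Constructed samples: a server bound to loopback only, and one bound to everything.
SS_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:22       0.0.0.0:*'
SS_WILDCARD='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      128    [::]:22            [::]:*'

printf '%s\n' "$SS_LOOPBACK" | forward_target_ok 22 192.168.2.25   # blocked
printf '%s\n' "$SS_WILDCARD" | forward_target_ok 22 192.168.2.25   # ok
```

On the server itself, feed it live data with `ss -tln | forward_target_ok 22 192.168.2.25` and `listen_addresses < /etc/ssh/sshd_config`.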