LinuxQuestions.org
Linux - Security: This forum is for all security-related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Old 10-01-2001, 09:22 AM   #1
Yaukuai
can only connect with ssh to localhost


Hi..

I've just installed RH7.0 and OpenSSH, which is included in the
distro.

Currently I'm trying to use the ssh2 protocol.
Configuration files such as:

$HOME/.ssh/id_dsa
$HOME/.ssh/id_dsa.pub
$HOME/.ssh/authorized_keys2

are already set correctly,
and my Linux box's IP is set to 192.168.0.1.

If I try to connect with ssh to localhost (127.0.0.1), sshd and
ssh work just fine.
I entered the passphrase and the ssh connection was established.

But if I try to connect with ssh to the same host using an IP alias
(such as 192.168.0.1), ssh shows this error message:

The authenticity of host '192.168.0.1' can't be established.
DSA key fingerprint is .....
Are you sure want to continue connecting ?...

and /var/log/messages shows this message:

sshd[981]: fatal: Read from socket failed: Connection reset by peer

How can I solve this problem?
Any help and suggestions are very much appreciated. Thanks..

Yau.
 
Old 10-03-2001, 06:19 AM   #2
unSpawn
Put it in /etc/hosts, I guess.
IIRC, 192.168.0.1 is in the IANA private range; traffic for 192.168.0.0/24 shouldn't leave your own net, shouldn't be routable on the 'net, and must be resolved locally.
 
Old 10-05-2001, 05:27 AM   #3
raz
Yes, first check your /etc/hosts file and make sure your box is in there.

Then check that the service hasn't just been started for localhost 127.0.0.1 only.

Type:
netstat -nat | grep ":22" | grep LISTEN

This should be listening on 0.0.0.0, not 127.0.0.1.

If this is correct, go to the /etc/ssh2 directory and look in the config file for incorrectly set options.

/Raz
 
Old 10-07-2001, 07:46 AM   #4
Yaukuai
Many thanks for your replies..

Recently I did the following..

* installed an ne2k-pci-compatible ethernet card and assigned it the IP
address 192.168.0.1

* installed the named server;
works OK, all domain names can be resolved.

* modified /etc/hosts like this:

127.0.0.1 eva
192.168.0.1 server

* ran this command:
netstat -nat | grep ":22" | grep LISTEN
the result is:
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN

* checked that everything is set right...
* ping to 192.168.0.1 gives a good result..
* ping to server gives a good result..
* ping and telnet from another computer (from 192.168.0.2)
give a good result..

AND I still have the same problem..
I can only connect to localhost with ssh..

I tried this command:
ssh server
The result gives the same error message..
I'm totally lost..

Below are my ssh and sshd configurations.
ssh configuration:
Host *
ForwardAgent no
ForwardX11 yes
FallBackToRsh no
DSAAuthentication yes
RSAAuthentication no
port 22
protocol 2

sshd configuration:
Port 22
Protocol 2
ListenAddress 0.0.0.0
HostKey /etc/ssh/ssh_host_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd yes
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsAuthentication no
RhostsRSAAuthentication no
RSAAuthentication no
DSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
CheckMail no
UseLogin no

Please help me solve this problem...
Thanks in advance..
Yau
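The two checks raz asked for and Yau ran (is sshd listening on 0.0.0.0 or only on 127.0.0.1, and does /etc/hosts carry the box's own name) can be turned into a small script so they are not misread. The following is an added example written for this thread, not code from the posters or from OpenSSH; it parses constructed `netstat -nat` output and a constructed /etc/hosts rather than running commands, so it runs offline. The hostname server.example.lan in the sample is hypothetical.

```python
import re

# Constructed sample of `netstat -nat` output (not captured from Yau's box):
# sshd on all interfaces, a mailer on loopback only, one established ssh session.
SAMPLE_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
tcp        0      0 192.168.0.1:22          192.168.0.2:1034        ESTABLISHED
"""

# Constructed /etc/hosts: the loopback line names "localhost" first,
# the LAN address carries the host's own name (server.example.lan is hypothetical).
SAMPLE_HOSTS = """\
127.0.0.1   localhost eva
192.168.0.1 server server.example.lan
"""

# Matches netstat's "tcp  recvq sendq local:port foreign:port STATE" layout.
LISTEN_RE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\b")


def listeners(netstat_text, port=22):
    """Local addresses on which some process is in LISTEN state on `port`."""
    found = []
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m and int(m.group(2)) == port:
            found.append(m.group(1))
    return found


def classify(addrs):
    """What a set of bound addresses means for a client elsewhere on the LAN."""
    if not addrs:
        return "not-listening"        # nothing bound: clients get 'connection refused'
    if any(a in ("0.0.0.0", "::") for a in addrs):
        return "all-interfaces"       # reachable on every address the host has
    if all(a.startswith("127.") or a == "::1" for a in addrs):
        return "loopback-only"        # only 'ssh localhost' can ever work
    return "specific-addresses"       # compare the list with the NIC's address


def hosts_lookup(hosts_text, name):
    """Resolve `name` the way the resolver reads /etc/hosts: first matching line wins."""
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[0]
    return None


def localhost_entry_ok(hosts_text):
    """True if the name 'localhost' resolves to 127.0.0.1 (aliases may follow it)."""
    return hosts_lookup(hosts_text, "localhost") == "127.0.0.1"


if __name__ == "__main__":
    bound = listeners(SAMPLE_NETSTAT)
    print("sshd bound to:", bound, "->", classify(bound))
    print("server ->", hosts_lookup(SAMPLE_HOSTS, "server"))
    print("localhost entry ok:", localhost_entry_ok(SAMPLE_HOSTS))
```

Feed it real output with `netstat -nat > /tmp/ns.txt` and `listeners(open("/tmp/ns.txt").read())`; a `loopback-only` or `not-listening` result explains a LAN client's failure on its own, while `all-interfaces` (the output Yau posted) means the listener is fine and the fault lies elsewhere.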
 
Old 10-08-2001, 03:07 AM   #5
unSpawn
AFAIK sshd needs to be bound to the external IP addy, not to "all" or "any"; at least it needed that with sshd-v1, dunno if sshd-v2 is strict like that, works for me anyway, both versions. Also your /etc/hosts localhost entry is IMO dead wrong, it's supposed to be "127.0.0.1 localhost (anotherAliasname)" not "127.0.0.1 (anotherAliasname)".
With the recent (not so grave) flaws, and as a standard rule, it's not good to allow root logins. Better log in as a user and sudo to root if really necessary, and I suggest you separate the log facility: use LOCAL(number), edit /etc/syslog.conf, add "LOCAL(number).* /var/log/sshd.log" and you've got an uncluttered error log for sshd only. Now try again to log in and post some errors from sshd.

Also check *if* you've got the right identity files exported for logging in, and *maybe* since 192.168(.0.0/16?) is, IIRC, an IANA LAN range type, it isn't resolvable by an external DNS, so your sshd server alias needs to be in all clients' /etc/hosts file, but that's just a guess.
 
Old 10-08-2001, 11:05 AM   #6
Yaukuai
Thanks for your reply.

As you suggested, I disabled this option:
PermitRootLogin No

and changed /etc/hosts to:
127.0.0.1 localhost eva
#192.169.0.1 server (remove this line)
# since "server" and "server.domain" can be resolved
# by named. other client can resolve this domain too by
# using named installed in "server" (192.168.0.1)

After that I've got several questions..
How do I bind sshd to an external IP address? Does this mean
sshd must be bound to 192.168.0.1?

>> and I suggest you separate the logfacility,
>> use LOCAL(number),

When I examined /etc/syslog.conf, I saw a similar line, like the one
below:
local7.* /var/log/boot.log

What does the number 7 mean?
How can I determine the number for "LOCAL(number)"?

>> Also check *if* youve got the right identity files exported for logging in, and *maybe* since the 192.168(.0.0/16?) is, IIRC, IANA LAN range type, it isnt resolvable by an external DNS, so your sshd server alias needs to be in all clients' /etc/hosts file, but thats just a guess.

My eth0 network address is 192.168.0.0/24.
(Sorry, I'm quite new to the internet and not so
familiar with it. What are IIRC and IANA LAN range type, anyway?
Does what I mentioned about the eth network address
answer your question?)

I've assigned the other clients' DNS setting to point to 192.168.0.1, so
other clients can resolve any domain name I assign to it..
(put nameserver 192.168.0.1 in all clients' /etc/resolv.conf)
No other DNS server.
No other additional setting in all clients' /etc/hosts files except
127.0.0.1 localhost

Note: no internet connection available, only a local intranet
environment..

After making the changes I mentioned, I've still got the same problem.

Sorry for troubling you.
Please advise.. thanks
Yau
 
Old 10-08-2001, 12:03 PM   #7
unSpawn
Ok. IIRC means "if I recall correctly", and IANA is just the organisation that handles the "rules" that describe network ranges (and much more, I guess).

Didn't know you only got intranet, no internet. Then I guess it won't matter, because you can't bind sshd to an external IP address. In sshd.conf it's "ListenAddress" where you choose the IP address to bind to; guess if your address is 192.168.0.1 then you would bind it to that. "man sshd" says you can use multiple entries, btw.

For using the syslog LOCAL facility, just find an empty "slot" (number) and set it up like
LOCAL1(tab)/var/log/sshd.log, and change the logging facility in sshd.conf to LOCAL1, or use netconf/linuxconf to set it. kill -s HUP to restart syslogd.

All this doesn't really matter now, I guess, but in 192.168.0.0/24 the "/24" denotes a range; IIRC available IP addresses in that range start at 192.168.0.0 and end at 192.168.0.255.

Anyway, I don't have any clue anymore, except for cross-checking your server's sshd.conf and log, and on the client side verbose/debug the connection to see at what point it cuts off...
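Yau's question about the "7" in local7 and unSpawn's answer ("find an empty slot") come down to this: syslog reserves eight facilities, local0 through local7 (codes 16 to 23 in RFC 3164), for local use, and Red Hat's boot scripts simply happen to log to local7. The script below, an added example written for this thread rather than code from the posters, OpenSSH or sysklogd, scans a constructed syslog.conf for local facilities that already have a rule and prints the two lines that give sshd its own log file: one for /etc/syslog.conf and the matching SyslogFacility line for sshd_config.

```python
import re

# Constructed sample resembling a Red Hat 7 era /etc/syslog.conf (not Yau's file).
SAMPLE_SYSLOG_CONF = """\
# Log anything (except mail) of level info or higher.
*.info;mail.none;authpriv.none;cron.none\t/var/log/messages
authpriv.*\t/var/log/secure
mail.*\t/var/log/maillog
cron.*\t/var/log/cron
*.emerg\t*
# Save boot messages also to boot.log
local7.*\t/var/log/boot.log
"""

# RFC 3164 facility codes: local0..local7 are 16..23, reserved for local use.
# "local7" carries no special meaning; Red Hat's boot scripts just log to it.
FACILITY_CODES = {f"local{n}": 16 + n for n in range(8)}


def selectors(conf_text):
    """Yield (facility, priority) pairs from every selector in a syslog.conf."""
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        selector_field = re.split(r"\s+", line, maxsplit=1)[0]
        for sel in selector_field.split(";"):          # "a.b;c.d" form
            fac_list, _, prio = sel.partition(".")
            for fac in fac_list.split(","):            # "local0,local1.*" form
                yield fac.lower(), prio.lower()


def used_local_facilities(conf_text):
    """LOCALn facilities that already have a rule (so sshd should not share them)."""
    return {fac for fac, _ in selectors(conf_text) if fac in FACILITY_CODES}


def pick_free_local_facility(conf_text):
    """Lowest LOCALn slot with no rule, or None if all eight are taken."""
    used = used_local_facilities(conf_text)
    for n in range(8):
        if f"local{n}" not in used:
            return f"local{n}"
    return None


def sshd_log_config(conf_text, logfile="/var/log/sshd.log"):
    """The two lines that give sshd its own log: one for syslog.conf, one for sshd_config."""
    fac = pick_free_local_facility(conf_text)
    if fac is None:
        raise RuntimeError("LOCAL0..LOCAL7 are all in use; reuse one or merge rules")
    return {
        "facility": fac,
        "facility_code": FACILITY_CODES[fac],
        "syslog_conf_line": f"{fac}.*\t{logfile}",      # tab-separated, as syslog.conf wants
        "sshd_config_line": f"SyslogFacility {fac.upper()}",
    }


if __name__ == "__main__":
    cfg = sshd_log_config(SAMPLE_SYSLOG_CONF)
    print("free slot:", cfg["facility"], "(code", cfg["facility_code"], ")")
    print("add to /etc/syslog.conf :", cfg["syslog_conf_line"])
    print("set in sshd_config      :", cfg["sshd_config_line"])
    print("then HUP syslogd and restart sshd so both pick up the change")
```

On the sample file local7 is taken, so the script proposes local0. After editing the two files, syslogd re-reads its configuration on SIGHUP (unSpawn's `kill -s HUP`) and sshd needs a restart; a separate sshd log also makes the "Read from socket failed" lines from the first post easy to spot without grepping /var/log/messages.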
 
Old 10-12-2001, 09:08 AM   #8
Yaukuai
Hi again...

Recently I did the following:

changed some configuration in /etc/ssh/sshd_config:

#ListenAddress 0.0.0.0
ListenAddress 192.168.0.0

then I tried this command:

ssh 192.168.0.1

There is some "progress" here. The error message is
not the same anymore..

ssh reports this error:
Secure connection to 192.168.0.1 on port 22 refused.

I thought there is something with /etc/hosts.allow and
/etc/hosts.deny..

/etc/hosts.allow contains:
all:192.168.0.

/etc/hosts.deny contains:
all:all

Other /etc/ssh/ssh_config and /etc/ssh/sshd_config
configuration is not modified.

Is there something I misconfigured here?

Please advise..
Thanks...
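Two things are worth separating in the last post: whether sshd can bind the address given in ListenAddress at all, and whether tcp_wrappers (hosts.allow/hosts.deny) would admit the client once it has. "Connection refused" is the kernel's answer when nothing is listening on the port; a tcp_wrappers deny looks different, because sshd accepts the connection and then closes it. The script below is an added example written for this thread, not code from the posters or from OpenSSH or tcp_wrappers; it checks ListenAddress values from a constructed sshd_config against the interface's subnet using the standard library's ipaddress module (assuming one NIC with one address, 192.168.0.1/24 as in the thread), and models the hosts_access(5) rules from the post in simplified form: ALL, exact IPs and "prefix." patterns, keywords case-insensitive, hosts.allow consulted before hosts.deny, default allow.

```python
import ipaddress

# Constructed sshd_config fragment in the state the last post describes (not Yau's file).
SAMPLE_SSHD_CONFIG = """\
Port 22
Protocol 2
#ListenAddress 0.0.0.0
ListenAddress 192.168.0.0
PermitRootLogin no
"""

# Constructed tcp_wrappers files with the same rules the post shows.
SAMPLE_HOSTS_ALLOW = "all:192.168.0.\n"
SAMPLE_HOSTS_DENY = "all:all\n"


def listen_addresses(config_text):
    """ListenAddress values from an sshd_config, comments skipped (IPv4 'addr' or 'addr:port')."""
    out = []
    for line in config_text.splitlines():
        parts = line.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0].lower() == "listenaddress":
            value = parts[1]
            out.append(value.rsplit(":", 1)[0] if value.count(":") == 1 else value)
    return out


def check_listen_address(addr, interface_cidr):
    """Say whether sshd can bind `addr` on a host whose only NIC is `interface_cidr`
    (assumption: one interface, one address, e.g. '192.168.0.1/24')."""
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network                      # 192.168.0.0/24 for the example above
    ip = ipaddress.ip_address(addr)
    if ip.is_unspecified:
        return "ok: wildcard, binds every local address"
    if ip == iface.ip:
        return "ok: the interface's own address"
    if ip == net.network_address:
        return "error: network address, no interface owns it; bind() fails and sshd exits"
    if ip == net.broadcast_address:
        return "error: broadcast address; bind() fails"
    if ip.is_loopback:
        return "warning: loopback only, unreachable from the LAN"
    if ip in net:
        return "error: in the subnet but not configured on this host"
    return "error: outside the interface's subnet"


def wrappers_allow(client_ip, hosts_allow, hosts_deny, daemon="sshd"):
    """Simplified hosts_access(5) decision for `daemon`: hosts.allow first, then
    hosts.deny, default allow. Supports ALL, exact IPs and 'prefix.' patterns."""
    def matches(rules_text):
        for line in rules_text.splitlines():
            line = line.split("#", 1)[0].strip()
            if ":" not in line:
                continue
            daemons, clients = line.split(":", 2)[:2]
            dl = [d.strip().lower() for d in daemons.split(",")]
            if "all" not in dl and daemon.lower() not in dl:
                continue
            for pat in (c.strip().lower() for c in clients.split(",")):
                if pat == "all" or pat == client_ip or (pat.endswith(".") and client_ip.startswith(pat)):
                    return True
        return False
    if matches(hosts_allow):
        return True
    if matches(hosts_deny):
        return False
    return True


if __name__ == "__main__":
    for a in listen_addresses(SAMPLE_SSHD_CONFIG):
        print(f"ListenAddress {a}: {check_listen_address(a, '192.168.0.1/24')}")
    for client in ("192.168.0.2", "10.0.0.5"):
        verdict = "allow" if wrappers_allow(client, SAMPLE_HOSTS_ALLOW, SAMPLE_HOSTS_DENY) else "deny"
        print(f"tcp_wrappers for {client}: {verdict}")
```

Run against the sample, the ListenAddress check flags 192.168.0.0 as the subnet's network address, which no interface owns, while the wrappers rules admit 192.168.0.2 and reject 10.0.0.5. The same two functions can be pointed at a real /etc/ssh/sshd_config and the real hosts.allow/hosts.deny; the interface CIDR comes from `ifconfig eth0` (or `ip addr`) on the box.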
 
  

