First, please excuse my long-windedness. I have been working on this for a couple of days now. Feel free to skip to the end unless you want all the gory details of how I got there.
Well I thought I had it working.
In a previous thread I was working on getting DNS working on my Linux firewall. I am building it from the ground up. It is based on Debian Lenny's base install, no GUI. Not in service yet.
I know that part of the problem is that I don't enter the command correctly all the time and so DNS can't return any data. I am not sure that, even though I have set the name servers in dhclient.conf, they are being used until I do a restart on bind and dhcp. At this point local names will resolve on the server but not on a client.
My setup
Big-bad-www > Existing-Linux-firewall -> local-network -> plastic-box-router -> New-Linux-firewall < hub > client
What I want is for local names to resolve without having to enter the domain name when I do something like "$ ssh -l user-name some-host". I understand that for ssh to resolve in some cases I need to populate the /etc/hosts file with data. I already have the data set up in DNS for my local network, and it does work with the description above when I use the dig, nslookup or host commands. But it does not resolve for ssh or vncviewer.
This project is both for practical use and a learning experience. Eventually this server will replace my current firewall.
So my questions to start with are: (disregard, I seem to have this part fixed)
Without the hosts file populated on the clients, should I still get local name resolution for ssh and vncviewer from the server via DNS?
How do I get the client machine to resolve local names from the data on the server? I have edited /etc/hosts on the client to contain the server name and ip.
So far Google and the man pages have not yielded a solution for me.
Thanks for what guidance you can give me.
***********************************
More info.
I have been looking at this for a couple of days now. I have, to the best of my ability, locked the Linux firewall/DNS down. It is possible that something in that process is what is causing the problem, yet before I set up bind9 I was able to ssh into the server. This leads me to believe that it is a name resolution issue.
Second, I did update the firewall/DNS server since I installed bind9, but I think the ssh issue occurred before that update.
I am certain that it is not a "too many connections at one time" issue because there are only 2 machines on the network I have set up for testing the setup before I put it into production.
I opened a hole through the plastic-box router to the firewall/DNS server and tried to ssh into it from my laptop, which I could do before, and I got the same error.
Code:
ssh_exchange_identification: Connection closed by remote host
I have not changed anything on the client machine since the Debian Lenny RC1 install except to add a line in /etc/hosts "192.168.x.x some-local.network server-name", and a line in /etc/host.conf "order hosts,bind".
At the moment the network is not up so I can't give the exact error when I try to ssh into the client from the server.
I suspect that it is an issue with the hosts.allow or hosts.deny file on the server. There again, the server is not up so I can't give you the exact file. But I do have a line ALL:ALL:deny in the allow file, but it is after an entry that is supposed to allow connections from the local network by name. As I remember, something like ALL: .some-local.network . My understanding is that reading the files stops on the first match, with the allow file read first. So it seems that somehow my entry above is not working correctly. I did have the ALL:PARANOID line active in the deny file but have disabled it.
**********************************************
So ok I have booted both systems now. I just ran '$ ssh -vl user 192.168.x.x' and this is what it returned.
Code:
OpenSSH_5.1p1 Debian-S, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying optinon for *
debug1: Connetcing to 192.168.x.x [192.168.x.x] port 22
debug1: Connection established.
debug1: identity file /home/user/.ssh/identity type -1
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
Typing this in by hand made me realize that these files don't exist on the client machine, nor do they exist on the server. Somehow trying to redirect the output with > some-file does not work for me with ssh. So I have to enter it by hand.
Something I forgot to mention before is that I have zeroed out the known_hosts files on both machines. So that is not the issue, like I have read that some people have had.
Running another command I came across has revealed that the sshd on the server seems to not be able to bind to any address.
Code:
# /usr/sbin/sshd -d -d
debup2: load_server_config: filedame /etc/sshd_config
debug2: load_server_config: done config len = 657
debug2: parse_lerver_config: config /etc/ssh/sshd_config len 657
debug1: sshd version OpenSSH_5.1p1 Debian-5
debug1: read PEM private key done: type RSA
debug1: checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: rexec_argv[2]='-d'
debug2: fd 3 senning O_NONBLOCK
debug1: bind to port 22 on ::.
Bind to port 22 on :: failed: Address already in use.
debug2: fd 3 setting O_NONBLOCK
debug1: bind to port 22 on 0.0.0.0.
Bind to port 22 on 0.0.0.0 failed: Address already in use.
Cannot bind any address.
#
I ran the same command on the client and it returned the same thing.
I ran # ssh 192.168.x.x from the server and it connected right up and asked for approval of the fingerprint of the client.
I ran, again on the server, # ssh -vl user host.some-local.network and it returned
Code:
OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connetcting to host.some-local.network [192.168.x.x] port 22
debug1: connect to address 192.168.x.x port 22: Connection timed out
ssh: connect to host host.some-local.network port 22: Connection timed out
#
On the client side it always returns ssh_exchange_identification: Connection closed by remote host whether I use just the IP or include user names and host names.
In /var/log/auth there are several entries about the host name not matching the IP. In the example above the name and IP are correct for what is in the DNS database. The IPs are assigned by dhcp and static so that the same MAC address always gets the same IP. Have tried some changes to /etc/security/host_access.
Here is the error in /var/log/auth.log
Code:
sshd[2615]: warning: /etc/hosts.allow, line 14: host name/address mismatch: 192.168.x.x != host.some-local.network
sshd[2615]: refused connect from 192.168.x.x (192.168.x.x)
I am not sure why I am getting this error. The only thing I can figure is that the user account I am using to log in with only exists on the server. I have to use this account or root to log in to the server because it is locked down pretty hard and will not accept any other users to log in.
Still, none of this explains why I can't access the client from the server when using names. I have not connected my laptop back up to the testing network to see if I can log into the client from it, which would indicate that it is a server-specific problem. Guess I will try that.
Well, that was little help. I was able to ssh into the client machine from my laptop, but only with the IP and not the FQDN. I got the same error when I tried to log in to the server. Guess I'll go read some more posts on Google.
********************************
Looking back through the log I am keeping as I set up the new firewall/DNS, I see an entry about editing /etc/pam.d/login to make SELinux control logins. Could that be the issue?
Well I have looked at the pam setup for sshd and I don't see a reason that it should be causing the problem I am having. It is not calling anything that should be causing this problem.
I have changed some things and now the error that is reported by.. I think I will do a restart. No change. grrrr
So ok, the exact entry in auth.log is:
Code:
Feb 21 09:18:54 bamod-aish sshd[2443]: warning: /etc/hosts.allow, line 13: host name/address mismatch: 192.168.7.11 != distraction.Torah-disciple.local
Feb 21 09:18:55 bamod-aish sshd[2443]: refused connect from 192.168.7.11 (192.168.7.11)
Feb 21 09:19:51 bamod-aish sshd[2445]: warning: /etc/hosts.allow, line 13: host name/address mismatch: 192.168.7.11 != distraction.Torah-disciple.local
Feb 21 09:19:51 bamod-aish sshd[2445]: refused connect from 192.168.7.11 (192.168.7.11)
The first entry is from trying to connect with "$ ssh -vl smoke 192.168.7.1" (smoke is a general user account on the firewall box; it does not exist on the client). Both the host name and address are correct per the dhcp lease assigned to the client machine.
The second entry is from trying to connect with "$ ssh -v 192.168.7.1". It still pulled the correct name and IP, yet I was still denied access.
Line 13 in the hosts.allow file reads "ALL: LOCAL". The next line reads "ALL: .Torah-disciple.local". There are no other uncommented lines in the file. I had a line that read "ALL:ALL:deny" but I commented it out just in case.
There is an entry in syslog that matches up time wise with the second attempt that says
Code:
Feb 21 09:19:51 bamod-aish named[1993]: client 127.0.0.1#55203: RFC 1918 response from Internet for 11.0.168.192.in-addr.arpa
Not sure that means anything, but there it is.
I have tried adding a line in sshd_config to specifically allow the user "smoke" and did an ssh restart, and there is no change.
Any ideas where to look?
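The "host name/address mismatch" warning above comes from TCP wrappers (libwrap) verifying that the PTR record for the client address points to a name whose A record points back to the same address. When that round trip fails, libwrap substitutes the placeholder name "paranoid" for the client, and name-based patterns such as LOCAL or .Torah-disciple.local can then never match. The following is an added example, not code from the post or from tcp_wrappers itself: an offline Python simulation of that check and of the client-pattern matching, using a constructed in-memory zone table (the stale A record for 192.168.7.11 is invented to reproduce the mismatch). Only the client part of a rule is modelled; the daemon part is assumed to be ALL, and the evaluation order (allow table, then deny table, then permit by default) follows hosts_access(5).

```python
"""
Offline simulation of the forward/reverse DNS consistency check that TCP
wrappers performs before a hostname pattern in hosts.allow may match.
Added example; the zone data below is constructed, not taken from any real
server.
"""
import ipaddress

PARANOID = "paranoid"   # libwrap's placeholder name for a mismatched client
UNKNOWN = "unknown"     # placeholder when the reverse lookup yields nothing

# Constructed PTR records: address -> name
REVERSE = {
    "192.168.7.11": "distraction.Torah-disciple.local",
    "192.168.7.12": "printer",                      # short name, no dots
    "192.168.7.13": "laptop.Torah-disciple.local",
}
# Constructed A records: name -> addresses. The first entry is deliberately
# stale (points at .21 while the PTR says .11) to trigger a mismatch.
FORWARD = {
    "distraction.torah-disciple.local": ["192.168.7.21"],
    "printer": ["192.168.7.12"],
    "laptop.torah-disciple.local": ["192.168.7.13"],
}


def client_name(addr, reverse=REVERSE, forward=FORWARD):
    """Name libwrap would attach to the client: verified name, or a placeholder."""
    name = reverse.get(addr)
    if name is None:
        return UNKNOWN
    name = name.lower()               # libwrap compares names case-insensitively
    if addr not in forward.get(name, []):
        # Same condition that produces "host name/address mismatch" in auth.log.
        return PARANOID
    return name


def hostname_known(name):
    """Mirrors libwrap's HOSTNAME_KNOWN(): neither placeholder value."""
    return name not in (UNKNOWN, PARANOID)


def host_match(pattern, addr, name):
    """Match one client pattern (the part after the colon) against the client."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":            # no dots, and the name must be verified
        return "." not in name and hostname_known(name)
    if pattern == "KNOWN":
        return hostname_known(name)
    if pattern == "PARANOID":
        return name == PARANOID
    if "/" in pattern:                # net/mask, e.g. 192.168.7.0/255.255.255.0
        return ipaddress.ip_address(addr) in ipaddress.ip_network(pattern, strict=False)
    if pattern.startswith("."):       # domain suffix, only on a verified name
        return hostname_known(name) and name.endswith(pattern.lower())
    if pattern.endswith("."):         # address prefix, e.g. 192.168.7.
        return addr.startswith(pattern)
    return pattern == addr or (hostname_known(name) and pattern.lower() == name)


def decide(addr, allow_rules, deny_rules, reverse=REVERSE, forward=FORWARD):
    """Evaluate hosts.allow, then hosts.deny; permit if neither matches."""
    name = client_name(addr, reverse, forward)
    for pat in allow_rules:
        if host_match(pat, addr, name):
            return "allow", name
    for pat in deny_rules:
        if host_match(pat, addr, name):
            return "deny", name
    return "allow", name


if __name__ == "__main__":
    allow = ["LOCAL", ".Torah-disciple.local"]
    for addr in ("192.168.7.11", "192.168.7.12", "192.168.7.13", "192.168.7.99"):
        print(addr, decide(addr, allow, ["ALL"]))
```

To diagnose a real host, compare `dig -x <address>` with `dig <name-from-the-PTR>` on the resolver the server actually uses; the two answers must reference each other, and the fix is in the zone data (or the resolver being consulted), not in hosts.allow.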