LinuxQuestions.org
Old 10-16-2003, 01:29 AM   #1
Miyamoto
Member
 
Registered: Jun 2003
Distribution: Mandrake Linux 9.1 Bamboo
Posts: 51

Rep: Reputation: 15
Setting up SSH between Mac OS X (A BSD variant) and Mandrake 9.1


Hi all. I recently had to reinstall my Linux installation and I'm having trouble getting my Linux machine set up for remote access through SSH. The keyboard with my Linux box is noisier than anything. What SSH file would I have to edit to enter what IPs are allowed to connect?

Thanks.
 
Old 10-16-2003, 09:36 AM   #2
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
There are 2 files that can do that:

1) /etc/hosts.allow
This file is used by tcpwrappers to control who is allowed to connect to the ssh daemon. Put an entry in here that looks like this:
SSHD: xxx.xxx.xxx.xxx yyy.yyy.

2) Your firewall can restrict entry as well. /etc/sysconfig/iptables holds your firewall rules. The exact rule would depend on how you have your firewall configured, but something like this will give you something to work with:
iptables -I INPUT -p tcp --dport 22 -s xxx.xxx.xxx.xxx -j ACCEPT

----edit-----
BTW, don't edit the iptables file by hand. Just enter the commands from the command line or put together a firewall script. As far as I know, OSX doesn't use iptables; if it has stayed true to its BSD roots, it should use ipfilter instead. So the location and syntax will be different on the OSX machine.

Last edited by Capt_Caveman; 10-16-2003 at 09:44 AM.
 
Old 10-16-2003, 10:57 AM   #3
Miyamoto
Member
 
Registered: Jun 2003
Distribution: Mandrake Linux 9.1 Bamboo
Posts: 51

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Capt_Caveman
There are 2 files that can do that:

1) /etc/hosts.allow
This file is used by tcpwrappers to control who is allowed to connect to the ssh daemon. Put an entry in here that looks like this:
SSHD: xxx.xxx.xxx.xxx yyy.yyy.

2) Your firewall can restrict entry as well. /etc/sysconfig/iptables holds your firewall rules. The exact rule would depend on how you have your firewall configured, but something like this will give you something to work with:
iptables -I INPUT -p tcp --dport 22 -s xxx.xxx.xxx.xxx -j ACCEPT

----edit-----
BTW, don't edit the iptables file by hand. Just enter the commands from the command line or put together a firewall script. As far as I know, OSX doesn't use iptables; if it has stayed true to its BSD roots, it should use ipfilter instead. So the location and syntax will be different on the OSX machine.
When you say xxx.xxx.xxx.xxx I assume that that stands for the IPs that I want to be able to connect. But what's the yyy.yyy symbolize?

Here's what I see in the /etc/hosts.allow:

#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#


Where do I add the line? Oh and I don't remember editing this particular file the last time I had gotten the SSHD working between my iBook here and my Gateway that's running as my server on Linux....

Thanks...
 
Old 10-16-2003, 01:12 PM   #4
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Add the line right after the comments section. So the hosts.allow file would look like this:
Code:
#
# hosts.allow This file describes the names of the hosts which are
# allowed to use the local INET services, as decided
# by the '/usr/sbin/tcpd' server.
#

SSHD: 123.456.789.123
Where 123.456.789.123 is the ip address you want to allow. For more than one address, just put them one after another with only a space in between them.

If you want to allow a whole block of addresses, you can do a partial ip address. Like if you wanted to allow all of the computers on the 192.168. network, you would just put 192.168. there (which is what I meant by the yyy.yyy.)

Depending on how you configured your old box (default security settings, etc.) you might not have had to specify any addresses at all.
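A practitioner's check on the two posts above, as an added example (not code from the thread): tcp_wrappers reads /etc/hosts.allow first and /etc/hosts.deny second, and anything matched by neither file is admitted. So an "SSHD: 192.168." line in hosts.allow on its own restricts nobody; it only becomes a restriction once hosts.deny carries "sshd: ALL". The same applies to the iptables line in post #2: an ACCEPT rule for one source restricts nothing unless a later rule (or the chain policy) drops other traffic to port 22. The model below implements the subset of hosts_access(5) semantics that matter here (ALL, trailing-dot network prefixes such as the "yyy.yyy." in post #2, leading-dot domain suffixes, net/mask, EXCEPT, and case-insensitive daemon names, so "SSHD:" and "sshd:" are equivalent). The sample file contents are constructed. Two caveats: this only works when sshd was built with libwrap, which Mandrake's OpenSSH of that time was, but OpenSSH dropped libwrap support in 6.7, so on current systems the same restriction is done in the firewall or with Match/AllowUsers blocks in sshd_config; and a libwrap denial happens after the TCP handshake, so it never looks like the "Connection refused" seen later in the thread, which means nothing is listening at all.

```python
"""Model of how tcp_wrappers (libwrap) decides whether a client may reach
sshd, driven by /etc/hosts.allow and /etc/hosts.deny text.

Added example, not code from the forum thread. It implements the part of
hosts_access(5) that matters for the advice above:
  * hosts.allow is read first; the first matching line grants access;
  * otherwise hosts.deny is read; a match denies;
  * otherwise access is granted, so an allow line on its own blocks nobody;
  * client patterns: ALL, a literal address or host name, a trailing-dot
    network prefix ("192.168." matches 192.168.x.y), a leading-dot domain
    suffix (".example.com"), "net/mask" in dotted notation, and
    "list EXCEPT list";
  * daemon names are compared case-insensitively.
The sample file contents below are constructed for the demonstration.
"""
import ipaddress


def _match_pattern(pattern, client_ip, client_name):
    """Match one client pattern against the peer address / reverse name."""
    if pattern.upper() == "ALL":
        return True
    if pattern.endswith("."):                      # network prefix, e.g. "192.168."
        return client_ip.startswith(pattern)
    if pattern.startswith("."):                    # domain suffix, e.g. ".example.com"
        return client_name is not None and client_name.lower().endswith(pattern.lower())
    if "/" in pattern:                             # net/mask, e.g. 10.0.0.0/255.0.0.0
        net, mask = pattern.split("/", 1)
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(f"{net}/{mask}", strict=False)
    return pattern == client_ip or (client_name is not None and pattern.lower() == client_name.lower())


def _match_list(tokens, client_ip, client_name):
    """'a b EXCEPT c d' matches when any of a,b matches and none of c,d does."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return (_match_list(tokens[:i], client_ip, client_name)
                and not _match_list(tokens[i + 1:], client_ip, client_name))
    return any(_match_pattern(p, client_ip, client_name) for p in tokens)


def _file_matches(text, daemon, client_ip, client_name):
    """True if any 'daemon_list : client_list' line in text matches."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()       # drop comments and blanks
        if not line:
            continue
        daemons, sep, clients = line.partition(":")
        if not sep:
            continue
        if not any(d.upper() == "ALL" or d.lower() == daemon.lower() for d in daemons.split()):
            continue
        if _match_list(clients.split(), client_ip, client_name):
            return True
    return False


def hosts_access(daemon, client_ip, allow_text, deny_text, client_name=None):
    """The libwrap decision: True when the connection is admitted."""
    if _file_matches(allow_text, daemon, client_ip, client_name):
        return True
    if _file_matches(deny_text, daemon, client_ip, client_name):
        return False
    return True


# Constructed sample files. ALLOW_ONLY is the shape of the advice in the posts
# above (with an EXCEPT added); DENY_ALL is the hosts.deny line that makes it
# actually restrict anything.
ALLOW_ONLY = "sshd: 192.168.1. 203.0.113.7 EXCEPT 192.168.1.99\n"
DENY_ALL = "sshd: ALL\n"


def demo():
    stranger, lan, excluded = "198.51.100.9", "192.168.1.44", "192.168.1.99"
    return {
        "stranger_without_deny": hosts_access("sshd", stranger, ALLOW_ONLY, ""),
        "stranger_with_deny": hosts_access("sshd", stranger, ALLOW_ONLY, DENY_ALL),
        "lan_with_deny": hosts_access("sshd", lan, ALLOW_ONLY, DENY_ALL),
        "excluded_with_deny": hosts_access("sshd", excluded, ALLOW_ONLY, DENY_ALL),
    }


if __name__ == "__main__":
    for name, admitted in demo().items():
        print(f"{name}: {'allowed' if admitted else 'denied'}")
```

Running it shows the stranger admitted when hosts.deny is empty and refused once "sshd: ALL" is there, which is the check worth doing before trusting the allow list.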
 
Old 10-16-2003, 01:16 PM   #5
Miyamoto
Member
 
Registered: Jun 2003
Distribution: Mandrake Linux 9.1 Bamboo
Posts: 51

Original Poster
Rep: Reputation: 15
Thanks. I'm gonna try that now.
 
Old 10-16-2003, 01:27 PM   #6
Miyamoto
Member
 
Registered: Jun 2003
Distribution: Mandrake Linux 9.1 Bamboo
Posts: 51

Original Poster
Rep: Reputation: 15
Well that didn't work.

Here's what it said when I tried to connect using my OS X machine's terminal:

[Bob's Computer:~] bob% ssh 64.252.197.134
ssh: connect to host 64.252.197.134 port 22: Connection refused

I tried to get the SSHD running on my Linux box and here's the error it spits back at me:

Could not load host key: /etc/ssh/ssh_host_key
Could not load host key: /etc/ssh/ssh_host_rsa_key
Could not load host key: /etc/ssh/ssh_host_dsa_key
Disabling protocol version 1. Could not load host key
Disabling protocol version 2. Could not load host key
sshd: no hostkeys available -- exiting.

Any ideas?
 
Old 10-16-2003, 01:41 PM   #7
Miyamoto
Member
 
Registered: Jun 2003
Distribution: Mandrake Linux 9.1 Bamboo
Posts: 51

Original Poster
Rep: Reputation: 15
Well I went into the Mandrake Control Center and I activated sshd and when I tried connect to my Linux box here's what it says:

@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: POSSIBLE DNS SPOOFING DETECTED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
The RSA host key for darwinanime.no-ip.com has changed,
and the key for the according IP address 64.252.197.134
is unknown. This could either mean that
DNS SPOOFING is happening or the IP address for the host
and its host key have changed at the same time.
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
9d:f8:89:5f:1e:c5:13:46:7c:d2:e3:0e:6d:fe:11:ad.
Please contact your system administrator.
Add correct host key in /Users/gasparhe/.ssh/known_hosts to get rid of this message.
Offending key in /Users/gasparhe/.ssh/known_hosts:1
RSA host key for darwinanime.no-ip.com has changed and you have requested strict checking.
Host key verification failed

Should I be worried about that? Also what should the listen address be set to under /etc/ssh/sshd_config?
 
Old 10-16-2003, 02:07 PM   #8
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
OK. I had just assumed you had gotten sshd started.

Don't worry about that message. It just means that the RSA key for that host either changed or hadn't been seen before. You'll need to copy over the RSA key from that machine and put an entry in /Users/gasparhe/.ssh/known_hosts.

In the /etc/ssh/sshd_config file, set the listening address to be the ip address of the machine. Also make sure that root logins are not allowed and that you're only allowing ssh protocol 2.
 
Old 10-16-2003, 03:39 PM   #9
Miyamoto
Member
 
Registered: Jun 2003
Distribution: Mandrake Linux 9.1 Bamboo
Posts: 51

Original Poster
Rep: Reputation: 15
Quote:
Originally posted by Capt_Caveman
OK. I had just assumed you had gotten sshd started.

Don't worry about that message. It just means that the RSA key for that host either changed or hadn't been seen before. You'll need to copy over the RSA key from that machine and put an entry in /Users/gasparhe/.ssh/known_hosts.

In the /etc/ssh/sshd_config file, set the listening address to be the ip address of the machine. Also make sure that root logins are not allowed and that you're only allowing ssh protocol 2.
It's still not working.... I don't know what I'm doing wrong. I added a line into my .ssh/known_hosts file but I still get the same message when sshd is on.

Here's my .ssh/known_hosts file:

darwinanime.no-ip.com,64.252.200.38 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8/Mai15l6kO5$
64.252.205.51 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8/Mai15l6kO5jhz35wDoWt5b8d+uCpVyzw$
64.252.196.8 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8/Mai15l6kO5jhz35wDoWt5b8d+uCpVyzwD$
64.252.200.255 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8/Mai15l6kO5jhz35wDoWt5b8d+uCpVyz$
64.252.200.129 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8/Mai15l6kO5jhz35wDoWt5b8d+uCpVyz$
64.252.194.194 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8/Mai15l6kO5jhz35wDoWt5b8d+uCpVyz$
darwinanime.no-ip.com,64.252.197.134 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8/Mai15l6kO$

Is that set up correctly? And each time I try and edit the host key file on my Linux server it says that that file doesn't exist... I just turned off the ssh daemon and on this end (on the Server) and when I try and connect up to it from my iBook here it says the connection is refused....

Any suggestions?
 
Old 10-16-2003, 07:10 PM   #10
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
Couple of things to try.
1. The sshd service will need to be up and listening for connections on whichever machine you are trying to connect to.
Make sure it's up using: netstat -al | grep ssh

2. There are two entries in the known_hosts file for the hostname darwinanime.no-ip.com. They both have the same key, so just figure out which ip address is right and remove the other entry.

3. Take a look at the sshd_config file and see what authentication methods are uncommented (no # in front). To make sure that you're not trying to use two different authentication methods. I'm no cryptography expert, but your keys look drastically different than mine, so one system might be trying to use RSA, while the other is trying to use DSA or blowfish or something else.

4. Take a look at the /var/log/messages and /var/log/secure files on the machine running sshd and see if you can find any messages relating to failed ssh authentication or ssh failures in general.

5. What security level do you have set? Mandrake uses msec which can act like a crackhead if it's set to paranoid.

6. When you try to connect to the sshd server, use ssh -v to get a verbose output of what is going on.
 
Old 10-16-2003, 08:38 PM   #11
Miyamoto
Member
 
Registered: Jun 2003
Distribution: Mandrake Linux 9.1 Bamboo
Posts: 51

Original Poster
Rep: Reputation: 15
Well thanks a lot! ^_^ It's working. I removed all but the current key from the known_hosts file and it allows me to connect again. Here's what it says now:

[Gaspar-Hellers-Computer:~] gasparhe% ssh darwinanime.no-ip.com
key_read: uudecode AAAAB3NzaC1yc2EAAAABIwAAAIEA8/Mai15l6kO5jhz35wDoWt5b8d+uCpVyz$
failed
key_read: uudecode AAAAB3NzaC1yc2EAAAABIwAAAIEA8/Mai15l6kO5jhz35wDoWt5b8d+uCpVyz$
failed
gasparhe@darwinanime.no-ip.com's password:

How do I get it to not display those errors? How do I get it out of verbose mode?

Thanks again.
 
Old 10-16-2003, 10:06 PM   #12
Capt_Caveman
Senior Member
 
Registered: Mar 2003
Distribution: Fedora
Posts: 3,658

Rep: Reputation: 69
It looks like it's still not exchanging keys properly. On the OSX client, make a backup copy of the /Users/username/.ssh/known_hosts file. Then delete the entry for the linux box.

Now try connecting with ssh again. If everything works, it should say "Warning: Authenticity of blah has changed ...blah,blah,blah... would you like to add blah to your list of known hosts?" Type yes and that should update the new public key.

If any of that is confusing, check out this link:

http://docs.info.apple.com/article.html?artnum=88461
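What a security engineer would actually do with the warning in post #7, the known_hosts listing in post #9 and the "key_read: uudecode ... failed" lines in post #11, as an added example (not code from the thread). The warning says the client already had a key for darwinanime.no-ip.com (recorded under an earlier dynamic-DNS address) and the server now presents a different one, which is consistent with a reinstalled box whose host keys were generated fresh when sshd was first started. Rather than copying the server key over and trusting it blindly, the right response is to read the fingerprint on the server's own console with ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub (add -E md5 on current OpenSSH to get the colon-separated form the 2003 client printed) and compare it with the one in the warning; only then remove the stale line (current OpenSSH has ssh-keygen -R hostname for that) and accept the new key. The "uudecode ... failed" messages are the client failing to base64-decode a known_hosts line, which is what the trailing "$" in the pasted listing suggests: the lines were cut off where the display wrapped them, so the login in post #11 worked despite those entries, not because of them, and the fix is to delete the damaged lines. The script below fingerprints every entry in a known_hosts file (MD5 colon form and the SHA256 form current clients print), flags undecodable lines, reports hostnames recorded more than once with differing keys (the duplicate pointed out in post #10), and checks a recorded key against a fingerprint read off the console. The sample file is constructed, and the KEY_A/KEY_B blobs are built from made-up RSA parameters, not real host keys; the last sample line reuses the truncated blob as pasted in the thread.

```python
"""Checks on a known_hosts file after an "IDENTIFICATION HAS CHANGED"
warning: fingerprint each recorded key so it can be compared with the
fingerprint the server prints for its own key, and list hostnames that
appear on more than one line.

Added example, not code from the thread. SAMPLE is constructed; KEY_A and
KEY_B are built from made-up RSA parameters and are not real host keys.
"""
import base64
import hashlib
import struct
from collections import defaultdict


def _ssh_string(b):
    return struct.pack(">I", len(b)) + b


def _ssh_mpint(n):
    # positive mpint: big-endian, with a leading 0x00 when the high bit is set
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def make_rsa_blob(e, n):
    """Base64 'ssh-rsa' wire blob as stored in known_hosts (sample-data builder)."""
    return base64.b64encode(_ssh_string(b"ssh-rsa") + _ssh_mpint(e) + _ssh_mpint(n)).decode("ascii")


def fingerprints(blob_b64):
    """Return (MD5 colon form, as printed by the 2003 client; SHA256 form, as
    printed by current clients). Raises ValueError when the base64 does not
    decode, which is the condition behind 'key_read: uudecode ... failed'."""
    raw = base64.b64decode(blob_b64, validate=True)
    hexmd5 = hashlib.md5(raw).hexdigest()
    md5_fp = ":".join(hexmd5[i:i + 2] for i in range(0, 32, 2))
    sha_fp = "SHA256:" + base64.b64encode(hashlib.sha256(raw).digest()).decode("ascii").rstrip("=")
    return md5_fp, sha_fp


def parse_known_hosts(text):
    """One dict per entry: line, hosts, type, md5, sha256; or line plus 'error'."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) < 3:
            entries.append({"line": lineno, "error": "too few fields"})
            continue
        hosts, ktype, blob = fields[0].split(","), fields[1], fields[2]
        try:
            md5_fp, sha_fp = fingerprints(blob)
        except ValueError as exc:                  # binascii.Error is a ValueError
            entries.append({"line": lineno, "hosts": hosts, "error": f"undecodable key: {exc}"})
            continue
        entries.append({"line": lineno, "hosts": hosts, "type": ktype,
                        "md5": md5_fp, "sha256": sha_fp})
    return entries


def duplicate_hosts(entries):
    """Hosts recorded more than once, with how many distinct keys they carry."""
    by_host = defaultdict(list)
    for e in entries:
        if "error" in e:
            continue
        for h in e["hosts"]:
            by_host[h].append(e)
    return {h: {"lines": [e["line"] for e in es],
                "distinct_keys": len({e["md5"] for e in es})}
            for h, es in by_host.items() if len(es) > 1}


def matches_console(entries, host, console_md5):
    """True if the key recorded for host equals the fingerprint read off the
    server console (ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub)."""
    return any(host in e.get("hosts", []) and e.get("md5") == console_md5 for e in entries)


# Constructed sample: two lines share KEY_A, the hostname appears twice with
# different keys, and the last line is the truncated blob as pasted in the thread.
KEY_A = make_rsa_blob(65537, 0xC0FFEE1234567890ABCDEF0123456789)
KEY_B = make_rsa_blob(65537, 0xDEADBEEF0BADF00DFEEDFACE13579BDF)
SAMPLE = f"""darwinanime.no-ip.com,64.252.200.38 ssh-rsa {KEY_A}
64.252.205.51 ssh-rsa {KEY_A}
darwinanime.no-ip.com,64.252.197.134 ssh-rsa {KEY_B}
64.252.196.8 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAIEA8/Mai15l6kO5$
"""

if __name__ == "__main__":
    ents = parse_known_hosts(SAMPLE)
    for e in ents:
        print(e)
    print("duplicates:", duplicate_hosts(ents))
```

Point it at a real ~/.ssh/known_hosts by replacing SAMPLE with the file's contents; any entry that comes back with an "error" key is one the client will complain about on every connection, and a hostname with distinct_keys greater than 1 is the situation that produced the warning.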
 
Old 10-16-2003, 10:26 PM   #13
Miyamoto
Member
 
Registered: Jun 2003
Distribution: Mandrake Linux 9.1 Bamboo
Posts: 51

Original Poster
Rep: Reputation: 15
It still says that even though I deleted out the file.... but it's okay because I can once again ssh into my Linux box... That's all I care about right now. Thanks again..
 