01-19-2006, 04:35 PM
|
#1
|
LQ Newbie
Registered: Jan 2006
Posts: 5
Rep:
|
cannot ssh from some hosts
Hi,
I have a machine behind a firewall. The firewall forwards to port 22 on the machine. The machine is set to accept only public key authentication.
From two different outside machines, I was able to connect to the machine. However, ssh'ing from my workplace, ssh does not receive any response and so times out. Tried on both Linux and Windows XP using PuTTY.
I was able to connect from my workplace the day before. I was also able to ssh out to other machines, so ssh does work.
Any idea why I'm able to ssh from some hosts but not from my workplace?
Thanks.
|
|
|
01-19-2006, 08:33 PM
|
#2
|
Member
Registered: Mar 2004
Location: Virginia
Distribution: PacketProtector
Posts: 331
Rep:
|
It might be worthwhile to see if you are routing to your firewall. I would start by seeing if you can ping your firewall (note in all examples please replace 10.10.10.10 with the appropriate IP address).
ping 10.10.10.10
This of course will only work if your firewall responds to pings. But you might find trace route to be more useful.
traceroute 10.10.10.10
Here you should look: does it make it all the way to your firewall? Are there any really long delays at any of the spots along the way? Assuming that no smoking gun is located at this point, I would suggest that you try telnetting to your ssh port to see if it responds:
telnet 10.10.10.10 22
If it connects you should see something like:
Trying 10.10.10.10...
Connected to your.machine.com.
Escape character is '^]'.
SSH-1.99-OpenSSH_3.9p1
This would be a successful response. If you cannot get here, then you likely have a problem between your two systems. If you can, but you still cannot connect, then something is likely off with the ssh client you are trying to use or the server that is listening.
I hope that this helps.
|
|
|
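An added example, not part of the thread or any poster's code: a Python version of the telnet-to-port check from post #2 that also separates a refused connection from a silently dropped one and can be run over several forwarded ports. The function names `probe_ssh_port` and `sweep` and the port list are assumptions made for illustration; 10.10.10.10 is the thread's own placeholder address.

```python
import socket

def probe_ssh_port(host, port, timeout=3.0):
    """Classify one TCP port the way the manual telnet test does.

    Returns (state, detail) where state is one of:
      "ssh-banner" - connected and the server sent an SSH identification string
      "open"       - connected, but no SSH banner arrived within the timeout
      "refused"    - a reset came back: the path works, nothing is listening
      "filtered"   - no reply at all: packets are dropped somewhere on the path
      "error"      - any other failure (unreachable network, bad name, ...)
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ("filtered", "connect timed out")
    except ConnectionRefusedError:
        return ("refused", "connection refused")
    except OSError as exc:
        return ("error", str(exc))
    with sock:
        try:
            data = sock.recv(256)  # sshd sends its banner first, unprompted
        except socket.timeout:
            return ("open", "connected, no banner")
        except OSError as exc:
            return ("error", str(exc))
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if line.startswith("SSH-"):
        return ("ssh-banner", line)
    return ("open", line or "connected, peer closed without banner")


def sweep(host, ports, timeout=3.0):
    """Probe each port in turn and return {port: (state, detail)}."""
    return {port: probe_ssh_port(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # 10.10.10.10 is the thread's placeholder; the ports are constructed examples.
    for port, (state, detail) in sweep("10.10.10.10", [22, 2222, 8022]).items():
        print(f"{port:>5}  {state:<10}  {detail}")
```

Run from the affected client network, a "filtered" result on one forwarded port next to "ssh-banner" on another narrows the problem to per-port filtering on the path rather than to sshd or the client.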
01-20-2006, 12:02 AM
|
#3
|
LQ Newbie
Registered: Jan 2006
Posts: 5
Original Poster
Rep:
|
Tried traceroute and saw that it was taking a very long time to reach my router. Then I realized that my router doesn't respond to traceroute. Finally I realized that maybe it had something to do with the port forwarding that I had in my firewall, so I tried changing it to something known. And I was now able to get ssh to connect. Seems like my firewall is blocking off the ports I was originally using.
Thanks for the pointers.
|
|
|
01-20-2006, 11:48 AM
|
#4
|
LQ Newbie
Registered: Jan 2006
Posts: 5
Original Poster
Rep:
|
OK, I thought about the problem more, and I have to take back some of what I wrote. In the original configuration, I had forwarded a port from the router to port 22 on the machine. I was able to ssh from some machines outside, but I was not able to ssh from my company. When I changed the port numbers on the router, I was able to ssh from my company.
Since it was able to forward from the outside under the original configuration, it doesn't appear to be something to do with the router. Also, I was able to see traceroute go outside my company, so my company is not blocking it.
So, I'm still wondering how this could have happened.
|
|
|
01-20-2006, 12:19 PM
|
#5
|
Member
Registered: Apr 2004
Distribution: Slackware 11.0, Gentoo
Posts: 252
Rep:
|
Traceroute uses ICMP traffic to trace the route. Just because traceroute is getting there doesn't mean that ssh will get there (company firewall blocking certain outbound traffic). Were you using the same destination port at all times from your company (port 22)? If one port worked, and the other didn't, chances are your company is blocking that outbound traffic.
|
|
|
01-20-2006, 04:15 PM
|
#6
|
LQ Veteran
Registered: Feb 2003
Location: Maryland
Distribution: Slackware
Posts: 7,803
|
Maybe your workplace changed their firewall and are preventing you from sshing out. A lot of companies view it as a potential security leak to allow ssh traffic out of the network.
|
|
|
01-20-2006, 08:52 PM
|
#7
|
Member
Registered: Mar 2004
Location: Virginia
Distribution: PacketProtector
Posts: 331
Rep:
|
As jonlake stated, a successful traceroute is not proof that a request to a specific service is not being blocked. I had suggested it only to get a feel for any potential problem areas with the routing (possibly signified by exceptionally large delay times).
The effort to telnet to the port in question provides some visibility into whether or not traffic is getting out of one network and into the other on the requested port.
Hangdog also makes a good point, in that these things are often not static. If something does not work one day, but does on another, it can well be a configuration change that is made at any number of points between the two systems in question (such as your corporate IT staff, or possibly resetting the config on your home router was the magic ticket).
Should you lose connectivity going forward, you should be in good shape for narrowing down the possible problem in short order.
Happy hunting,
|
|
|
01-23-2006, 12:15 PM
|
#8
|
LQ Newbie
Registered: Jan 2006
Posts: 5
Original Poster
Rep:
|
I am able to ssh out to other machines from my company. I can also ssh back to my own machine when I stick to certain port numbers on my router. But there are certain ranges that are not working, even though I could connect from other machines outside my company.
Thanks for all the suggestions, although it is still a mystery to me.
|
|
|
01-23-2006, 01:39 PM
|
#9
|
Member
Registered: Feb 2005
Location: Metro Detroit, US
Distribution: Suse/Slackware/Mepis
Posts: 174
Rep:
|
Just a thought.... could it be that you are attempting to access your box from an SSH v1 connection and your sshd config only allows v2 ?????
again, just a thought.
|
|
|
01-29-2006, 02:48 AM
|
#10
|
LQ Newbie
Registered: Jan 2006
Posts: 5
Original Poster
Rep:
|
Er, no, because in verbose mode ssh showed that it simply got stuck waiting for connection. Also, when I moved to some other port, it was OK.
Is it possible that my company blocks some ports? Maybe. But given that I was able to get to many ports below and above those that failed, the probability seems to be low, however.
|
|
|
All times are GMT -5.