Problems getting SSH to work

TrulyTessa · 11-15-2004, 02:20 PM

I'm running SuSE 9.2 pro and I have a three part question related to SSH:

1. I have no trouble SSH-ing out of my linux machine, but SSH-ing in from remote locations is another story. At the moment, I can ping my (static) IP address from other machines, but I cannot ping my domain name, which I suspect is part of the problem.

Furthermore, when I try to SSH to my IP address, I am told that there are "No further authentication methods available". When I try to SSH to my domain name, I am told the host is unknown.

How can I make SSH work so I can log into my linux machine from remote locations?

2. Does ssh-agent have to be running in order for me to be able to log in remotely?

3. In tinkering around, I set up a public or private key for SSH, which I shouldn't have done since I prefer to log in with a password. (I used the command ssh-keygen -p -t rsa and that put stuff related to the keys into ~/.ssh/id_rsa and ~/.ssh/id_rsa.pub ...) How do I delete these keys so I don't have to use them in the future? I can't find out how to delete keys anywhere in any documentation. Can I just delete the two files I mentioned above, or will that create new problems?

Many thanks.

TrulyTessa · 11-15-2004, 03:24 PM

Here's a weird thing that may help shed light on what's going wrong: when I log in from my linux box to a remote box running unix (which has nothing to do with my problem; I just logged into it to see if I could glean any info about my current problem), the remote box gets my computer's name wrong. (That is, when I give the command 'who', the login location it has for me is wrong.) It thinks I'm SSH-ing in from my windows machine which happens to be plugged into the same hub but has a different IP address.

I think my linux machine is having identity problems.

When I look at /etc/hosts, I see what looks (to me) to be correct, so I'm not sure why another machine sees my machine with the wrong name (albeit the right domain):

127.0.0.1 localhost

my.correct.ip.address correctname.my.domain.com correctname

plus the following other stuff appears between those two lines:

::1 localhost ipv6-localhost ipv6-loopback
fe00::0 ipv6-localnet
ff00::1 ipv6-mcastprefix
ff02::2 ipv6-allrouters
ff02::3 ipv6-allhosts

NetAX · 11-15-2004, 05:34 PM

In order to SSH from remote locations, i.e. school/work, You need to configure the box for port forwarding. SSH accepts connections on port 22. You mot likely will have to configure your router to listen on port 22. Furthermore your linux firewall (that's if you have one must accept port 22 from the router). Last but not least you must find out your external IP address. A quixk way to finding out this is by visiting http://www.whatismyip.com/.

You use the external IP address to login with SSH. When the router receives a connection on port 22 it forwards it to the box.

Diagram:

externalIP_of_your router:22 ->internal_router:22->linux:22 box.

PS:
Don't worry about the public/private key's until your able to access SSH remotely. (it will only mess things up more.)

TrulyTessa · 11-15-2004, 07:15 PM

I know my external IP because I configured my machine to have a static IP. (That's what I was referring to above when I wrote "my.correct.IP.address".) The problem is that when I attempt to SSH to my IP address (or my machine's name), I can't connect. (I'm not trying to SSH to 127.0.0.1 -- I'm trying to SSH to my actual IP address.)

I presumed that when I used SuSE's configuration tools to set up the firewall to allow SSH connections, it opened up port 22. If you think that's incorrect, could you tell me how to check / be sure?

Thanks NetAX for taking the time to reply. If you or anyone else has suggestions on how to address question 1, or any comments on my questions 2 or 3, I'd be glad to hear your thoughts. (And a follow-up question -- let's call it question 4 -- will my having set up public/private keys now prevent me from being able to establish a connection?)

NetAX · 11-15-2004, 07:28 PM

If you used SuSE's configuration wizard then yes, the port should be opened correctly.

Are you using a router?(like i said earlier the router needs to accept port 22)

You can easily check what ports are open by using nmap IP_address_or_domain_name -p 22 from a remote linux machine.

4. No, public/private key authentication will not prevent you from establishing a connection. It is used to create a secure connection/session between two known hosts. (I only stated not to work with it now because its harder to work on getting two things two work at the same time, instead of working on one problem at a time. It's basic troubleshooting.

)

TrulyTessa · 11-16-2004, 08:43 AM

Yes, I'm using a router, so now I understand a bit better what you're getting at.

I don't have easy access to a remote linux box, but I'll look into finding out if port 22 is open on my router. It'll have to wait 'til I'm back in the office with the linux box in it, so I'll post an update in a couple of days.

Meanwhile, does anyone know a good reference for tinkering with the settings on my router? Assuming I find out that port 22 isn't open, I'll need to figure out how to open it.

I guess I understand now why the remote unix box I was SSH-ing into was getting my machine's 'identity' wrong. What I saw when I used 'who' was probably the identity of my router, not my Windows machine which shares the same hub.

Thanks.

TrulyTessa · 11-16-2004, 11:09 AM

My IT people (who don't officially support linux which is what makes this whole exercise so painful) have asked me whether my linux machine has the port 22 / SSH daemon enabled. I know the firewall is open to allow port 22 connections, but do I need to be running an SSH daemon to connect from a remote machine? This relates to my original question #2... Does something have to be running in the background in order for my linux box to be able to accept SSH connections?

I'm still working on finding out the answer to the router questions NetAX asked previously... Will report back when able.

lhoff · 11-16-2004, 11:13 AM

As root, type

Code:

service sshd status

If it's running, you should see a declaration to that effect. If not, try

Code:

service sshd start

Hope it's as simple as that!

TrulyTessa · 11-16-2004, 01:40 PM

Thanks lhoff, I'll try that on Thursday!

TrulyTessa · 11-18-2004, 09:28 AM

Quote:

Originally posted by lhoff
As root, type

Code:

service sshd status

If it's running, you should see a declaration to that effect. If not, try

Code:

service sshd start

Hope it's as simple as that!

I couldn't run 'service sshd status', but '/etc/init.d/sshd start' worked to get the SSH daemon running.

Sadly, I still can't connect remotely though:

When I SSH to my machine name, I'm told my host name is unknown.

When I SSH to my IP, I'm told 'no further authentication methods available'

TrulyTessa · 11-18-2004, 12:49 PM

Folks, I tried verbose mode in attempting to ssh into my linux machine from a remote location, thinking the result might help isolate the problem. The first thing that strikes me in the response (attached below) is the expression "Remote version has rekey incompatibility bug." Another noteworthy issue is the fact that the connection is shut down locally after the 'publickey' and 'keyboard-interactive' authentication methods are offered. Any idea how I might address this problem? Evidently I'm not having trouble connecting to port 22, it's what comes after contact is made that's causing the failure.

Incidentally, I have tried tinkering with my ssh_config file, making sure PasswordAuthentication is set to yes and playing around with PreferredAuthentications (adding password, and even removing keyboard-interactive and publickey), but the error message remains the same.

Code:

debug: SshAppCommon/sshappcommon.c:154/ssh_app_get_global_regex_context: Allocat
ing global SshRegex context.
debug: SshConfig/sshconfig.c:2184/ssh2_parse_config: Unable to open /homes/[deleted personal info]/.ssh2/ssh2_config
debug: Connecting to [deleted personal info], port 22...
debug: Ssh2/ssh2.c:1956/main: Entering event loop.
debug: Ssh2Client/sshclient.c:1330/ssh_client_wrap: Creating transport protocol.
debug: SshAuthMethodClient/sshauthmethodc.c:137/ssh_client_authentication_initialize: Added "publickey" to usable methods.
debug: SshAuthMethodClient/sshauthmethodc.c:137/ssh_client_authentication_initialize: Added "password" to usable methods.
debug: Ssh2Client/sshclient.c:1362/ssh_client_wrap: Creating userauth protocol.
debug: client supports 2 auth methods: 'publickey,password'
debug: Ssh2Common/sshcommon.c:496/ssh_common_wrap: local ip = [deleted personal info], loc
al port = 15648
debug: Ssh2Common/sshcommon.c:498/ssh_common_wrap: remote ip = [deleted personal info], rem
ote port = 22
debug: SshConnection/sshconn.c:1889/ssh_conn_wrap: Wrapping...
debug: Remote version: SSH-1.99-OpenSSH_3.9p1
debug: Ssh2Transport/trcommon.c:1373/ssh_tr_input_version: Remote version has rekey incompatibility bug.
debug: Ssh2Transport/trcommon.c:1376/ssh_tr_input_version: Remote version is OpenSSH, KEX guesses disabled.
debug: Ssh2Transport/trcommon.c:1717/ssh_tr_negotiate: lang s to c: `', lang c to s: `'
debug: Ssh2Transport/trcommon.c:1783/ssh_tr_negotiate: c_to_s: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Ssh2Transport/trcommon.c:1786/ssh_tr_negotiate: s_to_c: cipher aes128-cbc, mac hmac-sha1, compression none
debug: Remote host key found from database.
debug: Ssh2Common/sshcommon.c:291/ssh_common_special: Received SSH_CROSS_STARTUP packet from connection protocol.
debug: Ssh2Common/sshcommon.c:341/ssh_common_special: Received SSH_CROSS_ALGORITHMS packet from connection protocol.
debug: server offers auth methods 'publickey,keyboard-interactive'.
debug: SshConfig/sshconfig.c:2184/ssh2_parse_config: Unable to open /homes/[deleted personal info]/.ssh2/identification
debug: Ssh2AuthClient/sshauthc.c:316/ssh_authc_completion_proc: Method 'publickey' disabled.
debug: server offers auth methods 'publickey,keyboard-interactive'.
debug: Ssh2Common/sshcommon.c:137/ssh_common_disconnect: DISCONNECT received: No further authentication methods available.
warning: Authentication failed.
debug: Ssh2/ssh2.c:117/client_disconnect: locally_generated = TRUE
Disconnected; no more authentication methods available (No further authentication methods available.).
debug: Ssh2Client/sshclient.c:1395/ssh_client_destroy: Destroying client.
debug: SshConnection/sshconn.c:1937/ssh_conn_destroy: Destroying SshConn object.
debug: Ssh2Client/sshclient.c:1448/ssh_client_destroy_finalize: Destroying client completed.
debug: SshAuthMethodClient/sshauthmethodc.c:162/ssh_client_authentication_uninitialize: Destroying authentication method array.

TrulyTessa · 11-18-2004, 03:56 PM

Hey, I figured it out!

I needed to edit my sshd_config file. PasswordAuthentication had been set to no. I commented the line out and rebooted, and that changed it back to the default of yes, enabling me to log in with my password.

Still lots to learn, but I feel like I have graduated from Newbie level 0 to Newbie level 0.1

NetAX · 11-18-2004, 04:31 PM

Contragulations!

Working the problem until you find a solution shows how persistent you are.

buldir · 11-30-2004, 04:30 AM

Quote:

Originally posted by TrulyTessa
Hey, I figured it out!

I needed to edit my sshd_config file. PasswordAuthentication had been set to no. I commented the line out and rebooted, and that changed it back to the default of yes, enabling me to log in with my password.

Still lots to learn, but I feel like I have graduated from Newbie level 0 to Newbie level 0.1

Thanks TrulyTessa! I was banging my head against the Google wall for about 30 minutes dealing with this same issue in Suse 9.1.

TrulyTessa · 11-30-2004, 09:19 AM

Glad to hear it buldir!