LinuxQuestions.org
Linux - Networking This forum is for any issue related to networks or networking.
Routing, network cards, OSI, etc. Anything is fair game.

Old 02-13-2010, 04:19 PM   #1
PatrickNew
Senior Member
 
Registered: Jan 2006
Location: Charleston, SC, USA
Distribution: Debian, Gentoo, Ubuntu, RHEL
Posts: 1,148
Blog Entries: 1

Rep: Reputation: 48
SSH over Internet help


Okay, so I know this question has been asked before a lot. I'm asking again because I have already been through the search results both here and on Google.

My problem is that I need to do some tech support for my family in a different city. This would all go much faster if I could get some kind of remote shell access. Unfortunately, I can't seem to log into SSH, despite taking the following steps.

* Static IP isn't really an issue, I'm willing to phone them to get their IP address from something like www.whatismyip.com.

* I've seen assurances from our ISP (Windstream) that they are not blocking port 22.

* I've used our router (dd-wrt linksys wrt54g) to forward port 22 to that particular computer (which has a static local IP).

* I'm running a liveCD there (systemrescuecd), where I've used the iptables command to allow absolutely everything through. (Yes, it's insecure, but we don't have anything on there worth taking/trashing, and this setup lasts only a day or so). (And yes, I set a root password on the live cd)

* I have the ssh daemon running. It works on the local network - other computers connected to the router can ssh in, just not anyone outside the LAN.


All of the hints I've found so far say to check one of these things. Having done all of them, I still have no access. All my ssh connections time out before I get to a log in screen. Internet access is perfectly normal and operational from that machine.

So any ideas?
 
Old 02-13-2010, 05:20 PM   #2
nuxrl
Member
 
Registered: Jun 2006
Location: NY, USA
Distribution: Slackware, Arch
Posts: 176

Rep: Reputation: 35
Have you checked "LoginGraceTime" field in /etc/ssh/sshd_conf on the server side?
 
Old 02-13-2010, 05:25 PM   #3
PatrickNew
Senior Member
 
Registered: Jan 2006
Location: Charleston, SC, USA
Distribution: Debian, Gentoo, Ubuntu, RHEL
Posts: 1,148

Original Poster
Blog Entries: 1

Rep: Reputation: 48
I have not, I'll check that. I didn't think it would be relevant - I thought that meant the amount of time between a login prompt and when the user had to react - I never get the prompt.
 
Old 02-13-2010, 05:42 PM   #4
PatrickNew
Senior Member
 
Registered: Jan 2006
Location: Charleston, SC, USA
Distribution: Debian, Gentoo, Ubuntu, RHEL
Posts: 1,148

Original Poster
Blog Entries: 1

Rep: Reputation: 48
I tried setting it to 2 minutes, but it made no difference. My ssh client still just sat there for ~20 seconds, then said that there was a network error and the connection timed out.
 
Old 02-13-2010, 05:43 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3600
Also it could be helpful to attach endpoint-to-endpoint 'tcptraceroute', 'ssh -vvv' and remote sshd output (mask where necessary). Also using iptables to just "-j LOG" (or tcpdump?) on both the filter INPUT and OUTPUT chains might help (plus router logging?) to see if packets actually hit the target.
 
Old 02-13-2010, 05:55 PM   #6
mrclisdue
Senior Member
 
Registered: Dec 2005
Distribution: Slackware
Posts: 1,134

Rep: Reputation: 277
I'm actually having an identical issue, and I ultimately feel in my case that it's an issue with the isp on *their* end (don't think the op mentions anything about them.)

Anyway, my point isn't to discover why it won't work, rather to offer a work-around based on a similar issue I had a couple of years back (with the same endpoint isp), and that is to set up openvpn, and use that as a tunnel, whether via ssh or whatnot. I'm about to do the same here, just haven't had the time.

I will mention that the important thing to remember with openvpn is that the "float" option for the port has to be in the config on the host (*their*) side, essentially searching for an open port....

I'll also mention that I'd like to see a simpler solution, so please don't let me interrupt further....


cheers,

ps - edit: also like to mention, and you've probably considered, that *they* could tunnel to you, and you could perhaps help that way....

Last edited by mrclisdue; 02-13-2010 at 05:58 PM. Reason: I can't shut up.
 
Old 02-13-2010, 06:38 PM   #7
bret381
Member
 
Registered: Nov 2009
Location: Alabama
Distribution: Arch x86_64
Posts: 650

Rep: Reputation: 79
I agree with mrclisdue. I believe it is going to be the ISP. Try changing the ssh server to run on port 443. You could also run an nmap scan of your local network to make sure that port 22 is actually open.
 
Old 02-13-2010, 06:53 PM   #8
reed9
Member
 
Registered: Jan 2009
Location: Boston, MA
Distribution: Arch Linux
Posts: 653

Rep: Reputation: 142
On the server side, have you set /etc/hosts.allow to accept incoming connections?

The simplest and least secure method is to add
Code:
sshd: ALL
to /etc/hosts.allow
 
Old 02-13-2010, 07:00 PM   #9
jschiwal
LQ Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 682
You said that you forwarded port 22 to your computer. Has this been done on the other side as well? It is the server that needs port 22 opened not the client. (unless you block outgoing traffic)

A cheap way to check input connectivity is "telnet <IP> <port>". You should see a response like:
Code:
Trying 192.168.1.106...
Connected to elite.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.2

Also try using nmap to see which ports are open on the server.
Make sure they are running the sshd server.
Make sure their firewall isn't blocking port 22.
 
Old 02-13-2010, 10:24 PM   #10
nuxrl
Member
 
Registered: Jun 2006
Location: NY, USA
Distribution: Slackware, Arch
Posts: 176

Rep: Reputation: 35
OK, I thought you meant the login timed out.

Like others have suggested, if you can ping the target IP from your PC and port 22 is forwarded in the router, most likely the ISP is blocking that port.
 
Old 02-13-2010, 10:37 PM   #11
catkin
LQ 5k Club
 
Registered: Dec 2008
Location: Tamil Nadu, India
Distribution: Debian
Posts: 8,578
Blog Entries: 31

Rep: Reputation: 1208
You could use tcpdump on the ssh server to see if any ssh packets are reaching it. If not you would then know the problem is either with your ISP or with your router. Sorry, I am not familiar with the tcpdump command so cannot suggest which options to use.
 
Old 02-19-2010, 11:35 AM   #12
PatrickNew
Senior Member
 
Registered: Jan 2006
Location: Charleston, SC, USA
Distribution: Debian, Gentoo, Ubuntu, RHEL
Posts: 1,148

Original Poster
Blog Entries: 1

Rep: Reputation: 48
Thanks for all of your help. It turns out that there was a second side to this issue that I had not considered. The ISP of the server was fine, but the ISP of the client (Campus Technologies, to whom my university farms out internet access) has a habit of blocking everything but port 80, even outbound. I suspect that once I fight this out with them to get 22 unblocked on the client side, things will improve. I'll look for another internet connection to test this theory with.
 
  

