ssh login without static ip or ddns

Fred Caro · 08-04-2015, 07:53 PM

I am trying to log in to my home computer that is behind nat addressing and has no fully qualified domain.
Using my external address I get a 'not found' error with something like this:

Code:

ssh -l me :external-address:

Perhaps leave out the ":" ?

Ports and keys are set in config and user files.

If I run dig against the 'external-address' it reports the correct pc as forwarded by the router.

Must be doing something stupid!

Fred.

Emerson · 08-04-2015, 08:23 PM

ssh x.x.x.x -l me

or

ssh me@x.x.x.x

Fred Caro · 08-05-2015, 04:22 PM

Emerson,
thanks for reply but niether:

ssh -l me :x.x.x.x:

if I leave out the colons, it does connect (I think) and asks for key password and then hangs.
The public rsa key for the local machine is on the remote server in autherized_keys. Nothing in the ufw logs to indicate any blocking.

Anyone any thoughts?

Fred.

michaelk · 08-05-2015, 04:52 PM

Can you login to the home computer on the LAN side?

You can add -v option to add debug information. Multiple -v add additional messages with 3 -v being the max.

Make sure the permissions for the .ssh directory and keys are correct.

jpollard · 08-06-2015, 04:42 PM

The problem is that you are attempting to login to the router, not the PC.

To have that work, you have to configure the router to forward the ssh port to your PC. That takes the router out of the connection path - anything that connects to that port is automatically forwarded to the PC to handle.

Now a connection to your public address will be forwarded to the PC and you can login as you expect.

NOTE: This means that you PC has to treat that port as if it were directly connected to the internet...

Fred Caro · 08-06-2015, 07:18 PM

Thanks for the replies.
not sure what this means:

Quote:

NOTE: This means that you PC has to treat that port as if it were directly connected to the internet...

I assume that port 80, or its equivalent is also directly connected to the internet?

This pc is experimental and the router only forwards outside connections to that pc besides web browsers and email.

Is that set up a security risk?

I changed the file permissions as per html.faq in /usr/share/doc/openssh-server and now I can login remotely.

Any thoughts?

Fred.

Fred Caro · 08-09-2015, 07:43 PM

jpollard,
ok, but the router only forwards to one LAN address but then it (a sniffer) could access other LAN pc's if they were connected?

Fred.

jpollard · 08-10-2015, 04:42 AM

Quote:

Originally Posted by Fred Caro

jpollard,
ok, but the router only forwards to one LAN address but then it (a sniffer) could access other LAN pc's if they were connected?

Fred.

Only after logging in.

All an outside sniffer can see is the port. The only address seen is the public one.

Fred Caro · 08-11-2015, 04:45 PM

Quote:

Only after logging in.

All an outside sniffer can see is the port. The only address seen is the public one.

Good, this is what I wanted to hear!

For general information, the 2 things that confused me the most were:

1) you literally substitute the domain name with the external ip address, no @ or :

2) file permisions on the .ssh files.

The -v option was also helpful and it appeared to be preforming some sort of debugging exercise but that may have been just hidden information.

Thanks for the help.

Fred.