LinuxQuestions.org > Forums > Linux Forums > Linux - Security
Old 03-07-2017, 11:32 PM   #16
Turbocapitalist

Quote:
Originally Posted by TashiDuks View Post
I can connect bastion using IP Address, can't connect using "ssh bastion" it says "ssh: Could not resolve hostname bastion: Name or service not known"
Ok. That is the first of the problems. I see that you are using root. In which account did you put the client configuration file? If you are always going to be using root, which is a faux pas, then you can put it in ~root/.ssh/config and if you are going to be using another account, then drop root and use the correct account.

Quote:
Originally Posted by TashiDuks View Post
What is the purpose of following line:

IdentityFile /home/bastionuser/.ssh/machine1_e25519
If you are using keys, then you need to tell the SSH client which key to use for which host. See the manual page for any of the SSH client configuration options:

Code:
man ssh_config
 
Old 03-08-2017, 11:25 PM   #17
TashiDuks
Quote:
If you are using keys, then you need to tell the SSH client which key to use for which host. See the manual page for any of the SSH client configuration options:
I am not using keys for ssh, it is just a basic ssh.

Quote:
That is the first of the problems. I see that you are using root. In which account did you put the client configuration file? If you are always going to be using root, which is a faux pas, then you can put it in ~root/.ssh/config and if you are going to be using another account, then drop root and use the correct account.
I tried changing the user to 'root', as the config file is located at ~/.ssh/config, but still I cannot ssh. Following is the config (modified):
Code:
#Jump Host. Directly reachable
#Host bastion
        HostName 20.20.20.11
        User root
#       IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22
        ForwardAgent yes

#Host to Fileserver via Bastion
#Host fileserver
        HostName 10.10.10.13
        User linuxclient
#       IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22
        ProxyCommand ssh -W %h:%p bastion
 
Old 03-08-2017, 11:35 PM   #18
Turbocapitalist
What is then in /root/.ssh/config?

It should be more or less this:

Code:
#Jump Host. Directly reachable
Host bastion
        HostName 20.20.20.11
        User root
#       IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22
        ForwardAgent yes

#Host to Fileserver via Bastion
Host fileserver
        HostName 10.10.10.13
        User linuxclient
#       IdentityFile /home/bastionuser/.ssh/machine1_e25519
        Port 22
        ProxyCommand ssh -W %h:%p bastion
Mind that you do not comment out the Host configuration directives with pound signs (#).
The one you have posted above will not work because of that.

Last edited by Turbocapitalist; 03-08-2017 at 11:38 PM.
 
Old 03-09-2017, 02:02 AM   #19
TashiDuks
Quote:
Originally Posted by Turbocapitalist View Post
What is then in /root/.ssh/config?

It should be more or less this:
Yes, that's true. I have exactly the same configuration, shown below, in my ~/.ssh/config OR /root/.ssh/config.
Code:
#Jump Host. Directly reachable
Host bastion
       HostName 20.20.20.11
       User root
       Port 22
       ForwardAgent yes

#Host to Fileserver via Bastion
Host fileserver
       HostName 10.10.10.13
       User user1
       Port 22
       ProxyCommand ssh -W %h:%p bastion
Just for testing purposes I tried using the following line, which is working just fine:
Code:
ssh -t root@20.20.20.11 'ssh user1@10.10.10.13'
Reference from your previous post "http://www.linuxquestions.org/questi...sh-4175590163/"

The only thing is I cannot ssh using ssh fileserver or ssh 10.10.10.13.

When I use ssh fileserver it says:
[root@localhost ~]# ssh fileserver
ssh: Could not resolve hostname fileserver: Name or service not known


When I use ssh 10.10.10.13 it says:
[root@localhost ~]# ssh 10.10.10.13
ssh: connect to host 10.10.10.13 port 22: No route to host

Last edited by TashiDuks; 03-09-2017 at 02:09 AM.
 
Old 03-09-2017, 02:05 AM   #20
Turbocapitalist
Quote:
Originally Posted by TashiDuks View Post
Yes, that's true. I have exactly the same configuration, shown below, in my ~/.ssh/config OR /root/.ssh/config.
Code:
#Jump Host. Directly reachable
Host bastion
       HostName 20.20.20.11
       User root
       Port 22
       ForwardAgent yes

#Host to Fileserver via Bastion
Host fileserver
       HostName 10.10.10.13
       User linuxclient
       Port 22
       ProxyCommand ssh -W %h:%p bastion
Can you log into the bastion with the shortcut? That is what you need to be debugging.

Code:
ssh bastion
ssh -v bastion
 
Old 03-09-2017, 02:22 AM   #21
TashiDuks
Quote:
Originally Posted by Turbocapitalist View Post
Can you log into the bastion with the shortcut? That is what you need to be debugging.

Code:
ssh bastion
ssh -v bastion
Yes I can login:
Code:
[root@localhost ~]# ssh bastion
root@bastion's password: 
Last login: Thu Mar  9 16:20:48 2017 from 20.20.20.15
[root@localhost ~]#
 
Old 03-09-2017, 02:28 AM   #22
Turbocapitalist
What if you look at a more verbose connection attempt?

Code:
ssh -v fileserver
ssh -vv fileserver
ssh -vvv fileserver
Also, which distro are you connecting from if I may ask?

Code:
lsb_release -rd
 
Old 03-09-2017, 02:31 AM   #23
TashiDuks
Quote:
Originally Posted by Turbocapitalist View Post
Can you log into the bastion with the shortcut? That is what you need to be debugging.

Code:
ssh bastion
ssh -v bastion
Hi Turbocapitalist,

I tried restarting still the problem is same.

Thanks

Last edited by TashiDuks; 03-09-2017 at 02:33 AM.
 
Old 03-09-2017, 02:42 AM   #24
TashiDuks
Quote:
Originally Posted by Turbocapitalist View Post
What if you look at a more verbose connection attempt?

Code:
ssh -v fileserver
ssh -vv fileserver
ssh -vvv fileserver
Also, which distro are you connecting from if I may ask?

Code:
lsb_release -rd
Here is what I have done:
Code:
[root@linuxclient ~]# ssh -v fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host

[root@linuxclient ~]# ssh -vv fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host

[root@linuxclient ~]# ssh -vvv fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host
[root@linuxclient ~]# 
When I ssh directly to "bastion" from "linuxclient" I can connect:
Code:
[root@linuxclient ~]# ssh bastion
root@bastion's password: 
Last login: Thu Mar  9 16:26:40 2017 from dithp-003.diverseit.com.au
[root@bastion ~]# 
Quote:
which distro are you connecting from if I may ask?
All the machines (bastion, fileserver, linuxclient) are running CentOS 7.
 
Old 03-09-2017, 02:49 AM   #25
Turbocapitalist
Connecting to the bastion works, so we don't need to test that anymore. Now we need to debug the stdio forwarding. I'm not surprised that a restart had no effect, that is as it should be.

But you need to find a line like this in one of the -v outputs:

Code:
debug1: /home/user1/.ssh/config line n: Applying options for fileserver
You have the one where it is parsing /etc/ssh/ssh_config but we should confirm if it is reading from the user account's configuration too.
 
Old 03-09-2017, 03:07 AM   #26
TashiDuks
Quote:
Originally Posted by Turbocapitalist View Post
Connecting to the bastion works, so we don't need to test that anymore. Now we need to debug the stdio forwarding. I'm not surprised that a restart had no effect, that is as it should be.

But you need to find a line like this in one of the -v outputs:

Code:
debug1: /home/user1/.ssh/config line n: Applying options for fileserver
You have the one where it is parsing /etc/ssh/ssh_config but we should confirm if it is reading from the user account's configuration too.
Umm, I cannot find the line shown above in my debug output. I could see only:
Code:
[root@linuxclient ~]# ssh -v fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host

What could be the problem?

Can you tell me why the file named known_hosts is listed under ~/.ssh/?
Code:
# ls
config  known_hosts
 
Old 03-09-2017, 03:14 AM   #27
Turbocapitalist
Quote:
Originally Posted by TashiDuks View Post
Umm, I cannot find the line shown above in my debug output. I could see only:
Code:
[root@linuxclient ~]# ssh -v fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host

What could be the problem?
Very strange.

If you are logging in from the user1 account, try this to force which configuration file the client looks for:

Code:
ssh -F /home/user1/.ssh/config fileserver
If from another account, adjust the path as needed.

Quote:
Originally Posted by TashiDuks View Post
Can you tell me why the file named known_hosts is listed under ~/.ssh/?
Code:
# ls
config  known_hosts
Yes. That's where the client's own known hosts key register is kept by default. The public keys of the machines you have already connected to are kept there so that the client can use them next time to verify that you are connecting to the same machine as before. There is a global register in /etc/ssh/ssh_known_hosts which is also used. See the manual page for sshd for an explanation of the format of either register.
 
Old 03-09-2017, 03:37 AM   #28
TashiDuks
Quote:
Originally Posted by Turbocapitalist View Post
Very strange.

If you are logging in from the user1 account, try this to force which configuration file the client looks for:

Code:
ssh -F /home/user1/.ssh/config fileserver
If from another account, adjust the path as needed.



Yes. That's where the client's own known hosts key register is kept by default. The public keys of the machines you have already connected to are kept there so that the client can use them next time to verify that you are connecting to the same machine as before. There is a global register in /etc/ssh/ssh_known_hosts which is also used. See the manual page for sshd for an explanation of the format of either register.
Just for information: the above debug is being done from the client machine "linuxclient". The machines are connected in the following manner:

Linuxclient====>bastion====>fileserver

So I will be doing this debug from linuxclient, right?

Code:
ssh -F /home/user1/.ssh/config fileserver
 
Old 03-09-2017, 03:39 AM   #29
Turbocapitalist
Quote:
Originally Posted by TashiDuks View Post
Just for information: the above debug is being done from the client machine "linuxclient". The machines are connected in the following manner:

Linuxclient====>bastion====>fileserver

So I will be doing this debug from linuxclient, right?

Code:
ssh -F /home/user1/.ssh/config fileserver
Yes, but NOT as root.

It looks like something is wrong with ~/.ssh/ and/or ~/.ssh/config for your normal user account. The client will ignore the directory or file if the permissions or ownerships are wrong.

Edit: the permissions for config should be 600 or 660

( I've tried a few experiments and I would strongly suggest not messing around as root for this so it can be debugged properly. Using root for fiddling around makes a mess, eventually. )

In your regular user's account, make sure that the directory .ssh is owned by that user and not by root, and that permissions for .ssh are set to 700. Then for the config file inside .ssh, check that it is owned by that user and not by root.

Last edited by Turbocapitalist; 03-09-2017 at 03:40 AM.
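An added example (not code from the thread or from OpenSSH) that models the two client-side points raised in posts #18 and #29: why commenting out the Host lines makes every host, bastion included, inherit the ProxyCommand, and which ownership/permission problems make ssh reject ~/.ssh/config. It uses the thread's config as constructed sample input and simplifies Host matching (no negated patterns, no Match blocks).

```python
"""Model of how the OpenSSH client reads ~/.ssh/config, written for this thread
(not OpenSSH code): a Host line opens a section, options before the first Host
line apply to every host, and the FIRST value seen for an option wins."""
import fnmatch
import stat

# Constructed from the thread: the config with its Host lines commented out.
BROKEN_CONFIG = """#Host bastion
        HostName 20.20.20.11
        User root
#Host fileserver
        HostName 10.10.10.13
        User linuxclient
        ProxyCommand ssh -W %h:%p bastion
"""
FIXED_CONFIG = BROKEN_CONFIG.replace("#Host", "Host")  # the corrected version


def parse_ssh_config(text):
    """Return [(host_patterns, {option: value}), ...] in file order; options
    before any Host keyword land in an implicit 'Host *' section."""
    sections = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # "#Host bastion" is only a comment
            continue
        parts = line.split(None, 1)           # "Key value" syntax, as in the thread
        key, value = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "host":
            sections.append((value.split(), {}))
        else:
            sections[-1][1].setdefault(key, value)  # first value in a section wins
    return sections


def resolve(text, host):
    """Effective options for `host` (first obtained value wins; negated patterns
    are not modelled). Patterns match the name typed on the command line, so
    `ssh 10.10.10.13` does not match `Host fileserver`."""
    opts = {}
    for patterns, section in parse_ssh_config(text):
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in section.items():
                opts.setdefault(key, value)
    opts.setdefault("hostname", host)
    if "proxycommand" in opts:  # expand the %h/%p tokens used in the thread
        opts["proxycommand"] = (opts["proxycommand"].replace("%h", opts["hostname"])
                                .replace("%p", opts.get("port", "22")))
    return opts


def config_permission_problems(mode, owner_uid, current_uid):
    """Why ssh rejects a config file ("Bad owner or permissions"): it must be
    owned by the user (or root) and not group/world writable; 600 is safe."""
    problems = []
    if owner_uid not in (0, current_uid):
        problems.append("config not owned by the current user")
    if stat.S_IMODE(mode) & 0o022:
        problems.append("config is group- or world-writable")
    return problems
```

With the broken file, resolve(BROKEN_CONFIG, "bastion") yields a ProxyCommand that calls ssh bastion again, so the jump host can never be reached directly.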
 
Old 03-15-2017, 10:28 PM   #30
TashiDuks
Quote:
Originally Posted by Turbocapitalist View Post
Yes, but NOT as root.
I have changed all the ~/.ssh/config files from root to the users.

In Bastion Machine I have configured following in /home/bastionuser/.ssh/config
Code:
#Jump Host. Directly reachable
Host bastion
       HostName 20.20.20.11
       User bastionuser
       Port 22
       ForwardAgent yes

#Host to Fileserver via Bastion
Host fileserver
       HostName 10.10.10.13
       User user1
       Port 22
       ProxyCommand ssh -W %h:%p bastion
Just to make sure, I have applied the following permission to ~/.ssh/config on the "Bastion" machine:
Code:
chmod 600 ~/.ssh/config
Following is what I have tried so far from the "linuxclient" machine:

1. ssh to bastion which seems to be OK
Code:
[linuxclient@linuxclient ~]$ ssh bastionuser@bastion
bastionuser@bastion's password:
Last login: Thu Mar 16 11:10:41 2017 from 20.20.20.15
[bastionuser@bastion ~]$
[bastionuser@bastion ~]$
2. ssh to fileserver which is not working
Code:
[linuxclient@linuxclient ~]$ ssh user1@fileserver
ssh: connect to host fileserver port 22: No route to host
[linuxclient@linuxclient ~]$
3. ssh -F /home/user1/.ssh/config fileserver
Code:
[linuxclient@linuxclient ~]$ ssh -F /home/user1/.ssh/config fileserver
Can't open user config file /home/user1/.ssh/config: No such file or directory
[linuxclient@linuxclient ~]$
but when I do ls on fileserver to check "/home/user1/.ssh/config":
Code:
[user1@fileserver ~]$ ls -la ~/.ssh/
total 4
drwx------. 2 user1 user1  39 Mar 16 11:13 .
drwx------. 3 user1 user1  95 Feb 16 13:30 ..
-rw-------  1 user1 user1   0 Mar 16 11:13 config
-rw-r--r--  1 user1 user1 346 Mar  9 17:01 known_hosts
[user1@fileserver ~]$
I tried ssh using the following parameters (not ProxyCommand), which seem OK:
Code:
[linuxclient@linuxclient ~]$ ssh -t bastionuser@20.20.20.11 'ssh user1@10.10.10.13'
bastionuser@20.20.20.11's password:
user1@10.10.10.13's password:
Last login: Thu Mar 16 11:12:41 2017 from gateway
[user1@fileserver ~]$
Tried debug mode:
Code:
[linuxclient@linuxclient ~]$ ssh -v fileserver
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /home/linuxclient/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 56: Applying options for *
debug1: Connecting to fileserver [10.10.10.13] port 22.
debug1: connect to address 10.10.10.13 port 22: No route to host
ssh: connect to host fileserver port 22: No route to host
[linuxclient@linuxclient ~]$
Are there any mistakes/errors?

Thanks

Last edited by TashiDuks; 03-15-2017 at 11:00 PM.
 