The things I check:
(1) /etc/ssh/sshd_config
Code:
Port 7777
AddressFamily inet
ListenAddress 10.0.0.1
#...
PasswordAuthentication yes
PubkeyAuthentication yes
Changing the default "any" to "inet" sets it to use only IPv4.
Change the port to an unused port other than "22".
Explicitly defining the IP address forces it to listen only on the one defined address instead of on every interface it can find...
(2) /etc/rc.d/rc.firewall (or any other script that controls iptables or packet filtering)
Code:
/usr/sbin/iptables -A tcp_inbound -p TCP -s 0/0 --destination-port 7777 -j ACCEPT
Accepts requests from all networks to port 7777 (change this to whatever port was set in sshd_config).
(3) check ownership and permissions on contents of ~/.ssh
Code:
me@slackhost:/home/me/.ssh ==> ls -lah
total 32K
drwxr--r-- 2 me users 4.0K Apr 5 2022 ./
drwxr-xr-x 25 me users 4.0K Jan 17 07:04 ../
-rw-r--r-- 1 me users 391 Sep 7 2021 authorized_keys
-rw-r--r-- 1 me users 6.3K Sep 7 2021 config
-rw------- 1 me users 2.1K Apr 5 2022 known_hosts
-rw------- 1 me users 1.3K Sep 12 2021 known_hosts.old
-rw------- 1 me users 1.7K Sep 7 2021 my.ssh.key.priv
-rwxr-xr-x 1 me users 392 Sep 7 2021 my.ssh.key.pub
The authorized_keys file is world readable, and contains the public part of every cryptographic key pair allowed to connect to this host.
The private key (my.ssh.key.priv) is only readable by the user...
my.ssh.key.pub is the public part of the pair; it is appended to the authorized_keys file in the user's ~/.ssh directory on each host that the user wants to connect to with the private key, and therefore the .pub file can be world readable...
The config file defines hosts that are frequently connected to, so you can connect with just the hostname, without having to specify IP, port, etc. each time. Each entry of my ~/.ssh/config has this syntax:
Code:
Host t420
HostName 10.0.0.10
User me
IdentityFile /home/me/.ssh/my.ssh.key.priv
Port 7777
IdentitiesOnly yes
CheckHostIP no
ControlMaster auto
ControlPath ~/.ssh/master-%r@%h:%p
ForwardAgent yes
ServerAliveInterval 60
This defines the host of my wife's t420, which, on our LAN, has IP 10.0.0.10. I have an account on her computer, and in my home folder on her computer, in ~/.ssh/authorized_keys, I have the contents of my.ssh.key.pub, so it will recognize my.ssh.key.priv when I need to connect to her device remotely and help her print.
I don't fully understand the ControlMaster and ControlPath settings, and have never had to tweak them.
After this is configured, remote login to her computer is merely
Transferring a directory of files from my home directory on my wife's computer to my home directory on my computer:
Code:
rsync t420:~/the.directory/ ~/the.directory
If I put a trailing slash on the destination, like "~/the.directory/", it ends up nested at the destination as ~/the.directory/the.directory, so I must be sure not to include the trailing slash; then it ends up just the way it was on the originating device, ~/the.directory.
Oh, and to create those private/public cryptographic key pairs:
I rename them to my.ssh.key.priv and my.ssh.key.pub respectively. Their file names are not important, but their ownerships and permissions are.
When I can't connect via ssh, it is usually because I made an error somewhere in those steps, most commonly forgetting to set up the firewall, or because a private key or config is world or group readable.
Once it's working, I usually, for good measure, go back and re-edit /etc/ssh/sshd_config on the host, and change "PasswordAuthentication yes" to "PasswordAuthentication no", as password authentication is no longer necessary. With it off, all those failed password logins from random IPs around the world disappear from the logs.
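As an added example (not part of the original post), here is a small shell function that performs step (3) mechanically, using the rules ssh and sshd (with StrictModes) actually enforce: the directory, config and authorized_keys must not be group- or world-writable, and a private key must carry no group/other bits at all. It assumes that any file in the directory which is not a .pub file or a known_hosts file is a private key, which is how the author's my.ssh.key.priv gets classified; the function names are made up for this example.

```shell
#!/bin/sh
# Audit the group/other permission bits of a ~/.ssh directory.
# Prints one line per problem and returns 0 when clean, 1 otherwise.

go_bits() {
    # Group+other permission characters from ls -l, e.g. "r--r--" for 0644.
    ls -ld "$1" | cut -c5-10
}

check_ssh_perms() {
    dir=$1
    rc=0
    # sshd (StrictModes) and ssh refuse a ~/.ssh that others can write to.
    case $(go_bits "$dir") in
        *w*) echo "PROBLEM: $dir is group/world writable"; rc=1 ;;
    esac
    for f in "$dir"/*; do
        [ -f "$f" ] || continue          # skip ControlPath sockets etc.
        go=$(go_bits "$f")
        case ${f##*/} in
            *.pub|known_hosts*) ;;       # public data: any mode is acceptable
            config|authorized_keys)
                # Must not be writable by others ("Bad owner or permissions").
                case $go in
                    *w*) echo "PROBLEM: $f is group/world writable"; rc=1 ;;
                esac ;;
            *)
                # Assumed to be a private key: ssh rejects it unless mode & 077 == 0
                # ("UNPROTECTED PRIVATE KEY FILE").
                [ "$go" = "------" ] || {
                    echo "PROBLEM: $f (private key) is group/world accessible"
                    rc=1
                } ;;
        esac
    done
    return $rc
}

# Usage: ./check_ssh_perms.sh ~/.ssh
if [ $# -gt 0 ]; then
    check_ssh_perms "$1"
fi
```

A non-zero exit status means at least one file would make ssh or sshd refuse the key or the login, which matches the "private key or config is world or group readable" failure described above.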