Old 01-16-2023, 12:33 PM   #1
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,289

ssh/rsync problem


I'm having issues setting up ssh & rsync on the new RazPi image. I can get from the RazPi to my pc, but not the other way around. I did copy over the working sshd_config but it made no difference. The previous install worked out of the box, but that was a while ago (kernel 5.16.7). Here's the transaction:
Code:
bash-5.1$ rsync dec@192.168.178.181:/home/dec
(dec@192.168.178.181) Password: 
Connection to 192.168.178.181 closed by remote host.
rsync: connection unexpectedly closed (0 bytes received so far) [Receiver]
rsync error: error in rsync protocol data stream (code 12) at io.c(228) [Receiver=3.2.3]
bash-5.1$ ssh dec@192.168.178.181
(dec@192.168.178.181) Password: 
Connection to 192.168.178.181 closed by remote host.
Connection to 192.168.178.181 closed.
bash-5.1$ ssh root@192.168.178.181
(root@192.168.178.181) Password: 
Connection to 192.168.178.181 closed by remote host.
Connection to 192.168.178.181 closed.
Root login shouldn't be allowed, but I think it actually is in the default config. I mean to limit the config to my home network. Ideas welcome.
 
Old 01-16-2023, 12:55 PM   #2
Turbocapitalist
LQ Guru
 
Registered: Apr 2005
Distribution: Linux Mint, Devuan, OpenBSD
Posts: 7,307
Blog Entries: 3

I'd look at the logs from the SSH daemon to see what they have regarding the very brief session.

If you need to you can set up a one-off SSHd instance with logging to a unique log file, just so things can be kept separate.

Code:
/usr/bin/sshd -d -d -d -E /tmp/disconnection.sshd.log -p 2222
If your system's packet filter allows it, you can connect once with SSH to port 2222 and the whole log for that session, but nothing else, will be stored in the designated file. You might reduce the number of -d options to two or just one if less verbosity is needed.

Then once it is working, you can try rsync -av

Last edited by Turbocapitalist; 01-16-2023 at 12:57 PM. Reason: sshd, with a d
 
Old 01-17-2023, 02:05 AM   #3
slac-in-the-box
Member
 
Registered: Mar 2010
Location: oregon
Distribution: slackware64-15.0 / slarm64-current
Posts: 780
Blog Entries: 1

the things I check:

(1) /etc/ssh/sshd_config
Code:
Port 7777
AddressFamily inet
ListenAddress 10.0.0.1

#...

PasswordAuthentication yes
PubkeyAuthentication yes

Changing the default "any" to "inet" sets it to only use IPv4.
Change the port to an unused port other than "22".
Explicitly defining the IP address forces it to listen only on the one defined address instead of every interface it can find...

(2) /etc/rc.d/rc.firewall (or any other script that controls iptables or packet filtering)
Code:
/usr/sbin/iptables -A tcp_inbound -p TCP -s 0/0 --destination-port 7777 -j ACCEPT
accepts requests from all networks to port 7777 (change to whatever the port was set to in sshd_config)

(3) check ownership and permissions on contents of ~/.ssh
Code:
me@slackhost:/home/me/.ssh ==> ls -lah
total 32K
drwxr--r--  2 me users 4.0K Apr  5  2022 ./
drwxr-xr-x 25 me users 4.0K Jan 17 07:04 ../
-rw-r--r--  1 me users  391 Sep  7  2021 authorized_keys
-rw-r--r--  1 me users 6.3K Sep  7  2021 config
-rw-------  1 me users 2.1K Apr  5  2022 known_hosts
-rw-------  1 me users 1.3K Sep 12  2021 known_hosts.old
-rw-------  1 me users 1.7K Sep  7  2021 my.ssh.key.priv
-rwxr-xr-x  1 me users  392 Sep  7  2021 my.ssh.key.pub

The authorized_keys file is world readable, and contains the public part of every cryptographic key pair allowed to connect to this host.
The .priv.key is only readable by user...
The .priv.pub is the public part of the pair, that is appended to the authorized_keys file in the user's ~/.ssh directory on each host that the user wants to connect to with the private key, and therefore .priv.key can be world readable...

The config file defines hosts that are frequently connected to so you can connect with just the hostname, and not having to specify ip, port, etc. each time. Each entry of my ~/.ssh/config has this syntax:
Code:
Host t420
     HostName 10.0.0.10
     User me
     IdentityFile /home/me/.ssh/my.ssh.key.priv
     Port 7777
     IdentitiesOnly yes
     CheckHostIP no
     ControlMaster auto
     ControlPath ~/.ssh/master-%r@%h:%p
     ForwardAgent yes
     ServerAliveInterval 60

This defines the host of my wife's t420, that, on our lan, has ip 10.0.0.10. I have an account on her computer, and in my home folder on her computer, in ~/.ssh/authorized_keys, I have the contents of my.ssh.key.pub, so it will recognize my.ssh.key.priv when I need to connect to her device remotely and help her print. I don't fully understand the ControlMaster and ControlPath settings, and have never had to tweak them.

After this is configured, remote login to her computer is merely

Code:
ssh t420

Transferring a directory of files from my home directory on my wife's computer to my home directory on my computer:

Code:
rsync t420:~/the.directory/ ~/the.directory

If I put a trailing slash on the destination, like "~/the.directory/", it ends up nested at the destination as ~/the.directory/the.directory, and so I must be sure to not include the trailing slash, and then it ends up just the way it was on the originating device, ~/the.directory.

Oh, and to create those private/public cryptographic key pairs:
Code:
ssh-keygen

I rename them to my.ssh.key.priv and my.ssh.key.pub respectively. Their file names are not important, but their ownerships and permissions are.

When I can't connect via ssh, it is usually because I made an error somewhere in those steps, most commonly forgetting to set up the firewall, or because a private key or config is world or group readable.

Once it's working, I usually, for safe measure, go back and re-edit /etc/ssh/sshd_config on the host, and change "PasswordAuthentication yes" to "PasswordAuthentication no", as password authentication is no longer necessary. With it off, all those failed password logins from random IPs around the world disappear from the logs.
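
The ownership and permission check from step (3) of the post above, as an added example that is not part of the original post: a shell audit of the mode tests OpenSSH itself applies. sshd's StrictModes refuses a group- or world-writable ~/.ssh or authorized_keys, and the ssh client refuses a group- or world-writable config and ignores a private key that group or other can access at all. The function names and the sample directory are assumptions made here, and it relies on GNU stat.

```sh
# Added example (assumes GNU stat, as on Slackware/slarm64).
# check_mask PATH OCTAL_MASK REASON: report PATH if any masked mode bit is set.
check_mask() {
    mode=$(stat -c '%a' "$1") || return 0
    if [ $(( 0$mode & 0$2 )) -ne 0 ]; then
        printf '%s %s: %s\n' "$mode" "$1" "$3"
        return 1
    fi
}

# audit_ssh_dir [DIR]: returns 1 if anything OpenSSH would reject was found.
audit_ssh_dir() {
    dir=${1:-$HOME/.ssh}; bad=0
    # sshd StrictModes: ~/.ssh and authorized_keys not group/world writable.
    check_mask "$dir" 022 "directory writable by group/other" || bad=1
    # The ssh client applies the same write test to ~/.ssh/config.
    for f in "$dir/authorized_keys" "$dir/config"; do
        [ -f "$f" ] || continue
        check_mask "$f" 022 "writable by group/other" || bad=1
    done
    # The ssh client ignores a private key that group/other can access at all.
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if head -n 1 "$f" | grep -q 'PRIVATE KEY-----'; then
            check_mask "$f" 077 "private key accessible by group/other" || bad=1
        fi
    done
    return "$bad"
}

# Constructed sample: a throwaway directory with two deliberate mistakes
# (a world-readable private key and a group-writable config).
make_sample_ssh_dir() {
    d=$(mktemp -d) && chmod 744 "$d" || return 1
    echo '-----BEGIN OPENSSH PRIVATE KEY-----' > "$d/my.ssh.key.priv"
    echo 'ssh-ed25519 AAAA-constructed me@slackhost' > "$d/authorized_keys"
    echo 'Host t420' > "$d/config"
    chmod 644 "$d/authorized_keys" "$d/my.ssh.key.priv"
    chmod 664 "$d/config"
    echo "$d"
}
```

Run `audit_ssh_dir` with no argument to check the current user's ~/.ssh; each finding is printed as the octal mode, the path and the reason.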
 
Old 01-17-2023, 06:49 AM   #4
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,289

Original Poster
Thanks for the reply.

I was using the default setup which has system wide configs. I'm behind the firewall (such as it is) and want access from my network, not just one IP. I could put "10.0.0.0" as the IP to get onto that? But this should just work on the defaults, and I can set up security after I get things talking. The last thing I want to do is give ssh another excuse to fall over! So port 22 will do until it works. Here's my ~/.ssh
Code:
bash-5.2$ ls -lha ~/.ssh
total 16K
drwx------  2 dec users 4.0K Mar 14  2022 ./
drwx--x--x 24 dec users 4.0K Jan 17 12:12 ../
-rw-------  1 dec users 1.4K Dec  3 17:13 known_hosts
-rw-r--r--  1 dec users   97 Mar 14  2022 known_hosts.old

This RazPi has my PC in /etc/hosts, so .ssh/known_hosts shows the hostname. The file I was suspicious of was /etc/ssh/sshd_config - this one
Code:
#       $OpenBSD: sshd_config,v 1.104 2021/07/02 05:11:21 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/sbin:/usr/sbin:/sbin:/usr/local/bin:/usr/bin:/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile      .ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
/etc/ssh/sshd_config
EDIT: This is supplied with slarm64. The last one I had installed just worked out of the box.

Last edited by business_kid; 01-17-2023 at 07:29 AM. Reason: addendum
 
Old 01-17-2023, 08:44 AM   #5
business_kid
LQ Guru
 
Registered: Jan 2006
Location: Ireland
Distribution: Slackware, Slarm64 & Android
Posts: 16,289

Original Poster
Got it.

It was in /etc/ssh/sshd_config all right. I keep an offline backup, a backup of the backup. This isn't a business, so I'm kinda lazy, and it still had my old RazPi system. I grabbed the config from that and stuck it in as a lazy manoeuvre, which worked. There was also confusion caused by some doubtful usb wifi adapters that went through the 2 boxes so ~/.ssh/known_hosts required pruning.

You can see the BSD roots of ssh/sshd; Just reading the config, it can be super-paranoid, if you let it.
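
When swapping in a known-good sshd_config fixes the problem, as in the post above, the directive responsible can be narrowed down by comparing only the active lines of the two files. This is an added example, not part of the original thread; the function names are assumptions and both sample files are constructed (the "failing" one reuses active lines quoted in post #4, the "working" one is hypothetical and is not the poster's file).

```sh
# Added example. active_directives FILE: print the directives sshd would
# actually read (comments and blank lines dropped, keyword lowercased because
# sshd_config keywords are case-insensitive), one "keyword value" per line.
active_directives() {
    awk '/^[ \t]*(#|$)/ { next }
         { key = tolower($1); $1 = ""; sub(/^ +/, ""); print key, $0 }' "$1" |
        LC_ALL=C sort
}

# diff_sshd_config WORKING FAILING: show directives present in only one file.
diff_sshd_config() {
    wa=$(mktemp) && wb=$(mktemp) || return 1
    active_directives "$1" > "$wa"
    active_directives "$2" > "$wb"
    LC_ALL=C comm -23 "$wa" "$wb" | sed 's/^/working only: /'
    LC_ALL=C comm -13 "$wa" "$wb" | sed 's/^/failing only: /'
    rm -f "$wa" "$wb"
}

# Constructed sample pair; see the note above about where the lines come from.
demo_diff() {
    t=$(mktemp -d) || return 1
    printf '%s\n' '#Port 22' 'PermitRootLogin yes' \
        'AuthorizedKeysFile      .ssh/authorized_keys' > "$t/failing"
    printf '%s\n' 'permitrootlogin no' 'PasswordAuthentication yes' \
        'AuthorizedKeysFile .ssh/authorized_keys' > "$t/working"
    diff_sshd_config "$t/working" "$t/failing"
    rm -rf "$t"
}
```

This compares only what is written in the files; `sshd -T -f FILE` prints the full effective configuration, compiled-in defaults included, when a difference may lie in a default rather than in an explicit line.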
 
  

