ssh question


Post by na » Tue, 25 Dec 2001 18:48:13



I have set up openssh for public key auth. If I log into ssh (from the
same machine that is running the ssh server) using the command "ssh
localhost" I am asked for my passphrase and I get to login. Now if I use my
internet domain name "ssh mydomain_name" (from the same user account) I
get a "ssh_exchange_identification: Connection closed by remote host"
message. I disabled my firewall and the same problem occurred so it appears
to not be firewall related. Anyone aware of why this is happening?

Thanks

 
 
 


Post by Dean Thompso » Tue, 25 Dec 2001 23:24:49


Hi!,

> I have set up openssh for public key auth. If I log into ssh (from the
> same machine that is running the ssh server) using the command "ssh
> localhost" I am asked for my passphrase and I get to login. Now if I use my
> internet domain name "ssh mydomain_name" (from the same user account) I
> get a "ssh_exchange_identification: Connection closed by remote host"
> message. I disabled my firewall and the same problem occurred so it appears
> to not be firewall related. Anyone aware of why this is happening?

Does running the OpenSSH daemon in a higher debugging level help out at all?
It would seem to suggest that the system is unable to read the public_key from
your account and connect to the machine.

See ya

Dean Thompson

--
+____________________________+____________________________________________+

| Bach. Computing (Hons)     | ICQ     - 45191180                         |
| PhD Student                | Office  - <Off-Campus>                     |
| School Comp.Sci & Soft.Eng | Phone   - +61 3 9903 2787 (Gen. Office)    |
| MONASH (Caulfield Campus)  | Fax     - +61 3 9903 1077                  |
| Melbourne, Australia       |                                            |
+----------------------------+--------------------------------------------+

 
 
 


Post by ken_yap_ceb77624_.. » Tue, 25 Dec 2001 23:42:29


|I have set up openssh for public key auth. If I log into ssh (from the
|same machine that is running the ssh server) using the command "ssh
|localhost" I am asked for my passphrase and I get to login. Now if I use my
|internet domain name "ssh mydomain_name" (from the same user account) I
|get a "ssh_exchange_identification: Connection closed by remote host"
|message. I disabled my firewall and the same problem occurred so it appears
|to not be firewall related. Anyone aware of why this is happening?

Check /etc/hosts.allow. sshd pays attention to this. localhost =
127.0.0.1 but mydomain_name is something else.

 
 
 


Post by na » Wed, 26 Dec 2001 01:47:44




> Check /etc/hosts.allow. sshd pays attention to this. localhost =
> 127.0.0.1 but mydomain_name is something else.

It was the hosts.allow file that was causing the problem. I am running
sshd as a regular daemon, so I did not think tcpwrappers would apply to it
(I thought the service had to be controlled by inetd for this to apply). I
had to enter an "sshd: ALL" entry to hosts.allow in order to receive ssh
connections from anywhere on the internet.
 
 
 


Post by Bill Unr » Wed, 26 Dec 2001 04:04:50




]> Check /etc/hosts.allow. sshd pays attention to this. localhost =
]> 127.0.0.1 but mydomain_name is something else.

]It was the hosts.allow file that was causing the problem. I am running
]sshd as a regular daemon, so I did not think tcpwrappers would apply to it
](I thought the service had to be controlled by inetd for this to apply). I
]had to enter an "sshd: ALL" entry to hosts.allow in order to receive ssh
]connections from anywhere on the internet.

openssh has tcpwrappers installed as part of the program.

 
 
 


Post by ken_yap_52197cef_.. » Wed, 26 Dec 2001 08:40:43


|> Check /etc/hosts.allow. sshd pays attention to this. localhost =
|> 127.0.0.1 but mydomain_name is something else.
|
|It was the hosts.allow file that was causing the problem. I am running
|sshd as a regular daemon, so I did not think tcpwrappers would apply to it

sshd uses libwrap which is an internalised form of tcpwrapper checking.
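
An added example, not part of the thread and not OpenSSH or libwrap code: a simplified Python model of the hosts.allow / hosts.deny decision order that libwrap applies, limited to IPv4 address patterns. The file contents and addresses are constructed, since the thread does not show the poster's actual files; the last variant shows an entry narrower than "sshd: ALL".

```python
import ipaddress

# Constructed sample files; the thread does not show the poster's real ones.
DENY = "ALL: ALL\n"
ALLOW_BEFORE = "# loopback only\nsshd: 127.0.0.1\n"
ALLOW_THREAD_FIX = "sshd: ALL\n"                  # the entry the poster added
ALLOW_NARROW = "sshd: 127.0.0.1, 203.0.113.\n"    # loopback plus one prefix

def client_matches(pattern, addr):
    """Match one client pattern against an IPv4 address string."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "203.0.113." is an address prefix
        return addr.startswith(pattern)
    if "/" in pattern:                 # n.n.n.n/m.m.m.m net/mask pair
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(addr) in net
    return pattern == addr             # exact address

def rules(text):
    """Yield (daemon_list, client_list) per rule, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) >= 2:
            yield (fields[0].replace(",", " ").split(),
                   fields[1].replace(",", " ").split())

def listed(text, daemon, addr):
    """True if any rule in one file matches this (daemon, client) pair."""
    return any((daemon in daemons or "ALL" in daemons)
               and any(client_matches(p, addr) for p in clients)
               for daemons, clients in rules(text))

def wrappers_allows(allow_text, deny_text, daemon, addr):
    """A hosts.allow match grants; else a hosts.deny match refuses; else grant."""
    if listed(allow_text, daemon, addr):
        return True
    return not listed(deny_text, daemon, addr)

if __name__ == "__main__":
    # 203.0.113.7 stands in for the machine's own public address (constructed).
    for label, allow in [("before", ALLOW_BEFORE), ("sshd: ALL", ALLOW_THREAD_FIX),
                         ("narrow", ALLOW_NARROW)]:
        for addr in ("127.0.0.1", "203.0.113.7", "198.51.100.9"):
            print(label, addr, wrappers_allows(allow, DENY, "sshd", addr))
```
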

 
 
 


Post by na » Wed, 26 Dec 2001 11:10:16




> |> Check /etc/hosts.allow. sshd pays attention to this. localhost =
> |> 127.0.0.1 but mydomain_name is something else.
> |
> |It was the hosts.allow file that was causing the problem. I am running
> |sshd as a regular daemon, so I did not think tcpwrappers would apply to it

> sshd uses libwrap which is an internalised form of tcpwrapper checking.

Thanks. The only problem I have now is I cannot get public key auth with
ssh2 (using rsa). I can do public key auth on ssh1 with no problems. When I
try to use ssh2 to login I get a permission denied. I created a ssh2 (rsa)
key which produced id_rsa and id_rsa.pub files in my ~/.ssh directory. I
then took the contents of id_rsa.pub and pasted it on one line in the
authorized_keys file as I am supposed to do. I then launch ssh with the
command "ssh -i ~/.ssh/id_rsa the_target_machine_name". Instead of asking
me the passphrase for the login, I just get a permission denied message.

Like I said I have no problems using public key auth with ssh1 protocol
just the ssh2 protocol. Anyone got any ideas what I am doing wrong?

Thanks

 
 
 


Post by ken_yap_486ccd7e_.. » Wed, 26 Dec 2001 11:55:48


|Thanks. The only problem I have now is I cannot get public key auth with
|ssh2 (using rsa). I can do public key auth on ssh1 with no problems. When I
|try to use ssh2 to login I get a permission denied. I created a ssh2 (rsa)

I'm going to assume you're using openssh, which is easier to configure
than classic ssh. In openssh, the ssh2 keys go in the same file
.ssh/authorized_keys

Two things to check: that the server is trying protocol 2 as well. You
need a line in /etc/ssh/sshd_config that says:

Protocol 2,1

or the reverse as you wish. Secondly, that your ssh client is attempting
protocol 2 first. Force it with -2 and see what happens. Then look at
/etc/ssh/ssh_config and see if there is a Protocol line. This file
overrides .ssh/config so it may cause it to try protocol 1 first.

 
 
 


Post by na » Wed, 26 Dec 2001 20:31:31




> |Thanks. The only problem I have now is I cannot get public key auth with
> |ssh2 (using rsa). I can do public key auth on ssh1 with no problems. When I
> |try to use ssh2 to login I get a permission denied. I created a ssh2 (rsa)

> I'm going to assume you're using openssh, which is easier to configure
> than classic ssh. In openssh, the ssh2 keys go in the same file
> .ssh/authorized_keys

That is what I am using..........

> Two things to check: that the server is trying protocol 2 as well. You
> need a line in /etc/ssh/sshd_config that says:

> Protocol 2,1

There is such a line in /etc/ssh/sshd_config

> or the reverse as you wish. Secondly, that your ssh client is attempting
> protocol 2 first. Force it with -2 and see what happens. Then look at
> /etc/ssh/ssh_config and see if there is a Protocol line. This file
> overrides .ssh/config so it may cause it to try protocol 1 first.

I had Protocol 1,2 line in my /etc/ssh/ssh_config. I switched to Protocol
2,1 and that seemed to do the trick. But now I need to force with -1 to
make it use ssh1 connections, even if the passed key type is ssh1. So now
it appears I will have to choose making either ssh1 or ssh2 the default
ssh protocol and explicitly force the other, unless there is a way to get
ssh to look at the passed key and then automatically use the key type to
determine the correct protocol.

Thanks for the help.............

 
 
 


Post by ken_yap_54b0c962_.. » Wed, 26 Dec 2001 21:11:56


|I had Protocol 1,2 line in my /etc/ssh/ssh_config. I switched to Protocol
|2,1 and that seemed to do the trick. But now I need to force with -1 to
|make it use ssh1 connections, even if the passed key type is ssh1. So now
|it appears I will have to choose making either ssh1 or ssh2 the default
|ssh protocol and explicitly force the other, unless there is a way to get
|ssh to look at the passed key and then automatically use the key type to
|determine the correct protocol.

You can make the default 2 and control the Protocol on a host by host
basis in .ssh/config if you know which hosts take only protocol 1. And I
would try to migrate all hosts over to 2.

 
 
 


Post by Wayne Thro » Thu, 27 Dec 2001 04:20:08



: it appears I will have to choose making either ssh1 or ssh2 the
: default ssh protocol and explicitly force the other, unless there is a
: way to get ssh to look at the passed key and then automatically use
: the key type to determine the correct protocol.

Near as I can tell from events logged by use of "-v", ssh chooses
the protocol before it ever even looks for an identity.  So it can't
really base protocol choice on identity type.

Indeed, it picks which identity to use by default depending on which
protocol is in use.

But maybe you mean, have it do an implicit "-1" or "-2", if it is given
an explicit -i?  That might be convenient, but if you were giving it
an explicit -i anyways, then adding the "-1 " or "-2 " before that
doesn't seem that onerous.

Or maybe I'm not following what's desired here...