[leaf-user] Can't make keys for SSHD
I've followed the instructions at http://leaf.sourceforge.net/devel/jnilo/openssh2.html but I don't get very far. When I type "makekey", I get the message:

    /usr/bin/makekey :ssh-keygen: notfound

I'm using the latest image of Bering on 2 floppies set up for dial up modem. I also checked http://leaf.sourceforge.net/devel/jnilo/packages/openssh-3.4p1/README.txt and made changes as indicated.

I am new to leaf although I have been using the Trevor Marshall version of LRP for a while with very few configuration changes and this is my first attempt at SSH. I have read a lot of posts on this list about problems setting up SSH and none seem to have this trouble. Can anyone help?

Richard Saunders

---
This SF.net email is sponsored by: The Definitive IT and Networking Event. Be There!
NetWorld+Interop Las Vegas 2003 -- Register today! http://ads.sourceforge.net/cgi-bin/redirect.pl?keyn0001en
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html
[leaf-user] Re: Can't make keys for SSHD
Forget it. DOH. Stupid. Sorry.

> I've followed the instructions at http://leaf.sourceforge.net/devel/jnilo/openssh2.html but I
> don't get very far. When I type "makekey", I get the message
> "/usr/bin/makekey :ssh-keygen: notfound"
> I'm using the latest image of Bering on 2 floppies set up for dial up modem.
> I also checked http://leaf.sourceforge.net/devel/jnilo/packages/openssh-3.4p1/README.txt and made
> changes as indicated.
> I am new to leaf although I have been using the Trevor Marshall version of LRP for a while with
> very few configuration changes and this is my first attempt at SSH.
> I have read a lot of posts on this list about problems setting up SSH and none seem to have this
> trouble.
> Can anyone help?
> Richard Saunders
[leaf-user] vpn won't disconnect
G'day peoples,

I'm using Bering 1.2 with Freeswan. I have a VPN between 2 offices (Brisbane and Kawana) using rsa keys and this works perfectly. I am trying to set up my winXP machine at home to connect to the Brisbane office using certificates over a dial up connection. I'm using the ebootis IPSEC tool. All seems to work fine until I disconnect and try to reconnect again. I can't create a new connection with a new IP address until I manually down the ipsec connection at the bering box.

Here's some info:

Bering box (/etc/ipsec.conf):

    # /etc/ipsec.conf - FreeS/WAN IPsec configuration file
    # More elaborate and more varied sample configurations can be found
    # in FreeS/WAN's doc/examples file, and in the HTML documentation.

    # basic configuration
    config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

    # defaults for subsequent connection descriptions
    conn %default
        keyingtries=0

    conn net-net
        authby=rsasig
        left=220.245.xxx.xxx
        leftsubnet=192.168.1.0/24
        leftrsasigkey=0&^*^*%&^$%$^%$^$&*&))
        leftnexthop=%defaultroute
        right=220.244.xxx.xxx
        rightsubnet=192.168.0.0/27
        rightrsasigkey=(&@(*#&$(^%&%$*^%&%
        rightnexthop=%defaultroute
        pfs=yes
        auto=add

    conn w2k
        authby=rsasig
        left=220.245.xxx.xxx
        leftsubnet=192.168.1.0/24
        leftnexthop=%defaultroute
        leftrsasigkey=%cert
        leftcert=fwCert.pem
        right=%any
        rightrsasigkey=%cert
        leftid="CN=fw"
        pfs=yes
        auto=add

Windows XP setup (ipsec.conf):

    conn W2K
        left=%any
        compress=yes
        leftid="CN=richard"
        right=220.245.xxx.xxx
        rightsubnet=192.168.1.0/24
        leftca="C=AU, L=bris, O=gmp, CN=certserv, [EMAIL PROTECTED]"
        network=auto
        auto=start
        pfs=yes

Thanks if you can help.
[leaf-user] Dial in to Bering + VPN
Hi all,

I have a Bering uClibc box set up at one office and a Bering 1.2 box at another. Both connect to the internet via ADSL. I have freeswan on both and a VPN between the 2 offices. I have a 56k modem attached to the uClibc box and I was wondering if it is possible to dial into the uClibc box and have access to both networks and/or the internet.

Thanks

Richard Saunders
[leaf-user] TCP wrappers
Hi,

I am moving from Bering uClibc 2.23 to 2.3 rc1 and most things are going well. The problem I am having is accessing www and ssh from the local network. If I leave the default settings in hosts.allow and hosts.deny I cannot access the www and ssh on the firewall, but if I comment out everything (which I assume effectively disables tcp wrappers) I have no problem, except of course that I don't have the protection of wrappers.

Shouldn't the default (ALL: 192.168.1.0/255.255.255.0) allow everything including ssh and www from the local network? I had the same problem with 2.23 but just commented everything and ignored it, but this time I would like to get it right from the start.

Regards

Richard Saunders
[leaf-user] Re: TCP wrappers
Forget it, sorry. While setting up I have somehow deleted the new line at the end of the hosts.allow file. Don't know why it didn't work in 2.23 - I probably managed to do the same stupid thing twice.

At 10:36 AM 28/09/2005, Idiot wrote:

> Hi,
> I am moving from Bering uClibc 2.23 to 2.3 rc1 and most things are going well. The problem I am
> having is accessing www and ssh from the local network. If I leave the default settings in
> hosts.allow and hosts.deny I cannot access the www and ssh on the firewall, but if I comment out
> everything (which I assume effectively disables tcp wrappers) I have no problem, except of course
> that I don't have the protection of wrappers.
> Shouldn't the default (ALL: 192.168.1.0/255.255.255.0) allow everything including ssh and www
> from the local network? I had the same problem with 2.23 but just commented everything and ignored
> it, but this time I would like to get it right from the start.
> Regards
> Richard Saunders
[leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Hi

I am setting up uClibc 2.3rc1. I have copied the ipsec.conf file from my uClibc 2.23 box which has always worked ok. When starting up I get the following errors.

In auth.log:

    Sep 28 13:57:09 firewall pluto[21197]: no public interfaces found

In daemon.log:

    Sep 28 13:57:07 firewall ipsec_setup: no default route, %defaultroute cannot cope!!!
    Sep 28 13:57:08 firewall ipsec_setup: ...Openswan IPsec started
    Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in "w2k": %defaultroute requested but not known
    Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in "net-net": %defaultroute requested but not known

When the box finishes starting, if I type "ipsec setup restart" it runs fine:

    Sep 28 14:26:50 firewall ipsec_setup: Stopping Openswan IPsec...
    Sep 28 14:26:50 firewall ipsec_setup: stop ordered, but IPsec does not appear to be running!
    Sep 28 14:26:50 firewall ipsec_setup: doing cleanup anyway...
    Sep 28 14:26:51 firewall ipsec_setup: ...Openswan IPsec stopped
    Sep 28 14:26:51 firewall ipsec_setup: Starting Openswan IPsec 1.0.9...
    Sep 28 14:26:51 firewall ipsec_setup: Using /lib/modules/ipsec.o
    Sep 28 14:26:51 firewall ipsec_setup: KLIPS debug `none'
    Sep 28 14:26:52 firewall ipsec_setup: KLIPS ipsec0 on ppp0 220.245.99.4 peer 202.7.162.162/32
    Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route filtering turned on, KLIPS may not work
    Sep 28 14:26:52 firewall ipsec_setup: (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)
    Sep 28 14:26:52 firewall ipsec_setup: ...Openswan IPsec started

Here is my setup:

    # basic configuration
    config setup
        interfaces=%defaultroute
        klipsdebug=none
        plutodebug=none
        plutoload=%search
        plutostart=%search
        uniqueids=yes

    # defaults for subsequent connection descriptions
    conn %default
        keyingtries=0

    conn net-net
        authby=rsasig
        left=220.245.99.4
        leftsubnet=192.168.1.0/24
        leftrsasigkey=[keyid AQON]
        leftnexthop=%defaultroute
        right=220.244.10.142
        rightsubnet=192.168.0.0/27
        rightrsasigkey=[keyid AQN7]
        rightnexthop=%defaultroute
        pfs=yes
        auto=add

    conn w2k
        authby=rsasig
        left=220.245.99.4
        leftsubnet=192.168.1.0/24
        leftnexthop=%defaultroute
        leftrsasigkey=%cert
        leftcert=fwCert.pem
        right=%any
        rightrsasigkey=%cert
        leftid="CN=fw"
        pfs=yes
        auto=add

Any ideas on what might be happening?
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Thanks Eric

Unfortunately that has had no effect, but I do think you are on the right track, ie. ipsec is starting before ppp0 is fully up, but since I know nothing except being able to blindly follow instructions, I don't like my chances of finding a solution myself.

Regarding "WARNING: ppp0 has route filtering turned on, KLIPS may not work": this error has always been there and has never shown any detrimental effects as far as I know. There have been previous threads regarding this and I think the conclusion was to ignore it.

At 06:08 PM 28/09/2005, you wrote:

Hello Richard,

I've looked through the changes between ipsec from 2.2.3 and 2.3rc1; there was a change in the start/stop levels of ipsec's init.d script due to warnings when stopping ipsec. The differences are:

    (2.2.3):  RCDLINKS="0,K42 1,K42 2,S42 3,S42 4,S42 5,S42 6,K42"
    (2.3rc1): RCDLINKS="0,K19 1,K19 2,S21 3,S21 4,S21 5,S21 6,K19"

It could be that the ppp interface isn't fully brought up before ipsec is started. You could try to change the /etc/init.d/ipsec script to read:

    RCDLINKS="0,K19 1,K19 2,S41 3,S41 4,S41 5,S41 6,K19"

Although the following line in your log is also somewhat strange:

    Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route filtering turned on, KLIPS may not work

Did you also have that warning with 2.2.3? You can turn off route filtering by setting "spoofprotect=no" in lrcfg -> 1) Network configuration -> 2) network options file (/etc/network/options)

Eric Spakman

> Hi
> I am setting up uClibc 2.3rc1.
> I have copied the ipsec.conf file from my uClibc 2.23 box which has
> always worked ok. When starting up I get the following errors
> in auth.log:
>
>     Sep 28 13:57:09 firewall pluto[21197]: no public interfaces found
>
> in daemon.log:
>
>     Sep 28 13:57:07 firewall ipsec_setup: no default route, %defaultroute cannot cope!!!
>     Sep 28 13:57:08 firewall ipsec_setup: ...Openswan IPsec started
>     Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in "w2k": %defaultroute requested but not known
>     Sep 28 13:57:09 firewall ipsec__plutorun: ipsec_auto: fatal error in "net-net": %defaultroute requested but not known
>
> When the box finishes starting if I type "ipsec setup restart" it runs fine.
>
>     Sep 28 14:26:50 firewall ipsec_setup: Stopping Openswan IPsec...
>     Sep 28 14:26:50 firewall ipsec_setup: stop ordered, but IPsec does not appear to be running!
>     Sep 28 14:26:50 firewall ipsec_setup: doing cleanup anyway...
>     Sep 28 14:26:51 firewall ipsec_setup: ...Openswan IPsec stopped
>     Sep 28 14:26:51 firewall ipsec_setup: Starting Openswan IPsec 1.0.9...
>     Sep 28 14:26:51 firewall ipsec_setup: Using /lib/modules/ipsec.o
>     Sep 28 14:26:51 firewall ipsec_setup: KLIPS debug `none'
>     Sep 28 14:26:52 firewall ipsec_setup: KLIPS ipsec0 on ppp0 220.245.99.4 peer 202.7.162.162/32
>     Sep 28 14:26:52 firewall ipsec_setup: WARNING: ppp0 has route filtering turned on, KLIPS may not work
>     Sep 28 14:26:52 firewall ipsec_setup: (/proc/sys/net/ipv4/conf/ppp0/rp_filter = `1', should be 0)
>     Sep 28 14:26:52 firewall ipsec_setup: ...Openswan IPsec started
>
> Here is my setup:
>
>     # basic configuration
>     config setup
>         interfaces=%defaultroute
>         klipsdebug=none
>         plutodebug=none
>         plutoload=%search
>         plutostart=%search
>         uniqueids=yes
>
>     # defaults for subsequent connection descriptions
>     conn %default
>         keyingtries=0
>
>     conn net-net
>         authby=rsasig
>         left=220.245.99.4
>         leftsubnet=192.168.1.0/24
>         leftrsasigkey=[keyid AQON]
>         leftnexthop=%defaultroute
>         right=220.244.10.142
>         rightsubnet=192.168.0.0/27
>         rightrsasigkey=[keyid AQN7]
>         rightnexthop=%defaultroute
>         pfs=yes
>         auto=add
>
>     conn w2k
>         authby=rsasig
>         left=220.245.99.4
>         leftsubnet=192.168.1.0/24
>         leftnexthop=%defaultroute
>         leftrsasigkey=%cert
>         leftcert=fwCert.pem
>         right=%any
>         rightrsasigkey=%cert
>         leftid="CN=fw"
>         pfs=yes
>         auto=add
>
> Any ideas on what might be happening?
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Is it possible just to insert a pause somewhere in the startup scripts to wait for ppp0 to come up before continuing?

At 07:43 AM 30/09/2005, you wrote:

> This problem has always existed for any connection type. It shows up in a lot of different
> locations on all Bering versions. I saw this on ppp connections as well as pcmcia based ethernet
> connections. The common denominator of all these is that you cannot predict reliably how long they
> take to come up, but the init script may terminate _before_ they are up completely.

Agreed. Shorewall by default has really awful failure modes if the upstream ppp interface isn't up yet. I'd love to have an "is up?" semaphore, but perhaps in some cases we should instead be triggering the apps by the fact that the interface is up. Both /etc/network/interfaces and ppp have trigger scripts they can call for interface up.

Then it comes down to what is "up?" -- link up? address configured and able to pass data? routing up? I don't want to confuse things with those last questions; there probably is no universal good way to do these things. Frankly, I wish shorewall was just a little smarter when it came to ephemeral interfaces.

Paul
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Does this problem have anything to do with shorewall? Shorewall seems to start up without a problem and everything else runs fine. It's only ipsec that can't find a default route. I thought inetd may be responsible. Not that I know anything much about it.

At 08:24 AM 30/09/2005, you wrote:

Richard Saunders wrote:

> Is it possible just to insert a pause somewhere in the startup scripts
> to wait for ppp0 to come up before continuing?

You could place a pause/check loop in /etc/shorewall/init. Or, better yet, configure Shorewall so that it doesn't require ppp0 to be up when it starts.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
Thanks Tom and Eric

I don't know if it matters to me how long it takes to come up, so long as everything that is supposed to work works once it's up. When ppp0 is up it's a router; until then it's a lump of useless metal chewing power.

I have put the loop here:

    #!/bin/sh
    # IPsec startup and shutdown script
    # Copyright (C) 1998, 1999, 2001 Henry Spencer.
    /..SNIP

    # misc setup
    umask 022

    while true; do
        ip link ls dev ppp0 > /dev/null 2>&1 && break
        echo "Waiting for ppp0 to come up..."
        sleep 5
    done

    # do it
    case "$1" in
    start|--start|stop|--stop)

Is this alright? I won't get to test it until I can reboot on the weekend.

At 08:35 AM 30/09/2005, you wrote:

Richard Saunders wrote:

> Is it possible just to insert a pause somewhere in the startup scripts to wait for ppp0 to come up
> before continuing?

Yes, that was my first approach, unfortunately not a very smart one, as, for example, ppp may take a very long time to come up.

Erich
Re: [leaf-user] ipsec %defaultroute in Bering 2.3 rc1
I managed to kick everyone off at lunchtime and reboot. The loop paused the startup for about half a second and off it went. Everything started up fine including ipsec.

Thank you very much Tom and Erich. I am very grateful for your help.

Richard Saunders

At 10:56 AM 30/09/2005, you wrote:

Richard Saunders wrote:

>     # misc setup
>     umask 022
>
>     while true; do
>         ip link ls dev ppp0 > /dev/null 2>&1 && break
>         echo "Waiting for ppp0 to come up..."
>         sleep 5
>     done
>
>     # do it
>     case "$1" in
>     start|--start|stop|--stop)
>
> Is this alright? I won't get to test it until I can reboot on the weekend.

I don't have a ppp interface to test with so I don't know at what point 'ip link ls dev ppp0' returns 0 for an exit status. If the above doesn't work, the output of 'ip' may need to be piped into 'grep -q' looking for 'inet' or something like that.

-Tom
--
Tom Eastep    \ Nothing is foolproof to a sufficiently talented fool
Shoreline,     \ http://shorewall.net
Washington USA  \ [EMAIL PROTECTED]
PGP Public Key   \ https://lists.shorewall.net/teastep.pgp.key
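As an added example (not code from this thread or from the LEAF/Bering init scripts), this is how the wait loop discussed above could take in Tom's and Erich's points: it treats ppp0 as ready only when it has an IPv4 address and carries the default route (the thing %defaultroute in ipsec.conf actually needs), rather than as soon as the device exists; it gives up after a timeout instead of blocking boot indefinitely; and it only waits on the start path. It assumes iproute2's ip is present, as the thread's own loop does; the IFACE, WAIT_TIMEOUT and WAIT_INTERVAL names are mine.

```shell
#!/bin/sh
# Bounded wait for a PPP interface before starting IPsec.
# Added example, not from the thread or the LEAF/Bering init scripts.
# Assumes iproute2's "ip" (the thread's own loop uses "ip link ls").
# "Ready" means: an IPv4 address is assigned AND the default route goes
# out this interface, which is what %defaultroute needs to resolve.

IFACE="${IFACE:-ppp0}"
WAIT_TIMEOUT="${WAIT_TIMEOUT:-120}"   # seconds before giving up (don't hang boot)
WAIT_INTERVAL="${WAIT_INTERVAL:-5}"   # seconds between polls

# Returns 0 once DEV is usable, 1 otherwise.
iface_ready() {
    dev="$1"
    # "ip link ls dev ppp0" succeeds as soon as the device exists, which
    # can be before pppd has negotiated an address (Tom's objection).
    ip -4 addr show dev "$dev" 2>/dev/null | grep -q 'inet ' || return 1
    ip route show default 2>/dev/null | grep -q "dev $dev" || return 1
    return 0
}

# Polls iface_ready until it succeeds or TIMEOUT seconds have passed.
# Returns 0 on success, 1 on timeout (Erich's point: ppp may take a very
# long time, or never come up, and the script must not hang forever).
wait_for_iface() {
    dev="$1"; timeout="$2"; waited=0
    while ! iface_ready "$dev"; do
        if [ "$waited" -ge "$timeout" ]; then
            echo "gave up waiting for $dev after ${waited}s" >&2
            return 1
        fi
        echo "Waiting for $dev to come up... (${waited}s)" >&2
        sleep "$WAIT_INTERVAL"
        waited=$((waited + WAIT_INTERVAL))
    done
    return 0
}

# In /etc/init.d/ipsec this would sit just before 'case "$1" in'. Only
# the start path waits; a stop must never block on a missing interface.
# On timeout we fall through and let the script carry on regardless.
case "${1:-}" in
    start|--start) wait_for_iface "$IFACE" "$WAIT_TIMEOUT" || : ;;
esac
```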
[leaf-user] tcp wrappers www and ssh
Hi,

I am very happy with the way my new bering uclibc 2.3 rc1 box is going. Thank you all for your help to get it going.

I am still having a couple of minor problems. One with ipsec road warrior, but I'll muck about with that and read some more docs before I bother you all with that. The other is with tcp wrappers and external ssh and www access. I am using knockd to open up the ssh and www ports and also to dnat a couple of ports to internal servers.

It all works perfectly with tcp wrappers disabled, and access from the local network works fine with wrappers enabled. But I can't get access from the net to the firewall sshd and weblet with tcp wrappers on. I've tried ssh: ALL and sshd: ALL and sh-httpd: ALL and www: ALL and none of those seem to work. Are any of these correct and if so is there something else that I would be missing?

Regards

Richard Saunders
[leaf-user] Re: tcp wrappers www and ssh
Eric,

That's basically what I've done for now, which is what I meant by disabled. But it's what I am trying to avoid if possible, mainly because I am paranoid.

Richard

Richard,

I'm not very familiar with tcp-wrapper rules, but you could try to remove the "ALL PARANOID" from /etc/hosts.deny.

Eric Spakman

> Hi,
> I am very happy with the way my new bering uclibc 2.3 rc1 box is going.
> Thank you all for your help to get it going.
> I am still having a couple of minor problems. One with ipsec road
> warrior, but I'll muck about with that and read some more docs before I
> bother you all with that. The other is with tcp wrappers and external ssh
> and www access. I am using knockd to open up the ssh and www ports and
> also to dnat a couple of ports to internal servers.
>
> It all works perfectly with tcp wrappers disabled, and access from the
> local network works fine with wrappers enabled. But I can't get access from
> the net to the firewall sshd and weblet with tcp wrappers on. I've tried
> ssh: ALL and sshd: ALL and sh-httpd: ALL and www: ALL and
> none of those seem to work. Are any of these correct and if so is there
> something else that I would be missing?
> Regards
> Richard Saunders
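Both tcp wrappers threads above come down to what libwrap actually parses out of hosts.allow and hosts.deny: the earlier one was a rule silently ignored because the file's last line had lost its trailing newline, and this one turns on which rules (including the ALL: PARANOID default Eric mentions) are in force. As an added example, not from the thread or from the Bering distribution, here is a small POSIX sh lint that applies libwrap's reading of the file: it drops a final line with no trailing newline (libwrap logs "missing newline or line too long" and skips such a line), strips comments, joins backslash continuations, and flags an active ALL: PARANOID rule. The function names are mine.

```shell
#!/bin/sh
# Lint for tcp_wrappers access files (hosts.allow / hosts.deny).
# Added example: not part of the thread or of the LEAF/Bering distribution.
# libwrap ignores a final line that has no trailing newline (it logs
# "missing newline or line too long"), which is what silently dropped the
# "ALL: 192.168.1.0/255.255.255.0" rule in the earlier thread.

# Returns 0 if FILE is empty or its last byte is a newline, 1 otherwise.
# $(...) strips trailing newlines, so the substitution is empty exactly
# when the last byte is a newline.
ends_with_newline() {
    [ -s "$1" ] || return 0
    [ -z "$(tail -c1 "$1")" ]
}

# Emits only the lines libwrap will parse: a final line without a
# trailing newline is dropped, as libwrap drops it.
parsed_lines() {
    if ends_with_newline "$1"; then cat "$1"; else sed '$d' "$1"; fi
}

# Prints the effective rules, one per line: comments and blank lines
# removed, backslash-newline continuations joined into a single rule.
effective_rules() {
    parsed_lines "$1" | awk '
        { sub("#.*", "") }                            # strip comments
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }  # rule continues
        { line = buf $0; buf = "" }
        line ~ /[^ \t]/ { print line }                # skip blank results
    '
}

# Reports findings for one file on stderr. Returns 1 when libwrap would
# ignore a rule the administrator probably meant to apply, else 0.
lint_wrappers_file() {
    file="$1"; rc=0
    if ! ends_with_newline "$file"; then
        echo "$file: last line has no trailing newline, libwrap will ignore it:" >&2
        echo "    $(tail -n 1 "$file")" >&2
        rc=1
    fi
    # ALL: PARANOID (a common hosts.deny default) refuses any client whose
    # forward and reverse DNS disagree, which can look like a wrappers bug.
    if effective_rules "$file" | grep -q '^[[:space:]]*ALL[[:space:]]*:[[:space:]]*PARANOID'; then
        echo "$file: ALL: PARANOID is active; clients with mismatched DNS are refused" >&2
    fi
    return "$rc"
}

# Usage: lint the files named on the command line, e.g.
#   sh wrapcheck.sh /etc/hosts.allow /etc/hosts.deny
for f in "$@"; do lint_wrappers_file "$f"; done
```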