[leaf-user] SSH connection
Hi everyone,

I was wondering something about the hosts.allow file. I have for example the following line inserted:

ALL: 192.168.1.2/255.255.255.255

but I'm still able to ssh to the machine from other addresses inside the 192.168.1.0/24 network. Shouldn't this file take care of this, or should it also be specified in shorewall? But in that case I don't see the point of having the hosts.allow / hosts.deny file.

btw, my hosts.deny file contains:

ALL: ALL

Grtz,
Tom

-
This SF.net email is sponsored by the 2008 JavaOne(SM) Conference. Don't miss this year's exciting event. There's still time to save $100. Use priority code J8TL2D2.
http://ad.doubleclick.net/clk;198757673;13503038;p?http://java.sun.com/javaone
leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/
Re: [leaf-user] SSH connection
Tom,

Tom Hendrickx wrote:
> Hi everyone,
>
> I was wondering something about the hosts.allow file. I have for example the following line inserted:
>
> ALL: 192.168.1.2/255.255.255.255
>
> but I'm still able to ssh to the machine from other addresses inside the 192.168.1.0/24 network. Shouldn't this file take care of this, or should it also be specified in shorewall? But in that case I don't see the point of having the hosts.allow / hosts.deny file.

This has to be compiled into the application, so if your ssh daemon does not have libwrap compiled in then it does not matter what you write to your hosts.allow/deny files.

If you want to be sure, use shorewall rules for this purpose.

cheers
Erich
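Erich's point can be made concrete. The following is an added example, not code from the thread or from the LEAF project: a small POSIX sh model of how libwrap evaluates hosts.allow and hosts.deny for one client address, run against constructed copies of Tom's two rules, plus a yes/no flag standing in for "sshd was built with libwrap" (the ldd line in the comment is the live check). Only the ALL, plain-IP and net/mask client forms are handled; real libwrap also supports hostnames, wildcards, EXCEPT and option fields.

```shell
#!/bin/sh
# Added example: model tcp_wrappers (libwrap) access control for one client.
# Not the library's own code; it covers ALL, a.b.c.d and net/mask patterns only.

# Convert a dotted quad to a 32-bit integer.
ip2int() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Does one client pattern (ALL, a.b.c.d, or net/mask) match the client IP?
client_matches() {
    pat=$1; ip=$2
    case $pat in
        ALL) return 0 ;;
        */*)
            net=$(ip2int "${pat%/*}"); mask=$(ip2int "${pat#*/}")
            [ $(( $(ip2int "$ip") & mask )) -eq $(( net & mask )) ] ;;
        *)  [ "$pat" = "$ip" ] ;;
    esac
}

# Does any "daemon_list : client_list" rule in the file match? 0 on first hit.
file_matches() {
    file=$1; daemon=$2; ip=$3
    [ -r "$file" ] || return 1
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}                      # strip comments
        case $line in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}; clients=${line#*:}
        for d in $(printf '%s' "$daemons" | tr ',' ' '); do
            [ "$d" = ALL ] || [ "$d" = "$daemon" ] || continue
            for c in $(printf '%s' "$clients" | tr ',' ' '); do
                client_matches "$c" "$ip" && return 0
            done
        done
    done < "$file"
    return 1
}

# libwrap order: hosts.allow match -> allow; hosts.deny match -> deny;
# no match in either file -> allow.
tcpwrap_decision() {
    if file_matches "$1" "$3" "$4"; then echo allow
    elif file_matches "$2" "$3" "$4"; then echo deny
    else echo allow
    fi
}

# Erich's caveat: the files are only read by daemons linked with libwrap.
# Live check on a dynamically linked sshd:
#   ldd /usr/sbin/sshd 2>/dev/null | grep -q libwrap && echo yes || echo no
sshd_decision() {
    # $5 is "yes" if sshd is linked against libwrap, "no" otherwise.
    if [ "$5" = yes ]; then
        tcpwrap_decision "$1" "$2" "$3" "$4"
    else
        echo not-consulted   # files never read; only firewall rules apply
    fi
}

# Demo on constructed copies of Tom's files (not a live system).
tmp=$(mktemp -d)
printf 'ALL: 192.168.1.2/255.255.255.255\n' > "$tmp/hosts.allow"
printf 'ALL: ALL\n' > "$tmp/hosts.deny"
for ip in 192.168.1.2 192.168.1.50; do
    echo "libwrap sshd,    client $ip: $(sshd_decision "$tmp/hosts.allow" "$tmp/hosts.deny" sshd "$ip" yes)"
    echo "no-libwrap sshd, client $ip: $(sshd_decision "$tmp/hosts.allow" "$tmp/hosts.deny" sshd "$ip" no)"
done
rm -rf "$tmp"
```

Portable OpenSSH removed tcp_wrappers support entirely in 6.7, so on a current build the answer is always the firewall rule, as Erich suggests.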
Re: [leaf-user] SSH login takes 40 seconds
Okay, I figured out a solution reading the DNSMASQ docs (I'm using DNSMASQ with messy DHCP). I forgot exactly everything I did, but I'm pretty sure this is it (sorry to take so long to respond):

First I modified the dnsmasq config, note the change below:

# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=
resolv-file=/etc/resolv.dnsmasq

Then...

- Early in the bootup process, after I get my IP via DHCP (cable modem), I rename resolv.conf (with DHCP updates) to resolv.dnsmasq via a startup script
- Then I do an echo nameserver 127.0.0.1 > /etc/resolv.conf (same script)

That's it. No more delay, no host file maintenance for every possible client.
Re: [leaf-user] SSH login takes 40 seconds
I don't like the /etc/hosts solution either, but it's the one I use as well.

Doug

> Date: Wed, 17 Nov 2004 08:18:51 +0100
> From: Erich Titl [EMAIL PROTECTED]
> To: cpu memhd [EMAIL PROTECTED]
> CC: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] SSH login takes 40 seconds
>
> Hi
>
> cpu memhd wrote:
>> Bering uClibc 2.2 - I got SSH working a few weeks ago. Now for some reason it takes 40 seconds to display a console screen after I login. I have read that this is likely a reverse DNS problem. But why should it matter if I'm using private, 10.x.x.x IPs? Also, I don't recall making any changes between the time SSH worked and now. Any ideas?
>
> If you have a working DNS server then it should just return an NXDOMAIN and you should be fine. If not, sshd will try to reverse lookup your address and finally time out.
>
> One possible solution is to include your management station in the /etc/hosts file (not that I specifically like this solution)
>
> Erich
Re: [leaf-user] SSH login takes 40 seconds
Hi

cpu memhd wrote:
> Bering uClibc 2.2 - I got SSH working a few weeks ago. Now for some reason it takes 40 seconds to display a console screen after I login. I have read that this is likely a reverse DNS problem. But why should it matter if I'm using private, 10.x.x.x IPs? Also, I don't recall making any changes between the time SSH worked and now. Any ideas?

If you have a working DNS server then it should just return an NXDOMAIN and you should be fine. If not, sshd will try to reverse lookup your address and finally time out.

One possible solution is to include your management station in the /etc/hosts file (not that I specifically like this solution)

Erich
Re: [leaf-user] ssh access from inside being rejected.
I never got sshd working on 2.2.1. I just switched to dropbear. It works fine.

Glenn

Glenn A. Thompson wrote:
> No it actually segfaulted when I ran it in debug mode.
>
> Martin Hejl wrote:
>> Glenn A. Thompson wrote:
>>> I installed the sshd module on my bering 2.2.1 test box and generated keys etc. I can't seem to connect to it from my local network. I'm running my local network on 192.168.10.0/24. That caused me some grief on a few other packages until I changed their configs. But from what I can tell I've got all that fixed up OK. I can connect to the fw weblet application no problem.
>>>
>>> When I try to connect to the sshd from the internet I see stuff in my logs as I would expect. When I do it from the loc network I see immediate rejects and I can't find anything in any logs. So I installed the ssh client on the firewall. If I try to connect to localhost I just hang there. If I try to connect to the loc interface I get reject UNKNOWN.
>>>
>>> I've looked through the rules and it seems like it should work. I even changed the interfaces file under shorewall to be more explicit about the loc and fw interfaces.
>>>
>>> Any clues? Any more information I should provide?
>>
>> You probably already checked that, but could it be an issue with /etc/hosts.allow needing to be updated with the new net?
>>
>> It could also be that sshd is trying to do a DNS lookup on the IP of the box that's connecting - that would surely _seem_ like it's just died.
>>
>> Martin
[leaf-user] ssh access from inside being rejected.
Hey,

I installed the sshd module on my bering 2.2.1 test box and generated keys etc. I can't seem to connect to it from my local network. I'm running my local network on 192.168.10.0/24. That caused me some grief on a few other packages until I changed their configs. But from what I can tell I've got all that fixed up OK. I can connect to the fw weblet application no problem.

When I try to connect to the sshd from the internet I see stuff in my logs as I would expect. When I do it from the loc network I see immediate rejects and I can't find anything in any logs. So I installed the ssh client on the firewall. If I try to connect to localhost I just hang there. If I try to connect to the loc interface I get reject UNKNOWN.

I've looked through the rules and it seems like it should work. I even changed the interfaces file under shorewall to be more explicit about the loc and fw interfaces.

Any clues? Any more information I should provide?

Thanks,
glenn
Re: [leaf-user] ssh access from inside being rejected.
Glenn A. Thompson wrote:
> Hey,
>
> I installed the sshd module on my bering 2.2.1 test box and generated keys etc. I can't seem to connect to it from my local network. I'm running my local network on 192.168.10.0/24. That caused me some grief on a few other packages until I changed their configs. But from what I can tell I've got all that fixed up OK. I can connect to the fw weblet application no problem.
>
> When I try to connect to the sshd from the internet I see stuff in my logs as I would expect. When I do it from the loc network I see immediate rejects and I can't find anything in any logs. So I installed the ssh client on the firewall. If I try to connect to localhost I just hang there. If I try to connect to the loc interface I get reject UNKNOWN.
>
> I've looked through the rules and it seems like it should work. I even changed the interfaces file under shorewall to be more explicit about the loc and fw interfaces.
>
> Any clues? Any more information I should provide?
>
> Thanks,
> glenn

What does your output look like when you turn on verbose mode: ssh -v host

and how is your sshd_config configured? We'll need that to begin with.. If you have changed other configuration files, other than those connected with ssh, sshd you'll have to provide info with that as well.

Is sshd actually running? Try netstat -an and ps ax and see what gives..

Regards,
--
Patrick Benson
Stockholm, Sweden
Re: [leaf-user] ssh access from inside being rejected.
I set the log level to debug in the sshd_config file. It forks a child and seems to negotiate a protocol level and then no more log entries. It may just be dying.

Again any clues would be helpful

Thanks
Glenn

Glenn A. Thompson wrote:
> Hey,
>
> I installed the sshd module on my bering 2.2.1 test box and generated keys etc. I can't seem to connect to it from my local network. I'm running my local network on 192.168.10.0/24. That caused me some grief on a few other packages until I changed their configs. But from what I can tell I've got all that fixed up OK. I can connect to the fw weblet application no problem.
>
> When I try to connect to the sshd from the internet I see stuff in my logs as I would expect. When I do it from the loc network I see immediate rejects and I can't find anything in any logs. So I installed the ssh client on the firewall. If I try to connect to localhost I just hang there. If I try to connect to the loc interface I get reject UNKNOWN.
>
> I've looked through the rules and it seems like it should work. I even changed the interfaces file under shorewall to be more explicit about the loc and fw interfaces.
>
> Any clues? Any more information I should provide?
>
> Thanks,
> glenn
Re: [leaf-user] ssh access from inside being rejected.
Glenn A. Thompson wrote:
> I installed the sshd module on my bering 2.2.1 test box and generated keys etc. I can't seem to connect to it from my local network. I'm running my local network on 192.168.10.0/24. That caused me some grief on a few other packages until I changed their configs. But from what I can tell I've got all that fixed up OK. I can connect to the fw weblet application no problem.
>
> When I try to connect to the sshd from the internet I see stuff in my logs as I would expect. When I do it from the loc network I see immediate rejects and I can't find anything in any logs. So I installed the ssh client on the firewall. If I try to connect to localhost I just hang there. If I try to connect to the loc interface I get reject UNKNOWN.
>
> I've looked through the rules and it seems like it should work. I even changed the interfaces file under shorewall to be more explicit about the loc and fw interfaces.
>
> Any clues? Any more information I should provide?

You probably already checked that, but could it be an issue with /etc/hosts.allow needing to be updated with the new net?

It could also be that sshd is trying to do a DNS lookup on the IP of the box that's connecting - that would surely _seem_ like it's just died.

Martin
Re: [leaf-user] ssh access from inside being rejected.
Glenn A. Thompson wrote:
> I set the log level to debug in the sshd_config file. It forks a child and seems to negotiate a protocol level and then no more log entries. It may just be dying.
>
> Again any clues would be helpful

There are two FAQ's that may be helpful:

http://www.snailbook.com/faq/
http://www.openssh.com/faq.html

Regards,
--
Patrick Benson
Stockholm, Sweden
Re: [leaf-user] ssh access from inside being rejected.
No it actually segfaulted when I ran it in debug mode.

Martin Hejl wrote:
> Glenn A. Thompson wrote:
>> I installed the sshd module on my bering 2.2.1 test box and generated keys etc. I can't seem to connect to it from my local network. I'm running my local network on 192.168.10.0/24. That caused me some grief on a few other packages until I changed their configs. But from what I can tell I've got all that fixed up OK. I can connect to the fw weblet application no problem.
>>
>> When I try to connect to the sshd from the internet I see stuff in my logs as I would expect. When I do it from the loc network I see immediate rejects and I can't find anything in any logs. So I installed the ssh client on the firewall. If I try to connect to localhost I just hang there. If I try to connect to the loc interface I get reject UNKNOWN.
>>
>> I've looked through the rules and it seems like it should work. I even changed the interfaces file under shorewall to be more explicit about the loc and fw interfaces.
>>
>> Any clues? Any more information I should provide?
>
> You probably already checked that, but could it be an issue with /etc/hosts.allow needing to be updated with the new net?
>
> It could also be that sshd is trying to do a DNS lookup on the IP of the box that's connecting - that would surely _seem_ like it's just died.
>
> Martin
Re: [leaf-user] ssh on dachstein - update
Latest: got sshd going on the firewall - had to make the following change:

in /etc/ssh/sshd_config change
UsePrivilegeSeparation yes
to
UsePrivilegeSeparation no

then if I start sshd manually, I can login. I have no clue what that means other than it avoids the error message and lets me get going.

Still have not sorted out Putty from WindowsExplorer via GUI interface, but I can login from both my debian machine as well as from the putty command line on my WinMe machine.

So all I need to figure out is how to get sshd started on startup - that'll be my next project. Looks like there is more to it than just getting and loading the files ;-) and the two Howtos I've found both need work. Once I get this all sorted out I'll try to contact the authors with the details.

Thanks to both you and Ray for your interest and help

Arnold

Tibbs, Richard wrote:
> OK, next idea: Go to /usr/sbin. Type ./sshd
>
> For some reason error messages for sshd don't go to any log. You should see some complaint.
>
> For sshd in Bering, you need libcrypt.lrp, libz.lrp and libnsl. If you see certain libraries missing like libcrypto.so.yadda, then you are missing some packages.
>
> Good luck
> Tibbs.
>
> -----Original Message-----
> From: Arnold Wiegert [mailto:[EMAIL PROTECTED]]
> Sent: Monday, August 16, 2004 7:56 PM
> To: Tibbs, Richard
> Subject: Re: [leaf-user] ssh on dachstein
>
> Thanks, Richard;
>
> sshd is not running :-(
>
> I did generate the keys, but the Mini-Howto said nothing about what else needs to be done - if anything - to have sshd run after installing, generating the keys, backing up & rebooting
>
> Arnold
>
> Tibbs, Richard wrote:
>> Check your processes with a ps -A command. If you do not see sshd, then it is not running. Likely you need to generate keys with sshkey.lrp (at least that is what works with Bering.)
>>
>> HTH, Rick.
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] on behalf of Arnold Wiegert
>> Sent: Mon 8/16/2004 4:28 PM
>> To: [EMAIL PROTECTED]
>> Cc:
>> Subject: [leaf-user] ssh on dachstein
>>
>> I've finally decided to try and get an ssh link going on my network. I'm running normal Dachstein with dual floppies and have installed all the ssh .lrp files as per the openssh LEAF/LRP user's guide http://leaf.sourceforge.net/devel/jnilo/openssh2.html
>>
>> I've added a password for 'root' and have tried PuTTY as a client to sign on, but have had no luck at all. All I get - after several seconds - is
>>
>> RuTTY Fatal Error: Network error: Connection timed out
>>
>> If I need to supply extra information, please let me know.
>>
>> TIA
>> Arnold
Re: [leaf-user] ssh on dachstein
Arnold --

No doubt inadvertently, you replied to me personally instead of to the list. To fix this, I'm responding to the list, and not trimming your reply (as I would normally do, since only the first part of the response is needed).

At 07:30 PM 8/16/2004 -0700, Arnold Wiegert wrote:
> Ray Olszewski wrote:
>> At 01:28 PM 8/16/2004 -0700, Arnold Wiegert wrote:
>>> I've finally decided to try and get an ssh link going on my network.
>>
>> I didn't see any other replies to this, but please forgive me if I missed something. I think you need to walk through the basics.
>>
>> 1. On the LEAF system, after you install the ssh stuff and reboot, is the sshd process running? Does it show up in the process list? Does netstat -l (I think Dach has this command) report it as listening on port 22?
>
> neither netstat -l nor ps -A show sshd as running
>
> running it manually in /usr/sbin via ./sshd gives me an error message:
>
> Privilege separation user sshd does not exist

This is your problem. You cannot connect to the router because it is not running sshd. Why? Hard to say for sure, but it sounds like you are using a newer version of sshd than the one Dach was configured for. Privilege separation is a newer security modification of sshd, and it probably postdates whatever version of Dach you are running.

How to fix it? Your safest bet is to do a quick install of some version of Bering, see what its entry for the sshd user is, and replicate that in Dach's /etc/passwd (and /etc/shadow) file. Or, on the bet that this userid is pretty standard, you could add these entries (taken from my Debian system) to the relevant files:

in /etc/passwd:
sshd:x:100:65534::/var/run/sshd:/bin/false

in /etc/shadow:
sshd:!:11912:0:9:7:::

Then back up the relevant .lrp package (probably etc.lrp, but you should check ... actually, you must know this piece better than I, since you changed root's password successfully).

Though I've left the rest of your response below, it has nothing to do with your immediate problem, so you can stop reading now.

>> 2. Is your LEAF firewall configured to permit connections to port 22 on the router from wherever (LAN or Internet) you are connecting from?
>
> Haven't tried that yet; I'm trying to get to the router from inside.
>
>> 3. Are you trying to connect from the LAN (internal) side or the Internet (external) side? Are you connecting to the appropriate IP address? Could there be a DNS issue? If you are connecting from the Internet, might your ISP be blocking traffic to TCP port 22?
>>
>> 4. "after several seconds" implies that you get this response quickly. Am I reading this right, or are we talking about time more like 30 seconds, or even 3 minutes? Time delays are sometimes important hints to diagnosis, so please be as exact as you can on this. For example, here I just tried to connect to an unused LAN IP address, and it took 20 seconds for me to get that same message. (And I've assumed that RuTTY is just a typo ... if not, please correct me.)
>
> Yes it is a typo, should be PuTTY - time to error message is 22 - 23 sec.
>
>> 5. After you try and fail to connect to the router, do the router logs show anything, logged by either sshd or iptables? Is the host you tried to connect from (assuming a LAN connection) in the router's arp cache? Is the router in the host's arp cache?
>
> see above, I'm on the inside
>
>> 6. Do you know that PuTTY works properly? Can you use it to connect to other hosts? I've assumed you are an experienced PuTTY user, so are not making any rookie mistakes at that end (like trying to do a telnet connection instead of an ssh connection), so please confirm or correct this assumption.
>
> I'm a rookie - very much, although I do believe I am trying for a ssh connection. I've tried the -v (verbose) option, but it does not produce any output to the DOS box window - with or without the -v option
>
>> 7. If you post again, please round up the usual suspects when you do. Tell us the networks and IP addresses involved.
>
> as far as I know, I'm using the default addresses for my leaf box and I am using it - 192.168.1.254 - as the host name/IP address
>
> Thank you for your reply.
>
> Arnold
[leaf-user] ssh on dachstein
I've finally decided to try and get an ssh link going on my network. I'm running normal Dachstein with dual floppies and have installed all the ssh .lrp files as per the openssh LEAF/LRP user's guide http://leaf.sourceforge.net/devel/jnilo/openssh2.html

I've added a password for 'root' and have tried PuTTY as a client to sign on, but have had no luck at all. All I get - after several seconds - is

RuTTY Fatal Error: Network error: Connection timed out

If I need to supply extra information, please let me know.

TIA
Arnold
FW: [leaf-user] ssh on dachstein
From: Tibbs, Richard
Sent: Monday, August 16, 2004 6:22 PM
To: Arnold Wiegert; [EMAIL PROTECTED]
Subject: RE: [leaf-user] ssh on dachstein

Check your processes with a ps -A command. If you do not see sshd, then it is not running. Likely you need to generate keys with sshkey.lrp (at least that is what works with Bering.)

HTH, Rick.

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of Arnold Wiegert
Sent: Mon 8/16/2004 4:28 PM
To: [EMAIL PROTECTED]
Cc:
Subject: [leaf-user] ssh on dachstein

I've finally decided to try and get an ssh link going on my network. I'm running normal Dachstein with dual floppies and have installed all the ssh .lrp files as per the openssh LEAF/LRP user's guide http://leaf.sourceforge.net/devel/jnilo/openssh2.html

I've added a password for 'root' and have tried PuTTY as a client to sign on, but have had no luck at all. All I get - after several seconds - is

RuTTY Fatal Error: Network error: Connection timed out

If I need to supply extra information, please let me know.

TIA
Arnold
Re: [leaf-user] ssh on dachstein
At 01:28 PM 8/16/2004 -0700, Arnold Wiegert wrote:
> I've finally decided to try and get an ssh link going on my network. I'm running normal Dachstein with dual floppies and have installed all the ssh .lrp files as per the openssh LEAF/LRP user's guide http://leaf.sourceforge.net/devel/jnilo/openssh2.html
>
> I've added a password for 'root' and have tried PuTTY as a client to sign on, but have had no luck at all. All I get - after several seconds - is
>
> RuTTY Fatal Error: Network error: Connection timed out
>
> If I need to supply extra information, please let me know.

I didn't see any other replies to this, but please forgive me if I missed something. I think you need to walk through the basics.

1. On the LEAF system, after you install the ssh stuff and reboot, is the sshd process running? Does it show up in the process list? Does netstat -l (I think Dach has this command) report it as listening on port 22?

2. Is your LEAF firewall configured to permit connections to port 22 on the router from wherever (LAN or Internet) you are connecting from?

3. Are you trying to connect from the LAN (internal) side or the Internet (external) side? Are you connecting to the appropriate IP address? Could there be a DNS issue? If you are connecting from the Internet, might your ISP be blocking traffic to TCP port 22?

4. "after several seconds" implies that you get this response quickly. Am I reading this right, or are we talking about time more like 30 seconds, or even 3 minutes? Time delays are sometimes important hints to diagnosis, so please be as exact as you can on this. For example, here I just tried to connect to an unused LAN IP address, and it took 20 seconds for me to get that same message. (And I've assumed that RuTTY is just a typo ... if not, please correct me.)

5. After you try and fail to connect to the router, do the router logs show anything, logged by either sshd or iptables? Is the host you tried to connect from (assuming a LAN connection) in the router's arp cache? Is the router in the host's arp cache?

6. Do you know that PuTTY works properly? Can you use it to connect to other hosts? I've assumed you are an experienced PuTTY user, so are not making any rookie mistakes at that end (like trying to do a telnet connection instead of an ssh connection), so please confirm or correct this assumption.

7. If you post again, please round up the usual suspects when you do. Tell us the networks and IP addresses involved.
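Items 1 and 5 of Ray's checklist, and the privilege-separation fix from his follow-up in this thread, can be scripted against copies of the router's files. This is an added example, not code from the thread or from the LEAF project; it assumes the sshd_config and passwd paths and a "netstat -an" listing are supplied by the caller, and that the busybox netstat on a Bering box prints the same columns as net-tools.

```shell
#!/bin/sh
# Added example: offline triage of the "sshd is not running" failure modes
# discussed in this thread. Inputs are file paths / captured netstat output,
# so it can be run against copies of a router's files, not only live.

# Effective UsePrivilegeSeparation value from an sshd_config: the first
# uncommented occurrence wins (as sshd itself applies it); default is "yes".
privsep_setting() {
    awk 'tolower($1) == "useprivilegeseparation" { print tolower($2); found = 1; exit }
         END { if (!found) print "yes" }' "$1"
}

# Does the passwd file define the unprivileged "sshd" account that privilege
# separation needs? Prints the entry, or nothing.
privsep_user() {
    grep '^sshd:' "$1" 2>/dev/null | head -n 1
}

# Is anything listening on TCP port 22, judging from "netstat -an" style
# output on stdin? Exit 0 if so (covers tcp and tcp6 rows).
listening_on_22() {
    awk '$1 ~ /^tcp/ && $4 ~ /:22$/ && $NF == "LISTEN" { hit = 1 }
         END { exit !hit }'
}

# One-word verdict for Arnold's case. Ray's fix (add the sshd user) keeps
# privilege separation on; switching it off makes the error go away but
# removes the containment the unprivileged child gives the pre-auth code.
privsep_verdict() {
    cfg=$1; pw=$2
    if [ "$(privsep_setting "$cfg")" = no ]; then
        echo privsep-disabled
    elif [ -z "$(privsep_user "$pw")" ]; then
        echo privsep-user-missing
    else
        echo ok
    fi
}

# Demo on constructed copies of the files (not a live system).
tmp=$(mktemp -d)
printf 'Port 22\nUsePrivilegeSeparation yes\n' > "$tmp/sshd_config"
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$tmp/passwd"
echo "before fix: $(privsep_verdict "$tmp/sshd_config" "$tmp/passwd")"
# Ray's fix: add the account (uid/gid taken from his Debian box; use free ones).
printf 'sshd:x:100:65534::/var/run/sshd:/bin/false\n' >> "$tmp/passwd"
echo "after fix:  $(privsep_verdict "$tmp/sshd_config" "$tmp/passwd")"
# Constructed netstat -an excerpt: sshd listening plus an unrelated socket.
cat <<'EOF' | listening_on_22 && echo "sshd listening on :22" || echo "nothing on :22"
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.168.1.254:80        192.168.1.10:3344       ESTABLISHED
EOF
rm -rf "$tmp"
```

On the live router the same functions take /etc/ssh/sshd_config and /etc/passwd, and `netstat -an | listening_on_22` answers Ray's first question directly.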
[leaf-user] SSH Bug and Exploit
Seems there is a bug in OpenSSH and some reports of exploits in the wild: http://slashdot.org/articles/03/09/16/1327248.shtml?tid=126tid=172 There is a new OpenSSH version available (3.7). Is somebody upgrading the LRPs? - Alex
[leaf-user] ssh and link error
I just downloaded the lrps for ssh and sshd listed under the Uclibc Packages tree. However whenever /usr/sbin/sshd attempts to start I am getting the following error:

./sbin: linked against GNU libc!!

Anyone have any insight into what I need to do to fix this? Currently I have the following lrps on this system: root etc local modules keyboard libc225 libz libpopt libcrpto libssl2 djbutils maradns netsnmpd sshd ssh

Try the libz, ssh, sshd from http://leaf.sourceforge.net/devel/jnilo To do this you DO have to use the libc225. I had the same problem and this worked for me.
Re: [leaf-user] ssh - key only - no password
In theory I don't see why it shouldn't work.

Steve Wright wrote: Gurus, I am trying to get my LEAF-WISP 2591 to ssh out, and to accept ssh connections and auth with key only. The routers must be able to load/change/reload policy (addresses, routes, rules) on command from the core but this is insecure without ssh. (I can cron a passworded wget off the core httpd, but not secure.) I have read a number of HOWTOs on doing this but it still refuses. My question is; Will the ssh/sshd on 2591 do key-only (no password) auth, incoming and outgoing? If it does, then I have a config error and I will continue working on it. TIA, and kind regards, Steve

-- Best Regards, Vladimir Ivaschenko Thunderworx - Senior Systems Engineer (RHCE)
[leaf-user] ssh - key only - no password
Gurus, I am trying to get my LEAF-WISP 2591 to ssh out, and to accept ssh connections and auth with key only. The routers must be able to load/change/reload policy (addresses, routes, rules) on command from the core but this is insecure without ssh. (I can cron a passworded wget off the core httpd, but not secure.) I have read a number of HOWTOs on doing this but it still refuses. My question is; Will the ssh/sshd on 2591 do key-only (no password) auth, incoming and outgoing? If it does, then I have a config error and I will continue working on it. TIA, and kind regards, Steve
[leaf-user] Ssh
Ok, I got the IPSec problem worked out, and I have a working tunnel across the wireless link... Now I have another little problem.. I can't ssh into it... First the layout: workstation - bering1.0 - internet - rh7.2 w/shorewall - ipsec - bering1.0 I have tried from the workstation to the RH box, and ssh to the other end of the IPSec tunnel, and I also tried DNATing a high port on the RH box to 22 on the other end of the tunnel and connecting to that from the workstation, and I get the same thing either way.. It prompts me for the password, I enter it, hit enter, the cursor moves to the next line and just sits there and blinks at me.. CTRL-C and I'm back at the prompt.. When I set the Bering box up, I ssh'd to it on the local LAN and it worked fine... I'm not sure why it's doing this.. Any ideas? --- Homer Parker /\ ASCII Ribbon Campaign \ / No HTML/RTF in email http://www.homershut.net x No Word docs in email telnet://bbs.homershut.net/ \ Respect for open standards "Bill Gates reports on security progress made and the challenges ahead." -- Microsoft's Homepage, on the day an SQL Server bug crippled large sections of the Internet.
Re: [leaf-user] SSH question
Thanks Tom. Setting my buddy's sshd to listen on 0.0.0.0 did the trick. I never noticed that it was set to the internal IP. John === Work: http://www.olgclotteries.com [EMAIL PROTECTED] 888-345-7568 ext. 2205 Personal: http://www.mullan.ca [EMAIL PROTECTED] MSN:[EMAIL PROTECTED] ===

Tom Eastep wrote (14-02-03 10:04 AM, Subject: Re: [leaf-user] SSH question):

John Mullan wrote: Yes, they are intentional. I want to keep the FTP server on port 1021. If anyone comes in from outside without specifying port 1021, they will still get to my FTP server. That leaves me the future opportunity to have another FTP server on 21 but only accessible from internal. At least, that is the way I figure it.

Your first rule actually insists that the CLIENT port be 1021 -- rather odd requirement.

I will attempt the Telnet idea later. Work doesn't open very many ports. I don't even get port 80 access from this workstation :(

Also be sure that your sshd is listening on 0.0.0.0 and/or on the external IP address of your firewall. -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://www.shorewall.net Washington USA \ [EMAIL PROTECTED]
[leaf-user] SSH question
Hello folks A little pre-amble: When setting up my buddy's LEAF box, I made an exact copy of my LEAF setup, changing PPPoE user/password, some host names, and that was pretty much it. Everything works exactly like mine. Well, almost everything. While I can login to my LEAF box (over the internet) with SSH (TeraTermPro), I cannot with his. I keep getting "connection refused". I can do it within the internal net no problem (again, same as mine). What should I look for? Could there be something with the possibility of identical keys having copied my installation? I'm not familiar with how that part may or may not affect the situation. Sample of Shorewall RULES file follows:

#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw net tcp 53
ACCEPT fw net udp 53
#
# Accept SSH connections from the local and internet network for administration
#
ACCEPT loc fw tcp 22
ACCEPT net fw tcp 22
#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
#
ACCEPT loc fw udp 53
#
# Allow all access to weblet
#
REDIRECT loc 8080 tcp 80 - 192.168.1.254
ACCEPT loc fw tcp 8080
# Custom rules:
# allow various services for internal servers
#
DNAT net loc:192.168.1.254 tcp 8080
DNAT net loc:192.168.1.128 tcp 80
DNAT net loc:192.168.1.128 tcp 21 1021
DNAT net loc:192.168.1.128 tcp 1021
DNAT net loc:192.168.1.128 tcp 25
DNAT net loc:192.168.1.128 tcp 110
DNAT net loc:192.168.1.128 tcp 1080
DNAT net loc:192.168.1.128 tcp 5631
DNAT net loc:192.168.1.128 tcp 5632
DNAT net loc:192.168.1.128 udp 5631
DNAT net loc:192.168.1.128 udp 5632
DNAT net loc:192.168.1.128 tcp
DNAT net loc:192.168.1.128 tcp 9925
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
AW: [leaf-user] SSH question
A little pre-amble: When setting up my buddy's LEAF box, I made an exact copy of my LEAF setup, changing PPPoE user/password, some host names, and that was pretty much it. Everything works exactly like mine. Well, almost everything. While I can login to my LEAF box (over the internet) with SSH (TeraTermPro), I cannot with his. I keep getting "connection refused".

Try opening a telnet connection to the ssh daemon:

telnet x.x.x.x 22

If it answers with SSH-2.0-OpenSSH_3.5p1 or something similar, then the problem is with the SSH daemon configuration or the password, because you know that you have a running sshd and a firewall that allows connections to it.

What should I look for? Could there be something with the possibility of identical keys having copied my installation?

There should be no problem with using identical keys, though it is clearly not recommended.

DNAT net loc:192.168.1.128 tcp 21 1021
DNAT net loc:192.168.1.128 tcp 1021

Are these two 1021 intentional? Regards Alex
Re: [leaf-user] SSH question
Yes, they are intentional. I want to keep the FTP server on port 1021. If anyone comes in from outside without specifying port 1021, they will still get to my FTP server. That leaves me the future opportunity to have another FTP server on 21 but only accessible from internal. At least, that is the way I figure it. I will attempt the Telnet idea later. Work doesn't open very many ports. I don't even get port 80 access from this workstation :( John

Alex Rhomberg wrote (14-02-03 08:29 AM, Subject: AW: [leaf-user] SSH question):

A little pre-amble: When setting up my buddy's LEAF box, I made an exact copy of my LEAF setup, changing PPPoE user/password, some host names, and that was pretty much it. Everything works exactly like mine. Well, almost everything. While I can login to my LEAF box (over the internet) with SSH (TeraTermPro), I cannot with his. I keep getting "connection refused".

Try opening a telnet connection to the ssh daemon:

telnet x.x.x.x 22

If it answers with SSH-2.0-OpenSSH_3.5p1 or something similar, then the problem is with the SSH daemon configuration or the password, because you know that you have a running sshd and a firewall that allows connections to it.

What should I look for? Could there be something with the possibility of identical keys having copied my installation?

There should be no problem with using identical keys, though it is clearly not recommended.

DNAT net loc:192.168.1.128 tcp 21 1021
DNAT net loc:192.168.1.128 tcp 1021

Are these two 1021 intentional? Regards Alex
Re: [leaf-user] SSH question
John Mullan wrote: Yes, they are intentional. I want to keep the FTP server on port 1021. If anyone comes in from outside without specifying port 1021, they will still get to my FTP server. That leaves me the future opportunity to have another FTP server on 21 but only accessible from internal. At least, that is the way I figure it.

Your first rule actually insists that the CLIENT port be 1021 -- rather odd requirement.

I will attempt the Telnet idea later. Work doesn't open very many ports. I don't even get port 80 access from this workstation :(

Also be sure that your sshd is listening on 0.0.0.0 and/or on the external IP address of your firewall. -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://www.shorewall.net Washington USA \ [EMAIL PROTECTED]
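Two settings decide the two questions this thread and Steve's "key only - no password" thread keep coming back to: ListenAddress (an sshd bound to the internal address answers "connection refused" on the external one, which is exactly what John found) and the password-related keywords (key-only login needs PubkeyAuthentication on and every password path off). The audit below is an added example written for this page, not OpenSSH code and not from the LEAF list. It reads sshd_config with sshd's own rule that the first occurrence of a keyword wins, only looks at the global section (it stops at the first Match block), and treats ListenAddress values that are hostnames as out of scope; both sample configurations are constructed.

```python
"""Audit an sshd_config for the two settings this thread hinges on: where
sshd listens (ListenAddress) and whether it still accepts passwords.

Added example for this page; not OpenSSH code and not from the LEAF list.
The two sample configurations are constructed. Only the global section is
read: like sshd, the parser stops at the first Match block, and keyword
values inside Match blocks are not evaluated here.
"""
import ipaddress
import re


def parse_sshd_config(text: str) -> dict:
    """Map lowercased keyword -> list of values with sshd's own rules:
    keywords are case-insensitive, the FIRST occurrence of a keyword wins
    (later duplicates are silently ignored), except ListenAddress, which
    may appear several times and adds a listener each time."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break
        if key == "listenaddress":
            conf.setdefault(key, []).append(value)
        else:
            conf.setdefault(key, [value])   # no-op if the key was already set
    return conf


def _listen_host(addr: str) -> str:
    """Strip an optional ':port' from a ListenAddress value ('[::1]:22', '0.0.0.0:22')."""
    if addr.startswith("["):
        return addr[1:addr.index("]")]
    if addr.count(":") == 1:
        return addr.split(":")[0]
    return addr


def audit(text: str) -> list:
    """Return human-readable findings; an empty list means key-only auth on all interfaces."""
    conf = parse_sshd_config(text)

    def val(key: str, default: str) -> str:
        return conf.get(key.lower(), [default])[0].lower()

    findings = []
    # Reachability: a ListenAddress pinned to an internal address means clients
    # arriving at the external address get 'connection refused' from the firewall host.
    for addr in conf.get("listenaddress", []):
        try:
            ip = ipaddress.ip_address(_listen_host(addr))
        except ValueError:          # a hostname; not resolved here
            continue
        if ip.is_private and not ip.is_unspecified:
            findings.append(f"ListenAddress {addr}: sshd answers only on this internal address")
    # Authentication: key-only needs pubkey on and every password path off.
    if val("PubkeyAuthentication", "yes") != "yes":
        findings.append("PubkeyAuthentication no: public-key login is disabled")
    if val("PasswordAuthentication", "yes") == "yes":
        findings.append("PasswordAuthentication yes: passwords are still accepted")
    kbd = (conf.get("kbdinteractiveauthentication")
           or conf.get("challengeresponseauthentication") or ["yes"])
    if kbd[0].lower() == "yes":
        findings.append("keyboard-interactive/challenge-response on: PAM can still prompt for a password")
    if val("PermitRootLogin", "yes") == "yes":
        findings.append("PermitRootLogin yes: use prohibit-password so root is key-only too")
    return findings


# constructed: a copied setup that listens only on the LAN address and takes passwords
BROKEN = """
Port 22
ListenAddress 192.168.1.254
PasswordAuthentication yes
PermitRootLogin yes
"""

# constructed: listens everywhere and accepts keys only
FIXED = """
Port 22
ListenAddress 0.0.0.0
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
PasswordAuthentication yes   # ignored by sshd: the first occurrence above wins
"""

if __name__ == "__main__":
    for name, cfg in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, audit(cfg) or ["ok: key-only, all interfaces"])
```

On the real box, run the audit against the file sshd actually loads (sshd -T prints the effective values on newer releases), and remember that after editing sshd_config the daemon must be restarted before the change is in force.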
Re: [leaf-user] SSH question
Thanks Tom, I will double check the listening address. It may have gotten changed somehow. I'm not sure about your reference to 'odd requirement'. Do you mean choosing port 1021? My only intention is, that if external clients make an FTP request using the default port of 21 they get routed to 1021 on the appropriate machine. Saves me explaining to friends to use 1021. Would it be more appropriate to use a REDIRECT instead of DNAT?? John

Tom Eastep wrote (14-02-03 10:04 AM, Subject: Re: [leaf-user] SSH question):

John Mullan wrote: Yes, they are intentional. I want to keep the FTP server on port 1021. If anyone comes in from outside without specifying port 1021, they will still get to my FTP server. That leaves me the future opportunity to have another FTP server on 21 but only accessible from internal. At least, that is the way I figure it.

Your first rule actually insists that the CLIENT port be 1021 -- rather odd requirement.

I will attempt the Telnet idea later. Work doesn't open very many ports. I don't even get port 80 access from this workstation :(

Also be sure that your sshd is listening on 0.0.0.0 and/or on the external IP address of your firewall. -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://www.shorewall.net Washington USA \ [EMAIL PROTECTED]
Re: [leaf-user] SSH question
John Mullan wrote: Thanks Tom, I will double check the listening address. It may have gotten changed somehow. I'm not sure about your reference to 'odd requirement'. Do you mean choosing port 1021? My only intention is, that if external clients make an FTP request using the default port of 21 they get routed to 1021 on the appropriate machine. Saves me explaining to friends to use 1021. Would it be more appropriate to use a REDIRECT instead of DNAT?? John

Tom Eastep wrote (14-02-03 10:04 AM, Subject: Re: [leaf-user] SSH question):

John Mullan wrote: Yes, they are intentional. I want to keep the FTP server on port 1021. If anyone comes in from outside without specifying port 1021, they will still get to my FTP server. That leaves me the future opportunity to have another FTP server on 21 but only accessible from internal. At least, that is the way I figure it.

This is the rule that you posted:

DNAT net loc:192.168.1.128 tcp 21 1021

That rule says to DNAT tcp connection requests from the net to 192.168.1.128 if the destination port is 21 AND THE SOURCE PORT IS 1021. If you wanted to accept either 21 or 1021 then the rule would have been:

DNAT net loc:192.168.1.128 tcp 21,1021

And of course you must tell ip_conntrack_ftp and ip_nat_ftp to consider 1021 to be an ftp port. -Tom -- Tom Eastep \ Shorewall - iptables made easy Shoreline, \ http://www.shorewall.net Washington USA \ [EMAIL PROTECTED]
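Tom's point is purely positional: in the Shorewall rules file the fifth column is DEST PORT(S) and the sixth is SOURCE PORT(S), so "21 1021" restricts the client's port while "21,1021" lists two destination ports. The parser below is an added example written for this page, not Shorewall code; it models the seven columns of the Shorewall 1.x rules file (ACTION SOURCE DEST PROTO DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST), not the extra columns later releases added, and lints for the two problems raised in this thread: a fixed client source port, and FTP on a second port without the conntrack helper being told. The sample rules are constructed after the ones quoted above.

```python
"""Parse Shorewall /etc/shorewall/rules lines into their columns and lint
them, to make visible what the column layout actually says.

Added example for this page, not Shorewall code. It covers the seven
columns of the Shorewall 1.x rules file (ACTION SOURCE DEST PROTO
DEST PORT(S) SOURCE PORT(S) ORIGINAL DEST); later releases append more
columns, which this parser does not model. The sample rules are
constructed after the ones quoted in this thread.
"""
from dataclasses import dataclass

COLUMNS = ("action", "source", "dest", "proto", "dest_ports", "source_ports", "original_dest")


@dataclass
class Rule:
    action: str
    source: str
    dest: str
    proto: str
    dest_ports: list      # [] means 'any'
    source_ports: list    # [] means 'any'; a value here restricts the CLIENT port
    original_dest: str
    text: str


def _ports(col: str) -> list:
    return [] if col in ("-", "") else col.split(",")


def parse_rule(line: str) -> Rule:
    """Split one rule on whitespace; missing trailing columns count as '-'."""
    cols = line.split()
    cols += ["-"] * (len(COLUMNS) - len(cols))
    action, source, dest, proto, dports, sports, odest = cols[:len(COLUMNS)]
    return Rule(action, source, dest, proto, _ports(dports), _ports(sports), odest, line.strip())


def parse_rules(text: str) -> list:
    """Parse a rules file, skipping blank lines and '#' comments."""
    return [parse_rule(ln) for ln in text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("#")]


def explain(rule: Rule) -> str:
    """Say in words what the rule matches, column by column."""
    zone, _, host = rule.dest.partition(":")
    where = f"zone {zone}" + (f" host {host}" if host else "")
    return (f"{rule.action} {rule.proto} from {rule.source} to {where}; "
            f"destination port(s) {','.join(rule.dest_ports) or 'any'}; "
            f"source port(s) {','.join(rule.source_ports) or 'any'}")


def lint(rules: list) -> list:
    """Flag the two mistakes discussed in this thread."""
    warnings = []
    for r in rules:
        if r.source_ports:
            alt = ",".join(r.dest_ports + r.source_ports)
            warnings.append(
                f"'{r.text}': restricts the CLIENT source port to {','.join(r.source_ports)}; "
                f"clients use ephemeral ports, so this almost never matches. For alternative "
                f"destination ports list them comma-separated in the DEST PORT column: "
                f"'{r.action} {r.source} {r.dest} {r.proto} {alt}'")
        if r.action == "DNAT" and r.proto == "tcp" and "21" in r.dest_ports and len(r.dest_ports) > 1:
            extra = ",".join(p for p in r.dest_ports if p != "21")
            warnings.append(
                f"'{r.text}': FTP on a non-standard port also needs the conntrack helper "
                f"told about it (ip_conntrack_ftp and ip_nat_ftp with ports=21,{extra})")
    return warnings


# constructed excerpt modelled on the rules quoted in this thread
SAMPLE_RULES = """\
ACCEPT  loc  fw                 tcp  22
ACCEPT  net  fw                 tcp  22
DNAT    net  loc:192.168.1.128  tcp  21    1021
DNAT    net  loc:192.168.1.128  tcp  21,1021
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE
"""

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    for r in rules:
        print(explain(r))
    for w in lint(rules):
        print("WARNING", w)
```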
Re: [leaf-user] SSH question
At 07:44 AM 2/14/03 -0500, John Mullan wrote: Hello folks A little pre-amble: When setting up my buddies LEAF box, I made an exact copy of my LEAF setup, changing PPPoE user/password, some host names, and that was pretty much it. Everything works exactly like mine. Well, almost everything. While I can login to my LEAF box (over the internet) with SSH (TeraTermPro), I cannot with his. I keep getting connection refused. I can do it within the internal net no problem (again, same as mine). What should I look for? Could there be something with the possibility of identical keys having copied my installation? I'm not familiar with how that part may or may no affect the situation. [details deleted] Your guess about keys seems implausible. The fact that you can connect from the LAN side indicates that sshd (or inetd) is listening on port 22. And the bare connection refused message almost always means a failure before ssh authentication (I say almost because I haven't used TT in years, and it may be different from the Linux ssh client and PuTTY in how it reports authentication failures). How are you determining the IP address to connect to? Since this problem is taking place in a setting of dynamic addressing (PPPoE), are you certain you are connecting to the right IP address? The Shorewall rules you list look OK to me (and more important, Tom seems to think the relevant ones are OK). But the way to be sure is to run shorewall status *after* a connection failure to see if the packets are arriving and what rule is blocking them. Also check the logs for any messages from sshd after a failure (might there be a reverse-lookup problem? wild guess here). Do you and your friend use the same ISP? I've never actually heard of an ISP who blocks ssh connections, but I no longer dismiss the possibility of ANY ISP action on the grounds that it is stupid or inconvenient for customers. A final long shot ... where are you connecting *from*? 
Are you connecting to both your and your friend's router from the same location? If so, could there be anything about the source end that makes the two connections look different (I ask only because you mentioned in a followup that at work you have a restrictive firewall in place)? If not, could there be some difference of consequence between the two locations you try to connect from? -- ---Never tell me the odds! Ray Olszewski -- Han Solo Palo Alto, California, USA [EMAIL PROTECTED]
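Ray's diagnosis above, Alex's "telnet x.x.x.x 22" test earlier in this thread, and the timeout checklist in the 2004 PuTTY thread at the top of this page all rest on the same observation: the way a connection to port 22 fails tells you which layer to look at. The probe below is an added example written for this page, not OpenSSH or PuTTY code. It connects with a timeout, reads the server's identification line, and classifies the result; the fake listener exists only so it can be exercised offline on 127.0.0.1, and the banner it serves is constructed.

```python
"""Probe a TCP port the way the replies suggest ('telnet host 22') and
classify what comes back, because the failure mode is the diagnosis:
a timeout, 'connection refused', a closed connection with no banner, and
a real SSH identification line each point at a different layer.

Added example for this page; not OpenSSH or PuTTY code. The fake sshd
listener exists only so the probe can be exercised offline on 127.0.0.1;
the banner it serves is constructed for the demonstration.
"""
import socket
import threading
from dataclasses import dataclass


@dataclass
class ProbeResult:
    state: str        # "banner" | "no-banner" | "refused" | "timeout" | "unreachable"
    banner: str = ""
    detail: str = ""


def probe_ssh(host: str, port: int = 22, timeout: float = 5.0) -> ProbeResult:
    """Connect, then read the server's identification line (RFC 4253 section 4.2).

    timeout     -> nothing answered: DROP rule, wrong address, or a dead path
    refused     -> the host answered, but nothing listens there (REJECT rule,
                   or sshd bound to a different address)
    no-banner   -> a connection was accepted but no 'SSH-' line came back; the
                   ssh client reports this as 'ssh_exchange_identification:
                   Connection closed by remote host' (tcp_wrappers deny, sshd
                   dying after accept, or not an SSH server at all)
    banner      -> sshd is up and reachable; look at authentication and
                   sshd_config next, not at the network
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        return ProbeResult("timeout", detail=f"no answer within {timeout:.1f}s")
    except ConnectionRefusedError as exc:
        return ProbeResult("refused", detail=str(exc))
    except OSError as exc:
        return ProbeResult("unreachable", detail=str(exc))
    with sock:
        sock.settimeout(timeout)
        data = b""
        try:
            while b"\n" not in data and len(data) < 256:
                chunk = sock.recv(256)
                if not chunk:          # peer closed without a banner
                    break
                data += chunk
        except socket.timeout:
            return ProbeResult("no-banner", detail="connected, but no identification line within timeout")
        except OSError as exc:         # e.g. reset by the peer
            return ProbeResult("no-banner", detail=str(exc))
    line = data.split(b"\n", 1)[0].rstrip(b"\r").decode("ascii", "replace")
    if line.startswith("SSH-"):
        return ProbeResult("banner", banner=line)
    return ProbeResult("no-banner", banner=line,
                       detail="connection closed by remote host before any SSH- line")


def start_fake_sshd(banner: bytes = b"SSH-2.0-OpenSSH_3.5p1\r\n") -> int:
    """Serve one constructed banner on 127.0.0.1 and return the ephemeral port.
    An empty banner reproduces the 'closed by remote host' case."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve_once():
        conn, _ = srv.accept()
        with conn:
            if banner:
                conn.sendall(banner)
        srv.close()

    threading.Thread(target=serve_once, daemon=True).start()
    return srv.getsockname()[1]


def closed_port() -> int:
    """Pick a loopback port nothing listens on, to show the 'refused' case."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    print(probe_ssh("127.0.0.1", start_fake_sshd()))
    print(probe_ssh("127.0.0.1", start_fake_sshd(b"")))
    print(probe_ssh("127.0.0.1", closed_port()))
```

Against a real router, run it from both sides (LAN and Internet) with the same timeout you would give PuTTY: a "refused" from inside and a "timeout" from outside narrows the fault to the firewall or the path, while a "refused" from outside only, with the LAN working, is the ListenAddress case Tom asked about.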
[leaf-user] SSH Sentinel
Hello Does SSH Sentinel support Dynamic DNS IPs? Thanks Herbert
RE: [leaf-user] SSH Sentinel
Not 100% what you mean, are you asking if the client is dynamic can you SSH Sentinel on the client? If so then the answer is yes, they have some great docs on their site for integrating with FreeSwan. - Todd

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Heriberto Höhlke Sent: Thursday, January 30, 2003 8:38 AM To: [EMAIL PROTECTED] Subject: [leaf-user] SSH Sentinel

Hello Does SSH Sentinel support Dynamic DNS IPs? Thanks Herbert
Re: [leaf-user] SSH Sentinel
Yes, my question was if the client SSH Sentinel could be dynamic. Thanks

Not 100% what you mean, are you asking if the client is dynamic can you SSH Sentinel on the client? If so then the answer is yes, they have some great docs on their site for integrating with FreeSwan. - Todd

-Original Message- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Heriberto Höhlke Sent: Thursday, January 30, 2003 8:38 AM To: [EMAIL PROTECTED] Subject: [leaf-user] SSH Sentinel

Hello Does SSH Sentinel support Dynamic DNS IPs? Thanks Herbert
[leaf-user] Ssh and portforwarding
Hi, I'm getting the following error in my logs:

sshd[1986]: channel 3: open failed: connect failed: Remote port is not recognised

Can anyone tell me what this error means and/or what is causing it? My guess is it has something to do with portforwarding, but searching Google doesn't give me any hints :-( I'm using OpenSSH_3.0p1 on an Eigerstein CD configuration. Stefaan
[leaf-user] ssh running on firewall
-Original Message- From: Timothy J. Massey [mailto:modernmerchant;yahoo.com] Sent: Thursday, November 07, 2002 11:40 AM Subject: RE: [leaf-user] Unable to serve large files (Dachstein 1.0.2) snip Anyway, I am not physically in front of the firewall, and I don't have SSH on that box (it's against my religion to put methods to access the firewall on the firewall), I will have to change the MTU later today. Hopefully, that will fix it.

I don't have SSH on my firewall either, but I ssh into a forwarded host inside the network and then connect to the router via null modem cable from there.
Re: [leaf-user] ssh
- Original Message - From: David Douthitt [EMAIL PROTECTED] To: ArisB [EMAIL PROTECTED] Cc: Jeff Newmiller [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, October 10, 2002 4:06 AM Subject: Re: [leaf-user] ssh

Shutdown the sshd daemon on the firewall, and start it from the command line like so:

sshd -ddd

...and watch what happens when you connect. Likewise, when connecting, use:

slogin -v me@myfirewall

...or:

ssh -v me@myfirewall

Then report what the server said, and report what the client said. Note that after a connection (successful or not) the sshd client running in debug mode quits. You'll have to restart your sshd server normally - but if it doesn't work, it may not matter...

When I start the daemon like this (sshd -ddd) I get this on my screen:

debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 RSA
Privilege separation user sshd does not exist

When I run the client I see this:

ssh -v [EMAIL PROTECTED]
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: connecting to: 192.168.1.254 [192.168.1.254] port 22
debug1: connection established
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
debug1: calling cleanup 0x8061e60(0x0)

It looks like the problem is something with the key files, but I'm sure (100%) I created them with makekey. How can I solve this? Thanks in advance, Aris
Re: [leaf-user] ssh
Aris At 14:25 10.10.2002, you wrote:

- Original Message - From: David Douthitt [EMAIL PROTECTED] To: ArisB [EMAIL PROTECTED] Cc: Jeff Newmiller [EMAIL PROTECTED]; [EMAIL PROTECTED] Sent: Thursday, October 10, 2002 4:06 AM Subject: Re: [leaf-user] ssh

When I start the daemon like this (sshd -ddd) I get this on my screen:

debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 RSA
Privilege separation user sshd does not exist

This is a FAQ and handled in the bering docs, basically you have to create a user sshd. Please browse the archives.

When I run the client I see this:

ssh -v [EMAIL PROTECTED]
OpenSSH_3.4p1, SSH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts authentication disabled, originating port will not be trusted.
debug1: ssh_connect: needpriv 0
debug1: connecting to: 192.168.1.254 [192.168.1.254] port 22
debug1: connection established
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1

Looks like the key/identity files are missing, look into your .ssh directories.

ssh_exchange_identification: Connection closed by remote host
debug1: calling cleanup 0x8061e60(0x0)

It looks like the problem is something with the key files, but I'm sure (100%) I created them with makekey. How can I solve this?

I guess you have to re-read http://leaf.sourceforge.net/devel/jnilo/openssh.html HTH Erich THINK Püntenstrasse 39 8143 Stallikon mailto:[EMAIL PROTECTED] PGP Fingerprint: BC9A 25BC 3954 3BC8 C024 8D8A B7D4 FF9D 05B8 0A16
[leaf-user] ssh
I'm now using bering instead of dachstein and I'm trying to setup a sshd (internal). So I downloaded ssh, sshd, libz, sshkey from http://leaf.sourceforge.net/devel/jnilo/ I put them on a disk (1440) and configured bering to start from 2 diskettes. I have made a key (with makekey) and it seems to be installed. But when I try to connect from a client I see this: ssh_exchange_identification : connection closed by remote host (with redhat 8.0), in windows with putty I only get the message "connection closed by remote host". PS where can I configure silent_deny in bering? Thanks in advance, Aris
Re: [leaf-user] ssh
I've followed the install instructions on the website, it still isn't working. But when I install a ssh client on the firewall and then try to connect to the sshd (which is also on the firewall) I still can't connect; then I get

  exchange_identification: connection closed by remote host

and in the hosts.allow is a line ALL: 192.168.1.0/255.255.255.0.

I had almost the same problem with Dachstein; I solved that by getting the sshd.lrp from the Dachstein CD-ROM. I can't find another sshd.lrp for Bering, every site links to http://leaf.sourceforge.net/devel/jnilo/

How can I solve my problem?

PS: with SILENT_DENY I mean I don't want to log this message

  Oct 10 02:01:02 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:80:2d:6a:f5:8b:08:00 SRC=172.31.254.129 DST=255.255.255.255 LEN=348 TOS=0x00 PREC=0x00 TTL=253 ID=45715 DF PROTO=UDP SPT=67 DPT=68 LEN=328

otherwise I get very large logfiles because I get this like 3000 times a day.

Thanks in advance,
Aris

----- Original Message -----
From: Jeff Newmiller
To: ArisB
Cc: leaf-user
Sent: Thursday, October 10, 2002 2:40 AM
Subject: Re: [leaf-user] ssh

> On Thu, 10 Oct 2002, ArisB wrote:
>
> > I'm now using Bering instead of Dachstein and I'm trying to set up a sshd (internal). So I downloaded ssh, sshd, libz, sshkey from
>
> ssh.lrp shouldn't be necessary, and may actually be a bad idea for a firewall.
>
> > http://leaf.sourceforge.net/devel/jnilo/ I put them on a disk (1440) and configured Bering to start from 2 diskettes. I have made a key (with makekey) and it seems to be installed. But when I try to connect from a client I see this: ssh_exchange_identification: connection closed by remote host (with Red Hat 8.0); in Windows with PuTTY I only get the message connection closed by remote host
>
> Is /etc/hosts.allow configured to let you connect?
>
> Have you followed the instructions for configuring an sshd user for privilege separation?
>
> http://leaf.sourceforge.net/devel/jnilo/openssh.html
>
> > PS: where can I configure silent_deny in Bering?
>
> If you mean use DENY rather than REJECT for default packet handling... in the Shorewall policy file.
>
> Jeff Newmiller
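The log line Aris wants to silence is the Shorewall prefix on a netfilter LOG entry, and the useful question is not how to hide it but how to tell that chatter apart from drops worth reading. The parser below is an added example, not code from the list or the LEAF project; the sample lines are constructed in the same format (the chain name net2all and the addresses in the third line are made up).

```python
import re
from collections import Counter

# Constructed sample lines in the Shorewall/netfilter kernel log format quoted in
# the thread. The first two mimic the ISP DHCP chatter Aris wants to silence; the
# third is a constructed inbound SYN to port 22 that a firewall admin would want
# to keep seeing; the last is a non-Shorewall line the parser must skip.
SAMPLE_LOG = """\
Oct 10 02:01:02 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:80:2d:6a:f5:8b:08:00 SRC=172.31.254.129 DST=255.255.255.255 LEN=348 TOS=0x00 PREC=0x00 TTL=253 ID=45715 DF PROTO=UDP SPT=67 DPT=68 LEN=328
Oct 10 02:01:32 firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT= MAC=ff:ff:ff:ff:ff:ff:00:80:2d:6a:f5:8b:08:00 SRC=172.31.254.129 DST=255.255.255.255 LEN=348 TOS=0x00 PREC=0x00 TTL=253 ID=45716 DF PROTO=UDP SPT=67 DPT=68 LEN=328
Oct 10 02:05:11 firewall kernel: Shorewall:net2all:DROP:IN=eth0 OUT= MAC=00:80:2d:6a:f5:8b:00:00:5e:00:01:01:08:00 SRC=203.0.113.7 DST=198.51.100.2 LEN=60 TOS=0x00 PREC=0x00 TTL=49 ID=1 DF PROTO=TCP SPT=40112 DPT=22 WINDOW=5840 RES=0x00 SYN URGP=0
Oct 10 02:05:40 firewall sshd[412]: Accepted publickey for root from 192.168.1.10 port 34567 ssh2
"""

# Shorewall prefixes the kernel LOG entry with "Shorewall:<chain>:<disposition>:".
_SHOREWALL_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"Shorewall:(?P<chain>[^:]+):(?P<action>[^:]+):(?P<rest>.*)$"
)


def parse_shorewall_line(line):
    """Return a dict for a Shorewall kernel log line, or None for anything else.

    The netfilter part is a run of KEY=VALUE tokens plus bare flags (DF, SYN).
    LEN appears twice (IP header, then transport header); only the first is kept.
    """
    m = _SHOREWALL_RE.match(line)
    if not m:
        return None
    fields, flags = {}, set()
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:
            fields.setdefault(key, value)
        else:
            flags.add(key)
    return {
        "ts": m.group("ts"),
        "chain": m.group("chain"),
        "action": m.group("action"),
        "fields": fields,
        "flags": flags,
    }


def is_dhcp_broadcast(rec):
    """True for the pattern in Aris's line: UDP 67 -> 68 to the broadcast address,
    i.e. a DHCP server on the ISP segment talking to its own clients. Dropping it
    is correct; logging it 3000 times a day is just noise."""
    f = rec["fields"]
    return (f.get("PROTO") == "UDP" and f.get("SPT") == "67"
            and f.get("DPT") == "68" and f.get("DST") == "255.255.255.255")


def summarize(lines):
    """Count dropped packets by (chain, source, protocol, destination port) so the
    admin can see at a glance what is filling the log."""
    counts = Counter()
    for line in lines:
        rec = parse_shorewall_line(line)
        if rec is None or rec["action"] != "DROP":
            continue
        f = rec["fields"]
        counts[(rec["chain"], f.get("SRC"), f.get("PROTO"), f.get("DPT"))] += 1
    return counts


def noteworthy(lines):
    """Drop records that are the known DHCP chatter: what is left is the
    short list an admin should actually read."""
    out = []
    for line in lines:
        rec = parse_shorewall_line(line)
        if rec is not None and not is_dhcp_broadcast(rec):
            out.append(rec)
    return out


if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG.splitlines()).most_common():
        print(n, key)
    for rec in noteworthy(SAMPLE_LOG.splitlines()):
        print("review:", rec["chain"], rec["fields"]["SRC"], "->", rec["fields"]["DPT"])
```

Run over a day's syslog, the summary shows whether the volume really is one DHCP server on the upstream segment (in which case the rfc1918 drop stays and only its logging needs quieting) while the inbound SYN to port 22 from the net zone remains visible.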
Re: [leaf-user] ssh
On Thu, Oct 10, 2002 at 03:27:03AM +0200, ArisB wrote:

> I've followed the install instructions on the website, it still isn't working. But when I install a ssh client on the firewall and then try to connect to the sshd (which is also on the firewall) I still can't connect; then I get exchange_identification: connection closed by remote host and in the hosts.allow is a line ALL: 192.168.1.0/255.255.255.0.

Shut down the sshd daemon on the firewall, and start it from the command line like so:

  sshd -ddd

...and watch what happens when you connect. Likewise, when connecting, use:

  slogin -v me@myfirewall

...or:

  ssh -v me@myfirewall

Then report what the server said, and report what the client said.

Note that after a connection (successful or not) the sshd client running in debug mode quits. You'll have to restart your sshd server normally - but if it doesn't work, it may not matter...
[leaf-user] SSH Bering Leaf
I would like to enable SSH from the Internet on a LEAF Bering box tomorrow so I can remotely monitor it. I already have libz, sshd and sshkey loaded from syslinux.cfg. Assuming I do a makekey and can connect from inside (i.e., loc), is it sufficient to add the following to my Shorewall rules file:

  ACCEPT net fw tcp 22

or is there more to do?

Thanks!
-sr
Re: [leaf-user] SSH Bering Leaf
On Sunday 22 September 2002 21:31, sr wrote:

> I would like to enable SSH from the Internet on a LEAF Bering box tomorrow so I can remotely monitor it. I already have libz, sshd and sshkey loaded from syslinux.cfg. Assuming I do a makekey and can connect from inside (i.e., loc), is it sufficient to add the following to my Shorewall rules file:
>
>   ACCEPT net fw tcp 22
>
> or is there more to do?

Yes. Check hosts.allow :-)

Jacques
Re: [leaf-user] SSH Bering Leaf
Jacques Nilo wrote:

> On Sunday 22 September 2002 21:31, sr wrote:
>
> > or is there more to do?
>
> Yes. Check hosts.allow :-)
>
> Jacques

Hosts.allow only comes into play if sshd is being started via /etc/inetd.conf:

===
#:OTHER: Other services
ssh     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/sshd -i
===

Following your docs, this would be commented out, and the daemon would be running standalone from init.

A better line in your /etc/shorewall/rules would be something like:

  ACCEPT net:128.287.333.12 fw tcp 22

or

  ACCEPT net:128.287.333.0/24 fw tcp 22

if'n you know where'n ya'll are gonna be comin' from, because it's more restrictive.

regards,
matthew
Re: [leaf-user] SSH Bering Leaf
On Sun, 22 Sep 2002, Matthew Schalit wrote:

> Jacques Nilo wrote:
>
> > On Sunday 22 September 2002 21:31, sr wrote:
> >
> > > or is there more to do?
> >
> > Yes. Check hosts.allow :-)
> >
> > Jacques
>
> Hosts.allow only comes into play if sshd is being started via /etc/inetd.conf:

Matt... sshd also checks /etc/hosts.allow itself if compiled to do so. Most binaries for LEAF boxen are compiled this way.

> ===
> #:OTHER: Other services
> ssh     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/sshd -i
> ===
>
> Following your docs, this would be commented out, and the daemon would be running standalone from init.
>
> A better line in your /etc/shorewall/rules would be something like:
>
>   ACCEPT net:128.287.333.12 fw tcp 22
>
> or
>
>   ACCEPT net:128.287.333.0/24 fw tcp 22
>
> if'n you know where'n ya'll are gonna be comin' from, because it's more restrictive.
>
> regards,
> matthew

Jeff Newmiller
RE: [leaf-user] SSH Bering Leaf
Yes, it's OK. But I think net is too wide. Maybe you want to specify only your network to connect to it. Such as:

  ACCEPT net:202.22.34.0/24 fw tcp 22

Cheers
Chutima S.

-----Original Message-----
From: sr
Sent: 23 September, 2002 2:32 AM
To: LEAF
Subject: [leaf-user] SSH Bering Leaf

> I would like to enable SSH from the Internet on a LEAF Bering box tomorrow so I can remotely monitor it. I already have libz, sshd and sshkey loaded from syslinux.cfg. Assuming I do a makekey and can connect from inside (i.e., loc), is it sufficient to add the following to my Shorewall rules file:
>
>   ACCEPT net fw tcp 22
>
> or is there more to do?
>
> Thanks!
> -sr
Re: [leaf-user] SSH Bering Leaf
Jeff Newmiller wrote:

> On Sun, 22 Sep 2002, Matthew Schalit wrote:
>
> > Hosts.allow only comes into play if sshd is being started via /etc/inetd.conf:
>
> Matt... sshd also checks /etc/hosts.allow itself if compiled to do so. Most binaries for LEAF boxen are compiled this way.

Yea, I've messed with that when compiling it myself, and I was wrong to make such a blanket statement. But it's not enabled on the pre-rolled sshd-3.4p1 by JN. So that specific version won't use hosts.allow when running standalone. That's what I was thinking after having tested it.

thanks,
matt
[leaf-user] ssh error
I recently switched out a Dachstein floppy firewall with a Dachstein CD firewall. The major difference between the two firewalls was the addition of ssh on the new one running DCD. My problem is any attempt to ssh to a WAN client ends in a "server refused a secure connection" error. I can ssh to the firewall itself from any LAN computer and I can ssh to a remote host from the firewall itself fine. It appears as if the firewall is not forwarding the ssh request packets to the WAN boxes. I have been unable to find the same error in the archives and since I am initiating the connection on the LAN, the connection should be using a non-privileged port. Is there anyone else that has run into this error and/or has someone come up with a better solution than simply eliminating ssh on the firewall???

TIA
--
~Lynn Avants aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net
If linux isn't the answer, you've probably got the wrong question!
Re: [leaf-user] ssh error
> I recently switched out a Dachstein floppy firewall with a Dachstein CD firewall. The major difference between the two firewalls was the addition of ssh on the new one running DCD. My problem is any attempt to ssh to a WAN client ends in a "server refused a secure connection" error. I can ssh to the firewall itself from any LAN computer and I can ssh to a remote host from the firewall itself fine. It appears as if the firewall is not forwarding the ssh request packets to the WAN boxes. I have been unable to find the same error in the archives and since I am initiating the connection on the LAN, the connection should be using a non-privileged port. Is there anyone else that has run into this error and/or has someone come up with a better solution than simply eliminating ssh on the firewall???

The above is very strange...you shouldn't have any problems connecting via ssh to a remote machine just because you run ssh on the firewall. I run ssh on all my Dachstein-CD boxes, and can ssh to either the firewall or various remote hosts with no problems.

Can you really connect with exactly the same setup, except for Dachstein-floppy instead of Dachstein-CD as your firewall?

With the error you report, I'd suspect something more like:

- Remote server is refusing connections on port-22 (ssh)
- Remote server only accepts ssh-V2, and you're running ssh-V1
- Remote server configured to only allow connections authenticated by public key
- Incorrect username/password embedded in some gui ssh client

...or similar issues, unless of course, you manually added some REDIRECT rules to the ipchains ruleset or something :-)

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)
Re: [leaf-user] ssh error
On Friday 30 August 2002 13:06, Charles Steinkuehler wrote:

> The above is very strange...you shouldn't have any problems connecting via ssh to a remote machine just because you run ssh on the firewall. I run ssh on all my Dachstein-CD boxes, and can ssh to either the firewall or various remote hosts with no problems.

Got it (finally!). The NOMASQ_DEST variable was set for ssh in network.conf. I wonder when I set that option... The new firewall is a spare 1U box I made that was lying around w/o a CF reader; figured it might be more convenient since the ISP was down for a while. I keep thinking I know how to troubleshoot my own system.

Thanks again Charles!
--
~Lynn Avants aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net
If linux isn't the answer, you've probably got the wrong question!
Re: [leaf-user] ssh error
Lynn guitarlynn wrote the following at 19:56 30.08.2002:

> I recently switched out a Dachstein floppy firewall with a Dachstein CD firewall. The major difference between the two firewalls was the addition of ssh on the new one running DCD. My problem is any attempt to ssh to a WAN client ends in a "server refused a secure connection" error. I can ssh to the firewall itself from any LAN computer and I can ssh to a remote host from the firewall itself fine. It appears as if the firewall is not forwarding the ssh request packets to the WAN boxes. I have been unable to find the same error in the archives and since I am initiating the connection on the LAN, the connection should be using a non-privileged port. Is there anyone else that has run into this error and/or has someone come up with a better solution than simply eliminating ssh on the firewall???

I believe you are barking up the wrong tree. Unless you do some fancy port forwarding I don't see how the presence of ssh on the firewall should prevent you from passing a ssh connection through it. I have been running a floppy based box including ssh exactly the way you want to.

cheers
Erich
THINK
[leaf-user] ssh Ctrl-C behavior
I apologize if this is a little unrelated, but one of my Bering boxes behaves differently from my other Bering boxes in a ssh session. The ssh session simply disconnects when I press Ctrl-C at the # prompt. This does not happen on the other boxes. I am using the same client (PuTTY) to access these boxes. It's very annoying as I use Ctrl-C to stop processes like ping, and it terminates the ssh session and I need to reconnect. Ugh!
Re: [leaf-user] ssh Ctrl-C behavior
On Thu, 2002-06-27 at 12:45, Dragon Wood wrote:

> I apologize if this is a little unrelated, but one of my Bering boxes behaves differently from my other Bering boxes in a ssh session. The ssh session simply disconnects when I press Ctrl-C at the # prompt. This does not happen on the other boxes. I am using the same client (PuTTY) to access these boxes. It's very annoying as I use Ctrl-C to stop processes like ping, and it terminates the ssh session and I need to reconnect. Ugh!

I had the same problem with Bering rc2 on CD. The fix was to replace the sshd package with the latest one.

Stephen
RE: [leaf-user] SSH via http ?
-----Original Message-----
From: Jack Coates
Sent: Saturday, May 25, 2002 17:09
To: [EMAIL PROTECTED]
Cc: leaf
Subject: Re: [leaf-user] SSH via http ?

> Use corkscrew (http://www.agroman.net/corkscrew); you may need to use cygwin if coming from windows. Works like a charm at my work, which also only allows HTTP/S out.
>
> Jack
>
> On Fri, 24 May 2002, David Ondzes wrote:
>
> > I have seen a commercial product that lets you use a browser to connect to a SSH server and get terminal access. Does anyone know if there a similar type application available for LEAF ? The reason I ask is because my company only lets http traffic pass through firewall (via a proxy server) and it would be nice to be able to reach my machine at home.
>
> --
> Jack Coates
> Monkeynoodle: A Scientific Venture...
RE: [leaf-user] SSH via http ?
Oops...forgot the data.

If you're using a Windows client, you can try http-tunnel; what it does is tunnel all traffic via the proxy server on port 80.

cheers

-----Original Message-----
From: Jack Coates
Sent: Saturday, May 25, 2002 17:09
To: [EMAIL PROTECTED]
Cc: leaf
Subject: Re: [leaf-user] SSH via http ?

> Use corkscrew (http://www.agroman.net/corkscrew); you may need to use cygwin if coming from windows. Works like a charm at my work, which also only allows HTTP/S out.
>
> Jack
>
> On Fri, 24 May 2002, David Ondzes wrote:
>
> > I have seen a commercial product that lets you use a browser to connect to a SSH server and get terminal access. Does anyone know if there a similar type application available for LEAF ? The reason I ask is because my company only lets http traffic pass through firewall (via a proxy server) and it would be nice to be able to reach my machine at home.
>
> --
> Jack Coates
> Monkeynoodle: A Scientific Venture...
[leaf-user] SSH Help
I installed SSH on my LEAF box (running Dachstein) with the help of http://leaf.sourceforge.net/devel/jnilo/openssh2.html . I did it exactly as it said and I ran makekey to generate the key. So it should be working, but I'm getting a "connection refused" error. I'm using PuTTY to connect to my LRP box (192.168.1.254:22). Are there any settings I have to set, or changes to the ssh files on the router?

Thanks,
Jon
Re: [leaf-user] SSH Help
On Sat, 2002-06-01 at 12:13, Jonathan Berglund wrote:

> I installed SSH on my LEAF box (running Dachstein) with the help of http://leaf.sourceforge.net/devel/jnilo/openssh2.html . I did it exactly as it said and I ran makekey to generate the key. So it should be working, but I'm getting a "connection refused" error. I'm using PuTTY to connect to my LRP box (192.168.1.254:22). Are there any settings I have to set, or changes to the ssh files on the router?

Try the following:

In /etc/init.d/sshd comment out

  #echo Secure Shell server via inetd: sshd
  #exit 0

and then run

  svi sshd restart

ps ax | grep sshd should show /usr/sbin/sshd running. Now, try connecting to the LEAF box.

Stephen
Re: [leaf-user] SSH Help
Are you allowing ssh connections to your box? Check your /etc/hosts.allow.

-prabhakar

> I installed SSH on my LEAF box (running Dachstein) with the help of http://leaf.sourceforge.net/devel/jnilo/openssh2.html . I did it exactly as it said and I ran makekey to generate the key. So it should be working, but I'm getting a "connection refused" error. I'm using PuTTY to connect to my LRP box (192.168.1.254:22). Are there any settings I have to set, or changes to the ssh files on the router?
RE: [leaf-user] SSH Help
Thanks!!! I love you guys! LOL. Thanks for the help to everyone on this mailing list. Now I got port forwarding working and remote access to my LRP box (no more need for this extra monitor!!!). Thanks so much! If I have any other questions, I know where to ask.

- Jon

-----Original Message-----
From: Stephen Lee
Sent: Saturday, June 01, 2002 12:58 PM
To: [EMAIL PROTECTED]
Cc: Leaf-user
Subject: Re: [leaf-user] SSH Help

> On Sat, 2002-06-01 at 12:13, Jonathan Berglund wrote:
>
> > I installed SSH on my LEAF box (running Dachstein) with the help of http://leaf.sourceforge.net/devel/jnilo/openssh2.html . I did it exactly as it said and I ran makekey to generate the key. So it should be working, but I'm getting a "connection refused" error. I'm using PuTTY to connect to my LRP box (192.168.1.254:22). Are there any settings I have to set, or changes to the ssh files on the router?
>
> Try the following:
>
> In /etc/init.d/sshd comment out
>
>   #echo Secure Shell server via inetd: sshd
>   #exit 0
>
> and then run
>
>   svi sshd restart
>
> ps ax | grep sshd should show /usr/sbin/sshd running. Now, try connecting to the LEAF box.
>
> Stephen
Re: [leaf-user] SSH problems from external network
Jacques,

Thanks so much for the swift, short and CORRECT answer! I changed the hosts.allow file and all works wonderfully now. Could this also be the reason my qmail wasn't working, or is that more complex? (See previous posting).

Thanks once again,
Adam.

----- Original Message -----
From: Jacques Nilo
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, May 27, 2002 3:23 PM
Subject: Re: [leaf-user] SSH problems from external network

> On Monday 27 May 2002 19:35, [EMAIL PROTECTED] wrote:
>
> > My Bering 2.4.18 firewall is installed on a 486 with HD booting. I use SSH (PuTTY) to access the firewall from internally, and all works well. I set up a rule in SHOREWALL to allow this:
> >
> >   ACCESS loc fw tcp 22
> >
> > Now I want to use SSH to access from the internet. I enter:
> >
> >   ACCESS net fw tcp 22
> >
> > But unfortunately, it won't work. PuTTY runs, and I get the black screen with my IP address showing and it seems to be waiting to display the login: but nothing appears. Then PuTTY quits.
> >
> > Any ideas?
>
> Check hosts.allow :-)
>
> jacques
[leaf-user] SSH problems from external network
My Bering 2.4.18 firewall is installed on a 486 with HD booting. I use SSH (PuTTY) to access the firewall from internally, and all works well. I set up a rule in SHOREWALL to allow this:

  ACCESS loc fw tcp 22

Now I want to use SSH to access from the internet. I enter:

  ACCESS net fw tcp 22

But unfortunately, it won't work. PuTTY runs, and I get the black screen with my IP address showing and it seems to be waiting to display the login: but nothing appears. Then PuTTY quits.

Any ideas?

Adam Drake.
Re: [leaf-user] SSH problems from external network
On Monday 27 May 2002 19:35, [EMAIL PROTECTED] wrote:

> My Bering 2.4.18 firewall is installed on a 486 with HD booting. I use SSH (PuTTY) to access the firewall from internally, and all works well. I set up a rule in SHOREWALL to allow this:
>
>   ACCESS loc fw tcp 22
>
> Now I want to use SSH to access from the internet. I enter:
>
>   ACCESS net fw tcp 22
>
> But unfortunately, it won't work. PuTTY runs, and I get the black screen with my IP address showing and it seems to be waiting to display the login: but nothing appears. Then PuTTY quits.
>
> Any ideas?

Check hosts.allow :-)

jacques
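"Check hosts.allow" is the answer in this thread, in the Bering Leaf thread above and in the SSH Help thread, so it helps to see exactly what the file decides. The script below is an added example, not code from the list or the LEAF project: it reproduces the hosts_access(5) decision order (first hosts.allow match grants, then first hosts.deny match refuses, else access is granted) for IPv4 client patterns, using constructed copies of the files discussed above. If a daemon accepts a client that this logic would refuse, it is not consulting the files at all, which is the libwrap point Jeff and Matthew make.

```python
import ipaddress

# Constructed configuration files mirroring the ones discussed on the list: a
# hosts.allow that admits exactly one host (the /255.255.255.255 mask) and a
# hosts.deny that refuses everyone else. "sshd" is the daemon name tcp_wrappers
# would be asked about.
HOSTS_ALLOW = """\
# allow only one management host, all daemons
ALL: 192.168.1.2/255.255.255.255
"""
HOSTS_DENY = "ALL: ALL\n"


def _split_list(field):
    """A daemon_list or client_list is separated by commas and/or blanks."""
    return [item for item in field.replace(",", " ").split() if item]


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option ...]' lines.

    Comments and blank lines are skipped. Only the first two fields matter for
    the allow/deny decision; the EXCEPT operator and the LOCAL/KNOWN/UNKNOWN/
    PARANOID wildcards are not implemented here (assumption: plain IPv4 lists).
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = [p.strip() for p in line.split(":")]
        if len(parts) < 2:
            continue
        rules.append((_split_list(parts[0]), _split_list(parts[1])))
    return rules


def client_matches(pattern, addr):
    """tcp_wrappers client patterns, as far as IPv4 addresses go:
    ALL, net/mask (the form used in the thread), net/prefixlen, a trailing-dot
    address prefix such as '192.168.1.', or an exact address."""
    ip = ipaddress.ip_address(addr)
    if pattern == "ALL":
        return True
    if "/" in pattern:
        try:
            # ip_network accepts both dotted masks and prefix lengths
            net = ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
        return ip in net
    if pattern.endswith("."):
        return addr.startswith(pattern)
    return addr == pattern


def daemon_matches(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def hosts_access(daemon, addr, allow_text=HOSTS_ALLOW, deny_text=HOSTS_DENY):
    """Return (granted, which_file_decided) in hosts_access(5) order."""
    for daemons, clients in parse_rules(allow_text):
        if any(daemon_matches(d, daemon) for d in daemons) and \
           any(client_matches(c, addr) for c in clients):
            return True, "hosts.allow"
    for daemons, clients in parse_rules(deny_text):
        if any(daemon_matches(d, daemon) for d in daemons) and \
           any(client_matches(c, addr) for c in clients):
            return False, "hosts.deny"
    return True, "default"


if __name__ == "__main__":
    # Only 192.168.1.2 should pass; the rest of 192.168.1.0/24 is caught by
    # hosts.deny, which is what a single-host mask is supposed to do.
    for client in ("192.168.1.2", "192.168.1.5", "203.0.113.9"):
        print(client, hosts_access("sshd", client))
```

Whether sshd applies these rules when started standalone depends on it being linked against libwrap; ldd on the sshd binary lists libwrap.so when it is, and only then do the allow/deny files matter without tcpd in front.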
Re: [leaf-user] SSH via http ?
Use corkscrew (http://www.agroman.net/corkscrew); you may need to use cygwin if coming from windows. Works like a charm at my work, which also only allows HTTP/S out.

Jack

On Fri, 24 May 2002, David Ondzes wrote:

> I have seen a commercial product that lets you use a browser to connect to a SSH server and get terminal access. Does anyone know if there a similar type application available for LEAF ? The reason I ask is because my company only lets http traffic pass through firewall (via a proxy server) and it would be nice to be able to reach my machine at home.

--
Jack Coates
Monkeynoodle: A Scientific Venture...
Re: [leaf-user] ssh to host behind firewall: connect direct or through router?
Eric House wrote:

> There seem to be two ways to allow ssh access from outside the firewall to a host inside:
>
> 1. forward some port on the fw to the host;
> 2. connect directly to sshd on the fw and use the -Lport:host:port flag to forward an additional connection to the host.
>
> Is there agreement on which method is better (where better means more secure, I guess)?

To answer the security question, I believe you have to look at how often you are able to get a bug fix on each host. For example, if you are using the port forward method in #1 above, that would depend on the host you are forwarding to. I know Red Hat had a security fix for the last ssh vulnerability right away. The same goes for method #2 above. Jacques Nilo had a ssh package for all the LEAF firewalls. So if the timeliness of the patches is the same, it depends on how quickly you apply the patches as to which method is more secure.

> The fw and host are at home. Most of the time I'm connecting from outside I'm either at work and want to xhost some app, or I want to transfer a bunch of files. Occasionally I need to tweak the router, so picking #1 above wouldn't remove the need to have sshd on the router's floppy.

This may then depend on style in your case. If you are more comfortable port forwarding, method #1, then use it. If you want to stop at the firewall first and then jump off to somewhere else on your home network, then pick method #2 above. Perhaps there's another task that you would want to do in the future that would affect your decision. For now it does not seem to matter which method you use in your case. However, it appears that your ssh tasks are geared toward your internal machine--xhosting and scp files--versus firewall maintenance.

> Connections are always from machines that have keys in the router's (and inside host's) .ssh/authorized_keys files. Password login is disabled. I'm running Bering RC2.
>
> Thanks,
> --Eric

Hope this helps,
Greg Morgan
[leaf-user] SSH via http ?
I have seen a commercial product that lets you use a browser to connect to a SSH server and get terminal access. Does anyone know if there is a similar type of application available for LEAF? The reason I ask is because my company only lets http traffic pass through the firewall (via a proxy server) and it would be nice to be able to reach my machine at home.
[leaf-user] ssh to host behind firewall: connect direct or through router?
There seem to be two ways to allow ssh access from outside the firewall to a host inside:

1. forward some port on the fw to the host;
2. connect directly to sshd on the fw and use the -Lport:host:port flag to forward an additional connection to the host.

Is there agreement on which method is better (where better means more secure, I guess)?

The fw and host are at home. Most of the time I'm connecting from outside I'm either at work and want to xhost some app, or I want to transfer a bunch of files. Occasionally I need to tweak the router, so picking #1 above wouldn't remove the need to have sshd on the router's floppy.

Connections are always from machines that have keys in the router's (and inside host's) .ssh/authorized_keys files. Password login is disabled. I'm running Bering RC2.

Thanks,
--Eric

From the desktop of: Eric House, [EMAIL PROTECTED]
Crosswords 4.0 for PalmOS is out!: http://www.peak.org/~fixin/xwords
Re: [Leaf-user] ssh firewall revisited
Henning, Brian [EMAIL PROTECTED] wrote:

> Hello- I continue to have problems connecting to the webserver on my LAN. Here is my configuration using putty. Can anyone see what I am doing wrong? I thought I was following the directions. Thanks, brian
>
> putty at work:
>   Source port: 3005
>   Destination: LEAF ip:80
> Local web browser at work: http://localhost:3005/
>
> setup at home:
>   Leaf/echowall - port forward ssh
>        |
>   w2k/apache - port 80

I think you are doing a great job and heading in the right direction. It appears that you have all the mechanics set up correctly. You have putty on your work computer. If you are using plink, then it appears that you are using a command similar to

    plink -L 3005:myLEAFipAddress:80 myuser@myW2kboxIPorName

Now let's address the LEAF or W2K problems.

1.) If you have configured LEAF to port forward port 22 to the W2K box, then the W2K box needs to have a SSH server on it. In this configuration LEAF is not using SSH at all. LEAF just redirects the traffic to another server. I know the putty site does not have a SSH daemon, nor intends to create one. If this is your configuration, you need a SSH daemon on the W2K box to receive the port 22 forwards from your LEAF firewall. Perhaps someone else knows of a SSH daemon for Windows.

2.) If you are running SSH on your LEAF firewall, then the connection stops at the firewall, i.e. -L 3005:myLEAFipAddress:80 is trying to talk to weblet. In this case it appears like you are mixing port forwarding and server processes. I do not know if there is a way to have the SSH daemon send the decrypted traffic to the W2K box from the firewall.

If solutions cannot be found to either of these configurations, then ipsec sounds like an alternative. I cannot address that solution at this time. Can anyone else add comments to Brian's configuration issues?

Greg Morgan

___ Leaf-user mailing list [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user
RE: [Leaf-user] ssh firewall revisited
> putty at work:
>   Source port: 3005
>   Destination: ip of w2k machine on the local network:80
> Local web browser at work: http://localhost:3005/
>
> setup at home:
>   Leaf/echowall - port forward ssh
>        |
>   w2k/apache - port 80

Greg, I got it fixed. Thanks for your time. I had to use the ip of the w2k machine on the local network.
Re: [Leaf-user] ssh firewall
I gotcha. My problem is I'm always wanting to do updates remotely and wouldn't want users to have to flip a switch or, God forbid, reboot. But a compact flash can be pulled after booting to ramdisk without harm. That's pretty write protected. Problem is, to get access to it again you'll have to power down. I would be more interested in a heavily software protected mount, dd, etc. If these commands were 400 and could only be accessed via a very secure sudo-like thingy. I mean even root could not get to them without getting past security. Maybe that's impossible???

Oh yeah, if you want to solder, break into your IDE cable and run the write enable thru a switch (don't ask me). If you're clever you might even not bring the drive down. That would be cool.

Matt Schalit [EMAIL PROTECTED] on 04/01/2002 03:14:30 PM
To: Phillip Watts/austin/Nlynx@Nlynx
cc: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] ssh firewall

> [EMAIL PROTECTED] wrote:
>> Matt Schalit [EMAIL PROTECTED] on 03/30/2002 10:22:44 PM
>> To: [EMAIL PROTECTED]
>> cc: (bcc: Phillip Watts/austin/Nlynx)
>> Subject: Re: [Leaf-user] ssh firewall
>>> 4) hardware protectable IDE Flash disk module
>> Explain this one, please.
>
> A mass storage device for a firewall preferably would have a way to write protect it. A floppy diskette for instance has the little tab that you slide into position. This can not be circumvented by software tricks, ie can't be circumvented by a potential hacker. Currently, only floppies and tapes have hardware write protect, iirc. A lot of developers have been keen to gain mass storage capacity at low cost, but are hampered by a lack of hardware write protect on hard drives and flash storage. Mike Noyes picked up an ADM, a flash storage IDE Disk Module, which was under $20 for 8 MB. It plugs into your ide plug. If it only had a micro switch on it for write protect, we would have glory.
>
> Four of us got together in San Francisco a couple of weeks ago at the Linux Embedded Systems Conference to track down vendors and look for a solution. For all the details, read the leaf-devel archives thread called ADM write protect and perhaps the earlier one, CF (write protect) + IDE adapter, both posted at the beginning of February. The current problem is that the ADM is so small that soldering in a switch to those micro sized surface mount contact points is looking very tough.
>
> Regards,
> Matthew
Re: [Leaf-user] ssh firewall
[EMAIL PROTECTED] wrote:

> Matt Schalit [EMAIL PROTECTED] on 03/30/2002 10:22:44 PM
> To: [EMAIL PROTECTED]
> cc: (bcc: Phillip Watts/austin/Nlynx)
> Subject: Re: [Leaf-user] ssh firewall
>> 4) hardware protectable IDE Flash disk module
> Explain this one, please.

A mass storage device for a firewall preferably would have a way to write protect it. A floppy diskette for instance has the little tab that you slide into position. This can not be circumvented by software tricks, ie can't be circumvented by a potential hacker. Currently, only floppies and tapes have hardware write protect, iirc. A lot of developers have been keen to gain mass storage capacity at low cost, but are hampered by a lack of hardware write protect on hard drives and flash storage. Mike Noyes picked up an ADM, a flash storage IDE Disk Module, which was under $20 for 8 MB. It plugs into your ide plug. If it only had a micro switch on it for write protect, we would have glory.

Four of us got together in San Francisco a couple of weeks ago at the Linux Embedded Systems Conference to track down vendors and look for a solution. For all the details, read the leaf-devel archives thread called ADM write protect and perhaps the earlier one, CF (write protect) + IDE adapter, both posted at the beginning of February. The current problem is that the ADM is so small that soldering in a switch to those micro sized surface mount contact points is looking very tough.

Regards,
Matthew
Re: [Leaf-user] ssh firewall
Why don't U use FreeSwan Ipsec... I just woke up hehe

Upnet Joe

- Original Message -
From: Greg Morgan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Henning, Brian [EMAIL PROTECTED]
Sent: Saturday, March 30, 2002 1:57 AM
Subject: Re: [Leaf-user] ssh firewall

> [Greg Morgan's reply to Brian Henning, quoted in full; the original message appears below under the same subject.]
Re: [Leaf-user] ssh firewall
Greg/Charles, that was a really good HOWTO you just wrote. I wish you had done it a few days ago :-) I spent the last few months puzzling out how to do exactly what you just described. Just yesterday I attained my 'holy grail' of networking, which was to click'n'drag files from my Windoze workstation at work to my Linux workstation behind EigerStein2B4 at home. I use Secure iXplorer (www.i-tree.org) on the Windoze machine, which works well with the Putty programs. It's a GUI front end for the Putty Secure Shell Copy (PSCP) program. If anyone needs to see details of the setup, drop me a line.

I guess I need a new holy grail now. (I already got VNC working, too, but my upload speed at home is only 90KB which makes for really slow screen updates.) Any suggestions for a new grail?

-John

--- Greg Morgan [EMAIL PROTECTED] wrote:
> [Greg Morgan's reply to Brian Henning, quoted; the original message appears below under the same subject.]
Re: [Leaf-user] ssh firewall
John Desmond wrote:
> I guess I need a new holy grail now. (I already got VNC working, too, but my upload speed at home is only 90KB which makes for really slow screen updates.) Any suggestions for a new grail? -John

1) QoS (discussed recently, though)
2) multiple ISP load balancing
3) debug.lrp that works on all LEAF distros
4) hardware protectable IDE Flash disk module

Good Luck :)
Matthew
Re: [Leaf-user] ssh firewall
--- Matt Schalit [EMAIL PROTECTED] wrote:
> John Desmond wrote:
>> Any suggestions for a new grail? -John
> 1) QoS (discussed recently, though)

The Q stands for 'Quality'. Since my ISP is Verizon, I probably wouldn't notice any differences.

> 2) multiple ISP load balancing

Two Verizons... three Verizons... O, the horror!

> 3) debug.lrp that works on all LEAF distros

It's Linux... no need to debug!

> 4) hardware protectable IDE Flash disk module

I took some flash pictures of the IDE disk and it didn't hurt it, so I guess it's protected.

> Good Luck :)
> Matthew

Happy April Fool's! And if you want to get some good ideas for a 'wired house' go see Panic Room this weekend. I can't see why, though, they didn't have a 'net connection and a little LEAF in the corner! :-)

-John
[Leaf-user] ssh/sftp through dachstein firewall
I set up portforwarding to point ssh to my fileserver, in the hopes that I would be able to secure-ftp into it, but it doesn't seem to like the portforwarding. svi network ipfilter list portfw says that port 22 is pointed to the appropriate internal machine, and I can ssh/sftp into it from the internal network, just not from the external network. I'm using dach. 1.02 floppy... any thoughts? thanks in advance -david
Re: [Leaf-user] ssh/sftp through dachstein firewall
David Goodrich wrote:
> I set up portforwarding to point ssh to my fileserver, in the hopes that I would be able to secure-ftp into it, but it doesn't seem to like the portforwarding. svi network ipfilter list portfw says that port 22 is pointed to the appropriate internal machine, and I can ssh/sftp into it from the internal network, just not from the external network. I'm using dach. 1.02 floppy... any thoughts? thanks in advance -david

Is your ssh client truly on the external network? Do you have any relevant messages appear in any one of your syslogs? Have you read the newish Dachstein Port Forwarding FAQ? Look for it on the LEAF site. You mentioned that the port was forwarded as listed in the ipfilter output, but is the port open in the first place so that traffic can get in to be forwarded?

Good Luck,
Matthew
Re: [Leaf-user] ssh/sftp through dachstein firewall
yes. 64.x.x.x
-david

- Original Message -
From: rwtech.com [EMAIL PROTECTED]
To: David Goodrich [EMAIL PROTECTED]
Sent: Friday, March 29, 2002 4:02 PM
Subject: Re: [Leaf-user] ssh/sftp through dachstein firewall

> do both dachstein boxes have external (real) ips?
> brett
>
> --- David Goodrich [EMAIL PROTECTED] wrote:
>> I did a bit more testing. The first external box I was testing on is also behind a dachstein firewall, but a /different/ dachstein firewall. I was ssh'ing into my server from one of the lab computers, and didn't have any problem. Is this some weird dachstein-dachstein interaction? -david
>>
>> - Original Message -
>> From: rwtech.com [EMAIL PROTECTED]
>> To: David Goodrich [EMAIL PROTECTED]
>> Sent: Friday, March 29, 2002 3:49 PM
>> Subject: Re: [Leaf-user] ssh/sftp through dachstein firewall
>>
>>> that is odd, I can both ssh and sftp into my machine from the outside. I always thought if one works so would the other. sorry, I have nothing helpful at this point. brett
>>>
>>> --- David Goodrich [EMAIL PROTECTED] wrote:
>>>> yes, I did. And it turns out I can ssh into it, just not sftp. Both ssh and sftp work on the internal network. -david
>>>>
>>>> - Original Message -
>>>> From: rwtech.com [EMAIL PROTECTED]
>>>> To: David Goodrich [EMAIL PROTECTED]
>>>> Sent: Friday, March 29, 2002 2:00 PM
>>>> Subject: Re: [Leaf-user] ssh/sftp through dachstein firewall
>>>>
>>>>> hi, did you open tcp port 22 on the firewall?
>>>>>
>>>>> --- David Goodrich [EMAIL PROTECTED] wrote:
>>>>>> I set up portforwarding to point ssh to my fileserver, in the hopes that I would be able to secure-ftp into it, but it doesn't seem to like the portforwarding. svi network ipfilter list portfw says that port 22 is pointed to the appropriate internal machine, and I can ssh/sftp into it from the internal network, just not from the external network. I'm using dach. 1.02 floppy... any thoughts? thanks in advance -david
Re: [Leaf-user] ssh firewall
Henning, Brian [EMAIL PROTECTED] wrote:

> hello- I am using echowall on dachstein LRP. I have a windows 2k pro machine that I can ssh into from the outside. I am also running an http server on my w2k machine. I am port forwarding ssh through my router/firewall. My problem is I am not sure how to tunnel the http to the *outside world*. I am not sure if it is possible. Any thoughts or suggestions? thanks brian

Charles gave you the answer to this before, but if you are coming from a windows world it may not make sense. I attached his original post at the end of this message. Here's what I'll presume about you. You are on a windows client at work or somewhere else connecting to your LEAF box. As you described, you have a Windows 2000 box with a web page you want to see. There are a lot of things to keep straight in one's mind when you start playing with port forwarding and SSH. In short, you are not trying to tunnel the http to the *outside world*, but you tell your clients how to tunnel to the service.

First off, think of your LEAF box as just a patch cord. You have taken a cord and plugged it into a receptacle named 22 available to the rest of the world. The other end of the cord has been plugged into 22 on your W2K box. That's all port forwarding does in LEAF. LEAF is completely out of the picture now. All that is is a pipe for data to flow over. You have successfully done that as you describe above.

Now let's talk about the magic of SSH. SSH is one protocol. It allows a person to set up an encrypted link between two computers. Typically, a telnet-like feature is used within the SSH suite to talk to another server and run commands on it. Ah, but there are a few more tricks up SSH's sleeve. SSH allows you to build other pipes within the port 22 pipe. This is normally referred to as tunneling. Within the port 22 pipe you can create multiple tunnels. For example I have both regular SSH and web tunneled to a windows machine. I created these tunnels to try and explain what you'll need to do. If I wanted to ftp through SSH, then you could add this too. Name a protocol and try it. You are really just redirecting a port that the protocol normally uses on your localhost to the desired port on your server.

There are several SSH packages for Windows. I'll describe putty. You will need version 0.52. My prior version, 0.51, did not have the features to perform the tasks you're asking for. (And yes, I upgraded today to try it out. :) )

  A.8.8 How do I pronounce PuTTY?
  Exactly like the normal word putty. Just like the stuff you put on window frames. (One of the reasons it's called PuTTY is because it makes Windows usable. :-)
  http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html

Download the executables from http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html. You will want plink.exe especially. plink is short for putty link. You will want to set up your private key on the windows client computer that attaches to LEAF. plink.exe takes the SSH part and simplifies building tunnels within the port 22 pipe on a Windows PC.

I have a Samba Server on a Linux box that acts like your W2K box. I used a windows PC with putty and plink to connect to it. Here's the command I used, where myLEAFipAddress is the address of LEAF performing port forwarding, myuser is the userid on the W2K box, and myW2kboxIPorName is the ip or name of your W2k box. You would need to add the name in the c:\windows\host file for a server name to work.

    plink -L 80:myLEAFipAddress:80 myuser@myW2kboxIPorName

This establishes the tunnel. I do not have a web server on my windows PC. However, when I use http://localhost/ in the web browser, I see what my Apache server is providing me. Remember port 80 is the default port used by browsers, i.e. http://localhost/ is the same as http://localhost:80/. SSH through plink is creating a tunnel to my local machine, or a secure patch cord. plink forwards whatever connects on my local windows box at port 80 to the other server on port 80. You have to just believe this until it makes sense. Also note that localhost is the name for ip address 127.0.0.1. Every networking host has this available to it.

Perhaps the -L 80:myLEAFipAddress:80 is confusing because the command is using the same port numbers on both ends of the pipe or tunnel. Let's try this, since I am putting off filling out my 1040 tax forms :}

    plink -L 1040:myLEAFipAddress:80 myuser@myW2kboxIPorName

Now use http://localhost:1040/ in the web browser. Once again I see the pages Apache is serving up to me. If you will, plink makes a web server available on your client windows PC. Without plink forwarding the web server over SSH to the windows client, you would receive the typical 404 http error message. Note that SSH is a server process in this configuration. If you need two way communication that is where both ends of the tunnel need to
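The "patch cord" picture above, as an added example that is not from this list, from PuTTY or from LEAF: a minimal TCP relay in Python that does what the two ends of a `-L localport:host:hostport` forward do, minus the encryption and authentication that SSH wraps around it. The client end accepts connections on 127.0.0.1 only, which is the default for `-L` in both OpenSSH and plink, so the tunnel is usable from the work PC but not from the rest of the work LAN. The far end opens the connection to host:hostport from wherever the relay runs; with real SSH that is the sshd machine, which is why, when LEAF only port-forwards 22 to the W2K box, the host in `-L` has to be an address the W2K box can reach (the fix Brian reported). The web server is a constructed stand-in for the Apache box and all ports are ephemeral, so it runs offline.

```python
import socket
import threading


def relay(src, dst):
    """Copy bytes from src to dst until src hits EOF, then half-close dst so the
    peer sees EOF too. Errors simply end this direction of the pipe."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class LocalForward:
    """The unencrypted skeleton of 'ssh -L [bind:]port:host:hostport':
    accept on bind_addr:port, open host:hostport from here, relay both ways."""

    def __init__(self, dest_host, dest_port, bind_addr="127.0.0.1", port=0):
        self.dest = (dest_host, dest_port)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        # Loopback only, as -L does by default: the tunnel belongs to this PC,
        # not to everyone else on the same LAN.
        self.listener.bind((bind_addr, port))
        self.listener.listen(5)
        self.bound = self.listener.getsockname()  # (addr, port actually chosen)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.listener.accept()
            except OSError:  # listener closed by close()
                return
            threading.Thread(target=self._handle, args=(client,), daemon=True).start()

    def _handle(self, client):
        # This connect is made from wherever the relay runs. With real SSH that
        # is the sshd host, so dest_host must be reachable from *there*.
        try:
            upstream = socket.create_connection(self.dest, timeout=5)
        except OSError:
            client.close()
            return
        upstream.settimeout(None)
        back = threading.Thread(target=relay, args=(upstream, client), daemon=True)
        back.start()
        relay(client, upstream)
        back.join()
        client.close()
        upstream.close()

    def close(self):
        self.listener.close()


def start_fake_webserver(body=b"hello from the inside"):
    """Constructed stand-in for the Apache box: one fixed HTTP/1.0 reply per connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    reply = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n%s" % (len(body), body)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.recv(4096)  # request ignored; every path gets the same page
                conn.sendall(reply)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def fetch_through(port, path="/"):
    """Plain HTTP GET to the local end of the forward; returns the response body."""
    with socket.create_connection(("127.0.0.1", port), timeout=5) as s:
        s.sendall(b"GET " + path.encode() + b" HTTP/1.0\r\nHost: localhost\r\n\r\n")
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).split(b"\r\n\r\n", 1)[1]


def demo():
    """Equivalent of 'plink -L 1040:<webhost>:80 ...' followed by http://localhost:1040/,
    with ephemeral ports standing in for 1040 and 80. Returns (bind address, page body)."""
    web_host, web_port = start_fake_webserver()
    fwd = LocalForward(web_host, web_port)
    try:
        return fwd.bound[0], fetch_through(fwd.bound[1])
    finally:
        fwd.close()


if __name__ == "__main__":
    print(demo())
```

Running `demo()` returns `('127.0.0.1', b'hello from the inside')`: the browser-side connection never touches the web server directly, it only ever talks to the loopback listener, and the listener's connect to the server is what the `host` field of `-L` names.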
[Leaf-user] ssh firewall
hello- I am using echowall on dachstein LRP. I have a windows 2k pro machine that I can ssh into from the outside. I am also running an http server on my w2k machine. I am port forwarding ssh through my router/firewall. My problem is I am not sure how to tunnel the http to the *outside world*. I am not sure if it is possible. Any thoughts or suggestions? thanks brian
[Leaf-user] ssh in Bering
I need help installing sshd in Bering. Site info of lrpkg -i libz,sshd,sshkey doesn't work as far as backing up the sshd pkg.
Re: [Leaf-user] ssh in Bering
On Wednesday 27 March 2002 19:59, Jim Van Eeckhoutte wrote:
> I need help installing sshd in Bering. Site info of lrpkg -i libz,sshd,sshkey doesn't work as far as backing up the sshd pkg.

lrpkg -i only loads (installs) the package; you will need to back up the package from the lrcfg backup menu to keep your changes on the disk. You will also need to add it to the syslinux.cfg file in the LRP=.. line.

--
~Lynn Avants aka Guitarlynn
guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net
If linux isn't the answer, you've probably got the wrong question!
RE: [Leaf-user] ssh in Bering
This is the problem I'm having. I can't back it up; I get a "can't move from tmp dir" error.

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of guitarlynn
Sent: Wednesday, March 27, 2002 7:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] ssh in Bering

> On Wednesday 27 March 2002 19:59, Jim Van Eeckhoutte wrote:
>> I need help installing sshd in Bering. Site info of lrpkg -i libz,sshd,sshkey doesn't work as far as backing up the sshd pkg.
>
> lrpkg -i only loads (installs) the package; you will need to back up the package from the lrcfg backup menu to keep your changes on the disk. You will also need to add it to the syslinux.cfg file in the LRP=.. line.
>
> --
> ~Lynn Avants aka Guitarlynn
> guitarlynn at users.sourceforge.net
> http://leaf.sourceforge.net
> If linux isn't the answer, you've probably got the wrong question!
Re: [Leaf-user] ssh in Bering
Jim Van Eeckhoutte wrote:
> This is the problem I'm having. I can't back it up; I get a "can't move from tmp dir" error.

Please post the exact error message, plus a listing of what's in your /tmp directory, plus explain what "I get cant move from tmp dir error" means.

Good Luck,
Matt
[Leaf-user] SSH Problems with DMZ
Hi, me again! I have configured my Dachstein CD based router and parts are working quite fine. My web server can be seen from its dedicated public IP and from my masq. network. Unfortunately, I cannot ssh into the server via the public-ip router. This despite the fact I have enabled the port in the same places and the same way as with tcp:80. A few days ago I could only get ssh running by having a separate port (222) forwarded to 22 on the server.

Off the top, here are some of the pertinent settings:

    DMZ=YES
    SSH and WWW open with EXTERN_TCP_PORTn=0/0 ssh public_IP/n etc.
    INTERN_SERVERS=tcp_public_IP_ssh_dmz_IP_ssh
    DMZ_OPEN_DEST=tcp_public_IP_ssh

(where public-ip is one of my static IPs from the ISP.)

I have been over the settings quite a few times and did find a couple of errors but still, no SSH. If I bypass the router, the systems link within seconds and it all works fine. Any thoughts?

Thanks,
Scott
Re: [Leaf-user] SSH Problems with DMZ
When you say "I cannot ssh into the server ...", how much time are you giving it? Do you wait 3 minutes to see if it connects? If not, consider the possibility that the DMZ server cannot do DNS lookups properly, and you are experiencing the well-known delays associated with reverse-lookup failures. The fix is to get DNS working on the DMZ host. (Or do what I sometimes do: add an entry in /etc/hosts for the IP address you ssh in from; I use this when I remote-admin systems, so DNS problems don't delay troubleshooting connections.) Only a guess, of course, based largely on your saying a direct connection succeeds within seconds.

At 09:18 AM 2/13/02 -0700, Scott Sandeman-Allen wrote: Hi, me again! I have configured my Dachstein CD based router and parts are working quite fine. My web server can be seen from its dedicated public IP and from my masq. network. Unfortunately, I cannot ssh into the server via the public-ip router. This despite the fact I have enabled the port in the same places and the same way as with tcp:80. A few days ago I could only get ssh running by having a separate port (222) forwarded to 22 on the server. Off the top, here are some of the pertinent settings: DMZ=YES; SSH and WWW open with EXTERN_TCP_PORTn=0/0 ssh public_IP/n etc.; INTERN_SERVERS=tcp_public_IP_ssh_dmz_IP_ssh; DMZ_OPEN_DEST=tcp_public_IP_ssh (where public-ip is one of my static IPs from the ISP.) I have been over the settings quite a few times and did find a couple of errors but still, no SSH. If I bypass the router, the systems link within seconds and it all works fine.

-- "Never tell me the odds!" -- Han Solo. Ray Olszewski, Palo Alto, CA [EMAIL PROTECTED]
[Leaf-user] SSH access error
Running DCD 102 booting off a floppy using openssh 3.0p1. When I attempt to ssh into the DCD router from the local network using the latest PuTTY client, I receive the following error message: Network error: connection refused. The hosts.allow file allows access from the local network as follows: ALL: 192.168.1.0/255.255.255.0

ps aux shows the following:

PID Uid Stat Command
1 root S init
2 root S [kflushd]
3 root S [kupdate]
4 root S [kswapd]
5 root S [keventd]
6 root S [mdrecoveryd]
1086 root S /usr/sbin/dhclient eth0
1275 root S /sbin/syslogd -m 240
1277 root S /sbin/klogd
1281 root S /usr/sbin/inetd
1285 root S /usr/sbin/watchdog
1288 root S /usr/sbin/cron
1309 tinydns S /usr/bin/tinydns
1334 dnscache S /usr/bin/dnscache
1335 root S -sh
1336 root S /sbin/getty 38400 tty2
2331 sh-httpd S sh /usr/sbin/sh-httpd
2367 sh-httpd S sh /var/sh-www/cgi-bin/viewsys
2368 sh-httpd S sleep 1
2369 sh-httpd S cat
2370 sh-httpd S sh /var/sh-www/cgi-bin/viewsys
2447 sh-httpd R ps aux

I don't see any entry for the sshd daemon. I followed the instructions in the DCD documentation for generating the keys and made a partial backup. But no dice. What am I missing here? ~Doug
[Leaf-user] SSH access error
I guess I should say that I am quite familiar with SSH in general. I am unsure whether I should copy the public key from the sshd server to the client, or whether I should enable SSH1 or SSH2 authentication on the client machine. I worked on an Eigerstein set-up in the past and it was relatively simple to set up SSH on that machine. I did not copy the key over to the client machine nor did I make any changes to the client configuration. Unfortunately it isn't so simple with this Dachstein CD set-up... But then I've only set up SSH once before. Any pointers or tips would be greatly appreciated. ~Doug

-Original Message- From: Doug Sampson Sent: Tuesday, February 12, 2002 12:33 PM Subject: SSH access error
Re: [Leaf-user] SSH access error
On Tuesday 12 February 2002 15:08, Doug Sampson wrote: I guess I should say that I am quite familiar with SSH in general. I am unsure whether I should copy the public key from the sshd server to the client, or whether I should enable SSH1 or SSH2 authentication on the client machine. I worked on an Eigerstein set-up in the past and it was relatively simple to set up SSH on that machine. I did not copy the key over to the client machine nor did I make any changes to the client configuration. Unfortunately it isn't so simple with this Dachstein CD set-up... But then I've only set up SSH once before. Any pointers or tips would be greatly appreciated.

Doug, are you loading the sshd package? This isn't stock on the DF floppy. There are server, client, and key packages for DF. You said floppy in the first post, now the CD version; I'm getting confused. Exact details of what you _are_ using and what you have done will help. When you back up the key, you either have to back up root.lrp or add /root to local.lrp... otherwise it's lost forever (or every reboot). What version of ssh you use will depend on how you set sshd up; I believe the default config will use either. You don't need to copy a key over unless you get tired of logging in. Hope this helps, -- ~Lynn Avants aka Guitarlynn guitarlynn at users.sourceforge.net http://leaf.sourceforge.net If linux isn't the answer, you've probably got the wrong question!
Re: [Leaf-user] SSH access error
On Tuesday 12 February 2002 16:05, Doug Sampson wrote: Am running DCD 102 booting off a floppy because the mobo doesn't boot off a CD drive. openssh.lrp is stock on a DCD 102.

I have /usr/sbin/sshd in my ps ax, so as I thought, you are _not_ loading the package. Check the lrpkg.cfg file on your floppy. The lrpkg.cfg file overrides the LRP= line in syslinux.cfg. You will also need to add this line to /etc/hosts.allow: sshd: 192.168.1 127.

Am backing up sshd.lrp partially as described in Steinkuehler's README.txt documentation on the LRP-CD. Do I need to back up the root.lrp as well as the sshd.lrp each time a new key is generated?

I didn't have any luck with that, but I am also running a stand-alone CD, so I can't say for sure. I always back up both to make sure; someone else might shed better light on this for me.

Am setting it up the way Steinkuehler described in his documentation. All I want to do is set up SSH and get going. There are multiple problems I am having with the router but must solve the sshd thing in order to do a copy and paste function of relevant information for troubleshooting purposes.

Yep, sneakernet comes in handy in times such as this. There are a lot of lib* dependencies with DCD you have to check. It has been working great for me here for about 4 months w/o a reboot.

Hope what I've given is helpful. Let me know if there's anything else I should provide.

Yep, it has helped, thx. You really have to get sshd loaded before you're going to have any luck. Good luck! -- ~Lynn Avants aka Guitarlynn guitarlynn at users.sourceforge.net http://leaf.sourceforge.net If linux isn't the answer, you've probably got the wrong question!
Re: [Leaf-user] SSH access error
There are multiple problems I am having with the router but must solve the sshd thing in order to do a copy and paste function of relevant information for troubleshooting purposes.

Ahaa. The copy and paste problem. It's great to have ssh to help, but it's not always there.

ip addr show > /tmp/pout 2>&1
will place the output of that command in the file /tmp/pout.

mount -t msdos /dev/fd0u1680 /mnt
will mount your LEAF floppy.

gzip -c /tmp/pout > /mnt/pout.gz
zips the file and puts it on the floppy.

umount /mnt
unmounts the floppy.

Now you can take the diskette over to any other computer and copy it on there because it's a DOS format diskette. Regards, Matthew
RE: [Leaf-user] SSH access error
I have /usr/sbin/sshd in my ps ax, so as I thought, you are _not_ loading the package. Check the lrpkg.cfg file on your floppy. The lrpkg.cfg file overrides the LRP= line in syslinux.cfg. You will also need to add this line to /etc/hosts.allow: sshd: 192.168.1 127.

I already have the config file listed in the lrpkg.cfg file. However, I had appended :R to it, i.e. sshd:R. I took the :R parameter out and rebooted. Upon rebooting it reports as follows: sshd dev/cdrom dev/fd0u1680 (nf!) I don't understand why I have to specify sshd: 192.168.1.xxx in the /etc/hosts.allow file when it contains ALL: 192.168.1.0/255.255.255.0? This line exists in DCD's default hosts.allow file.

Am backing up sshd.lrp partially as described in Steinkuehler's README.txt documentation on the LRP-CD. Do I need to back up the root.lrp as well as the sshd.lrp each time a new key is generated?

I didn't have any luck with that, but I am also running a stand-alone CD, so I can't say for sure. I always back up both to make sure; someone else might shed better light on this for me.

Looks like I have to regenerate the keys and back up root.lrp as well as sshd.lrp, eh? ~Doug
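The question of whether an "ALL: 192.168.1.0/255.255.255.0" line already covers sshd comes down to how tcp_wrappers evaluates hosts.allow and hosts.deny. The evaluator below is an added example, not code from this list or from LEAF; the rule strings are constructed to mirror the forms in the thread (net/mask, trailing-dot prefix, the ALL wildcard), and it assumes the daemon is linked against libwrap, since otherwise these files are never consulted.

```python
import ipaddress

# Constructed rule files mirroring the forms discussed in this thread.
HOSTS_ALLOW_SINGLE_HOST = "ALL: 192.168.1.2/255.255.255.255\n"
HOSTS_ALLOW_LAN = "ALL: 192.168.1.0/255.255.255.0\n"
HOSTS_ALLOW_SSHD_ONLY = "sshd: 192.168.1. 127.\n"
HOSTS_DENY_ALL = "ALL: ALL\n"


def parse_rules(text):
    """Parse 'daemon_list : client_list [: option]' lines into (daemons, clients)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # malformed line: tcp_wrappers logs it and skips it
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, ip):
    """Match one client pattern against a dotted-quad client address.
    Hostname patterns, LOCAL and EXCEPT are not modelled here."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return ip.startswith(pattern)  # "192.168.1." matches every 192.168.1.x
    if "/" in pattern:
        # net/mask form such as 192.168.1.0/255.255.255.0; CIDR is accepted too
        try:
            return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False  # unparsable pattern never matches
    return pattern == ip  # plain address


def rule_matches(rule, daemon, ip):
    daemons, clients = rule
    return any(d in ("ALL", daemon) for d in daemons) and any(
        client_matches(c, ip) for c in clients)


def access_allowed(allow_text, deny_text, daemon, ip):
    """tcp_wrappers order: first match in hosts.allow grants, then first match
    in hosts.deny refuses, and a client matching neither file is granted."""
    for rule in parse_rules(allow_text):
        if rule_matches(rule, daemon, ip):
            return True
    for rule in parse_rules(deny_text):
        if rule_matches(rule, daemon, ip):
            return False
    return True


if __name__ == "__main__":
    for allow in (HOSTS_ALLOW_SINGLE_HOST, HOSTS_ALLOW_LAN, HOSTS_ALLOW_SSHD_ONLY):
        for daemon, ip in (("sshd", "192.168.1.2"), ("sshd", "192.168.1.3"), ("in.ftpd", "192.168.1.3")):
            print(allow.strip(), "|", daemon, ip, "->", access_allowed(allow, HOSTS_DENY_ALL, daemon, ip))
```

With hosts.deny set to ALL: ALL, the single-host line admits only 192.168.1.2, the LAN line admits the whole /24 for every wrapped daemon, and the sshd-only line admits 192.168.1.x and 127.x for sshd but nothing else.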
RE: [Leaf-user] SSH access error
I noticed two entries for sshd in the back up menu of LRCFG. I changed the first entry's backup destination back to /dev/cdrom, leaving the other entry pointing to dev/fd0u1680 as its backup destination. Upon rebooting, sshd loaded correctly and now I am able to ssh in from my Windoze machine! I did not have to add an entry in the hosts.allow file as Guitarlynn suggested. I did not regenerate the keys; I merely used the ones that were originally generated. This means that root.lrp does not have to be backed up after the keys are generated, only the local configuration file of the sshd.lrp. Now that I have conquered the ssh thing (hurrah for this newb!), on to the silent_deny issue! Which will be in the next post from me! ~Doug
Re: [Leaf-user] ssh / openssh?
Julian Church wrote: Hi All, I use ssh to access and administer my Dachstein firewalls (one home, one office). I'm a bit confused because there seem to be two versions of sshd.lrp available at the moment. The one I've always used is quite small, is called sshd.lrp, is available at ftp://ftp.linuxrouter.org/linux-router/dists/2.9.8/packages/ and is referenced in Steve Peck's sshd howto http://c0wz.steinkuehler.net/dox/sshd.txt. The other one is much bigger (too big for my floppy), is also called sshd.lrp, requires that I use libz.lrp and is part of openssh maintained by Jacques Nilo at http://leaf.sourceforge.net/devel/jnilo/index.html. Could someone explain the differences? Are the differences worth worrying about? Should I consider upgrading? cheers Julian

You definitely want to use J. Nilo's most recent ssh package, which I'm pretty sure is an OpenSSH implementation. You just need a second floppy or to use CDROM for your packages. Try Dachstein CD if you want. Matthew
[Leaf-user] ssh / openssh?
Hi All, I use ssh to access and administer my Dachstein firewalls (one home, one office). I'm a bit confused because there seem to be two versions of sshd.lrp available at the moment. The one I've always used is quite small, is called sshd.lrp, is available at ftp://ftp.linuxrouter.org/linux-router/dists/2.9.8/packages/ and is referenced in Steve Peck's sshd howto http://c0wz.steinkuehler.net/dox/sshd.txt. The other one is much bigger (too big for my floppy), is also called sshd.lrp, requires that I use libz.lrp and is part of openssh maintained by Jacques Nilo at http://leaf.sourceforge.net/devel/jnilo/index.html. Could someone explain the differences? Are the differences worth worrying about? Should I consider upgrading? cheers Julian -- [EMAIL PROTECTED] www.ljchurch.co.uk
[Leaf-user] SSH with Secure iXplorer - no remote tree displayed
I'm trying to use Secure iXplorer on a Win95 box to access a LRP firewall system on which I am running the OpenSSH daemon. I am able to copy files to the LRP firewall using iXplorer, but no remote tree is displayed. Also, I am unable to create subdirectories using iXplorer. Using PuTTY, from the same Win95 box, I can issue an 'ls -la' command and receive an appropriate directory listing, and I'm able to create subdirectories with no problem. Your thoughts please. (I'm using iXplorer with the firewall only to try out iXplorer. My intended use for it is as an end user tool for accessing internal fileservers at our remote offices.) Thanks.
Re: [Leaf-user] ssh
Bill Hults wrote: Hi, can someone point me to an instruction for setting up ssh on Dachstein? I've copied sshd-1.lrp and sshkey-1.lrp to the disk, generated a key, saved it, but it's still looking for a key. TIA

Did you use this?

ssh-keygen -f /etc/ssh/ssh_host_key
ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

That's what I had to do on Oxygen with OpenSSH-2.9p1. Perhaps your sshd is looking there or somewhere else. I think you can enable debug in the sshd_config file and find out where. Regards, Matthew
Re: [Leaf-user] ssh
Hi, can someone point me to an instruction for setting up ssh on Dachstein? I've copied sshd-1.lrp and sshkey-1.lrp to the disk, generated a key, saved it, but it's still looking for a key.

http://leaf.sourceforge.net/devel/jnilo/openssh.html Jacques
[Leaf-user] ssh
Hi, can someone point me to an instruction for setting up ssh on Dachstein? I've copied sshd-1.lrp and sshkey-1.lrp to the disk, generated a key, saved it, but it's still looking for a key. TIA -- Bill Hults, Dir. Network Services, Infinite Technologies of Vermont, 71 Millet Street, Richmond, VT 05477. Office (802)434-5393 X20, Home (802)288-9494