[leaf-user] SSH connection

2008-04-18 Thread Tom Hendrickx
Hi everyone,

I was wondering something about the hosts.allow file.
I have for example the following line inserted:
ALL: 192.168.1.2/255.255.255.255

but I'm still able to ssh to the machine from other addresses inside 
the 192.168.1.0/24 network..
Shouldn't this file take care of this or should it also be specified in 
shorewall? But in that case I don't see the point of having the 
hosts.allow & hosts.deny file.

btw, my hosts.deny file contains:
ALL: ALL


Grtz,
Tom

leaf-user mailing list: leaf-user@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/leaf-user
Support Request -- http://leaf-project.org/


Re: [leaf-user] SSH connection

2008-04-18 Thread Erich Titl
Tom

Tom Hendrickx wrote:
 Hi everyone,
 
 I was wondering something about the hosts.allow file.
 I have for example the following line inserted:
 ALL: 192.168.1.2/255.255.255.255
 
 but I'm still able to ssh to the machine from other addresses inside 
 the 192.168.1.0/24 network..
 Shouldn't this file take care of this or should it also be specified in 
 shorewall? But in that case I don't see the point of having the 
 hosts.allow & hosts.deny file.

This has to be compiled in the application, so if your ssh daemon does 
not have libwrap compiled in then it does not matter what you write to 
your hosts.allow/deny files.

If you want to be sure, use shorewall rules for this purpose

cheers

Erich
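
Erich's point about libwrap can be checked on the box itself. The following is an added example, not part of the original thread: it classifies `ldd` output for an sshd binary and also searches the binary for the wrapper file name, which is how a statically linked libwrap shows up. The function names and the sample `ldd` output are constructed for illustration; /usr/sbin/sshd is assumed as the default path.

```shell
#!/bin/sh
# Added example (not from the thread): can this sshd honour hosts.allow/hosts.deny?
# Function names are hypothetical; the sample ldd output below is constructed.

# Classify `ldd` output read from stdin:
#   libwrap  linked against libwrap.so, so TCP wrappers rules are consulted
#   static   ldd cannot list libraries for this binary
#   none     dynamically linked, but no libwrap.so in the list
classify_ldd() {
    ldd_out=$(cat)
    case "$ldd_out" in
        *libwrap.so*) echo libwrap ;;
        *"not a dynamic executable"*|*"statically linked"*) echo static ;;
        *) echo none ;;
    esac
}

# Inspect a real binary. When libwrap.so is not in the ldd list, look for the
# string "hosts.allow" inside the binary: a libwrap that was linked in
# statically leaves the path of the rules file there.
sshd_wrappers_status() {
    bin=${1:-/usr/sbin/sshd}
    [ -r "$bin" ] || { echo unreadable; return 2; }
    result=$(ldd "$bin" 2>&1 | classify_ldd)
    if [ "$result" != libwrap ] && LC_ALL=C grep -q 'hosts\.allow' "$bin"; then
        result=libwrap-static
    fi
    echo "$result"
}

# Constructed sample: ldd output of an sshd built without libwrap. With this
# result, entries in hosts.allow and hosts.deny have no effect on ssh logins.
SAMPLE_LDD='	libcrypto.so.0.9.7 => /lib/libcrypto.so.0.9.7 (0x40020000)
	libz.so.1 => /lib/libz.so.1 (0x40110000)
	libc.so.0 => /lib/libc.so.0 (0x40120000)'
printf '%s\n' "$SAMPLE_LDD" | classify_ldd   # prints: none
```

A result of `none` or `static` means the restriction has to be enforced somewhere else, such as the shorewall rules Erich mentions.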





Re: [leaf-user] SSH login takes 40 seconds

2004-11-28 Thread cpu memhd
Okay, I figured out a solution reading the DNSMASQ docs (I'm using
DNSMASQ with messy DHCP). I forgot exactly everything I did, but I'm
pretty sure this is it (sorry to take so long to respond):

First I modified the dnsmasq config, note the change below:

# Change this line if you want dns to get its upstream servers from
# somewhere other that /etc/resolv.conf
#resolv-file=
resolv-file=/etc/resolv.dnsmasq

Then...

- Early in the bootup process, after I get my IP via DHCP (cable modem)
I rename resolv.conf (with DHCP updates) to resolv.dnsmasq via a
startup script

- Then I do an echo nameserver 127.0.0.1 > /etc/resolv.conf (same
script)

That's it. No more delay, no host file maintenance for every possible client.
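
The startup step described above, written out as an added example that is not part of the original post. It goes slightly beyond the description by refusing to run twice: a second run would otherwise move the loopback-only resolv.conf over resolv.dnsmasq and leave dnsmasq with no upstream server. The function names are hypothetical and the sample resolv.conf is constructed.

```shell
#!/bin/sh
# Added example (not from the post): hand the DHCP-supplied resolvers to dnsmasq
# and point the local resolver at dnsmasq. Function names are hypothetical.

# Print the non-loopback nameserver addresses found in a resolv.conf-style file.
upstream_nameservers() {
    awk '$1 == "nameserver" && $2 !~ /^127\./ && $2 != "::1" { print $2 }' "$1"
}

# $1 is the directory holding resolv.conf (default /etc).
point_resolver_at_dnsmasq() {
    etc=${1:-/etc}
    conf="$etc/resolv.conf"
    saved="$etc/resolv.dnsmasq"     # must match resolv-file= in the dnsmasq config
    [ -f "$conf" ] || { echo "no $conf: DHCP has not written it yet" >&2; return 1; }

    if [ -z "$(upstream_nameservers "$conf")" ]; then
        # resolv.conf already points at loopback only (script run twice).
        # Keep the saved upstream list instead of overwriting it.
        if [ -n "$(upstream_nameservers "$saved" 2>/dev/null)" ]; then
            return 0
        fi
        echo "no upstream nameserver in $conf or $saved" >&2
        return 1
    fi

    mv "$conf" "$saved" || return 1
    echo "nameserver 127.0.0.1" > "$conf"
}

# Demonstration on a constructed resolv.conf in a scratch directory.
demo_dir=$(mktemp -d)
printf 'search example.invalid\nnameserver 10.0.0.1\nnameserver 10.0.0.2\n' \
    > "$demo_dir/resolv.conf"
point_resolver_at_dnsmasq "$demo_dir"
echo "resolv.conf:    $(cat "$demo_dir/resolv.conf")"
echo "resolv.dnsmasq: $(upstream_nameservers "$demo_dir/resolv.dnsmasq" | tr '\n' ' ')"
rm -rf "$demo_dir"
```

If the DHCP client rewrites resolv.conf on lease renewal, the same function has to run again from that hook.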



Re: [leaf-user] SSH login takes 40 seconds

2004-11-18 Thread Doug Hite
I don't like the /etc/hosts solution either, but 
it's the one I use as well.

Doug


Date: Wed, 17 Nov 2004 08:18:51 +0100
From: Erich Titl [EMAIL PROTECTED]
To: cpu memhd [EMAIL PROTECTED]
CC: [EMAIL PROTECTED] 
Subject: Re: [leaf-user] SSH login takes 40 seconds

Hi

cpu memhd wrote:

Bering uClibc 2.2 - I got SSH working a few weeks ago. Now for some
reason it takes 40 seconds to display a console screen after I login. I
have read that this is likely a reverse DNS problem. But why should it
matter if I'm using private, 10.x.x.x IPs? Also, I don't recall making
any changes between the time SSH worked and now. Any ideas?
  

If you have a working DNS server then it should just return an NXDOMAIN 
and you should be fine. If not, sshd will try to reverse lookup your 
address and finally time out.

One possible solution is to include your management station in the 
/etc/hosts file (not that I specifically like this solution)

Erich







Re: [leaf-user] SSH login takes 40 seconds

2004-11-16 Thread Erich Titl
Hi
cpu memhd wrote:
Bering uClibc 2.2 - I got SSH working a few weeks ago. Now for some
reason it takes 40 seconds to display a console screen after I login. I
have read that this is likely a reverse DNS problem. But why should it
matter if I'm using private, 10.x.x.x IPs? Also, I don't recall making
any changes between the time SSH worked and now. Any ideas?
 

If you have a working DNS server then it should just return an NXDOMAIN 
and you should be fine. If not, sshd will try to reverse lookup your 
address and finally time out.

One possible solution is to include your management station in the 
/etc/hosts file (not that I specifically like this solution)

Erich



Re: [leaf-user] ssh access from inside being rejected.

2004-10-29 Thread Glenn A. Thompson
I never got sshd working on 2.2.1.
I just switched to dropbear.  It works fine.
Glenn
Glenn A. Thompson wrote:
No it actually segfaulted when I ran it in debug mode.
Martin Hejl wrote:

Glenn A. Thompson wrote:
I installed the sshd module on my bering 2.2.1 test box and 
generated keys etc.  I can't seem to connect to it from my local 
network. I'm running my local network on 192.168.10.0/24.  That 
caused me some grief on a few other packages until I changed their 
configs.
But from what I can tell I've got all that fixed up OK.
I can connect to the fw weblet application no problem. When I try to 
connect to the sshd from the internet I see stuff in my logs as I 
would expect.
When I do it from the loc network I see immediate rejects and I 
can't find anything in any logs.
So I installed the ssh client on the firewall.  If I try to connect 
to localhost I just hang there.
If I try to connect to the loc interface I get reject UNKNOWN. I've 
looked through the rules and it seems like it should work.  I even 
changed the interfaces file under shorewall to be more explicit 
about the loc and fw interfaces.

Any clues? Any more information I should provide?

You probably already checked that, but could it be an issue with 
/etc/hosts.allow needing to be updated with the new net?

It could also be that sshd is trying to do a DNS lookup on the IP of 
the box that's connecting - that would surely _seem_ like it's just 
died.

Martin


[leaf-user] ssh access from inside being rejected.

2004-10-21 Thread Glenn A. Thompson
Hey,
I installed the sshd module on my bering 2.2.1 test box and generated 
keys etc.  I can't seem to connect to it from my local network. 
I'm running my local network on 192.168.10.0/24.  That caused me some 
grief on a few other packages until I changed their configs.
But from what I can tell I've got all that fixed up OK.
I can connect to the fw weblet application no problem. 
When I try to connect to the sshd from the internet I see stuff in my 
logs as I would expect.
When I do it from the loc network I see immediate rejects and I can't 
find anything in any logs.
So I installed the ssh client on the firewall.  If I try to connect to 
localhost I just hang there.
If I try to connect to the loc interface I get reject UNKNOWN. 
I've looked through the rules and it seems like it should work.  I even 
changed the interfaces file under shorewall to be more explicit about 
the loc and fw interfaces.

Any clues? Any more information I should provide?
Thanks,
glenn



Re: [leaf-user] ssh access from inside being rejected.

2004-10-21 Thread Patrick Benson
Glenn A. Thompson wrote:
 
 Hey,
 
 I installed the sshd module on my bering 2.2.1 test box and generated
 keys etc.  I can't seem to connect to it from my local network.
 I'm running my local network on 192.168.10.0/24.  That caused me some
 grief on a few other packages until I changed their configs.
 But from what I can tell I've got all that fixed up OK.
 I can connect to the fw weblet application no problem.
 When I try to connect to the sshd from the internet I see stuff in my
 logs as I would expect.
 When I do it from the loc network I see immediate rejects and I can't
 find anything in any logs.
 So I installed the ssh client on the firewall.  If I try to connect to
 localhost I just hang there.
 If I try to connect to the loc interface I get reject UNKNOWN.
 I've looked through the rules and it seems like it should work.  I even
 changed the interfaces file under shorewall to be more explicit about
 the loc and fw interfaces.
 
 Any clues? Any more information I should provide?
 Thanks,
 glenn

What does your output look like when you turn on verbose mode:

ssh -v host

and how is your sshd_config configured? We'll need that to begin with..
If you have changed other configuration files, other than those
connected with ssh, sshd you'll have to provide info with that as well.
Is sshd actually running? Try netstat -an and ps ax and see what
gives..

Regards,
-- 
Patrick Benson
Stockholm, Sweden




Re: [leaf-user] ssh access from inside being rejected.

2004-10-21 Thread Glenn A. Thompson
I set the log level to debug in the sshd_config file.
It  forks a child and seems to negotiate a protocol level and then no 
more log entries.
It may just be dying.
Again any clues would be helpful

Thanks
Glenn
Glenn A. Thompson wrote:
Hey,
I installed the sshd module on my bering 2.2.1 test box and generated 
keys etc.  I can't seem to connect to it from my local network. I'm 
running my local network on 192.168.10.0/24.  That caused me some 
grief on a few other packages until I changed their configs.
But from what I can tell I've got all that fixed up OK.
I can connect to the fw weblet application no problem. When I try to 
connect to the sshd from the internet I see stuff in my logs as I 
would expect.
When I do it from the loc network I see immediate rejects and I can't 
find anything in any logs.
So I installed the ssh client on the firewall.  If I try to connect to 
localhost I just hang there.
If I try to connect to the loc interface I get reject UNKNOWN. I've 
looked through the rules and it seems like it should work.  I even 
changed the interfaces file under shorewall to be more explicit about 
the loc and fw interfaces.

Any clues? Any more information I should provide?
Thanks,
glenn



Re: [leaf-user] ssh access from inside being rejected.

2004-10-21 Thread Martin Hejl

Glenn A. Thompson wrote:
I installed the sshd module on my bering 2.2.1 test box and generated 
keys etc.  I can't seem to connect to it from my local network. I'm 
running my local network on 192.168.10.0/24.  That caused me some grief 
on a few other packages until I changed their configs.
But from what I can tell I've got all that fixed up OK.
I can connect to the fw weblet application no problem. When I try to 
connect to the sshd from the internet I see stuff in my logs as I would 
expect.
When I do it from the loc network I see immediate rejects and I can't 
find anything in any logs.
So I installed the ssh client on the firewall.  If I try to connect to 
localhost I just hang there.
If I try to connect to the loc interface I get reject UNKNOWN. I've 
looked through the rules and it seems like it should work.  I even 
changed the interfaces file under shorewall to be more explicit about 
the loc and fw interfaces.

Any clues? Any more information I should provide?
You probably already checked that, but could it be an issue with 
/etc/hosts.allow needing to be updated with the new net?

It could also be that sshd is trying to do a DNS lookup on the IP of the 
box that's connecting - that would surely _seem_ like it's just died.

Martin


Re: [leaf-user] ssh access from inside being rejected.

2004-10-21 Thread Patrick Benson
Glenn A. Thompson wrote:
 
 I set the log level to debug in the sshd_config file.
 It  forks a child and seems to negotiate a protocol level and then no
 more log entries.
 It may just be dying.
 Again any clues would be helpful

There are two FAQ's that may be helpful:

http://www.snailbook.com/faq/
http://www.openssh.com/faq.html


Regards,
-- 
Patrick Benson
Stockholm, Sweden




Re: [leaf-user] ssh access from inside being rejected.

2004-10-21 Thread Glenn A. Thompson
No it actually segfaulted when I ran it in debug mode.
Martin Hejl wrote:

Glenn A. Thompson wrote:
I installed the sshd module on my bering 2.2.1 test box and 
generated keys etc.  I can't seem to connect to it from my local 
network. I'm running my local network on 192.168.10.0/24.  That 
caused me some grief on a few other packages until I changed their 
configs.
But from what I can tell I've got all that fixed up OK.
I can connect to the fw weblet application no problem. When I try to 
connect to the sshd from the internet I see stuff in my logs as I 
would expect.
When I do it from the loc network I see immediate rejects and I can't 
find anything in any logs.
So I installed the ssh client on the firewall.  If I try to connect 
to localhost I just hang there.
If I try to connect to the loc interface I get reject UNKNOWN. I've 
looked through the rules and it seems like it should work.  I even 
changed the interfaces file under shorewall to be more explicit about 
the loc and fw interfaces.

Any clues? Any more information I should provide?
You probably already checked that, but could it be an issue with 
/etc/hosts.allow needing to be updated with the new net?

It could also be that sshd is trying to do a DNS lookup on the IP of 
the box that's connecting - that would surely _seem_ like it's just died.

Martin


Re: [leaf-user] ssh on dachstein - update

2004-08-17 Thread Arnold Wiegert
Latest: got sshd going on the firewall - had to make the following change:
in /etc/ssh/sshd_config
change
UsePrivilegeSeparation yes
to
UsePrivilegeSeparation no
then if I start sshd manually, I can login. I have no clue what that 
means other than it avoids the error message and lets me get going.

Still have not sorted out Putty from WindowsExplorer via GUI interface,
but I can login from both my debian machine as well as from the putty 
command line on my WinMe machine

So all I need to figure out is how to get sshd started on startup - 
that'll be my next project.

Looks like there is more to it than just getting and loading the files 
;-) and the two Howtos I've found both need work. Once I get this all 
sorted out I'll try to contact the authors with the details.

Thanks to both you and Ray for their interest and help
Arnold
Tibbs, Richard wrote:
OK, next idea:
Go to /usr/sbin.
Type ./sshd
For some reason error messages for sshd don't go to any log.
You should see some complaint.
For sshd in Bering, you need libcrypt.lrp, libz.lrp and libnsl.
If you see certain libraries missing like libcrypto.so.yadda, then you
are missing some packages.
Good luck
Tibbs.
-Original Message-
From: Arnold Wiegert [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 16, 2004 7:56 PM
To: Tibbs, Richard
Subject: Re: [leaf-user] ssh on dachstein

Thanks, Richard;
sshd is not running :-(
I did generate the keys, but the Mini-Howto said nothing about what else
needs to be done - if anything - to have sshd run after installing, 
generating the keys, backing up & rebooting
Arnold

Tibbs, Richard wrote:

Check your processes with a ps -A command. If you do not see sshd,
then it is not running.
Likely you need to generate keys with sshkey.lrp ( at least that is
what works with Bering.)
HTH,
Rick.
	-Original Message- 
	From: [EMAIL PROTECTED] on behalf of Arnold
Wiegert 

	Sent: Mon 8/16/2004 4:28 PM 
	To: [EMAIL PROTECTED] 
	Cc: 
	Subject: [leaf-user] ssh on dachstein
	
	

	I've finally decided to try and get an ssh link going on my
network.

I'm running normal Dachstein with dual floppies and have
installed all
the ssh .lrp files as per the openssh LEAF/LRP user's guide
http://leaf.sourceforge.net/devel/jnilo/openssh2.html

I've added a password for 'root' and have tried PuTTY as a
client to
	sign on, but have had no luck at all. All I get - after several
seconds
- is RuTTY Fatal Error: Network error: Connection timed out

If I need to supply extra information, please let me know.

TIA
Arnold





Re: [leaf-user] ssh on dachstein

2004-08-17 Thread Ray Olszewski
Arnold -- No doubt inadvertently, you replied to me personally instead of 
to the list. To fix this, I'm responding to the list, and not trimming your 
reply (as I would normally do, since only the first part of the response is 
needed).

At 07:30 PM 8/16/2004 -0700, Arnold Wiegert wrote:
Ray Olszewski wrote:
At 01:28 PM 8/16/2004 -0700, Arnold Wiegert wrote:
I've finally decided to try and get an ssh link going on my network.
I didn't see any other replies to this, but please forgive me if I missed 
something.
I think you need to walk through the basics.
1. On the LEAF system, after you install the ssh stuff and reboot, is the 
sshd process running? Does it show up in the process list? Does netstat 
-l (I think Dach has this command) report it as listening on port 22?
neither netstat -l nor ps -A show sshd as running
running it manually  in /usr/sbin via ./sshd gives me an error message:
Privilege separation user sshd does not exist
This is your problem. You cannot connect to the router because it is not 
running sshd. Why? Hard to say for sure, but it sounds like you are using a 
newer version of sshd than the one Dach was configured for. Privilege 
separation is a newer security modification of sshd, and it probably 
postdates whatever version of Dach you are running.

How to fix it? Your safest bet is to do a quick install of some version of 
Bering, see what its entry for the sshd user is, and replicate that in 
Dach's /etc/passwd (and /etc/shadow) file. Or, on the bet that this userid 
is pretty standard, you could add these entries (taken from my Debian 
system) to the relevant files:

in /etc/passwd:
sshd:x:100:65534::/var/run/sshd:/bin/false
in /etc/shadow:
sshd:!:11912:0:9:7:::
Then back up the relevant .lrp package (probably etc.lrp, but you should 
check ... actually, you must know this piece better than I, since you 
changed root's password successfully).

Though I've left the rest of your response below, it has nothing to do with 
your immediate problem, so you can stop reading now.

2. Is your LEAF firewall configured to permit connections to port 22 on 
the router from wherever (LAN or Internet) you are connecting from?
Haven't tried that yet; I'm trying to get to the router from inside.
3. Are you trying to connect from the LAN (internal) side or the Internet 
(external) side? Are you connecting to the appropriate IP address? Could 
there be a DNS issue? If you are connecting from the Internet, might your 
ISP be blocking traffic to TCP port 22?
4. after several seconds implies that you get this response quickly. Am 
I reading this right, or are we talking about time more like 30 seconds, 
or even 3 minutes? Time delays are sometimes important hints to 
diagnosis, so please be as exact as you can on this. For example, here I 
just tried to connect to an unused LAN IP address, and it took 20 seconds 
for me to get that same message. (And I've assumed that RuTTY is just a 
typo ... if not, please correct me.)
Yes it is a typo, should be PuTTY - time to error message is 22 - 23 sec.
5. After you try and fail to connect to the router, do the router logs 
show anything, logged by either sshd or iptables? Is the host you tried 
to connect from (assuming a LAN connection) in the router's arp cache? Is 
the router in the host's arp cache?
see above, I'm on the inside
6. Do you know that PuTTY works properly? Can you use it to connect to 
other hosts? I've assumed you are an experienced PuTTY user, so are not 
making any rookie mistakes at that end (like trying to do a telnet 
connection instead of an ssh connection), so please confirm or correct 
this assumption.
I'm a rookie - very much, although I do believe I am trying for a ssh 
connection.
I've tried the -v (verbose) option, but it does not produce any output to 
the DOS box window - with or without the -v option

7. If you post again, please round up the usual suspects when you do. 
Tell us the networks and IP addresses involved.
as far as I know, I'm using the default addresses for my leaf box and I am 
using it - 192.168.1.254 - as the host name/IP address

Thank you for your reply.
Arnold
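
Ray's diagnosis above ("Privilege separation user sshd does not exist") can be turned into a check to run before starting sshd. This is an added example, not part of the thread: it reads a passwd file and an sshd_config and reports whether privilege separation is switched off, the sshd account is missing, or the account has a login shell. The function names are hypothetical, the sample files are constructed around the passwd entry quoted above, and treating an unset UsePrivilegeSeparation as yes is an assumption about the installed OpenSSH version.

```shell
#!/bin/sh
# Added example (not from the thread): preconditions for UsePrivilegeSeparation.
# Function names are hypothetical; sample files below are constructed.

# Print the login shell of the sshd account; fail if the account is absent.
privsep_user_shell() {
    awk -F: '$1 == "sshd" { print $7; found = 1; exit } END { exit !found }' "$1"
}

# Print the effective UsePrivilegeSeparation value. sshd uses the first value
# it reads for a keyword; an unset keyword is assumed to default to "yes".
privsep_setting() {
    [ -r "$1" ] || { echo yes; return 0; }
    awk 'tolower($1) == "useprivilegeseparation" { v = tolower($2); exit }
         END { print (v == "" ? "yes" : v) }' "$1"
}

# Report one of: disabled, missing-user, login-shell, ok.
privsep_check() {
    passwd=${1:-/etc/passwd}
    config=${2:-/etc/ssh/sshd_config}
    if [ "$(privsep_setting "$config")" = no ]; then
        # sshd starts, but the pre-authentication code then runs as root
        # instead of in an unprivileged child.
        echo disabled
        return 0
    fi
    if ! shell=$(privsep_user_shell "$passwd"); then
        echo missing-user    # the state that produces the error in the thread
        return 1
    fi
    case "$shell" in
        */false|*/nologin) echo ok ;;
        *) echo login-shell; return 1 ;;   # account should not be usable for logins
    esac
}

# Demonstration on constructed files in a scratch directory.
demo=$(mktemp -d)
printf 'root:x:0:0:root:/root:/bin/sh\n' > "$demo/passwd"
printf 'Port 22\nUsePrivilegeSeparation yes\n' > "$demo/sshd_config"
privsep_check "$demo/passwd" "$demo/sshd_config" || true   # prints: missing-user
# Add the passwd entry suggested in the thread and check again.
printf 'sshd:x:100:65534::/var/run/sshd:/bin/false\n' >> "$demo/passwd"
privsep_check "$demo/passwd" "$demo/sshd_config" || true   # prints: ok
rm -rf "$demo"
```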




[leaf-user] ssh on dachstein

2004-08-16 Thread Arnold Wiegert
I've finally decided to try and get an ssh link going on my network.
I'm running normal Dachstein with dual floppies and have installed all 
the ssh .lrp files as per the openssh LEAF/LRP user's guide
http://leaf.sourceforge.net/devel/jnilo/openssh2.html

I've added a password for 'root' and have tried PuTTY as a client to 
sign on, but have had no luck at all. All I get - after several seconds 
- is RuTTY Fatal Error: Network error: Connection timed out

If I need to supply extra information, please let me know.
TIA
Arnold



FW: [leaf-user] ssh on dachstein

2004-08-16 Thread Tibbs, Richard



From: Tibbs, Richard 
Sent: Monday, August 16, 2004 6:22 PM
To: Arnold Wiegert; [EMAIL PROTECTED]
Subject: RE: [leaf-user] ssh on dachstein

Check your processes with a ps -A command. If you do not see sshd, then it is not 
running.
Likely you need to generate keys with sshkey.lrp ( at least that is what works with 
Bering.)
HTH,
Rick.
-Original Message- 
From: [EMAIL PROTECTED] behalf of Arnold Wiegert 
Sent: Mon 8/16/2004 4:28 PM 
To: [EMAIL PROTECTED] 
Cc: 
Subject: [leaf-user] ssh on dachstein
I've finally decided to try and get an ssh link going on my network.

I'm running normal Dachstein with dual floppies and have installed all
the ssh .lrp files as per the openssh LEAF/LRP user's guide
http://leaf.sourceforge.net/devel/jnilo/openssh2.html

I've added a password for 'root' and have tried PuTTY as a client to
sign on, but have had no luck at all. All I get - after several seconds
- is RuTTY Fatal Error: Network error: Connection timed out

If I need to supply extra information, please let me know.

TIA
Arnold





Re: [leaf-user] ssh on dachstein

2004-08-16 Thread Ray Olszewski
At 01:28 PM 8/16/2004 -0700, Arnold Wiegert wrote:
I've finally decided to try and get an ssh link going on my network.
I'm running normal Dachstein with dual floppies and have installed all the 
ssh .lrp files as per the openssh LEAF/LRP user's guide
http://leaf.sourceforge.net/devel/jnilo/openssh2.html

I've added a password for 'root' and have tried PuTTY as a client to sign 
on, but have had no luck at all. All I get - after several seconds - is 
RuTTY Fatal Error: Network error: Connection timed out

If I need to supply extra information, please let me know.
I didn't see any other replies to this, but please forgive me if I missed 
something.

I think you need to walk through the basics.
1. On the LEAF system, after you install the ssh stuff and reboot, is the 
sshd process running? Does it show up in the process list? Does netstat 
-l (I think Dach has this command) report it as listening on port 22?

2. Is your LEAF firewall configured to permit connections to port 22 on the 
router from wherever (LAN or Internet) you are connecting from?

3. Are you trying to connect from the LAN (internal) side or the Internet 
(external) side? Are you connecting to the appropriate IP address? Could 
there be a DNS issue? If you are connecting from the Internet, might your 
ISP be blocking traffic to TCP port 22?

4. "after several seconds" implies that you get this response quickly. Am I
reading this right, or are we talking about time more like 30 seconds, or
even 3 minutes? Time delays are sometimes important hints to diagnosis, so
please be as exact as you can on this. For example, here I just tried to
connect to an unused LAN IP address, and it took 20 seconds for me to get
that same message. (And I've assumed that "RuTTY" is just a typo ... if
not, please correct me.)

5. After you try and fail to connect to the router, do the router logs show 
anything, logged by either sshd or iptables? Is the host you tried to 
connect from (assuming a LAN connection) in the router's arp cache? Is the 
router in the host's arp cache?

6. Do you know that PuTTY works properly? Can you use it to connect to 
other hosts? I've assumed you are an experienced PuTTY user, so are not 
making any rookie mistakes at that end (like trying to do a telnet 
connection instead of an ssh connection), so please confirm or correct this 
assumption.

7. If you post again, please round up the usual suspects when you do. Tell 
us the networks and IP addresses involved.





[leaf-user] SSH Bug and Exploit

2003-09-17 Thread Alex Rhomberg
Seems there is a bug in OpenSSH and some reports of exploits in the wild:
http://slashdot.org/articles/03/09/16/1327248.shtml?tid=126&tid=172
There is a new OpenSSH version available (3.7). Is somebody 
upgrading the LRPs?

- Alex




[leaf-user] ssh and link error

2003-07-01 Thread chrispatch
I just downloaded the lrps for ssh and sshd listed under the Uclibc
Packages tree.  However whenever /usr/sbin/sshd attempts to start I am
getting the following error.
./sbin: linked against GNU libc!!

Anyone have any insight into what I need to do to fix this?

Currently I have the following lrps on this system.
root
etc
local
modules
keyboard
libc225
libz
libpopt
libcrpto
libssl2
djbutils
maradns
netsnmpd
sshd
ssh

Try the libz,ssh,sshd from
http://leaf.sourceforge.net/devel/jnilo

To do this you DO have to use the libc225.

I had the same problem and this worked for me.





Re: [leaf-user] ssh - key only - no password

2003-06-09 Thread Vladimir Ivaschenko
In theory I don't see why it shouldn't work.

Steve Wright wrote:

> Gurus,
>
> I am trying to get my LEAF-WISP 2591 to ssh out, and to accept ssh
> connections and auth with key only.  The routers must be able to
> load/change/reload policy (addresses, routes, rules) on command from the
> core but this is insecure without ssh.  (I can cron a passworded wget
> off the core httpd, but not secure.)
>
> I have read a number of HOWTOs on doing this but it still refuses.
> My question is ;
>
> Will the ssh/sshd on 2591 do key-only (no password) auth, incoming and
> outgoing  ?
>
> If it does, then I have a config error and I will continue working on it.
>
> TIA, and kind regards,
> Steve




--
Best Regards,
Vladimir Ivaschenko
Thunderworx - Senior Systems Engineer (RHCE)




[leaf-user] ssh - key only - no password

2003-06-08 Thread Steve Wright
Gurus,

I am trying to get my LEAF-WISP 2591 to ssh out, and to accept ssh 
connections and auth with key only.  The routers must be able to 
load/change/reload policy (addresses, routes, rules) on command from the 
core but this is insecure without ssh.  (I can cron a passworded wget 
off the core httpd, but not secure.)

I have read a number of HOWTOs on doing this but it still refuses.  

My question is ;

Will the ssh/sshd on 2591 do key-only (no password) auth, incoming and 
outgoing  ?

If it does, then I have a config error and I will continue working on it.

TIA, and kind regards,
Steve




[leaf-user] Ssh

2003-03-19 Thread Homer Parker
Ok, I got the IPSec problem worked out, and I have a working tunnel
across the wireless link... Now I have another little problem.. I can't
ssh into it... First the layout:

workstation - bering1.0 - internet - rh7.2 w/shorewall - ipsec - bering1.0

I have tried from the workstation to the RH box, and ssh to the other end
of the IPSec tunnel, and I also tried DNATing a high port on the RH box to
22 on the other end of the tunnel and connecting to that from the
workstation, and I get the same thing either way.. It prompts me for the
password, I enter it, hit enter, the cursor moves to the next line and
just sits there and blinks at me.. CTRL-C and I'm back at the prompt..
When I set the Bering box up, I ssh'd to it on the local LAN and it worked
fine... I'm not sure why it's doing this.. Any ideas?

--- 
Homer Parker  /\ ASCII Ribbon Campaign
  \ / No HTML/RTF in email
http://www.homershut.net   x  No Word docs in email
telnet://bbs.homershut.net/ \ Respect for open standards

Bill Gates reports on security progress made and the challenges ahead.
-- Microsoft's Homepage, on the day an SQL Server bug crippled large
   sections of the Internet.


 




Re: [leaf-user] SSH question

2003-02-18 Thread John Mullan
Thanks Tom.  Setting my buddy's sshd to listen on 0.0.0.0 did the trick.  I
never noticed that it was set to internal IP.

John
===
Work:   http://www.olgclotteries.com
[EMAIL PROTECTED]
888-345-7568 ext. 2205

Personal:   http://www.mullan.ca
[EMAIL PROTECTED]
MSN:[EMAIL PROTECTED]
===




   
 
Tom Eastep [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: John Mullan [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] SSH question
14-02-03 10:04 AM
 
   
 
   
 




John Mullan wrote:
> Yes, they are intentional.  I want to keep the FTP server on port 1021.  If
> anyone comes in from outside without specifying port 1021, they will still
> get to my FTP server.  That leaves me the future opportunity to have
> another FTP server on 21 but only accessible from internal.
>
> At least, that is the way I figure it.

Your first rule actually insists that the CLIENT port be 1021 -- rather
odd requirement.

> I will attempt the Telnet idea later.  Work doesn't open very many ports.
> I don't even get port 80 access from this workstation :(

Also be sure that your sshd is listening on 0.0.0.0 and/or on the
external IP address of your firewall.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA  \ [EMAIL PROTECTED]






[leaf-user] SSH question

2003-02-14 Thread John Mullan
Hello folks

A little pre-amble:  When setting up my buddy's LEAF box, I made an exact
copy of my LEAF setup, changing PPPoE user/password, some host names, and
that was pretty much it.  Everything works exactly like mine.

Well, almost everything.  While I can login to my LEAF box (over the
internet) with SSH (TeraTermPro), I cannot with his.  I keep getting
connection refused.

I can do it within the internal net no problem (again, same as mine).

What should I look for?  Could there be something with the possibility of
identical keys having copied my installation?  I'm not familiar with how
that part may or may not affect the situation.

Sample of Shorewall RULES file follows:

#
# Accept DNS connections from the firewall to the network
#
ACCEPT fw  net tcp 53
ACCEPT fw  net udp 53

#
# Accept SSH connections from the local and internet network for
# administration
#
ACCEPT loc fw  tcp 22
ACCEPT net fw  tcp 22

#
# Bering specific rules:
# allow loc to fw udp/53 for dnscache to work
#
ACCEPT loc fw  udp 53

#
# Allow all access to weblet
#
REDIRECT loc 8080 tcp 80 - 192.168.1.254
ACCEPT loc fw tcp 8080

# Custom rules:
#  allow various services for internal servers
#
DNAT net loc:192.168.1.254 tcp 8080
DNAT net loc:192.168.1.128 tcp 80
DNAT net loc:192.168.1.128 tcp 21 1021
DNAT net loc:192.168.1.128 tcp 1021
DNAT net loc:192.168.1.128 tcp 25
DNAT net loc:192.168.1.128 tcp 110
DNAT net loc:192.168.1.128 tcp 1080
DNAT net loc:192.168.1.128 tcp 5631
DNAT net loc:192.168.1.128 tcp 5632
DNAT net loc:192.168.1.128 udp 5631
DNAT net loc:192.168.1.128 udp 5632
DNAT net loc:192.168.1.128 tcp 
DNAT net loc:192.168.1.128 tcp 9925
#LAST LINE -- ADD YOUR ENTRIES BEFORE THIS ONE -- DO NOT REMOVE


===
Work:   http://www.olgclotteries.com
[EMAIL PROTECTED]
888-345-7568 ext. 2205

Personal:   http://www.mullan.ca
[EMAIL PROTECTED]
MSN:[EMAIL PROTECTED]
===








AW: [leaf-user] SSH question

2003-02-14 Thread Alex Rhomberg
 A little pre-amble:  When setting up my buddies LEAF box, I made an exact
 copy of my LEAF setup, changing PPPoE user/password, some host names, and
 that was pretty much it.  Everything works exactly like mine.

 Well, almost everything.  While I can login to my LEAF box (over the
 internet) with SSH (TeraTermPro), I cannot with his.  I keep getting
 connection refused.

Try opening a telnet connection to the ssh daemon
telnet x.x.x.x 22
If it answers with SSH-2.0-OpenSSH_3.5p1 or something similar, then the
problem is with the SSH daemon configuration or the password, because you
know that you have a running sshd and a firewall that allows connections to
it.

 What should I look for?  Could there be something with the possibility of
 identical keys having copied my installation?

There should be no problem with using identical keys though it is clearly
not recommended.

 DNAT net loc:192.168.1.128 tcp 21 1021
 DNAT net loc:192.168.1.128 tcp 1021

Are these two 1021 intentional?

Regards
Alex






Re: [leaf-user] SSH question

2003-02-14 Thread John Mullan

Yes, they are intentional.  I want to keep the FTP server on port 1021.  If
anyone comes in from outside without specifying port 1021, they will still
get to my FTP server.  That leaves me the future opportunity to have
another FTP server on 21 but only accessible from internal.

At least, that is the way I figure it.

I will attempt the Telnet idea later.  Work doesn't open very many ports.
I don't even get port 80 access from this workstation :(

===
Work:   http://www.olgclotteries.com
[EMAIL PROTECTED]
888-345-7568 ext. 2205

Personal:   http://www.mullan.ca
[EMAIL PROTECTED]
MSN:[EMAIL PROTECTED]
===



   

Alex Rhomberg alex.lists@bluewin.ch
To: John Mullan [EMAIL PROTECTED], [EMAIL PROTECTED]
cc:
Subject: AW: [leaf-user] SSH question
14-02-03 08:29 AM

   

   





 A little pre-amble:  When setting up my buddies LEAF box, I made an exact
 copy of my LEAF setup, changing PPPoE user/password, some host names, and
 that was pretty much it.  Everything works exactly like mine.

 Well, almost everything.  While I can login to my LEAF box (over the
 internet) with SSH (TeraTermPro), I cannot with his.  I keep getting
 connection refused.

Try opening a telnet connection to the ssh daemon
telnet x.x.x.x 22
If it answers with SSH-2.0-OpenSSH_3.5p1 or something similar, then the
problem is with the SSH daemon configuration or the password, because you
know that you have a running sshd and a firewall that allows connections to
it.

 What should I look for?  Could there be something with the possibility of
 identical keys having copied my installation?

There should be no problem with using identical keys though it is clearly
not recommended.

 DNAT net loc:192.168.1.128 tcp 21 1021
 DNAT net loc:192.168.1.128 tcp 1021

Are these two 1021 intentional?

Regards
Alex











Re: [leaf-user] SSH question

2003-02-14 Thread Tom Eastep
John Mullan wrote:

> Yes, they are intentional.  I want to keep the FTP server on port 1021.  If
> anyone comes in from outside without specifying port 1021, they will still
> get to my FTP server.  That leaves me the future opportunity to have
> another FTP server on 21 but only accessible from internal.
>
> At least, that is the way I figure it.

Your first rule actually insists that the CLIENT port be 1021 -- rather
odd requirement.

> I will attempt the Telnet idea later.  Work doesn't open very many ports.
> I don't even get port 80 access from this workstation :(

Also be sure that your sshd is listening on 0.0.0.0 and/or on the
external IP address of your firewall.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA  \ [EMAIL PROTECTED]





Re: [leaf-user] SSH question

2003-02-14 Thread John Mullan

Thanks Tom, I will double check the listening address.  It may have gotten
changed somehow.

I'm not sure about your reference to 'odd requirement'.  Do you mean
choosing port 1021?

My only intention is, that if external clients make an FTP request using
default port of 21 that they get routed to 1021 on the appropriate machine.
Saves me explaining to friends to use 1021.  Would it be more appropriate
to use a REDIRECT instead of DNAT??

John
===
Work:   http://www.olgclotteries.com
[EMAIL PROTECTED]
888-345-7568 ext. 2205

Personal:   http://www.mullan.ca
[EMAIL PROTECTED]
MSN:[EMAIL PROTECTED]
===



   
 
Tom Eastep [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
To: John Mullan [EMAIL PROTECTED]
cc: [EMAIL PROTECTED]
Subject: Re: [leaf-user] SSH question
14-02-03 10:04 AM
 
   
 
   
 




John Mullan wrote:
> Yes, they are intentional.  I want to keep the FTP server on port 1021.  If
> anyone comes in from outside without specifying port 1021, they will still
> get to my FTP server.  That leaves me the future opportunity to have
> another FTP server on 21 but only accessible from internal.
>
> At least, that is the way I figure it.

Your first rule actually insists that the CLIENT port be 1021 -- rather
odd requirement.

> I will attempt the Telnet idea later.  Work doesn't open very many ports.
> I don't even get port 80 access from this workstation :(

Also be sure that your sshd is listening on 0.0.0.0 and/or on the
external IP address of your firewall.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA  \ [EMAIL PROTECTED]






Re: [leaf-user] SSH question

2003-02-14 Thread Tom Eastep
John Mullan wrote:

> Thanks Tom, I will double check the listening address.  It may have gotten
> changed somehow.
>
> I'm not sure about your reference to 'odd requirement'.  Do you mean
> choosing port 1021?
>
> My only intention is, that if external clients make an FTP request using
> default port of 21 that they get routed to 1021 on the appropriate machine.
> Saves me explaining to friends to use 1021.  Would it be more appropriate
> to use a REDIRECT instead of DNAT??
>
> John
===
Work:   http://www.olgclotteries.com
[EMAIL PROTECTED]
888-345-7568 ext. 2205

Personal:   http://www.mullan.ca
[EMAIL PROTECTED]
MSN:[EMAIL PROTECTED]
===




> Tom Eastep [EMAIL PROTECTED]
> Sent by: [EMAIL PROTECTED]
> To: John Mullan [EMAIL PROTECTED]
> cc: [EMAIL PROTECTED]
> Subject: Re: [leaf-user] SSH question
> 14-02-03 10:04 AM






> John Mullan wrote:
>
>> Yes, they are intentional.  I want to keep the FTP server on port 1021.  If
>> anyone comes in from outside without specifying port 1021, they will still
>> get to my FTP server.  That leaves me the future opportunity to have
>> another FTP server on 21 but only accessible from internal.
>>
>> At least, that is the way I figure it.




This is the rule that you posted:

DNAT net loc:192.168.1.128 tcp 21 1021

That rule says to DNAT tcp connection requests from the net to 
192.168.1.128 if the destination port is 21 AND THE SOURCE PORT IS 1021.

If you wanted to accept either 21 or 1021 then the rule would have been:

DNAT net loc:192.168.1.128 tcp 21,1021

And of course you must tell ip_conntrack_ftp and ip_nat_ftp to consider 
1021 to be an ftp port.

-Tom
--
Tom Eastep\ Shorewall - iptables made easy
Shoreline, \ http://www.shorewall.net
Washington USA  \ [EMAIL PROTECTED]
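
The column mix-up Tom describes can be checked mechanically. The following Python lint is an added example, not part of the thread or of Shorewall; it assumes the Shorewall 1.x rules column order (ACTION SOURCE DEST PROTO DEST-PORT CLIENT-PORT ORIGINAL-DEST), its function names are hypothetical, and the sample rules are a subset of the file posted earlier in the thread. The port-remapping suggestion (DEST written as zone:address:port) uses Shorewall's documented DNAT syntax and was not proposed in the thread.

```python
"""Flag Shorewall 1.x rules whose CLIENT PORT(S) column is set."""

# Assumed column order of the Shorewall 1.x rules file:
# ACTION SOURCE DEST PROTO DEST-PORT(S) CLIENT-PORT(S) ORIGINAL-DEST
COLUMNS = ("action", "source", "dest", "proto", "dport", "sport", "origdest")

# Sample input: a subset of the rules posted in the thread.
SAMPLE_RULES = """\
# Accept SSH connections from the local and internet network
ACCEPT loc fw  tcp 22
ACCEPT net fw  tcp 22
REDIRECT loc 8080 tcp 80 - 192.168.1.254
DNAT net loc:192.168.1.128 tcp 80
DNAT net loc:192.168.1.128 tcp 21 1021
DNAT net loc:192.168.1.128 tcp 1021
"""


def parse_rule(line):
    """Return a dict of columns, or None for blank lines and comments."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    rule = dict.fromkeys(COLUMNS, "-")   # "-" means "not specified"
    rule.update(zip(COLUMNS, fields))
    return rule


def describe(rule):
    """Spell out what a rule matches, column by column."""
    parts = [f"{rule['proto']} from zone {rule['source']}"]
    if rule["dport"] != "-":
        parts.append(f"destination port {rule['dport']}")
    if rule["sport"] != "-":
        parts.append(f"client (source) port {rule['sport']}")
    return f"{rule['action']} " + " AND ".join(parts) + f" -> {rule['dest']}"


def lint(rules_text):
    """Report every rule that constrains the client's source port.

    Clients pick ephemeral source ports, so such a rule almost never
    matches; a second number on the line usually means a second
    destination port was intended.
    """
    findings = []
    for lineno, line in enumerate(rules_text.splitlines(), 1):
        rule = parse_rule(line)
        if rule is None or rule["sport"] == "-":
            continue
        head = f"{rule['action']} {rule['source']}"
        if rule["dport"] == "-":
            ports = rule["sport"]
        else:
            ports = f"{rule['dport']},{rule['sport']}"
        finding = {
            "line": lineno,
            "meaning": describe(rule),
            # The fix given in the thread: accept either destination port.
            "either_port": f"{head} {rule['dest']} {rule['proto']} {ports}",
            # Alternative (not from the thread): translate the port as well.
            "remap": None,
        }
        if (rule["action"] == "DNAT" and rule["dport"] != "-"
                and rule["sport"].isdigit()
                and rule["dest"].count(":") == 1):
            finding["remap"] = (f"{head} {rule['dest']}:{rule['sport']} "
                                f"{rule['proto']} {rule['dport']}")
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in lint(SAMPLE_RULES):
        print(f"line {f['line']}: {f['meaning']}")
        print(f"  accept either port:  {f['either_port']}")
        if f["remap"]:
            print(f"  or remap the port:   {f['remap']}")
```

Whichever rewrite is used, the FTP connection-tracking modules still have to be told about port 1021, as the reply above points out.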





Re: [leaf-user] SSH question

2003-02-14 Thread Ray Olszewski
At 07:44 AM 2/14/03 -0500, John Mullan wrote:

> Hello folks
>
> A little pre-amble:  When setting up my buddy's LEAF box, I made an exact
> copy of my LEAF setup, changing PPPoE user/password, some host names, and
> that was pretty much it.  Everything works exactly like mine.
>
> Well, almost everything.  While I can login to my LEAF box (over the
> internet) with SSH (TeraTermPro), I cannot with his.  I keep getting
> connection refused.
>
> I can do it within the internal net no problem (again, same as mine).
>
> What should I look for?  Could there be something with the possibility of
> identical keys having copied my installation?  I'm not familiar with how
> that part may or may not affect the situation.
>
> [details deleted]

Your guess about keys seems implausible. The fact that you can connect from
the LAN side indicates that sshd (or inetd) is listening on port 22. And
the bare "connection refused" message almost always means a failure before
ssh authentication (I say "almost" because I haven't used TT in years, and
it may be different from the Linux ssh client and PuTTY in how it reports
authentication failures).

How are you determining the IP address to connect to? Since this problem is 
taking place in a setting of dynamic addressing (PPPoE), are you certain 
you are connecting to the right IP address?

The Shorewall rules you list look OK to me (and more important, Tom seems
to think the relevant ones are OK). But the way to be sure is to run
"shorewall status" *after* a connection failure to see if the packets are
arriving and what rule is blocking them. Also check the logs for any
messages from sshd after a failure (might there be a reverse-lookup
problem? wild guess here).

Do you and your friend use the same ISP? I've never actually heard of an 
ISP who blocks ssh connections, but I no longer dismiss the possibility of 
ANY ISP action on the grounds that it is stupid or inconvenient for customers.

A final long shot ... where are you connecting *from*? Are you connecting 
to both your and your friend's router from the same location? If so, could 
there be anything about the source end that makes the two connections look 
different (I ask only because you mentioned in a followup that at work you 
have a restrictive firewall in place)? If not, could there be some 
difference of consequence between the two locations you try to connect from?


--
---Never tell me the odds!
Ray Olszewski	-- Han Solo
Palo Alto, California, USA			  [EMAIL PROTECTED]
---
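
Alex's telnet banner check and Ray's reading of "connection refused" versus "connection timed out" can be combined into one probe. This Python script is an added example, not code from the thread; the function names and advice strings are this example's own wording of the posters' reasoning, and it only looks at the first line the server sends.

```python
"""Classify a TCP connection attempt to an SSH port."""
import socket
import sys

# What each outcome suggests, following the reasoning in the thread.
ADVICE = {
    "banner": "sshd is running and the firewall allows the connection; "
              "look at sshd configuration or authentication next.",
    "refused": "Failure before SSH authentication: nothing accepts "
               "connections on that address and port (check that sshd "
               "listens on 0.0.0.0 or the external address), or a "
               "firewall rule rejects them.",
    "timeout": "No answer at all: wrong or unused IP address, packets "
               "dropped by a firewall, or the port blocked upstream.",
    "closed-before-banner": "Something accepted the connection and closed "
                            "it without identifying itself; check the "
                            "sshd log on the server.",
    "connected-no-banner": "Connected, but nothing was sent within the "
                           "timeout; the listener may not be sshd.",
    "not-ssh": "The first line is not an SSH identification string; the "
               "port may be forwarded to another service.",
    "unreachable": "The local stack could not reach the host; check "
                   "addresses and routes.",
}


def classify_banner(data):
    """Map the first bytes received to (state, first_line)."""
    if not data:
        return ("closed-before-banner", None)
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if line.startswith("SSH-"):
        return ("banner", line)
    return ("not-ssh", line)


def probe_ssh(host, port=22, timeout=5.0):
    """Connect once and report how far the attempt got."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", None)
    except socket.timeout:
        return ("timeout", None)
    except OSError as exc:
        return ("unreachable", str(exc))
    buf = b""
    with sock:
        try:
            # An identification string is at most 255 bytes long.
            while b"\n" not in buf and len(buf) < 255:
                chunk = sock.recv(255 - len(buf))
                if not chunk:
                    break
                buf += chunk
        except socket.timeout:
            if not buf:
                return ("connected-no-banner", None)
        except OSError:
            pass  # reset by peer: classify whatever arrived
    return classify_banner(buf)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 22
    state, detail = probe_ssh(target, target_port)
    print(f"{target}:{target_port} -> {state}" + (f" ({detail})" if detail else ""))
    print(ADVICE[state])
```

Run it from the same network location as the failing client, since the result depends on every firewall between the two ends.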





[leaf-user] SSH Sentinel

2003-01-30 Thread Heriberto Höhlke
Hello

Does SSH Sentinel support Dynamic DNS IPs?

Thanks
Herbert




RE: [leaf-user] SSH Sentinel

2003-01-30 Thread Todd Pearsall
Not 100% sure what you mean, are you asking if the client is dynamic can you
use SSH Sentinel on the client?  If so then the answer is yes, they have
some great docs on their site for integrating with FreeSwan.

- Todd

 -Original Message-
 From: [EMAIL PROTECTED] 
 [mailto:[EMAIL PROTECTED]] On Behalf Of 
 Heriberto Höhlke
 Sent: Thursday, January 30, 2003 8:38 AM
 To: [EMAIL PROTECTED]
 Subject: [leaf-user] SSH Sentinel
 
 
 Hello
 
 Does SSH Sentinel support Dynamic DNS IPs?
 
 Thanks
 Herbert
 



Re: [leaf-user] SSH Sentinel

2003-01-30 Thread Heriberto Höhlke
Yes, my question was if the client SSH Sentinel could be dynamic
Thanks

> Not 100% sure what you mean, are you asking if the client is dynamic can you
> use SSH Sentinel on the client?  If so then the answer is yes, they have
> some great docs on their site for integrating with FreeSwan.
>
> - Todd

 -Original Message-
 From: [EMAIL PROTECTED]
 [mailto:[EMAIL PROTECTED]] On Behalf Of
 Heriberto Höhlke
 Sent: Thursday, January 30, 2003 8:38 AM
 To: [EMAIL PROTECTED]
 Subject: [leaf-user] SSH Sentinel


 Hello

 Does SSH Sentinel support Dynamic DNS IPs?

 Thanks
 Herbert




[leaf-user] Ssh and portforwarding

2003-01-17 Thread Stefke
Hi,

I'm getting the following error in my logs :

sshd[1986]: channel 3: open failed: connect failed: Remote port is not
recognised

Can anyone tell me what this error means and/or what is causing it ?
My guess is it has something to do with portforwarding, but searching Google
doesn't give me any hints :-(
I'm using OpenSSH_3.0p1 on an Eigerstein CD configuration.

Stefaan






[leaf-user] ssh running on firewall

2002-11-07 Thread George Luft
 -Original Message-
 From: Timothy J. Massey [mailto:modernmerchant;yahoo.com]
 Sent: Thursday, November 07, 2002 11:40 AM
 Subject: RE: [leaf-user] Unable to serve large files (Dachstein 1.0.2)
snip

 Anyway, I am not physically in front of the firewall,
 and I don't have SSH on that box (it's against my
 religion to put methods to access the firewall on the
 firewall), I will have to change the MTU later today. 
 Hopefully, that will fix it.
 

I don't have SSH on my firewall either, but I ssh into a forwarded host
inside the network and then connect to the router via null modem cable from
there.





Re: [leaf-user] ssh

2002-10-10 Thread ArisB


- Original Message -
From: David Douthitt [EMAIL PROTECTED]
To: ArisB [EMAIL PROTECTED]
Cc: Jeff Newmiller [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Thursday, October 10, 2002 4:06 AM
Subject: Re: [leaf-user] ssh


 Shutdown the sshd daemon on the firewall, and start it from the command
 line like so:

 sshd -ddd

 ...and watch what happens when you connect.  Likewise, when connecting,
use:

 slogin -v me@myfirewall

 ...or:

 ssh -v me@myfirewall

 Then report what the server said, and report what the client said.
 Note that after a connection (successful or not) the sshd client
 running in debug mode quits.  You'll have to restart your sshd
 server normally - but if it doesn't work, it may not matter...


When I start the daemon like this, sshd -ddd, I get this on my screen:
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 RSA
Privilege separation user sshd does not exist

When I run the client I see this:
ssh -v [EMAIL PROTECTED]

OpenSHH_3.4p1, SHH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: needpriv 0
connecting to: 192.168.1.254 [192.168.1.254] port 22
debug1: connection established
debug1: indentity file /root/.ssh/indentity type -1
debug1: indentity file /root/.ssh/id_rsa type -1
debug1: indentity file /root/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
debug1: calling cleanup 0x8061e60(0x0)

It looks like the problem is something with the key files, but I'm sure
(100%) I created them with makekey.

How can i solve this?
thanks in advance,
Aris







Re: [leaf-user] ssh

2002-10-10 Thread Erich Titl

Aris

At 14:25 10.10.2002, you wrote:

- Original Message -
From: David Douthitt [EMAIL PROTECTED]
To: ArisB [EMAIL PROTECTED]
Cc: Jeff Newmiller [EMAIL PROTECTED];
[EMAIL PROTECTED]
Sent: Thursday, October 10, 2002 4:06 AM
Subject: Re: [leaf-user] ssh



When I start the daemon like this, sshd -ddd, I get this on my screen:
debug1: sshd version OpenSSH_3.4p1
debug1: private host key: #0 type0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 RSA
Privilege separation user sshd does not exist

This is a FAQ and is handled in the Bering docs; basically you have to create
a user sshd. Please browse the archives.


When I run the client I see this:
ssh -v [EMAIL PROTECTED]

OpenSHH_3.4p1, SHH protocols 1.5/2.0, OpenSSL 0x0090605f
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Rhosts authentication disabled, originating port will not be
trusted.
debug1: ssh_connect: needpriv 0
connecting to: 192.168.1.254 [192.168.1.254] port 22
debug1: connection established
debug1: indentity file /root/.ssh/indentity type -1
debug1: indentity file /root/.ssh/id_rsa type -1
debug1: indentity file /root/.ssh/id_dsa type -1

Looks like the key/identity files are missing, look into your .ssh directories.

ssh_exchange_identification: Connection closed by remote host
debug1: calling cleanup 0x8061e60(0x0)

It looks like the problem is something with the key files, but I'm sure
(100%) I created them with makekey.

How can I solve this?

I guess you have to re-read 
http://leaf.sourceforge.net/devel/jnilo/openssh.html

HTH
Erich

THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16






[leaf-user] ssh

2002-10-09 Thread ArisB

I'm now using Bering instead of Dachstein and I'm trying to set up an sshd
(internal).
So I downloaded ssh, sshd, libz, sshkey from
http://leaf.sourceforge.net/devel/jnilo/
I put them on a disk (1440) and configured Bering to start from 2 diskettes.
I have made a key (with makekey) and it seems to be installed,
but when I try to connect from a client I see this:
ssh_exchange_identification : connection closed by remote host (with
Red Hat 8.0); in Windows with PuTTY I only get the message connection closed
by remote host

PS: Where can I configure silent_deny in Bering?

thanks in advance,
Aris






Re: [leaf-user] ssh

2002-10-09 Thread ArisB

I've followed the install instructions on the website; it still isn't
working.
But when I install an ssh client on the firewall and then try to connect to
the sshd (which is also on the firewall) I still can't connect; then I get
exchange_identification : connection closed by remote host and in the
host.allow is a line ALL: 192.168.1.0/255.255.255.0.

I had almost the same problem with Dachstein; I solved that by getting the
sshd.lrp from the Dachstein CD-ROM.
I can't find another sshd.lrp for Bering; every site links to
http://leaf.sourceforge.net/devel/jnilo/

How can I solve my problem?

PS: With SILENT_DENY I mean I don't want to log this message: Oct 10 02:01:02
firewall kernel: Shorewall:rfc1918:DROP:IN=eth0 OUT=
MAC=ff:ff:ff:ff:ff:ff:00:80:2d:6a:f5:8b:08:00 SRC=172.31.254.129
DST=255.255.255.255 LEN=348 TOS=0x00 PREC=0x00 TTL=253 ID=45715 DF PROTO=UDP
SPT=67 DPT=68 LEN=328 otherwise I get very large logfiles because I get
this like 3000 times a day.

Thanks in advance,
Aris

- Original Message -
From: Jeff Newmiller [EMAIL PROTECTED]
To: ArisB [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Sent: Thursday, October 10, 2002 2:40 AM
Subject: Re: [leaf-user] ssh


 On Thu, 10 Oct 2002, ArisB wrote:

  I'm now using Bering instead of Dachstein and I'm trying to set up an sshd
  (internal).
  So I downloaded ssh, sshd, libz, sshkey from

 ssh.lrp shouldn't be necessary, and may actually be a bad idea for a
 firewall.

  http://leaf.sourceforge.net/devel/jnilo/
  I put them on a disk (1440) and configured Bering to start from 2 diskettes.
  I have made a key (with makekey) and it seems to be installed,
  but when I try to connect from a client I see this:
  ssh_exchange_identification : connection closed by remote host (with
  Red Hat 8.0); in Windows with PuTTY I only get the message connection closed
  by remote host

 Is /etc/hosts.allow configured to let you connect?

 Have you followed the instructions for configuring an sshd user for
 privilege separation? http://leaf.sourceforge.net/devel/jnilo/openssh.html

  PS: Where can I configure silent_deny in Bering?

 If you mean use DENY rather than REJECT for default packet handling... in
 the Shorewall policy file.

 ---
 Jeff NewmillerThe .   .  Go Live...
 DCN:[EMAIL PROTECTED]Basics: ##.#.   ##.#.  Live Go...
   Live:   OO#.. Dead: OO#..  Playing
 Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
 /Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
 ---







Re: [leaf-user] ssh

2002-10-09 Thread David Douthitt

On Thu, Oct 10, 2002 at 03:27:03AM +0200, ArisB wrote:

 I've followed the install instructions on the website; it still isn't
 working.
 But when I install an ssh client on the firewall and then try to connect to
 the sshd (which is also on the firewall) I still can't connect; then I get
 exchange_identification : connection closed by remote host and in the
 host.allow is a line ALL: 192.168.1.0/255.255.255.0.

Shut down the sshd daemon on the firewall, and start it from the command
line like so:

sshd -ddd

...and watch what happens when you connect.  Likewise, when connecting, use:

slogin -v me@myfirewall

...or:

ssh -v me@myfirewall

Then report what the server said, and report what the client said.
Note that after a connection (successful or not) the sshd client
running in debug mode quits.  You'll have to restart your sshd
server normally - but if it doesn't work, it may not matter...






[leaf-user] SSH Bering Leaf

2002-09-22 Thread sr

I would like to enable SSH from the Internet on a LEAF Bering box tomorrow
so I can remotely monitor it. I already have libz, sshd and sshkey loaded
from syslinux.cfg. Assuming I do a makekey and can connect from inside
(i.e., loc), is it sufficient to add the following to my Shorewall rules
file:
ACCEPT net fw tcp 22

or is there more to do?

Thanks!

-sr







Re: [leaf-user] SSH Bering Leaf

2002-09-22 Thread Jacques Nilo

On Sunday 22 September 2002 21:31, sr wrote:
 I would like to enable SSH from the Internet on a LEAF Bering box tomorrow
 so I can remotely monitor it. I already have libz, sshd and sshkey loaded
 from syslinux.cfg. Assuming I do a makekey and can connect from inside
 (i.e., loc), is it sufficient to add the following to my Shorewall rules
 file:
 ACCEPT net fw tcp 22

 or is there more to do?

Yes
Check hosts.allow :-)

Jacques





Re: [leaf-user] SSH Bering Leaf

2002-09-22 Thread Matthew Schalit

Jacques Nilo wrote:
 On Sunday 22 September 2002 21:31, sr wrote:

or is there more to do?

 Yes
 Check hosts.allow :-)
 
 Jacques



Hosts.allow only comes into play if sshd is being started via /etc/inetd.conf:
===
#:OTHER: Other services
ssh     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/sshd -i
===

Following your docs, this would be commented out, and
the daemon would be running standalone from init.  A better
line in your /etc/shorewall/rules would be something like:

ACCEPT  net:128.287.333.12 fw   tcp   22

or

ACCEPT  net:128.287.333.0/24   fw   tcp   22

if'n you know where'n ya'll are gonna be comin' from,
because it's more restrictive.

regards,
matthew







Re: [leaf-user] SSH Bering Leaf

2002-09-22 Thread Jeff Newmiller

On Sun, 22 Sep 2002, Matthew Schalit wrote:

 
 Jacques Nilo wrote:
  On Sunday 22 September 2002 21:31, sr wrote:
 
 or is there more to do?
 
  Yes
  Check hosts.allow :-)
  
  Jacques
 
 Hosts.allow only comes into play if sshd is being started via /etc/inetd.conf:

Matt... sshd also checks /etc/hosts.allow itself if compiled to do so.  
Most binaries for LEAF boxen are compiled this way.

 ===
 #:OTHER: Other services
 ssh     stream  tcp     nowait  root    /usr/sbin/tcpd  /usr/sbin/sshd -i
 ===
 
 Following your docs, this would be commented out, and
 the daemon would be running standalone from init.  A better
 line in your /etc/shorewall/rules would be something like:
 
 ACCEPT  net:128.287.333.12 fw   tcp   22
 
 or
 
 ACCEPT  net:128.287.333.0/24   fw   tcp   22
 
 if'n you know where'n ya'll are gonna be comin' from,
 because it's more restrictive.
 
 regards,
 matthew
 
 
 
 
 

---
Jeff NewmillerThe .   .  Go Live...
DCN:[EMAIL PROTECTED]Basics: ##.#.   ##.#.  Live Go...
  Live:   OO#.. Dead: OO#..  Playing
Research Engineer (Solar/BatteriesO.O#.   #.O#.  with
/Software/Embedded Controllers)   .OO#.   .OO#.  rocks...2k
---






RE: [leaf-user] SSH Bering Leaf

2002-09-22 Thread Chutima Subsirin

Yes, it's OK.  But I think net is too wide.  Maybe you want to specify only your
network to connect to it, such as:
ACCEPT net:202.22.34.0/24 fw tcp 22

Cheers
Chutima S.

-Original Message-
From: [EMAIL PROTECTED] 
[mailto:[EMAIL PROTECTED]]On Behalf Of sr
Sent: 23 September, 2002 2:32 AM
To: LEAF
Subject: [leaf-user] SSH  Bering Leaf


I would like to enable SSH from the Internet on a LEAF Bering box tomorrow
so I can remotely monitor it. I already have libz, sshd and sshkey loaded
from syslinux.cfg. Assuming I do a makekey and can connect from inside
(i.e., loc), is it sufficient to add the following to my Shorewall rules
file:
ACCEPT net fw tcp 22

or is there more to do?

Thanks!

-sr






Re: [leaf-user] SSH Bering Leaf

2002-09-22 Thread Matthew Schalit

Jeff Newmiller wrote:
 On Sun, 22 Sep 2002, Matthew Schalit wrote:
Hosts.allow only comes into play if sshd is being started via /etc/inetd.conf:


 Matt... sshd also checks /etc/hosts.allow itself if compiled to do so.  
 Most binaries for LEAF boxen are compiled this way.


Yea, I've messed with that when compiling it myself,
and I was wrong to make such a blanket statement.

But it's not enabled on the pre-rolled sshd-3.4p1 by JN.
So that specific version won't use hosts.allow when
running standalone.  That's what I was thinking after
having tested it.

thanks,
matt






[leaf-user] ssh error

2002-08-30 Thread guitarlynn

I recently switched out a Dachstein floppy firewall with a 
Dachstein CD firewall. The major difference between the
two firewalls was the addition of ssh on the new one running
DCD. My problem is any attempt to ssh to a WAN client ends
in a server refused a secure connection error. I can ssh to
the firewall itself from any LAN computer and I can ssh to
a remote host from the firewall itself fine. It appears as if
the firewall is not forwarding the ssh request packets to 
the WAN boxes. 

I have been unable to find the same error in the archives 
and since I am initiating the connection on the LAN, the
connection should be using a non-privileged port.
Is there anyone else that has run into this error and/or
has someone come up with a better solution than simply
eliminating ssh on the firewall???

TIA
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!





Re: [leaf-user] ssh error

2002-08-30 Thread Charles Steinkuehler

 I recently switched out a Dachstein floppy firewall with a
 Dachstein CD firewall. The major difference between the
 two firewalls was the addition of ssh on the new one running
 DCD. My problem is any attempt to ssh to a WAN client ends
 in a server refused a secure connection error. I can ssh to
 the firewall itself from any LAN computer and I can ssh to
 a remote host from the firewall itself fine. It appears as if
 the firewall is not forwarding the ssh request packets to
 the WAN boxes.

 I have been unable to find the same error in the archives
 and since I am initiating the connection on the LAN, the
 connection should be using a non-privileged port.
 Is there anyone else that has run into this error and/or
 has someone come up with a better solution than simply
 eliminating ssh on the firewall???

The above is very strange...you shouldn't have any problems connecting
via ssh to a remote machine just because you run ssh on the firewall.  I
run ssh on all my Dachstein-CD boxes, and can ssh to either the firewall
or various remote hosts with no problems.

Can you really connect with exactly the same setup, except for
Dachstein-floppy instead of Dachstein-CD as your firewall?  With the
error you report, I'd suspect something more like:

- Remote server is refusing connections on port-22 (ssh)

- Remote server only accepts ssh-V2, and you're running ssh-V1

- Remote server configured to only allow connections authenticated by
public key

- Incorrect username/password embedded in some gui ssh client

...or similar issues, unless of course, you manually added some REDIRECT
rules to the ipchains ruleset or something :-)

Charles Steinkuehler
http://lrp.steinkuehler.net
http://c0wz.steinkuehler.net (lrp.c0wz.com mirror)






Re: [leaf-user] ssh error

2002-08-30 Thread guitarlynn

On Friday 30 August 2002 13:06, Charles Steinkuehler wrote:

 The above is very strange...you shouldn't have any problems
 connecting via ssh to a remote machine just because you run ssh on
 the firewall.  I run ssh on all my Dachstein-CD boxes, and can ssh to
 either the firewall or various remote hosts with no problems.

Got it (finally!). The NOMASQ_DEST variable was set for ssh in
network.conf. I wonder when I set that option. The new firewall
is a spare 1U box I made that was lying around w/o a CF reader,
figured it might be more convenient since the ISP was down for a
while. I keep thinking I know how to troubleshoot my own system.

Thanks again Charles!
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!





Re: [leaf-user] ssh error

2002-08-30 Thread Erich Titl

Lynn

guitarlynn wrote the following at 19:56 30.08.2002:
I recently switched out a Dachstein floppy firewall with a
Dachstein CD firewall. The major difference between the
two firewalls was the addition of ssh on the new one running
DCD. My problem is any attempt to ssh to a WAN client ends
in a server refused a secure connection error. I can ssh to
the firewall itself from any LAN computer and I can ssh to
a remote host from the firewall itself fine. It appears as if
the firewall is not forwarding the ssh request packets to
the WAN boxes.

I have been unable to find the same error in the archives
and since I am initiating the connection on the LAN, the
connection should be using a non-privileged port.
Is there anyone else that has run into this error and/or
has someone come up with a better solution than simply
eliminating ssh on the firewall???

I believe you are barking up the wrong tree.
Unless you do some fancy port forwarding I don't see how the presence of 
ssh on the firewall should prevent you from passing a ssh connection 
through it. I have been running a floppy based box including ssh exactly 
the way you want to.

cheers

Erich


THINK
Püntenstrasse 39
8143 Stallikon
mailto:[EMAIL PROTECTED]
PGP Fingerprint: BC9A 25BC 3954 3BC8 C024  8D8A B7D4 FF9D 05B8 0A16






[leaf-user] ssh Ctrl-C behavior

2002-06-27 Thread Dragon Wood

I apologize if this is a little unrelated, but one of
my bering boxes behaves differently from my other
bering boxes in a ssh session. The ssh session simply
disconnects when I press ctrl-c at the # prompt. This
does not happen on the other boxes. I am using the
same client (putty) to access these boxes. It's very
annoying as I use ctrl-c to stop processes like ping,
and it terminates the ssh session and I need to
reconnect. Ugh! 




Re: [leaf-user] ssh Ctrl-C behavior

2002-06-27 Thread Stephen Lee

On Thu, 2002-06-27 at 12:45, Dragon Wood wrote:
 I apologize if this is a little unrelated, but one of
 my bering boxes behaves differently from my other
 bering boxes in a ssh session. The ssh session simply
 disconnects when I press ctrl-c at the # prompt. This
 does not happen on the other boxes. I am using the
 same client (putty) to access these boxes. It's very
 annoying as I use ctrl-c to stop processes like ping,
 and it terminates the ssh session and I need to
 reconnect. Ugh! 
 

I had the same problem with bering rc2 on CD. The fix was to replace the
sshd package with the latest one.

Stephen







RE: [leaf-user] SSH via http ?

2002-06-13 Thread Reginald R. Richardson



-Original Message-
From: Jack Coates [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, May 25, 2002 17:09
To: [EMAIL PROTECTED]
Cc: leaf
Subject: Re: [leaf-user] SSH via http ?


Use corkscrew (http://www.agroman.net/corkscrew); you may need to use 
cygwin if coming from windows.

Works like a charm at my work, which also only allows HTTP/S out.

Jack


On Fri, 24 May 2002, David Ondzes wrote:

 I have seen a commercial product that lets you use a
 browser to connect to a SSH server and get terminal
 access. Does anyone know if there a similar type
 application available for LEAF ?
 
 The reason I ask is because my company only lets http
 traffic pass through firewall (via a proxy server) and
 it would be nice to be able to reach my machine at home.
 
 

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...





RE: [leaf-user] SSH via http ?

2002-06-13 Thread Reginald R. Richardson

Oops...forgot the data

If you're using a Windows client, you can try http-tunnel; what it does is
tunnel all traffic via the proxy server on port 80

cheers

-Original Message-
From: Jack Coates [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, May 25, 2002 17:09
To: [EMAIL PROTECTED]
Cc: leaf
Subject: Re: [leaf-user] SSH via http ?


Use corkscrew (http://www.agroman.net/corkscrew); you may need to use 
cygwin if coming from windows.

Works like a charm at my work, which also only allows HTTP/S out.

Jack


On Fri, 24 May 2002, David Ondzes wrote:

 I have seen a commercial product that lets you use a
 browser to connect to a SSH server and get terminal
 access. Does anyone know if there a similar type
 application available for LEAF ?
 
 The reason I ask is because my company only lets http
 traffic pass through firewall (via a proxy server) and
 it would be nice to be able to reach my machine at home.
 
 

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...





[leaf-user] SSH Help

2002-06-01 Thread Jonathan Berglund

I installed SSH on my LEAF box (running Dachstein) with the help of
http://leaf.sourceforge.net/devel/jnilo/openssh2.html . I did it exactly
as it said and I ran makekey to generate the key. So it should be
working, but I'm getting a connection refused error. I'm using Putty to
connect to my LRP box (192.168.1.254:22). Are there any settings I have
to set, or changes to the ssh files on router?

Thanks,

Jon





Re: [leaf-user] SSH Help

2002-06-01 Thread Stephen Lee

On Sat, 2002-06-01 at 12:13, Jonathan Berglund wrote:
 I installed SSH on my LEAF box (running Dachstein) with the help of
 http://leaf.sourceforge.net/devel/jnilo/openssh2.html . I did it exactly
 as it said and I ran makekey to generate the key. So it should be
 working, but I'm getting a connection refused error. I'm using Putty to
 connect to my LRP box (192.168.1.254:22). Are there any settings I have
 to set, or changes to the ssh files on router?
 
Try the following:

In /etc/init.d/sshd comment out 
#echo Secure Shell server via inetd: sshd
#exit 0

and then run svi sshd restart. ps ax | grep sshd should show
/usr/sbin/sshd running. Now, try connecting to the LEAF box.

Stephen






Re: [leaf-user] SSH Help

2002-06-01 Thread Prabhakar Chaganti

Are you allowing ssh connections to your box? Check your /etc/hosts.allow.

-prabhakar

 I installed SSH on my LEAF box (running Dachstein) with the help of
 http://leaf.sourceforge.net/devel/jnilo/openssh2.html . I did it exactly
 as it said and I ran makekey to generate the key. So it should be
 working, but I'm getting a connection refused error. I'm using Putty to
 connect to my LRP box (192.168.1.254:22). Are there any settings I have
 to set, or changes to the ssh files on router?





RE: [leaf-user] SSH Help

2002-06-01 Thread Jonathan Berglund

Thanks!!! I love you guys! LOL. Thanks for the help to everyone on this
mailing list. Now I got port forwarding working and remote access to my
LRP box (no more need for this extra monitor!!!). Thanks so much!

If I have any other questions, I know where to ask.

- Jon

-Original Message-
From: Stephen Lee [mailto:[EMAIL PROTECTED]] 
Sent: Saturday, June 01, 2002 12:58 PM
To: [EMAIL PROTECTED]
Cc: Leaf-user
Subject: Re: [leaf-user] SSH Help


On Sat, 2002-06-01 at 12:13, Jonathan Berglund wrote:
 I installed SSH on my LEAF box (running Dachstein) with the help of
 http://leaf.sourceforge.net/devel/jnilo/openssh2.html . I did it
 exactly as it said and I ran makekey to generate the key. So it should
 be working, but I'm getting a connection refused error. I'm using
 Putty to connect to my LRP box (192.168.1.254:22). Are there any
 settings I have to set, or changes to the ssh files on router?
 
Try the following:

In /etc/init.d/sshd comment out 
#echo Secure Shell server via inetd: sshd
#exit 0

and then run svi sshd restart. ps ax | grep sshd should show
/usr/sbin/sshd running. Now, try connecting to the LEAF box.

Stephen







Re: [leaf-user] SSH problems from external network

2002-05-28 Thread Adam Drake

Jacques,

Thanks so much for the swift, short and CORRECT answer! I changed the
hosts.allow file and all works wonderfully now.

Could this also be the reason my qmail wasn't working, or is that more
complex? (See previous posting).

Thanks once again,

Adam.

- Original Message -
From: Jacques Nilo [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Sent: Monday, May 27, 2002 3:23 PM
Subject: Re: [leaf-user] SSH problems from external network


 On Monday 27 May 2002 19:35, [EMAIL PROTECTED] wrote:
  My Bering 2.4.18 firewall is installed on a 486 with HD booting.
 
  I use SSH (PuTTY) to access the firewall from internally, and all works
  well. I set up a rule in SHOREWALL to allow this:
 
  ACCESS loc fw tcp  22
 
  Now I want to use SSH to access from the internet. I enter:
 
  ACCESS net fw tcp  22
 
  But unfortunately, it won't work. PuTTY runs, and I get the black screen
  with my ip address showing and it seems to be waiting to display the
  login: but nothing appears. Then PuTTY quits.
 
  Any ideas?
 Check hosts.allow :-)

 jacques





[leaf-user] SSH problems from external network

2002-05-27 Thread ja_drake

My Bering 2.4.18 firewall is installed on a 486 with HD booting.

I use SSH (PuTTY) to access the firewall from internally, and all works well. I 
set up a rule in SHOREWALL to allow this:

ACCESS loc fw tcp  22

Now I want to use SSH to access from the internet. I enter:

ACCESS net fw tcp  22

But unfortunately, it won't work. PuTTY runs, and I get the black screen with 
my ip address showing and it seems to be waiting to display the login: but 
nothing appears. Then PuTTY quits.

Any ideas?

Adam Drake.




Re: [leaf-user] SSH problems from external network

2002-05-27 Thread Jacques Nilo

On Monday 27 May 2002 19:35, [EMAIL PROTECTED] wrote:
 My Bering 2.4.18 firewall is installed on a 486 with HD booting.

 I use SSH (PuTTY) to access the firewall from internally, and all works
 well. I set up a rule in SHOREWALL to allow this:

 ACCESS loc fw tcp  22

 Now I want to use SSH to access from the internet. I enter:

 ACCESS net fw tcp  22

 But unfortunately, it won't work. PuTTY runs, and I get the black screen
 with my ip address showing and it seems to be waiting to display the
 login: but nothing appears. Then PuTTY quits.

 Any ideas?
Check hosts.allow :-)

jacques
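
The failure in this thread (the Shorewall rule admits the TCP connection, then a daemon linked against libwrap drops it because hosts.allow does not cover the client) can be reproduced with a small evaluator for the hosts.allow / hosts.deny lookup order. This is an added example, not part of the original posts; it covers only a subset of the hosts_access(5) pattern syntax, and the file contents and addresses are constructed.

```python
import ipaddress


def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into (daemon_list, client_list) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            continue  # not a "daemons : clients" rule
        daemons = fields[0].replace(",", " ").split()
        clients = fields[1].replace(",", " ").split()
        rules.append((daemons, clients))
    return rules


def client_matches(pattern, addr):
    """Match one client pattern against a dotted-quad IPv4 address.

    Subset only: ALL, net/mask, address prefix ending in ".", exact address.
    """
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask: matches when (addr AND mask) == net
        net, mask = pattern.split("/", 1)
        try:
            masked = int(ipaddress.IPv4Address(addr)) & int(ipaddress.IPv4Address(mask))
            return masked == int(ipaddress.IPv4Address(net))
        except ipaddress.AddressValueError:
            return False
    if pattern.endswith("."):  # prefix form, e.g. "192.168.1."
        return addr.startswith(pattern)
    return addr == pattern


def first_match(rules, daemon, addr):
    """Return the first rule whose daemon list and client list both match."""
    for daemons, clients in rules:
        daemon_ok = "ALL" in daemons or daemon in daemons
        if daemon_ok and any(client_matches(c, addr) for c in clients):
            return daemons, clients
    return None


def decide(daemon, addr, allow_text, deny_text):
    """Apply the tcp-wrappers order: hosts.allow, then hosts.deny, else allow."""
    hit = first_match(parse_rules(allow_text), daemon, addr)
    if hit:
        return "allow", "hosts.allow: %s : %s" % (" ".join(hit[0]), " ".join(hit[1]))
    hit = first_match(parse_rules(deny_text), daemon, addr)
    if hit:
        return "deny", "hosts.deny: %s : %s" % (" ".join(hit[0]), " ".join(hit[1]))
    return "allow", "no rule matched (default)"


# Constructed files: only the internal LAN is listed, everything else is denied.
HOSTS_ALLOW = "# constructed sample\nALL: 192.168.1.\n"
HOSTS_DENY = "ALL: ALL\n"
# One possible correction: let sshd accept any client and leave the
# source restriction to the firewall rule (a narrower client list also works).
HOSTS_ALLOW_FIXED = HOSTS_ALLOW + "sshd: ALL\n"

if __name__ == "__main__":
    for label, allow in (("before", HOSTS_ALLOW), ("after", HOSTS_ALLOW_FIXED)):
        for client in ("192.168.1.20", "203.0.113.7"):  # LAN host, external host
            print(label, client, decide("sshd", client, allow, HOSTS_DENY))
```

The check only has an effect on daemons that were built with libwrap; for anything else the firewall rule is the only gate.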




Re: [leaf-user] SSH via http ?

2002-05-25 Thread Jack Coates

Use corkscrew (http://www.agroman.net/corkscrew); you may need to use 
cygwin if coming from windows.

Works like a charm at my work, which also only allows HTTP/S out.

Jack


On Fri, 24 May 2002, David Ondzes wrote:

 I have seen a commercial product that lets you use a
 browser to connect to a SSH server and get terminal
 access. Does anyone know if there is a similar type
 application available for LEAF ?
 
 The reason I ask is because my company only lets http
 traffic pass through firewall (via a proxy server) and
 it would be nice to be able to reach my machine at home.
 
 

-- 
Jack Coates
Monkeynoodle: A Scientific Venture...





Re: [leaf-user] ssh to host behind firewall: connect direct or through router?

2002-05-24 Thread Greg Morgan

Eric House [EMAIL PROTECTED] wrote:
 
 There seem to be two ways to allow ssh access from outside the
 firewall to a host inside: 1. forward some port on the fw to the host;
 2. connect directly to sshd on the fw and use the -Lport:host:port
 flag to forward an additional connection to the host.
 
 Is there agreement on which method is better (where better means
 more secure, I guess)?
 

To answer the security question, I believe you have to look at how often
you are able to get a bug fix on each host.  For example, if you are
using the port forward method in #1. above, that would depend on the
host you are forwarding to.  I know Redhat had a security fix for the
last ssh vulnerability right away.  The same goes for method #2 above.
Jacques Nilo had a ssh package for all the LEAF firewalls.  So if the
timeliness of the patches is the same, it depends on how quickly you
apply the patches as to which method is more secure.

 The fw and host are at home.  Most of the time I'm connecting from
 outside I'm either at work and want to xhost some app, or I want to
 transfer a bunch of files.  Occasionally I need to tweak the router,
 so picking #1 above wouldn't remove the need to have sshd on the
 router's floppy.

This may then depend on style in your case.  If you are more
comfortable port forwarding, method #1, then use it.  If you want to
stop at the firewall first and then jump off to somewhere else on your
home network, then pick method #2 above.  Perhaps there's another task
that you would want to do in the future that would affect your
decision.  For now it does not seem to matter which method you use in
your case.  However, it appears that your ssh tasks appear geared toward
your internal machine--xhosting and scp files--versus firewall
maintenance.

 
 Connections are always from machines that have keys in the router's
 (and inside host's) .ssh/authorized_keys files.  Password login is
 disabled.
 
 I'm running Bering RC2.
 
 Thanks,
 
 --Eric

Hope this helps,
Greg Morgan




[leaf-user] SSH via http ?

2002-05-24 Thread David Ondzes

I have seen a commercial product that lets you use a
browser to connect to a SSH server and get terminal
access. Does anyone know if there is a similar type
application available for LEAF ?

The reason I ask is because my company only lets http
traffic pass through firewall (via a proxy server) and
it would be nice to be able to reach my machine at home.




[leaf-user] ssh to host behind firewall: connect direct or through router?

2002-05-23 Thread Eric House

There seem to be two ways to allow ssh access from outside the
firewall to a host inside: 1. forward some port on the fw to the host;
2. connect directly to sshd on the fw and use the -Lport:host:port
flag to forward an additional connection to the host.

Is there agreement on which method is better (where better means
more secure, I guess)?

The fw and host are at home.  Most of the time I'm connecting from
outside I'm either at work and want to xhost some app, or I want to
transfer a bunch of files.  Occasionally I need to tweak the router,
so picking #1 above wouldn't remove the need to have sshd on the
router's floppy.

Connections are always from machines that have keys in the router's
(and inside host's) .ssh/authorized_keys files.  Password login is
disabled.

I'm running Bering RC2.

Thanks,

--Eric

**
* From the desktop of: Eric House, [EMAIL PROTECTED]*
*Crosswords 4.0 for PalmOS is out!: http://www.peak.org/~fixin/xwords  *
**





Re: [Leaf-user] ssh firewall revisited

2002-04-03 Thread Greg Morgan



Henning, Brian [EMAIL PROTECTED] wrote:
 
 Hello-
 I continue to have problems connecting to the webserver on my LAN.
 Here is my configurations using putty. Can anyone see what i am doing wrong?
 I thought i was following the directions.
 Thanks,
 
 brian
 
 putty at work:
 Source port:3005
 Destination: LEAF ip:80
 Local
 
 web browser at work:
 http://localhost:3005/
 
 setup at home:
 Leaf/echowall - port forward ssh
 |
 |
 |
 w2k/apache - port 80
 
 --__--__--

I think you are doing a great job and heading in the right direction. 
It appears that you have all the mechanics setup correctly.  You have
putty on your work computer. If you are using plink, then it appears
that you are using a command similar to
  plink -L 3005:myLEAFipAddress:80 myuser@myW2kboxIPorName

Now let's address the LEAF or W2K problems.
1.)  If you have configured LEAF to port forward port 22 to the W2K box,
then the W2K box needs to have a SSH server on it.  In this
configuration LEAF is not using SSH at all.  LEAF just redirects the
traffic to another server.  I know the putty site does not have a SSH
daemon, nor intends to create one.  If this is your configuration, you
need a SSH daemon on the W2K box to receive the port 22 forwards from
your LEAF firewall.  Perhaps someone else knows of a SSH daemon for
Windows.

2.)  If you are running SSH on your LEAF firewall, then the connection
stops at the firewall i.e. -L 3005:myLEAFipAddress:80 is trying to talk
to weblet.  In this case it appears like you are mixing port forwarding
and server processes.  I do not know if there is a way to have the
SSH daemon send the decrypted traffic to the W2K box from the firewall.

If solutions cannot be found to either of these configurations, then
ipsec sounds like an alternative.  I cannot address that solution at
this time.

Can anyone else add comments to Brian's configuration issues?

Greg Morgan




RE: [Leaf-user] ssh firewall revisited

2002-04-03 Thread Henning, Brian

putty at work:
Source port:3005
Destination: ip of w2k machine on the local network:80
Local

web browser at work:
http://localhost:3005/

setup at home:
Leaf/echowall - port forward ssh
|
|
|
w2k/apache - port 80



Greg, I got it fixed, thanks for your time.
I had to use the ip of w2k machine on the local network.
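
What a local forward does to the byte stream, leaving out SSH's encryption and authentication: a listener on the client's loopback address accepts a connection and relays it to a destination that is dialled from the far end. This is an added example, not code from the thread; the function names, the stand-in web server and the ports are constructed, and the second forward points at a destination with no listener, which is how a wrong `-L` target shows up to the client.

```python
import socket
import threading


def pump(src, dst):
    """Copy bytes one way until src reaches EOF, then half-close dst."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def handle(client, dest):
    """Relay one accepted connection to dest and back."""
    try:
        # With ssh -L this connect() is made by sshd at the far end of the
        # encrypted link, so dest must be an address reachable from the sshd
        # host (e.g. the inside machine's LAN address), not from the client.
        upstream = socket.create_connection(dest, timeout=3)
    except OSError:
        client.close()  # nothing answers at dest: the client only sees a close
        return
    upstream.settimeout(None)
    back = threading.Thread(target=pump, args=(upstream, client), daemon=True)
    back.start()
    pump(client, upstream)
    back.join(timeout=3)
    client.close()
    upstream.close()


def serve(srv, on_conn):
    """Accept connections on srv in a background thread."""
    def loop():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            threading.Thread(target=on_conn, args=(conn,), daemon=True).start()
    threading.Thread(target=loop, daemon=True).start()


def listen_loopback(port=0):
    """Listening socket on 127.0.0.1 only, like a default -L listener."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", port))
    srv.listen(5)
    return srv


def start_forward(listen_port, dest_host, dest_port):
    srv = listen_loopback(listen_port)
    serve(srv, lambda conn: handle(conn, (dest_host, dest_port)))
    return srv


def start_backend(body):
    """Constructed stand-in for the web server on the inside host."""
    def reply(conn):
        with conn:
            conn.recv(4096)
            conn.sendall(b"HTTP/1.0 200 OK\r\n\r\n" + body)
    srv = listen_loopback()
    serve(srv, reply)
    return srv


def fetch(port):
    """Browser stand-in: request / from localhost:port, return all bytes."""
    got = b""
    try:
        with socket.create_connection(("127.0.0.1", port), timeout=3) as s:
            s.sendall(b"GET / HTTP/1.0\r\n\r\n")
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                got += chunk
    except OSError:
        pass
    return got


def demo():
    backend = start_backend(b"inside web server\n")
    good = start_forward(0, "127.0.0.1", backend.getsockname()[1])
    dead = socket.socket()          # bound but never listening: refuses connects
    dead.bind(("127.0.0.1", 0))
    bad = start_forward(0, "127.0.0.1", dead.getsockname()[1])
    results = fetch(good.getsockname()[1]), fetch(bad.getsockname()[1])
    for s in (backend, good, bad, dead):
        s.close()
    return results


if __name__ == "__main__":
    print(demo())
```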








Re: [Leaf-user] ssh firewall

2002-04-02 Thread Phillip . Watts



I gotcha.

My problem is I'm always wanting to do updates remotely
and wouldn't want users to have to flip a switch or God forbid reboot.
But a compact flash can be pulled after booting to ramdisk without
harm.  That's pretty write protected.   Problem is to get access to it
again you'll have to power down.

I would be more interested in a heavily software protected mount,
dd, etc.  If these commands were 400 and could only be accessed
via a very secure sudo like thingy.  I mean even root could not get to
them without getting past security.  Maybe that's impossible???

Oh yeah, if you want to solder, break into your IDE cable and run the
write enable thru a switch (don't ask me).  If you're clever you might
even not bring the drive down.  That would be cool.





Matt Schalit [EMAIL PROTECTED] on 04/01/2002 03:14:30 PM

To:   Phillip Watts/austin/Nlynx@Nlynx
cc:   [EMAIL PROTECTED]

Subject:  Re: [Leaf-user] ssh firewall



[EMAIL PROTECTED] wrote:






 Matt Schalit [EMAIL PROTECTED] on 03/30/2002 10:22:44 PM

 To:   [EMAIL PROTECTED]
 cc:(bcc: Phillip Watts/austin/Nlynx)

 Subject:  Re: [Leaf-user] ssh firewall



 4) hardware protectable IDE Flash disk module

  Explain this one , please .


A mass storage device for a firewall preferably would
have a way to write protect it.  A floppy diskette for
instance has the little tab that you slide into position.
This can not be circumvented by software tricks, i.e. can't
be circumvented by a potential hacker.

Currently, only floppies and tapes have hardware write
protect, iirc.

A lot of developers have been keen to gain mass storage
capacity at low cost, but are hampered by a lack of hardware
write protect on hard drives and flash storage.

Mike Noyes picked up an ADM, a flash storage IDE Disk Module,
which was under $20 for 8 MB.  It plugs into your ide plug.
If it only had a micro switch on it for write protect, we
would have glory.  Four of us got together in San Francisco
a couple of weeks ago at the Linux Embedded Systems Conference
to track down vendors and look for a solution.

For all the details, read the leaf-devel archives thread
called ADM write protect and perhaps the earlier one,
CF (write protect) + IDE adapter both posted at the
beginning of February.

The current problem is that the ADM is so small that
soldering in a switch to those micro sized surface
mount contact points is looking very tough.

Regards,
Matthew









Re: [Leaf-user] ssh firewall

2002-04-01 Thread Matt Schalit

[EMAIL PROTECTED] wrote:
 
 
 
 
 
 
 Matt Schalit [EMAIL PROTECTED] on 03/30/2002 10:22:44 PM
 
 To:   [EMAIL PROTECTED]
 cc:(bcc: Phillip Watts/austin/Nlynx)
 
 Subject:  Re: [Leaf-user] ssh firewall
 
 
 
 4) hardware protectable IDE Flash disk module
 
  Explain this one , please .


A mass storage device for a firewall preferably would
have a way to write protect it.  A floppy diskette for
instance has the little tab that you slide into position.
This can not be circumvented by software tricks, i.e. can't
be circumvented by a potential hacker.

Currently, only floppies and tapes have hardware write
protect, iirc.

A lot of developers have been keen to gain mass storage
capacity at low cost, but are hampered by a lack of hardware
write protect on hard drives and flash storage.

Mike Noyes picked up an ADM, a flash storage IDE Disk Module,
which was under $20 for 8 MB.  It plugs into your ide plug.
If it only had a micro switch on it for write protect, we
would have glory.  Four of us got together in San Francisco
a couple of weeks ago at the Linux Embedded Systems Conference
to track down vendors and look for a solution.

For all the details, read the leaf-devel archives thread
called ADM write protect and perhaps the earlier one,
CF (write protect) + IDE adapter both posted at the
beginning of February.

The current problem is that the ADM is so small that
soldering in a switch to those micro sized surface
mount contact points is looking very tough.

Regards,
Matthew





Re: [Leaf-user] ssh firewall

2002-03-30 Thread Upnet Joe

Why don't U use FreeSwan Ipsec...I just woke up hehe

Upnet Joe

- Original Message -
From: Greg Morgan [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; Henning, Brian
[EMAIL PROTECTED]
Sent: Saturday, March 30, 2002 1:57 AM
Subject: Re: [Leaf-user] ssh firewall


 Henning, Brian [EMAIL PROTECTED] wrote:
 
  hello-
 
  I am using echowall on dachstein LRP. I have a windows 2k pro machine that i
  can ssh into from the outside. i am also running an http server on my w2k
  machine. I am port forwarding ssh through my router/firewall.  My problem is
  I am not sure how to tunnel the http to the *outside world*. I am not sure
  if it is possible. Any thoughts or suggestions?
 
  thanks
 
  brian
 

 Charles gave you the answer to this before, but if you are coming from a
 windows world it may not make sense. I attached his original post at the
 end of this message.  Here's what I'll presume about you.  You are on a
 windows client at work or somewhere else connecting to your LEAF box.
 As you described you have a Windows 2000 box with a web page you want to
 see.  There are a lot of things to keep straight in one's mind when you
 start playing with port forwarding and SSH.  In short, you are not
 trying to tunnel the http to the *outside world* but you tell your
 clients how to tunnel to the service.

 First off think of your LEAF box as just a patch cord.  You have taken a
 cord and plugged it into a receptacle named 22 available to the rest of
 the world.  The other end of the cord has been plugged into 22 on your
 W2K box.  That's all port forwarding does in LEAF.  LEAF is completely
 out of the picture now.  All that it is, is a pipe for data to flow
 over.  You have successfully done that as you describe above.

 Now let's talk about the magic of SSH.  SSH is one protocol.  It allows
 a person to setup an encrypted link between two computers.  Typically, a
 telnet like feature is used within the SSH suite to talk to another
 server and run commands on it.  Ah, but there are a few more tricks up
 SSH's sleeve.  SSH allows you to build other pipes within the port 22
 pipe.  This is normally referred to as tunneling.  Within the port 22
 pipe you can create multiple tunnels.  For example I have both regular
 SSH and web tunneled to a windows machine.  I created these tunnels to
 try and explain what you'll need to do.  If I wanted to ftp through SSH,
 then you could add this too.  Name a protocol and try it.  You are
 really just redirecting a port that the protocol normally uses on your
 localhost to the desired port on your server.

 There are several SSH packages for Windows.  I'll describe putty.  You
 will need version 0.52. My prior version, 0.51, did not have the
 features to perform the tasks you're asking for.  (And yes I upgraded
 today to try it out. :)   )
 A.8.8 How do I pronounce PuTTY?
 Exactly like the normal word putty. Just like the stuff you put on
 window frames. (One of the reasons it's called PuTTY is because it makes
 Windows usable. :-)
 http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html

 Download the executables from
 http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.  You
 will want plink.exe especially.  plink is short for putty link.  You
 will want to setup your private key on the windows client computer that
 attaches to LEAF.

 plink.exe takes the SSH part and simplifies building tunnels within the
 port 22 pipe on a Windows PC.  I have a Samba Server on a Linux box that
 acts like your W2K box.  I used a windows PC with putty and plink to
 connect to it.  Here's the command I used where

  myLEAFipAddress is the address to LEAF performing port forwarding.
  myuser is the userid on the W2K box.
  myW2kboxIPorName is the ip or name of your W2k box.  You would need
 to add the name in c:\windows\host
  file for a server name to work.

  plink -L 80:myLEAFipAddress:80 myuser@myW2kboxIPorName

 This establishes the tunnel.  I do not have a web server on my windows
 PC.  However, when I use

   http://localhost/

 in the web browser, I see what my Apache server is providing me.
 Remember port 80 is the default port used by browsers i.e.
 http://localhost/ is the same as http://localhost:80/.  SSH through
 plink is creating a tunnel to my local machine or a secure patch cord.
 plink forwards whatever connects on my local windows box at port 80 to
 the other server on port 80.  You have to just believe this until it
 makes sense.  Also note the localhost is the name for ip address
 127.0.0.1.  Every networking host has this available to it.

 Perhaps the -L 80:myLEAFipAddress:80 is confusing because the command is
 using the same port numbers on both ends of the pipe or tunnel.  Let's
 try this since I am putting off filling out my 1040 tax forms :}

  plink -L 1040:myLEAFipAddress:80 myuser@myW2kboxIPorName

 Now use

  http://localhost:1040/

 in the web browser.  Once again I see the pages Apache is serving up to
 me

Re: [Leaf-user] ssh firewall

2002-03-30 Thread John Desmond

Greg/Charles, that was a really good HOWTO you just
wrote. I wish you had done it a few days ago :-)
I spent the last few months puzzling out how to do
exactly what you just described. Just yesterday I
attained my 'holy grail' of networking which was to
click'n'drag files from my Windoze workstation at work
to my Linux workstation behind EigerStein2B4 at home.
I use Secure iXplorer (www.i-tree.org) on the Windoze
machine, which works well with the Putty programs.
It's a GUI front end for the Putty Secure Shell Copy
(PSCP) program.
If anyone needs to see details of the setup, drop me 
a line.
I guess I need a new holy grail now. (I already got
VNC working, too, but my upload speed at home is only
90KB which makes for really slow screen updates.) Any
suggestions for a new grail?
-John

--- Greg Morgan [EMAIL PROTECTED] wrote:
 Henning, Brian [EMAIL PROTECTED]
 wrote:
  
  hello-
  
  I am using echowall on dachstein LRP. I have a
 windows 2k pro machine that i
  can ssh into from the outside. i am also running
 an http server on my w2k
  machine. I am port forwarding ssh through my
 router/firewall.  My problem is
  I am not sure how to tunnel the http to the
 *outside world*. I am not sure
  if it is possible. Any thoughts or suggestions?
  
  thanks
  
  brian
  
 
 Charles gave you the answer to this before, but if
 you are coming from a
 windows world it may not make sense. I attached his
 original post at the
 end of this message.  Here's what I'll presume about
 you.  You are on a
 windows client at work or somewhere else connecting
 to your LEAF box. 
 As you described you have a Windows 2000 box with a
 web page you want to
 see.  There are a lot of things to keep straight in
 one's mind when you
 start playing with port forwarding and SSH.  In
 short, you are not
 trying to tunnel the http to the *outside world*
 but you tell your
 clients how to tunnel to the service.
 
 First off think of your LEAF box as just a patch
 cord.  You have taken a
 cord and plugged it into a receptacle named 22
 available to the rest of
 the world.  The other end of the cord has been
 plugged into 22 on your
 W2K box.  That's all port forwarding does in LEAF. 
 LEAF is completely
 out of the picture now.  All that it is, is a pipe
 for data to flow
 over.  You have successfully done that as you
 describe above.
 
 Now let's talk about the magic of SSH.  SSH is one
 protocol.  It allows
 a person to setup an encrypted link between two
 computers.  Typically, a
 telnet like feature is used within the SSH suite to
 talk to another
 server and run commands on it.  Ah, but there are
 a few more tricks up
 SSH's sleeve.  SSH allows you to build other pipes
 within the port 22
 pipe.  This is normally referred to as tunneling. 
 Within the port 22
 pipe you can create multiple tunnels.  For example I
 have both regular
 SSH and web tunneled to a windows machine.  I
 created these tunnels to
 try and explain what you'll need to do.  If I wanted
 to ftp through SSH,
 then you could add this too.  Name a protocol and
 try it.  You are
 really just redirecting a port that the protocol
 normally uses on your
 localhost to the desired port on your server.
 
 There are several SSH packages for Windows.  I'll
 describe putty.  You
 will need version 0.52. My prior version, 0.51, did
 not have the
 features to perform the tasks you're asking for. 
 (And yes I upgraded
 today to try it out. :)   ) 
 A.8.8 How do I pronounce PuTTY?
 Exactly like the normal word putty. Just like the
 stuff you put on
 window frames. (One of the reasons it's called PuTTY
 is because it makes
 Windows usable. :-)

http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html
 
 Download the executables from

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.
  You
 will want plink.exe especially.  plink is short for
 putty link.  You
 will want to setup your private key on the windows
 client computer that
 attaches to LEAF.
 
 plink.exe takes the SSH part and simplifies building
 tunnels within the
 port 22 pipe on a Windows PC.  I have a Samba Server
 on a Linux box that
 acts like your W2K box.  I used a windows PC with
 putty and plink to
 connect to it.  Here's the command I used where
 
  myLEAFipAddress is the address to LEAF
 performing port forwarding.
  myuser is the userid on the W2K box.
  myW2kboxIPorName is the ip or name of your W2k
 box.  You would need
 to add the name in c:\windows\host
  file for a server name to work.
 
  plink -L 80:myLEAFipAddress:80
 myuser@myW2kboxIPorName
 
 This establishes the tunnel.  I do not have a web
 server on my windows
 PC.  However, when I use 
 
   http://localhost/ 
 
 in the web browser, I see what my Apache server
 is providing me.
 Remember port 80 is the default port used by
 browsers i.e.
 http://localhost/ is the same as
 http://localhost:80/.  SSH through
 plink is creating a tunnel to my local machine or a
 secure patch cord. 
 plink forwards whatever 

Re: [Leaf-user] ssh firewall

2002-03-30 Thread Matt Schalit

John Desmond wrote:

 I guess I need a new holy grail now. (I already got
 VNC working, too, but my upload speed at home is only
 90KB which makes for really slow screen updates.) Any
 suggestions for a new grail?
 -John


1) QoS  (discussed recently, though)
2) multiple ISP load balancing
3) debug.lrp that works on all LEAF distros
4) hardware protectable IDE Flash disk module

Good Luck :)
Matthew






Re: [Leaf-user] ssh firewall

2002-03-30 Thread John Desmond

--- Matt Schalit [EMAIL PROTECTED] wrote:
 John Desmond wrote:
 Any
  suggestions for a new grail?
  -John

 1) QoS  (discussed recently, though)

The Q stands for 'Quality'. Since my ISP is Verizon, I
probably wouldn't notice any differences.

 2) multiple ISP load balancing

Two Verizons... three Verizons... O, the horror!

 3) debug.lrp that works on all LEAF distros

It's Linux... no need to debug!

 4) hardware protectable IDE Flash disk module

I took some flash pictures of the IDE disk and it
didn't hurt it, so I guess it's protected.

 
 Good Luck :)
 Matthew

Happy April Fool's!

And if you want to get some good ideas for a 'wired
house' go see Panic Room this weekend. I can't see
why, though, they didn't have a 'net connection and a
little LEAF in the corner! :-)

-John






[Leaf-user] ssh/sftp through dachstein firewall

2002-03-29 Thread David Goodrich

I set up portforwarding to point ssh to my fileserver, in the hopes that i
would be able to secure-ftp into it, but it doesn't seem to like the
portforwarding.

svi network ipfilter list portfw says that port 22 is pointed to the
appropriate internal machine, and i can ssh/sftp into it from the internal
network, just not from the external network.  i'm using dach. 1.02 floppy...
any thoughts?  thanks in advance
 -david




Re: [Leaf-user] ssh/sftp through dachstein firewall

2002-03-29 Thread Matt Schalit

David Goodrich wrote:
 I set up portforwarding to point ssh to my fileserver, in the hopes that i
 would be able to secure-ftp into it, but it doesn't seem to like the
 portforwarding.
 
 svi network ipfilter list portfw says that port 22 is pointed to the
 appropriate internal machine, and i can ssh/sftp into it from the internal
 network, just not from the external network.  i'm using dach. 1.02 floppy...
 any thoughts?  thanks in advance
  -david


Is your ssh client truly on the external network?
Do you have any relevant messages appearing in any one
of your syslogs?

Have you read the newish Dachstein Port Forwarding FAQ?
Look for it on the LEAF site.

You mentioned that the port was forwarded as listed
in the ipfilter output, but is the port open in the
first place so that traffic can get in to be forwarded?


Good Luck,
Matthew






Re: [Leaf-user] ssh/sftp through dachstein firewall

2002-03-29 Thread David Goodrich

yes.  64.x.x.x
 -david
- Original Message - 
From: rwtech.com [EMAIL PROTECTED]
To: David Goodrich [EMAIL PROTECTED]
Sent: Friday, March 29, 2002 4:02 PM
Subject: Re: [Leaf-user] ssh/sftp through dachstein firewall


 do both dachstein boxes have external (real)ips?  
 brett
 
 --- David Goodrich [EMAIL PROTECTED]
 wrote:
  i did a bit more testing.  the first external box i
  was testing on is also
  behind a dachstein firewall, but a /different/
  dachstein firewall.  I
  ssh'ing into my server from one of the lab
  computers, and didn't have any
  problem.  is this some weird dachstein-dachstein
  interaction?
   -david
  
  - Original Message -
  From: rwtech.com [EMAIL PROTECTED]
  To: David Goodrich
  [EMAIL PROTECTED]
  Sent: Friday, March 29, 2002 3:49 PM
  Subject: Re: [Leaf-user] ssh/sftp through dachstein
  firewall
  
  
   that is odd, i can both ssh and sftp into my
  machine
   from the outside.  i always thought if one works
  so
   would the other.
   sorry, i have nothing helpful at this point.
   brett
  
   --- David Goodrich
  [EMAIL PROTECTED]
   wrote:
yes, i did.  and it turns out i can ssh into it,
just not sftp.  both ssh
and sftp work on the internal network.
 -david
   
- Original Message -
From: rwtech.com [EMAIL PROTECTED]
To: David Goodrich
[EMAIL PROTECTED]
Sent: Friday, March 29, 2002 2:00 PM
Subject: Re: [Leaf-user] ssh/sftp through
  dachstein
firewall
   
   
 hi,
 did you open tcp port 22 on the firewall?

 --- David Goodrich
[EMAIL PROTECTED]
 wrote:
  I set up portforwarding to point ssh to my
  fileserver, in the hopes that i
  would be able to secure-ftp into it, but it
doesn't
  seem to like the
  portforwarding.
 
  svi network ipfilter list portfw says that
  port
22
  is pointed to the
  appropriate internal machine, and i can
  ssh/sftp
into
  it from the internal
  network, just not from the external network.
i'm
  using dach. 1.02 floppy...
  any thoughts?  thanks in advance
   -david
 
 



Re: [Leaf-user] ssh firewall

2002-03-29 Thread Greg Morgan

Henning, Brian [EMAIL PROTECTED] wrote:
 
 hello-
 
 I am using echowall on dachstein LRP. I have a windows 2k pro machine that i
 can ssh into from the outside. i am also running an http server on my w2k
 machine. I am port forwarding ssh through my router/firewall.  My problem is
 I am not sure how to tunnel the http to the *outside world*. I am not sure
 if it is possible. Any thoughts or suggestions?
 
 thanks
 
 brian
 

Charles gave you the answer to this before, but if you are coming from a
windows world it may not make sense. I attached his original post at the
end of this message.  Here's what I'll presume about you.  You are on a
windows client at work or somewhere else connecting to your LEAF box. 
As you described you have a Windows 2000 box with a web page you want to
see.  There are a lot of things to keep straight in one's mind when you
start playing with port forwarding and SSH.  In short, you are not
trying to tunnel the http to the *outside world* but you tell your
clients how to tunnel to the service.

First off think of your LEAF box as just a patch cord.  You have taken a
cord and plugged it into a receptacle named 22 available to the rest of
the world.  The other end of the cord has been plugged into 22 on your
W2K box.  That's all port forwarding does in LEAF.  LEAF is completely
out of the picture now.  All that it is, is a pipe for data to flow
over.  You have successfully done that as you describe above.

Now let's talk about the magic of SSH.  SSH is one protocol.  It allows
a person to setup an encrypted link between two computers.  Typically, a
telnet like feature is used within the SSH suite to talk to another
server and run commands on it.  Ah, but there are a few more tricks up
SSH's sleeve.  SSH allows you to build other pipes within the port 22
pipe.  This is normally referred to as tunneling.  Within the port 22
pipe you can create multiple tunnels.  For example I have both regular
SSH and web tunneled to a windows machine.  I created these tunnels to
try and explain what you'll need to do.  If I wanted to ftp through SSH,
then you could add this too.  Name a protocol and try it.  You are
really just redirecting a port that the protocol normally uses on your
localhost to the desired port on your server.

There are several SSH packages for Windows.  I'll describe putty.  You
will need version 0.52. My prior version, 0.51, did not have the
features to perform the tasks you're asking for.  (And yes I upgraded
today to try it out. :)   ) 
A.8.8 How do I pronounce PuTTY?
Exactly like the normal word putty. Just like the stuff you put on
window frames. (One of the reasons it's called PuTTY is because it makes
Windows usable. :-)
http://www.chiark.greenend.org.uk/~sgtatham/putty/faq.html

Download the executables from
http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html.  You
will want plink.exe especially.  plink is short for putty link.  You
will want to setup your private key on the windows client computer that
attaches to LEAF.

plink.exe takes the SSH part and simplifies building tunnels within the
port 22 pipe on a Windows PC.  I have a Samba Server on a Linux box that
acts like your W2K box.  I used a windows PC with putty and plink to
connect to it.  Here's the command I used where

 myLEAFipAddress is the address to LEAF performing port forwarding.
 myuser is the userid on the W2K box.
 myW2kboxIPorName is the ip or name of your W2k box.  You would need
 to add the name in c:\windows\host file for a server name to work.

 plink -L 80:myLEAFipAddress:80 myuser@myW2kboxIPorName

This establishes the tunnel.  I do not have a web server on my windows
PC.  However, when I use 

  http://localhost/ 

in the web browser, I see what my Apache server is providing me.
Remember port 80 is the default port used by browsers i.e.
http://localhost/ is the same as http://localhost:80/.  SSH through
plink is creating a tunnel to my local machine or a secure patch cord. 
plink forwards whatever connects on my local windows box at port 80 to
the other server on port 80.  You have to just believe this until it
makes sense.  Also note the localhost is the name for ip address
127.0.0.1.  Every networking host has this available to it.

Perhaps the -L 80:myLEAFipAddress:80 is confusing because the command is
using the same port numbers on both ends of the pipe or tunnel.  Let's
try this since I am putting off filling out my 1040 tax forms :}

 plink -L 1040:myLEAFipAddress:80 myuser@myW2kboxIPorName

Now use

 http://localhost:1040/

in the web browser.  Once again I see the pages Apache is serving up to
me.  If you will, plink makes a web server available on your client
windows PC.  Without plink forwarding the web server over SSH to the
windows client, you would receive the typical 404 http error message.

Note that SSH is a server process in this configuration.  If you need
two way communication that is where both ends of the tunnel need to
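
The local forwarding this message describes, reduced to its plain TCP part, as an added example (not code from the thread or from PuTTY): a listener on the local machine relays each connection to a destination host and port, which is what the -L listen_port:host:port argument asks for, without the encrypted SSH channel that plink carries it over. The web server, the ports and every function name here are constructed for the demo.

```python
import http.client
import http.server
import socket
import socketserver
import threading

PAGE_BODY = b"page served by the web server behind the tunnel\n"


def parse_forward(spec):
    """Split a -L argument of the form listen_port:dest_host:dest_port."""
    listen_port, dest_host, dest_port = spec.split(":")
    return int(listen_port), dest_host, int(dest_port)


def pump(src, dst):
    """Copy bytes one way until src closes, then pass the close on to dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass


def start_forwarder(listen_port, dest_host, dest_port, bind_addr="127.0.0.1"):
    """Relay every connection made to bind_addr:listen_port to the destination.
    Binding to loopback means only this machine can use the forwarded port."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind((bind_addr, listen_port))
    listener.listen()

    def accept_loop():
        while True:
            try:
                client, _ = listener.accept()
            except OSError:                 # listener was closed
                return
            try:
                upstream = socket.create_connection((dest_host, dest_port))
            except OSError:                 # destination unreachable
                client.close()
                continue
            for a, b in ((client, upstream), (upstream, client)):
                threading.Thread(target=pump, args=(a, b), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return listener


class Page(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        self.send_response(200)
        self.send_header("Content-Length", str(len(PAGE_BODY)))
        self.end_headers()
        self.wfile.write(PAGE_BODY)

    def log_message(self, *args):           # keep the demo quiet
        pass


def demo():
    """Constructed stand-in for the setup in the message, all on loopback."""
    web = socketserver.TCPServer(("127.0.0.1", 0), Page)   # plays the web server
    threading.Thread(target=web.serve_forever, daemon=True).start()
    _, host, port = parse_forward("0:127.0.0.1:%d" % web.server_address[1])
    listener = start_forwarder(0, host, port)   # port 0: any free local port
    local_port = listener.getsockname()[1]
    conn = http.client.HTTPConnection("127.0.0.1", local_port, timeout=5)
    conn.request("GET", "/")                # the browser's http://localhost:PORT/
    body = conn.getresponse().read()
    conn.close()
    web.shutdown()
    return body


if __name__ == "__main__":
    print(demo().decode(), end="")
```

The client only ever talks to a port on its own loopback address; the page it gets back comes from the server at the far end of the relay.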

[Leaf-user] ssh firewall

2002-03-28 Thread Henning, Brian

hello-

I am using echowall on dachstein LRP. I have a windows 2k pro machine that i
can ssh into from the outside. i am also running an http server on my w2k
machine. I am port forwarding ssh through my router/firewall.  My problem is
I am not sure how to tunnel the http to the *outside world*. I am not sure
if it is possible. Any thoughts or suggestions?

thanks

brian




[Leaf-user] ssh in Bering

2002-03-27 Thread Jim Van Eeckhoutte

I need help installing sshd in Bering. Site info of lrpkg -i
libz,sshd,sshkey doesn't work as far as backing up sshd pkg.





Re: [Leaf-user] ssh in Bering

2002-03-27 Thread guitarlynn

On Wednesday 27 March 2002 19:59, Jim Van Eeckhoutte wrote:
 I need help installing sshd in bering . Site info of lrpkg -i
 libz,sshd,sshkey doesn't work as far as backing up sshd pkg.


lrpkg -i only loads (installs) the package, you will need to backup
the package from the lrcfg backup menu to keep your changes on
the disk. You will also need to add it to the syslinux.cfg file in
the LRP=.. line.

-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




RE: [Leaf-user] ssh in Bering

2002-03-27 Thread Jim Van Eeckhoutte

This is the problem I'm having. I can't back it up; I get a "can't move from tmp
dir" error.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]] On Behalf Of guitarlynn
Sent: Wednesday, March 27, 2002 7:58 PM
To: [EMAIL PROTECTED]
Subject: Re: [Leaf-user] ssh in Bering

On Wednesday 27 March 2002 19:59, Jim Van Eeckhoutte wrote:
 I need help installing sshd in bering . Site info of lrpkg -i
 libz,sshd,sshkey doesn't work as far as backing up sshd pkg.


lrpkg -i only loads (installs) the package, you will need to backup
the package from the lrcfg backup menu to keep your changes on
the disk. You will also need to add it to the syslinux.cfg file in
the LRP=.. line.

-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




Re: [Leaf-user] ssh in Bering

2002-03-27 Thread Matt Schalit

Jim Van Eeckhoutte wrote:
 This the problem im having . I cant back it up I get cant move from tmp
 dir error.


Please post the exact error message, plus a listing of what's in
your /tmp directory, plus explain what "I get cant move from tmp dir
error" means.

Good Luck,
Matt






[Leaf-user] SSH Problems with DMZ

2002-02-13 Thread Scott Sandeman-Allen

Hi, me again!

I have configured my Dachstein CD based router and parts are working 
quite fine. My web server can be seen from its dedicated public IP 
and from my masq. network. Unfortunately, I cannot ssh into the server 
via the public-ip  router. This despite the fact I have enabled the 
port in the same places and the same way as with tcp:80.

A few days ago I could only get ssh running by having a separate port 
(222) forwarded to 22 on the server.

Off the top, here are some of the pertinent settings:

DMZ=YES

SSH & WWW open with EXTERN_TCP_PORTn=0/0 ssh public_IP/n etc.

INTERN_SERVERS=tcp_public_IP_ssh_dmz_IP_ssh

DMZ_OPEN_DEST=tcp_public_IP_ssh

(where public-ip is one of my static IPs from the ISP.)

I have been over the settings quite a few times and did find a couple 
of errors but still, no SSH. If I bypass the router, the systems link 
within seconds and it all works fine.

Any thoughts?

Thanks,

Scott




Re: [Leaf-user] SSH Problems with DMZ

2002-02-13 Thread Ray Olszewski

When you say "I cannot ssh into the server" ... how much time are you giving
it? Do you wait 3 minutes to see if it connects? If not, consider the
possibility that the DMZ server cannot do DNS lookups properly, and you are
experiencing the well-known delays associated with reverse-lookup failures.
The fix is to get DNS working on the DMZ host. (Or do what I sometimes do;
add an entry in /etc/hosts for the IP address you ssh in from; I use this
when I remote-admin systems, so DNS problems don't delay troubleshooting
connections.)

Only a guess, of course, based largely on your saying a direct connection
succeeds within seconds.

At 09:18 AM 2/13/02 -0700, Scott Sandeman-Allen wrote:
Hi, me again!

I have configured my Dachstien CD based router and parts are working 
quite fine. My web server can be seen from its dedicated public IP 
and from my masq. network.Unfortunately, I cannot ssh into the server 
via the public-ip  router. This despite the fact I have enabled the 
port in the same places and the same way as with tcp:80.

A few days ago I could only get ssh running by having a separate port 
(222) forwarded to 22 on the server.

Off the top, here are some of the pertinent settings:

DMZ=YES

SSH  WWW open with EXTERN_TCP_PORTn=0/0 ssh public_IP/n etc.

INTERN_SERVERS=tcp_public_IP_ssh_dmz_IP_ssh

DMZ_OPEN_DEST=tcp_public_IP_ssh

   (where public-ip is one of my static IPs from the ISP.)

I have been over the settings quite a few times and did find a couple 
of errors but still, no SSH. If I bypass the router,the systems link 
within seconds and it all works fine.



--
"Never tell me the odds!" -- Han Solo
Ray Olszewski
Palo Alto, CA  [EMAIL PROTECTED]






[Leaf-user] SSH access error

2002-02-12 Thread Doug Sampson

Running DCD 102 booting off a floppy using openssh 3.0p1.

When I attempt to ssh into the DCD router from the local network using the
latest puTTY client, I receive the following error message:

Network error: connection refused.

The hosts.allow file allows access from the local network as follows:

ALL: 192.168.1.0/255.255.255.0

ps aux shows the following:

  PID  Uid      Stat Command
    1 root     S    init
    2 root     S    [kflushd]
    3 root     S    [kupdate]
    4 root     S    [kswapd]
    5 root     S    [keventd]
    6 root     S    [mdrecoveryd]
 1086 root     S    /usr/sbin/dhclient eth0
 1275 root     S    /sbin/syslogd -m 240
 1277 root     S    /sbin/klogd
 1281 root     S    /usr/sbin/inetd
 1285 root     S    /usr/sbin/watchdog
 1288 root     S    /usr/sbin/cron
 1309 tinydns  S    /usr/bin/tinydns
 1334 dnscache S    /usr/bin/dnscache
 1335 root     S    -sh
 1336 root     S    /sbin/getty 38400 tty2
 2331 sh-httpd S    sh /usr/sbin/sh-httpd
 2367 sh-httpd S    sh /var/sh-www/cgi-bin/viewsys
 2368 sh-httpd S    sleep 1
 2369 sh-httpd S    cat
 2370 sh-httpd S    sh /var/sh-www/cgi-bin/viewsys
 2447 sh-httpd R    ps aux

I don't see any entry for the sshd daemon.

I followed the instructions in the DCD documentation for generating the keys
and made a partial backup.  But no dice.

What am I missing here?

~Doug









[Leaf-user] SSH access error

2002-02-12 Thread Doug Sampson

I guess I should say that I am quite familiar with SSH in general.

I am unsure whether I should copy the public key from the sshd server to the
client.  Or whether I should enable SSH1 or SSH2 authentication on the client
machine.

I worked on an Eigerstein set-up in the past and it was relatively simple to
set up SSH on that machine.  I did not copy the key over to the client machine
nor did I make any changes to the client configuration.  Unfortunately it
isn't so simple with this Dachstein CD set-up...  But then I've only set up
SSH once before.

Any pointers or tips would be greatly appreciated.

~Doug

-Original Message-
From: Doug Sampson [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, February 12, 2002 12:33 PM
To: '[EMAIL PROTECTED]'
Subject: SSH access error


Running DCD 102 booting off a floppy using openssh 3.0p1.

When I attempt to ssh into the DCD router from the local network using the
latest puTTY client, I receive the following error message:

Network error: connection refused.

The hosts.allow file allows access from the local network as follows:

ALL: 192.168.1.0/255.255.255.0

ps aux shows the following:

  PID  Uid      Stat Command
    1 root     S    init
    2 root     S    [kflushd]
    3 root     S    [kupdate]
    4 root     S    [kswapd]
    5 root     S    [keventd]
    6 root     S    [mdrecoveryd]
 1086 root     S    /usr/sbin/dhclient eth0
 1275 root     S    /sbin/syslogd -m 240
 1277 root     S    /sbin/klogd
 1281 root     S    /usr/sbin/inetd
 1285 root     S    /usr/sbin/watchdog
 1288 root     S    /usr/sbin/cron
 1309 tinydns  S    /usr/bin/tinydns
 1334 dnscache S    /usr/bin/dnscache
 1335 root     S    -sh
 1336 root     S    /sbin/getty 38400 tty2
 2331 sh-httpd S    sh /usr/sbin/sh-httpd
 2367 sh-httpd S    sh /var/sh-www/cgi-bin/viewsys
 2368 sh-httpd S    sleep 1
 2369 sh-httpd S    cat
 2370 sh-httpd S    sh /var/sh-www/cgi-bin/viewsys
 2447 sh-httpd R    ps aux

I don't see any entry for the sshd daemon.

I followed the instructions in the DCD documentation for generating the keys
and made a partial backup.  But no dice.

What am I missing here?

~Doug









Re: [Leaf-user] SSH access error

2002-02-12 Thread guitarlynn

On Tuesday 12 February 2002 15:08, Doug Sampson wrote:
 I guess I should say that I am quite familiar with SSH in general.

 I am unsure whether I should copy the public key from the sshd server
 to the client.  Or whether I should enable SSH1 or SSH2
 authentication on the client machine.

 I worked on an Eigerstein set-up in the past and it was relatively
 simple to set up SSH on that machine.  I did not copy the key over to
 the client machine nor did I make any changes to the client
 configuration.  Unfortunately it isn't so simple with this Dachstein
 CD set-up...  But then I've only set up SSH once before.

 Any pointers or tips would be greatly appreciated.

Doug,
Are you loading the sshd package? This isn't stock on the DF floppy.
There are server, client, and key packages for DF. You said floppy 
in the first post, now the cd version  I'm getting confused, exact
details of what you _are_ using and what you have done will help.

When you back-up the key, you either have to back up root.lrp or
add /root to local.lrp... otherwise it's lost forever (or every reboot).

What version of ssh you use will depend on how you set sshd up,
I believe the default config will use either

You don't need to copy a key over unless you get tired of logging in. 

Hope this helps,
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




Re: [Leaf-user] SSH access error

2002-02-12 Thread guitarlynn

On Tuesday 12 February 2002 16:05, Doug Sampson wrote:
 Am running DCD 102 booting off a floppy because the mobo doesn't boot
 off a CD drive.  openssh.lrp is stock on a DCD 102.

I have /usr/sbin/sshd in my ps ax, so as I thought, you are _not_
loading the package. Check the lrpkg.cfg file on your floppy.
The lrpkg.cfg file overrides the LRP= line in syslinux.cfg.
You will also need to add this line to /etc/hosts.allow:
sshd: 192.168.1 127.

 Am backing up sshd.lrp partially as described in Steinkuehler's
 README.txt documentation on the LRP-CD.  Do I need to back up the
 root.lrp as well as the sshd.lrp each time a new key is generated?

I didn't have any luck with that, but I am also running a stand-alone
cd, so I can't say for sure. I always backup both to make sure,
someone else might shed better light on this for me.

 Am setting it up the way Steinkuehler described in his documentation.
  All I want to do is set up SSH and get going.  There are multiple
 problems I am having with the router but must solve the sshd thing in
 order to do a copy and paste function of relevant information for
 troubleshooting purposes.

Yep, sneakernet comes in handy in times such as this. There are a lot
of lib* dependencies with DCD you have to check. It has been working
great for me here for about 4 months w/o a reboot.

 Hope what I've given is helpful.  Let me know if there's anything
 else I should provide.

Yep, it has helped, thx. You really have to get sshd loaded before 
you're going to have any luck.

Good luck!
-- 

~Lynn Avants
aka Guitarlynn

guitarlynn at users.sourceforge.net
http://leaf.sourceforge.net

If linux isn't the answer, you've probably got the wrong question!




Re: [Leaf-user] SSH access error

2002-02-12 Thread Matt Schalit


 There are multiple
 problems I am having with the router but must solve the sshd thing in
 order to do a copy and paste function of relevant information for
 troubleshooting purposes.



Ahaa.  The copy and paste problem.  It's great to have ssh to help, 
but it's not always there.

 ip addr show > /tmp/pout 2>&1

will place the output of that command in the file /tmp/pout.

 mount -t msdos /dev/fd0u1680 /mnt

will mount your LEAF floppy.

 gzip -c /tmp/pout > /mnt/pout.gz

zips the file and puts it on the floppy.

 umount /mnt

unmount the floppy.

Now you can take the diskette over to any other computer and copy it 
on there because it's a DOS format diskette.

Regards,
Matthew




RE: [Leaf-user] SSH access error

2002-02-12 Thread Doug Sampson


 I have /usr/sbin/sshd in my ps ax, so as I thought, you are _not_
 loading the package. Check the lrpkg.cfg file on your floppy.
 The lrpkg.cfg file overrides the LRP= line in syslinux.cfg.
 You will also need to add this line to /etc/hosts.allow:
   sshd: 192.168.1 127.

I already have the config file listed in the lrpkg.cfg file.  However I had
appended :R to it- i.e. sshd:R.  I took the :R parameter out and rebooted.
Upon rebooting it reports as follows:

sshd  dev/cdrom dev/fd0u1680 (nf!)

I don't understand why I have to specify sshd: 192.168.1.xxx in the
/etc/hosts.allow file when it contains ALL: 192.168.1.0/255.255.255.0?  This
line exists in DCD's default hosts.allow file.


  Am backing up sshd.lrp partially as described in Steinkuehler's
  README.txt documentation on the LRP-CD.  Do I need to back up the
  root.lrp as well as the sshd.lrp each time a new key is generated?

 I didn't have any luck with that, but I am also running a stand-alone
 cd, so I can't say for sure. I always backup both to make sure,
 someone else might shed better light on this for me.

Looks like I have to regenerate the keys and back up root.lrp as well as
sshd.lrp, eh?

~Doug






RE: [Leaf-user] SSH access error

2002-02-12 Thread Doug Sampson

I noticed two entries for sshd in the back up menu of LRCFG.  I changed the
first entry's backup destination back to /dev/cdrom leaving the other entry
pointing to the dev/fd0u1680 as its backup destination.  Upon rebooting, sshd
loaded correctly and now I am able to ssh in from my Windoze machine!

I did not have to add an entry in the hosts.allow file as Guitarlynn
suggested.  I did not regenerate the keys- I merely used the ones that were
originally generated.  This means that root.lrp does not have to be backed up
after the keys are generated- only the local configuration file of the
sshd.lrp.

Now that I have conquered the ssh thing (hurrah for this newb!), on to the
silent_deny issue!  Which will be in the next post from me!

~Doug


 
  I have /usr/sbin/sshd in my ps ax, so as I thought, you are _not_
  loading the package. Check the lrpkg.cfg file on your floppy.
  The lrpkg.cfg file overrides the LRP= line in syslinux.cfg.
  You will also need to add this line to /etc/hosts.allow:
  sshd: 192.168.1 127.

 I already have the config file listed in the lrpkg.cfg file.
 However I had
 appended :R to it- i.e. sshd:R.  I took the :R parameter
 out and rebooted.
 Upon rebooting it reports as follows:

 sshd  dev/cdrom dev/fd0u1680 (nf!)

 I don't understand why I have to specify sshd: 192.168.1.xxx in the
 /etc/hosts.allow file when it contains ALL:
 192.168.1.0/255.255.255.0?  This
 line exists in DCD's default hosts.allow file.

 
   Am backing up sshd.lrp partially as described in Steinkuehler's
   README.txt documentation on the LRP-CD.  Do I need to back up the
   root.lrp as well as the sshd.lrp each time a new key is generated?
 
  I didn't have any luck with that, but I am also running a
 stand-alone
  cd, so I can't say for sure. I always backup both to make sure,
  someone else might shed better light on this for me.

 Looks like I have to regenerate the keys and back up root.lrp
 as well as
 sshd.lrp, eh?

 ~Doug







___
Leaf-user mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user



Re: [Leaf-user] ssh / openssh?

2001-12-20 Thread Matthew Schalit

Julian Church wrote:
 
 Hi All,
 
 I use ssh to access and administer my Dachstein firewalls. (one home, one
 office).
 
 I'm a bit confused because there seem to be two versions of sshd.lrp
 available at the moment -
 
 The one I've always used is quite small, is called sshd.lrp, is available
 at ftp://ftp.linuxrouter.org/linux-router/dists/2.9.8/packages/ and is
 referenced in Steve Peck's sshd howto
 http://c0wz.steinkuehler.net/dox/sshd.txt.
 
 The other one is much bigger (too big for my floppy), is also called
 sshd.lrp, requires that I use libz.lrp and is part of openssh maintained by
 Jacques Nilo at http://leaf.sourceforge.net/devel/jnilo/index.html.
 
 Could someone explain the differences?  Are the differences worth worrying
 about?  Should I consider upgrading?
 
 cheers
 
 Julian


You definitely want to use J. Nilo's most recent ssh package,
which I'm pretty sure is an OpenSSH implementation.  You just 
need a second floppy or to use CDROM for your packages.  Try
Dachstein CD if you want.

Matthew




[Leaf-user] ssh / openssh?

2001-12-19 Thread Julian Church

Hi All,

I use ssh to access and administer my Dachstein firewalls. (one home, one 
office).

I'm a bit confused because there seem to be two versions of sshd.lrp 
available at the moment -

The one I've always used is quite small, is called sshd.lrp, is available 
at ftp://ftp.linuxrouter.org/linux-router/dists/2.9.8/packages/ and is 
referenced in Steve Peck's sshd howto 
http://c0wz.steinkuehler.net/dox/sshd.txt.

The other one is much bigger (too big for my floppy), is also called 
sshd.lrp, requires that I use libz.lrp and is part of openssh maintained by 
Jacques Nilo at http://leaf.sourceforge.net/devel/jnilo/index.html.

Could someone explain the differences?  Are the differences worth worrying 
about?  Should I consider upgrading?

cheers

Julian

-- 
[EMAIL PROTECTED]
www.ljchurch.co.uk





[Leaf-user] SSH with Secure iXplorer - no remote tree displayed

2001-12-01 Thread LRPLEAF

I'm trying to use Secure iXplorer on a Win95 box to access a LRP
firewall system on which I am running OpenSSH daemon.  I am able
to copy files to the LRP firewall using iXplorer, but no remote tree is
displayed.  Also, I am unable to create subdirectories using iXplorer.

Using PuTTY, from the same Win95 box, I can issue a 'ls -la'
command, receive an appropriate directory listing, and I'm able to create
subdirectories with no problem.

Your thoughts please.

(I'm using iXplorer with the firewall only to try out iXplorer.  My intended
use for it is as an end user tool for accessing internal fileservers at our
remote offices.)

Thanks.





Re: [Leaf-user] ssh

2001-11-03 Thread Matthew Schalit

Bill Hults wrote:
 
 Hi
 Can someone point me to an instruction for setting up ssh on Dachstein.
 I've copied sshd-1.lrp & sshkey-1.lrp to the disk, generated a key,
 saved it but it's still looking for a key.
 TIA
 

Did you use this?

  ssh-keygen -f /etc/ssh/ssh_host_key
  ssh-keygen -t rsa -f /etc/ssh/ssh_host_rsa_key
  ssh-keygen -t dsa -f /etc/ssh/ssh_host_dsa_key

That's what I had to do on Oxygen with OpenSSH-2.9p1.
Perhaps your sshd is looking there or somewhere else.
I think you can enable debug in the sshd_config file
and find out where.

Regards,
Matthew




Re: [Leaf-user] ssh

2001-11-03 Thread Jacques Nilo

 Hi
 Can someone point me to an instruction for setting up ssh on
Dachstein.
 I've copied sshd-1.lrp & sshkey-1.lrp to the disk, generated a key,
 saved it but it's still looking for a key.
http://leaf.sourceforge.net/devel/jnilo/openssh.html
Jacques





[Leaf-user] ssh

2001-11-02 Thread Bill Hults

Hi
Can someone point me to an instruction for setting up ssh on Dachstein. 
I've copied sshd-1.lrp & sshkey-1.lrp to the disk, generated a key, 
saved it but it's still looking for a key.
TIA

-- 
Bill Hults   Dir. Network Services
Infinite Technologies of Vermont
71 Millet Street Richmond, VT 05477 
Office(802)434-5393 X20  Home(802)288-9494

