On 5 May 2001, James Moore wrote:

> I may be missing something obvious, but don't see it - any help 
> would be appreciated. Here's the deal:
> 
> I wanna' make ftp connections from the private network to my OBSD 2.8 
> stable firewall host (darla) via a Windows ssh client - vandyke 
> securefx. FWIW, this client works fine w/ the OBSD 2.7 box outside the 
> firewall. Attempts to make an ssh connection from the 'securefx' client 
> to darla yield the following:
> 
> From authlog:
> May  3 10:30:51 darla sshd[16903]: Accepted password for jamoore from 192.168.1.5 port 1853 ssh2
> May  3 10:40:51 darla sshd[28141]: fatal: Timeout before authentication for 127.0.0.1.

A bit of additional information that may help... I cranked the logging 
option in sshd_config up to 'DEBUG'. Following are the relevant entries:

May  5 11:50:13 darla sshd[14228]: Connection from 192.168.1.5 port 1584
May  5 11:50:13 darla sshd[14228]: Enabling compatibility mode for protocol 2.0
May  5 11:50:15 darla sshd[14228]: Accepted password for jamoore from 192.168.1.5 port 1584 ssh2
May  5 11:50:15 darla sshd[17126]: Connection from 127.0.0.1 port 1476
May  5 12:00:15 darla sshd[17126]: fatal: Timeout before authentication for 127.0.0.1.
May  5 12:00:15 darla sshd[14228]: Closing connection to 192.168.1.5

Could this all be due to NAT?

> 
> After reviewing my sshd_config file, re-reading the FAQ :), and 
> comparing it to the sshd_config file on the OBSD 2.7 box I've concluded 
> that the config is OK (see sshd_config below).
> 
> So I figured it must have something to do with the firewall. I didn't 
> see anything obvious, but just to make sure I added logging to every 
> blocking rule. Checking the ipflog following the auth timeout showed 
> nothing relevant; i.e. ipfilter doesn't seem to be causing the timeouts.
> 
> Any ideas???
> 
> Thanks,
> James Moore
> 
> /etc contains two key files: ssh_host_dsa_key, ssh_host_key
> 
> following is my /etc/sshd_config file:
> # This is ssh server systemwide configuration file.
> 
> Port 22
> #Protocol 2,1
> #ListenAddress 0.0.0.0
> #ListenAddress ::
> HostKey /etc/ssh_host_key
> HostKey /etc/ssh_host_dsa_key
> ServerKeyBits 768
> LoginGraceTime 600
> KeyRegenerationInterval 3600
> PermitRootLogin yes
> #
> # Don't read ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
> StrictModes yes
> X11Forwarding no
> X11DisplayOffset 10
> PrintMotd yes
> KeepAlive yes
> 
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
> #obsoletes QuietMode and FascistLogging
> 
> RhostsAuthentication no
> #
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> #
> RSAAuthentication yes
> 
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> PermitEmptyPasswords no
> # Uncomment to disable s/key passwords 
> #SkeyAuthentication no
> #KbdInteractiveAuthentication yes
> 
> # To change Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #AFSTokenPassing no
> #KerberosTicketCleanup no
> 
> # Kerberos TGT Passing does only work with the AFS kaserver
> #KerberosTgtPassing yes
> 
> #CheckMail yes
> #UseLogin no
> 
> # Uncomment if you want to enable sftp
> #Subsystem    sftp    /usr/libexec/sftp-server
> #MaxStartups 10:30:60
> 
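A check worth running on the entries above (added here, not code from the thread), written in Python: it parses the DEBUG-level lines and the LoginGraceTime value from the posted sshd_config, then reports every connection sshd dropped before authentication, how long it sat open, and which just-authenticated session a 127.0.0.1 connection coincides with. The log and config are constructed from the thread's text with the mail-wrapped lines re-joined, and the log year is assumed to be 2001 since syslog lines carry none.

```python
import re
from datetime import datetime

# Constructed input: the DEBUG entries quoted in the thread, one event per line.
AUTHLOG = """\
May  5 11:50:13 darla sshd[14228]: Connection from 192.168.1.5 port 1584
May  5 11:50:13 darla sshd[14228]: Enabling compatibility mode for protocol 2.0
May  5 11:50:15 darla sshd[14228]: Accepted password for jamoore from 192.168.1.5 port 1584 ssh2
May  5 11:50:15 darla sshd[17126]: Connection from 127.0.0.1 port 1476
May  5 12:00:15 darla sshd[17126]: fatal: Timeout before authentication for 127.0.0.1.
May  5 12:00:15 darla sshd[14228]: Closing connection to 192.168.1.5
"""
# The one sshd_config directive this check needs, as posted in the thread.
SSHD_CONFIG = "Port 22\nLoginGraceTime 600\n"
LINE_RE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[(\d+)\]: (.*)$")

def parse_authlog(text, year=2001):
    """Yield (timestamp, pid, message); syslog lines carry no year, so one is assumed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            yield ts, int(m.group(2)), m.group(3)

def login_grace_time(config_text, default=600):
    """Return LoginGraceTime in seconds (sshd's default is 600 when unset)."""
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0].lower() == "logingracetime":
            return int(parts[1])
    return default

def find_grace_timeouts(log_text, config_text):
    """Return (pid, peer, seconds_open, grace, parent) for each connection sshd
    dropped before authentication; parent is the pid of the session that
    authenticated in the same second a 127.0.0.1 connection arrived, else None."""
    grace = login_grace_time(config_text)
    opened, authed, hits = {}, {}, []  # opened: pid -> (time, peer, parent)
    for ts, pid, msg in parse_authlog(log_text):
        m = re.match(r"Connection from (\S+) port", msg)
        if msg.startswith("Accepted "):
            authed[ts] = pid
        elif m:
            parent = authed.get(ts) if m.group(1) == "127.0.0.1" else None
            opened[pid] = (ts, m.group(1), parent)
        elif msg.startswith("fatal: Timeout before authentication") and pid in opened:
            start, peer, parent = opened[pid]
            hits.append((pid, peer, int((ts - start).total_seconds()), grace, parent))
    return hits
```

For the thread's log the loopback connection is reported as open for exactly 600 seconds, matching the configured LoginGraceTime, and paired with pid 14228, the session that had just accepted jamoore's password.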

