iptables (Re: Connection Refused on ssh)

John J. Boyer director at chpi.org
Fri Oct 8 20:43:24 UTC 2004


Janina,

I never get a password prompt. The debug message just before the 
permission denied message is "no more authentication methods to try." I 
moved the .ssh file. The passwords on the target machine have not changed. 
The source machine can access another Redhat machine on our LAN with ssh. 

Thanks,
John


On Fri, 8 Oct 2004, Janina Sajka wrote:

> Hi, John:
> 
> OK, I think there's some progress here. 
> 
> Can you please provide a little more information? At what point does the
> "permission denied" come up? Do you get a password prompt first? That's
> where I am most accustomed to seeing this error.
> 
> Which raises this question: any chance the user passwords
> have changed? Or, perhaps the machine whose address you're coming from
> has had some kind of system change? 
> 
> Try the following. In the target user home directory, do:
> 
> mv .ssh .ssh-old
> 
> to get all the old user specific ssh data out of the way. Now what
> happens?
> 
> PS: Is this box on the net in a way that I can get to it? I don't need
> an account, it would just be useful to see how it fails.
> 
> John J. Boyer writes:
> > Janina,
> > 
> > Turning off iptables at least produced a change. Now it says "Permission 
> > denied: PublicKey/interactive." The -v option prints out a lot of messages, 
> > but nothing that seems particularly enlightening, except that it is 
> > definitely accessing the user directory on the target machine.
> > 
> > Thanks,
> > John
> > 
> > 
> > On Fri, 8 Oct 2004, Janina Sajka wrote:
> > 
> > > Yes, but you still haven't shown us anything that confirms whether (or
> > > not) sshd is actually running.
> > > 
> > > I've suggested nmap (which is installed with a Fedora or Redhat
> > > "everything" install). Others have suggested more primitive strategies,
> > > such as looking for pidof sshd, or telnet [address] 22, which also
> > > works.
> > > 
> > > Is there actually an sshd listening at that machine/s address, whatever
> > > it happens to be?
> > > 
> > > PS: To get iptables out of the way (certainly an important thing when
> > > debugging) do:
> > > 
> > > service iptables stop
> > > 
> > > John J. Boyer writes:
> > > > John,
> > > > 
> > > > I really think the problem may be with iptables. We've eliminated just
> > > > about everything else. However, there is no man page for netconfig, and
> > > > when I tried running it, I wasn't sure what to do. Really, all I need is
> > > > to let one IP address use ssh. There is a man page for iptables, but it
> > > > looks so complicated that I wouldn't want to mess with it unless I knew
> > > > exactly what I was doing.
> > > > 
> > > > Thanks,
> > > > John
> > > > 
> > > > 
> > > > On Fri, 8 Oct 2004, John Heim wrote:
> > > > 
> > > > > At 11:22 AM 10/7/2004, Mike Gorse wrote:
> > > > > >Also, are you sure that sshd is running on the machine (ie, pidof sshd 
> > > > > >returns something)?  If so, then try using ipchains or iptables to make 
> > > > > >sure it isn't being firewalled.  At one point we had a RH box at work on 
> > > > > >which I was trying to enable ssh, but the person who installed rh had 
> > > > > >selected an option for a firewall, so I wound up needing to edit a file in 
> > > > > >/etc/sysconfig (the file did say that manually editing it was not 
> > > > > >recommended, but it didn't say how I was supposed to edit it if not 
> > > > > >manually) to tell it to accept connections on port 22 as it did for 23 and 
> > > > > >others.
> > > > > 
> > > > > 
> > > > > You can run netconfig. It would let you allow ssh connections through 
> > > > > your firewall. When you exit, it saves its settings in 
> > > > > /etc/sysconfig/iptables. That file is the one that says you shouldn't edit 
> > > > > it manually.
> > > > > 
> > > > > That netconfig program is pretty limited in what it can do.   And the file 
> > > > > it creates has the same format as iptables-save.  So what you can do is 
> > > > > issue iptables commands until you've got your firewall configured just the 
> > > > > way you want it, then do this:
> > > > > 
> > > > > $ iptables-save > /etc/sysconfig/iptables
> > > > > 
> > > > > The next time you reboot, your firewall will be just like it was when you 
> > > > > issued the above command.
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > 
> > > > > _______________________________________________
> > > > > Blinux-list mailing list
> > > > > Blinux-list at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/blinux-list
> > > > > 
> > > > 
> > > > 
> > > > 
> > 
> > 

-- 
John J. Boyer; Executive Director, Chief Software Developer
Computers to Help People, Inc.
http://www.chpi.org
825 East Johnson; Madison, WI 53703
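
The advice scattered through the quoted replies above (check that sshd is really
listening, let exactly one address reach port 22 instead of stopping iptables,
then persist the result with iptables-save into /etc/sysconfig/iptables) as a
worked example. This is added example code, not something any poster in the
thread sent; the trusted address 192.0.2.10 (a documentation-range placeholder),
the function names and the filter-table layout are assumptions, while the
/etc/sysconfig/iptables path and the iptables-save step come from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: allow SSH (tcp/22) from one trusted
# address only, check that sshd is actually reachable, and persist the rules
# in the iptables-save format that /etc/sysconfig/iptables expects.
# Assumptions (placeholders): TRUSTED_IP=192.0.2.10, the filter-table layout
# below, and that the apply step runs as root on the target machine.

TRUSTED_IP="${TRUSTED_IP:-192.0.2.10}"

# The rules, in the syntax both `iptables` and iptables-save use.
# Order matters: established flows first, the one trusted host next, then an
# explicit reject so no later catch-all ACCEPT can quietly reopen port 22.
ssh_rules() {
    ip="$1"
    printf '%s\n' \
        "-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT" \
        "-A INPUT -s ${ip}/32 -p tcp --dport 22 -j ACCEPT" \
        "-A INPUT -p tcp --dport 22 -j REJECT --reject-with tcp-reset"
}

# Write a complete, restorable ruleset to a file. This is the shape that
# `iptables-save > /etc/sysconfig/iptables` produces, so the file can be
# loaded with `iptables-restore < file` or by `service iptables start`.
write_ruleset() {
    ip="$1"; out="$2"
    {
        echo '*filter'
        echo ':INPUT ACCEPT [0:0]'
        echo ':FORWARD ACCEPT [0:0]'
        echo ':OUTPUT ACCEPT [0:0]'
        echo '-A INPUT -i lo -j ACCEPT'
        ssh_rules "$ip"
        echo 'COMMIT'
    } > "$out"
}

# The checks the thread asks for before blaming the firewall: is sshd
# running, and is something bound to port 22? (Run on the target machine.)
sshd_listening() {
    pidof sshd >/dev/null 2>&1 && netstat -ltn 2>/dev/null | grep -q ':22 '
}

# Live change plus persistence, as described in the thread. Run as root on
# the target, ideally from the console: a wrong rule here locks out remote
# SSH sessions. The rules are inserted at positions 1..3 so they sit ahead
# of any existing jump or catch-all REJECT already in the INPUT chain.
apply_and_persist() {
    ip="$1"
    n=1
    ssh_rules "$ip" | while read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        set -- $rule
        shift 2                       # drop the leading "-A INPUT"
        iptables -I INPUT "$n" "$@"
        n=$((n + 1))
    done
    iptables-save > /etc/sysconfig/iptables
    iptables -L INPUT -n --line-numbers   # verify what actually landed
}

# Dry run when executed directly with an output path: write the ruleset
# there and show it, without touching the live firewall.
if [ $# -ge 1 ]; then
    write_ruleset "$TRUSTED_IP" "$1"
    cat "$1"
fi
```

A caveat worth keeping in mind when reading the subject line: a REJECT rule
with tcp-reset (or nothing listening on the port at all) produces exactly
"Connection refused", whereas a DROP rule makes the client hang until it times
out. So "connection refused" on its own does not distinguish "sshd is not
running" from "a firewall rule is actively rejecting me"; the pidof/netstat
check above, or telnet/nmap against port 22 from the trusted host, settles
which one it is.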