iptables (Re: Connection Refused on ssh)

Janina Sajka janina at rednote.net
Fri Oct 8 21:35:40 UTC 2004


Wow! No password prompt, yet you're out of methods to try. More and more
this sounds like it's not an SSH issue at all.

So, several things to try. Please report on all of them ...

*	Now that iptables is stopped, can you telnet?

*	Can you telnet (or ssh) as a different user? e.g.:

	ssh [username]@[machine.address]

*	Can the user you're trying to ssh/telnet in as log in on the
	console of this RH8 machine?

*	What happens when you mv the .ssh directory out of the way (to
	something like .ssh-old) and try to log in?

It sounds like your keys may have changed, or password data changed, or
machine OS installation changed, or user data become corrupted somehow.
Frankly, it sounds like ssh is behaving properly and you just have to
find the right key for that particular lock.

In any case, it should not run out of methods to try without offering a
password as the method to try. I suppose this can be disabled--in that
config file I didn't read--but the above tests should help identify if
it's really ssh, or something else.

John J. Boyer writes:
> Janina,
> 
> I never get a password prompt. The debug message just before the 
> permission denied message is "no more authentication methods to try." I 
> moved the .ssh file. The passwords on the target machine have not changed. 
> The source machine can access another Redhat machine on our LAN with ssh. 
> 
> Thanks,
> John
> 
> 
> On Fri, 8 Oct 2004, Janina Sajka wrote:
> 
> > Hi, John:
> > 
> > OK, I think there's some progress here. 
> > 
> > Can you please provide a little more information? At what point does the
> > "permission denied" come up? Do you get a password prompt first? That's
> > where I am most accustomed to seeing this error.
> > 
> > Which raises this question: any chance the user passwords
> > have changed? Or, perhaps the machine address you're coming from
> > has had some kind of systems change? 
> > 
> > Try the following. In the target user home directory, do:
> > 
> > mv .ssh .ssh-old
> > 
> > to get all the old user specific ssh data out of the way. Now what
> > happens?
> > 
> > PS: Is this box on the net in a way that I can get to it? I don't need
> > an account, it would just be useful to see how it fails.
> > 
> > John J. Boyer writes:
> > > Janina,
> > > 
> > > Turning off iptables at least produced a change. Now it says "Permission 
> > > denied: PublicKey/interactive." The -v option prints out a lot of messages, 
> > > but nothing that seems particularly enlightening, except that it is 
> > > definitely accessing the user directory on the target machine.
> > > 
> > > Thanks,
> > > John
> > > 
> > > 
> > > On Fri, 8 Oct 2004, Janina Sajka wrote:
> > > 
> > > > Yes, but you still haven't shown us anything that confirms whether (or
> > > > not) sshd is actually running.
> > > > 
> > > > I've suggested nmap (which is installed with a Fedora or Redhat
> > > > "everything" install). Others have suggested more primitive strategies,
> > > > such as looking for pidof sshd, or telnet [address] 22, which also
> > > > works.
> > > > 
> > > > Is there actually an sshd listening at that machine's address, whatever
> > > > it happens to be?
> > > > 
> > > > PS: To get iptables out of the way (certainly an important thing when
> > > > debugging) do:
> > > > 
> > > > service iptables stop
> > > > 
> > > > John J. Boyer writes:
> > > > > John,
> > > > > 
> > > > > I really think the problem may be with iptables. We've eliminated just
> > > > > about everything else. However, there is no man page for netconfig, and
> > > > > when I tried running it, I wasn't sure what to do. Really, all I need is
> > > > > to let one IP address use ssh. There is a man page for iptables, but it
> > > > > looks so complicated that I wouldn't want to mess with it unless I knew
> > > > > exactly what I was doing.
> > > > > 
> > > > > Thanks,
> > > > > John
> > > > > 
> > > > > 
> > > > > On Fri, 8 Oct 2004, John Heim wrote:
> > > > > 
> > > > > > At 11:22 AM 10/7/2004, Mike Gorse wrote:
> > > > > > >Also, are you sure that sshd is running on the machine (ie, pidof sshd 
> > > > > > >returns something)?  If so, then try using ipchains or iptables to make 
> > > > > > >sure it isn't being firewalled.  At one point we had a RH box at work on 
> > > > > > >which I was trying to enable ssh, but the person who installed rh had 
> > > > > > >selected an option for a firewall, so I wound up needing to edit a file in 
> > > > > > >/etc/sysconfig (the file did say that manually editing it was not 
> > > > > > >recommended, but it didn't say how I was supposed to edit it if not 
> > > > > > >manually) to tell it to accept connections on port 22 as it did for 23 and 
> > > > > > >others.
> > > > > > 
> > > > > > 
> > > > > > You can run netconfig. It would allow you to allow ssh connections through 
> > > > > > your firewall. When you exit, it saves its settings in 
> > > > > > /etc/sysconfig/iptables. That file is the one that says you shouldn't edit 
> > > > > > it manually.
> > > > > > 
> > > > > > That netconfig program is pretty limited in what it can do. And the file 
> > > > > > it creates has the same format as iptables-save. So what you can do is 
> > > > > > issue iptables commands until you've got your firewall configured just the 
> > > > > > way you want it and then do this:
> > > > > > 
> > > > > > $ iptables-save > /etc/sysconfig/iptables
> > > > > > 
> > > > > > The next time you reboot, your firewall will be just like it was when you 
> > > > > > issued the above command.
> > > > > > 
> > > > > > 
> > > > > > _______________________________________________
> > > > > > Blinux-list mailing list
> > > > > > Blinux-list at redhat.com
> > > > > > https://www.redhat.com/mailman/listinfo/blinux-list
> > > > > > 
> > > > > 
> > > > > -- 
> > > > > John J. Boyer; Executive Director, Chief Software Developer
> > > > > Computers to Help People, Inc.
> > > > > http://www.chpi.org
> > > > > 825 East Johnson; Madison, WI 53703
> > > > > 
> 

-- 
	
				Janina Sajka, Chair
				Accessibility Workgroup
				Free Standards Group (FSG)

janina at freestandards.org	Phone: +1 202.494.7040
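Added example (my own, not from any poster on this thread): John asked to "let one IP address use ssh", and John Heim pointed out that /etc/sysconfig/iptables is just iptables-save output. The script below builds that ruleset as text so it can be reviewed and sanity-checked before it is loaded and saved; the address 203.0.113.10 and the log prefix are constructed placeholders.

```shell
#!/bin/sh
# Generate an iptables-save style ruleset that lets exactly one source
# address reach sshd on port 22 (John's stated requirement). Producing the
# text first means it can be inspected before iptables-restore loads it.
# The address passed in is a placeholder; 203.0.113.10 below is constructed.

# Print the ruleset for the allowed host given as $1: loopback and already
# established traffic are accepted, new SSH only from that host, and every
# other new inbound connection is logged and dropped (INPUT policy DROP).
ssh_allow_rules() {
    allowed_host="$1"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp -s ${allowed_host} --dport 22 -m state --state NEW -j ACCEPT
-A INPUT -p tcp --dport 22 -j LOG --log-prefix "ssh-denied: "
-A INPUT -j DROP
COMMIT
EOF
}

# Sanity check before installing: every ACCEPT rule for port 22 must carry
# a source (-s) restriction, otherwise sshd is opened to the whole network.
# Returns 0 when the ruleset in $1 passes, 1 when an unrestricted rule exists.
check_ssh_rules() {
    ! printf '%s\n' "$1" | grep -- '--dport 22' | grep -- '-j ACCEPT' \
        | grep -qv -- ' -s '
}

# Usage, as root on the RH8 box: review, load, then persist the way John
# Heim described so the rules come back after a reboot.
#   rules=$(ssh_allow_rules 203.0.113.10)
#   printf '%s\n' "$rules"
#   check_ssh_rules "$rules" && printf '%s\n' "$rules" | iptables-restore
#   iptables-save > /etc/sysconfig/iptables
```

Running "service iptables stop" as suggested earlier in the thread is fine for a short test, but the ruleset above is what should be in place afterwards: the LOG line also gives you a /var/log/messages entry for every blocked SSH attempt, which is useful when the next "connection refused" report comes in.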