iptables (Re: Connection Refused on ssh)

Janina Sajka janina at rednote.net
Fri Oct 8 21:37:31 UTC 2004 

Have the passwords on the source machine changed so that they might now
be out of sync with the target? Ditto for ssh keys.

John J. Boyer writes:
> Janina,
> 
> I never get a password prompt. The debug message just before the 
> permission denied message is "no more authentication methods to try." I 
> moved the .ssh file. The passwords on the target machine have not changed. 
> The source machine can access anothem Redhat machine on our LAN with ssh. 
> 
> Thanks,
> John
> 
> 
> On Fri, 8 Oct 2004, Janina Sajka wrote:
> 
> > Hi, John:
> > 
> > OK, I think there's some progress here. 
> > 
> > Can you please provide a little more information? At what point does the
> > "permission denied" come up? Do you get a password prompt first? That's
> > where I am most accustomed to seeing this error.
> > 
> > Which raises this question, any chance the user passwords
> > have changed? Or, perhaps the machine you're address you're coming from
> > has had some kind of systems change? 
> > 
> > Try the following. In the target user home directory, do:
> > 
> > mv .ssh .ssh-old
> > 
> > to get all the old user specific ssh data out of the way. Now what
> > happens?
> > 
> > PS: Is this box on the net in a way that I can get to it? I don't need
> > an account, it would just be useful to see how it fails.
> > 
> > John J. Boyer writes:
> > > Janina,
> > > 
> > > Turning off iptables at least produced a change. Now it says "Permission 
> > > denied: PublicKey/interactive. The -v option prints out a lot of messages, 
> > > but nothing that seems particularly enlightening, excebpt that it is 
> > > definitely accessing the user directory on the target machine.
> > > 
> > > Thanks,
> > > John
> > > 
> > > 
> > > On Fri, 8 Oct 2004, Janina Sajka wrote:
> > > 
> > > > Yes, but you still haven't shown us anything that confirms whether (or
> > > > not) sshd is actually running.
> > > > 
> > > > I've suggested nmap (which is installed with a Fedora or Redhat
> > > > "everything" install). Others have suggested more primitive strategies,
> > > > such as looking for pidof sshd, or telnet [address] 22, which also
> > > > works.
> > > > 
> > > > Is there actually an sshd listening at that machine/s address, whatever
> > > > it happens to be?
> > > > 
> > > > PS: To get iptables out of the way (certainly an important thing when
> > > > debugging) do:
> > > > 
> > > > service iptables stop
> > > > 
> > > > John J. Boyer writes:
> > > > > John,
> > > > > 
> > > > > I really think the problem may be with iptables. We've eliminated just
> > > > > about everything else. H?owever, there is no ma pagel for netconfig, and
> > > > > when I tried running it, I wasn't sure what to do. Really, all I need is
> > > > > to let one IP address use ssh. There is a man mage for iptables, but it
> > > > > looks so complicated that I wouldn't want to mess with it unless I knew
> > > > > exactly what I was doing.
> > > > > 
> > > > > Thanks,
> > > > > John
> > > > > 
> > > > > 
> > > > > On Fri, 8 Oct 2004, John Heim wrote:
> > > > > 
> > > > > > At 11:22 AM 10/7/2004, Mike Gorse you wrote:
> > > > > > >Also, are you sure that sshd is running on the machine (ie, pidof sshd 
> > > > > > >returns something)?  If so, then try using ipchains or iptables to make 
> > > > > > >sure it isn't being firewalled.  At one point we had a RH box at work on 
> > > > > > >which I was trying to enable ssh, but the person who installed rh had 
> > > > > > >selected an option for a firewall, so I wound up needing to edit a file in 
> > > > > > >/etc/sysconfig (the file did say that manually editing it was not 
> > > > > > >recommended, but it didn't say how I was supposed to edit it if not 
> > > > > > >manually) to tell it to accept connections on port 22 as it did for 23 and 
> > > > > > >others.
> > > > > > 
> > > > > > 
> > > > > > You can run  netconfig. It would allow you to allow ssh connections through 
> > > > > > your firewall. When you exit, it saves it's settings in 
> > > > > > /etc/sysconfig/iptables. That file is the one that says you shouldn't edit 
> > > > > > it manually.
> > > > > > 
> > > > > > That netconfig program is pretty limited in what it can do.   And the file 
> > > > > > it creates has the same format as iptables-save.  So what you can do is 
> > > > > > issue iptables commands until you've got your firewall configured just the 
> > > > > > way you want it thand do this:
> > > > > > 
> > > > > > $ iptables-save > /etc/sysconfig/iptables
> > > > > > 
> > > > > > The next time you reboot, your firewall will be just like it was when you 
> > > > > > issued the above command.
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > 
> > > > > > _______________________________________________
> > > > > > Blinux-list mailing list
> > > > > > Blinux-list at redhat.com
> > > > > > https://www.redhat.com/mailman/listinfo/blinux-list
> > > > > > 
> > > > > 
> > > > > -- 
> > > > > John J. Boyer; Executive Director, Chief Software Developer
> > > > > Computers to Help People, Inc.
> > > > > http://www.chpi.org
> > > > > 825 East Johnson; Madison, WI 53703
> > > > > 
> > > > > 
> > > > > _______________________________________________
> > > > > Blinux-list mailing list
> > > > > Blinux-list at redhat.com
> > > > > https://www.redhat.com/mailman/listinfo/blinux-list
> > > > 
> > > > 
> > > 
> > > -- 
> > > John J. Boyer; Executive Director, Chief Software Developer
> > > Computers to Help People, Inc.
> > > http://www.chpi.org
> > > 825 East Johnson; Madison, WI 53703
> > > 
> > > 
> > > _______________________________________________
> > > Blinux-list mailing list
> > > Blinux-list at redhat.com
> > > https://www.redhat.com/mailman/listinfo/blinux-list
> > 
> > 
> 
> -- 
> John J. Boyer; Executive Director, Chief Software Developer
> Computers to Help People, Inc.
> http://www.chpi.org
> 825 East Johnson; Madison, WI 53703
> 
> 
> _______________________________________________
> Blinux-list mailing list
> Blinux-list at redhat.com
> https://www.redhat.com/mailman/listinfo/blinux-list

-- 
	
				Janina Sajka, Chair
				Accessibility Workgroup
				Free Standards Group (FSG)

janina at freestandards.org	Phone: +1 202.494.7040

More information about the Blinux-list mailing list