# know of a good ssh / sshd walkthrough?

## bung-foo

I'm trying to set up ssh/sshd on my machine so one of my friends can connect to it from his house through my linksys firewall/router.  There are two things I need:

1.  Good simple walkthrough on how to configure ssh/sshd.  I've got it installed and sshd is running but I cannot login using my user.

```
sh-2.05a$ ssh ilinisa.bung-foo.com
bung-foo@ilinisa.bung-foo.com's password: 
Permission denied, please try again.
bung-foo@ilinisa.bung-foo.com's password: 
Permission denied (publickey,password,keyboard-interactive).
```

There's what happens when I try to login from the local machine.

2.  Anybody know of a good explanation/tutorial on how to set up port forwarding with linksys routers?  Mine's a befsr41

thanks folks.

----------

## delta407

If sshd is running, you should be able to log in as that user. SSH will attempt to connect using the same username; so if you're logged onto one computer as "bung-foo" it will try to log into the other computer using user "bung-foo". If you want a different user, pass the -l switch.

2. You should be able to go into the web configuration thingy and tell it to forward a port. I don't have one, but last I used one it wasn't that hard to figure out. (By the way, if you're using DHCP, your internal IP might change and break the port mapping. Just so you're aware...)

----------

## bung-foo

yea, I've tried logging in on my gentoo machine and on a windows machine on my local network using winscp.  In both cases my password is rejected and I am not allowed to login.

Do I need to create a password or something?  In freebsd (where all of my ssh usage is) all I have to do is login on the local machine and then I can login on any machine on my network.  It's so easy that I used ssh without learning anything about it.  Dumb of me I guess.

Bung-Foo

----------

## delta407

No, that's how it is on Linux too. Make sure your password is set right, I guess.

----------

## bung-foo

do I have to make a ssh password or do I use the password that the user uses to login?

----------

## delta407

sshd uses the standard authentication system, so it will use the same password as your account.

No configuration necessary to use sshd, really; just "rc-update add sshd default" and everything is good to go.

----------

## bung-foo

that's what I did.  I don't have to generate a key for each user or anything?  damn, maybe I should

emerge unmerge ssh

and reemerge it.  perhaps something is screwed up.

----------

## delta407

I'm pretty sure your sshd is installed fine.

This is silly, but double-check your password.

----------

## bung-foo

I checked and there were two versions of openssh installed.  I unmerged 3.1, made a new password and tried again.  Still no goodness.

lol.  this IS silly.

----------

## delta407

Err... you did verify that your password is what you think it is, right?

----------

## bung-foo

well, I can login to a new virtual console with the password I'm trying to use with ssh.  That should confirm that I'm entering it in correctly right?

----------

## delta407

Yeah... hmm...

Can you "ssh localhost"?

----------

## bung-foo

nope, permission denied.

I have to go to work.  I'll check the board here again in about 8 hours.

Thanks for your time and help.  I really appreciate it.

Bung-Foo

hmm, in a fit of desperation I tried

ssh localhost

as root and it accepted my password and logged me in.  I thought that might help us narrow it down since it appears that only users can't login.

----------

## rac

A couple of useful things for debugging ssh problems:

1. You can run the daemon manually using the -d option, and it will not fork and will display debug output on the console, so you can see what it's thinking.

2. You can add -v (or -vv or -vvv) on the client invocation, which will display progressively more debugging information from the client side, so you can see what it's thinking.

...and once you get it working with passwords, a great thing to do is to append the contents of the id_dsa.pub file on the client machine to .ssh/authorized_keys in your home directory on the server side.  Now, you can ssh without having to enter your password.  More detailed instructions are written up in a HOWTO somewhere I think; try google ssh without password howto.

----------

## credmp

Hey,

Just out of curiosity... the user you are trying to connect with is in one of the 'AllowGroup's in /etc/ssh/sshd_config right?

-- Arjen

----------

## bung-foo

by manually creating dsa and rsa keys in ~/bung-foo/.ssh and then copying id_dsa.pub to authorized_keys2, my user can now login from the local machine using ssh.  However, I still cannot login from a machine on the lan or from the internet and I still have to enter a password. (rac implied that I wouldn't need to do that when I had done this)

there was no AllowGroups line in /etc/ssh/sshd_config, I added one but it didn't make much difference.  Users still cannot login from a remote machine even though they can from the local machine.

the howto that I found said to add the host names/ip address of the remote machines I want to be able to login to my /etc/hosts.allow file.  This file doesn't exist on my system. (gentoo 1.2 used third stage tarball.)  Perhaps that is where the problem is?

apologies for any incoherence in my writing this morning.  I've only been awake for a few minutes.

Bung-Foo

----------

## rac

 *bung-foo wrote:*   

> by manually creating dsa and rsa keys in ~/bung-foo/.ssh and then copying id_dsa.pub to authorized_keys2, my user can now login from the local machine using ssh.  However, I still cannot login from a machine on the lan or from the internet and I still have to enter a password. (rac implied that I wouldn't need to do that when I had done this)

 

You will need to add the contents of id_dsa.pub from each machine that you wish to log in from in order to be able to log in without entering a password.

 *bung-foo wrote:*   

> The howto that I found said to add the host names/ip address of the remote machines I want to be able to login to my /etc/hosts.allow file.  This file doesn't exist on my system. (gentoo 1.2 used third stage tarball.)  Perhaps that is where the problem is?

 

hosts.allow is a tcpwrappers thing.  The absence of any hosts.allow or hosts.deny files is the same as turning tcpwrappers off entirely - all access is allowed.  So simply not having a hosts.allow will not cause this problem.

Can you get to the SSH port from the network?  For example, does telnet to port 22 on the SSH server work?  Can you tell where the connection is failing from analyzing output using the debugging flags I mentioned earlier?

----------

## sulu

Hi

Have you ensured that it is your box rejecting the connection? I had the same problem once. No one could login from the outer world. Then, as my patience went infinitesimally thin, I called my ISP asking them if they block the port 22 (ssh-port). They denied, but miraculously it works since then.

So my advice is to check where the blocking/denial of the connection happens. If you have a firewall running, just enable logging.

Oh, before I forget, try ethereal, it's a nifty tool to debug/watch connections. Start ethereal and have someone from outside try a ssh-connection to your box. You should see his/her attempts.

Greetz

Sulu

----------

## stirlitz

Okay, I finally fixed a similar problem to the one you have.

When using the useradd command, gentoo doesn't add the /bin/bash option for the user, so my ssh only worked when logged in as root.

to fix this I edited /etc/passwd to look like this

```
stirlitz:x:1000:100::/home/stirlitz:/bin/bash
```

it's important to have :/bin/bash at the end of the line !!!

PS you can take your ~/.ssh/ dirs, since you don't need them.

----------
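The fix in the post above concerns the last field of the /etc/passwd entry: OpenSSH's sshd refuses an account whose login shell does not exist or is not executable, and treats an empty field as /bin/sh. The check below is an added example, not part of the original thread; the function names and the sample accounts (alice, bob, carol, dave) are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): report passwd entries whose login
# shell fails the existence/executable check sshd applies to a user.
# Usage: check_login_shells [PASSWD_FILE] [MIN_UID]
check_login_shells() {
    passwd_file=${1:-/etc/passwd}
    min_uid=${2:-0}
    # passwd(5) fields: name:password:UID:GID:GECOS:home:shell
    while IFS=: read -r name _pw uid _gid _gecos _home shell; do
        case $name in ''|'#'*) continue ;; esac      # skip blanks/comments
        case $uid in ''|*[!0-9]*) continue ;; esac    # skip malformed UIDs
        [ "$uid" -ge "$min_uid" ] || continue
        # An empty shell field is treated as /bin/sh by sshd.
        effective=${shell:-/bin/sh}
        if [ ! -e "$effective" ]; then
            printf '%s: shell %s does not exist\n' "$name" "$effective"
        elif [ ! -f "$effective" ] || [ ! -x "$effective" ]; then
            printf '%s: shell %s is not executable\n' "$name" "$effective"
        fi
    done < "$passwd_file"
}

# Constructed sample data: five hypothetical accounts, written to file $1.
write_sample_passwd() {
    noexec="$1.noexec-shell"
    : > "$noexec"; chmod 644 "$noexec"   # exists, but has no execute bit
    cat > "$1" <<EOF
root:x:0:0:root:/root:/bin/sh
alice:x:1000:100::/home/alice:/bin/sh
bob:x:1001:100::/home/bob:/nonexistent/shell
carol:x:1002:100::/home/carol:$noexec
dave:x:1003:100::/home/dave:
EOF
}
```

Run `check_login_shells /etc/passwd 1000` to audit regular accounts on a live system; any account it lists will be refused by sshd regardless of whether the password is correct.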

## bung-foo

hey that did it  :Wink:   too freakin easy.

thx a lot!

Bung-Foo

----------

## cyc

he just forgot the shell. had that problem too on my first gentoo install  :Wink: 

----------

## bung-foo

yep.  I'm dumb and I suffer from poor documentation  :Wink: 

----------

