# ssh only working in one direction

## jkcunningham

I have id_rsa.pub keys swapped in .ssh/authorized_keys files (as usual) between all machines on my LAN. The Gentoo machine can connect to any of the others if it initiates. However, none of the other machines can connect to it. They see a message: "port 22: Connection refused". The Gentoo log shows:

```
May 11 15:36:09 [login(pam_unix)] check pass; user unknown
May 11 15:36:09 [login(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=/dev/vc/1 ruser= rhost= 
May 11 15:36:11 [login] FAILED LOGIN 1 FROM /dev/vc/1 FOR UNKNOWN, Authentication failure
```

Any idea what's eating this thing? I double checked that the keys were right, and they look fine. 

Thanks.

-Jeff

----------

## puggy

What happens if you remove the key and try and connect? Do you still get the message?

Puggy

----------

## jkcunningham

Weird! I tried moving the keys on the SuSE machine into a tmp directory and I could still connect to it from the Gentoo machine. So, I moved the known_hosts and everything else to the tmp directory - still connects. So then I moved all the keys and everything out of .ssh on the Gentoo machine to a tmp directory, and it STILL connects. I don't get it. How can it connect without the keys on the far end? It asks for the password, and knows if I type it wrong (I tested it). 

I thought I knew how ssh worked - now I'm confused. 

-Jeff

----------

## puggy

OK. The authorized_keys file is only for using RSA keys. These keys are not necessary for ssh to operate and are only there so that you can be even more secure than the standard ssh encrypted passwords. The authorized keys also enable you to do nifty things like passwordless ssh while still being secure.

Simply put, ssh basically just requires your password for the remote system when you log in as you (without RSA keys, I'm talking). known_hosts is just a record of a past connection you were sure was from a certain host, so you can verify that nobody is acting as a middleman in your communication to steal your password.

Are you still having your problem?

Puggy

----------

## jkcunningham

Yes - from the Gentoo machine I can log on as myself to any of the other machines on my LAN, but not the other direction from any other machine to the Gentoo machine. Where do I go from here?

-Jeff

----------

## puggy

You've set up sshd on your gentoo machine properly?

Maybe post your /etc/ssh/sshd_config

It looks like a PAM problem to me though, have you got any crazy grsecurity or anything installed? I don't really know anything about PAM yet as I haven't had any problems with it myself.

Puggy

----------

## uzik

Do you have a firewall on your machines?

Did you open the firewall both directions?

----------

## jkcunningham

I'm guessing I haven't set up sshd_config properly (since I've left it in its default setup). There is no firewall running on the Gentoo machine. Here is its listing:

```
#	$OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication 
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem	sftp	/usr/lib/misc/sftp-server
```

I appreciate the help, guys.

-Jeff

----------

## ARC2300

Firstly, you have to uncomment the line that says #Port 22 so that sshd actually listens on that port.

Here's what my sshd_config looks like:

```
#   $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
Protocol 2,1
ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 600
ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
SyslogFacility AUTH
LogLevel INFO

# Authentication:

LoginGraceTime 30
PermitRootLogin no
StrictModes yes

#RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile   .ssh/authorized_keys

# rhosts authentication should not be used
RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

# Set this to 'yes' to enable PAM keyboard-interactive authentication 
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt no

#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

MaxStartups 4
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
#Subsystem   sftp   /usr/lib/misc/sftp-server
```

Hope that helps a little in what you need and don't need.

----------

## jkcunningham

Uh...I didn't do my homework. Sorry about that. It's running, now that I changed a couple of things in sshd_config (like turning on PubkeyAuthentication, etc.). It generated a Hostkey, DSA-Hostkey, and RSA-Hostkey when I restarted the daemon. I assume that is as it should be (I restarted the daemon as su). 

I can now log onto the Gentoo machine from others on the LAN, although it doesn't challenge for a password as I believe it should. I'll RTFM some more. 

My problem here is that the SuSE installation machinery obviously enabled some of this stuff for me without me learning anything about it. 

-Jeff

----------

## jkcunningham

My understanding was that sshd listens on all ports if you don't specify a port (that's what the default config says and, I believe, the man pages). But I'm going to try it your way. Thanks. 

-Jeff

----------

## ARC2300

> My problem here is that the SuSE installation machinery obviously enabled some of this stuff for me without me learning anything about it.

That's the same reason I strayed away from Mandrake and Red Hat.  I was ready to learn much more about Linux, and have I ever after going to Gentoo.   :Very Happy: 

RTFM??  Why do that??  It's more fun to just plunge in and screw stuff up.   :Razz:   (It's how I did it).

Anyways, glad it's somewhat working for you now.   :Very Happy: 

----------

## puggy

sshd definitely doesn't listen on all ports if not told to listen on port 22. However, it will listen on port 22 by default without changing this option.

Puggy

----------
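The Port argument above comes down to how sshd reads its file: a line beginning with `#` sets nothing, so the compiled-in default applies, and `#Port 22` still listens on 22. As an added example (not code from the thread), a small Python checker that resolves the effective settings the same way, with first-occurrence-wins semantics; the DEFAULTS table and the RISKY list are my assumptions based on the OpenSSH 3.x-era file posted above, and SAMPLE_DEFAULT is a constructed excerpt of it.

```python
import re

# Assumed compiled-in defaults (OpenSSH 3.x era, matching the thread's file).
DEFAULTS = {
    "Port": "22",
    "ListenAddress": "0.0.0.0",
    "PermitRootLogin": "yes",
    "PubkeyAuthentication": "yes",
    "PasswordAuthentication": "yes",
    "PermitEmptyPasswords": "no",
    "MaxStartups": "10",
}
# Effective values a reviewer would flag on a LAN host (assumed list).
RISKY = {"PermitRootLogin": "yes", "PermitEmptyPasswords": "yes"}

# Constructed sample: the relevant lines of the all-commented file from the thread.
SAMPLE_DEFAULT = """\
#Port 22
#PermitRootLogin yes
#PasswordAuthentication yes
Subsystem sftp /usr/lib/misc/sftp-server
"""

def parse_sshd_config(text):
    """Return {option: value} for lines sshd actually reads.
    Keywords are case-insensitive and the first occurrence wins."""
    canon = {k.lower(): k for k in DEFAULTS}
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):   # '#Port 22' sets nothing
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) != 2:
            continue
        key = canon.get(parts[0].lower(), parts[0])
        settings.setdefault(key, parts[1].strip())
    return settings

def effective_settings(text):
    """Compiled-in defaults overlaid with the uncommented options."""
    eff = dict(DEFAULTS)
    eff.update(parse_sshd_config(text))
    return eff

def review(text):
    """Where sshd will listen, plus effective values a stricter config would change."""
    eff = effective_settings(text)
    findings = ["listens on %s:%s" % (eff["ListenAddress"], eff["Port"])]
    for opt, bad in RISKY.items():
        if eff[opt] == bad:
            findings.append("%s %s" % (opt, bad))
    return findings

if __name__ == "__main__":
    for line in review(SAMPLE_DEFAULT):
        print(line)
```

Run against the thread's all-commented file it reports a listener on 0.0.0.0:22, which is why "Connection refused" points at sshd not running rather than at the config.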

