# ssh+port22

## Gecklord

When I try running ssh I always get the message "...port 22: connection refused"

How can I open port 22?

----------

## fls

To "open port 22" you need to start your ssh daemon on the box which you want to ssh in.

This is done by first (carefully!) configuring your ssh daemon in /etc/ssh/sshd_config, and when it's set up you can start it with

```
/etc/init.d/sshd start
```

To add it to your default runlevel you might want to do:

```
rc-update add sshd default
```

This means sshd will start at every boot.

Is that what you meant with your question?

----------

## ketjow

You need to run sshd, the ssh daemon.

```
rc-update add sshd default
```

After the next restart port 22 will be open. If you don't want to reboot, just type

```
/etc/init.d/sshd start
```

Greetings

----------

## fls

As an additional note, you might want to read this thread before running sshd on the internet:

https://forums.gentoo.org/viewtopic.php?t=210585&sid=2672af92c083e46cd710f15ecb47b621

----------

## Gecklord

I've already added it to the default runlevel - but it didn't work!

For now I'll try to configure it

----------

## fls

If it doesn't work you can always start the daemon manually in debug mode and see what's going wrong:

```
sshd -d
```

Keep in mind that the daemon quits after you log in and log out, so this is only for debugging.

----------

## Gecklord

sshd -d says that it is listening to port 22 on 0.0.0.0

ssh -v "the desired address" tells me:

```
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connection to beo1 [192.168.1.101] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
ssh_exchange identification: Connection closed by remote host
```

What is wrong now?

----------

## fls

I'm not exactly sure what's wrong, but from your output I can see that you didn't generate private keys.

That's not wrong but it means you can only log in by supplying a password. For this to work you have to have this line in your /etc/ssh/sshd_host (on the host running sshd!):

```
PasswordAuthentication yes
```

Try whether this helps, otherwise increase your logging by using 

```
ssh -vv user@remotehost
```

or even

```
ssh -vvv user@remotehost
```

and post your results here.

You might also want to read up some SSH Howto on how to use public key authentication instead of passwords. Google is your friend here.

HTH

----------

## Gecklord

Changing sshd_config didn't work and -vv or -vvv don't show anything different!

----------

## fls

And what is the output of the ssh daemon on the host you connect to?

For some reason the host you connect to closes the connection, but I can't see why.

Try

```
sshd -ddd
```

and see what you get.

----------

## Gecklord

sshd -ddd tells me besides several things:

```
debug1: Connection refused by tcp wrapper
```

----------

## fls

Ahhh, I'm so dumb, I should have thought of tcp wrappers before (I had the same problem the very first time I set ssh up)

You have to set up /etc/hosts.{allow,deny}

They each have a man page which explains the syntax.

It boils down to:

```
echo "SSHD : 192.168.3.0/255.255.255.0" >> /etc/hosts.allow
```

Where 192.168.3.0/24 is the network which is allowed to connect through ssh.

To allow access from everywhere (as far as tcp wrappers is concerned) you can use:

```
echo "SSHD : ALL" >> /etc/hosts.allow
```

Does it solve your problem?

----------

## Gecklord

You're great! It works now!

thanks a lot && danke!

----------

## soth

I'm having the same problem. 

```
debug1: Connection refused by tcp wrapper
```

hosts.deny:

```
SSHD : ALL
```

hosts.allow:

```
SSHD : 192.168.3.0/255.255.255.0
```

I have tried this syntax too:

```
sshd: 192.168.0.*
```

To allow...

But I get connection refused from all IPs.

I have restarted sshd, is there anything else that requires restarting?

----------

## fls

*soth wrote:*

> hosts.allow:
>
> ```
> SSHD : 192.168.3.0/255.255.255.0
> ```
> ...

1. Make sure that you specify the subnet which you are actually using. One time you specified 192.168.3.0/24 and in the other line 192.168.0.0/24
2. Write the "SSHD" instead of "sshd"

If both changes don't work then leave hosts.deny empty and insert an "ALL : ALL" in hosts.allow. If that works you'll be able to narrow down the problem and fix it (don't leave the allow all policy for production use!).

----------

## soth

I tried SSHD, the subnets were meant as examples, I don't use 192.* for actual use.

Empty hosts.deny always works and gives access...

tried with SSHD : and SSHD :, same with sshd: and sshd :

tried with a newline at the end and without, which leads me to believe that there is some service that needs to be restarted.

Else I have to achieve the same thing through pam or sshd_config but pam is more work and sshd_config is less flexible =)

----------

## fls

*soth wrote:*

> ...which leads me to believe that there is some service that needs to be restarted.

Check the portmap service.

Also give us the output of

```
rpcinfo -p <host>
```

----------

## soth

Portmap started...

```
root@host2 ~ # rpcinfo -p host1
   program vers proto   port
    100000    2   tcp    111  portmapper
    100000    2   udp    111  portmapper
```

Same output from a host that's not in the net I want to allow access from...

----------
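
The order in which the hosts.allow and hosts.deny entries discussed in this thread are evaluated, as an added example that is not part of the original posts: hosts.allow is checked first, then hosts.deny, and a client matching neither is granted access. The function names are hypothetical, the sample files are constructed from the entries quoted above, and the sketch assumes case-insensitive daemon names and handles only `ALL`, the dotted net/mask form, a trailing-dot prefix and an exact address.

```python
import ipaddress

def parse_rules(text):
    """Parse hosts.allow / hosts.deny text into (daemon_list, client_list) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":")[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def daemon_matches(patterns, daemon):
    # Assumption of this sketch: names are compared without regard to case.
    return any(p == "ALL" or p.lower() == daemon.lower() for p in patterns)

def client_matches(pattern, addr):
    if pattern == "ALL":
        return True
    if "/" in pattern:  # net/mask form: match when (addr AND mask) == net
        try:
            net_i, mask_i = (int(ipaddress.IPv4Address(x))
                             for x in pattern.split("/", 1))
        except ValueError:
            return False  # this sketch accepts only the dotted n.n.n.n/m.m.m.m form
        return (int(ipaddress.IPv4Address(addr)) & mask_i) == net_i
    if pattern.endswith("."):  # leading-octets form such as "192.168.3."
        return addr.startswith(pattern)
    return pattern == addr

def decide(allow_text, deny_text, daemon, addr):
    """Return (granted, matched_file) using the order from hosts_access(5)."""
    for granted, name, text in ((True, "hosts.allow", allow_text),
                                (False, "hosts.deny", deny_text)):
        for daemons, clients in parse_rules(text):
            if daemon_matches(daemons, daemon) and any(
                    client_matches(c, addr) for c in clients):
                return granted, name
    return True, "no match"  # neither file matched: access is granted

# Constructed sample files, modelled on the entries quoted in the thread.
ALLOW = "SSHD : 192.168.3.0/255.255.255.0\n"
DENY = "SSHD : ALL\n"

if __name__ == "__main__":
    for ip in ("192.168.3.7", "192.168.0.5"):
        print(ip, decide(ALLOW, DENY, "sshd", ip))
    print("debug policy:", decide("ALL : ALL\n", "", "sshd", "203.0.113.9"))
```

On a host with the tcp_wrappers utilities installed, `tcpdmatch sshd 192.168.3.7` reports the real library's verdict for the installed files.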

