# Help me set up SSH; I don't need security, just working.

## nosatalian

When I read the tutorial for setting up SSH I got lost in all the jargon.  I DON'T need security keys, and don't want to specify which hosts can access me, or have to have my server's key stored on all remote machines I use.

I want to be able to ssh to my server remotely from any computer I can get my hands on, without needing any special settings on the remote computer's end.  Security is not a huge issue for me, and my password is the only authentication that I would require. How can I do this?

I have already emerged sshd.  What config files do I need to change?

Right now when I try to access myself, I get permission denied even with the correct password.

----------

## kitano

simple.

all you have to do is start the sshd-server via:

```
/etc/init.d/sshd start
```

and you can login using any existing user, even root.

that's it...

----------

## nosatalian

OK, when I do that, I get the message:

```
 * Bringing eth0 up via DHCP...
```

However, this will fail (I didn't let it time out, just hit ^C), since eth0 is my ethernet card, and I am connected wirelessly through eth1.

How do I tell it to use eth1?

Also, here is my sshd_config:

```
#	$OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
#StrictModes yes

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem	sftp	/usr/lib/misc/sftp-server
```

----------

## kitano

just don't start eth0.

remove it from your startup

```
rc-update del eth0 default
```

is your eth1 connected while starting sshd? if so, nothing should make problems now.

sshd_config is quite ok in default config.

if your machine is "in the wild" you should put PermitRootLogin to "no" and add your users, which are allowed to su to root in the wheel-group.

Setting this option makes root uninloggable via ssh.

----------
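An added example, not part of any post in the thread: a small audit of the authentication settings discussed above, using a constructed excerpt of the posted `sshd_config`. It assumes a config without `Match` blocks and takes the fallback defaults from the commented lines in the posted file; the function names and finding labels are illustrative.

```shell
#!/bin/sh
# Constructed sample: the auth-related lines of the sshd_config posted above.
POSTED_CONF='#Port 22
Protocol 2
PermitRootLogin yes
#PasswordAuthentication yes
#PermitEmptyPasswords no
#ChallengeResponseAuthentication yes
UsePAM yes'

# Same excerpt with the change suggested for a machine "in the wild".
HARDENED_CONF=$(printf '%s\n' "$POSTED_CONF" |
    sed 's/^PermitRootLogin yes$/PermitRootLogin no/')

# Effective value of one keyword. sshd uses the first uncommented occurrence
# (keywords are case-insensitive); commented lines only document the default.
effective() {  # $1=config text  $2=keyword  $3=default when unset
    printf '%s\n' "$1" | awk -v k="$2" -v d="$3" '
        /^[ \t]*(#|$)/ { next }                      # skip comments and blanks
        tolower($1) == tolower(k) { print $2; found = 1; exit }
        END { if (!found) print d }'
}

# Print one finding per line; no output means none of the checks fired.
audit() {
    conf=$1
    root=$(effective "$conf" PermitRootLogin yes)
    pw=$(effective "$conf" PasswordAuthentication yes)
    empty=$(effective "$conf" PermitEmptyPasswords no)
    pam=$(effective "$conf" UsePAM no)
    cr=$(effective "$conf" ChallengeResponseAuthentication yes)
    if [ "$root" = yes ]; then
        echo "ROOT_LOGIN PermitRootLogin=$root (log in as a wheel-group user and su)"
    fi
    if [ "$pw" = yes ] && [ "$empty" = yes ]; then
        echo "EMPTY_PASSWORDS accepted over the network"
    fi
    if [ "$pam" = yes ] && [ "$cr" = yes ]; then
        # Per the comment in the posted file, PAM may bypass PasswordAuthentication.
        echo "PAM_CHALLENGE active: PasswordAuthentication=$pw is not the only password path"
    fi
    return 0
}

audit "$POSTED_CONF"
```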

## nosatalian

I got the message:

 * eth0 not found in any of the specified runlevels.

However, 

It still says 

*Bringing eth0 up via DHCP...

Which hangs. But when I ^C that it says starting sshd-ok.

But I still can't actually log in remotely

Thanks for help so far!

----------

## kitano

seems to be something less shallow.

please paste output from "ifconfig -a" here, together with your /etc/conf.d/net 

is it a laptop? and you are connected via eth1, which has an ip address and a working connection to another machine (i.e. you can ping and get pinged)?

kitano

----------

## OdinsDream

 *nosatalian wrote:*   

> I got the message:
> 
>  * eth0 not found in any of the specified runlevels.
> 
> However, 
> ...

 

I believe the command should have been rc-update del net.eth0 default, which you can use to disable automatically starting your wired NIC interface. If you just want to temporarily disable it, try /etc/init.d/net.eth0 stop . You may want to look into the /etc/conf.d/net file to double check your network settings. The wireless NIC will be eth1, and your wired NIC will be eth0. DHCP should only be used if your network has a DHCP server that will give out IP addresses, something like a router or base station can serve this purpose. Otherwise, you'll want to specify a static IP address in the file previously mentioned.

Your problem sounds completely unrelated to SSH, and much more about getting your basic network settings correct. Can you ping google.com or ping <some internal ip> and get a response? Like others have said, SSH is a simple matter of doing /etc/init.d/sshd start to enable the ssh server until the next reboot. If you'd like to always have the SSH server enabled, execute: rc-update add sshd default at the prompt.

The SSH server will listen on all available interfaces, eth0, eth1, etc. I've never had to specify which one to use.

To get your wireless stuff working, you'll need to install pcmcia-cs, and depending on whether you're using a 2.4 or 2.6 series kernel, either disable the kernel drivers or enable them, respectively. There are several posts on the forum about wireless connections, try searching for your card model. Good luck!

----------

## nosatalian

The problem is not about getting basic networking to work.  I am using the wireless eth1 to post this message, and have been using this properly configured DHCP (via my router) network for weeks.

eth0 is NOT automatically started with my notebook, and it shouldn't be since I have no wired connection in this house.

The following is the exact output when I attempt to start sshd:

```
pwned randy # /etc/init.d/sshd start
 * Bringing eth0 up via DHCP...                                           [ !! ]
 * Starting sshd...                                                       [ ok ]
```

How do I stop it from trying to bring up eth0? This must be the problem because when I try to ssh into my box by issuing the command 

ssh randy@<myip>

I get permission denied even with the correct password.

Do I need to add users to something like an "ssh" group? Similar to my wheel group??


----------

## nosatalian

By removing eth0 "dhcp" line from /etc/conf.d/net I got it to stop checking for eth0 with dhcp.

Now I get this message when starting sshd.

```
pwned randy # /etc/init.d/sshd restart
 * Stopping sshd...                                                       [ ok ]
 * Bringing eth0 up (192.168.0.2)...                                      [ ok ]
 * Starting sshd...                                                       [ ok ]
```

And when I try to connect, I receive:

```
randy@pwned randy $ ssh root@64.58.31.42
root@64.58.31.42's password:
Permission denied, please try again.
root@64.58.31.42's password:
Permission denied, please try again.
root@64.58.31.42's password:
Permission denied (publickey,password,keyboard-interactive).
```

Despite using correct password.

----------

## vonhelmet

 *nosatalian wrote:*   

> By removing eth0 "dhcp" line from /etc/conf.d/net I got it to stop checking for eth0 with dhcp.
> 
> Now I get this message when starting sshd.
> 
> pwned randy # /etc/init.d/sshd restart
> ...

 

Use ssh -l root 64.58.31.42 and see if that works.

----------

## nosatalian

Ok. I can now ssh localhost with either "root" or user "randy"

However, I still cannot ssh into my box from the outside world by either using ssh "myip" on this box, or any outside computer.  However, I *can* ping my ip from both locations.

----------

## OdinsDream

 *nosatalian wrote:*   

> Ok. I can now ssh localhost with either "root" or user "randy"
> 
> However, I still cannot ssh into my box from the outside world by either using ssh "myip" on this box, or any outside computer.  However, I *can* ping my ip from both locations.

 

If you're using a NAT setup, which from your 192.* address I assume you are, you'll need to forward port 22 to the machine inside your network running the SSH server. Do you use a broadband router/firewall/base station that lets your computers share a single public IP address? Check its configuration for the ability to port forward. The pings are being answered by this device.

If you have several machines you'd like to SSH into, set each one's SSH server to use separate port numbers in the config file you posted earlier, and then forward each port to the correct machine. From outside, depending on which port you ask for, your request will go to different machines.

To ask for the machine running SSH on port 6622: ssh -p6622 root@<public IP>

----------

## Lajasha

 *OdinsDream wrote:*   

>  *nosatalian wrote:*   Ok. I can now ssh localhost with either "root" or user "randy"
> 
> However, I still cannot ssh into my box from the outside world by either using ssh "myip" on this box, or any outside computer.  However, I *can* ping my ip from both locations. 
> 
> If you're using a NAT setup, which from your 192.* address I assume you are, you'll need to forward port 22 to the machine inside your network running the SSH server. Do you use a broadband router/firewall/base station that lets your computers share a single public IP address? Check its configuration for the ability to port forward. The pings are being answered by this device.
> ...

 

This does indeed sound like the issue but as far as the accessing multiple pcs things I would just ssh from the box on port 22 to the others. This should not introduce any lag as it is on the lan and would keep you from having to remember the other ports.

----------

## nosatalian

I only have 1 machine in this home network I need ssh access to. 

It is configured as 192.168.0.2, and I have set up SSH service (port 22) to be forwarded to this computer.

Furthermore, this computer is also set up as DMZ, which should work as though it is not behind a firewall?

But still I cannot connect from outside.

----------

## OdinsDream

Try using netstat on the system while you attempt a connection from an outside computer. See if you notice the connection or not. If this doesn't work, try directly connecting your PC to the line coming from the ISP. If you still can't connect, maybe your ISP is blocking the port.

----------

## nosatalian

It just hit me that every time I have tried to ssh into my home computer, I have issued that command through a secure shell on a different computer.  Would having an existing outgoing ssh connection prevent an incoming one?

----------

## neysx

 *nosatalian wrote:*   

> It just hit me that every time I have tried to ssh into my home computer, I have issued that command through a secure shell on a different computer.  Would having an existing outgoing ssh connection prevent an incoming one?

 I hope it did not hit you too hard  :Wink: 

It's no problem ssh'ing out to a remote shell and ssh back home, that's how I test if my box is reachable.

Maybe you could try with UsePAM no. It does not make any difference for me, but you could try. Here's my sshd_config

```
Protocol 2
ListenAddress 10.0.0.2:22
ListenAddress 10.0.0.2:12345
LogLevel VERBOSE
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication yes
UsePAM no
AllowTcpForwarding yes
X11Forwarding no
KeepAlive yes
UseLogin yes
Compression yes
UseDNS yes
MaxStartups 4
Subsystem       sftp    /usr/lib/misc/sftp-server
```

Using an explicit listen address should not make any difference. FYI, I forward incoming requests on :22 to :12345, it should not make any difference either. I usually use public keys, but I tried keyword auth with the above sample and it worked.

Hth

----------

## nosatalian

Should my listen address be my address on the router's network? i.e. 192.168.0.2 ?

----------

## nosatalian

Here is the full output of my ssh attempt.

```
OpenSSH_3.8p1, SSH protocols 1.5/2.0, OpenSSL 0.9.7c 30 Sep 2003
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 65.58.31.42 [65.58.31.42] port 22.
debug1: Connection established.
debug1: identity file /home/scf-02/rmrobert/.ssh/identity type -1
debug1: identity file /home/scf-02/rmrobert/.ssh/id_rsa type -1
debug1: identity file /home/scf-02/rmrobert/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20020307
debug1: match: OpenSSH_2.9 FreeBSD localisations 20020307 pat OpenSSH_2.*,OpenSSH_3.0*,OpenSSH_3.1*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '64.58.31.42' is known and matches the DSA host key.
debug1: Found key in /home/scf-02/rmrobert/.ssh/known_hosts:2
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/scf-02/rmrobert/.ssh/identity
debug1: Trying private key: /home/scf-02/rmrobert/.ssh/id_rsa
debug1: Trying private key: /home/scf-02/rmrobert/.ssh/id_dsa
debug1: Next authentication method: password
randy@65.58.31.42's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
randy@65.58.31.42's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
Permission denied, please try again.
randy@65.58.31.42's password:
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue: publickey,password,keyboard-interactive
debug1: No more authentication methods to try.
Permission denied (publickey,password,keyboard-interactive).
```

Any ideas?

----------
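An added example, not part of any post in the thread: a triage helper for `ssh -v` output like the transcript above, which pulls out the dialled address, the name the host key matched under, and the server's software banner so mismatches stand out. The sample lines are copied from that transcript; the expected banner prefix `OpenSSH_3` and all function names are assumptions for illustration.

```shell
#!/bin/sh
# Constructed sample: lines copied from the `ssh -v` transcript in the thread.
SAMPLE_LOG="debug1: Connecting to 65.58.31.42 [65.58.31.42] port 22.
debug1: Remote protocol version 1.99, remote software version OpenSSH_2.9 FreeBSD localisations 20020307
debug1: Local version string SSH-2.0-OpenSSH_3.8p1
debug1: Host '64.58.31.42' is known and matches the DSA host key.
debug1: Authentications that can continue: publickey,password,keyboard-interactive"

# Address the client actually dialled.
dialled_addr() {
    printf '%s\n' "$1" |
        sed -n 's/^debug1: Connecting to [^ ]* \[\([^]]*\)] port .*/\1/p' | head -n 1
}

# Name under which the presented host key was found in known_hosts.
hostkey_name() {
    printf '%s\n' "$1" |
        sed -n "s/^debug1: Host '\([^']*\)' is known and matches .*/\1/p" | head -n 1
}

# Software banner sent by whatever answered on the port.
remote_software() {
    printf '%s\n' "$1" |
        sed -n 's/^debug1: Remote protocol version [^,]*, remote software version \(.*\)$/\1/p' |
        head -n 1
}

# Print one finding per line; $2 is the banner prefix you expect from your own
# sshd (an assumption supplied by the caller, e.g. from `sshd -V` or the package version).
triage() {
    log=$1
    expected_sw=$2
    addr=$(dialled_addr "$log")
    key=$(hostkey_name "$log")
    sw=$(remote_software "$log")
    if [ -n "$addr" ] && [ -n "$key" ] && [ "$addr" != "$key" ]; then
        echo "ADDR_MISMATCH dialled=$addr hostkey=$key"
    fi
    case $sw in
        "$expected_sw"*) ;;   # the banner is what your own server would send
        *) echo "BANNER_MISMATCH got=$sw expected=$expected_sw*" ;;
    esac
    return 0
}

triage "$SAMPLE_LOG" "OpenSSH_3"
```

Either finding means the password prompt may be coming from a machine other than the one whose accounts you are testing, which is worth ruling out before changing `sshd_config`.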

