# [solved] ssh refuses external connections...

## tufelkinder

Hi,

Just completed my first installation of Gentoo and am trying to SSH into the box, but it rejects the login attempts when I try it from another computer on my network. If I try ssh to localhost, it lets me connect and login.

Any idea what I'm doing wrong...?

Thanks,

Walt

Last edited by tufelkinder on Wed Sep 07, 2005 8:27 pm; edited 1 time in total

----------

## christsong84

what's the listenaddress set to in the /etc/ssh/sshd_config ?

any firewalls running?

----------

## lamekain

It sounds like your firewall is stopping the connections. What are you using to control iptables (firewall)? If you don't know, you're probably not using anything. You can set the firewall rules on the command line with iptables (see man iptables) or use some software for an easier setup.

I'm using shorewall. It's quite easy to set up. Just "emerge shorewall" and surf to shorewall site and see the quick guide for standalone system.

----------

## tufelkinder

No firewall is setup yet; listenaddress is 0.0.0.0, I believe.

[edit] But ListenAddress is commented out in the config file... should that be set to something?

Also, if I have not installed a firewall app yet, then there is no firewall, right? Plus, my external computers connect to the box and are prompted for logins, but then the login is rejected. I don't think it's firewall related...

In addition, I've tried setting PermitRootLogin to yes and logging in with a non-root user; both fail remotely, both work locally.

The specific error it gives (remotely) is: Access denied

Thanks!

Walt


----------

## m27315

Can you post your /etc/ssh/sshd_config file?  It will help considerably.

You may want to check your AllowUsers and AllowGroups statements.  If these are defined, and the user id does not satisfy both requirements, then you will get the errors that you are reporting.

Also, permitting root cannot override the AllowUsers/Groups. You must include 'root' in these lines, if you have them already activated.

If these statements are not defined, then this is not the problem, since they offer no restriction when undefined.

Any good leads in your log files?  /var/log/sshd/current

----------

## tufelkinder

I have no AllowUsers or AllowGroups statements. Here are the active lines in my sshd_config:

```
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
UsePAM no
Subsystem	sftp	/usr/lib/misc/sftp-server
```

So then I added:

```
AllowGroups wheel admin root
AllowUsers pippin root
```

and restarted sshd but it still doesn't work.

I have no sshd directory in /var/log... could that be part of the problem...?

Thanks,

Walt


----------

## m27315

hmm, no - it just means you are using something besides metalog for your logger, which is what I use - hopefully you are using syslog or syslog-ng.  Do you know which logger you are using?  Admittedly, this is off topic.  It will only help you find the log files, which are useful for debug; but it should not directly affect or fix the problem.

----------

## tufelkinder

I installed syslog-ng. In addition, I uncommented the log lines from the config file, but I still see no log files in /var/log... Should I be looking somewhere else now?

Thanks,

Walt


----------

## tufelkinder

Don't know exactly what fixed it, but I enabled a couple different login types (tunneled text passwords, and more) and now it lets me login just fine.

Very strange.

Thanks for the help!

Walt


----------

## m27315

Looking at your config a little more closely, I think the problem is this line:

```
PasswordAuthentication no
```

Unless you have pubkey authentication enabled and setup properly, this will surely fail.  I was able to replicate your error by disabling password authentication, just as you had it.  I bet this is one of the switches you flipped in your experimentation.  Do you mind dumping your conf file back out, so others can learn?

BTW, you probably want to activate PAM.  I believe this will improve the security of your login process.  You should have:

```
UsePAM yes
```

Just for reference is my condensed /etc/ssh/sshd_config file:

```
$ grep -v '^#' /etc/ssh/sshd_config
Protocol 2
SyslogFacility AUTH
LogLevel DEBUG1
PermitRootLogin no
MaxAuthTries 3
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM yes
AllowTcpForwarding yes
X11Forwarding yes
X11DisplayOffset 10
X11UseLocalhost yes
UseLogin no
MaxStartups 3
Banner /etc/security/banner.txt
Subsystem       sftp    /usr/lib/misc/sftp-server
AllowUsers user1 user2 user3
```

I have enabled automatic X-forwarding and some other non-default settings, which are unrelated to this post, but I included them for completeness.

Glad you got it working!
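The two failure modes raised in this thread (passwords disabled with no key set up, and a user filtered out by AllowUsers/AllowGroups) can be checked mechanically. The following is an added example, not code from the thread or from OpenSSH; it assumes classic OpenSSH defaults and matches AllowUsers/AllowGroups as plain names only, ignoring user@host and wildcard patterns, and the sample config is constructed from the lines posted above.

```python
# Added example (not from the thread): lint a condensed sshd_config for the
# lock-out discussed above. Assumes classic OpenSSH defaults and matches
# AllowUsers/AllowGroups as plain names (user@host and wildcards not handled).

# Constructed sample: the original active lines plus the Allow* lines added later.
SAMPLE_CONFIG = """\
Protocol 2
PermitRootLogin yes
PasswordAuthentication no
UsePAM no
AllowGroups wheel admin root
AllowUsers pippin root
Subsystem\tsftp\t/usr/lib/misc/sftp-server
"""

DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "permitrootlogin": "yes"}

def parse_sshd_config(text):
    """Keywords are case-insensitive; sshd keeps the first value seen per keyword."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = line.split(None, 1)
            conf.setdefault(parts[0].lower(), parts[1].strip() if len(parts) > 1 else "")
    return conf

def user_allowed(conf, user, groups):
    """With both AllowUsers and AllowGroups set, a login must satisfy both."""
    users = conf.get("allowusers")
    if users is not None and user not in users.split():
        return False
    allowed = conf.get("allowgroups")
    return allowed is None or bool(set(groups) & set(allowed.split()))

def lint(conf, user, groups, has_authorized_key):
    """Return the reasons a remote login as `user` would be refused (empty = ok)."""
    get = lambda key: conf.get(key, DEFAULTS.get(key, "")).lower()
    findings = []
    if not user_allowed(conf, user, groups):
        findings.append(f"{user} is filtered out by AllowUsers/AllowGroups")
    password_ok = get("passwordauthentication") == "yes"
    pubkey_ok = get("pubkeyauthentication") == "yes" and has_authorized_key
    if not (password_ok or pubkey_ok):  # the "Access denied" case in this thread
        findings.append("no usable method: passwords disabled and no authorized key")
    if get("permitrootlogin") == "yes":
        findings.append("PermitRootLogin yes: root is a known account to guess against")
    return findings
```

Run `lint(parse_sshd_config(SAMPLE_CONFIG), "pippin", ["users"], False)` to see all three findings for the original configuration; re-enabling PasswordAuthentication or adding an authorized key clears the authentication finding.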

----------

## tufelkinder

Lines asterisked are what I changed last, except for

re-enabling UsePAM:

```
Protocol 2
SyslogFacility AUTH
LogLevel INFO
PermitRootLogin yes
AllowGroups wheel admin root
AllowUsers pippin root
*RSAAuthentication yes
*PubkeyAuthentication yes
*PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM yes
Subsystem   sftp   /usr/lib/misc/sftp-server
```

Thanks again!

Walt


----------

## m27315

BTW, if your box is going to be available to the web, I would advise you to disable root login.  You can login using your other user, and then su to root:

```
$ ssh pippin@hobbitsbox
Password:******
su -
Password:******
```

If you leave root open, hackers can brute force their way into your box.  They know a valid account, root, so it is just a matter of trying enough passwords before they finally force their way into your box.  Some people have an army of zombie boxes doing this very thing, reporting their results to a central location (often via IRC).  This way the attack comes from many computers and IP addresses, instead of an easily blocked, single IP address.

BTW, depending on how your box is configured, you may have trouble su-ing, if pippin is not in the wheel group.

Of course, if you are not exposing port 22, ssh, to the wibly web, then it is a lesser issue.  (Someone might still be able to hack into another box inside your LAN, maybe Windoze, and from there, they could launch a brute force attack.  It's much less likely, but still possible.)

HTH

----------

## tufelkinder

ah, good point(s). During setup this computer will not be on the internet, but eventually, hopefully, it will be, so I'll need to watch that when I do face it to the evil world!

The helpfulness of this forum puts the vast, vast majority of others I've posted questions to completely to shame. I greatly appreciate the advice and input!

Thank you all!

Walt


----------

## m27315

np - glad to help

BTW, would you mind "editing" your first post, and appending "[SOLVED]" to the subject line?  This will informally "close" the issue.  It helps people focus on the other people who still need help.

----------

## klatk

Help!

So after reconfiguring my kernel (in an attempt to get my usb mouse working) I am no longer able to ssh into my gentoo box. The sshd_config file hasn't been touched, and neither have the hosts.allow or hosts.deny files.

Although my sshd_config file has Password Authentication no, it was like that before and things still worked (I had UsePAM yes though).

Any ideas?

----------

## tufelkinder

What errors/symptoms are you able to see?

What finally helped me trace this down was trying to copy a file to my server from a windows box with pscp (PuTTY, http://www.softpedia.com/get/Network-Tools/Telnet-SSH-Clients/PuTTY.shtml) and I got the error "No authentication mechanisms available!" or something like that.

Did you follow the above recommendations? Can you show us your config file? What do your log files say?

Walt


----------

## m27315

Yes - please post your condensed sshd_config (minus comments and blank lines).  Also, what is the result of this command?

```
$ /etc/init.d/sshd status
 * status:  started
```

Do you see something else?  If so, then you probably have another problem further upstream, like netmount, eth0, or dhcpd.  My first guess is that you may have messed up your network connection.  What is the result of the following?

```
$ ifconfig -a
```

Can you get to anything outside of your Gentoo box?  Are you using a firewall (iptables, shorewall, etc.) on the Gentoo box?  Do you have a hardware firewall (router)?

How were you previously logging into the Gentoo box?  By password or keys?

----------

## klatk

hmmm, well looking at my logs was a pretty good idea. I'm getting this error with sshd where I didn't used to before:

error: Bind to port 22 on 0.0.0.0 failed: Address already in use.

I'm not exactly sure what I did in reconfiguring the kernel that caused 0.0.0.0 to already be used. I guess I've got to do some searching to see what I can use instead of 0.0.0.0, or else find out what's taking up that address. Anybody already know the answer to that?

----------

## daywalkerNT

I had a similar 'ssh refusing connection' issue.

ListenPort 22

it turned out to be my speedstream modem, it was blocking ALL ports except port 80 :-/

I tried to reset it to factory default and it appeared that the firmware on it wouldn't allow me to configure anything on it....at all.

So i changed it to "bridge" mode and then setup my Linksys router to do any port forwarding, etc.

...if you have dsl and not cable/static_IP, you can use www.no-ip.com and download the linux client (pretty easy to setup) and you can get a free domain name from the list they have available there and you won't have to:

1. remember your IP

2. be afraid to reboot your pc b/c it'll come up with a different ip that you won't be able to figure out.

----------

