# SSH issues

## insertfunkhere

I've been trying to set up sshd so I can tunnel in to my home machine from work to do whatever, but thus far I've only been able to ssh in from within my home network. My gentoo box sits behind a D-Link 524 router, and I've tried to set it to forward port 22 connections to the gentoo box, but maybe I missed something? Or, perhaps my sshd configuration is screwed up; I really have no idea.

Here's my /etc/ssh/sshd_config file:

```
#   $OpenBSD: sshd_config,v 1.69 2004/05/23 23:59:53 dtucker Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6

#RSAAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
AllowGroups wheel admin
PubkeyAuthentication yes
AuthorizedKeysFile   .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication mechanism.
# Depending on your PAM configuration, this may bypass the setting of
# PasswordAuthentication, PermitEmptyPasswords, and
# "PermitRootLogin without-password". If you just want the PAM account and
# session checks to run without PAM authentication, then enable this but set
# ChallengeResponseAuthentication=no
#UsePAM yes

#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem   sftp   /usr/lib/misc/sftp-server
```

Anyone have any clues/suggestions as to what's up?

----------

## think4urs11

any error messages when trying to connect? (either client errors or some logs from your home machine)

does your corporate firewall allow port 22 outgoing at all?

----------

## insertfunkhere

I've tried connecting from a number of places, not solely from work; I sometimes get "connection refused" and sometimes "connection timed out" error messages. I don't remember where I was specifically when I got each message. Where would I find error messages on my home machine?

----------

## elestedt

Did you open the port in the firewall? Forwarding it does not imply that the port is opened in the firewall.

----------

## magic919

Hard to say where this problem lies. SSH works, as proved by SSHing on the LAN. Assuming you have no firewall (IPTables) on the Gentoo box then you need to get through the D-Link. Forwarding port 22 to the correct IP of the Gentoo box is sufficient. You could use NMAP from the Internet to check that you can at least see port 22 open. Also double check the router config and check iptables on the Gentoo box.

This is how I reach my Gentoo machine and, via that, my LAN from here at work.

----------

## insertfunkhere

Stupid question time: how do I tell if I have IPTables running? An "emerge -s iptables" tells me it is installed, but whether it's running, I don't know.

----------

## magic919

```
/etc/init.d/iptables status
```

If it is, you can run

```
iptables -L -n -v
```

to check the settings.

----------

## insertfunkhere

Well, iptables isn't running on my home machine, so that can't be the problem. I think I've configured the router correctly. Maybe all the places I've tried to ssh from block port 22; if that's so, is there any way to get around that? Also, to check whether something has been getting through to my comp, how/where do I check sshd's log?

----------

## magic919

You could have the sshd daemon listen on another port. Logs typically go to /var/log/secure.

----------

## cyberb0b

Try setting PasswordAuthentication yes in sshd_config. Also look for an online port scan such as here. It should come up with port 22 if your sshd can be reached at all.

----------

## d_m

Also, you can run ssh with the "-v" flag to see debugging output. This is really useful in tracking down these kinds of errors.

```
ssh -v username@host
```

Finally, you should make sure your IP address isn't changing when you're at work. Services like dyndns.org can help with this.

----------

## insertfunkhere

The online port scanner didn't help much. When I ran it from my home machine, port 22 didn't even show up at all.

What confuses me is that the setup of sshd that I have works from within my home network, but even if I put my home machine in the router's "DMZ" (theoretically exposing it directly to the net) I get the same error from PuTTY: "connection timed out".

----------

## insertfunkhere

While my home machine is in the DMZ, scanning with nmap from a remote location tells me this about port 22:

```
PORT     STATE     SERVICE
22/tcp   filtered  ssh
```

A bit further on, it also indicates:

```
PORT      STATE  SERVICE
3689/tcp  open   rendezvous
```

which makes sense, because I have mt-daapd serving music via the iTunes protocol. So how is 22 'filtered' when 3689 isn't? What am I missing? I don't remember having to screw around with my router to get mt-daapd to work...

----------

## magic919

That online scanner doesn't check port 22. You'll need to try another one or get someone to scan it. Could be your ISP set-up blocking it, for example.

----------

## magic919

mt-daapd UPnP, maybe?

Maybe port 22 is firewalled by the ISP if it's not your router. Could try a shift to port 222, re-config the router and NMAP again as a test.
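A small probe script, added here as an example and not part of the thread, that separates the three outcomes discussed above from the client side: a timeout (nmap's "filtered", i.e. something on the path drops the SYN), a refusal (the host answers with a RST but nothing listens, e.g. the forward points at the wrong LAN address) and a real open port that greets with an SSH banner. The target host and the alternative port 222 are assumed values to be run from outside the home network.

```python
import socket
import sys


def probe_ssh(host, port, timeout=5.0):
    """TCP-connect to host:port and read the SSH banner.

    Returns (state, detail) with state in "open", "closed", "filtered", "error".
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except socket.timeout:
        # No SYN/ACK and no RST: the SYN is silently dropped somewhere
        # (no forward rule on the router, ISP filter, or client egress firewall).
        return "filtered", "no reply within %.0fs; packets are being dropped" % timeout
    except ConnectionRefusedError:
        # A RST came back: the host is reachable, but nothing listens on that port
        # (forward aimed at the wrong LAN address, sshd down, or on another port).
        return "closed", "RST received; host reachable but nothing listening"
    except OSError as exc:
        # DNS failure, no route, etc.
        return "error", str(exc)
    with sock:
        try:
            sock.settimeout(timeout)
            banner = sock.recv(256)
        except OSError:
            banner = b""
    if banner.startswith(b"SSH-"):
        return "open", banner.decode("ascii", "replace").strip()
    return "open", "connected, but no SSH banner (forward hitting another service?)"


def probe_ports(host, ports=(22, 222), timeout=5.0):
    """Probe several candidate ports, e.g. 22 and the 222 suggested above."""
    return {port: probe_ssh(host, port, timeout) for port in ports}


if __name__ == "__main__":
    # Placeholder target; pass your public hostname or address as argv[1].
    target = sys.argv[1] if len(sys.argv) > 1 else "home.example.invalid"
    for port, (state, detail) in probe_ports(target).items():
        print("%s:%d  %-8s %s" % (target, port, state, detail))
```

"filtered" from outside while the LAN works points at the router or ISP; "closed" means the forward reaches a host but not sshd.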

----------

