# Cannot get access to gentoo desktop via ssh

## net_immigrant

Hi all,

I installed sshd on my gentoo desktop, but I cannot get access to it via ssh from another computer. I'm using putty on the client PC and get the following information from the server:

```
login as: XXX
Using keyboard-interactive authentication.
Password:
Access denied
```

What is my problem? I understand that I didn't describe the problem well, but, please, ask questions if it is not clear for you.

----------

## dirk_salewski

Hmmm, would you like to post your sshd config?

----------

## net_immigrant

```
Port 22
AddressFamily any
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
HostbasedAuthentication no
IgnoreRhosts yes
PasswordAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
UsePAM no
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UsePrivilegeSeparation yes
PidFile /var/run/sshd.pid
MaxStartups 10
Subsystem   sftp   /usr/lib64/misc/sftp-server
Match User root
   X11Forwarding no
```
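An added example, not code from the thread, that reads an sshd_config of the kind posted above and reports the authentication settings a defender would revisit. The two sample files are constructed: the first carries the authentication lines from the config above (including its Match block), the second is a hardened variant. The parsing follows sshd's own rules (comments and blank lines skipped, keywords case-insensitive, the first occurrence of a keyword wins, everything from the first Match line onward is conditional and so not part of the global value); for a running server, `sshd -T` remains the authoritative way to see the effective configuration.

```shell
#!/bin/sh
# Added example, not code from the thread: audit the global section of an
# sshd_config file. Rules mirror sshd: comments/blank lines are skipped,
# keywords are case-insensitive, the first occurrence of a keyword wins,
# and lines from the first "Match" onward apply only conditionally.

SAMPLE_DIR=$(mktemp -d)

# Constructed sample 1: authentication lines from the config posted in
# the thread, with its trailing Match block.
cat > "$SAMPLE_DIR/loose.conf" <<'EOF'
Port 22
Protocol 2
LogLevel INFO
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
UsePAM no
X11Forwarding yes
Match User root
   X11Forwarding no
EOF

# Constructed sample 2: a hardened variant of the same file.
cat > "$SAMPLE_DIR/tight.conf" <<'EOF'
Port 22
Protocol 2
LogLevel VERBOSE
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
PermitEmptyPasswords no
UsePAM yes
X11Forwarding no
EOF

# Print the global value of keyword $2 in file $1 (empty when unset).
sshd_global_value() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[ \t]*#/ || /^[ \t]*$/     { next }               # comment or blank
        tolower($1) == "match"       { exit }               # conditional section
        tolower($1) == key && !seen  { val = $2; seen = 1 } # first value wins
        END { print val }
    ' "$1"
}

# Print one finding per line for file $1; no output means nothing flagged.
sshd_audit() {
    cfg="$1"
    v=$(sshd_global_value "$cfg" PermitRootLogin)
    if [ "$v" != "no" ]; then
        echo "PermitRootLogin is ${v:-unset}: set it to no so root cannot be targeted directly; log in as a normal user and use su/sudo"
    fi
    v=$(sshd_global_value "$cfg" PasswordAuthentication)
    if [ "$v" != "no" ]; then
        echo "PasswordAuthentication is ${v:-unset}: passwords on an internet-reachable port invite guessing; prefer key-only authentication"
    fi
    v=$(sshd_global_value "$cfg" PermitEmptyPasswords)
    if [ "$v" = "yes" ]; then
        echo "PermitEmptyPasswords is yes: accounts without a password can log in"
    fi
    case "$(sshd_global_value "$cfg" Protocol)" in
        *1*) echo "Protocol includes 1: SSH protocol 1 is obsolete and insecure; use Protocol 2" ;;
    esac
    v=$(sshd_global_value "$cfg" LogLevel | tr 'a-z' 'A-Z')
    if [ "$v" != "VERBOSE" ]; then
        echo "LogLevel is ${v:-unset}: VERBOSE records the key fingerprint of every login, which helps incident review"
    fi
    return 0
}

echo "== loose.conf =="; sshd_audit "$SAMPLE_DIR/loose.conf"   # 3 findings
echo "== tight.conf =="; sshd_audit "$SAMPLE_DIR/tight.conf"   # no findings
```

The `X11Forwarding no` inside the Match block is deliberately ignored by `sshd_global_value`: it applies only to root, so the global answer for that keyword stays `yes`.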

----------

## tuber

Are there any error messages in /var/log/messages or dmesg?

----------

## net_immigrant

No error messages, neither here nor there.

----------

## Aquiles

Try having a look at /etc/hosts.deny and /etc/hosts.allow. If you have 'ALL:ALL' in /etc/hosts.deny then you should explicitly add a line in /etc/hosts.allow to let in connections from trusted computers. Something like

```
sshd: trusted.host1 192.168.1.4 trusted.host2
```

I don't know, maybe that's the problem... or maybe not!

Let us know how it goes.

----------

## R.Aven

*Aquiles wrote:*

> Try having a look at /etc/hosts.deny and /etc/hosts.allow. If you have 'ALL:ALL' in /etc/hosts.deny then you should explicitly add a line in /etc/hosts.allow to let in connections from trusted computers. Something like
>
> sshd: trusted.host1 192.168.1.4 trusted.host2
>
> I don't know, maybe that's the problem... or maybe not!
> ...

I don't know whether encoding influences the authentication process, but perhaps you have to set the correct server encoding (UTF-8 or whatever) explicitly in putty.

And you could try to connect to the sshd from the server itself (localhost) to eliminate all problems putty could cause.

----------

## net_immigrant

sorry for delay.

The problem is not in sshd. My Internet provider uses NAT and I'm using its gray IP; I'm behind a NAT server. They told me that they won't map ports for their clients. Is there any opportunity to use ssh through some other server to which I have access both from my gentoo desktop and from some other computer? So the idea is to access the gentoo desktop with a gray IP behind NAT through some server which I can access from both sides via ssh or through another port. Does somebody have any idea?

----------

## net_immigrant

I wanna develop a daemon which will run under the gentoo desktop and every N seconds connect to some server for new tasks. I will put these tasks on the server from the other computer via ftp. They would be bash scripts. The daemon gets a task and processes it, redirecting stdin and stderr to some files which will be uploaded to the server by the daemon. It is like a rudimentary shell.

Please let me know if there is any better opportunity to establish a connection between my gentoo desktop behind NAT and some other computer.

----------

## Naib

Can you ssh locally? I.e.

```
ssh 127.0.0.1
```

That will show whether it is an ssh config issue or a wider networking issue.

----------

## net_immigrant

*Naib wrote:*

> can you ssh locally?
>
> i.e.
>
> ssh 127.0.0.1
> ...

Look two posts above. I'm behind NAT and they won't do port mapping for me.

----------

## lesourbe

*net_immigrant wrote:*

> *Naib wrote:* can you ssh locally?
>
> i.e.
>
> ssh 127.0.0.1
> ...

and putty tells you that:

*putty wrote:*

> Access denied

:Question:

----------

## net_immigrant

yap.

```
Login as: XXX
Using keyboard-interactive authentication
Password:
Access denied
```

look at the very first post.

When I try to access that gray IP which NAT gives me, I can't. I can't even traceroute it. I think that when I try to access it I establish a connection with the NAT server, and I can't pass that NAT server and connect to my gentoo desktop.

----------

## chrbecke

If

```
GatewayPorts yes
```

is set in the sshd config on the server, you could do the following on your Gentoo box:

```
ssh -N -R *:2200:localhost:22 -l <user at server> <server>
```

This will make the server listen on port 2200 and forward connections made to port 2200 to your Gentoo box port 22, so you should be able to ssh into your Gentoo box with e.g.

```
ssh -p 2200 -l <user at Gentoo box> <server>
```

Another possibility would be to set up a VPN on the server and make your Gentoo box connect to the VPN.

HTH,

Chris

----------

## net_immigrant

chrbecke, thanks a lot, that is a brilliant solution, it is exactly what I need!

I wrote an init script for running the ssh forwarder automatically. This is the script:

```
localhost XXX # cat /etc/init.d/ssh_forwarder
#!/sbin/runscript

depend() {
 need net sshd
 after sshd
}

SSH_FORWARDER_PIDFILE=${SSH_FORWARDER_PIDFILE:-/var/run/${SVCNAME}.pid}
SSH_FORWARDER_SCRIPT=${SSH_FORWARDER_SCRIPT:-/home/XXX/ssh_forwarder.sh}

start() {
 ebegin "Starting ${SVCNAME}"
 start-stop-daemon --background --make --start --exec "${SSH_FORWARDER_SCRIPT}" --pidfile ${SSH_FORWARDER_PIDFILE}
 eend $?
}

stop() {
 ebegin "Stopping ${SVCNAME}"
 start-stop-daemon --stop --exec "${SSH_FORWARDER_SCRIPT}" \
  --pidfile "${SSH_FORWARDER_PIDFILE}" --quiet
 eend $?
}
```

and this is the script /home/XXX/ssh_forwarder.sh

```
#!/bin/sh
ssh -N -R *:6661:localhost:22 -l XXX IP_ADDRESS
```

For those who have good eyes :Smile: I'll tell you that I use one of IRC's ports (6661) on purpose, because all non-standard ports are closed at the place from which I want to ssh to my gentoo desktop.

I have another question. When I start the service

```
/etc/init.d/ssh_forwarder start
```

it starts normally, but when I do

```
/etc/init.d/ssh_forwarder stop
```

it kills only the ssh_forwarder.sh process, but not the ssh -N -R *:6661:localhost:22 -l XXX IP_ADDRESS process which it runs. I need to kill it manually:

```
ps aux | grep ssh

kill [that one process]
```

What do I need to change in either of those two scripts to make it work properly, so that when it stops it kills all the processes it started?

----------

## net_immigrant

I realized a new problem: each time I restart the ssh_forwarder.sh script I need to restart sshd on the remote server :Shocked: That is awful. I think it happens because the socket on port 6661 stays open on the server. How can I prevent that? Sometimes I can't even open more than one ssh session.

----------

## chrbecke

Try either to modify your rc script:

```
#!/sbin/runscript

depend() {
 need net sshd
}

SSH_FORWARDER_PIDFILE=${SSH_FORWARDER_PIDFILE:-/var/run/${SVCNAME}.pid}
SSH_FORWARDER_REMOTE_PORT=${SSH_FORWARDER_REMOTE_PORT:-6661}
SSH_FORWARDER_REMOTE_USER=${SSH_FORWARDER_REMOTE_USER:-XXX}
SSH_FORWARDER_REMOTE_HOST=${SSH_FORWARDER_REMOTE_HOST:-IP_ADDRESS}

start() {
 ebegin "Starting ${SVCNAME}"
 start-stop-daemon --background --make-pidfile --pidfile ${SSH_FORWARDER_PIDFILE} \
  --start --exec ssh -- -N -R *:${SSH_FORWARDER_REMOTE_PORT}:localhost:22 \
  -l ${SSH_FORWARDER_REMOTE_USER} ${SSH_FORWARDER_REMOTE_HOST}
 eend $?
}

stop() {
 ebegin "Stopping ${SVCNAME}"
 start-stop-daemon --quiet --pidfile ${SSH_FORWARDER_PIDFILE} --stop --exec ssh
 eend $?
}
```

("need sshd" makes "after sshd" obsolete, I think, and "man start-stop-daemon" only mentions "--make-pidfile" although "--make" obviously works...)

or to change your ssh_forwarder.sh:

```
#!/bin/sh
exec ssh -N -R *:6661:localhost:22 -l XXX IP_ADDRESS
```

(The exec call replaces the shell process with the ssh process, so your ssh process will have the pid start-stop-daemon knows about and thus can be killed by start-stop-daemon --stop.)

HTH,

Chris
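The exec point above, as an added example that is not chrbecke's code or anything from the thread: it writes two throwaway wrapper scripts, one with and one without exec, starts each in the background and records its pid the way start-stop-daemon --make-pidfile would, sends that single pid a TERM the way --stop does, and reports what the recorded pid was actually running and whether a child outlived the stop. It assumes a Linux /proc filesystem and uses `sleep 60` as a stand-in for the long-running `ssh -N`.

```shell
#!/bin/sh
# Added example, not code from the thread: why "exec" in a wrapper script
# matters when start-stop-daemon only knows the wrapper's pid.
# "sleep 60" stands in for the long-running "ssh -N -R ..." command.
# Assumes Linux: /proc/<pid>/comm and /proc/<pid>/stat are read.

WORK=$(mktemp -d)

# Two wrapper scripts, identical except for "exec".
printf '#!/bin/sh\nsleep 60\n' > "$WORK/noexec.sh"
printf '#!/bin/sh\nexec sleep 60\n' > "$WORK/exec.sh"
chmod +x "$WORK/noexec.sh" "$WORK/exec.sh"

# Print the pids whose parent is $1, read from /proc/*/stat
# (fields: pid (comm) state ppid ...; the comm of the processes created
# here contains no spaces, so ppid is the fourth field).
children_of() {
    for stat in /proc/[0-9]*/stat; do
        read -r cpid ccomm cstate cppid rest 2>/dev/null < "$stat" || continue
        if [ "$cppid" = "$1" ]; then
            printf '%s\n' "$cpid"
        fi
    done
    return 0
}

# Start wrapper $1 in the background and remember its pid (what
# start-stop-daemon --make-pidfile records). Then send that pid alone a
# TERM (what --stop does) and print "comm=<name> orphan=<yes|no>":
# <name> is the program the recorded pid was actually running, and
# orphan tells whether a child of the wrapper outlived the stop.
stop_report() {
    "$1" >/dev/null 2>&1 &
    pid=$!
    sleep 1                                  # let the wrapper start its command
    name=$(cat "/proc/$pid/comm")
    kids=$(children_of "$pid")
    kill "$pid" 2>/dev/null || true
    wait "$pid" 2>/dev/null || true
    orphan=no
    for k in $kids; do
        if kill -0 "$k" 2>/dev/null; then
            orphan=yes
            kill "$k" 2>/dev/null || true    # clean up the leaked process
        fi
    done
    printf 'comm=%s orphan=%s\n' "$name" "$orphan"
}

echo "with exec:    $(stop_report "$WORK/exec.sh")"    # comm=sleep orphan=no
echo "without exec: $(stop_report "$WORK/noexec.sh")"  # comm is the wrapper itself, orphan=yes
```

With exec the recorded pid is the long-running command itself, so one TERM ends it; without exec the pid belongs to the wrapper shell, and its child keeps running after the stop, which is exactly the leftover ssh process described in the thread.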

----------

## net_immigrant

chrbecke, thanks again, I was not very attentive reading the start-stop-daemon man page. And it is new for me to know about such a capability of the exec command. Maybe you know why I need to restart sshd on the remote server each time I restart the ssh_forwarder service on the gentoo desktop?

----------

## chrbecke

I don't know why you have to restart sshd on the remote machine - I could not reproduce the behaviour you describe on my machines. I guess it has something to do with the ssh process not being killed properly - have you tried the changes to your scripts I proposed? They should make sure that ssh is terminated properly; maybe that is already enough not to break sshd.

----------

## net_immigrant

chrbecke, thank you for a nice solution. I ran ssh_forwarder this morning, checked that ssh was working from localhost, came to the place from which I wanted to ssh and found out that I couldn't. The server replied with "504: Gateway timeout". I sshed to the server (where I'm listening on port 6661) and did

```
netstat -lt --numeric-ports
```

It returned that 6661 was being listened on. I called home and asked my wife to restart /etc/init.d/ssh_forwarder - nothing happened. I restarted sshd remotely on the server and a miracle happened - I got access. I dunno why that happened.

My ssh_forwarder script is just as you suggested, without ssh_forwarder.sh - I don't need it any more.

----------

## net_immigrant

I think that the session of my ssh client is being terminated because neither my /etc/ssh/ssh_config nor my ~/.ssh/config on the gentoo desktop had a line

```
ServerAliveInterval [count]
```

I put

```
ServerAliveInterval 60
```

I will tell you about the result.

I read about an opportunity to put

```
ClientAliveInterval [count]

ClientAliveCountMax [count]
```

to /etc/ssh/sshd_config, but I think that it will give the same result.

----------

## net_immigrant

Well, I can't prevent session termination, but I've done some steps to make ssh on my gentoo desktop listen on a remote port. Here is my ssh_forwarder script, which is at /etc/init.d/ssh_forwarder

```
#!/sbin/runscript

depend() {
 need net sshd
}

SSH_FORWARDER_PIDFILE=${SSH_FORWARDER_PIDFILE:-/var/run/${SVCNAME}.pid}
SSH_FORWARDER_REMOTE_PORT=${SSH_FORWARDER_REMOTE_PORT:-6661}
SSH_FORWARDER_REMOTE_USER=${SSH_FORWARDER_REMOTE_USER:-XXX}
SSH_FORWARDER_REMOTE_HOST=${SSH_FORWARDER_REMOTE_HOST:-xxx.xxx.xxx.xxx}
SSH_BIN=${SSH_BIN:-/usr/bin/ssh}
SSH_FORWARDER_BIN=${SSH_FORWARDER_BIN:-/etc/init.d/ssh_forwarder}
SSH_FORWARDER_CRON_STRING=${SSH_FORWARDER_CRON_STRING:-*/5 * * * * /etc/ssh_forwarder/ssh_keepalive.sh}
SSH_FORWARDER_CRONTAB=${SSH_FORWARDER_CRONTAB:-/var/spool/cron/crontabs/root}

# Remove our cron line from the crontab (exact whole-line match, no regex,
# so the "*" and "/" in the cron string are taken literally). Writing via
# a temporary file avoids truncating the crontab before it has been read.
remove_cron_line() {
 grep -vxF "${SSH_FORWARDER_CRON_STRING}" "${SSH_FORWARDER_CRONTAB}" > "${SSH_FORWARDER_CRONTAB}.tmp"
 mv "${SSH_FORWARDER_CRONTAB}.tmp" "${SSH_FORWARDER_CRONTAB}"
}

start() {
 ebegin "Starting ${SVCNAME}"
 start-stop-daemon --background --make-pidfile --start --pidfile "${SSH_FORWARDER_PIDFILE}" --exec ${SSH_BIN} \
  -- -N -R *:"${SSH_FORWARDER_REMOTE_PORT}":localhost:22 -l "${SSH_FORWARDER_REMOTE_USER}" "${SSH_FORWARDER_REMOTE_HOST}"
 result=$?
 # install the keepalive cron job exactly once
 remove_cron_line
 echo "${SSH_FORWARDER_CRON_STRING}" >> "${SSH_FORWARDER_CRONTAB}"
 eend ${result}
}

stop() {
 ebegin "Stopping ${SVCNAME}"
 start-stop-daemon --stop --exec ${SSH_BIN} \
  --pidfile "${SSH_FORWARDER_PIDFILE}" --quiet
 result=$?
 remove_cron_line
 eend ${result}
}
```

and my ssh_keepalive.sh, which is run by crontab every 5 minutes

```
#!/bin/sh
SSH_FORWARDER_REMOTE_PORT=${SSH_FORWARDER_REMOTE_PORT:-6661}
SSH_FORWARDER_REMOTE_USER=${SSH_FORWARDER_REMOTE_USER:-XXX}
SSH_FORWARDER_REMOTE_HOST=${SSH_FORWARDER_REMOTE_HOST:-xxx.xxx.xxx.xxx}
SSH_BIN=${SSH_BIN:-/usr/bin/ssh}
SSH_FORWARDER_BIN=${SSH_FORWARDER_BIN:-/etc/init.d/ssh_forwarder}

# Ask the server whether something is still listening on the tunnel port.
# The pattern ":PORT " (with the trailing space) matches only that port,
# not e.g. 16661.
is_alive=$("${SSH_BIN}" -l "${SSH_FORWARDER_REMOTE_USER}" "${SSH_FORWARDER_REMOTE_HOST}" "netstat -ltn | grep ':${SSH_FORWARDER_REMOTE_PORT} '")

if [ -z "${is_alive}" ] ; then
 "${SSH_FORWARDER_BIN}" restart
fi
```

That's it. If ssh_forwarder stops listening on the remote port 6661 for some reason, it will be reconnected no later than 5 minutes afterwards.

Maybe somebody has an idea why my connection is being broken? This is indeterminate behaviour. I'm running putty from some other desktop and connect to my gentoo desktop via the described tunnel. Some time passes and my connection breaks. It is interesting to notice that when I'm connected via putty to the server on which port 6661 is being listened on by ssh_forwarder, the connection is stable and nothing breaks it. Here is the ssh_config from my gentoo desktop:

```
Host *
   PasswordAuthentication yes
   HostbasedAuthentication no
   ServerAliveInterval 0
   ServerAliveCountMax 0
   AddressFamily any
   Port 22
   Protocol 2,1
```

and sshd_config

```
Port 22
AddressFamily any
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
KeyRegenerationInterval 3600
ServerKeyBits 1024
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
RhostsRSAAuthentication no
HostbasedAuthentication no
IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
UsePAM yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
UsePrivilegeSeparation yes
ClientAliveInterval 60
ClientAliveCountMax 60
PidFile /var/run/sshd.pid
MaxStartups 10
Subsystem   sftp   /usr/lib64/misc/sftp-server
```
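An added example, not code from the thread, for the keepalive check in the post above: instead of grepping `netstat -ltn` output for the bare port number (which also matches 16661 or any address containing those digits, so a keepalive could believe the tunnel is up when it is not), it parses the output field by field and classifies the tunnel listener by its bind address. The bind address is the detail to watch with the GatewayPorts setup from earlier in the thread: a listener on 0.0.0.0 or :: means the relay server exposes the forwarded port, and with it the Gentoo box's sshd and its password policy, to everyone who can reach the relay. The netstat sample is constructed; the port numbers are the thread's.

```shell
#!/bin/sh
# Added example, not code from the thread: classify a reverse-tunnel
# listener from "netstat -ltn" output by exact port and bind address.

# Constructed sample of "netstat -ltn" output on the relay server.
SAMPLE_NETSTAT=$(cat <<'EOF'
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6661            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:16661         0.0.0.0:*               LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
EOF
)

# Print the bind address of every LISTEN socket on exactly port $1.
# Input in netstat -ltn format is read from stdin. The port is the text
# after the last ":" of "Local Address", which also copes with the IPv6
# form ":::22".
listeners_on_port() {
    awk -v port="$1" '
        $1 ~ /^tcp/ && $NF == "LISTEN" {
            n = split($4, f, ":")
            if (f[n] == port)
                print substr($4, 1, length($4) - length(f[n]) - 1)
        }'
}

# Classify the tunnel on port $1:
#   down       nothing listening; the keepalive should restart the forwarder
#   up-public  bound to all interfaces (GatewayPorts effect): reachable by
#              anyone who can reach the relay, so the tunnelled sshd is
#              exposed to password guessing from the whole internet
#   up-local   loopback only: reachable after logging in to the relay
tunnel_state() {
    addrs=$(listeners_on_port "$1")
    if [ -z "$addrs" ]; then
        echo down
    elif printf '%s\n' "$addrs" | grep -Eq '^(0\.0\.0\.0|::|\*)$'; then
        echo up-public
    else
        echo up-local
    fi
}

# The fragile check for comparison: counts every line containing the
# digits, not only the port.
naive_match_count() {
    grep -c "$1"
}

printf '%s\n' "$SAMPLE_NETSTAT" | tunnel_state 6661         # up-public
printf '%s\n' "$SAMPLE_NETSTAT" | tunnel_state 16661        # up-local
printf '%s\n' "$SAMPLE_NETSTAT" | tunnel_state 6662         # down
printf '%s\n' "$SAMPLE_NETSTAT" | naive_match_count 6661    # 2
```

A keepalive can run `tunnel_state` over the real netstat output fetched through ssh and restart the forwarder only on `down`; the `up-public` result is the one to log, since it means the relay is accepting connections for the tunnel from any source address.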

----------

## net_immigrant

No idea why my connection can be broken?

----------

## g-user

Maybe you will be interested to look at this one.

http://koti.mbnet.fi/jtko/

http://www.destinyforge.com/blogs/?p=15

It's about a VNC repeater. Anyway, I think ssh is more secure and the more preferred solution.

----------

## net_immigrant

g-user, I don't need any remote control tool; I know a few of them. I need an ssh tunnel. It works. The connection is being broken for some reason. I need to know why.

----------

