# [SOLVED] sshd can be accessed with telnet, but not ssh

## nixscripter

Okay, this one is stuck. I'm getting a very strange complaint I feel powerless to debug.

I have an SSH server visible on the internet. However, one authorized user can't get in. Both with a Mac (OS X leopard) and a Linux box (Ubuntu 11.04), this is the result:

- Can ping the server

- Can run telnet on the custom port and get the "OpenSSH" string (meaning the server is up and the packets arrive)

- The ssh client hangs, like this (level 3 debug):

```
OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XX.XX.XX.XX [XX.XX.XX.XX] port 65432.
```

And then times out. When I sniff the interface while they try to connect, I see no packets with SSH (and do with telnet, obviously).

It's probably not my fault because others can get in, but I have never seen anything like this. Any suggestions?

*Last edited by nixscripter on Mon Sep 26, 2011 6:44 pm; edited 1 time in total*

----------

## Hu

Ask the affected user to collect a tcpdump of both the successful (telnet) and unsuccessful (ssh) connections.  Compare to see where they deviate.

----------

## mp342

 *nixscripter wrote:*   

> It's probably not my fault because others can get in, but I have never seen anything like this. Any suggestions?

 

They are behind a firewall which denies ssh because you can bypass all the security measures with it? (with tunneling)

----------

## Hu

 *mp342 wrote:*   

> *nixscripter wrote:* It's probably not my fault because others can get in, but I have never seen anything like this. Any suggestions?
> 
> They are behind a firewall which denies ssh because you can bypass all the security measures with it? (with tunneling)

 If this is so, then why is the same user able to establish a connection to the same port using telnet?  Additionally, note that the OP stated he is using an unusual port for the traffic, so unless the firewall is configured with a port whitelist or is doing traffic inspection, it should be unaware that ssh is in use.

----------

## mp342

 *Hu wrote:*   

> If this is so, then why is the same user able to establish a connection to the same port using telnet?  Additionally, note that the OP stated he is using an unusual port for the traffic, so unless the firewall is configured with a port whitelist or is doing traffic inspection, it should be unaware that ssh is in use.

 

If the problem is a firewall, it's probably the second hypothesis: the firewall checks the protocol used and denies ssh.

It's a basic safeguard if your user is on a secured network. Relying on the port to filter traffic is not serious; nobody in charge of the security of a network uses that if a specific protocol should be rejected.

----------

## NeddySeagoon

mp342,

The firewall does not filter outgoing connections ?

Why is port 65432 allowed out at all?

Port 443 is normally allowed out, as it's https and firewalls expect to see encryption in use there.

Allow your ssh server to listen on port 443 and see if your odd user can connect.  You will not be able to run an https server on the same IP meanwhile.

----------

## mp342

 *NeddySeagoon wrote:*   

> mp342,
> 
> The firewall does not filter outgoing connections ?
> 
> Why is port 65432 allowed out at all?
> ...

 

It's not me who asked, but it's why I suspect there is a firewall capable of checking the protocol used. Without this capability, either there isn't any firewall or I don't understand why port 65432 is allowed too!

----------

## nixscripter

Thanks for the suggestions. I would add something:

FYI, the new Mac OS X firewall is (annoyingly) based on process-by-process whitelisting (see here). They have also had trouble with ssh recently. This is why I had him try a Linux machine -- and was quite astonished the problem persisted. Because telnet works, I have been thinking about this as a process-oriented problem (ssh's fault somehow).

Anyway, I will talk to him on Monday, and see if:

1. Any traffic goes out on the same box (i.e. wireshark + promiscuous mode) when he uses ssh.

2. I can strace telnet and ssh to see what they do differently WRT networking.

3. Make sure he has no firewall rules for outgoing connections.

I'll post back.

----------

## nixscripter

The problem was... a typo. *sigh*

He sent me a packet log, showing the TCP SYNs of ssh going into the ether -- because the IP address was one digit off. A one-digit mistake he made, and then retrieved from shell history multiple times.

Sorry to waste your time. I at least hope you got a laugh out of it.
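One way to do the side-by-side packet comparison Hu suggested, as an added example that is not part of the thread: it parses `tcpdump -n` text output from the client and, for each outgoing connection attempt, reports whether the SYN went to the expected server address and whether a SYN-ACK ever came back, so a wrong destination (the typo above) or a silently filtered port shows up immediately. The addresses and log lines are constructed for this example.

```python
"""Compare where a working (telnet) and a failing (ssh) connection deviate,
using `tcpdump -n` text output. Added example for this thread, not the OP's
code; the log lines below are constructed to reproduce the thread's root cause."""
import re

# Constructed sample of `tcpdump -n -i eth0 tcp port 65432` on the client.
# 192.0.2.10 is the client, 198.51.100.7 the real server (documentation ranges).
SAMPLE = """\
12:00:01.000000 IP 192.0.2.10.40001 > 198.51.100.7.65432: Flags [S], seq 1, win 29200, length 0
12:00:01.050000 IP 198.51.100.7.65432 > 192.0.2.10.40001: Flags [S.], seq 2, ack 2, win 28960, length 0
12:00:01.050100 IP 192.0.2.10.40001 > 198.51.100.7.65432: Flags [.], ack 1, win 229, length 0
12:00:05.000000 IP 192.0.2.10.40002 > 198.51.100.1.65432: Flags [S], seq 3, win 29200, length 0
12:00:06.000000 IP 192.0.2.10.40002 > 198.51.100.1.65432: Flags [S], seq 3, win 29200, length 0
12:00:08.000000 IP 192.0.2.10.40002 > 198.51.100.1.65432: Flags [S], seq 3, win 29200, length 0
"""

LINE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

def parse(text):
    """Yield (src, sport, dst, dport, flags) for each tcpdump line that matches."""
    for line in text.splitlines():
        m = LINE.search(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3), int(m.group(4)), m.group(5)

def connection_summary(text, client_ip):
    """Per client source port: destination, SYN count and whether a SYN-ACK arrived."""
    summary = {}
    for src, sport, dst, dport, flags in parse(text):
        if src == client_ip and "S" in flags and "." not in flags:  # pure SYN
            entry = summary.setdefault(sport, {"dst": dst, "dport": dport, "syns": 0, "synack": False})
            entry["syns"] += 1
        elif dst == client_ip and flags == "S." and dport in summary:  # SYN-ACK back
            summary[dport]["synack"] = True
    return summary

def diagnose(text, client_ip, expected_server):
    """Return one human-readable finding per connection attempt the client made."""
    findings = []
    for sport, e in sorted(connection_summary(text, client_ip).items()):
        if e["dst"] != expected_server:
            findings.append(f"port {sport}: SYN sent to {e['dst']}, expected {expected_server} (typo?)")
        elif not e["synack"]:
            findings.append(f"port {sport}: {e['syns']} SYN(s) to {e['dst']}:{e['dport']}, no SYN-ACK (filtered?)")
        else:
            findings.append(f"port {sport}: handshake with {e['dst']}:{e['dport']} completed")
    return findings
```

Run it against a capture taken on the affected client with the server's real address as `expected_server`; the telnet attempt should report a completed handshake and the ssh attempt will show either the wrong destination or unanswered SYNs.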

----------

## NeddySeagoon

nixscripter,

It's worth a wry smile.

My email server (which uses qmail and spamdyke) began rejecting invoices from my VPS provider because of a typo. The messages were bounced for not coming from a mail server having a rDNS set. Luckily it wasn't my typo.

----------

