# Can't SSH Home From Certain Servers

## maltheus

I'm trying to SSH into home from work. It prompts me to accept the RSA fingerprint (proving that it's at least sort of getting through the firewall), but then it hangs, without prompting me for the password. This eventually leads to a "Connection reset by peer." I do have UseDNS set to no. The strange thing though, is that out of dozens of attempts today, I did make it through once, by using the "PasswordAuthentication=password" option. But I was unable to repeat that stroke of luck.

Here's my sshd_config:

```
Port 9052
ServerKeyBits 2048
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 60
PermitRootLogin no
RSAAuthentication no
PubkeyAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
Compression yes
KeepAlive yes
ClientAliveInterval 30
ClientAliveCountMax 4
Protocol 2
UsePAM yes
UseDNS no
Subsystem       sftp    /usr/lib64/misc/sftp-server
```

Here's the debug from the server:

```
Nov  5 13:05:06 homeserver sshd[14689]: debug3: fd 5 is not O_NONBLOCK
Nov  5 13:05:06 homeserver sshd[17421]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Nov  5 13:05:06 homeserver sshd[14689]: debug1: Forked child 17421.
Nov  5 13:05:06 homeserver sshd[14689]: debug3: send_rexec_state: entering fd = 8 config len 507
Nov  5 13:05:06 homeserver sshd[14689]: debug3: ssh_msg_send: type 0
Nov  5 13:05:06 homeserver sshd[14689]: debug3: send_rexec_state: done
Nov  5 13:05:06 homeserver sshd[17421]: debug1: inetd sockets after dupping: 3, 3
Nov  5 13:05:06 homeserver sshd[17421]: Connection from 199.82.149.201 port 38632
Nov  5 13:05:06 homeserver sshd[17421]: debug1: Client protocol version 2.0; client software version OpenSSH_5.2
Nov  5 13:05:06 homeserver sshd[17421]: debug1: match: OpenSSH_5.2 pat OpenSSH*
Nov  5 13:05:06 homeserver sshd[17421]: debug1: Enabling compatibility mode for protocol 2.0
Nov  5 13:05:06 homeserver sshd[17421]: debug1: Local version string SSH-2.0-OpenSSH_5.2
Nov  5 13:05:06 homeserver sshd[17421]: debug2: fd 3 setting O_NONBLOCK
Nov  5 13:05:06 homeserver sshd[17421]: debug2: Network child is on pid 17422
Nov  5 13:05:06 homeserver sshd[17421]: debug3: preauth child monitor started
Nov  5 13:05:06 homeserver sshd[17421]: debug3: mm_request_receive entering
Nov  5 13:05:06 homeserver sshd[17421]: debug3: monitor_read: checking request 0
Nov  5 13:05:06 homeserver sshd[17421]: debug3: mm_answer_moduli: got parameters: 1024 1024 8192
Nov  5 13:05:06 homeserver sshd[17421]: debug3: mm_request_send entering: type 1
Nov  5 13:05:06 homeserver sshd[17421]: debug2: monitor_read: 0 used once, disabling now
Nov  5 13:05:06 homeserver sshd[17421]: debug3: mm_request_receive entering
Nov  5 13:05:06 homeserver sshd[17421]: debug3: monitor_read: checking request 4
Nov  5 13:05:06 homeserver sshd[17421]: debug3: mm_answer_sign
Nov  5 13:05:06 homeserver sshd[17421]: debug3: mm_answer_sign: signature 0x67d9f0(271)
Nov  5 13:05:06 homeserver sshd[17421]: debug3: mm_request_send entering: type 5
Nov  5 13:05:06 homeserver sshd[17421]: debug2: monitor_read: 4 used once, disabling now
Nov  5 13:05:06 homeserver sshd[17421]: debug3: mm_request_receive entering
```

Here's the debug from the client:

```
OpenSSH_5.2p1, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 111.22.33.44 [111.22.33.44] port 21.
debug1: Connection established.
debug1: identity file /home/myusername/.ssh/identity type -1
debug1: identity file /home/myusername/.ssh/id_rsa type -1
debug1: identity file /home/myusername/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
debug1: match: OpenSSH_5.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 133/256
debug2: bits set: 489/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug3: put_host_port: [111.22.33.44]:21
debug3: put_host_port: [111.22.33.44]:21
debug3: check_host_in_hostfile: filename /home/myusername/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug3: check_host_in_hostfile: filename /home/myusername/.ssh/known_hosts
debug3: check_host_in_hostfile: match line 2
debug1: Host '[111.22.33.44]:21' is known and matches the RSA host key.
debug1: Found key in /home/myusername/.ssh/known_hosts:2
debug2: bits set: 510/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
Read from socket failed: Connection reset by peer
```

Sometimes it only makes it as far as "expecting SSH2_MSG_KEX_DH_GEX_REPLY." The reason for port 21 up above is that it seems to be the only port that comcast will let me ssh in from my work place. From other outside servers, I can also make it through on ports 20, 22, 80 and 443 (and have no problem SSHing in). I suspect my workplace firewall is causing some issues, but I can ssh into other external boxes, so it seems to be a synergistic clusterfuck with comcast. I'm using a Linksys WRT54GL router with Tomato installed, but I only went that route after being unable to do this with my other Netgear router (w/vanilla firmware). And yes, I'm forwarding port 21 to 9052 on my server (which is what I'm running ssh on). I've also tried deleting my known_hosts file as well.

Does anyone have any ideas? Unfortunately, I can only try so much each day as I have no way of SSHing into work from home either. There has to be some way to do this if I managed to make it through once. Thanks!

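The debug output above shows the connection surviving the version exchange and key exchange and dying right after the first encrypted packet (`SSH2_MSG_SERVICE_REQUEST`), or sometimes earlier while waiting for `SSH2_MSG_KEX_DH_GEX_REPLY`. When `ssh -vvv` from the client is the only tool available, it helps to separate the stages a middlebox can break: TCP connect, the plaintext `SSH-2.0-...` version line, and everything after it. The probe below is an added example written for this thread, not code from the original post or from OpenSSH. It speaks just enough of the SSH transport to classify where a path fails (never connects, connects but no banner, banner then hang, banner then reset) and ships with a constructed in-process fake peer, not a real sshd, so it can be exercised offline. The host, port and the `SSH-2.0-OpenSSH_5.2` banner strings are taken from the thread; the stage names are this example's own.

```python
"""Probe an SSH endpoint and report how far the pre-auth exchange gets.

Added example for the thread above, not OpenSSH code. It performs the
first steps a real client does (TCP connect, read the server's version
line, send ours, wait for the first byte of the server's next packet)
and names the stage at which the path breaks.
"""
import socket
import struct
import sys
import threading

CLIENT_BANNER = b"SSH-2.0-OpenSSH_5.2\r\n"   # same client version as in the thread


def probe_ssh(host, port, timeout=5.0):
    """Return {'stage': ..., 'server_banner': ..., 'detail': ...}.

    stage is one of:
      connect_failed      TCP handshake never completed (port filtered/closed)
      no_banner           connected, but no SSH version line within timeout
      not_ssh             something answered, but not an SSH banner
      hang_after_banner   banner seen, then silence after we sent ours
      reset_after_banner  banner seen, then the peer reset/closed on us
      banner_ok           banner seen and the peer kept talking (KEX follows)
    """
    result = {"stage": None, "server_banner": None, "detail": ""}
    try:
        s = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        result.update(stage="connect_failed", detail=str(e))
        return result
    with s:
        s.settimeout(timeout)
        try:
            line = _read_line(s)
        except socket.timeout:
            result.update(stage="no_banner")
            return result
        except OSError as e:
            result.update(stage="no_banner", detail=str(e))
            return result
        if not line.startswith(b"SSH-"):
            result.update(stage="not_ssh", detail=line[:64].decode("latin-1"))
            return result
        result["server_banner"] = line.strip().decode("latin-1")
        try:
            s.sendall(CLIENT_BANNER)
            nxt = s.recv(1)        # first byte of server KEXINIT, or EOF on close
        except socket.timeout:     # must be caught before OSError (it is a subclass)
            result.update(stage="hang_after_banner")
            return result
        except OSError as e:       # ECONNRESET and friends
            result.update(stage="reset_after_banner", detail=str(e))
            return result
        result.update(stage="reset_after_banner" if nxt == b"" else "banner_ok",
                      detail="EOF" if nxt == b"" else "")
        return result


def _read_line(sock, limit=255):
    """Read one CRLF/LF-terminated line byte by byte (SSH banner is <= 255 bytes)."""
    buf = b""
    while not buf.endswith(b"\n") and len(buf) < limit:
        c = sock.recv(1)
        if c == b"":
            raise OSError("EOF before banner")
        buf += c
    return buf


def start_fake_peer(behaviour):
    """Constructed test peer (NOT a real sshd) on 127.0.0.1; returns its port.

    behaviour 'reset': send banner, read the client's, then close with RST,
    which mimics the 'Connection reset by peer' seen in the thread.
    behaviour 'ok':    send banner, read the client's, then send the start of
    the next packet, i.e. what a healthy sshd does before KEX.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(b"SSH-2.0-OpenSSH_5.2\r\n")
            _read_line(conn)                       # wait for the client's version line
            if behaviour == "reset":
                # SO_LINGER with a zero timeout makes close() emit RST, not FIN
                conn.setsockopt(socket.SOL_SOCKET, socket.SO_LINGER,
                                struct.pack("ii", 1, 0))
            else:
                conn.sendall(b"\x00\x00\x05\xdc")  # packet length field of a KEXINIT
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_local_port():
    """Pick a port nothing listens on, for the connect_failed case."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    # usage: python probe.py 111.22.33.44 21   (host/port placeholders from the thread)
    print(probe_ssh(sys.argv[1], int(sys.argv[2])))
```

Reading the result against the thread: `connect_failed` or `no_banner` on a port means the work firewall or proxy never passes the TCP stream to the home sshd at all (the ports other than 21 in the post). `banner_ok` only proves the plaintext version exchange gets through, which is exactly as far as the post's "I get the fingerprint prompt" observation; a reset after `SSH2_MSG_NEWKEYS` is beyond what this probe sees and points at something on the path that inspects payload once it stops looking like the protocol it expects on that port. Since the working path here is port 21, one thing worth ruling out is an FTP application-layer gateway or conntrack helper on the work proxy or the home router treating the encrypted SSH stream as FTP.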
----------

## cach0rr0

I have nothing to add to this really, other than to say I use Comcast, and they are NOT blocking port 22.

Indeed I would look very carefully at your work firewall as a culprit - could well be the case they're attempting to do some level of content filtering.

----------

## maltheus

Well yes, I can SSH home on port 22 from any other outside server (even through a firewall on my last job) and I can SSH into other external servers from work without any problem. They do indeed have some kind of proxy set up that's been a pain in the butt for me (don't know the settings, can only get the browser to auto-detect). But I am getting as far as receiving the fingerprint and I was able to get through once today for some odd reason. So I was hoping that indicates that it's possible to get through consistently with the right combination of settings.

----------

## qubix

Have you tried putting your SSH server at home on port 443? It solves most strange port blocking/routing problems. There's even NTLMAPS for people that would like to use M$ ISA to use SSH over 443.

----------

## maltheus

Yes, I've tried port 443 (and many others). But for some reason, only port 21 gets me as far as producing the SSH fingerprint.

----------

## depontius

Whaddya know!  I can't ssh in, either.  I'm also on Comcast.

I run an OpenVPN endpoint on my home system, and normally use that to get into my home systems from outside. I also have ssh set up, but it's double-filtered and tcp-wrapped so I can only get in from one of my employer's networks. (Double-filtered: filtered at my appliance firewall and at my Linux server/router.)

I don't try the direct ssh path, so I hadn't noticed that anything was wrong.

----------

