ssh question

Dazed_75 lthielster at gmail.com
Sat Jun 18 11:23:14 MST 2011


On Sat, Jun 18, 2011 at 8:00 AM, Lisa Kachold <lisakachold at obnosis.com> wrote:

>
>
> On Sat, Jun 18, 2011 at 12:30 AM, Dazed_75 <lthielster at gmail.com> wrote:
>
>> Mike,
>> The netstat lines I think you wanted to see are:
>> tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
>> tcp6       0      0 :::22                   :::*                    LISTEN
>>
>> Yes, ssh localhost works on all machines including lapdog2.  Not sure that
>> proves anything as the only problem is ssh TO lapdog2 from any other
>> machine.
>>
>> stop is not a valid argument to iptables and selinux is not in play.
>>
>> Steve,
>> Nothing in the host files.
>>
>> Lisa,
>> Name resolution is done by dnsmasq in the router for hosts on the LAN.
>> Although nsswitch.conf shows files before dns, there is nothing in any of
>> the host files or in resolv.conf.  No dynamic dns is in use for anything on
>> the network.
>>
>> Had you read the posts and replies, you would have seen there was no IP
>> error.  It was an error between the keyboard and my chair.
>>
>
> Whoa little buddy!  What a terse response.  Generally when someone assists
> you, it's very poor form to accuse them of not reading your message.
>
> I read a confused message indicating that your lapdog2 machine had changed
> dynamic IP and now you could no longer ssh to it.  I did not see what
> message you received (timeout?) that indicates the issue.  Specifics are
> very important in linux/unix/os x troubleshooting!  What message was that?
>
>

The second message in this thread stated that there was no wrong IP being
used.  I stated that my observation of the wrong IP was because I forgot that
terminal was logged into a remote machine.


>
> 0) When you do a:
>
> # ping lapdog2
>
> Are you using the "new" address?
>
> If not you are using a cache.
>

The fifth message in the thread states that a ping of lapdog2 by name works
properly.

>
> 1) When you do a:
>
> # nmap lapdog2
>

larry at fogtest:~$ sudo nmap lapdog2
Starting Nmap 5.00 ( http://nmap.org ) at 2011-06-18 10:21 MST
All 1000 scanned ports on lapdog2 (192.168.2.124) are filtered
MAC Address: xx:xx:xx:xx:xx:xx (Quanta Computer) <------ I removed the real mac addr
Nmap done: 1 IP address (1 host up) scanned in 21.56 seconds

Since I am not sure what filtered means, this could be the issue I suppose.
BTW, I am at Eric's server install workshop so I enabled UFW, which was not
enabled at home.

>
> Can you see that port 22 is open?
>

Don't really know how to tell.  Sorry.  Note in my previous message that
port 22 was being LISTENed to.


> Can you ssh via IP address?
>

No, I did try.  As previously noted, none of the systems was ever using the
wrong IP.

>
> 2) Did you verify if you have strict host checking on
> [/etc/ssh/sshd_config] or a key in your $HOME/.ssh/known_hosts file?
>

Strictmodes yes in /etc/ssh/sshd_config
$HOME/.ssh/known_hosts seems to have 5 listed hosts but I have no way to
know what host each is for.  No host names are in clear text.

>
> You can delete that key in the known_hosts file.  Edit it and search
> forward for machine name lapdog2 then delete the whole line.  Be sure to
> copy the file to backup before you do so, just in case.
>

Cannot do this since no host names are in clear text.

>
> 3) Take Stephen's advice and enter a hosts entry just to see what happens
> [and to rule out/verify the sshd_config strict host checking (which
> certainly was also a factor)]?  Since your /etc/nsswitch.conf says files then
> dns, you will use the host file FIRST.
>

Which means that with no entry in the hosts file, it will always use dns, which
is always resolving correctly.  Since I don't know what strict host checking
means, I may be missing your point.

>
> 4) You can also setup manual DNS for all your machines, using an /etc/hosts
> file to provide name to ip resolution inside so this won't happen every time
> you get a new dynamic dns address.
>

Again, name/ip resolution is not a problem and is always working correctly.
BTW, here is an attempt from today:
larry at fogtest:~$ ssh -v lapdog2
OpenSSH_5.3p1 Debian-3ubuntu6, OpenSSL 0.9.8k 25 Mar 2009
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to lapdog2 [192.168.2.124] port 22.
debug1: connect to address 192.168.2.124 port 22: Connection timed out
ssh: connect to host lapdog2 port 22: Connection timed out
larry at fogtest:~$ ping -c 3 lapdog2
PING lapdog2 (192.168.2.124) 56(84) bytes of data.
64 bytes from lapdog2 (192.168.2.124): icmp_seq=1 ttl=64 time=0.587 ms
64 bytes from lapdog2 (192.168.2.124): icmp_seq=2 ttl=64 time=0.856 ms
64 bytes from lapdog2 (192.168.2.124): icmp_seq=3 ttl=64 time=0.996 ms

--- lapdog2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.587/0.813/0.996/0.169 ms
larry at fogtest:~$

Clearly the issue seems to be what is blocking communication to port 22 even
though sshd is listening on it, iptables seems to allow it and ufw was
disabled yesterday and being enabled today seems to change nothing.

>
> This is basic networking, basic ssh and basic host resolution.  I suggest
> you give a presentation (so you can learn yourself) on these subjects.
>
>>
>>
>>
>> On Fri, Jun 17, 2011 at 10:04 AM, Stephen <cryptworks at gmail.com> wrote:
>>
>>> Gonna toss out an obvious one: was there a hosts entry?
>>> On Jun 17, 2011 8:49 AM, "Dazed_75" <lthielster at gmail.com> wrote:
>>> > These machines are all gigabit ethernet and connected to the same
>>> gigabit
>>> > switch with little network traffic at the time of these attempts.
>>> >
>>> > On Fri, Jun 17, 2011 at 6:23 AM, Joseph Sinclair
>>> > <plug-discussion at stcaz.net> wrote:
>>> >
>>> >> A connection timed out usually occurs due to:
>>> >> 1) The ip address has no host (ping the same IP address, then use
>>> telnet to
>>> >> connect to port 22)
>>> >>
>>> >
>>> > I realized after sending the message I should have included the
>>> successful
>>> > ping of lapdog2 which was done by name. Telnet also fails.
>>> >
>>> >> 2) tcp wrappers is dropping the connection (check /etc/hosts.allow and
>>> >> /etc/hosts.deny on lapdog3)
>>> >>
>>> >
>>> > Nothing but comments in either file.
>>> >
>>> >
>>> >> 3) the firewall on lapdog3 is dropping the connection (check the
>>> firewall
>>> >> configuration on lapdog3 via iptables-save or ufw status)
>>> >>
>>> >
>>> > ufw status was inactive at that time. As far as I can tell this
>>> morning,
>>> > iptables says nothing about port 22 or ssh though last night I could
>>> have
>>> > sworn it did and said to accept. In any case, I get the same result
>>> this
>>> > morning though I am on a different machine trying to ssh to lapdog2.
>>> >
>>> >
>>> >> 4) SSHD is not on port 22 or dropping connections (check sshd
>>> configuration
>>> >> on lapdog3)
>>> >>
>>> >
>>> > It is using port 22. I do not know how to check for dropping
>>> > connections. I did check syslog and dmesg/messages. NOTE: lapdog2 is able
>>> > to ssh to this machine but then ssh'ing back to lapdog2 gives the same
>>> > results as doing it directly on this machine.
>>> >
>>> >
>>> >>
>>> >> On 06/17/2011 02:14 AM, Dazed_75 wrote:
>>> >> > Ignore the original question. I checked lapdog2's IP in a terminal
>>> that
>>> >> was
>>> >> > logged into a different machine. The ssh was using the right IP but
>>> >> getting
>>> >> > this result and I cannot figure out why:
>>> >> >
>>> >> > larry at hammerhead:~$ ssh -v lapdog2
>>> >> >> OpenSSH_5.8p1 Debian-1ubuntu3, OpenSSL 0.9.8o 01 Jun 2010
>>> >> >> debug1: Reading configuration data /etc/ssh/ssh_config
>>> >> >> debug1: Applying options for *
>>> >> >> debug1: Connecting to lapdog2 [192.168.2.124] port 22.
>>> >> >> debug1: connect to address 192.168.2.124 port 22: Connection timed out
>>> >> >> ssh: connect to host lapdog2 port 22: Connection timed out
>>> >> >> larry at hammerhead:~$
>>> >> >>
>>> >> >
>>> >> >
>>> >> > On Fri, Jun 17, 2011 at 2:00 AM, Dazed_75 <lthielster at gmail.com>
>>> wrote:
>>> >> >
>>> >> >> I tried to ssh from this machine to my laptop (ssh lapdog3) and find
>>> >> >> that ssh is somehow using an old IP instead of doing name resolution on
>>> >> >> the name lapdog2 which now has a new lease on a different IP.
>>> >> >>
>>> >> >> 1) How do I fix this?
>>> >> >> 2) Why does ssh use an old, apparently, stored IP?
>>> >> >>
>>> >> >> --
>>> >> >> Dazed_75 a.k.a. Larry
>>> >> >>
>>> >> >> The spirit of resistance to government is so valuable on certain
>>> >> occasions,
>>> >> >> that I wish it always to be kept alive.
>>> >> >> - Thomas Jefferson
>>> >> >>
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >> >
>>> >> > ---------------------------------------------------
>>> >> > PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
>>> >> > To subscribe, unsubscribe, or to change your mail settings:
>>> >> > http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>>> >>
>>> >>
>>> >
>>> >
>>> >
>>> > --
>>> > Dazed_75 a.k.a. Larry
>>> >
>>> > The spirit of resistance to government is so valuable on certain
>>> occasions,
>>> > that I wish it always to be kept alive.
>>> > - Thomas Jefferson
>>>
>>
>>
>>
>> --
>> Dazed_75 a.k.a. Larry
>>
>> The spirit of resistance to government is so valuable on certain
>> occasions, that I wish it always to be kept alive.
>>   - Thomas Jefferson
>>
>
>
>
> --
> (602) 791-8002  Android
> (623) 239-3392 Skype
> (623) 688-3392 Google Voice
> **
> HomeSmartInternational.com <http://www.homesmartinternational.com>
>



-- 
Dazed_75 a.k.a. Larry

The spirit of resistance to government is so valuable on certain occasions,
that I wish it always to be kept alive.
  - Thomas Jefferson
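Editor's added example (not code from anyone in this thread). The whole
thread turns on one distinction that the replies never spell out: ssh -v
reporting "Connection timed out", and nmap reporting every port as "filtered",
both mean the SYN to 192.168.2.124:22 got no answer at all, neither SYN-ACK nor
RST. A daemon that is LISTENing on 0.0.0.0:22, tcp wrappers, sshd_config and
known_hosts all act after the TCP handshake, so none of them can produce a
timeout; only something dropping packets (iptables/ufw on the target, or
something in the path) can. The small probe below reproduces that
classification so the three outcomes can be told apart from any client. The
loopback demo is constructed and only exercises the open and closed cases; the
hostname lapdog2 and the port are taken from the thread, everything else is
assumed.

```python
import socket

# States use nmap's vocabulary so its output and this probe can be compared.
OPEN, CLOSED, FILTERED = "open", "closed", "filtered"

NEXT_STEP = {
    OPEN: "TCP reaches the daemon: look at sshd and auth.log on the target, "
          "not at the network.",
    CLOSED: "Target answered with RST: it is reachable and the SYN got through, "
            "but nothing listens on that port (wrong port, or sshd bound to "
            "another address).",
    FILTERED: "No SYN-ACK and no RST: something in the path or on the target "
              "drops the SYN. On the target run iptables -S, ufw status verbose "
              "and tcpdump -ni any port 22 to see whether the SYN even arrives; "
              "sshd, tcp wrappers and known_hosts never see the packet.",
}


def probe_tcp(host, port, timeout=3.0):
    """One TCP connect, classified.

    ssh -v's "Connection timed out" corresponds to FILTERED here and
    "Connection refused" to CLOSED.  Only FILTERED is consistent with a
    daemon that LISTENs on 0.0.0.0:22 yet is unreachable from other hosts.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return OPEN
        except socket.timeout:
            return FILTERED
        except ConnectionRefusedError:
            return CLOSED
        except OSError as exc:
            # EHOSTUNREACH / ENETUNREACH / name lookup failure: a routing or
            # resolution problem, not a firewall; fix that before probing again.
            return "unreachable (%s)" % (exc.strerror or exc)


def classify_ssh_error(line):
    """Map the final 'ssh: connect to host ...' line of ssh -v to a state."""
    if "Connection timed out" in line:
        return FILTERED
    if "Connection refused" in line:
        return CLOSED
    return "unknown"


def diagnose(host, port=22, timeout=3.0):
    """Return (state, next step) for host:port."""
    state = probe_tcp(host, port, timeout)
    return state, NEXT_STEP.get(state, "Fix routing or resolution first, then probe again.")


def demo_against_loopback():
    """Constructed demonstration that needs no remote host: one listening
    port and one closed port on 127.0.0.1 show OPEN and CLOSED side by side."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()  # nothing listens there now, so a connect gets RST
    try:
        return {"listening": probe_tcp("127.0.0.1", open_port),
                "closed": probe_tcp("127.0.0.1", closed_port)}
    finally:
        listener.close()


if __name__ == "__main__":
    import sys
    # Hostname from the thread; it resolves only on that LAN, so pass your own.
    target = sys.argv[1] if len(sys.argv) > 1 else "lapdog2"
    print(demo_against_loopback())
    print(diagnose(target))
```

Run it from fogtest with "python3 probe.py lapdog2": a FILTERED result there,
together with "ssh localhost" working on lapdog2 itself, points squarely at a
packet filter on lapdog2 (a default-deny ufw policy without an "allow 22/tcp"
rule behaves exactly like this), not at name resolution or at sshd.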
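Editor's added example (not code from anyone in this thread). Larry could not
find lapdog2 in ~/.ssh/known_hosts because the Ubuntu client default
"HashKnownHosts yes" writes each host field as |1|base64(salt)|base64(hmac)
where the hmac is HMAC-SHA1 keyed with the 20-byte salt over the hostname (or
the IP, which gets its own line). That is deliberate: a stolen known_hosts file
should not be a list of machines you log in to. The usual way to find or drop
such a line is "ssh-keygen -F lapdog2" and "ssh-keygen -R lapdog2"; the code
below implements the same lookup so the format is clear. Note that this would
not have fixed the problem here anyway: a TCP timeout happens before the host
key is ever exchanged, so a stale known_hosts entry can only produce a key
mismatch warning, never a timeout. The sample file, its fixed salt and the key
material are constructed; OpenSSH draws a fresh random salt per line.

```python
import base64
import hashlib
import hmac
import os

HASH_MAGIC = "|1|"   # OpenSSH's marker for a hashed host field


def hash_hostname(hostname, salt=None):
    """Build the host field HashKnownHosts writes:
    |1|base64(salt)|base64(HMAC-SHA1(key=salt, msg=hostname)).
    OpenSSH draws 20 random salt bytes; a fixed salt is only for tests."""
    if salt is None:
        salt = os.urandom(20)
    digest = hmac.new(salt, hostname.encode(), hashlib.sha1).digest()
    return "%s%s|%s" % (HASH_MAGIC,
                        base64.b64encode(salt).decode(),
                        base64.b64encode(digest).decode())


def host_field_matches(field, hostname):
    """True if a known_hosts host field (plain name, comma list, or hashed)
    covers hostname.  Non-default ports are stored as [host]:port and must
    be looked up in that form."""
    if not field.startswith(HASH_MAGIC):
        return hostname in field.split(",")
    try:
        _, _, salt_b64, hash_b64 = field.split("|", 3)
        salt = base64.b64decode(salt_b64)
    except ValueError:          # malformed field, e.g. missing hash part
        return False
    expected = base64.b64encode(
        hmac.new(salt, hostname.encode(), hashlib.sha1).digest()).decode()
    return hmac.compare_digest(expected, hash_b64)


def _host_field(line):
    """Host field of one known_hosts line, or None for blanks and comments."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    if fields[0].startswith("@"):      # @cert-authority / @revoked marker
        fields = fields[1:]
    return fields[0] if len(fields) >= 3 else None


def find_entries(known_hosts_text, hostname):
    """(line number, line) for every matching line, like ssh-keygen -F."""
    return [(n, line) for n, line in enumerate(known_hosts_text.splitlines(), 1)
            if _host_field(line) is not None
            and host_field_matches(_host_field(line), hostname)]


def remove_entries(known_hosts_text, hostname):
    """The file with matching lines dropped, like ssh-keygen -R.  Write the
    result to a new file and keep the original, as the thread advises."""
    kept = [line for line in known_hosts_text.splitlines()
            if _host_field(line) is None
            or not host_field_matches(_host_field(line), hostname)]
    return "\n".join(kept) + "\n"


# Constructed sample: fixed salt and a fake key so the file is reproducible.
_SALT = bytes(range(20))
_FAKE_KEY = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQConstructedNotARealKey"
SAMPLE_KNOWN_HOSTS = "\n".join([
    "# constructed sample, not a real ~/.ssh/known_hosts",
    "hammerhead,192.168.2.10 " + _FAKE_KEY,                   # plain entry
    hash_hostname("lapdog2", _SALT) + " " + _FAKE_KEY,        # hashed name
    hash_hostname("192.168.2.124", _SALT) + " " + _FAKE_KEY,  # its address, hashed separately
    hash_hostname("lapdog3", _SALT) + " " + _FAKE_KEY,
]) + "\n"

if __name__ == "__main__":
    for name in ("lapdog2", "192.168.2.124", "fogtest"):
        print(name, "->", [n for n, _ in find_entries(SAMPLE_KNOWN_HOSTS, name)])
```

Because the hash is keyed with a per-line salt, there is no way to list the
hostnames in a hashed file; you can only test a guess, which is the whole point
of the feature. When a host really does get a new address, expect at most a
"REMOTE HOST IDENTIFICATION HAS CHANGED" warning from the IP line, not a
connect timeout.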