
Re: no scp or ftp



Hrm...  If I'm understanding you right, this isn't a firewall issue at
all, since you can connect via ssh.  scp and sftp don't use new ports --
in fact, they use the same port as ssh. (This is assuming that you are
talking about sftp, and not plain ftp which is a beast of a different
color.  ftp in normal mode requires bi-directional communications and is
all-round nasty from a security point of view.)

For this email, we'll have two machines. Call the machine that you are
initiating the scp/sftp session *from* the "source machine". In the same
vein, call the machine that you are connecting *to* the "target
machine".

First question, assuming scp/sftp is broken completely:  Can you ssh
from the target machine to itself?  (127.0.0.1 on the target machine.)
If not, this suggests something broken with your firewall config.

Second question is, assuming scp/sftp is broken completely:  Can you
scp/sftp from the target machine to itself?  If you can't, then this
suggests that the scp and/or sftp protocols are not turned on in the ssh
config file.

If both of the first two items work, then are you really asking about how
to configure it so that scp uses a public/private key pair for
authentication?  (So that you can either configure secure no-password
connections or use "ssh-add" to prevent you from having to type your
password a million times.)

In that case, the recipe is:  do "ssh-keygen -t rsa -b 4096" on the
source machine, place the contents of the resulting id_rsa.pub on the
target machine in the file called "~/.ssh/authorized_keys".  Make sure
that /etc/ssh*/sshd_config has the line "RSAAuthentication yes" in it.
Voila.

HTH,
-Ian
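To make the two points above concrete (scp/sftp ride on the same TCP/22 rule that already lets the ssh login through, whereas an FTP data connection is only accepted once the connection-tracking helper marks it RELATED), here is a small evaluator that walks the ruleset quoted further down in the thread. This is an added example, not code from either mail: the rules are a constructed copy of the posted ones, the conntrack model is deliberately simplified (each packet carries the state conntrack would have assigned it, and the high port 49152 for the FTP data channel is an assumed value), and the helper module names are the standard ip_conntrack_ftp / nf_conntrack_ftp.

```python
"""Toy walker for the INPUT ruleset posted in the thread (added example).

Conntrack is modelled crudely: a packet carries the state conntrack would
have given it, and the FTP data connection is RELATED only when the ftp
helper (ip_conntrack_ftp on 2.4/2.6 kernels, nf_conntrack_ftp later) is
loaded.  Real kernels track far more than this; the point is the rule walk.
"""
import shlex
from dataclasses import dataclass

# Constructed copy of the rules posted in the thread.
POSTED_RULES = """
iptables -N allowed
iptables -A allowed -j ACCEPT
iptables -A INPUT -p TCP --dport 22 -j allowed
iptables -A INPUT -p TCP --dport 21 -j allowed
iptables -A INPUT -p UDP --dport 68 -j allowed
iptables -A INPUT -m state --state RELATED -j allowed
iptables -A INPUT -m state --state ESTABLISHED -j allowed
iptables -A INPUT -j DROP
"""


@dataclass
class Packet:
    proto: str   # "TCP" or "UDP"
    dport: int
    state: str   # "NEW", "ESTABLISHED" or "RELATED", as conntrack would classify it


def parse_rules(text):
    """Return {chain: [rule, ...]} from 'iptables -N/-A ...' lines (subset of options)."""
    chains = {}
    for line in text.strip().splitlines():
        argv = shlex.split(line)[1:]           # drop the leading 'iptables'
        if argv[0] == "-N":                    # new user-defined chain
            chains.setdefault(argv[1], [])
            continue
        assert argv[0] == "-A", f"only -N and -A are modelled, got {argv[0]!r}"
        rule = {"proto": None, "dport": None, "states": None, "target": None}
        i = 2
        while i < len(argv):
            opt = argv[i]
            if opt == "-p":
                rule["proto"] = argv[i + 1].upper()
            elif opt == "--dport":
                rule["dport"] = int(argv[i + 1])
            elif opt == "-m":
                pass                           # match extension name, e.g. 'state'
            elif opt == "--state":
                rule["states"] = set(argv[i + 1].split(","))
            elif opt == "-j":
                rule["target"] = argv[i + 1]
            else:
                raise ValueError(f"unsupported option {opt!r}")
            i += 2
        chains.setdefault(argv[1], []).append(rule)
    return chains


def matches(rule, pkt):
    """A rule matches when every criterion it specifies agrees with the packet."""
    if rule["proto"] is not None and rule["proto"] != pkt.proto:
        return False
    if rule["dport"] is not None and rule["dport"] != pkt.dport:
        return False
    if rule["states"] is not None and pkt.state not in rule["states"]:
        return False
    return True


def verdict(chains, pkt, chain="INPUT"):
    """Walk a chain as netfilter does: the first terminating target wins.

    A user-defined chain that falls off its end returns None, which sends
    the walk back to the calling chain; falling off a built-in chain yields
    "POLICY" (the chain's default policy, which the posted rules never set)."""
    for rule in chains[chain]:
        if not matches(rule, pkt):
            continue
        target = rule["target"]
        if target in ("ACCEPT", "DROP", "REJECT"):
            return target
        if target == "RETURN":
            return None
        sub = verdict(chains, pkt, target)     # jump into a user-defined chain
        if sub is not None:
            return sub
    return None if chain not in ("INPUT", "OUTPUT", "FORWARD") else "POLICY"


def ftp_data_packet(helper_loaded):
    """Inbound SYN for a passive-mode FTP data connection to an assumed high port.

    With the ftp helper loaded, conntrack has read the PASV reply on the
    control channel and classifies this connection RELATED; without it the
    same SYN is just a NEW connection to a port no rule mentions."""
    return Packet("TCP", 49152, "RELATED" if helper_loaded else "NEW")


def run():
    chains = parse_rules(POSTED_RULES)
    return {
        "ssh login (new TCP/22)":   verdict(chains, Packet("TCP", 22, "NEW")),
        "scp / sftp (new TCP/22)":  verdict(chains, Packet("TCP", 22, "NEW")),
        "ftp control (new TCP/21)": verdict(chains, Packet("TCP", 21, "NEW")),
        "ftp data, no helper":      verdict(chains, ftp_data_packet(False)),
        "ftp data, helper loaded":  verdict(chains, ftp_data_packet(True)),
    }


if __name__ == "__main__":
    for label, result in run().items():
        print(f"{label:28s} -> {result}")
```

Two things the walk makes visible. First, scp and sftp hit exactly the same `--dport 22` rule as the interactive login, so if ssh works and scp does not, the ruleset is not what is blocking it. Second, the `allowed` chain consists of an unconditional ACCEPT, so every `-j allowed` behaves like `-j ACCEPT`; the FTP data channel is accepted only through the RELATED rule, and that rule only fires when the ftp conntrack helper has seen the control-channel exchange.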

On Fri, 2005-01-28 at 18:13 +0100, Mark Strasheim wrote:
> Aloha
> 
> I have a single interface and do the following iptables commands.
> Everything works as it should (there are some more services with UDP).
> 
> iptables -N allowed
> iptables -A allowed -j ACCEPT
> iptables -A INPUT -p TCP --dport 22 -j allowed
> iptables -A INPUT -p TCP --dport 21 -j allowed
> iptables -A INPUT -p UDP --dport 68 -j allowed
> iptables -A INPUT -m state --state RELATED -j allowed
> iptables -A INPUT -m state --state ESTABLISHED -j allowed
> iptables -A INPUT -j DROP
> 
> I can also log in via ssh and connect to ftp, but scp and ftp auth don't work.
> I understand that they talk about a new port and that the firewall doesn't see
> the exchange of that data and therefore can't set the state engine to related or established.
> For ftp I loaded the connection tracking module ... (I know it's for nat but I hoped :) ) but it didn't work.
> 
> My question is how I can, with only a few lines, get this to work.
> 
> with regards
> Mark Strasheim
> 


