Re: ssh connection problem, DNS and ~/.ssh/config (long)
Thanks a lot for your answer, elbbit.
On Fri, 25 Feb 2011 07:44:27 +0000, elbbit wrote:
>> /etc/init.d/ssh restart
>
> This method normally includes /etc/ssh/sshd_config when it starts the
> sshd binary. The directive you are looking for in the file is probably
> "PermitRootLogin yes". Adding or changing this entry in the sshd_config
> file will enable you to log in remotely as the root user.
Thanks, I double-checked, and it *is* turned on (on the remote host), as
always:
% grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin yes
>> [1] sudo ssh -C -A -X maroon
>
> FYI, this can also be accomplished as "ssh -l root -CAX maroon" or
> even as "ssh -CAX root@maroon".
Thanks for the tip. I set up and use the sudo ssh mechanism instead because I
also need it for scp and rsync to transfer files that are not readable to
me.
OK, back to the problem. I dug deeper following your tips, using a non-root
user instead, and now it seems to be much more complicated than anything I have
seen before. In the OP I *simplified* my question; now I need to
describe my situation exactly.
In summary,
- I'm using the ~/.ssh/config file for remote host connection
- my sshd is listening on port 21
- remote host is named maroon, and client is named coral
Now the problem in summary,
- using hostname for remote host NOK.
- using ~/.ssh/config file NOK.
Here are the details (long!).
Problem #1, using hostname for remote host NOK
tong@coral:~$ ssh -C -A -X -p 21 -o UserKnownHostsFile=/tmp/32083.tmpf.32124.uknf maroon -v
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/tong/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to maroon [::1] port 21.
debug1: Connection established.
debug1: identity file /home/tong/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/tong/.ssh/id_rsa-cert type -1
debug1: identity file /home/tong/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/tong/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu4
debug1: match: OpenSSH_5.5p1 Debian-4ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[maroon]:21' is known and matches the RSA host key.
debug1: Found key in /tmp/32083.tmpf.32124.uknf:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tong/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: Sending env LANG = C
Linux coral 2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:32:27 UTC 2010 x86_64 GNU/Linux
Ubuntu 10.10
I.e., instead of connecting to the remote host maroon, the ssh session
connected to my local host (coral) instead (using IPv6?). This is so weird; I
have never seen this before. How could it be? DNS name lookup seems to be fine:
tong@coral:~$ dig maroon
; <<>> DiG 9.7.1-P2 <<>> maroon
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19913
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;maroon. IN A
;; ANSWER SECTION:
maroon. 0 IN A 192.168.2.100
;; Query time: 0 msec
;; SERVER: 192.168.2.100#53(192.168.2.100)
;; WHEN: Sat Feb 26 09:22:39 2011
;; MSG SIZE rcvd: 40
tong@coral:~$ ping maroon
PING maroon.my.local.domain (192.168.2.100) 56(84) bytes of data.
64 bytes from maroon.my.local.domain (192.168.2.100): icmp_req=1 ttl=64 time=0.113 ms
64 bytes from maroon.my.local.domain (192.168.2.100): icmp_req=2 ttl=64 time=0.147 ms
^C
tong@coral:~$ grep maroon /etc/hostname | echo no found
no found
Directly using IP instead:
tong@coral:~$ ssh -C -A -X -p 21 -o UserKnownHostsFile=/tmp/32083.tmpf.32124.uknf 192.168.2.100 -v
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/tong/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.2.100 [192.168.2.100] port 21.
debug1: Connection established.
debug1: identity file /home/tong/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/tong/.ssh/id_rsa-cert type -1
debug1: identity file /home/tong/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/tong/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
Failed to add the host to the list of known hosts (/tmp/32083.tmpf.32124.uknf).
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tong/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: Sending env LANG = C
Linux maroon.my.local.domain 2.6.36-grml64 #1 SMP PREEMPT Mon Dec 13 13:16:48 UTC 2010 x86_64
I.e., using the hostname for the remote host is NOK while using the IP directly is OK.
I did a comparison of the above logs:
@@ -4,3 +4,3 @@
debug1: Applying options for *
-debug1: Connecting to maroon [::1] port 21.
+debug1: Connecting to 192.168.2.100 [192.168.2.100] port 21.
debug1: Connection established.
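Review bot: the `-` line resolves `maroon` to `::1`, the IPv6 loopback address, while the `+` line reaches 192.168.2.100, so the two sessions never went to the same machine. `dig maroon` only proves what the DNS server returns; ssh resolves names through the libc resolver, which consults the sources listed in /etc/nsswitch.conf (normally /etc/hosts first, then DNS). Check `getent hosts maroon` and `grep -n maroon /etc/hosts` on coral before suspecting ssh itself. Note also that the `grep maroon /etc/hostname | echo no found` check above prints "no found" whatever grep finds, because echo ignores its standard input, and /etc/hostname is not consulted for name resolution anyway.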
@@ -14,4 +14,4 @@
debug1: identity file /home/tong/.ssh/id_dsa-cert type -1
-debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu4
-debug1: match: OpenSSH_5.5p1 Debian-4ubuntu4 pat OpenSSH*
+debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
+debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
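Review bot: the `-` lines report a remote version string identical to the client's own "SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4" (the Ubuntu build on coral), while the `+` lines show Debian-6. Together with the [::1] address in the first hunk, this is consistent with the hostname session talking to coral's own sshd on port 21 rather than to maroon.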
@@ -26,4 +26,4 @@
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
-debug1: Host '[maroon]:21' is known and matches the RSA host key.
-debug1: Found key in /tmp/32083.tmpf.32124.uknf:1
+debug1: checking without port identifier
+Failed to add the host to the list of known hosts (/tmp/32083.tmpf.32124.uknf).
debug1: ssh_rsa_verify: signature correct
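Review bot: the `-` lines are the security-relevant part: '[maroon]:21' was already present at line 1 of the temporary known-hosts file and its key matched the sshd actually reached (coral, per the uname banner in the last hunk), so host-key verification passed silently although the session landed on the wrong host. That entry must have been recorded by an earlier run that reached the same host key; remove it (ssh-keygen -R '[maroon]:21' -f /tmp/32083.tmpf.32124.uknf) once name resolution is fixed, so that a later mismatch is reported instead of accepted. The `+` line "Failed to add the host to the list of known hosts" means the client could not open that /tmp file for appending; check its owner and mode, since the sudo ssh mechanism mentioned earlier runs ssh as root and a file it created in /tmp may not be writable by tong.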
@@ -48,2 +48,2 @@
debug1: Sending env LANG = C
-Linux coral 2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:32:27 UTC 2010 x86_64 GNU/Linux
+Linux maroon.my.local.domain 2.6.36-grml64 #1 SMP PREEMPT Mon Dec 13 13:16:48 UTC 2010 x86_64
The only key difference is where ssh connected to.
Now problem #2, using ~/.ssh/config file NOK.
tong@coral:~$ ssh -C -A -X -p 21 192.168.2.100 -v
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/tong/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.2.100 [192.168.2.100] port 21.
debug1: Connection established.
debug1: identity file /home/tong/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/tong/.ssh/id_rsa-cert type -1
debug1: identity file /home/tong/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/tong/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: checking without port identifier
The authenticity of host '[192.168.2.100]:21 ([192.168.2.100]:21)' can't be established.
RSA key fingerprint is ff:7e:df:4a:a3:b8:33:e4:14:9c:27:62:f2:0e:cb:62.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '[192.168.2.100]:21' (RSA) to the list of known hosts.
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tong/.ssh/id_rsa
debug1: Server accepts key: pkalg ssh-rsa blen 149
debug1: Enabling compression at level 6.
debug1: Authentication succeeded (publickey).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug1: Requesting X11 forwarding with authentication spoofing.
debug1: Requesting authentication agent forwarding.
debug1: Sending environment.
debug1: Sending env LANG = C
Linux maroon.my.local.domain 2.6.36-grml64 #1 SMP PREEMPT Mon Dec 13 13:16:48 UTC 2010 x86_64
Now,
$ tail -4 ~/.ssh/config
Host mhmi
HostName 192.168.2.100
User tong
IdentityFile /home/tong/.ssh/id_rsa
tong@coral:~$ ssh -C -A -X -p 21 mhmi -v
OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/tong/.ssh/config
debug1: Applying options for mh*
debug1: Applying options for mhmi
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to 192.168.2.100 [192.168.2.100] port 21.
debug1: Connection established.
debug1: identity file /path/to/other/key type -1
debug1: identity file /path/to/other/key-cert type -1
debug1: identity file /home/tong/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: identity file /home/tong/.ssh/id_rsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[192.168.2.100]:21' is known and matches the RSA host key.
debug1: Found key in /home/tong/.ssh/known_hosts:52
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Offering public key: /home/tong/.ssh/id_rsa
debug1: Authentications that can continue: publickey
debug1: Trying private key: /path/to/other/key
debug1: No more authentication methods to try.
Permission denied (publickey).
I.e., with everything seemingly the same to me, using the
~/.ssh/config file is NOK.
Any ideas? Is there any way to troubleshoot the default sshd daemon? (I can still
ssh to the remote host as root using a secondary session.)
As mentioned before, I've still got one ssh connection open to the headless
remote host as root (for configuration & testing); I'm afraid to
reboot or restart my local network connection to iron out the problems.
Thanks
--
Tong (remove underscore(s) to reply)
http://xpt.sourceforge.net/techdocs/
http://xpt.sourceforge.net/tools/
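The config-precedence behaviour visible in the last log ("Applying options for mh*" printed before "Applying options for mhmi", and a key the mhmi block never mentions being tried) follows from two ssh_config(5) rules: for most keywords the first obtained value wins, so an earlier wildcard block cannot be overridden by a later, more specific one, and IdentityFile accumulates across every matching block. The following Python script is an added example, not code from the original post or from OpenSSH; it models those two rules on a constructed config whose `Host mh*` block (and its `User admin` line) is an assumption, since the post only shows the last four lines of the real file.

```python
"""Model of OpenSSH client-config precedence (ssh_config(5)).

Added example for this thread; it is not code from the original post or
from OpenSSH. It implements just enough of the Host-matching and
first-obtained-value-wins rules to show why a 'Host mh*' block that sits
above 'Host mhmi' changes which user and which keys are offered.
"""
import re
from typing import Dict, List, Optional, Tuple

# Keywords whose values accumulate across matching blocks instead of obeying
# "first obtained value wins" (ssh_config(5) documents this for IdentityFile).
# For every other keyword the first matching block that sets it wins.
MULTI_VALUED = {"identityfile"}

# (label of the Host line or None for the implicit top block, patterns, directives)
Block = Tuple[Optional[str], List[str], List[Tuple[str, str]]]


def _pattern_to_regex(pattern: str) -> "re.Pattern[str]":
    # ssh host patterns know only '*' and '?'; everything else is literal.
    parts = [".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern]
    return re.compile("^" + "".join(parts) + "$")


def host_matches(host: str, patterns: List[str]) -> bool:
    """A Host line matches if some pattern matches and no '!' pattern does.

    Matching is case-insensitive here (assumption: ssh lowercases the
    hostname argument before comparing it with the patterns).
    """
    h = host.lower()
    positive = False
    for pat in patterns:
        negate = pat.startswith("!")
        body = pat[1:] if negate else pat
        if _pattern_to_regex(body.lower()).match(h):
            if negate:
                return False
            positive = True
    return positive


def parse_ssh_config(text: str) -> List[Block]:
    """Split a config into blocks; directives before the first Host line
    form an implicit block whose pattern '*' applies to every host."""
    blocks: List[Block] = []
    label, patterns, directives = None, ["*"], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and indentation
        if not line:
            continue
        fields = re.split(r"\s*=\s*|\s+", line, maxsplit=1)   # 'Key value' or 'Key=value'
        key = fields[0].lower()                  # keywords are case-insensitive
        value = fields[1] if len(fields) > 1 else ""
        if key == "host":
            blocks.append((label, patterns, directives))
            label, patterns, directives = value, value.split(), []
        else:
            directives.append((key, value))
    blocks.append((label, patterns, directives))
    return blocks


def applied_blocks(text: str, host: str) -> List[str]:
    """The 'Applying options for ...' labels ssh -v would print, in order."""
    return [lab for lab, pats, _ in parse_ssh_config(text)
            if lab is not None and host_matches(host, pats)]


def resolve(text: str, host: str) -> Dict[str, List[Tuple[str, str]]]:
    """keyword -> [(value, label of the block that supplied it), ...].

    Single-valued keywords get exactly one entry (the first obtained);
    MULTI_VALUED keywords list every value in file order, which is also
    the order ssh loads identity files.
    """
    result: Dict[str, List[Tuple[str, str]]] = {}
    for label, patterns, directives in parse_ssh_config(text):
        if not host_matches(host, patterns):
            continue
        src = label if label is not None else "(top of file)"
        for key, value in directives:
            if key in MULTI_VALUED:
                result.setdefault(key, []).append((value, src))
            elif key not in result:
                result[key] = [(value, src)]
    return result


def shadowed(text: str, host: str) -> List[Tuple[str, str, str, str]]:
    """Values a later block tried to set but lost: (keyword, ignored value,
    block that set it, block whose earlier value won)."""
    seen: Dict[str, str] = {}
    lost = []
    for label, patterns, directives in parse_ssh_config(text):
        if not host_matches(host, patterns):
            continue
        src = label if label is not None else "(top of file)"
        for key, value in directives:
            if key in MULTI_VALUED:
                continue
            if key in seen:
                lost.append((key, value, src, seen[key]))
            else:
                seen[key] = src
    return lost


# Constructed sample, modelled on the tail of ~/.ssh/config in the post. The
# 'mh*' block is an assumption: the log's "Applying options for mh*" shows
# such a block exists above the four lines shown, but its contents (including
# 'User admin') are invented for this demonstration.
SAMPLE_CONFIG = """\
Host mh*
    User admin
    IdentityFile /path/to/other/key

Host mhmi
    HostName 192.168.2.100
    User tong
    IdentityFile /home/tong/.ssh/id_rsa
"""

if __name__ == "__main__":
    for host in ("mhmi", "192.168.2.100"):
        print(f"ssh {host}: applying options for {applied_blocks(SAMPLE_CONFIG, host)}")
        for key, entries in resolve(SAMPLE_CONFIG, host).items():
            for value, src in entries:
                print(f"  {key} = {value}   (from Host {src})")
        for key, value, src, winner in shadowed(SAMPLE_CONFIG, host):
            print(f"  ignored: {key} {value} in Host {src}; Host {winner} set it first")
```

Run it and compare with `ssh -v`: the script reports the same block order, lists the identity files in the order the client loads them, and names the User value that the later block tried and failed to set. The practical fix it points at is to put specific Host blocks above wildcard ones, or to make the wildcard exclude the exception (`Host mh* !mhmi`).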