
Re: ssh connection problem, DNS and ~/.ssh/config (long)



Thanks a lot for your answer, elbbit. 

On Fri, 25 Feb 2011 07:44:27 +0000, elbbit wrote:

>>  /etc/init.d/ssh restart
> 
> This method normally includes /etc/ssh/sshd_config when it starts the
> sshd binary.  The directive you are looking for in the file is probably
> "PermitRootLogin yes".  Adding or changing this entry in the sshd_config
> file will enable you to log in remotely as the root user.

Thanks, I double-checked, and it *is* turned on (on the remote host), as
always:

% grep PermitRootLogin /etc/ssh/sshd_config
PermitRootLogin yes

>> [1] sudo ssh -C -A -X maroon
> 
> FYI, this can also been accomplished as "ssh -l root -CAX maroon" or
> even as "ssh -CAX root@maroon".

Thanks for the tip. I set up and use the sudo ssh mechanism instead because I
also need it for scp and rsync to transfer files that are not readable to
me.

OK, back to the problem. I dug deeper following your tips, using a non-root
user instead, and now it seems to be much more complicated than anything I have
ever seen before. In the OP, I *simplified* my question, and now I need to
describe my situation exactly.

In summary, 

- I'm using the  ~/.ssh/config file for remote host connection
- my sshd is listening on port 21
- remote host is named maroon, and client is named coral

Now the problem in summary, 

- using hostname for remote host NOK.
- using ~/.ssh/config file NOK.

Here are the details (long!). 

Problem #1, using hostname for remote host NOK

  tong@coral:~$ ssh -C -A -X -p 21 -o UserKnownHostsFile=/tmp/32083.tmpf.32124.uknf maroon -v
  OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
  debug1: Reading configuration data /home/tong/.ssh/config
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Applying options for *
  debug1: Connecting to maroon [::1] port 21.
  debug1: Connection established.
  debug1: identity file /home/tong/.ssh/id_rsa type 1
  debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
  debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
  debug1: identity file /home/tong/.ssh/id_rsa-cert type -1
  debug1: identity file /home/tong/.ssh/id_dsa type 2
  debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
  debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
  debug1: identity file /home/tong/.ssh/id_dsa-cert type -1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu4
  debug1: match: OpenSSH_5.5p1 Debian-4ubuntu4 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
  debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: Host '[maroon]:21' is known and matches the RSA host key.
  debug1: Found key in /tmp/32083.tmpf.32124.uknf:1
  debug1: ssh_rsa_verify: signature correct
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: SSH2_MSG_NEWKEYS received
  debug1: Roaming not allowed by server
  debug1: SSH2_MSG_SERVICE_REQUEST sent
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey
  debug1: Next authentication method: publickey
  debug1: Offering public key: /home/tong/.ssh/id_rsa
  debug1: Server accepts key: pkalg ssh-rsa blen 149
  debug1: Enabling compression at level 6.
  debug1: Authentication succeeded (publickey).
  debug1: channel 0: new [client-session]
  debug1: Requesting no-more-sessions@openssh.com
  debug1: Entering interactive session.
  debug1: Requesting X11 forwarding with authentication spoofing.
  debug1: Requesting authentication agent forwarding.
  debug1: Sending environment.
  debug1: Sending env LANG = C
  Linux coral 2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:32:27 UTC 2010 x86_64 GNU/Linux
  Ubuntu 10.10

I.e., instead of connecting to the remote host maroon, the ssh session
connected to my local host (coral) instead (using IPv6?). This is so weird; I
have never seen this before. How could it be? DNS name lookup seems to be fine:

  tong@coral:~$ dig maroon

  ; <<>> DiG 9.7.1-P2 <<>> maroon
  ;; global options: +cmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19913
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

  ;; QUESTION SECTION:
  ;maroon.                                IN      A

  ;; ANSWER SECTION:
  maroon.                 0       IN      A       192.168.2.100

  ;; Query time: 0 msec
  ;; SERVER: 192.168.2.100#53(192.168.2.100)
  ;; WHEN: Sat Feb 26 09:22:39 2011
  ;; MSG SIZE  rcvd: 40

  tong@coral:~$ ping maroon
  PING maroon.my.local.domain (192.168.2.100) 56(84) bytes of data.
  64 bytes from maroon.my.local.domain (192.168.2.100): icmp_req=1 ttl=64 time=0.113 ms
  64 bytes from maroon.my.local.domain (192.168.2.100): icmp_req=2 ttl=64 time=0.147 ms
  ^C

  tong@coral:~$ grep maroon /etc/hostname | echo no found
  no found

Directly using IP instead:

  tong@coral:~$ ssh -C -A -X -p 21 -o UserKnownHostsFile=/tmp/32083.tmpf.32124.uknf 192.168.2.100 -v
  OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
  debug1: Reading configuration data /home/tong/.ssh/config
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Applying options for *
  debug1: Connecting to 192.168.2.100 [192.168.2.100] port 21.
  debug1: Connection established.
  debug1: identity file /home/tong/.ssh/id_rsa type 1
  debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
  debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
  debug1: identity file /home/tong/.ssh/id_rsa-cert type -1
  debug1: identity file /home/tong/.ssh/id_dsa type 2
  debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
  debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
  debug1: identity file /home/tong/.ssh/id_dsa-cert type -1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
  debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
  debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: checking without port identifier
  Failed to add the host to the list of known hosts (/tmp/32083.tmpf.32124.uknf).
  debug1: ssh_rsa_verify: signature correct
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: SSH2_MSG_NEWKEYS received
  debug1: Roaming not allowed by server
  debug1: SSH2_MSG_SERVICE_REQUEST sent
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey
  debug1: Next authentication method: publickey
  debug1: Offering public key: /home/tong/.ssh/id_rsa
  debug1: Server accepts key: pkalg ssh-rsa blen 149
  debug1: Enabling compression at level 6.
  debug1: Authentication succeeded (publickey).
  debug1: channel 0: new [client-session]
  debug1: Requesting no-more-sessions@openssh.com
  debug1: Entering interactive session.
  debug1: Requesting X11 forwarding with authentication spoofing.
  debug1: Requesting authentication agent forwarding.
  debug1: Sending environment.
  debug1: Sending env LANG = C
  Linux maroon.my.local.domain 2.6.36-grml64 #1 SMP PREEMPT Mon Dec 13 13:16:48 UTC 2010 x86_64

I.e., using hostname for remote host NOK while directly using IP is OK. 

I did a comparison of the above logs:

  @@ -4,3 +4,3 @@
   debug1: Applying options for *
  -debug1: Connecting to maroon [::1] port 21.
  +debug1: Connecting to 192.168.2.100 [192.168.2.100] port 21.
   debug1: Connection established.
  @@ -14,4 +14,4 @@
   debug1: identity file /home/tong/.ssh/id_dsa-cert type -1
  -debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-4ubuntu4
  -debug1: match: OpenSSH_5.5p1 Debian-4ubuntu4 pat OpenSSH*
  +debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
  +debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
   debug1: Enabling compatibility mode for protocol 2.0
  @@ -26,4 +26,4 @@
   debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  -debug1: Host '[maroon]:21' is known and matches the RSA host key.
  -debug1: Found key in /tmp/32083.tmpf.32124.uknf:1
  +debug1: checking without port identifier
  +Failed to add the host to the list of known hosts (/tmp/32083.tmpf.32124.uknf).
   debug1: ssh_rsa_verify: signature correct
  @@ -48,2 +48,2 @@
   debug1: Sending env LANG = C
  -Linux coral 2.6.35-22-generic #33-Ubuntu SMP Sun Sep 19 20:32:27 UTC 2010 x86_64 GNU/Linux
  +Linux maroon.my.local.domain 2.6.36-grml64 #1 SMP PREEMPT Mon Dec 13 13:16:48 UTC 2010 x86_64

The only key difference is where ssh connected to.

Now problem #2, using ~/.ssh/config file NOK.

  tong@coral:~$ ssh -C -A -X -p 21 192.168.2.100 -v
  OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
  debug1: Reading configuration data /home/tong/.ssh/config
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Applying options for *
  debug1: Connecting to 192.168.2.100 [192.168.2.100] port 21.
  debug1: Connection established.
  debug1: identity file /home/tong/.ssh/id_rsa type 1
  debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
  debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
  debug1: identity file /home/tong/.ssh/id_rsa-cert type -1
  debug1: identity file /home/tong/.ssh/id_dsa type 2
  debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
  debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
  debug1: identity file /home/tong/.ssh/id_dsa-cert type -1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
  debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
  debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: checking without port identifier
  The authenticity of host '[192.168.2.100]:21 ([192.168.2.100]:21)' can't be established.
  RSA key fingerprint is ff:7e:df:4a:a3:b8:33:e4:14:9c:27:62:f2:0e:cb:62.
  Are you sure you want to continue connecting (yes/no)? yes
  Warning: Permanently added '[192.168.2.100]:21' (RSA) to the list of known hosts.
  debug1: ssh_rsa_verify: signature correct
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: SSH2_MSG_NEWKEYS received
  debug1: Roaming not allowed by server
  debug1: SSH2_MSG_SERVICE_REQUEST sent
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey
  debug1: Next authentication method: publickey
  debug1: Offering public key: /home/tong/.ssh/id_rsa
  debug1: Server accepts key: pkalg ssh-rsa blen 149
  debug1: Enabling compression at level 6.
  debug1: Authentication succeeded (publickey).
  debug1: channel 0: new [client-session]
  debug1: Requesting no-more-sessions@openssh.com
  debug1: Entering interactive session.
  debug1: Requesting X11 forwarding with authentication spoofing.
  debug1: Requesting authentication agent forwarding.
  debug1: Sending environment.
  debug1: Sending env LANG = C
  Linux maroon.my.local.domain 2.6.36-grml64 #1 SMP PREEMPT Mon Dec 13 13:16:48 UTC 2010 x86_64

Now,

  $ tail -4 ~/.ssh/config
  Host mhmi
    HostName 192.168.2.100
    User tong
    IdentityFile /home/tong/.ssh/id_rsa

  tong@coral:~$ ssh -C -A -X -p 21 mhmi -v
  OpenSSH_5.5p1 Debian-4ubuntu4, OpenSSL 0.9.8o 01 Jun 2010
  debug1: Reading configuration data /home/tong/.ssh/config
  debug1: Applying options for mh*
  debug1: Applying options for mhmi
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Applying options for *
  debug1: Connecting to 192.168.2.100 [192.168.2.100] port 21.
  debug1: Connection established.
  debug1: identity file /path/to/other/key type -1
  debug1: identity file /path/to/other/key-cert type -1
  debug1: identity file /home/tong/.ssh/id_rsa type 1
  debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
  debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
  debug1: identity file /home/tong/.ssh/id_rsa-cert type -1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
  debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu4
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug1: kex: server->client aes128-ctr hmac-md5 zlib@openssh.com
  debug1: kex: client->server aes128-ctr hmac-md5 zlib@openssh.com
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: Host '[192.168.2.100]:21' is known and matches the RSA host key.
  debug1: Found key in /home/tong/.ssh/known_hosts:52
  debug1: ssh_rsa_verify: signature correct
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug1: SSH2_MSG_NEWKEYS received
  debug1: Roaming not allowed by server
  debug1: SSH2_MSG_SERVICE_REQUEST sent
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug1: Authentications that can continue: publickey
  debug1: Next authentication method: publickey
  debug1: Offering public key: /home/tong/.ssh/id_rsa
  debug1: Authentications that can continue: publickey
  debug1: Trying private key: /path/to/other/key
  debug1: No more authentication methods to try.
  Permission denied (publickey).

I.e., with everything seeming to be the same to me, using the
~/.ssh/config file is NOK.

Any ideas? Is there any way to troubleshoot the default sshd daemon? (I can still
ssh to the remote host as root using a secondary session.)

As mentioned before, I've still got one ssh connection open to the headless
remote host as root (for configuration & testing); I'm afraid to
reboot or restart my local network connection to iron out the problems.

Thanks

-- 
Tong (remove underscore(s) to reply)
  http://xpt.sourceforge.net/techdocs/
  http://xpt.sourceforge.net/tools/
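Added example for problem #1 (this is editor-supplied code, not part of the post): the gap between what `dig` and `ping` print and the `Connecting to maroon [::1]` line. ssh resolves its host argument with getaddrinfo(3), which follows /etc/nsswitch.conf; on Debian and Ubuntu that is `files` (/etc/hosts) before `dns`, and the first source with an answer ends the search. dig asks the DNS server only and never reads /etc/hosts, iputils ping is IPv4-only so an IPv6-only hosts entry does not affect it, and /etc/hostname (the file grepped in the post) holds only the machine's own name. The post never shows coral's /etc/hosts, so the file in the script is constructed; an alias of `maroon` on its `::1` line is one entry that would reproduce every observation in the post at once. The script models that lookup order, the family filter, and the fix.

```python
"""Why `ssh maroon` can land on [::1] while `dig maroon` says 192.168.2.100.

ssh resolves its host argument with getaddrinfo(3), which follows
/etc/nsswitch.conf: on Debian/Ubuntu that is `files` (/etc/hosts) before
`dns`, and the first source with an answer wins.  dig asks the DNS server
only and never reads /etc/hosts.  iputils ping is IPv4-only, so an
IPv6-only /etc/hosts entry does not affect it either.

Added example, not code from the post.  The post never shows coral's
/etc/hosts, so HOSTS_FILE below is constructed.
"""
import ipaddress
from typing import Dict, List, Optional

# Constructed /etc/hosts (assumption).  The `maroon` alias on the ::1 line is
# one entry that would produce the log's "Connecting to maroon [::1]".
HOSTS_FILE = """\
127.0.0.1   localhost
127.0.1.1   coral
::1         localhost ip6-localhost ip6-loopback maroon
fe00::0     ip6-localnet
"""

# Constructed stand-in for the DNS answer that dig printed in the post.
DNS_ANSWERS = {"maroon": ["192.168.2.100"]}


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each name/alias in an /etc/hosts file to the addresses listed for it.

    `#` starts a comment, names are case-insensitive, and a name may occur on
    several lines (an IPv4 and an IPv6 one), so values are lists.
    """
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        addr, *names = line.split()
        ipaddress.ip_address(addr)  # fail loudly on a malformed line
        for name in names:
            table.setdefault(name.lower(), []).append(addr)
    return table


def resolve_like_getaddrinfo(name: str, hosts_text: str, dns: Dict[str, List[str]],
                             family: Optional[int] = None,
                             order=("files", "dns")) -> List[str]:
    """Addresses a `files dns` nsswitch lookup returns for `name`.

    family=4 or 6 mimics an AF_INET/AF_INET6-only caller such as ping;
    None is AF_UNSPEC, which is what ssh uses.  As in glibc, a source that
    has a usable answer ends the search, so DNS is never asked for a name
    that /etc/hosts already knows.
    """
    hosts = parse_hosts(hosts_text)
    for source in order:
        found = hosts.get(name.lower(), []) if source == "files" else dns.get(name.lower(), [])
        if family is not None:
            found = [a for a in found if ipaddress.ip_address(a).version == family]
        if found:
            return list(found)
    return []


def resolve_like_dig(name: str, dns: Dict[str, List[str]]) -> List[str]:
    """dig bypasses nsswitch and /etc/hosts entirely."""
    return list(dns.get(name.lower(), []))


def ssh_target(name: str, hosts_text: str, dns: Dict[str, List[str]]) -> Optional[str]:
    """The first address ssh would try, as shown in its `Connecting to` line."""
    addrs = resolve_like_getaddrinfo(name, hosts_text, dns)
    return addrs[0] if addrs else None


def remove_alias(hosts_text: str, alias: str) -> str:
    """The fix: drop `alias` from every line of an /etc/hosts file, keeping the rest."""
    out = []
    for raw in hosts_text.splitlines():
        code, sep, comment = raw.partition("#")
        fields = code.split()
        if not fields:                     # blank or comment-only line: keep as is
            out.append(raw)
            continue
        kept = [fields[0]] + [f for f in fields[1:] if f.lower() != alias.lower()]
        if len(kept) == 1:                 # nothing but the address left: drop the line
            continue
        out.append("  ".join(kept) + (" " + sep + comment if sep else ""))
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("dig says:         ", resolve_like_dig("maroon", DNS_ANSWERS))
    print("ping (IPv4) uses: ", resolve_like_getaddrinfo("maroon", HOSTS_FILE, DNS_ANSWERS, family=4))
    print("ssh would use:    ", ssh_target("maroon", HOSTS_FILE, DNS_ANSWERS))
    print("after the fix:    ", ssh_target("maroon", remove_alias(HOSTS_FILE, "maroon"), DNS_ANSWERS))
```

On the real box the equivalent check is `getent ahosts maroon` (goes through nsswitch exactly as ssh does) next to `dig maroon` (DNS only) and `grep -n maroon /etc/hosts`. One caveat worth reading off the first log: the connection used a throwaway `UserKnownHostsFile` in /tmp that already held a key under `[maroon]:21` (line 1), so the host-key check reported "known and matches" against whatever was recorded there earlier, in this case coral's own sshd key. The per-name key in the regular ~/.ssh/known_hosts is the check that would normally flag a name that suddenly resolves to a different machine; bypassing it with a scratch file throws that signal away.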

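Added example for problem #2 (editor-supplied, not code from the post): a small model of how the OpenSSH client, 5.5 included, evaluates ~/.ssh/config, which is what the `Applying options for mh*` followed by `Applying options for mhmi` lines are reporting. Host patterns are matched against the name typed on the command line, and for ordinary keywords the first value obtained wins, so a `Host mh*` block placed above `Host mhmi` can silently override the `User` set in the specific block; `IdentityFile` is the exception and accumulates, which is why the log lists /path/to/other/key before /home/tong/.ssh/id_rsa. The post never shows the `Host mh*` block itself, only that it exists and contributes /path/to/other/key, so the `User admin` line in the constructed config is an assumption used to show the precedence rule; whether that is what broke this particular login cannot be read from the log, which does not print the user name offered.

```python
"""Minimal model of how the OpenSSH client evaluates ~/.ssh/config.

Rules modelled (ssh_config(5), as they stood in 5.5 and still do): a Host
line selects which following lines apply; its patterns, separated by
whitespace, are matched case-insensitively with `*` and `?` against the
name typed on the command line (not the HostName), and a `!` prefix
negates a pattern.  For ordinary keywords the FIRST value obtained wins,
so specific blocks must precede general ones.  IdentityFile is the
exception: every value accumulates, in file order.  Only whole-line `#`
comments exist.  Match and Include are not modelled.

Added example, not code from the post.  The log proves a `Host mh*` block
was applied before `Host mhmi` and contributed /path/to/other/key; the
rest of that block is not shown, so its User line here is a constructed
assumption used to show the precedence rule.
"""
import re
from typing import Dict, List, Union

ACCUMULATING = {"identityfile"}   # keywords whose values collect instead of overriding

CONFIG_AS_POSTED = """\
# Constructed: the block the post's log shows being applied but never lists.
Host mh*
    IdentityFile /path/to/other/key
# Assumption, not in the post: any scalar set here wins over `Host mhmi`.
    User admin

# Tail of ~/.ssh/config exactly as shown in the post.
Host mhmi
  HostName 192.168.2.100
  User tong
  IdentityFile /home/tong/.ssh/id_rsa
"""

# Same two blocks, specific one first, and the wildcard block excludes mhmi so
# its IdentityFile no longer accumulates into the mhmi login.
CONFIG_FIXED = """\
Host mhmi
  HostName 192.168.2.100
  User tong
  IdentityFile /home/tong/.ssh/id_rsa
  IdentitiesOnly yes

Host mh* !mhmi
    IdentityFile /path/to/other/key
    User admin
"""


def host_pattern_matches(pattern: str, name: str) -> bool:
    """OpenSSH-style glob: only `*` and `?` are special; case-insensitive."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern.lower())
    return re.fullmatch(regex, name.lower()) is not None


def host_line_matches(patterns: List[str], name: str) -> bool:
    """A Host line matches when a positive pattern matches and no negated one does."""
    if any(p.startswith("!") and host_pattern_matches(p[1:], name) for p in patterns):
        return False
    return any(not p.startswith("!") and host_pattern_matches(p, name) for p in patterns)


def effective_config(text: str, name: str) -> Dict[str, Union[str, List[str]]]:
    """Options ssh would use for `ssh <name>` given this config file (keys lower-cased)."""
    result: Dict[str, Union[str, List[str]]] = {}
    active = True                         # lines before any Host line apply to all hosts
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # `Key value` or `Key=value`
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            active = host_line_matches(value.split(), name)
            continue
        if not active:
            continue
        if keyword in ACCUMULATING:
            result.setdefault(keyword, []).append(value)
        else:
            result.setdefault(keyword, value)   # first obtained value wins; later ones ignored
    return result


if __name__ == "__main__":
    for label, cfg in (("as posted", CONFIG_AS_POSTED), ("specific first", CONFIG_FIXED)):
        eff = effective_config(cfg, "mhmi")
        print(f"{label:15} user={eff.get('user')} hostname={eff.get('hostname')} "
              f"identities={eff.get('identityfile')}")
    print("by raw address:", effective_config(CONFIG_AS_POSTED, "192.168.2.100"))
```

The check on the real machine is the same reordering: put `Host mhmi` above `Host mh*` (or write the wildcard as `Host mh* !mhmi`), re-run `ssh -v mhmi`, and confirm that only /home/tong/.ssh/id_rsa is listed as an identity file. Connecting by bare address, as in the working log, matches neither block, which is why the raw-address and the alias runs behaved differently with "everything the same". Newer clients also have `ssh -G mhmi` to print the effective options, but that flag is not in 5.5.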
