
Re: ssh-ing in inside private network




On Thu, Mar 31, 2016 at 01:27:35PM +0100, Lisi Reisz wrote:
> Great!  Thank you!  I now have a starting point for my questions.
> 
> On Thursday 31 March 2016 12:28:57 tomas@tuxteam.de wrote:
> > -----BEGIN PGP SIGNED MESSAGE-----
> > Hash: SHA1
> >
> > On Thu, Mar 31, 2016 at 12:43:49PM +0100, Lisi Reisz wrote:
> > > I want all the computers on my private network to be able to ssh into
> > > each other.  In Jessie, what do I have to do where in what config file?
> > > Presumably some port is shut??
> 
> > Since your question was pretty general, I preferred to go with a terse,
> > bird's perspective answer. Let's tackle the details when they come up.
> 
> Great!  Thank you!  I now have a starting point for my questions.
> >
> > 0. Each computer should be able to "see" port 22 (ssh) of each other's
> >    (I'm assuming you go with the default port for ssh, this can be
> >    changed, but I wouldn't do that without some reason)
> 
> How do I check this?  I suspect that it may be the problem, so the problem may 
> in fact be on the computer I want to ssh from, if the Jessie computer cannot 
> see it?  Oh!  Let us use their names.  The computer running Wheezy is called 
> Tux-II.  The computer running Jessie is called Eros.
> 
> > 1. Each computer should have an SSH server running (on Debian that would
> >    be package openssh-server: in Debian it has priority "optional": I'd
> >    double-check that it's installed)
> 
> It is installed.  How do I check that it is running?

By default it will be running when installed. To double-check that, there
are several ways to do it:

  tomas@rasputin:~$ ps wwwaux | grep sshd
  root      3224  0.0  0.0  55336  3364 ?        Ss   12:53   0:00 /usr/sbin/sshd
  tomas     8721  0.0  0.0   7960   736 pts/4    S+   14:48   0:00 grep sshd

...there you see the sshd process on my box running and willing to serve.
Or this:

  tomas@rasputin:~$ sudo netstat -antp | grep sshd
  tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      3224/sshd       
  tcp6       0      0 :::22                   :::*                    LISTEN      3224/sshd       

...here you see sshd on my box listening on port 22 and willing to play.
But I think you're already past that point, see below.

> > 3. To connect, you need also an openssh-client (since this has priority
> >    "standard" in Debian, chances are that it's there already)
> 
> It is installed and running.  I can ssh from Eros, but not into it.  If I just 
> try to ssh from Tux-II to Eros, I get the error "Could not connect to host 
> 192.168.0.4.".  I'm actually "fish"ing, but same difference.
> 
> I get a more helpful message from ssh:
> lisi@Tux-II:~$ ssh peter@192.168.0.4
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> @    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
> @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
> IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
> Someone could be eavesdropping on you right now (man-in-the-middle attack)!
> It is also possible that a host key has just been changed.
> The fingerprint for the ECDSA key sent by the remote host is
> d9:2e:38:29:07:f8:8a:6d:4b:dd:28:60:ad:c9:e5:a3.
> Please contact your system administrator.
> Add correct host key in /home/lisi/.ssh/known_hosts to get rid of this 
> message.
> Offending ECDSA key in /home/lisi/.ssh/known_hosts:3
> ECDSA host key for 192.168.0.4 has changed and you have requested strict 
> checking.
> Host key verification failed.
> lisi@Tux-II:~$

Ah, yes. That means that Eros's (that is 192.168.0.4, right?) "ssh host key"
has changed. Every host gets a "host key" the first time its ssh server is
set up (usually assigned at random), which it presents to the client as
an identification [1]. The client itself registers it the first time it sees
it and yells bloody murder if that ever changes: that's what you are seeing
above. Someone nasty is impersonating your good old Eros.

If you know Eros has just "changed personality", you just have to delete
the record your ssh client has on Tux-II of that old host key. The text
above tells you where: it's in /home/lisi/.ssh/known_hosts, line 3.

The next time you ssh into Eros you'll get a notice that Eros isn't known
and whether to trust it -- from then on it's as before.

> Previously (under Wheezy) using Fish, I have been getting the first part of 
> the message and asked if I want to accept the new identification.  Fish 
> presumably then edited the file.  So I need static IPs fast!  or a hosts 
> file?  I have some learning to do.  Static IPs I have no problem over, I just 
> need to do it.  It clearly needs to move up my priority list.  (New router.  
> reserved MAC numbers not yet set up in the DHCP section.)

Basically it hasn't much to do with that -- only that your SSH clients (be
it fish, be it ssh) associate the host name/IP address they see with the
host keys. Of course, if the IPs keep changing, then they have a moving
target, and you'll have a difficult life :-)

> I have to go now, but I think you have solved it!!  (I hadn't researched how 
> to use ssh itself.  :-(  I was scared of it. :-(  )

If you aren't scared of shell, you should easily make friends with ssh.
It's a very nice fellow :-)

> Thank you.  I'll continue later!
> 
> I'm most grateful, Tomas.

You're most welcome :-)

- - - -
[1] It presents the "public" part of the key -- and keeps the private part
   to itself, to be more precise.

regards
-- t
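The procedure Tomas describes (confirm Eros really did change its host key, then drop the one stale known_hosts line) as an added shell example that is not part of the original mail. The demo data, hostnames and placeholder key blobs are constructed here; the fingerprint and the "known_hosts:3" reference are the ones from Lisi's warning, and the server-side reading is assumed to match for the demo.

```shell
#!/bin/sh
# Added example, not from the original mail: given a saved copy of the
# "REMOTE HOST IDENTIFICATION HAS CHANGED" warning, pull out the offending
# known_hosts entry and the presented fingerprint, compare that fingerprint
# with one read on the server's own console, and only then drop the one line.
set -eu

# Print "FILE:LINE" taken from the "Offending ... key in FILE:LINE" line.
offending_entry() {
    sed -n 's/^Offending .* key in \([^:]*\):\([0-9][0-9]*\).*$/\1:\2/p' "$1" | head -n 1
}

# Print the fingerprint on the line after "The fingerprint for the ... is".
presented_fingerprint() {
    awk '/^The fingerprint for the/ { getline; sub(/\.$/, ""); print; exit }' "$1"
}

# $2 is the fingerprint column of `ssh-keygen -lf /etc/ssh/ssh_host_ecdsa_key.pub`
# run on the server itself (read at its console, not over the suspect connection).
fingerprint_matches() {
    [ "$1" = "$2" ]
}

# Delete exactly one line, keeping the file's permissions (no sed -i: not portable).
# `ssh-keygen -R 192.168.0.4` would instead remove every entry for that host.
remove_known_hosts_line() {
    file=$1; line=$2; tmp=$(mktemp)
    awk -v n="$line" 'NR != n' "$file" > "$tmp"
    cat "$tmp" > "$file" && rm -f "$tmp"
}

# Constructed demo data: hypothetical hosts, placeholder key blobs, the mail's fingerprint.
DEMO=$(mktemp -d)
printf '%s\n' \
  'tux-ii ssh-ed25519 AAAAPLACEHOLDER1' \
  'printer ssh-ed25519 AAAAPLACEHOLDER2' \
  '192.168.0.4 ecdsa-sha2-nistp256 AAAAPLACEHOLDER3' > "$DEMO/known_hosts"
cat > "$DEMO/warning.txt" <<EOF
The fingerprint for the ECDSA key sent by the remote host is
d9:2e:38:29:07:f8:8a:6d:4b:dd:28:60:ad:c9:e5:a3.
Offending ECDSA key in $DEMO/known_hosts:3
EOF

entry=$(offending_entry "$DEMO/warning.txt")
fp=$(presented_fingerprint "$DEMO/warning.txt")
server_fp='d9:2e:38:29:07:f8:8a:6d:4b:dd:28:60:ad:c9:e5:a3'   # assumed console reading
if fingerprint_matches "$fp" "$server_fp"; then
    remove_known_hosts_line "${entry%:*}" "${entry##*:}"
fi
```

If the two fingerprints differ, nothing is deleted and the warning stands, which is exactly the case where the old entry should stay put.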

