Koozali.org: home of the SME Server
Legacy Forums => General Discussion (Legacy) => Topic started by: jreijsenbach on September 21, 2004, 11:53:38 AM
-
Hi,
Problem:
Can no longer login as root or any other user using ssh, neither from a remote network nor the local network.
Situation & what I tried:
Using server-manager I disabled all 3 ssh access settings then reenabled them. Server-manager says all's ok but still no access (access denied).
I did recently update (among others) ssh using the ones I found on http://sme.swerts-knudsen.dk/. I used the same procedure on 2 basically identical sme servers and only one has this problem.
I can logon to the machine itself using root no problem there. Just no external access.
Question:
How can I enable ssh external access using command-line? Since I can logon on the machine itself and the server-manager does not change the settings for me this might be the only way to fix it.
Any help or suggestions are more than welcome.
With kind regards,
Jan
-
Hello,
> I can logon to the machine itself using root no problem there. Just no external access.
Since you can logon, try going to /home/e-smith and have a look into file "configuration" to find the line about sshd. It'd have a look similar to this:
sshd=service|PasswordAuthentication|yes|PermitRootLogin|yes|access|private|status|enabled
If not, try to correct and then restart sshd.
-
Hi onsy,
Checked, it looks all ok. But doesn't seem to work. If you have any further suggestions please tell. Thanks so far anyway :)
regards,
Jan
-
I had exactly the same problem. Installed the same updates. After installing updates no SSH access possible.
My SME version 6.01.
Regards,
Lourens
-
what does the command...
/sbin/e-smith/config show sshd
show?
Are you using PuTTY to connect? If so, make sure you use the latest... I had problems logging in on a machine and it turned out the ssh had disabled ssh v1.
Have you checked the logs to see what they say?
HTH
-
Same problem here,
I also used the update files from swert (after rkhunter).
And I disabled the remote access for 1 day. Now, after I enable remote access, I can't access the server remotely.
-
Hello,
Try to look at the log file "messages" and examine the lines about sshd to get more infos.
-
Well, I did the proverbial cannon and fly solution and did a clean install. But the problem only happened on one of two basically identical machines.
In the logs I only saw some authentication failures. Nothing out of the ordinary.
I'm sorry I can no longer be of assistance here since I basically killed off all traces of the problem.... I think/hope. ;) If the problem reoccurs I'll be sure to look in here first.
Good luck all.
regards,
Jan
-
Everybody having this problem:
(You need to upgrade ssh, client and server in one run ;-)
FIX:
- login locally as root
- make sure you have all ssh components in one directory mynewssh
openssh-3.9p1-1es1.i386.rpm
openssh-clients-3.9p1-1es1.i386.rpm
openssh-server-3.9p1-1es1.i386.rpm
- go into that dir:
cd mynewssh
- then do the upgrade in one run:
rpm -Uvh openssh*
...note the "*" and you should be set
_if_ you still have ssh enabled in the SME Server Manager
(if not you know where to reenable ;-)
Reinhold
-
jreijsenbach
a new install will still 'new'-ly install the vulnerable ssh package :-(
...so make sure that you upgrade !
Reinhold
-
Reinhold,
Thanks for the tip. I actually did that myself, not knowing this would prevent future occurrences of this problem. Good to know :-)
kind regards,
Jan
-
Hi, Reinhold
> Everybody having this problem:
> (You need to upgrade ssh, client and server in one run ;-)
> ....
> - then do the upgrade in one run:
> rpm -Uvh openssh*
> Reinhold
Sorry, this does not solve the problem. No ssh-access. The appropriate RPMs are already installed. Even rpm -e and re-installation did not help.
-
Alexander,
"doesn't work" isn't working <grin> ...i.e. not really helpful 8-)
You may try a:
# /sbin/e-smith/signal-event remoteaccess-update
while logged in locally.
...else please tell us what byte and onsy already asked for ... YOU ARE USING SME 6.0x are you ?
Regards
Reinhold
-
Reinhold,
i did everything mentioned here:
- checked configuration entries they are o.k.
- did "rpm -e openssh*. ..."
- did "rpm -Uvh openssh*"
- did post upgrade / reboot
and still get "connection refused" when trying to establish connection via ssh 1 or ssh 2 and putty.
Logfiles say:
Sep 22 07:55:43 pollux sshd[22212]: Accepted password for root from 192.168.1.4 port 1893 ssh2
Sep 22 07:56:35 pollux sshd[22212]: Received disconnect from 192.168.1.4: 11: All open channels closed
Sep 22 17:49:19 pollux sshd[22878]: Accepted password for root from 192.168.1.4 port 1125 ssh2
Sep 22 22:35:42 pollux sshd[22878]: Received disconnect from 192.168.1.4: 11: All open channels closed
Sep 22 22:38:32 pollux sshd[24265]: Accepted password for root from 192.168.1.4 port 1916 ssh2
Sep 22 22:40:01 pollux sshd[12897]: Received signal 15; terminating.
Sep 22 22:40:01 pollux sshd: sshd -TERM succeeded
Sep 23 08:20:43 pollux /etc/e-smith/web/panels/manager/cgi-bin/remoteaccess[11168]: /home/e-smith/configuration: OLD sshd=service|PasswordAuthentication|yes|PermitRootLogin|yes|access|private|status|enabled
Sep 23 08:20:43 pollux /etc/e-smith/web/panels/manager/cgi-bin/remoteaccess[11168]: /home/e-smith/configuration: NEW sshd=service|PasswordAuthentication|yes|PermitRootLogin|yes|access|public|status|enabled
Sep 23 20:03:03 pollux /etc/e-smith/web/panels/manager/cgi-bin/remoteaccess[12105]: /home/e-smith/configuration: OLD sshd=service|PasswordAuthentication|yes|PermitRootLogin|yes|access|public|status|enabled
Sep 23 20:03:03 pollux /etc/e-smith/web/panels/manager/cgi-bin/remoteaccess[12105]: /home/e-smith/configuration: NEW sshd=service|Passwo
My later connection attempts were not logged. Perhaps sshd has died forever - even after a reboot?
September 22.40 appx. was the time i applied the update.
Sorry for my stupid post. I am suffering influenza today. And yes: SME 6.0.1-01 with all the latest security updates from jesper installed (that installation was the point, where ssh stopped).
-
I had a similar problem after creating a custom template fragment to disable SSH v1 logins. When I was done I couldn't log in at all, except for physically on the console.
Do you have any custom templates in:
/etc/e-smith/templates-custom/etc/ssh/sshd_config ?
If so what are they?
I had a template that was creating some duplicate entries to my /etc/ssh/sshd_config file and screwing it up so you couldn't log in at all. Once I corrected it, all was fine again.
Do you get a "failed" message when you do:
service sshd reload
or
service sshd stop
service sshd start
-
What version of putty are you using?! I had this problem with a suse 9.1 machine and it turned out the ssh had disabled ssh v1 and the putty I had didn't support v2, so I downloaded the latest version and solved my problem :hammer:
-
> Do you have any custom templates in:
> /etc/e-smith/templates-custom/etc/ssh/sshd_config ?
Yes: 20protocol
> If so what are they?
Protocol 2 (just this one line)
> Do you get a "failed" message when you do:
> service sshd reload
Yes: [failed]
I could do sshd start.
After that again the connection was refused even with the latest putty 0.55!
This is the logfiles:
Sep 24 10:03:37 castor sshd: sshd shutdown failed
Sep 24 10:03:41 castor sshd: succeeded
Sep 24 10:03:41 castor sshd[4355]: Server listening on 0.0.0.0 port 22.
Sep 24 10:03:49 castor sshd[4355]: Received SIGHUP; restarting.
Sep 24 10:03:49 castor sshd: sshd -HUP succeeded
Sep 24 10:03:49 castor sshd[4381]: Server listening on 0.0.0.0 port 22.
Sep 24 10:04:30 castor sshd: refused connect from 192.168.57.9 (192.168.57.9)
Sep 24 10:41:34 castor sshd: refused connect from 192.168.57.9 (192.168.57.9)
Sep 24 10:43:22 castor sshd: refused connect from 192.168.57.9 (192.168.57.9)
Sep 24 10:50:23 castor /etc/e-smith/web/panels/manager/cgi-bin/remoteaccess[5511]: /home/e-smith/configuration: OLD sshd=service|PasswordAuthentication|yes|PermitRootLogin|yes|access|private|status|enabled
Sep 24 10:50:23 castor /etc/e-smith/web/panels/manager/cgi-bin/remoteaccess[5511]: /home/e-smith/configuration: NEW sshd=service|PasswordAuthentication|yes|PermitRootLogin|yes|access|public|status|enabled
Sep 24 10:49:52 castor sshd: refused connect from 192.168.57.9 (192.168.57.9)
-
Hi Alexander,
Hope you'll recover from the flu soon !
Now there IS some confusing data in your posts...
-You used two different servers Castor, Pollux...
Pollux:
Sep 22 07:55:43 pollux sshd[22212]: Accepted password for root from 192.168.1.4 port 1893 ssh2
Sep 22 07:56:35 pollux sshd[22212]: Received disconnect from 192.168.1.4: 11: All open channels closed
That seems strange ... i.e. who is closing ??? Pollux OK? ...note that Pollux seems on sshd private i.e. bound to 192.168.1.x
Castor:
...wasn't running sshd so you couldn't stop it.
Now when you started it was on 0.0.0.0 (???)
and it refused connection from 192.168.57.9 (whereas from above I assume you are in subnet 192.168.1.x)
...even if you have (obviously) /public/enabled there's something fishy about this.
In short: Getting fuzzy here so please give the direct configuration file as in /etc/ssh/sshd_config
...preferably for both castor&pollux
(*) meanwhile you may
- stick things to private sshd and
- go through the webadmin interface once (=set it),
- then use a fresh, standards unmodified putty 0.55 (i.e. ssh2) to
-ip-connect with castor/pollux from within the subnet ... and tell us what happens :-)
Regards
Reinhold
-
Hi Reinhold,
i recovered ;-) - getting closer to the problem now.
1. reinstalled openssh again
2. when doing sshd reload i get sshd re-exec requires absolute path and nothing else happens.
3. my sshd_config in /etc/sshd is like this:
# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
# This is the ssh client system-wide configuration file. See
# ssh_config(5) for more information. This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.
# Configuration data is parsed as follows:
# 1. command line options
# 2. user-specific file
# 3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.
# Site-wide defaults for various options
# Host *
# ForwardAgent no
# ForwardX11 no
# RhostsRSAAuthentication no
# RSAAuthentication yes
# PasswordAuthentication yes
# HostbasedAuthentication no
# BatchMode no
# CheckHostIP yes
# AddressFamily any
# ConnectTimeout 0
# StrictHostKeyChecking ask
# IdentityFile ~/.ssh/identity
# IdentityFile ~/.ssh/id_rsa
# IdentityFile ~/.ssh/id_dsa
# Port 22
# Protocol 2,1
# Cipher 3des
# Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
# EscapeChar ~
This must be the standard-file!
4. And in the logs (with a new and clean putty) I still get
Oct 2 15:41:49 castor sshd[4142]: Server listening on 0.0.0.0 port 22.
Oct 2 15:42:46 castor sshd: refused connect from 192.168.57.9 (192.168.57.9)
Oct 2 15:47:13 castor sshd: refused connect from 192.168.57.9 (192.168.57.9)
Oct 2 15:50:21 castor sshd: refused connect from 192.168.57.9 (192.168.57.9)
Of course i am connecting from this local network, where this particular server castor is located.
And: sshd dies after reboot. It is not started after reboot.
Very strange...
-
Yep, it's a standard sshd config with nothing uncommented. Execute /sbin/e-smith/expand-template /etc/sshd/sshd_config and then recheck the file. If the command errors or the file is not changed then you have a template problem. If you get a good sshd file then restart sshd & try it out.
For your reference my sshd_config file looks like this:
#------------------------------------------------------------
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# SME Server software. Instead, modify the source template in
# an /etc/e-smith/templates-custom directory. For more
# information, see http://www.e-smith.org/custom/
#
# copyright (C) 1999-2003 Mitel Networks Corporation
#------------------------------------------------------------
Port 22
ListenAddress 10.10.10.10
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_rsa_key
KeyRegenerationInterval 3600
LoginGraceTime 600
ServerKeyBits 768
ChallengeResponseAuthentication no
Compression yes
IgnoreRhosts yes
KbdInteractiveAuthentication no
MaxStartups 10:30:60
PasswordAuthentication yes
PermitEmptyPasswords no
PermitRootLogin yes
RSAAuthentication yes
RhostsRSAAuthentication no
StrictModes yes
UsePrivilegeSeparation yes
Subsystem sftp /usr/libexec/openssh/sftp-server
X11DisplayOffset 10
X11Forwarding no
KeepAlive yes
PrintMotd yes
The files in /etc/e-smith/templates/etc/ssh/sshd_config are:
-rw-r--r-- 1 root root 24 Feb 15 2002 00intro
-rw-r--r-- 1 root root 8 Feb 15 2002 10Port
-rw-r--r-- 1 root root 278 Feb 15 2002 15ListenAddress
-rw-r--r-- 1 root root 30 Feb 15 2002 20HostKey
-rw-r--r-- 1 root root 34 Feb 15 2002 20HostKeyDSA
-rw-r--r-- 1 root root 34 Feb 15 2002 20HostKeyRSA
-rw-r--r-- 1 root root 29 Feb 15 2002 20KeyRegenerationInterval
-rw-r--r-- 1 root root 19 Feb 15 2002 20LoginGraceTime
-rw-r--r-- 1 root root 18 Feb 15 2002 20Protocol
-rw-r--r-- 1 root root 18 Feb 15 2002 20ServerKeyBits
-rw-r--r-- 1 root root 35 Feb 15 2002 40ChallengeResponseAuthentication
-rw-r--r-- 1 root root 16 Sep 18 2003 40Compression
-rw-r--r-- 1 root root 68 Feb 15 2002 40IgnoreRhosts
-rw-r--r-- 1 root root 108 Feb 15 2002 40IgnoreUserKnownHosts
-rw-r--r-- 1 root root 32 Feb 15 2002 40KbdInteractiveAuthentication
-rw-r--r-- 1 root root 133 Feb 15 2002 40KerberosAuthentication
-rw-r--r-- 1 root root 88 Feb 15 2002 40KerberosTgtPassing
-rw-r--r-- 1 root root 373 Sep 18 2003 40MaxStartups
-rw-r--r-- 1 root root 380 Feb 15 2002 40PasswordAuthentication
-rw-r--r-- 1 root root 24 Feb 15 2002 40PermitEmptyPasswords
-rw-r--r-- 1 root root 271 Feb 15 2002 40PermitRootLogin
-rw-r--r-- 1 root root 105 Feb 15 2002 40RhostsRSAAuthentication
-rw-r--r-- 1 root root 22 Feb 15 2002 40RSAAuthentication
-rw-r--r-- 1 root root 100 Feb 15 2002 40SkeyAuthentication
-rw-r--r-- 1 root root 16 Feb 15 2002 40StrictModes
-rw-r--r-- 1 root root 27 Sep 18 2003 40UsePrivilegeSeparation
-rw-r--r-- 1 root root 508 Feb 15 2002 50SubsystemSftp
-rw-r--r-- 1 root root 20 Feb 15 2002 50X11DisplayOffset
-rw-r--r-- 1 root root 17 Feb 15 2002 50X11Forwarding
-rw-r--r-- 1 root root 14 Feb 15 2002 60KeepAlive
-rw-r--r-- 1 root root 14 Feb 15 2002 60PrintMotd
-rw-r--r-- 1 root root 17 Feb 15 2002 60UseLogin
-rw-r--r-- 1 root root 92 Feb 15 2002 80Logging
HTH
-
.. of course you saw the deliberate mistake, the template command should be:
/sbin/e-smith/expand-template /etc/ssh/sshd_config
doh!
-
Hi Alexander,
Looking at your data I'd say smeghead has said it all .-)
You do have a "virgin" sshd config file
i.o.w. your SME-sshd-template is non-expanded,
and the sshd config is emptied (all #-ed) out.
(strange - hope there isn't more to that)
In short, on the local command-line issue two commands:
# /sbin/e-smith/expand-template /etc/ssh/sshd_config
# /sbin/e-smith/signal-event remoteaccess-update
(of course you have to remove the "# " in front but I know you know .-)
now check the /etc/ssh/sshd_config file again...
the line starting with ListenAddress should show your SERVER-IP now...
ListenAddress 192.168.57.9 ...or something like that.
x-ing fingers
Reinhold
-
Hi folks,
this solved it: The complete e-smith-openssh was uninstalled (perhaps i did it myself during manual update?) - poor me :-x
Complete /etc/e-smith/templates/ssh was missing.
I did rpm -Uvh openssh*.rpm to uninstall the rudiments, then a complete upgrade from CD, reboot, then i had to manually delete the /etc/ssh/sshd_config and then do
expand-template
and signal event
as described. Thanx again folks - you helped a lot.
-
Reinhold's solution of re-installing ssh updates together works well for this problem (problem solved within 30 seconds). Maybe someone should tell the person who made the update system script. Seems a bit silly to have a workaround for a workaround to updates! :-)
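-
Added example, not part of the thread and not SME Server code: a read-only shell check for the sshd_config failure modes reported above (the client ssh_config sitting where the expanded template should be, every directive commented out, no ListenAddress, and duplicate entries from a custom template fragment). The function name audit_sshd_config and the sample files are constructed for illustration, and the list of keywords allowed to repeat is an assumption.

```shell
#!/bin/sh
# Added example: static checks only, nothing is changed or restarted.
audit_sshd_config() {
    [ -r "$1" ] || { echo "MISSING: cannot read $1"; return 2; }
    awk '
        /OpenBSD: ssh_config,/    { client = 1 }   # header of the client file
        /DO NOT MODIFY THIS FILE/ { banner = 1 }   # banner of an expanded template
        /^[ \t]*#/ || /^[ \t]*$/  { next }         # comments and blank lines
        {
            key = tolower($1); active++
            if (key == "listenaddress") listen = 1
            # the keywords below may repeat; any other repeat is suspicious
            if (++seen[key] == 2 && key !~ /^(hostkey|listenaddress|port|subsystem)$/)
                dup = dup " " $1
        }
        END {
            if (client)  { print "CLIENT-FILE: header says ssh_config, not sshd_config"; n++ }
            if (!banner) { print "NO-BANNER: not produced by expand-template"; n++ }
            if (!active) { print "EMPTY: every directive is commented out"; n++ }
            if (!listen) { print "NO-LISTENADDRESS: sshd would bind every address"; n++ }
            if (dup)     { print "DUPLICATE:" dup; n++ }
            exit (n > 0)
        }' "$1"
}

# Constructed sample files, shortened from the listings quoted in the thread.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/unexpanded" <<'EOF'
# $OpenBSD: ssh_config,v 1.19 2003/08/13 08:46:31 markus Exp $
# Host *
#   Port 22
#   Protocol 2,1
EOF
cat > "$demo/expanded" <<'EOF'
# DO NOT MODIFY THIS FILE! It is updated automatically by the
# SME Server software.
Port 22
ListenAddress 10.10.10.10
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
PermitRootLogin yes
EOF
# Same file plus a Protocol line emitted twice, as a stray custom fragment would.
{ cat "$demo/expanded"; echo "Protocol 2,1"; echo "Protocol 2"; } > "$demo/duplicated"
for f in unexpanded expanded duplicated; do
    echo "== $f"
    audit_sshd_config "$demo/$f" || echo "   -> needs attention"
done
```

On a server, run the function against /etc/ssh/sshd_config after expand-template; a clean result prints nothing and returns 0.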