Odd tcp dump? was: ssh working with dialup, not through router

Tom 'Needs A Hat' Mitchell mitch48 at sbcglobal.net
Sun May 23 17:52:08 UTC 2004


On Tue, May 18, 2004 at 10:27:49PM +0200, M. Fioretti wrote:
> On Sat, May 15, 2004 18:33:21 PM -0700, Tom 'Needs A Hat' Mitchell
> (mitch48 at sbcglobal.net) wrote:
> > 
> > Does ping interact with the far machine in both directions?
> > i.e. check "ping -R" and "traceroute" for strange things.
> 
> ping -R gives no error I can see. traceroute goes like this:
> 
> /usr/sbin/traceroute the.ssh.server
> traceroute to the.ssh.server (its.ip.address), 30 hops max, 38 byte packets
>  1  192.168.1.1 (192.168.1.1)  0.809 ms  0.708 ms  0.695 ms
> [intermediate steps cut]

> 15  FE1.internet9t.9massy1-1-ro-bas-2.9tel.net (212.30.124.1)  77.582 ms  79.149 ms  79.839 ms
> 16  * * *
> [on like this until...]
> 27  * * *
> 28  * * *
> 29  * * *
> 30  * * *
....

> 
> > Are you using RFC 1918, ...Private Internet numbers behind the
> > router?  Remember that these nets are not routeable!
....
> > Getting into a RFC1918 net should not be facilitated via routes
> > except via a single NAT port mapping sort of connection.
> 
> As far as I understand, this is exactly what the router box is
> (supposed to be) doing.
> 
> > Can your ADSL router 192.168.1.1. act in NAT mode?
> 
> It says that NAT is on (in its web config interface).

OK, NAT is good.  NAT should translate the ssh port
of one and only one box on the inside to be visible outside.
It still sounds as if you are confusing NAT and routing.

> > Lastly make sure that DNS is correct, other have addressed this (pun
> > intended).
> 
> Even here, I can't find anything wrong.
> 
> Any other help/comment/request of further tests is more than welcome.

Let's double-check things like key length and encryption codes.  I
recently tried to speed up some SSH connections by reducing my key to
512 bits from 1024 and could not connect.  The minimum ephemeral key
length defaults to 768 bits for RSA and my 512 key would fail as an
authorized key.

Test your daemon config file "sshd -d -d -d -t" on both ends.
Test ssh config "ssh -v host" on both ends.
Review both ssh_config and sshd_config on both ends including $HOME/.ssh/config files.

IPv4 or IPv6... force this with -4.
Force the cipher, one at a time.


-- 
	T o m  M i t c h e l l 
	/dev/null the ultimate in secure storage.
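The checklist in the reply above (name resolution, `sshd -t` on the daemon config, `ssh -v` over IPv4 only, then forcing one cipher at a time) as a small POSIX shell script. This is an added example, not code from the thread; the host name, port, config path and the fallback cipher list are assumptions, and `SSH`/`SSHD` can be pointed at wrappers so the loop can be exercised without a network.

```shell
#!/bin/sh
# Added example (not from the original thread): run the checks suggested
# above against one host. HOST/PORT/config path are assumptions; SSH and
# SSHD default to the real binaries but can be overridden in the environment.

SSH=${SSH:-ssh}
SSHD=${SSHD:-/usr/sbin/sshd}

# 1. Name resolution: the name the client uses must resolve at all.
check_dns() {
    getent hosts "$1" >/dev/null 2>&1
}

# 2. Syntax-check the daemon config without starting it (sshd -t).
#    Add -d -d -d for the debugging detail mentioned above; -t alone
#    returns non-zero on a bad file.
check_sshd_config() {
    cfg=${1:-/etc/ssh/sshd_config}
    "$SSHD" -t -f "$cfg"
}

# 3. One verbose, IPv4-only, non-interactive connection attempt. BatchMode
#    stops it hanging on a password prompt; ConnectTimeout bounds it.
verbose_connect() {
    host=$1; port=${2:-22}
    "$SSH" -4 -v -v -v -p "$port" -o BatchMode=yes -o ConnectTimeout=10 \
        "$host" true
}

# 4. Try a single forced cipher over IPv4. Returns ssh's exit status.
try_cipher() {
    host=$1; cipher=$2; port=${3:-22}
    "$SSH" -4 -p "$port" -c "$cipher" \
        -o BatchMode=yes -o ConnectTimeout=10 -o StrictHostKeyChecking=no \
        "$host" true >/dev/null 2>&1
}

# `ssh -Q cipher` exists in OpenSSH 6.3 and later; on an older client fall
# back to a fixed list (assumed set of common SSH-2 ciphers of that era).
list_ciphers() {
    "$SSH" -Q cipher 2>/dev/null || echo "aes128-cbc 3des-cbc blowfish-cbc"
}

# 5. Force each cipher in turn. Prints "ok <cipher>" or "FAIL <cipher>" per
#    line and returns 0 if at least one cipher got a command through.
probe_ciphers() {
    host=$1; port=${2:-22}; any=1
    for c in $(list_ciphers); do
        if try_cipher "$host" "$c" "$port"; then
            echo "ok   $c"; any=0
        else
            echo "FAIL $c"
        fi
    done
    return $any
}

# Usage: sh sshcheck.sh the.ssh.server 22   (the.ssh.server is a placeholder)
if [ -n "$1" ] && [ "${SSHCHECK_NO_MAIN:-}" = "" ]; then
    check_dns "$1" || echo "DNS: $1 does not resolve"
    verbose_connect "$1" "${2:-22}" 2>&1 | tail -n 15
    probe_ciphers "$1" "${2:-22}"
fi
```

A cipher that fails on its own while others work points at a client/server cipher mismatch rather than the router; if every cipher fails but `ping -R` and `traceroute` reach the box, look at the NAT port mapping first.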





More information about the fedora-list mailing list