ssh - cannot log in
Rick Sewill
rsewill at cableone.net
Wed Jun 27 06:39:43 UTC 2007
If I were using a Linux ssh client, I would turn on the debug option.
Does Putty have a debug window one could look at which might give clues?
Does anything appear in the FC6 Linux log files?
In FC6 and FC7, /etc/syslog.conf sends authpriv.* to /var/log/secure
Is sshd running on FC6? What does "service sshd status" indicate?
Please examine /etc/ssh/sshd_config to see how sshd is configured. The
paranoid in me thinks one might not want to share sshd_config with
anyone without proper sanitization. Please look for the following:
# Specify names of users who can connect to this sshd.
AllowUsers name1 name2 name3
# Is your name on the list?
# Specify which port to listen on?
Port xyz
# Is this the port you are trying to connect to?
# Specify the ssh protocols accepted, default was Protocol 2,1
# Maybe someone limited it to ssh protocol 2
Protocol 2
# Maybe Putty is not trying to use the correct protocol?
# Specify which interface IP address to listen on, default all
ListenAddress 10.0.0.1
# Only allow clients to connect to 10.0.0.1 if above is in....
# Following will prevent password authentication.
# One would have to use some other form of authentication.
PasswordAuthentication no
UsePAM no
# -or-
UsePAM yes
ChallengeResponseAuthentication no
# Perhaps one is only allowing pubkeyauthentication
If push comes to shove and one couldn't get debug information from Putty
and/or log information from FC6, I might resort to Wireshark to see if a
connection was established or an ICMP error was returned when I tried to
connect. If a connection is established, ssh will encrypt communication,
making any further use of Wireshark pointless.
Debug information from Putty and/or any log information from FC6 might
give us a clue. I am paranoid. Look at the information before sending
it to the list to make sure there is nothing, security-wise, the public
should not see.
On Tue, 2007-06-26 at 21:02 -0700, David Katz wrote:
> I'm using Putty under XP to try to login to FC6 but it times out.
>
> I can ping the external ip from my laptop.
>
> Here's my iptables --list:
>
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
> RH-Firewall-1-INPUT all -- anywhere anywhere
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination
>
> Chain RH-Firewall-1-INPUT (2 references)
> target prot opt source destination
> ACCEPT all -- anywhere anywhere
> ACCEPT icmp -- anywhere anywhere icmp any
> ACCEPT tcp -- anywhere anywhere tcp dpt:http flags:SYN,RST,ACK/SYN
> ACCEPT tcp -- anywhere anywhere tcp dpt:ssh flags:SYN,RST,ACK/SYN
> ACCEPT esp -- anywhere anywhere
> ACCEPT ah -- anywhere anywhere
> ACCEPT udp -- anywhere 224.0.0.251 udp dpt:mdns
> ACCEPT udp -- anywhere anywhere udp dpt:ipp
> ACCEPT tcp -- anywhere anywhere tcp dpt:ipp
> ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:xdmcp
> ACCEPT udp -- anywhere anywhere state NEW udp dpt:xdmcp
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:x11
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:x11-ssh-offset
> ACCEPT tcp -- anywhere anywhere state NEW tcp dpt:ssh
> REJECT all -- anywhere anywhere reject-with icmp-host-prohibited
>
> I've tried without the windows firewall. The router is open to port 22
> and nats over to what I think is my workstation (how can I check this?)
>
> Thanks for any help.
>
> Note - ultimately I'd like to use X but right now I'm just trying to get
> a login prompt.
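
The sshd_config checks listed in the message above can be scripted; the following is an added example, not part of the original message or of OpenSSH. The function names and the sample config are constructed for illustration, AllowUsers is matched on exact names only (no wildcards), and port 22 is assumed when no Port line is present.

```shell
#!/bin/sh
# check_sshd_config FILE USER PORT ADDR
# Prints one line per directive that could refuse this login attempt.
check_sshd_config() {
    awk -v user="$2" -v port="$3" -v addr="$4" '
    /^[ \t]*(#|$)/ { next }                      # skip comments and blank lines
    {
        key = tolower($1)                        # sshd keywords are case-insensitive
        if (key == "allowusers") {
            have_allow = 1
            for (i = 2; i <= NF; i++) { sub(/@.*/, "", $i); if ($i == user) allowed = 1 }
        }
        else if (key == "port")          { have_port = 1; if ($2 == port) port_ok = 1 }
        else if (key == "listenaddress") { have_addr = 1; if ($2 == addr || $2 == "0.0.0.0") addr_ok = 1 }
        else if (key == "protocol")      proto = $2
        else if (key == "passwordauthentication")          pw  = tolower($2)
        else if (key == "challengeresponseauthentication") cr  = tolower($2)
        else if (key == "usepam")                          pam = tolower($2)
    }
    END {
        if (have_allow && !allowed) print "AllowUsers: " user " is not listed"
        if (have_port ? !port_ok : (port != 22)) print "Port: sshd is not listening on " port
        if (have_addr && !addr_ok) print "ListenAddress: sshd is not bound to " addr
        if (proto == "2") print "Protocol: only SSH-2 accepted; check the client protocol setting"
        # The two combinations from the message that rule out password logins.
        if (pw == "no" && (pam != "yes" || cr == "no"))
            print "Password login disabled; another method such as public key is required"
    }' "$1"
}

# Print active directives with user names and bind addresses masked,
# so the result can be posted to a public list.
sanitize_sshd_config() {
    awk '/^[ \t]*(#|$)/ { next }
         tolower($1) ~ /^(allowusers|denyusers|allowgroups|denygroups|listenaddress)$/ { print $1, "<redacted>"; next }
         { print }' "$1"
}

# Constructed sample config (not taken from the poster's machine).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
printf '%s\n' '# sample' 'Port 2222' 'Protocol 2' 'ListenAddress 10.0.0.1' \
    'AllowUsers name1 name2' 'PasswordAuthentication no' 'UsePAM yes' \
    'ChallengeResponseAuthentication no' > "$sample"

check_sshd_config "$sample" name3 22 10.0.0.1
sanitize_sshd_config "$sample"
```
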