Mailing List Archive

Cannot connect from outside the local network
Hello,

I installed OpenSSH version 5.5p1 in Cygwin. Everything works fine if
I try to connect from inside the local network but if I try to connect
from an external network I'm not able to.

The service does not appear to receive the connection:

debug1: sshd version OpenSSH_5.5p1
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 10122 on 0.0.0.0.
Server listening on 0.0.0.0 port 10122.

I have already verified the hosts.allow and hosts.deny files and they
are correct; also, the ports are open in the firewall.

This is the sshd_config:

---------------------------------------------------
# $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

Port 10122
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
StrictModes no
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem sftp /usr/sbin/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
-------------------------------------------------------
Re: Cannot connect from outside the local network
Did you check these?

the default gateway
the windows firewall

If need be, grab a copy of wireshark and see if the packets from the
other subnet are getting to the machine.

rgt

On 06/21/2010 11:25 PM, Amy wrote:
> Hello,
>
> I installed OpenSSH version 5.5p1 in Cygwin. Everything works fine if
> I try to connect from inside the local network but if I try to connect
> from an external network I'm not able to.
>
> The service does not appear to receive the connection:
>
> debug1: sshd version OpenSSH_5.5p1
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-d'
> debug1: Bind to port 10122 on 0.0.0.0.
> Server listening on 0.0.0.0 port 10122.
>
> I have already verified the hosts.allow and hosts.deny files and they
> are correct; also, the ports are open in the firewall.
>
> This is the sshd_config:
>
> ---------------------------------------------------
> # $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $
>
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> Port 10122
> #AddressFamily any
> ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # The default requires explicit activation of protocol 1
> #Protocol 2
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey /etc/ssh_host_rsa_key
> #HostKey /etc/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 1024
>
> # Logging
> # obsoletes QuietMode and FascistLogging
> #SyslogFacility AUTH
> #LogLevel INFO
>
> # Authentication:
>
> #LoginGraceTime 2m
> #PermitRootLogin yes
> StrictModes no
> #MaxAuthTries 6
> #MaxSessions 10
>
> #RSAAuthentication yes
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
>
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> #RhostsRSAAuthentication no
> # similar for protocol version 2
> #HostbasedAuthentication no
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> #IgnoreUserKnownHosts no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> #IgnoreRhosts yes
>
> # To disable tunneled clear text passwords, change to no here!
> #PasswordAuthentication yes
> #PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
>
> # Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #KerberosTicketCleanup yes
> #KerberosGetAFSToken no
>
> # GSSAPI options
> #GSSAPIAuthentication no
> #GSSAPICleanupCredentials yes
>
> # Set this to 'yes' to enable PAM authentication, account processing,
> # and session processing. If this is enabled, PAM authentication will
> # be allowed through the ChallengeResponseAuthentication and
> # PasswordAuthentication. Depending on your PAM configuration,
> # PAM authentication via ChallengeResponseAuthentication may bypass
> # the setting of "PermitRootLogin without-password".
> # If you just want the PAM account and session checks to run without
> # PAM authentication, then enable this but set PasswordAuthentication
> # and ChallengeResponseAuthentication to 'no'.
> #UsePAM no
>
> #AllowAgentForwarding yes
> #AllowTcpForwarding yes
> #GatewayPorts no
> #X11Forwarding no
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #TCPKeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation yes
> #PermitUserEnvironment no
> #Compression delayed
> #ClientAliveInterval 0
> #ClientAliveCountMax 3
> #UseDNS yes
> #PidFile /var/run/sshd.pid
> #MaxStartups 10
> #PermitTunnel no
> #ChrootDirectory none
>
> # no default banner path
> #Banner none
>
> # override default of no subsystems
> Subsystem sftp /usr/sbin/sftp-server
>
> # Example of overriding settings on a per-user basis
> #Match User anoncvs
> # X11Forwarding no
> # AllowTcpForwarding no
> # ForceCommand cvs server
> -------------------------------------------------------
RE: Cannot connect from outside the local network
To a firewall (if there is one) 10122 is an "unusual" incoming port.
Some things you could try.

1) check that the target is reachable, run a traceroute (tracert on Windows) or a ping at your client.
2) check that the target port is reachable, e.g. nmap target, nc target 22 from your client.
3) run the ssh client with -vv to get extra diagnostics.

cheers
----------------------------------------
> Date: Tue, 22 Jun 2010 15:53:27 -0400
> From: rgt@wi.mit.edu
> To: mi.basura.mail@gmail.com
> CC: secureshell@securityfocus.com
> Subject: Re: Cannot connect from outside the local network
>
> Did you check these?
>
> the default gateway
> the windows firewall
>
> If need be, grab a copy of wireshark and see if the packets from the
> other subnet are getting to the machine.
>
> rgt
>
> On 06/21/2010 11:25 PM, Amy wrote:
>> Hello,
>>
>> I installed OpenSSH version 5.5p1 in Cygwin. Everything works fine if
>> I try to connect from inside the local network but if I try to connect
>> from an external network I'm not able to.
>>
>> The service does not appear to receive the connection:
>>
>> debug1: sshd version OpenSSH_5.5p1
>> debug1: read PEM private key done: type RSA
>> debug1: private host key: #0 type 1 RSA
>> debug1: read PEM private key done: type DSA
>> debug1: private host key: #1 type 2 DSA
>> debug1: rexec_argv[0]='/usr/sbin/sshd'
>> debug1: rexec_argv[1]='-d'
>> debug1: Bind to port 10122 on 0.0.0.0.
>> Server listening on 0.0.0.0 port 10122.
>>
>> I have already verified the hosts.allow and hosts.deny files and they
>> are correct; also, the ports are open in the firewall.
>>
>> This is the sshd_config:
>>
>> ---------------------------------------------------
>> # $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $
>>
>> # This is the sshd server system-wide configuration file. See
>> # sshd_config(5) for more information.
>>
>> # This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin
>>
>> # The strategy used for options in the default sshd_config shipped with
>> # OpenSSH is to specify options with their default value where
>> # possible, but leave them commented. Uncommented options change a
>> # default value.
>>
>> Port 10122
>> #AddressFamily any
>> ListenAddress 0.0.0.0
>> #ListenAddress ::
>>
>> # The default requires explicit activation of protocol 1
>> #Protocol 2
>>
>> # HostKey for protocol version 1
>> #HostKey /etc/ssh_host_key
>> # HostKeys for protocol version 2
>> #HostKey /etc/ssh_host_rsa_key
>> #HostKey /etc/ssh_host_dsa_key
>>
>> # Lifetime and size of ephemeral version 1 server key
>> #KeyRegenerationInterval 1h
>> #ServerKeyBits 1024
>>
>> # Logging
>> # obsoletes QuietMode and FascistLogging
>> #SyslogFacility AUTH
>> #LogLevel INFO
>>
>> # Authentication:
>>
>> #LoginGraceTime 2m
>> #PermitRootLogin yes
>> StrictModes no
>> #MaxAuthTries 6
>> #MaxSessions 10
>>
>> #RSAAuthentication yes
>> #PubkeyAuthentication yes
>> #AuthorizedKeysFile .ssh/authorized_keys
>>
>> # For this to work you will also need host keys in /etc/ssh_known_hosts
>> #RhostsRSAAuthentication no
>> # similar for protocol version 2
>> #HostbasedAuthentication no
>> # Change to yes if you don't trust ~/.ssh/known_hosts for
>> # RhostsRSAAuthentication and HostbasedAuthentication
>> #IgnoreUserKnownHosts no
>> # Don't read the user's ~/.rhosts and ~/.shosts files
>> #IgnoreRhosts yes
>>
>> # To disable tunneled clear text passwords, change to no here!
>> #PasswordAuthentication yes
>> #PermitEmptyPasswords no
>>
>> # Change to no to disable s/key passwords
>> #ChallengeResponseAuthentication yes
>>
>> # Kerberos options
>> #KerberosAuthentication no
>> #KerberosOrLocalPasswd yes
>> #KerberosTicketCleanup yes
>> #KerberosGetAFSToken no
>>
>> # GSSAPI options
>> #GSSAPIAuthentication no
>> #GSSAPICleanupCredentials yes
>>
>> # Set this to 'yes' to enable PAM authentication, account processing,
>> # and session processing. If this is enabled, PAM authentication will
>> # be allowed through the ChallengeResponseAuthentication and
>> # PasswordAuthentication. Depending on your PAM configuration,
>> # PAM authentication via ChallengeResponseAuthentication may bypass
>> # the setting of "PermitRootLogin without-password".
>> # If you just want the PAM account and session checks to run without
>> # PAM authentication, then enable this but set PasswordAuthentication
>> # and ChallengeResponseAuthentication to 'no'.
>> #UsePAM no
>>
>> #AllowAgentForwarding yes
>> #AllowTcpForwarding yes
>> #GatewayPorts no
>> #X11Forwarding no
>> #X11DisplayOffset 10
>> #X11UseLocalhost yes
>> #PrintMotd yes
>> #PrintLastLog yes
>> #TCPKeepAlive yes
>> #UseLogin no
>> UsePrivilegeSeparation yes
>> #PermitUserEnvironment no
>> #Compression delayed
>> #ClientAliveInterval 0
>> #ClientAliveCountMax 3
>> #UseDNS yes
>> #PidFile /var/run/sshd.pid
>> #MaxStartups 10
>> #PermitTunnel no
>> #ChrootDirectory none
>>
>> # no default banner path
>> #Banner none
>>
>> # override default of no subsystems
>> Subsystem sftp /usr/sbin/sftp-server
>>
>> # Example of overriding settings on a per-user basis
>> #Match User anoncvs
>> # X11Forwarding no
>> # AllowTcpForwarding no
>> # ForceCommand cvs server
>> -------------------------------------------------------
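
The port check suggested in the reply above, as an added example that is not part of the original thread: a Python probe, run from the external client, that tells a silently dropped connection apart from a refused one and from a live sshd. The names `probe` and `HINTS`, the hint texts and the command-line handling are assumptions made for this example; port 10122 is the one from the posted sshd_config.

```python
import socket
import sys

# Reading of each outcome for the situation in this thread (added interpretation).
HINTS = {
    "banner": "sshd answered; continue with the ssh client's -vv output",
    "open": "a listener accepted but sent no SSH banner; the forward may point elsewhere",
    "refused": "a reset came back: no forward on the router, or nothing listens at its target",
    "filtered": "no reply at all: packets are dropped on the way, which matches sshd -d logging nothing",
    "error": "name resolution or routing failed before any packet reached the port",
}

def probe(host, port, timeout=5.0):
    """Make one TCP connection attempt and classify the result as (state, detail)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused", "connection reset by peer or gateway"
    except socket.timeout:
        return "filtered", "no SYN-ACK within %.1fs" % timeout
    except OSError as exc:
        return "error", str(exc)
    with sock:
        try:
            # An SSH server sends its identification string first, unprompted.
            data = sock.recv(255)
        except OSError:  # includes a read timeout
            data = b""
    line = data.split(b"\n", 1)[0].strip().decode("ascii", "replace")
    if line.startswith("SSH-"):
        return "banner", line
    return "open", line or "no data"

if __name__ == "__main__":
    # Usage: python probe.py <host> [port]; the port defaults to the thread's 10122.
    if len(sys.argv) < 2:
        sys.exit("usage: probe.py host [port]")
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 10122
    state, detail = probe(sys.argv[1], target_port)
    print("%s:%d %s (%s)" % (sys.argv[1], target_port, state, detail))
    print("hint: " + HINTS[state])
```

Running it once from inside the LAN and once from outside shows at which hop the behaviour changes.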
