Re: OpenBSD2.9 ssh to OpenBSD3.0 sshd - Secure connection to <ipaddress> refused.

From: Richard E. Silverman (slade@shore.net)
Date: 02/16/02


From: slade@shore.net (Richard E. Silverman)
Date: 15 Feb 2002 21:08:13 -0500


>>>>> "fsh" == fsh <fsh@sdnet.org> writes:

    fsh> Actually, I think ssh is communicating but sending information
    fsh> that sshd can't understand, therefore sending a TCP reset.

No; the packet trace you posted shows that this is not what's happening
(and your suggestion indicates that you need to review how TCP works).
The client sends a SYN to start the TCP handshake; the server sends an
immediate RST -- this happens several times as the client retries before
giving up. No connection is ever set up, no application data are
exchanged, and the listening process (sshd) is completely unaware of these
events. This is consistent with your report that there are no verbose
messages from sshd during this test. If you want more direct
confirmation, ktrace sshd while this is happening -- you will see that it
does not get woken up from io sleep.

    fsh> I also stated that if I ssh from the localhost it works fine -
    fsh> indicating sshd is listening on port 22.

I know, and I did not write anything inconsistent with that. The RST
reply is, as a matter of protocol, an indication that the socket is
closed. However, there are other reasons why this could happen besides
that nothing is actually listening, and I suggested one: an intervening
firewall sending masqueraded RSTs. Also, you did not say exactly how you
conducted your same-host test. "ssh localhost" and "ssh hostname" would,
for example, test completely different listening sockets. And still, your
sshd might not be listening on the right protocol -- OpenBSD supports both
IPv4 and IPv6. Perhaps for some reason, sshd is only listening on the
4-in-6 socket, and your local test is using that one. Check with netstat
-a or lsof to see if that's the case. You might try "ListenAddress
0.0.0.0" or "ListenAddress <real IP address>" and see if it makes a
difference.

-- 
  Richard Silverman
  slade@shore.net
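The two checks the reply recommends, written out as an added example (this is not code from the post or from OpenSSH): parse "netstat -an" output to see which address families actually have a LISTEN socket on the sshd port, and connect to each address a hostname resolves to with its own socket so that an IPv4-only or IPv6-only listener shows up as such. A SYN answered by an immediate RST surfaces to a client as ECONNREFUSED; a SYN that is dropped surfaces as a timeout. The netstat text below is constructed in OpenBSD style (local address as addr.port, "*" for wildcard); real column layout varies between systems, and the function names are this example's own.

```python
"""Diagnose 'connection refused' on an sshd port from the client side.

Added example, not the post author's code.  SAMPLE_NETSTAT is a constructed
fragment of OpenBSD-style 'netstat -an' output in which the only sshd
listener is the IPv6 wildcard socket.
"""
import socket

SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto   Recv-Q Send-Q  Local Address          Foreign Address        (state)
tcp        0      0  127.0.0.1.25           *.*                    LISTEN
tcp6       0      0  *.22                   *.*                    LISTEN
tcp        0      0  10.0.0.5.22            10.0.0.9.1034          ESTABLISHED
"""


def parse_listeners(netstat_text, port):
    """Return {proto: [local address, ...]} for LISTEN sockets on `port`.

    Local addresses look like '*.22', '127.0.0.1.22' or '::1.22'; the port
    is the text after the last '.', which is unambiguous for both families.
    """
    listeners = {}
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] not in ("tcp", "tcp6") or fields[-1] != "LISTEN":
            continue
        addr, _, lport = fields[3].rpartition(".")
        if lport == str(port):
            listeners.setdefault(fields[0], []).append(addr)
    return listeners


def diagnose(listeners):
    """Map the netstat view onto the cases the post raises."""
    if not listeners:
        return "none"            # nothing bound: an RST for every SYN is expected
    if "tcp" not in listeners:
        return "v6-only"         # IPv4 clients reach it only if the OS maps v4 into the v6 socket
    if all(a.startswith("127.") for a in listeners["tcp"]):
        return "loopback-only"   # 'ssh localhost' works, a remote client gets RST
    return "ok"                  # an IPv4 listener on a wildcard or real address exists


def probe(host, port, timeout=3.0):
    """Connect to every address `host` resolves to, one socket each.

    'refused' means the SYN was answered with RST (by the kernel, or by
    something in the path spoofing the server); 'timeout' means the SYN was
    dropped or never answered; 'open' means the three-way handshake completed.
    """
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return {host: "unresolved"}
    verdicts = {}
    for family, socktype, proto, _, sockaddr in infos:
        s = socket.socket(family, socktype, proto)
        s.settimeout(timeout)
        try:
            s.connect(sockaddr)
            verdict = "open"
        except ConnectionRefusedError:
            verdict = "refused"
        except socket.timeout:
            verdict = "timeout"
        except OSError as e:
            verdict = "error:%s" % (e.strerror or e.errno)
        finally:
            s.close()
        verdicts[sockaddr[0]] = verdict
    return verdicts


def demo_local_listener():
    """Bind a throwaway IPv4 listener on loopback, probe it, close it and
    probe again: the second probe reproduces the 'SYN answered with RST' case."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    while_open = probe("127.0.0.1", port)["127.0.0.1"]
    srv.close()
    after_close = probe("127.0.0.1", port)["127.0.0.1"]
    return while_open, after_close


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT, 22)
    print("listeners on port 22:", found, "->", diagnose(found))
    print("loopback probe while open / after close:", demo_local_listener())
```

Run against the constructed sample, port 22 comes back "v6-only", which is the situation the reply describes: a same-host test that happens to resolve to the IPv6 socket succeeds while an IPv4 client gets RSTs. Running probe() on the real hostname and on "localhost" separately shows whether the two tests were ever talking to the same socket.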


