SSH-Login via LAN ok, WAN fails (OpenSSH Windows, SecureCRT)

From: GogSSH (gogssh_at_centermail.net)
Date: 06/14/03


Date: Sat, 14 Jun 2003 18:30:22 +0200

Hi Group,

I am stuck with a very strange problem concerning
connecting SecureCRT 3.4.5 to an OpenSSH for Windows
v3.5p1-3 server with Public Key Authorisation.

I have the correct keys installed on client and on
server side (although I am absolutely not sure why
SecureCRT doesn't give a sh*t whether I give it the
path to the public or private key; both seem to work).

I have two XP PCs on my LAN, and I can log in from one PC
(the client) to the OpenSSH server without any problems
via the internet.
These two PCs connect to the internet through a PIX
firewall and a Cisco 1721 for ADSL.

I have a third PC connected to the internet via ISDN
(Win2k). If I want to log in from this ISDN-PC to the
OpenSSH server via internet, the connection is being
established to a certain point: the client sends a
"KEXDH_GEX_REQUEST" segment to the server - and after
the 120 seconds idle timeout the connection is FINed.

Server ------|
             } -- PIX -- Cisco 1721 -- [internet] --|
LAN Client --|                                      |
                                                    |
                                                    |
                                                    |
WAN Client -- ISDN card -------------- [internet] --|

I think I can exclude networking problems up to the
fourth layer; otherwise SSH packets could not be
exchanged.

I have been reading OpenSSH's manuals, SecureCRT manuals,
Cisco manuals, newsgroups and Google search results, and
I have been trying different SSH clients (i.e., PuTTY)
for over one week now and I haven't got a step forward.

I'll give you traces and config details below; I will really
appreciate any kind of hint or help!

Thank you very much in advance,

NiM

Secure CRT trace (WAN client)
 SecureCRT - Version 3.4.5
 [SSH LOCAL ONLY] : SecureCRT(3.4.5) : Using SSH2Core v2.0.0.11
 [SSH LOCAL ONLY] : State Change: SSH_STATE_UNINITIALIZED->SSH_STATE_CONNECTING
 [SSH LOCAL ONLY] : State Change: SSH_STATE_CONNECTING->SSH_STATE_EXPECT_IDENTIFIER
 [SSH LOCAL ONLY] : connected
 [SSH LOCAL ONLY] : RECV : Remote Identifier = "SSH-2.0-OpenSSH_3.6.1p1"
 [SSH LOCAL ONLY] : CAP : Remote can re-key
 [SSH LOCAL ONLY] : CAP : Remote sends language in password change requests
 [SSH LOCAL ONLY] : CAP : Remote sends algorithm name in PK_OK packets
 [SSH LOCAL ONLY] : CAP : Remote sends algorithm name in public key packets
 [SSH LOCAL ONLY] : CAP : Remote sends algorithm name in signatures
 [SSH LOCAL ONLY] : CAP : Remote sends error text in open failure packets
 [SSH LOCAL ONLY] : CAP : Remote sends name in service accept packets
 [SSH LOCAL ONLY] : CAP : Remote includes port number in x11 open packets
 [SSH LOCAL ONLY] : CAP : Remote uses 160 bit keys for SHA1 MAC
 [SSH LOCAL ONLY] : CAP : Remote supports new diffie-hellman group exchange messages
 [SSH LOCAL ONLY] : CAP : Remote is IETF-DRAFT compliant
 [SSH LOCAL ONLY] : SEND : KEXINIT
 [SSH LOCAL ONLY] : State Change: SSH_STATE_EXPECT_IDENTIFIER->SSH_STATE_INITIAL_KEYEXCHANGE
 [SSH LOCAL ONLY] : RECV : Read kexinit
 [SSH LOCAL ONLY] : Kex Method = diffie-hellman-group-exchange-sha1
 [SSH LOCAL ONLY] : Host Key Algo = ssh-dss
 [SSH LOCAL ONLY] : Send Cipher = aes128-cbc
 [SSH LOCAL ONLY] : Recv Cipher = aes128-cbc
 [SSH LOCAL ONLY] : Send Mac = hmac-md5
 [SSH LOCAL ONLY] : Recv Mac = hmac-md5
 [SSH LOCAL ONLY] : Compressor = none
 [SSH LOCAL ONLY] : Decompressor = none
 [SSH LOCAL ONLY] : SEND : KEXDH_GEX_REQUEST
 *** it keeps stuck for 120 sec (connection timeout) here

Cisco 1721 configuration details
 ip nat inside source list 10 interface Dialer10 overload
 ip nat inside source static tcp 172.16.73.101 22 interface Dialer10 22

Cisco 1721 NAT translation table before trying to log in
 Cisco1721#clear ip nat trans *
 Cisco1721#sho ip nat trans
 Pro Inside global      Inside local       Outside local       Outside global
 tcp 80.140.83.1:22     172.16.73.101:22   ---                 ---
 Cisco1721#

Cisco 1721 NAT translation table while/after trying to log in
 Cisco1721#sho ip nat trans
 Pro Inside global      Inside local       Outside local       Outside global
 tcp 80.140.83.1:22     172.16.73.101:22   212.223.101.49:2645 212.223.101.49:2645
 tcp 80.140.83.1:22     172.16.73.101:22   ---                 ---

pixfirewall
 access-list 100 permit tcp any host 172.16.73.101 eq ssh
 static (inside,outside) 172.16.73.101 192.168.73.1 netmask 255.255.255.255 0 0

Windows XP OpenSSH server
netstat -a before trying to log in
 TCP 192.168.73.1:22 192.168.73.1:0 LISTEN

netstat -a while/after trying to log in
 TCP 192.168.73.1:22 192.168.73.1:0 LISTEN
 TCP 192.168.73.1:22 212.223.x.y:4684 ESTABLISHED

sshd debug
 C:\Programme\OpenSSH\bin>..\usr\sbin\sshd -d -d -d
 debug2: read_server_config: filename /etc/sshd_config
 debug1: sshd version OpenSSH_3.6.1p1
 debug3: Not a RSA1 key file /etc/ssh_host_rsa_key.
 debug1: read PEM private key done: type RSA
 debug1: private host key: #0 type 1 RSA
 debug3: Not a RSA1 key file /etc/ssh_host_dsa_key.
 debug1: read PEM private key done: type DSA
 debug1: private host key: #1 type 2 DSA
 debug1: Bind to port 22 on 192.168.73.1.
 # I have set it back to 0.0.0.0 already, but it didn't help
 Server listening on 192.168.73.1 port 22.
 debug1: Server will not fork when running in debugging mode.
 Connection from 212.223.x.y port 2052
 debug1: Client protocol version 2.0; client software version 3.4.5 SecureCRT
 debug1: no match: 3.4.5 SecureCRT
 debug1: Enabling compatibility mode for protocol 2.0
 debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1
 debug1: list_hostkey_types: ssh-rsa,ssh-dss
 debug1: SSH2_MSG_KEXINIT sent

sshd_config
 # This is the sshd server system-wide configuration file. See
 # sshd_config(5) for more information.

 # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

 # The strategy used for options in the default sshd_config shipped with
 # OpenSSH is to specify options with their default value where
 # possible, but leave them commented. Uncommented options change a
 # default value.

 Port 22
 Protocol 2
 #ListenAddress 0.0.0.0
 #ListenAddress ::

 # HostKey for protocol version 1
 #HostKey ${SYSCONFDIR}/ssh_host_key
 # HostKeys for protocol version 2
 #HostKey ${SYSCONFDIR}/ssh_host_rsa_key
 #HostKey ${SYSCONFDIR}/ssh_host_dsa_key

 # Lifetime and size of ephemeral version 1 server key
 #KeyRegenerationInterval 3600
 #ServerKeyBits 768

 # Logging
 #obsoletes QuietMode and FascistLogging
 #LogLevel was INFO
 SyslogFacility AUTH
 LogLevel DEBUG

 # Authentication:

 #LoginGraceTime 120
 PermitRootLogin yes

 # The following setting overrides permission checks on host key files
 # and directories. For security reasons set this to "yes" when running
 # NT/W2K, NTFS and CYGWIN=ntsec.
 # there are errors while logging in, so I set this to no
 StrictModes no

 RSAAuthentication no
 #PubkeyAuthentication yes
 #AuthorizedKeysFile .ssh/authorized_keys

 # rhosts authentication should not be used
 RhostsAuthentication no

 # Don't read the user's ~/.rhosts and ~/.shosts files
 IgnoreRhosts yes

 # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
 RhostsRSAAuthentication no

 # similar for protocol version 2
 #HostbasedAuthentication no

 # Change to yes if you don't trust ~/.ssh/known_hosts for
 # RhostsRSAAuthentication and HostbasedAuthentication
 IgnoreUserKnownHosts no

 # To disable tunneled clear text passwords, change to no here!
 PasswordAuthentication yes

 #PermitEmptyPasswords no

 # Change to no to disable s/key passwords
 #ChallengeResponseAuthentication yes

 #X11Forwarding no
 #X11DisplayOffset 10
 #X11UseLocalhost yes
 #PrintMotd yes
 #PrintLastLog yes
 #KeepAlive yes
 #UseLogin no
 UsePrivilegeSeparation no
 #PermitUserEnvironment no
 #Compression yes

 MaxStartups 10:30:60

 # no default banner path
 Banner /etc/banner.txt
 #VerifyReverseMapping no

 # override default of no subsystems
 Subsystem sftp /usr/sbin/sftp-server
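
An added example, not part of the original post: a small Python script that lines up the two traces quoted above and reports the first handshake message that one side logged sending but the other side never logged receiving. The two sshd "received" patterns are assumptions about its debug output, since no such line appears in the posted trace.

```python
import re

# Handshake lines copied from the two traces in the post.
CLIENT_TRACE = """\
[SSH LOCAL ONLY] : RECV : Remote Identifier = "SSH-2.0-OpenSSH_3.6.1p1"
[SSH LOCAL ONLY] : SEND : KEXINIT
[SSH LOCAL ONLY] : RECV : Read kexinit
[SSH LOCAL ONLY] : SEND : KEXDH_GEX_REQUEST
"""
SERVER_TRACE = """\
debug1: Client protocol version 2.0; client software version 3.4.5 SecureCRT
debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1
debug1: SSH2_MSG_KEXINIT sent
"""
CLIENT_RULES = [
    (r"RECV : Remote Identifier", ("recv", "IDENT")),
    (r"SEND : KEXINIT", ("send", "KEXINIT")),
    (r"RECV : Read kexinit", ("recv", "KEXINIT")),
    (r"SEND : KEXDH_GEX_REQUEST", ("send", "GEX_REQUEST")),
]
SERVER_RULES = [
    (r"Local version string", ("send", "IDENT")),
    (r"Client protocol version", ("recv", "IDENT")),
    (r"SSH2_MSG_KEXINIT sent", ("send", "KEXINIT")),
    # Assumption: wording of sshd's receive-side debug lines (not on the page).
    (r"SSH2_MSG_KEXINIT received", ("recv", "KEXINIT")),
    (r"SSH2_MSG_KEX_DH_GEX_REQUEST received", ("recv", "GEX_REQUEST")),
]
# Messages in the order they cross the wire, with the side that sends each.
ORDER = [("server", "IDENT"), ("server", "KEXINIT"),
         ("client", "KEXINIT"), ("client", "GEX_REQUEST")]

def events(trace, rules):
    """Return the set of (direction, message) events found in a trace."""
    return {event for line in trace.splitlines()
            for pattern, event in rules if re.search(pattern, line)}

def first_unconfirmed(client_trace, server_trace):
    """First message a side logged sending that its peer never logged receiving."""
    logs = {"client": events(client_trace, CLIENT_RULES),
            "server": events(server_trace, SERVER_RULES)}
    for sender, msg in ORDER:
        peer = "server" if sender == "client" else "client"
        if ("send", msg) in logs[sender] and ("recv", msg) not in logs[peer]:
            return sender, msg
    return None

if __name__ == "__main__":
    print(first_unconfirmed(CLIENT_TRACE, SERVER_TRACE))
```

On the traces as posted this reports the client's KEXINIT, not KEXDH_GEX_REQUEST, as the first message with no matching receive line on the server side.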


