Re: SSH-Login via LAN ok, WAN fails (OpenSSH Windows, SecureCRT)
From: Frank Hoffman (gogssh_at_centermail.net)
Date: 06/19/03
- Previous message: Paul Wilkinson: "Multiple SFTP Directories on SSH server"
- In reply to: GogSSH: "SSH-Login via LAN ok, WAN fails (OpenSSH Windows, SecureCRT)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 19 Jun 2003 01:45:34 +0200
Dear Group,
the problem was solved.
(Btw, thanks for the many, many answers I got).
The problem was Cisco's very special kind of
logic within the PIX software:
static(inside,outside) ip1 ip2 netmask
has *NOTHING* to do with the real INSIDE
IP address or the NATed OUTSIDE IP address.
So you might want to try
static(inside,outside) NAT-IP REAL-IP netmask
Chiasm.
But: there *are* packets going over the net from
source to destination, which makes debugging this
a nightmare.
Bye,
Frank
"GogSSH" <gogssh@centermail.net> wrote in the newsgroup message news:bcfiif$5i0$00$1@news.t-online.com...
> Hi Group,
>
> I am stuck with a very strange problem concerning
> connecting SecureCRT 3.4.5 to an OpenSSH for Windows
> v3.5p1-3 server with Public Key Authorisation.
>
> I have the correct keys installed on client and on
> server side - (whereas I am absolutely not sure, why
> Secure CRT doesn't give a sh*t whether I give it the
> path to the public or private key, both seem to work).
>
> I have two XP PCs on my LAN, and I can log in from one PC
> (the client) to the OpenSSH server without any problems
> via the internet.
> These two PCs connect to the internet through a PIX
> firewall and a Cisco 1721 for ADSL.
>
> I have a third PC connected to the internet via ISDN
> (Win2k). If I want to log in from this ISDN-PC to the
> OpenSSH server via internet, the connection is being
> established to a certain point: the client sends a
> "KEXDH_GEX_REQUEST" segment to the server - and after
> the 120 seconds idle timeout the connection is FINed.
>
> Server ------|
> } -- PIX -- Cisco 1721 -- [internet] --|
> LAN Client --| |
> |
> |
> |
> WAN Client -- ISDN card -------------- [internet] --|
>
>
> I think I can exclude networking problems up to the
> fourth layer; otherwise SSH packets could not be
> exchanged.
>
> I have been reading OpenSSH's manuals, SecureCRT manuals,
> Cisco manuals, newsgroups and Google search results, and
> I have been trying different SSH clients (i. e., Putty)
> for over one week now and I haven't got a step forward.
>
> I'll give you traces and config details below; I will really
> appreciate any kind of hint or help!
>
> Thank you very much in advance,
>
> NiM
>
>
> Secure CRT trace (WAN client)
> SecureCRT - Version 3.4.5
> [SSH LOCAL ONLY] : SecureCRT(3.4.5) : Using SSH2Core v2.0.0.11
> [SSH LOCAL ONLY] : State Change: SSH_STATE_UNINITIALIZED->SSH_STATE_CONNECTING
> [SSH LOCAL ONLY] : State Change: SSH_STATE_CONNECTING->SSH_STATE_EXPECT_IDENTIFIER
> [SSH LOCAL ONLY] : connected
> [SSH LOCAL ONLY] : RECV : Remote Identifier = "SSH-2.0-OpenSSH_3.6.1p1"
> [SSH LOCAL ONLY] : CAP : Remote can re-key
> [SSH LOCAL ONLY] : CAP : Remote sends language in password change requests
> [SSH LOCAL ONLY] : CAP : Remote sends algorithm name in PK_OK packets
> [SSH LOCAL ONLY] : CAP : Remote sends algorithm name in public key packets
> [SSH LOCAL ONLY] : CAP : Remote sends algorithm name in signatures
> [SSH LOCAL ONLY] : CAP : Remote sends error text in open failure packets
> [SSH LOCAL ONLY] : CAP : Remote sends name in service accept packets
> [SSH LOCAL ONLY] : CAP : Remote includes port number in x11 open packets
> [SSH LOCAL ONLY] : CAP : Remote uses 160 bit keys for SHA1 MAC
> [SSH LOCAL ONLY] : CAP : Remote supports new diffie-hellman group exchange messages
> [SSH LOCAL ONLY] : CAP : Remote is IETF-DRAFT compliant
> [SSH LOCAL ONLY] : SEND : KEXINIT
> [SSH LOCAL ONLY] : State Change: SSH_STATE_EXPECT_IDENTIFIER->SSH_STATE_INITIAL_KEYEXCHANGE
> [SSH LOCAL ONLY] : RECV : Read kexinit
> [SSH LOCAL ONLY] : Kex Method = diffie-hellman-group-exchange-sha1
> [SSH LOCAL ONLY] : Host Key Algo = ssh-dss
> [SSH LOCAL ONLY] : Send Cipher = aes128-cbc
> [SSH LOCAL ONLY] : Recv Cipher = aes128-cbc
> [SSH LOCAL ONLY] : Send Mac = hmac-md5
> [SSH LOCAL ONLY] : Recv Mac = hmac-md5
> [SSH LOCAL ONLY] : Compressor = none
> [SSH LOCAL ONLY] : Decompressor = none
> [SSH LOCAL ONLY] : SEND : KEXDH_GEX_REQUEST
> *** it stays stuck for 120 sec (connection timeout) here
>
> Cisco 1721 configuration details
> ip nat inside source list 10 interface Dialer10 overload
> ip nat inside source static tcp 172.16.73.101 22 interface Dialer10 22
>
> Cisco 1721 NAT translation table before trying to log in
> Cisco1721#clear ip nat trans *
> Cisco1721#sho ip nat trans
> Pro Inside global Inside local Outside local Outside global
> tcp 80.140.83.1:22 172.16.73.101:22 --- ---
> Cisco1721#
>
> Cisco 1721 NAT translation table while/after trying to log in
> Cisco1721#sho ip nat trans
> Pro Inside global Inside local Outside local Outside global
> tcp 80.140.83.1:22 172.16.73.101:22 212.223.101.49:2645 212.223.101.49:2645
> tcp 80.140.83.1:22 172.16.73.101:22 --- ---
>
>
>
> pixfirewall
> access-list 100 permit tcp any host 172.16.73.101 eq ssh
> static (inside,outside) 172.16.73.101 192.168.73.1 netmask 255.255.255.255 0 0
>
>
> Windows XP OpenSSH server
> netstat -a before trying to log in
> TCP 192.168.73.1:22 192.168.73.1:0 LISTEN
>
> netstat -a while/after trying to log in
> TCP 192.168.73.1:22 192.168.73.1:0 LISTEN
> TCP 192.168.73.1:22 212.223.x.y:4684 ESTABLISHED
>
>
> sshd debug
> C:\Programme\OpenSSH\bin>..\usr\sbin\sshd -d -d -d
> debug2: read_server_config: filename /etc/sshd_config
> debug1: sshd version OpenSSH_3.6.1p1
> debug3: Not a RSA1 key file /etc/ssh_host_rsa_key.
> debug1: read PEM private key done: type RSA
> debug1: private host key: #0 type 1 RSA
> debug3: Not a RSA1 key file /etc/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #1 type 2 DSA
> debug1: Bind to port 22 on 192.168.73.1.
> # I have set it back to 0.0.0.0 already, but it didn't help
> Server listening on 192.168.73.1 port 22.
> debug1: Server will not fork when running in debugging mode.
> Connection from 212.223.x.y port 2052
> debug1: Client protocol version 2.0; client software version 3.4.5 SecureCRT
> debug1: no match: 3.4.5 SecureCRT
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_3.6.1p1
> debug1: list_hostkey_types: ssh-rsa,ssh-dss
> debug1: SSH2_MSG_KEXINIT sent
>
>
> sshd_config
> # This is the sshd server system-wide configuration file. See
> # sshd_config(5) for more information.
>
> # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
>
> # The strategy used for options in the default sshd_config shipped with
> # OpenSSH is to specify options with their default value where
> # possible, but leave them commented. Uncommented options change a
> # default value.
>
> Port 22
> Protocol 2
> #ListenAddress 0.0.0.0
> #ListenAddress ::
>
> # HostKey for protocol version 1
> #HostKey ${SYSCONFDIR}/ssh_host_key
> # HostKeys for protocol version 2
> #HostKey ${SYSCONFDIR}/ssh_host_rsa_key
> #HostKey ${SYSCONFDIR}/ssh_host_dsa_key
>
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 3600
> #ServerKeyBits 768
>
> # Logging
> #obsoletes QuietMode and FascistLogging
> #LogLevel war INFO
> SyslogFacility AUTH
> LogLevel DEBUG
>
> # Authentication:
>
> #LoginGraceTime 120
> PermitRootLogin yes
>
> # The following setting overrides permission checks on host key files
> # and directories. For security reasons set this to "yes" when running
> # NT/W2K, NTFS and CYGWIN=ntsec.
> # there are errors while logging in, so I set this to no
> StrictModes no
>
> RSAAuthentication no
> #PubkeyAuthentication yes
> #AuthorizedKeysFile .ssh/authorized_keys
>
> # rhosts authentication should not be used
> RhostsAuthentication no
>
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
>
> # For this to work you will also need host keys in ${SYSCONFDIR}/ssh_known_hosts
> RhostsRSAAuthentication no
>
> # similar for protocol version 2
> #HostbasedAuthentication no
>
> # Change to yes if you don't trust ~/.ssh/known_hosts for
> # RhostsRSAAuthentication and HostbasedAuthentication
> IgnoreUserKnownHosts no
>
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
>
> #PermitEmptyPasswords no
>
> # Change to no to disable s/key passwords
> #ChallengeResponseAuthentication yes
>
> #X11Forwarding no
> #X11DisplayOffset 10
> #X11UseLocalhost yes
> #PrintMotd yes
> #PrintLastLog yes
> #KeepAlive yes
> #UseLogin no
> UsePrivilegeSeparation no
> #PermitUserEnvironment no
> #Compression yes
>
> MaxStartups 10:30:60
>
> # no default banner path
> Banner /etc/banner.txt
> #VerifyReverseMapping no
>
> # override default of no subsystems
> Subsystem sftp /usr/sbin/sftp-server
>
>
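An added diagnostic, not part of either poster's message: it lines up the SecureCRT client trace against the sshd debug log to find which key-exchange messages each side actually saw, and so whether the stall is on the client-to-server path (the thread's case, where the client's KEXINIT/KEXDH_GEX_REQUEST never show up as received in sshd's log), on the return path, or local to an endpoint. The sample lines are abridged from the traces quoted above; the `SSH2_MSG_... received` wording for sshd is assumed from OpenSSH's debug output, since the thread only shows the `sent` form.

```python
import re

# Sample input, abridged from the two traces quoted in the thread.
SECURECRT_TRACE = """\
[SSH LOCAL ONLY] : RECV : Remote Identifier = "SSH-2.0-OpenSSH_3.6.1p1"
[SSH LOCAL ONLY] : SEND : KEXINIT
[SSH LOCAL ONLY] : RECV : Read kexinit
[SSH LOCAL ONLY] : Kex Method = diffie-hellman-group-exchange-sha1
[SSH LOCAL ONLY] : SEND : KEXDH_GEX_REQUEST
"""
SSHD_DEBUG = """\
Connection from 212.223.x.y port 2052
debug1: Client protocol version 2.0; client software version 3.4.5 SecureCRT
debug1: SSH2_MSG_KEXINIT sent
"""

CLIENT_RE = re.compile(r": (SEND|RECV) : (.+)$")
# sshd logs each key-exchange packet as 'SSH2_MSG_<name> sent|received' (assumed
# from OpenSSH debug output; the thread only shows the 'sent' form).
SERVER_RE = re.compile(r"debug\d: (SSH2_MSG_\w+) (sent|received)$")


def norm(name):
    """Side-independent token: 'KEXDH_GEX_REQUEST' and 'SSH2_MSG_KEX_DH_GEX_REQUEST'
    both become 'KEXDHGEXREQUEST'; SecureCRT's 'Read kexinit' becomes 'KEXINIT'."""
    return name.upper().replace("SSH2_MSG_", "").replace("READ ", "").replace("_", "")


def client_events(trace):
    """[(direction, message)] for every SEND/RECV line of a SecureCRT trace."""
    return [m.groups() for line in trace.splitlines() if (m := CLIENT_RE.search(line))]


def server_events(log):
    """[(direction, message)] for every SSH2_MSG line of an 'sshd -d' log."""
    return [(m.group(2), m.group(1)) for line in log.splitlines() if (m := SERVER_RE.search(line))]


def diagnose(trace, log):
    """Say where the handshake stalled, judged by what each side last saw."""
    client, server = client_events(trace), server_events(log)
    sent_by_client = [norm(m) for d, m in client if d == "SEND"]
    got_by_server = {norm(m) for d, m in server if d == "received"}
    sent_by_server = [norm(m) for d, m in server if d == "sent"]
    got_by_client = {norm(m) for d, m in client if d == "RECV"}
    if not sent_by_client or not server:
        return "no key-exchange traffic at all: check the TCP path and port forwarding first"
    lost = [m for m in sent_by_client if m not in got_by_server]  # earliest client packet sshd never saw
    if lost:
        return f"forward path: client sent {lost[0]} but sshd never logged receiving it"
    if sent_by_server and sent_by_server[-1] not in got_by_client:
        return f"return path: sshd sent {sent_by_server[-1]} but the client never logged receiving it"
    return "both sides saw every message: the stall is local to an endpoint, not the network"
```

Run `diagnose(SECURECRT_TRACE, SSHD_DEBUG)` to get the thread's verdict; feeding it a server log that does contain `received` lines for the client's packets shifts the verdict to the return path or to an endpoint.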