Re: [7.0-Beta] can no longer ssh into just upgraded host

From: Stefan Lambrev <stefan.lambrev_at_moneybookers.com>
Date: Sat, 27 Oct 2007 13:03:46 +0300

Hi Rob,

Rob Zietlow wrote:
> Hello,
>
> A google for the error messages hasn't turned up so I turn to you mailing
> lists.
>
> I have recently upgraded to RELENG_7.  (Oct 26th 13:03) Ever since then I am
> no longer able to ssh into the upgraded host from outside my local subnet.
> This has been tested coming from OSX, Linux, openbsd and Solaris 8-10.
>
> From the host to the server I see the following.
>
> #ssh -vv 192.168.8.163
> OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 192.168.8.163 [192.168.8.163] port 22.
> debug1: Connection established.
> debug1: identity file /home/$USER/.ssh/identity type -1
> debug1: identity file /home/$USER/.ssh/id_rsa type -1
> debug1: identity file /home/$USER/.ssh/id_dsa type -1
> ssh_exchange_identification: read: Connection reset by peer
> #
>
>   
Do you have active PF on the FreeBSD hosts?
I see a similar error with my ssh every time I misconfigure pf.conf :)

If you have a "pass out keep state" rule, but do not have "pass in keep
state" (and you are not blocking port 22),
then when you connect to the hosts the first packets are passed, but then pf
creates a wrong state (from server to client),
which really pisses off openssh and it just stops working (I didn't dig enough
to see why).

You can look for "connection timed out on freebsd 7.0" in the -stable
mailing list for other possible network problems,
but I think your RELENG_7 from 26th Oct should be fixed already.

> I get this if the keys exist in ~/.ssh/known_hosts or not.
>
>
> I get this on all of the hosts connecting to the new 7.0 server
>
> On the server i see the following.
>
> /var/log/auth
> Oct 26 13:32:27 dhcp11 sshd[1013]: Did not receive identification string
> from 192.168.3.132
>
> I compared an /etc/ssh/sshd_config from a working 6.2 host and my 7 host and
> they are identical (empty lines removed)
> dhcp11# grep -v # /etc/ssh/sshd_config
> DSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile      .ssh/authorized_keys
> Subsystem       sftp    /usr/libexec/sftp-server
>
> Here is /etc/hosts.allow
> dhcp11# grep -v # /etc/hosts.allow (empty lines removed again)
> ALL : ALL : allow
> sendmail : ALL : allow
> ftpd : ALL : allow
>
> sshd in debugging mode.
>
> dhcp11# /usr/sbin/sshd -ddddddd
> debug2: load_server_config: filename /etc/ssh/sshd_config
> debug2: load_server_config: done config len = 249
> debug2: parse_server_config: config /etc/ssh/sshd_config len 249
> debug3: /etc/ssh/sshd_config:111 setting Subsystem sftp
> /usr/libexec/sftp-server
> debug3: /etc/ssh/sshd_config:118 setting DSAAuthentication yes
> debug3: /etc/ssh/sshd_config:119 setting PubkeyAuthentication yes
> debug3: /etc/ssh/sshd_config:120 setting AuthorizedKeysFile
> .ssh/authorized_keys
> debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #0 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-ddddddd'
> debug2: fd 3 setting O_NONBLOCK
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug1: fd 4 clearing O_NONBLOCK
> debug1: Server will not fork when running in debugging mode.
> debug3: send_rexec_state: entering fd = 7 config len 249
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
> debug1: inetd sockets after dupping: 3, 3
> debug1: res_init()
> Connection from 192.168.3.132 port 39685
> Did not receive identification string from 192.168.3.132
>
> DNS queries forward and reverse resolve the hostnames I am ssh-ing in from.
>
> Any other suggestions as I have run out of ideas and google isn't as helpful
> at this point, unless I have overlooked something.
Received on Sat Oct 27 2007 - 08:04:04 UTC
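
The rule pattern described in the reply (a stateful "pass out" with no stateful inbound rule) can be checked for mechanically. The following is an added example, not part of the original message or of pf; it assumes state is kept only when a rule says so explicitly, does not expand macros or brace lists, and uses constructed rulesets with a placeholder interface name (em0).

```python
import re

# Explicit state keywords only (assumption: a rule without one is stateless).
STATE_RE = re.compile(r"\b(?:keep|modulate|synproxy)\s+state\b")

def parse_pass_rules(text):
    """Return (direction, stateful, rule) per 'pass' rule; direction is in/out/both."""
    rules = []
    text = text.replace("\\\n", " ")          # join backslash-continued lines
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments
        tokens = line.split()
        if not tokens or tokens[0] != "pass":
            continue
        # A pass rule with no direction keyword applies to both directions.
        direction = tokens[1] if len(tokens) > 1 and tokens[1] in ("in", "out") else "both"
        rules.append((direction, bool(STATE_RE.search(line)), line))
    return rules

def state_asymmetry(text):
    """Stateful 'pass out' rules when no stateful rule covers inbound traffic, else []."""
    rules = parse_pass_rules(text)
    if any(stateful for d, stateful, _ in rules if d in ("in", "both")):
        return []
    return [rule for d, stateful, rule in rules if d == "out" and stateful]

# Constructed sample rulesets; em0 is a placeholder interface name.
BROKEN = """\
# inbound ssh is passed, but without state
pass in on em0 proto tcp from any to any port 22
pass out keep state
"""
FIXED = """\
pass in on em0 proto tcp from any to any port 22 keep state
pass out keep state
"""

if __name__ == "__main__":
    for name, conf in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        hits = state_asymmetry(conf)
        print(name, "->", hits if hits else "no asymmetry found")
```
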
