openssh - setup and usage


Posted by dokman (Elite member, Posts: 362, Joined: 15 Jul 2007, 03:58, Location: Beograd) on 17 Jul 2013, 12:00


Hello everyone!

As the title says, I need help setting up openssh.

On the desktop machine there is slack (the OS itself is less important) and it is the machine I want to log in to over ssh; on the laptop there is arch and it is the client I want to log in from.

Both systems have openssh installed and the daemons are running; I tried logging in locally

Code:

ssh warrior@192.168.1.2
and that works, it goes through, but the problem is when I want to log in over the internet using the IP address.

Code:

ssh -vvv warrior@moja_IP -p 22
OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to moja_IP [moja_IP] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/id_rsa type -1
debug1: identity file /home/username/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/username/.ssh/id_dsa" as a RSA1 public key
debug1: identity file /home/username/.ssh/id_dsa type 2
debug1: identity file /home/username/.ssh/id_dsa-cert type -1
debug1: identity file /home/username/.ssh/id_ecdsa type -1
debug1: identity file /home/username/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version dropbear_0.46
debug1: no match: dropbear_0.46
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "moja_IP" from file "/home/username/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: 
debug2: kex_parse_kexinit: first_kex_follows 0 
debug2: kex_parse_kexinit: reserved 0 
debug2: mac_setup: found hmac-md5
debug1: kex: server->client 3des-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server 3des-cbc hmac-md5 none
debug2: dh_gen_key: priv key bits set: 187/384
debug2: bits set: 509/1024
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
Connection closed by moja_IP
I have been trying to find a solution for about 20 days now, with no luck.
I suspect my ports are not open, but I am not sure that is the issue; I scanned my IP through http://www.yougetsignal.com/tools/open-ports/ and it told me port 22 is closed, even though I forwarded the port on the router.
The command

Code:

lsof -i
gave output with some 15 or so ports used by various programs; I tried all of those ports through the site mentioned above, and only one port, used by skype, was open.
Today I tried putting that port into the ssh command

Code:

ssh -vvv warrior@moj_IP -p 15567
OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 20: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to moj_IP [moj_IP] port 15567.
debug1: connect to address moj_IP port 15567: Connection refused
ssh: connect to host moj_IP port 15567: Connection refused
The settings are as follows:
on the slack machine
ssh_config

Code:

Host *
ForwardAgent no
ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
BatchMode no
CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
StrictHostKeyChecking no
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
Port 22
Protocol 2
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
sshd_config

Code:

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 1m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 3
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
on the arch machine
ssh_config

Code:

Host *
ForwardAgent no
ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
BatchMode no
CheckHostIP yes
#   AddressFamily any
#   ConnectTimeout 0
StrictHostKeyChecking no
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
Port 22
Protocol 2
#   Cipher 3des
#   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VisualHostKey no
#   ProxyCommand ssh -q -W %h:%p gateway.example.com
sshd_config

Code:

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

LoginGraceTime 1m
PermitRootLogin no
#StrictModes yes
MaxAuthTries 3
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing, 
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation sandbox		# Default for new installations.
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
If anyone knows the solution or sees where I am going wrong, feel free to say so.
If you want to win, you must not lose!
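An added example, not part of the post above: the `ssh -vvv` transcript already states who answered (`dropbear_0.46`, while the slack box runs OpenSSH 6.2) and what was negotiated (`3des-cbc`, `hmac-md5`, and, because the server offered nothing but `diffie-hellman-group1-sha1`, that key exchange). The script below pulls exactly those facts out of such a transcript and flags the legacy algorithms, so "did I reach my own sshd, and with what?" is answered without reading sixty debug lines. The sample log is constructed from the lines quoted in the post (name-lists shortened); the list of algorithms treated as weak is my own choice, not anything the thread or OpenSSH defines.

```bash
#!/usr/bin/env bash
# Added example: summarise an `ssh -vvv` transcript and flag legacy algorithms.
# Algorithms treated as weak (my own list; adjust to your policy).
WEAK_ALGOS='diffie-hellman-group1-sha1 3des-cbc arcfour arcfour128 arcfour256 hmac-md5 hmac-md5-96 hmac-sha1-96 ssh-dss'

# ssh_debug_summary <logfile>
# Prints remote=<software>, cipher/mac per direction, the key-exchange method
# the client picks (its first preference that the server also offered) and
# "WEAK <algo>" for every legacy algorithm among them. Exit 1 if any was weak.
ssh_debug_summary() {
    awk -v weak="$WEAK_ALGOS" '
    function flag(a) { if ((a in isweak) && !(a in seen)) { seen[a] = 1; bad = 1; print "WEAK " a } }
    BEGIN { nw = split(weak, w, " "); for (i = 1; i <= nw; i++) isweak[w[i]] = 1; bad = 0; n = 0 }
    /^debug1: Remote protocol version/ { sub(/.*remote software version /, ""); print "remote=" $0 }
    /^debug2: kex_parse_kexinit:/ { n++; sub(/^debug2: kex_parse_kexinit: ?/, ""); prop[n] = $0 }
    /^debug1: kex: (server->client|client->server) / {
        # debug1: kex: <direction> <cipher> <mac> <compression>
        dir = ($3 == "server->client") ? "s2c" : "c2s"
        print "cipher_" dir "=" $4 " mac_" dir "=" $5
        flag($4); flag($5)
    }
    END {
        # Each side sends 10 name-lists followed by first_kex_follows and
        # reserved, so the client kex list is prop[1], the server kex list prop[13].
        if (n >= 13) {
            nc = split(prop[1], c, ","); ns = split(prop[13], s, ",")
            for (i = 1; i <= ns; i++) offered[s[i]] = 1
            for (i = 1; i <= nc; i++) if (c[i] in offered) { kex = c[i]; break }
            print "kex=" kex
            flag(kex)
        }
        exit bad
    }' "$1"
}

# Writes a transcript constructed from the lines quoted in the post above
# (name-lists shortened) to a temp file and prints its path.
write_sample_log() {
    local f
    f=$(mktemp) || return 1
    cat >"$f" <<'EOF'
OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Connecting to moja_IP [moja_IP] port 22.
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version dropbear_0.46
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256,ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: aes128-ctr,aes256-ctr,aes128-cbc,3des-cbc
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: hmac-sha2-256,hmac-md5,hmac-sha1
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: 3des-cbc
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: hmac-sha1,hmac-md5
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit: none
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client 3des-cbc hmac-md5 none
debug1: kex: client->server 3des-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
Connection closed by moja_IP
EOF
    printf '%s\n' "$f"
}

# Stand-alone use:  ssh -vvv user@host 2>&1 | tee ssh.log; ./summary.sh ssh.log
#                   ./summary.sh --demo   (runs on the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    f=$(write_sample_log); ssh_debug_summary "$f"; rm -f "$f"
elif [ -n "${1:-}" ]; then
    ssh_debug_summary "$1"
fi
```

On the sample the script reports `remote=dropbear_0.46`, `kex=diffie-hellman-group1-sha1`, 3DES-CBC with HMAC-MD5 in both directions and three WEAK lines. Two things to take from that: the peer is not the OpenSSH 6.2 that the slack machine runs, and it is an old SSH implementation that a current OpenSSH client would not even be able to talk to, because none of those three algorithms is in the modern default lists.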



Posted by bocke (Administrator, Posts: 4590, Joined: 04 Feb 2011, 20:32, Location: Beograd) on 17 Jul 2013, 18:10


dokman wrote: Hello everyone!
Regards. :)

dokman wrote: Both systems have openssh installed and the daemons are running; I tried logging in locally
ssh warrior@192.168.1.2
and that works, it goes through, but the problem is when I want to log in over the internet using the IP address.

What does "locally" mean? 127.0.0.1?

I can't tell you "where the error is", but what catches my eye is:

an invalid ssh key

Code:

debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/username/.ssh/id_dsa" as a RSA1 public key
the other computer is running dropbear, not openssh

Code:

debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug1: Remote protocol version 2.0, remote software version dropbear_0.46
dokman wrote: If anyone knows the solution or sees where I am going wrong, feel free to say so.
Maybe find a good tutorial and start from scratch. :) The Arch wiki is known as a good source of information for any distro.

Btw, if you are trying to connect within the local network, first check whether ping goes through from one machine to the other. It also matters how the computers are connected and whether there is some intermediary (most likely a router bridging the wireless and wired connection). That is, it is best to first check that the computers "see" each other, so it does not turn out later that the problem is in something else entirely.



Posted by dokman (Elite member, Posts: 362, Joined: 15 Jul 2007, 03:58, Location: Beograd) on 18 Jul 2013, 08:52


@bocke thanks for the reply

"locally" to me means everything behind the router, that is, behind some device that creates its own network and manages it, so to me all addresses from

Code:

192.168.1.*
are local; maybe it is the wrong term, but that is how I understood it. :angel:

When I connect from one computer to the other it works over that address; it lets me in after entering the password.

I thought it would be better to start that way, to make locating the error easier, but apparently not. :cry:

Fine, I am starting from scratch again; can the connection be made without touching anything in the config files, or do some settings have to be made after all?

Code:

debug1: Remote protocol version 2.0, remote software version dropbear_0.46
this is on the slack machine, since it is the remote one in this case; how can I change it so that this is openssh too?

EDIT:
As for ping, I tried that and it returns a positive response, but I cannot check a specific port to be sure the connection will go through on it.



Posted by dokman (Elite member, Posts: 362, Joined: 15 Jul 2007, 03:58, Location: Beograd) on 18 Jul 2013, 12:23


I did the ping from my phone, this is the output

Code:

$ ping -c 3 moj_IP
PING moj_IP (moj_IP) 56(84) bytes of data.
64 bytes from moj_IP: icmp_seq=1 ttl=51 time=1935 ms
64 bytes from moj_IP: icmp_seq=2 ttl=51 time=932 ms
64 bytes from moj_IP: icmp_seq=3 ttl=51 time=62.5 ms

--- moj_IP ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2003ms
rtt min/avg/max/mdev = 62.585/977.012/1935.874/765.412 ms, pipe 2
I get the same output when I ping from arch to slack and vice versa, both over the internet IP and over 192.168.1.*, which should mean the computers see each other.

I deleted everything and reinstalled on both computers; again I can connect over the 192.* address, but when I try over the internet IP

Code:

ssh -vvv username@moj_IP -p 5431
OpenSSH_6.2p2, OpenSSL 1.0.1e 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to moj_IP [moj_IP] port 5431.
debug1: Connection established.
debug1: identity file /home/username/.ssh/id_rsa type -1
debug1: identity file /home/username/.ssh/id_rsa-cert type -1
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: identity file /home/username/.ssh/id_dsa-cert type -1
debug1: identity file /home/username/.ssh/id_ecdsa type -1
debug1: identity file /home/username/.ssh/id_ecdsa-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
ssh_exchange_identification: Connection closed by remote host
all I changed in the sshd_config file is the port and

Code:

PermitRootLogin yes
from yes to no, and of course I restarted the daemon.

EDIT:
I have just logged in via juicessh without any problem; the phone's internet was over GPRS.

Same settings, but with the phone's internet over the wifi connection, I get

Code:

connection closed by remote host
Is that down to my router, or must the client really not be on the same network as the server?



Posted by bocke (Administrator, Posts: 4590, Joined: 04 Feb 2011, 20:32, Location: Beograd) on 21 Jul 2013, 12:08


dokman wrote: Is that down to my router, or must the client really not be on the same network as the server?
Depends on the network configuration. :) The problem is that the network is behind a router. So the problem need not be with one computer or the other; it can also be the router's settings. What you describe is possible if some obscure firewall/NAT rule is enabled on the router. :)

If access is possible from the phone, that is the bush I would be hunting the culprit (the rabbit) in. ;)
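Added example (mine, not bocke's or dokman's code): the four outcomes seen in this thread are exactly what a banner probe reports in one line per target, without starting a key exchange. OpenSSH answers on 192.168.1.2:22; the public IP on port 22 answers with a dropbear banner; port 5431 accepts the TCP connection and then closes it before sending anything (the `ssh_exchange_identification: Connection closed by remote host` case); port 15567 refuses outright. Run the probe from inside the LAN against both the LAN address and the public address, and from outside (the GPRS phone) against the public address. If the public address answers differently from inside than from outside, the router is answering itself rather than forwarding; home routers commonly run their own dropbear sshd, which is a plausible but unconfirmed reading of the `dropbear_0.46` line in the first post. The script needs bash for `/dev/tcp`; function names and the output wording are mine. One caveat the posted configs invite: both `ssh_config` files set `StrictHostKeyChecking no` under `Host *`, so the client silently accepts whatever host key the answering device presents, which removes the only warning you would get that a different box is on the line. The default `ask` is the safer setting.

```bash
#!/usr/bin/env bash
# Added example: find out what answers on host:port before ssh negotiates.
# Needs bash (/dev/tcp); no nc or nmap required.

# ssh_banner <host> <port> [timeout_seconds]
# Prints the peer's first line: an SSH server sends "SSH-<proto>-<software>"
# before anything else. Exit 2: no TCP connection (refused, filtered, not
# forwarded). Exit 3: connected, but the peer closed or stayed silent until
# the timeout, i.e. the "Connection closed by remote host" case.
ssh_banner() {
    local host=$1 port=$2 t=${3:-5} line
    exec 3<>"/dev/tcp/$host/$port" 2>/dev/null || return 2
    if ! read -r -t "$t" line <&3; then
        exec 3<&-
        return 3
    fi
    exec 3<&-
    printf '%s\n' "$line" | tr -d '\r'
}

# classify_banner <banner>
# Maps a version string to who is likely answering (wording is mine).
classify_banner() {
    case "$1" in
        SSH-*-OpenSSH_*)  printf 'openssh %s\n'   "${1#SSH-*-}" ;;
        SSH-*-dropbear*)  printf 'dropbear %s\n'  "${1#SSH-*-}" ;;
        SSH-*)            printf 'other-ssh %s\n' "${1#SSH-*-}" ;;
        '')               printf 'no-banner\n' ;;
        *)                printf 'not-ssh %s\n' "$1" ;;
    esac
}

# ssh_probe <host> <port>: one line describing the outcome for this target.
ssh_probe() {
    local b rc
    b=$(ssh_banner "$1" "$2"); rc=$?
    case $rc in
        0) printf '%s:%s answered: %s\n' "$1" "$2" "$(classify_banner "$b")" ;;
        2) printf '%s:%s no TCP connection (refused, filtered or not forwarded)\n' "$1" "$2" ;;
        *) printf '%s:%s TCP accepted but no SSH banner (peer closed or silent)\n' "$1" "$2" ;;
    esac
}

# Stand-alone use: ./probe.sh 192.168.1.2 22 ; ./probe.sh <public_IP> 22
if [ "$#" -ge 2 ]; then ssh_probe "$1" "$2"; fi
```

Reading the result: `answered: openssh OpenSSH_6.2` is the slack machine; `answered: dropbear dropbear_0.46` means some other device took the connection; `TCP accepted but no SSH banner` means something accepted the port-forward or the router answered and then hung up; `no TCP connection` is the plain closed or unforwarded port that the online port checker also reported. Comparing the line for the public IP from the LAN with the line from the GPRS side is the quickest way to tell a router hairpin problem from an sshd problem.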



Posted by dokman (Elite member, Posts: 362, Joined: 15 Jul 2007, 03:58, Location: Beograd) on 21 Jul 2013, 15:35


Right now I do not have a chance to connect the laptop to a different network and test the connection that way.

If it works from another network, then I will also have to set up protection.
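The "protection" the last post mentions, as an added example that is not part of the thread: the posted sshd_config keeps `PasswordAuthentication yes` on an internet-facing port, and both ssh_config files carry `StrictHostKeyChecking no`. The script below turns a copy of such a file into key-only login for one account (the thread's `warrior` is used as the sample user) and restores host-key prompting on the client. It rewrites the first occurrence of each directive, active or commented out, because sshd and ssh honour the first one they read, and it prints a diff so the weak setting is visible beside the corrected one before anything is installed. `set_directive`, `effective_value`, `harden_sshd_config` and `harden_ssh_config` are my names; the directives themselves are standard OpenSSH keywords.

```bash
#!/usr/bin/env bash
# Added example: rewrite the weak settings of the posted configs to key-only
# login. Works on whatever file it is given; nothing is installed here.

# set_directive <file> <Keyword> <value>
# sshd and ssh use the first occurrence of a keyword, so the first line
# carrying it (active or commented out) is replaced in place; if the keyword
# is absent the directive is appended.
set_directive() {
    local f=$1 key=$2 val=$3 tmp
    tmp=$(mktemp) || return 1
    if grep -Eqi "^[[:space:]]*#?[[:space:]]*$key([[:space:]]|=)" "$f"; then
        awk -v k="$key" -v v="$val" '
            { line = $0; sub(/^[ \t]*#?[ \t]*/, "", line); split(line, p, /[ \t=]+/) }
            !hit && tolower(p[1]) == tolower(k) { print k " " v; hit = 1; next }
            { print }' "$f" >"$tmp"
    else
        { cat "$f"; printf '%s %s\n' "$key" "$val"; } >"$tmp"
    fi
    cat "$tmp" >"$f" && rm -f "$tmp"
}

# effective_value <file> <Keyword>: the value sshd/ssh would use (first active line).
effective_value() {
    awk -v k="$2" '
        /^[ \t]*(#|$)/ { next }
        tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# harden_sshd_config <file> <allowed_user>: server side.
harden_sshd_config() {
    set_directive "$1" Protocol 2
    set_directive "$1" PermitRootLogin no
    set_directive "$1" PubkeyAuthentication yes
    set_directive "$1" PasswordAuthentication no            # posted config: yes
    set_directive "$1" ChallengeResponseAuthentication no   # closes the keyboard-interactive path too
    set_directive "$1" PermitEmptyPasswords no
    set_directive "$1" MaxAuthTries 3
    set_directive "$1" AllowUsers "$2"                      # only this account may even try
}

# harden_ssh_config <file>: client side, restore host-key verification.
harden_ssh_config() {
    set_directive "$1" StrictHostKeyChecking ask            # posted config: no
}

# Stand-alone demo: weak fragments modelled on the thread's configs, before and after.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '%s\n' 'Port 22' 'Protocol 2' 'PermitRootLogin no' 'MaxAuthTries 3' \
        '#PubkeyAuthentication yes' 'PasswordAuthentication yes' \
        '#ChallengeResponseAuthentication yes' >"$d/sshd_config"
    printf '%s\n' 'Host *' 'PasswordAuthentication yes' 'StrictHostKeyChecking no' >"$d/ssh_config"
    cp "$d/sshd_config" "$d/sshd_config.orig"; cp "$d/ssh_config" "$d/ssh_config.orig"
    harden_sshd_config "$d/sshd_config" warrior
    harden_ssh_config "$d/ssh_config"
    diff -u "$d/sshd_config.orig" "$d/sshd_config"; diff -u "$d/ssh_config.orig" "$d/ssh_config"
    rm -rf "$d"
fi
```

Order of operations matters when doing this on the real server: generate a key pair on the client with `ssh-keygen`, put the public key into `~/.ssh/authorized_keys` of the allowed user on the server (`ssh-copy-id` does that while password login still works), check the edited file with `sshd -t -f <file>`, and only then restart sshd while keeping an existing session open, so that a mistake does not lock you out of the box you are trying to protect. The client-side `PasswordAuthentication yes` can stay; it only states what the client is willing to offer.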

