ssh/scp via wired LAN not working; ping works


Postby MikZ on Sun Apr 28, 2013 2:02 am

G'day people,

I have a new laptop running Mint 14, and I want to scp files from my old Ubuntu Natty Narwhal laptop before I retire it. I've installed openssh-server on the new box and made a couple of changes to sshd_config; details below.

Both machines are connected to the same router which otherwise isn't doing anything, and both have their wireless turned off, so it doesn't interfere with anything. The Mint box, let's call it mint14server, is running gufw, but that's turned off too.

The problem: when I try to ssh to mint14server from my old Natty box, let's call it nattyclient, it times out. But I'm able to ping mint14server, and I'm able to ssh to its IP address from itself. I can't telnet to port 22 from nattyclient, and a traceroute only shows asterisks.

I've included as much diagnostic info as I can think of, and what I've seen asked for in other posts, below. Can anyone suggest what to try next? Any way to find out whether it's an OS issue or a router issue?

mint14server (a Lenovo T430s):

Here are the network details, a successful local session, and my /etc/ssh/sshd_config:

Code:
mint14server:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 3c:97:0e:59:ea:8d 
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: [blah] Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:52141 errors:0 dropped:0 overruns:0 frame:0
          TX packets:93781 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:7579768 (7.5 MB)  TX bytes:8954948 (8.9 MB)
          Interrupt:20 Memory:d2500000-d2520000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: [blah] Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:87510 errors:0 dropped:0 overruns:0 frame:0
          TX packets:87510 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8340701 (8.3 MB)  TX bytes:8340701 (8.3 MB)

usb0      Link encap:Ethernet  HWaddr 02:15:e0:ec:01:00 
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

mint14server:~$ sudo restart ssh
ssh start/running, process 26151

mint14server:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 [blah]
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 3c:97:0e:59:ea:8d brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.1/24 brd 192.168.1.255 scope global eth0
    inet6 [blah] scope link
       valid_lft forever preferred_lft forever
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 24:77:03:d8:aa:6c brd ff:ff:ff:ff:ff:ff
16: usb0: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state UNKNOWN qlen 1000
    link/ether 02:15:e0:ec:01:00 brd ff:ff:ff:ff:ff:ff

mint14server:~$ ip r
default via 192.168.1.254 dev eth0  proto static
169.254.0.0/16 dev eth0  scope link  metric 1000
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.1  metric 1

mint14server:~$ ssh mikz@192.168.1.1
The authenticity of host '192.168.1.1 (192.168.1.1)' can't be established.
ECDSA key fingerprint is [blah].
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.1' (ECDSA) to the list of known hosts.
mikz@192.168.1.1's password:
Welcome to Linux Mint 14 Nadia (GNU/Linux 3.5.0-17-generic x86_64)

Welcome to Linux Mint
 * Documentation:  http://www.linuxmint.com
mikz@mint14server ~ $ exit
logout
Connection to 192.168.1.1 closed.

mint14server:~$ cat /etc/ssh/sshd_config
# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
# following line turned off by mikz 27/04/2013
PermitRootLogin no
StrictModes yes

# following line inserted by mikz 27/04/2013
AllowUsers mikz

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile   %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes


nattyclient (a Lenovo X60s):

Here are the network details, and some attempts to connect to the above server:

Code:
nattyclient:~$ sudo restart network-manager
[sudo] password for mikz:
network-manager start/running, process 986

nattyclient:~$ ifconfig
eth0      Link encap:Ethernet  HWaddr 00:16:d3:3b:af:16 
          inet addr:192.168.1.3  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: [blah] Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:53348 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53796 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:8135585 (8.1 MB)  TX bytes:4989385 (4.9 MB)
          Interrupt:16 Memory:ee000000-ee020000

lo        Link encap:Local Loopback 
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: [blah] Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:495719 errors:0 dropped:0 overruns:0 frame:0
          TX packets:495719 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:42285435 (42.2 MB)  TX bytes:42285435 (42.2 MB)

nattyclient:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 [blah] scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 00:16:d3:3b:af:16 brd ff:ff:ff:ff:ff:ff
    inet 192.168.1.3/24 brd 192.168.1.255 scope global eth0
    inet6 [blah] scope link
       valid_lft forever preferred_lft forever
3: irda0: <NOARP> mtu 2048 qdisc noop state DOWN qlen 8
    link/irda 00:00:00:00 brd ff:ff:ff:ff
4: wlan0: <BROADCAST,MULTICAST> mtu 1500 qdisc mq state DOWN qlen 1000
    link/ether 00:13:02:10:bf:1f brd ff:ff:ff:ff:ff:ff

nattyclient:~$ ip r
192.168.1.0/24 dev eth0  proto kernel  scope link  src 192.168.1.3  metric 1
169.254.0.0/16 dev eth0  scope link  metric 1000
default via 192.168.1.254 dev eth0  proto static

nattyclient:~$ ssh mikz@192.168.1.1
ssh: connect to host 192.168.1.1 port 22: Connection timed out

nattyclient:~$ telnet 192.168.1.1 22
Trying 192.168.1.1...
telnet: Unable to connect to remote host: Connection timed out

nattyclient:~$ ping 192.168.1.1
PING 192.168.1.1 (192.168.1.1) 56(84) bytes of data.
64 bytes from 192.168.1.1: icmp_req=1 ttl=64 time=0.653 ms
64 bytes from 192.168.1.1: icmp_req=2 ttl=64 time=0.414 ms
64 bytes from 192.168.1.1: icmp_req=3 ttl=64 time=0.425 ms
^C
--- 192.168.1.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 1998ms
rtt min/avg/max/mdev = 0.414/0.497/0.653/0.111 ms

nattyclient:~$ traceroute 192.168.1.1
traceroute to 192.168.1.1 (192.168.1.1), 30 hops max, 60 byte packets
 1  * * *
 2  * * *
 3  * * *
 4  * * *
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *
24  * * *
25  * * *
26  * * *
27  * * *
28  * * *
29  * * *
30  * * *
nattyclient:~$


The router (a Billion BiPAC 7800N):

I disabled the wifi, and each machine is connected by an Ethernet cable. I've added port 22 in Configuration → Virtual Server → Port Mapping: the internal and external port are 22, the internal IP address is 192.168.1.1, the time schedule is Always On, and a note says 'Port ranges forwarded internally will be the same as Externally'.

Re: ssh/scp via wired LAN not working; ping works

Postby thinkit_1 on Sun Apr 28, 2013 10:17 am

Hi MikZ,

At first thought, I would check to see if you have the firewall enabled on the lm14 box. If on, you need to set a rule to allow ssh. Quick check would be to disable the firewall and then try to ssh from the natty box.

Re: ssh/scp via wired LAN not working; ping works

Postby MikZ on Sat May 04, 2013 4:35 am

thinkit_1 wrote: Hi MikZ,

At first thought, I would check to see if you have the firewall enabled on the lm14 box. If on, you need to set a rule to allow ssh. Quick check would be to disable the firewall and then try to ssh from the natty box.


Thanks, thinkit_1. I actually did make sure it was turned off—I must've accidentally edited that factoid out of my post.

Other ideas, anyone? Are there network tools other than ping and traceroute I could use to verify the router isn't the problem? All those asterisks look sus to me.

Re: ssh/scp via wired LAN not working; ping works

Postby MikZ on Sun May 05, 2013 4:57 pm

When I booted my Mint box with a live CD, I was able to successfully copy to an unencrypted directory. So the problem was definitely in my Mint setup somewhere. I'll post when I find the solution.

Re: ssh/scp via wired LAN not working; ping works

Postby rlmcc46 on Wed May 15, 2013 12:30 am

Mikz,
I don't know if you are still having the same problem or not, but here is what happened to me.

I upgraded my Fedora 11 laptop to Mint 14.1 with Mate DE. I left my Fedora 11 desktop alone as it was.
I got the laptop all loaded up, then started trying to set up my rsync scripts. Oops, no ssh from desktop to laptop. I could ssh from laptop to desktop, but not vice-versa. Got to looking around in /var/log. Found a file called auth.log.
It kept telling me that hosts.deny either was missing a newline or had too many lines. I checked out hosts.deny file.
I found that there were a couple of tab characters after what I thought was the last line in the file. I deleted them, saved hosts.deny, issued service ssh restart, and voila, it works now. Check out that auth.log file. It might be your answer.

r l mccown

ps. good luck!

Re: ssh/scp via wired LAN not working; ping works

Postby MikZ on Wed Jun 26, 2013 2:07 am

Thanks, @rlmcc46; auth.log helped me find out what the problem was. It turns out I was wrong when I said the firewall was switched off! I should've checked more thoroughly, but it really is a UI bug.

I'm using gufw, which is the firewall software that comes with Mint 14. It looked like the Status was 'off', but that's because I hadn't unlocked it by entering the password. Once I did, it was clear that it was turned on. I think it ought to show the correct status whether it's unlocked or not, but if there's a good reason it shouldn't, then it should show no status, rather than the misleading 'off' state.

Anyhow, once I turned it off, SSH and SCP worked as I expected. I changed the Port setting in /etc/ssh/sshd_config to a custom number, and added an ALLOW IN rule in gufw to enable that port, and it works as I want. Beaut.

Cheers,
MikZ.
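The symptom pattern in this thread (ping answers, ssh to the server's own address works, remote TCP 22 times out) can be separated from a stopped or misbound sshd with a plain TCP probe, since a silent timeout and a refused connection point to different causes. The sketch below is an added example, not part of any post; the function names, verdict labels and the rules in `diagnose` are assumptions chosen for illustration.

```python
import errno
import socket

def classify(exc):
    """Map the outcome of a TCP connect() to a verdict; exc is None on success."""
    if exc is None:
        return "open"         # handshake completed: a listener answered
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "filtered"     # SYN got no reply at all: typical of a firewall DROP rule
    if isinstance(exc, ConnectionRefusedError):
        return "closed"       # reset came back: host reachable, no listener (or a REJECT rule)
    if isinstance(exc, OSError) and exc.errno in (errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "unreachable"  # no route to the host or network
    return "error"

def probe(host, port, timeout=3.0):
    """Attempt one TCP connection and classify the result."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return classify(None)
    except OSError as exc:
        return classify(exc)

def diagnose(ping_ok, local_verdict, remote_verdict):
    """Combine the three observations from the thread into a likely cause."""
    if remote_verdict == "open":
        return "TCP path is fine; look at sshd authentication (auth.log)"
    if local_verdict != "open":
        return "sshd is not listening on the server; check the service and Port setting"
    if remote_verdict == "filtered" and ping_ok:
        return "host firewall on the server is dropping inbound TCP; check ufw/iptables as root"
    if remote_verdict == "closed":
        return "sshd bound to another address or a REJECT rule; check ListenAddress"
    return "network path problem between client and server; check cabling and addressing"

if __name__ == "__main__":
    # Address and port taken from the thread; run this on the client (nattyclient).
    remote = probe("192.168.1.1", 22)
    print(remote, "->", diagnose(ping_ok=True, local_verdict="open", remote_verdict=remote))
```

With the observations reported in the first post, the verdict is `filtered`, which matches the cause found at the end of the thread: the firewall on the server was active even though the locked gufw window showed 'off'.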

