changing ssh listener port?

A. Jorge Garcia
12-14-2004, 03:32 PM
Whenever I install a dual boot machine, I issue the shell command

update-rc.d ssh defaults

Now I did this on my home PC so I can ssh to it from work (b/c they block every site under the sun...). This worked well for my getting to my email, etc. But suddenly it doesn't work. I'm thinking that the IT guy got wise and blocked port 22 so I can't ssh home. How do I use a different port?

TIA,
AJG

UnderScore
12-14-2004, 04:34 PM
According to my memory and http://www.twuug.org/lists/twuug/2003-02/msg00714.html you should be able to set the port in the /etc/ssh/sshd_conf file.

I hope this helps.
James

A. Jorge Garcia
12-15-2004, 03:29 AM
Hi UnderScore, thanx for the input. I'm still a little confused. The link you provide says to change the part in the /etc/init.d/sshd script, but I don't see any reference to a port there.

You mentioned editing /etc/ssh/ssh_config or /etc/ssh/ssh_config. Now, if I change the port on /etc/ssh/ssh_config it seems to change the port I'm trying to connect to on the fly (ie: just edit ssh_config, save and ssh). So, am I correct in assuming that changing the port in /etc/ssh/sshd_config will alter which port others connect to my PC using ssh remotely? Well, I tried changing it and no joy! I changed the ssh port at work from 22 to 8080 and the sshd port at home from 22 to 8080 and still no joy (ie: I can still connect from home to work, but I still can't connect from work to home)!

Any more ideas would be welcome!

TIA,
AJG

UnderScore
12-15-2004, 04:55 AM
Sorry. I should have chosen a better representative link.
Anyway, there should be two config files in /etc/ssh: sshd_config and ssh_config. The first one is to configure the server daemon and the second one is to configure the client.
Here is my sshd_config in full. The bolded line is the one you want.

# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server

A. Jorge Garcia
12-15-2004, 04:19 PM
That's exactly what I did! Still no joy....

Regards,
AJG

UnderScore
12-15-2004, 05:23 PM
> That's exactly what I did! Still no joy....

Hmmmmm. Thats strange. I will go through the motions now ....
I just booted a PC with Knoppix 3.6 with the cheatcode: knoppix 2 vga=normal
When it gives me a root prompt, I edit the /etc/ssh/sshd_config and change the Port 22 line to Port 2211. I save the changes. I start the sshd daemon with the command:
/etc/init.d/ssh start
Then I change the root user passwd to pentium4. I use ifconfig to find out the IP addr it was given (10.100.100.2)
On my windows box I have the cygwin tools installed. I run the openssh client with the command:

ssh -v -C -p 2211 root@10.100.100.2
It connects & asks me for the password. I type pentium4 and hit enter and I am in.
I must ask the obvious, did you restart the sshd daemon so that it runs on the new port?
/etc/init.d/ssh restart
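
The edit UnderScore describes, done on the config text instead of by hand, as an added example that is not code from the thread. It relies on two facts about sshd_config: the shipped line '#Port 22' is a comment and so has no effect until a real 'Port' line exists, and sshd accepts more than one Port line and listens on all of them (handy if you want 22 on the LAN and another port from outside). The sample config is a constructed excerpt of the one posted above.

```python
"""Read and set the listening port(s) in sshd_config text.

Added example, not from the thread. '#Port 22' in the shipped file is a
comment; sshd binds every active 'Port' line, and only port 22 when there
is none.
"""
import re

# Constructed excerpt modelled on the sshd_config posted above.
SAMPLE_CONFIG = """\
# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $
#Port 22
Protocol 2
#ListenAddress 0.0.0.0
PasswordAuthentication no
"""

ACTIVE_PORT = re.compile(r"^\s*Port\s+(\d+)\s*$", re.IGNORECASE)
COMMENTED_PORT = re.compile(r"^\s*#\s*Port\b", re.IGNORECASE)


def listening_ports(config_text):
    """Ports sshd would bind: every active 'Port' line, else the default [22]."""
    matches = map(ACTIVE_PORT.match, config_text.splitlines())
    ports = [int(m.group(1)) for m in matches if m]
    return ports or [22]


def set_ports(config_text, ports):
    """Return config_text rewritten so that sshd listens on exactly `ports`.

    Every active Port line is removed; the new lines are written where the
    first of them stood, or after the commented default '#Port 22' when
    there was none (so the file still reads naturally), or else at the top.
    """
    ports = [int(p) for p in ports]
    if not ports or any(not 1 <= p <= 65535 for p in ports):
        raise ValueError("need one or more ports in 1..65535: %r" % (ports,))
    new = ["Port %d" % p for p in ports]
    kept, pos = [], None
    for line in config_text.splitlines():
        if ACTIVE_PORT.match(line):
            if pos is None:
                pos = len(kept)   # remember where the first active line stood
            continue              # drop every active Port line
        kept.append(line)
    if pos is None:               # none was active: go after '#Port 22' if any
        pos = next((i + 1 for i, l in enumerate(kept)
                    if COMMENTED_PORT.match(l)), 0)
    return "\n".join(kept[:pos] + new + kept[pos:]) + "\n"
```

Whatever the file says, sshd only picks it up after /etc/init.d/ssh restart, which is the step the post above asks about.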

Markus
12-15-2004, 08:19 PM
Another thing to consider is changing the forwarded port in a router you might have.

A. Jorge Garcia
12-15-2004, 09:30 PM
UnderScore, thanx for the input, but I did all that too!

Markus, you know I forgot to reset the port forwarding on my router at home. I think you have something there! I'll have to check that out. Now, how do I do that on my D-Link DI-604....

EDIT: OK, now I remember! Take a look at this post http://www.knoppix.net/forum/viewtopic.php?t=8739&postdays=0&postorder=asc&start=0
famous last words, huh?

TWIMC, if that's not the problem, maybe they blocked all but a few ports at my job for sshing out. Maybe I need to find the active or allowed ports? Is there such a thing as a port sniffing app in KNOPPIX?

Regards,
AJG

UnderScore
12-15-2004, 09:37 PM
> Maybe I need to find the active or allowed ports? Is there such a thing as a port sniffing app in knoppix?

You could try running the sshd on common acceptable ports: http 80, https 443, 8080, ftp 21. Knoppix includes nmap for network/port scanning. Try nmap --help on the command line. I like to use nmap -sS -O -p1-1024 -vv 10.100.100.2.
Good luck.

A. Jorge Garcia
12-15-2004, 10:25 PM
Yeah, I tried 21 and 8080 yesterday, just guessing, but no joy.

OK, I just ran nmap and got on my work PC:
22/tcp open ssh
111/tcp open sunrpc
631/tcp open ipp

and on my home PC:
80/tcp open http
113/tcp closed auth

and on another server at work:
80/tcp open http

The one I use from work mostly is the one that reported 22/tcp open ssh. I can still ssh to it from home but not out from it to home. So either I have to fix the port forwarding on my router at home or nmap isn't reporting on outgoing sshd, but only for incoming ssh.

BTW, nmap reports a service for each port like http or ssh or ipp. Can I "hijack" an open port, say 80, and force a ssh service?

TIA,
AJG

A. Jorge Garcia
12-16-2004, 03:05 AM
OK, now I'm home and I got sshd to listen on port 80. So I can ssh in from home on port 22 and then I try to ssh back from work on port 80 and I get "connection closed by remote host." So, that's some progress! It only timed-out before. I did forward the port on the D-Link before it worked. However, I'm still not in.

Regards,
AJG

Markus
12-16-2004, 08:51 AM
If you have ALL:ALL in /etc/hosts.deny try adding the following lines to hosts.allow
ssh sshd : workIP @domain : ALLOW
ssh sshd : 127.0.0.1 LOCAL : ALLOW

EDIT: You can do this with one line:
ssh sshd : 127.0.0.1 .workdomain : ALLOW

You might as well start by testing the connection from home to home just to rule out some problems.

A. Jorge Garcia
12-17-2004, 12:38 AM
OK, I'll try to edit hosts.allow as you suggest just as soon as I get home since I can't ssh there from work anymore and edit it from here! Boy, I never realized how much I had come to depend on ssh! What a pain this is. I've been using ssh, sftp and fish for tons of everyday stuff. In fact, I set up sshd because it was so easy to use and more secure than ftp and telnet ever was. I've never had to do anything to hosts.allow, but lets see what happens.

Anyway, here's the current state of affairs:
PC at work, I reset (after much tweaking) ssh_config and sshd_config to port 22.
PC at home, I also left ssh_config with port 22 but changed sshd_config at home to use port 80.

The idea is so I can still ssh from home to work without a problem:
ssh userid@homeip

Further, the idea was to ssh from work to home using port 80 thusly:
ssh userid@workip -p80

HomeToWork is fine. Before I switched to port 80, WorkToHome would timeout. I've apparently made some progress as now with port 80 I get connection closed by remote host! Now what?

Thanx,
AJG

A. Jorge Garcia
12-17-2004, 01:26 AM
OK, I'm home!

BTW, port 80 works fine internally on my home office PCs and port 22 works fine internally on my work LAN and hosts.deny has ALL:PARANOID in it. Does that matter?

I placed the following 2 lines in hosts.allow and restarted ssh but no joy!
ssh sshd : workip@ALL : ALLOW
ssh sshd : 127.0.0.1 LOCAL : ALLOW
is that correct?

What if I just comment out ALL:PARANOID in hosts.deny
and change ssh sshd : workip@ALL : ALLOW to ssh sshd : ALL@ALL : ALLOW
in hosts.allow?

Markus
12-17-2004, 09:18 AM
> OK, I'm home!
>
> BTW, port 80 works fine internally on my home office PCs and port 22 works fine internally on my work LAN and hosts.deny has ALL:PARANOID in it. Does that matter?
>
> I placed the following 2 lines in hosts.allow and restarted ssh but no joy!
> ssh sshd : workip@ALL : ALLOW
> ssh sshd : 127.0.0.1 LOCAL : ALLOW
> is that correct?

Nope. try:
ssh sshd : workip @workdomain : ALLOW

> What if I just comment out ALL:PARANOID in hosts.deny
> and change ssh sshd : workip@ALL : ALLOW to ssh sshd : ALL@ALL : ALLOW
> in hosts.allow?

You need a space before "@". You're allowing an ip AND a domain. (wishing I remembered the syntax correctly)
Besides, are you sure you want the whole world to be able to connect? At least add AllowUsers user1 user2 and so on to sshd_config.

A. Jorge Garcia
12-18-2004, 01:04 AM
I don't understand what to put in for workdomain.

BTW, you need a userid and password and ipaddress to get in, right?

TIA,
AJG

A. Jorge Garcia
12-18-2004, 03:56 AM
OK, in a desperate attempt to try to get this working again I commented out everything in hosts.deny (ie: ALL:PARANOID) and added

ssh sshd : ALL@ALL : ALLOW
ALL : 127.0.0.1 LOCAL : ALLOW

to hosts.allow (everything else in that file is commented out too). I restarted sshd, I sshed in to the work PC but I still can't ssh back from there. Something really weird is going on here!

Regards,
AJG

Markus
12-18-2004, 09:45 AM
Ok, I'm getting clueless again. I ran a test as an example:

First check if ssh is really listening:
root@fujibox:~# netstat -tupan|grep LISTEN
tcp6 0 0 :::80 :::* LISTEN 3149/sshd

# /etc/hosts.allow: list of hosts that are allowed to access the system.
# ssh sshd : ALL@ALL : ALLOW
ssh sshd : 127.0.0.1 LOCAL : ALLOW
ssh sshd : ip.from.where.iconnect : ALLOW
# snipped a few allowed lines ;)
#ALL : 127.0.0.1 LOCAL : ALLOW
#ALL : ALL@ALL : DENY
ALL:ALL:deny

# /etc/hosts.deny: list of hosts that are _not_ allowed to access the system.
#ALL: PARANOID
ALL:ALL

Opened in iptables:
$IPTABLES -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
$IPTABLES -A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT

Forwarded in my router after checking inet addr with ifconfig:
to_IP:192.168.2.166 port:80 protocol:both enable

Connected with:
ssh -p 80 markus@my.ip.number

It then asks to save the rsa key and proceeds to connect.

A. Jorge Garcia
12-18-2004, 02:22 PM
OK, let me try all that. But, one thing, you now say that I use

ssh sshd : ip.from.where.iconnect : ALLOW
say
ssh sshd : 111.112.113.114 : ALLOW


in hosts.allow, not

ssh sshd : ip.from.where.iconnect @domainname: ALLOW
say
ssh sshd : 111.112.113.114 @school.edu: ALLOW

that's what is confusing me. I thought you said I had to specify a domainname for my work which I'm not sure of.

I'm wondering if something else is going on here. I never had a problem setting up ssh like this....

Thanx for all your help!

Regards,
AJG

Markus
12-18-2004, 06:12 PM
First of all, I'm hardly an expert on this.
Second, sorry if I misled you. I meant you can specify an IP and/or a domain from where you connect. I just use an IP myself.
The domain is probably the @part of your work email.

I'm not trying to confuse you more but you can also allow an IP-range.
Say your workip is 111.222.333.444 you can do: whois 111.222.333.444 which should give you close to the top of the output inetnum.
Say the range is 111.222.333.0 - 111.222.444.555 you can then put in hosts.allow:
ssh sshd : 111.222.333. : ALLOW
ssh sshd : 111.222.444. : ALLOW
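
The hosts.allow / hosts.deny questions in the last few posts (whether 'workip@ALL' can ever match, what the trailing dot in '111.222.333.' does, and in which order the two files are consulted) can be checked offline with this added example. It is not code from the thread but a simplified model of tcpd's hosts_access(5) matching, and the addresses in it are constructed documentation addresses standing in for the real work and home IPs.

```python
"""Evaluate hosts.allow / hosts.deny the way tcpd (hosts_access(5)) does.

Added example, not from the thread. Order: the first hosts.allow line that
matches decides (granted unless its option is DENY); otherwise the first
hosts.deny line that matches refuses (unless its option is ALLOW); a client
matching nothing is granted. Simplified: no EXCEPT lists, netmask patterns,
shell commands or ident lookups.
"""


def _client_matches(pattern, ip, hostname):
    """Match one pattern from the client list. `hostname` is the verified
    reverse name, or None when the lookup failed (a simplification)."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                    # a name without a dot
        return hostname is not None and "." not in hostname
    if pattern == "PARANOID":                 # simplified: unverified name
        return hostname is None
    if "@" in pattern:                        # user@host means *user* at host;
        return False                          # needs an RFC 931 ident lookup
    if pattern.endswith("."):                 # address prefix, e.g. 203.0.113.
        return ip.startswith(pattern)
    if pattern.startswith("."):               # domain suffix, e.g. .school.edu
        return hostname is not None and hostname.endswith(pattern)
    return pattern == ip or pattern == hostname


def parse_rules(text):
    """Return [(daemon_list, client_list, option_or_None)] for a file body."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError("expected 'daemons : clients' in %r" % raw)
        option = fields[2].upper() if len(fields) > 2 else None
        rules.append((fields[0].split(), fields[1].split(), option))
    return rules


def _rule_matches(rule, daemon, ip, hostname):
    daemons, clients, _ = rule
    return (any(d in ("ALL", daemon) for d in daemons)
            and any(_client_matches(c, ip, hostname) for c in clients))


def hosts_access(allow_text, deny_text, daemon, ip, hostname=None):
    """True if `daemon` may serve a connection from ip/hostname."""
    for rule in parse_rules(allow_text):
        if _rule_matches(rule, daemon, ip, hostname):
            return rule[2] != "DENY"
    for rule in parse_rules(deny_text):
        if _rule_matches(rule, daemon, ip, hostname):
            return rule[2] == "ALLOW"
    return True


# Constructed from the files posted in the thread; 203.0.113.10 (a
# documentation address) stands in for the work IP shown as XX.XX.XX.XX.
WORK_IP = "203.0.113.10"
HOSTS_DENY = "ALL:ALL\n"
HOSTS_ALLOW_OK = ("ssh sshd : 127.0.0.1 LOCAL : ALLOW\n"
                  "ssh sshd : %s : ALLOW\n"
                  "ALL:ALL:deny\n" % WORK_IP)
# The earlier attempt: 'workip@ALL' means user "workip" on any host, which
# only an ident lookup could satisfy, so sshd falls through to the deny.
HOSTS_ALLOW_BAD = "ssh sshd : %s@ALL : ALLOW\n" % WORK_IP
```

A refusal by these rules happens after the TCP connection is accepted, which is why the client sees "ssh_exchange_identification: Connection closed by remote host" rather than a timeout; a False from hosts_access is the offline equivalent of that symptom.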

A. Jorge Garcia
12-18-2004, 09:15 PM
Thanx for all your generous help so far markus!

OK, here's the current state of affairs:

I checked netstat in a root shell and its OK.

I did all that iptable stuff you said in a root shell.

Here's my whole /etc/hosts.deny file (except for commented lines):
ALL:ALL

Here's my whole /etc/hosts.allow file (except for commented lines):
ssh sshd : 127.0.0.1 LOCAL : ALLOW
ssh sshd : XX.XX.XX.XX : ALLOW
ALL:ALL:deny

Here's my whole /etc/ssh/ssh_config file (except for commented lines):
Host localhost
ForwardAgent yes
ForwardX11 yes
Host *
ForwardX11 yes
RhostsAuthentication no
RhostsRSAAuthentication yes
RSAAuthentication yes
PasswordAuthentication yes
FallBackToRsh no
UseRsh no
CheckHostIP yes
Port 22
Protocol 2,1
Cipher blowfish

Here's my whole /etc/ssh/sshd_config file (except for commented lines):
Port 80
HostKey /etc/ssh/ssh_host_key
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
ServerKeyBits 768
LoginGraceTime 600
KeyRegenerationInterval 3600
PermitRootLogin yes
IgnoreRhosts yes
StrictModes yes
X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog no
KeepAlive yes
SyslogFacility AUTH
LogLevel INFO
RhostsRSAAuthentication no
HostbasedAuthentication no
RSAAuthentication yes
PasswordAuthentication yes
PermitEmptyPasswords no
Subsystem sftp /usr/lib/sftp-server
UsePAM yes

I issued the following command in a root shell:
/etc/init.d/ssh restart

I logged-in to my workpc from home (using port 22)
ssh apcs@XX.XX.XX.XX

Then I logged-in from there to my homepc (using port 80)
ssh apcs@XX.XXX.XXX.XX -p80

and the best I get is:
ssh_exchange_identification: Connection closed by remote host

ARRGGGHHHHH!

Frustrated,
AJG

Markus
12-18-2004, 11:07 PM
> I did all that iptable stuff you said in a root shell.

Umm, that's a line I use in my firewall.sh, it's not a command.
Do you have iptables running? Check with iptables -nL

> Here's my whole /etc/hosts.deny file (except for commented lines):
> ALL:ALL
>
> Here's my whole /etc/hosts.allow file (except for commented lines):
> ssh sshd : 127.0.0.1 LOCAL : ALLOW
> ssh sshd : XX.XX.XX.XX : ALLOW
> ALL:ALL:deny

Can't see a fault there..

> Here's my whole /etc/ssh/ssh_config file (except for commented lines):

That's only for outward connections.

> Then I logged-in from there to my homepc (using port 80)
> ssh apcs@XX.XXX.XXX.XX -p80

Is the missing space between p and 80 a typo?

> ARRGGGHHHHH!
>
> Frustrated,

That I believe.

In your sshd_config:
HostKey /etc/ssh/ssh_host_key ---this would accept also ssh1 protocol

Well, here's my sshd_config:
Port 22
Protocol 2 ---you're missing this if you want protocol 2 only
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
UsePrivilegeSeparation yes ---not sure if this is important
KeyRegenerationInterval 3600
ServerKeyBits 768
SyslogFacility AUTH
LogLevel INFO
LoginGraceTime 600
PermitRootLogin no ---change this to no
StrictModes yes
RSAAuthentication yes ---you're missing this
PubkeyAuthentication yes ---you're missing this
IgnoreRhosts yes
RhostsRSAAuthentication no
HostbasedAuthentication no
PermitEmptyPasswords no
PasswordAuthentication no
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
Subsystem sftp /usr/lib/sftp-server
UsePAM yes

I just ssh'd with this to work and back to home so at least for me it works. Could it be that your work has disabled the not so secure protocol1?
How about: ssh -2 -p 80 login@IP
Check first if you can connect from home to home with ssh -p 80 homelogin@homeIP and ssh -2 -p 80 homelogin@homeIP

We might be barking up the wrong tree. For all I know the answer is probably obvious and simple. I'm just not seeing it.

EDIT: Another thought. Try deleting the line for your homeIP in the known_hosts file at your work.

A. Jorge Garcia
12-18-2004, 11:45 PM
Well, I never had to setup iptables before! So I didn't know what I was doing when I used that shell command you gave me.

Anyway, here's what iptables -nL returns:
root@gaurdian.mil:~# iptables -nL
Chain INPUT (policy ACCEPT)
target prot opt source destination
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

BTW, ssh apcs@localhost -p80 works fine as does ssh apcs@localhost -p 80

Also, ssh apcs@localhost -p80 works fine as does ssh -2 apcs@localhost -p80

EDIT: OK, maybe you're on to something again with the known_hosts file....

Stumped,
AJG

Markus
12-19-2004, 12:30 AM
> Well, I never had to setup iptables before! So I didn't know what I was doing when I used that shell command you gave me.
>
> Anyway, here's what iptables -nL returns:
> root@gaurdian.mil:~# iptables -nL
> Chain INPUT (policy ACCEPT)
> target prot opt source destination
> ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:80
> ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:80
>
> Chain FORWARD (policy ACCEPT)
> target prot opt source destination
>
> Chain OUTPUT (policy ACCEPT)
> target prot opt source destination

Ok, so iptables is running. Are you sure it wasn't running before? Otherwise I'm not sure where you got those chains. How about a reboot and then check if iptables is still running. Or check in /etc/rc2-5.d if you see something calling iptables. I haven't played with the iptables script in knoppix so I don't even know what starts it.

> BTW, ssh apcs@localhost -p80 works fine as does ssh apcs@localhost -p 80

Ok, so space isn't important.

> Also, ssh apcs@localhost -p80 works fine as does ssh -2 apcs@localhost -p80

Oh well, home to home seems to work too and protocol isn't important at home but how about from work with -2.

Let's hope it's the known_hosts file because quite frankly I'm really getting out of ideas here.

A. Jorge Garcia
12-19-2004, 02:03 AM
Sorry, I'm not up on iptables. I just issued the commands you gave me in a root shell:

iptables -A INPUT -i eth0 -p tcp -m tcp --dport 80 -j ACCEPT
iptables -A INPUT -i eth0 -p udp -m udp --dport 80 -j ACCEPT

Regards,
AJG

A. Jorge Garcia
12-19-2004, 02:11 AM
I'm free, free at last, thank God almighty, free at last!!!

Markus, you are an officer, a gentleman and a genius! I just tweaked everything again on the homePC and the workPC and on the router - now all of it works! I don't know just exactly what I fixed, but I did delete the known_host files on both PCs. I think that was the clincher.

BTW, the only thing I didn't change was
PermitRootLogin yes
so I can tweak the workPC from home and the homePC from work if necessary (like I did today).

Again, thank you, and underscore, so very much!

Relieved,
AJG

Markus
12-19-2004, 01:22 PM
> I'm free, free at last, thank God almighty, free at last!!!

Well done. Would be nice to know what it was but the main thing is it's working.

> BTW, the only thing I didn't change was
> PermitRootLogin yes
> so I can tweak the workPC from home and the homePC from work if necessary (like I did today).

You can still do su to root even when it's set to no, the Permit thingy is just to keep out script kiddies and such that try to login directly as root with different password lists.

A. Jorge Garcia
12-19-2004, 03:31 PM
Thanx, Markus, for all your help. You are a god among Linux Gurus!

BTW, I think maybe I will remove root permission after all.

Regards,
AJG

Markus
12-19-2004, 10:45 PM
Ahem, you're very welcome but I'm really just another semi-intermediate user.
Wish there was some certified ladder to climb :) , like:
ultranoob
newbie
accomplished newb
semi-intermediate user
intermediate user
user
accomplished user
semi-guru
guru
kernel hacker

A. Jorge Garcia
12-19-2004, 11:18 PM
I guess I'll aspire to one day be an AccomplishedNoob!

Remember when this forum first started out? People would get some kind of rank based on how many posts they made. What happened to that? With over 1000 posts I guess I would be awarded the rank of UltraNoob since most of my posts have been questions....

Regards,
AJG

Markus
12-19-2004, 11:40 PM
You're way too hard on yourself. I just gave myself 4th rank out of a whim :)

A. Jorge Garcia
12-20-2004, 01:34 AM
Now, what about PXE? I could never get that to work with KNOPPIX 3.4 or 3.6 - it would seem I have a windows DHCP server getting in the way....

Regards,
AJG

Markus
12-20-2004, 08:06 AM
Haven't tried but you might want to start a new thread.
If you want to try out kanotix you need Fix2 of BugHunterX to get a working terminal server.