changing ssh listener port?

**A. Jorge Garcia** · 12-14-2004, 03:32 PM

Whenever I install a dual boot machine, I issue the shell command

update-rc.d ssh defaults

Now I did this on my home PC so I can ssh to it from work (b/c they block every site under the sun...). This worked well for my getting to my email, etc. But suddenly it doesn't work. I'm thinking that the IT guy got wise and blocked port 22 so I cen't ssh home. How do I use a different port?

TIA,
AJG

**UnderScore** · 12-14-2004, 04:34 PM

According to my memory and http://www.twuug.org/lists/twuug/2003-02/msg00714.html you should be able to set the port in the /etc/ssh/sshd_conf file.

I hope this helps.
James

**A. Jorge Garcia** · 12-15-2004, 03:29 AM

Hi UnderScore, thanx for the input. I'll still a little confused. The link you provide says to change the part in the /etc/init.d/sshd script, but I don't see any reference to a port there.

You mentioned editting /etc/ssh/ssh_config or /etc/ssh/ssh_config. Now, if I change the port on /etc/ssh/ssh_config it seems to change the port I'm trying to connect to on the fly (ie: just edit ssh_config, save and ssh). So, am I correct in assuming that changing the port in /etc/ssh/sshd_config will alter which port others connect to my PC using ssh remotely? Well, I tried changing it and no joy! I changed the ssh port at work from 22 to 8080 and the sshd port at home from 22 to 8080 and still no joy (ie:I can still connect from home to work, but I still can't connect from work to home)!

Any more ideas would be welcome!

TIA,
AJG

**UnderScore** · 12-15-2004, 04:55 AM

Sorry. I should have chosen a better representative link.
Anyway, there should be two config files in /etc/ssh: sshd_config and ssh_config. The first one is to configure the server daemon and the second one is to configure the client.
Here is my sshd_config in full. The bolded line is the one you want.

# $OpenBSD: sshd_config,v 1.65 2003/08/28 12:54:34 markus Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.

#Port 22
Protocol 2
#ListenAddress 0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCreds yes

# Set this to 'yes' to enable PAM authentication (via challenge-response)
# and session processing. Depending on your PAM configuration, this may
# bypass the setting of 'PasswordAuthentication'
#UsePAM yes

AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10

# no default banner path
#Banner /some/path

# override default of no subsystems
Subsystem sftp /usr/lib/misc/sftp-server

**A. Jorge Garcia** · 12-15-2004, 04:19 PM

That's exactly what I did! Still no joy....

Regards,
AJG

**UnderScore** · 12-15-2004, 05:23 PM

That's exactly what I did! Still no joy....

Hmmmmm. Thats strange. I will go through the motions now ....
I just booted a PC with Knoppix 3.6 with the cheatcode: knoppix 2 vga=normal
When it gives me a root prompt, I edit the /etc/ssh/sshd_config and change the Port 22 line to Port 2211. I save the changes. I start the sshd daemon with the command:

Code:

/etc/init.d/ssh start

Then I change the root user passwd to pentium4. I use ifconfig to find out the IP addr it was given (10.100.100.2)
On my windows box I have the cygwin tools installed. I run the openssh client with the command:

Code:

ssh -v -C -p 2211 root@10.100.100.2

I connects & asks me for the password. I type pentium4 and hit enter and I am in.
I must ask the obvious, did you restart the sshd daemon so that it runs on the new port?

Code:

/etc/init.d/ssh restart

**Markus** · 12-15-2004, 08:19 PM

Another thing to consider is changing the forwarded port in a router you might have.

**A. Jorge Garcia** · 12-15-2004, 09:30 PM

UnderScore, thanx for the input, but I did all that too!

Markus, you know I forgot to reset the port forwarding on my router at home. I think you have something there! I'll have to check that out. Now, how do I do that on my D-Link DI-604....

EDIT: OK, now I remember! Take a look at this post http://www.knoppix.net/forum/viewtop...er=asc&start=0
famous last words, huh?

TWIMC, if that's not the problem, maybe they blocked all but a few ports at my job for sshing out. Maybe I need to find the active or allowed ports? Is there such a thing as a port sniffing app in KNOPPIX?

Regards,
AJG

**UnderScore** · 12-15-2004, 09:37 PM

Maybe I need to find the active or allowed ports? Is there such a thing as a port sniffing app in knoppix?

You could try running the sshd on common acceptable ports: http 80, https 443, 8080, ftp 21. Knoppix includes nmap for network/port scanning. Try nmap --help on the command line. I like to use nmap -sS -O -p1-1024 -vv 10.100.100.2.
Good luck.

**A. Jorge Garcia** · 12-15-2004, 10:25 PM

Yeah, I tried 21 and 8080 yesterday, just guessing, but no joy.

OK, I just ran nmap and got on my work PC:
22/tcp open ssh
111/tcp open sunrpc
631/tcp open ipp

and on my home PC:
80/tcp open http
113/tcp clased auth

and on another server at work:
80/tcp open http

The one I use from work mostly is the one that reported 22/tcp open ssh. I can still ssh to it from home but not out from it to home. So either I have to fix the port forwarding on my router at home or nmap isn't reporting on outgoing sshd, but only for incoming ssh.

BTW, nmap reports a service for each port like http or ssh or ipp. Can I "hijack" an open port, say 80, and force a ssh service?

TIA,
AJG