I can't connect (by ssh) to my Knoppix 4.0 machine

**ugo** · 09-28-2005, 02:39 PM

Hi,
I've just installed Knoppix 4.0.2 (CD version) on the HD of the PC in my office.
Everything looks fine but the following problem.

I've at my disposal a static IP address and I've not any problem to see the web starting from my PC.
Nevertheless, I can't connect by ssh to my PC STARTING FROM THE EXTERNAL.
The answer is always: "Connection refused".

What I've to do in order to be able to connect from the external?

Let me describe my further tries.
I thought the problem was in the firewall settings.
(BTW, am I right?).
Thus, I run firewall command (it gives the same as it starts from the menu Knoppix -> services -> Knoppix firewall)
and I tried to deactivate the firewall, but when I tried to save the configuration it answered to me:
"You have to create a persistent knoppix image first",
then I stopped because I thought the OS was still working as it was running from the CD.

Thank you for your kind help,
ciao,
Ugo

P.S. Since I've to install Linux also in a PC classroom (and I try to do it in a way the students can easily reconstruct at their home,
then I use knoppix) I'm very happy with this setting that doesn't allow to connect from the external for general purposes, but
not for the PC in my office that must be on all the time. With Knoppix 3.3 this problem didn't show up.

**Markus** · 09-28-2005, 06:56 PM

To see if ssh is listening: netstat -tupan
To check firewall rules: iptables -nvL
To add ssh rules (modify if different port or some such):
/sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
/sbin/iptables -A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT

**ugo** · 09-29-2005, 11:52 AM

Dear Markus,
your suggestions had a good sound. I'm not able to make the tries directly on the HD installation on the
PC of my office (I'll not be there till monday or tuesday).
Thus, I tried by running the 4.0.2 Cd version of Knoppix from the CD of my laptop.
(BTW, tell me if this make a big difference in test, but I think that trying to connect by ssh
to a Knoppix running machine in the "live" way is a problem interesting in itself).

This is the result of my tries.

root@0[knoppix]# netcardconfig
Sending DHCP broadcast from device eth0 OK.

root@0[knoppix]# netstat -tupan
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:68 0.0.0.0:* LISTEN 1984/pump
tcp 0 0 0.0.0.0:6000 0.0.0.0:* LISTEN 2607/XFree86

root@0[knoppix]# iptables -nvL
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

root@0[knoppix]# /sbin/iptables -A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT

root@0[knoppix]# /sbin/iptables -A INPUT -i eth0 -p udp -m udp --dport 22 -j ACCEPT

Then, I connected by ssh to another machine (say pippo its name) where I've an account:
as usual, no problem.
From that machine (pippo), I've written the command

pippo-ugo:ssh -l knoppix XXX.YYY.WWW.ZZ
ssh: connect to host XXX.YYY.WWW.ZZ port 22: Connection refused

where obviously XXX.YYY.WWW.ZZ means the IP number given to my laptop by the DHCP server.

Thus, it seems to not work.
I've read a little the man page about iptables, but this overwhelm my little knowledge of Linux.
Any other idea to go on?

Thanks a lot for your effort,
ciao,
Ugo

**Markus** · 09-29-2005, 05:43 PM

From the netstat output it looks like sshd isn't running. Try "sudo /etc/init.d/ssh start" on the server, and do netstat again.
The iptables commands seem unneeded since it has accept policy all over.

**ugo** · 09-30-2005, 10:30 AM

Dear Markus,
great! Running the command
/etc/init.d/ssh start
from a root terminal has been the main step to let me connect by ssh to my KNOPPIX 4.0.2 laptop (still
running from the CD in "live" way). I had just to set a password for the knoppix user, because, otherwise,
ssh don't le me to connect. I guess the behaviour of a machine after a HD install will be the same.

I guess you're feeling happy because you are thinking to have finished your work with me.
You're wrong! I've a couple of questions for you that may be are of interest for the community.

I remember very well that at the end of the HD install of KNOPPIX 3.2 and 3.3 (I did it many times)
I was asked to start the ssh server daemon (or something sounding like that); the same didn't occurr
for HD install of KNOPPIX 3.7 and 4.0 (and I guess the same for the intermediate versions).
Question (1):
is this fact making the difference after the HD install about the ssh connection?
I mean with the versions 3.2 and 3.3 you are allowed to connect by ssh from the external to the
PC running from the HD install, on the other hand with versions 3.7 and 4.0 you're not allowed to do it.

If the answer to question (1) is "Yes, this makes the difference", I think it is better to let the HD install in the
present state about the (not) starting of the ssh daemon: it's much more safe, because KNOPPIX addresses
also to newbies and middle experts.

However,
question (2) :
isn't better to write down how to allow an ssh connection to a KNOPPIX machine in some howto?

I think it could help people interested in HD install.
BTW, I've read many times that KNOPPIX project is not taylored for the HD install, but mainly for
the "live way" running. I see.
However, for people (like me) interested in the teaching it is very important that KNOPPIX project
succeeds in being stable both in HD and in the "live way" running. In fact, this allows the teacher
to create an environment at the university (or eventually at college) such that the students can easily
recreate it at home even without an HD install (many of them are very scared about the HD install, because
they don't want risk to damage windows ....).
Let me say that none of the projects taylored for scientific/educational purposes (like Quantian, Edubuntu, etc.)
is as flexible as KNOPPIX in the "live way".

Sorry for the length of my thoughts.
God bless you!
Ciao,
Ugo

**Markus** · 09-30-2005, 11:30 AM

It's actually a long time since I've used knoppix. The last hd install with it was 3.3. I'm using kanotix and debian hd installs nowadays, and there isn't much kanotix specific left in the kanotix install either.
I don't recall now how secure the sshd_config in knoppix is. It doesn't really have to be either since it's meant for livecd use. Things like that make it a not so perfect hd install. At a bare minimum disallow root login in it, and perhaps change the listening port. After do "/etc/init.d/ssh restart" for the settings to take effect.
If you want a livecd that also makes a good hd install, try kanotix.
There's one more thing to consider with daemons like ssh when using debian. When you install a daemon it gets added to the startup scripts in /etc/rc* and starts on bootup. The same thing happens when you upgrade a service like ssh. If you don't want to do "update-rc.d -f ssh remove" everytime you upgrade it, change the symlinks to K instead of S, namely kill instead of start.

1) The reason for the change in the installer asking about ssh might well be that knoppix now uses the installer from kanotix.

2) Now that you have experimented and managed it, feel free to add to the wiki http://www.knoppix.net/wiki/Ssh

**mhuang** · 10-02-2005, 04:02 PM

hi,

after you started sshd, try on the same host: ssh localhost -l some_user_name. That
can tell you if sshd is running OK. this might not be your case but if you have AllowUsers
set in /etc/ssh/sshd_config then you have to put autorized userid in it to enable login
by that user. hope this helps