Reply
 
Thread Tools Display Modes
  #1  
Old 03-03-2012, 05:48 AM
martinZ martinZ is offline
Junior Member
 
Join Date: Mar 2012
Location: Xi'An, ShaanXi, China
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default cannot use ssh to access PCBSD9
I installed PCBSD9 on my HP PC. To use ssh to access it, I removed # before ssh in /etc/inetd.conf.
and set sshd_enable="YES" in /etc/rc.conf

Now, in PCBSD console, I can use ssh to access itself by using its local network ip. But I could not use ssh to access it from other pcs.The message is always "Connection refused!". But I can ping it from other machines.

Here is my /etc/ssh/sshd_config:
Code:
#	$OpenBSD: sshd_config,v 1.82 2010/09/06 17:10:19 naddy Exp $
#	$FreeBSD$

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20110503

Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
PermitRootLogin yes
StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile	.ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will 
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	/usr/libexec/sftp-server

# Disable HPN tuning improvements.
#HPNDisabled no

# Buffer size for HPN to non-HPN connections.
#HPNBufferSize 2048

# TCP receive socket buffer polling for HPN.  Disable on non autotuning kernels.
#TcpRcvBufPoll yes

# Allow the use of the NONE cipher.
#NoneEnabled no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	ForceCommand cvs server
I got PF firewall enabled, here is my /etc/pf.conf
Code:
set skip on lo0
set block-policy return
scrub in all
antispoof quick for lo0 inet
block in from no-route to any
# Block all other incoming
block in log

# Allow all outgoing traffic
pass out keep state

# Block blacklist
table <blacklist> persist file "/etc/blacklist"
block from <blacklist> to any

# Enable ICMP for IPv4 IPv6
pass proto icmp all
pass proto icmp6 all

# Nic Specific Rules
pass in quick on nfe0 proto {tcp,udp} from any to any port 49152:65535 keep state
pass in quick on nfe0 proto udp from any to (nfe0) port 137 keep state
pass in quick on nfe0 proto udp from any to (nfe0) port 138 keep state
pass in quick on nfe0 proto udp from any to (nfe0) port 111 keep state
pass in quick on nfe0 proto udp from any to (nfe0) port 1110 keep state
pass in quick on nfe0 proto udp from any to (nfe0) port 2049 keep state
pass in quick on nfe0 proto udp from any to (nfe0) port 4045 keep state
pass in quick on nfe0 proto udp from any to (nfe0) port 5353 keep state
pass in quick on nfe0 proto udp from any to 224.0.0.251/32 port 5353 keep state
pass in quick on nfe0 proto tcp from any to (nfe0) port 445 keep state
pass in quick on nfe0 proto tcp from any to (nfe0) port 137 keep state
pass in quick on nfe0 proto tcp from any to (nfe0) port 139 keep state
pass in quick on nfe0 proto tcp from any to (nfe0) port 111 keep state
pass in quick on nfe0 proto tcp from any to (nfe0) port 1110 keep state
pass in quick on nfe0 proto tcp from any to (nfe0) port 4045 keep state
pass in quick on nfe0 proto tcp from any to (nfe0) port 5353 keep state
pass in quick on urtw0 proto {tcp,udp} from any to any port 49152:65535 keep state
pass in quick on urtw0 proto udp from any to (urtw0) port 137 keep state
pass in quick on urtw0 proto udp from any to (urtw0) port 138 keep state
pass in quick on urtw0 proto udp from any to (urtw0) port 111 keep state
pass in quick on urtw0 proto udp from any to (urtw0) port 1110 keep state
pass in quick on urtw0 proto udp from any to (urtw0) port 2049 keep state
pass in quick on urtw0 proto udp from any to (urtw0) port 4045 keep state
pass in quick on urtw0 proto udp from any to (urtw0) port 5353 keep state
pass in quick on urtw0 proto udp from any to 224.0.0.251/32 port 5353 keep state
pass in quick on urtw0 proto tcp from any to (urtw0) port 445 keep state
pass in quick on urtw0 proto tcp from any to (urtw0) port 137 keep state
pass in quick on urtw0 proto tcp from any to (urtw0) port 139 keep state
pass in quick on urtw0 proto tcp from any to (urtw0) port 111 keep state
pass in quick on urtw0 proto tcp from any to (urtw0) port 1110 keep state
pass in quick on urtw0 proto tcp from any to (urtw0) port 4045 keep state
pass in quick on urtw0 proto tcp from any to (urtw0) port 5353 keep state
pass in quick on lagg0 proto {tcp,udp} from any to any port 49152:65535 keep state
pass in quick on lagg0 proto udp from any to (lagg0) port 137 keep state
pass in quick on lagg0 proto udp from any to (lagg0) port 138 keep state
pass in quick on lagg0 proto udp from any to (lagg0) port 111 keep state
pass in quick on lagg0 proto udp from any to (lagg0) port 1110 keep state
pass in quick on lagg0 proto udp from any to (lagg0) port 2049 keep state
pass in quick on lagg0 proto udp from any to (lagg0) port 4045 keep state
pass in quick on lagg0 proto udp from any to (lagg0) port 5353 keep state
pass in quick on lagg0 proto udp from any to 224.0.0.251/32 port 5353 keep state
pass in quick on lagg0 proto tcp from any to (lagg0) port 445 keep state
pass in quick on lagg0 proto tcp from any to (lagg0) port 137 keep state
pass in quick on lagg0 proto tcp from any to (lagg0) port 139 keep state
pass in quick on lagg0 proto tcp from any to (lagg0) port 111 keep state
pass in quick on lagg0 proto tcp from any to (lagg0) port 1110 keep state
pass in quick on lagg0 proto tcp from any to (lagg0) port 4045 keep state
pass in quick on lagg0 proto tcp from any to (lagg0) port 5353 keep state
I do not have any experience with BSD. Do I need to set the firewall or somewhere in other config file? Thanks in advance
Reply With Quote
  #2  
Old 03-03-2012, 06:08 AM
martinZ martinZ is offline
Junior Member
 
Join Date: Mar 2012
Location: Xi'An, ShaanXi, China
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default
after run sockstat -4l, I got:
root sshd 1804 4 tcp4 *:22 *:*
Reply With Quote
  #3  
Old 03-05-2012, 02:35 PM
kmoore134's Avatar
kmoore134 kmoore134 is offline
Administrator
 
Join Date: May 2005
Location: Knoxville, TN
Posts: 2,568
Thanks: 0
Thanked 163 Times in 127 Posts
Default cannot use ssh to access PCBSD9
I'm not seeing any port 22 exception in your firewall config..

You can confirm that is the problem by turning off the firewall to test:

/etc/rc.d/pf stop
__________________
----
Kris Moore
PC-BSD Founder
Reply With Quote
  #4  
Old 03-08-2012, 11:43 AM
martinZ martinZ is offline
Junior Member
 
Join Date: Mar 2012
Location: Xi'An, ShaanXi, China
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default
Originally Posted by kmoore134 View Post
I'm not seeing any port 22 exception in your firewall config..

You can confirm that is the problem by turning off the firewall to test:

/etc/rc.d/pf stop
Thanks for your suggestions. After turned off the firewall, I can use ssh to access my pc. Does the firewall in PC-BCD forbid the access to port 22 by default? Since I did not modify anything about the firewall after installed PC-BSD.
Reply With Quote
  #5  
Old 03-08-2012, 12:05 PM
kmoore134's Avatar
kmoore134 kmoore134 is offline
Administrator
 
Join Date: May 2005
Location: Knoxville, TN
Posts: 2,568
Thanks: 0
Thanked 163 Times in 127 Posts
Default cannot use ssh to access PCBSD9
Yes, port 22 is blocked by default. If you use the firewall GUI can
easily open that port
__________________
----
Kris Moore
PC-BSD Founder
Reply With Quote
  #6  
Old 03-08-2012, 12:28 PM
martinZ martinZ is offline
Junior Member
 
Join Date: Mar 2012
Location: Xi'An, ShaanXi, China
Posts: 4
Thanks: 0
Thanked 0 Times in 0 Posts
Default
Originally Posted by kmoore134 View Post
Yes, port 22 is blocked by default. If you use the firewall GUI can
easily open that port
I have used the firewall GUI opened the port. It is very easy! Cool!!!!!!
Thanks!
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT. The time now is 11:49 AM.


Powered by vBulletin® Version 3.8.5
Copyright ©2000 - 2014, Jelsoft Enterprises Ltd.

Copyright 2005-2010, The PC-BSD Project. PC-BSD and the PC-BSD logo are registered trademarks of iXsystems.
All other content is freely available for sharing under the terms of the Creative Commons Attribution License.