#1  01-17-2009, 09:46 PM  glrx314 (Junior Member, joined Sep 2008)
Unable to ssh into my PC-BSD box
I have PCBSD 7.0.2 installed on my computer.

When I try to ssh into my system from an outside server I get a timeout error and it doesn't even respond with a password prompt. But when I try ssh from my machine to my own machine, it works just fine.

I have reproduced the relevant files below. Any help is appreciated.

I have sshd running

Code:
[~]$/etc/rc.d/sshd status
sshd is running as pid 1267.
I've configured my /etc/ssh/sshd_config file with the following parameters.

Code:
Port 22
#Protocol 2
#AddressFamily any
#ListenAddress 155.97.234.205
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys2

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# Change to yes to enable built-in password authentication.
PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'no' to disable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM yes

AllowUsers amjith vijay nx
#AllowUsers admin
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server
Here is my /etc/allow.hosts

Code:
# The rules here work on a "First match wins" basis.
ALL : ALL : allow

# Wrapping sshd(8) is not normally a good idea, but if you
# need to do it, here's how
#sshd : .evil.cracker.example.com : deny

# Protect against simple DNS spoofing attacks by checking that the
# forward and reverse records for the remote host match. If a mismatch
# occurs, access is denied, and any positive ident response within
# 20 seconds is logged. No protection is afforded against DNS poisoning,
# IP spoofing or more complicated attacks. Hosts with no reverse DNS
# pass this rule.
ALL : PARANOID : RFC931 20 : deny

# Allow anything from localhost.  Note that an IP address (not a host
# name) *MUST* be specified for rpcbind(8).
ALL : localhost 127.0.0.1 : allow
# Comment out next line if you build libwrap with NO_INET6=yes.
ALL : [::1] : allow
ALL : my.machine.example.com 192.0.2.35 : allow

# To use IPv6 addresses you must enclose them in []'s
ALL : [fe80::%fxp0]/10 : allow
ALL : [fe80::]/10 : deny
ALL : [2001:db8:2:1:2:3:4:3fe1] : deny
ALL : [2001:db8:2:1::]/64 : allow

# Sendmail can help protect you against spammers and relay-rapers
sendmail : localhost : allow
sendmail : .nice.guy.example.com : allow
sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
exim : .nice.guy.example.com : allow
exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Rpcbind is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
rpcbind : 192.0.2.32/255.255.255.224 : allow
rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny
# NIS master server. Only local nets should have access
ypserv : localhost : allow
ypserv : .unsafe.my.net.example.com : deny
ypserv : .my.net.example.com : allow
ypserv : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
ftpd : .nice.guy.example.com : allow
ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
        : spawn (echo Finger. | \
         /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
        : deny

# The rest of the daemons are protected.
#ALL : ALL \
#       : severity auth.info \
#       : twist /bin/echo "You are not welcome to use %d from %h."

# denyhosts
sshd : /etc/hosts.deniedssh \
     : severity auth.info \
     : twist /bin/echo "Server %d denied from %h" \
     : deny
sshd : ALL : allow
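The hosts.allow file above is read top to bottom and the first rule whose daemon and client lists both match decides, so a rule such as "ALL : ALL : allow" on the first line settles every connection before any later rule is reached. The following script is an added example, not part of this thread, that evaluates that first-match order offline for one daemon/client pair. It follows the hosts_access(5) field layout (daemon list, client list, optional options), and it treats PARANOID, KNOWN/UNKNOWN, EXCEPT and "/file" client lists, which need DNS lookups or extra files, as non-matching; the sample rules it ships with are constructed, not the poster's file.

```shell
#!/bin/sh
# Added example (not from the thread): offline evaluator of hosts.allow first-match
# order for one daemon/client pair, following the hosts_access(5) field layout
# "daemon_list : client_list [: option ...]".
# Client patterns handled: ALL, LOCAL, exact IPv4 or hostname, "[ipv6]" literal,
# net/prefix, net/dotted-mask and ".domain" suffixes. PARANOID, KNOWN, UNKNOWN,
# EXCEPT and "/file" lists need DNS or other files and are assumed non-matching.
# A matched rule with no allow/deny/twist option counts as allow (hosts.allow default).
#
# Usage: tcpd_decide DAEMON CLIENT_IP [CLIENT_HOSTNAME] < /etc/hosts.allow
# Prints "<decision>TAB<rule>", decision being allow, deny, twist or no-match.
tcpd_decide() {
    awk -v daemon="$1" -v ip="$2" -v host="${3:-}" '
    function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    # apply a dotted netmask octet by octet (contiguous masks only)
    function masked(a, m,   pa, pm, i, s, r) {
        split(a, pa, "."); split(m, pm, "."); r = ""
        for (i = 1; i <= 4; i++) { s = 256 - pm[i]; r = r (i > 1 ? "." : "") (int(pa[i] / s) * s) }
        return r
    }
    # prefix length (e.g. 24) to dotted mask (255.255.255.0)
    function pfx2mask(n,   i, b, m) {
        m = ""
        for (i = 1; i <= 4; i++) {
            b = n > 8 ? 8 : (n > 0 ? n : 0); n -= 8
            m = m (i > 1 ? "." : "") (256 - 2 ^ (8 - b))
        }
        return m
    }
    function client_match(pat,   p, mask) {
        if (pat == "ALL") return 1
        if (pat == "LOCAL") return host != "" && index(host, ".") == 0
        if (pat ~ /^\./) return host != "" && substr(host, length(host) - length(pat) + 1) == pat
        if (pat ~ /^[0-9.]+\/[0-9.]+$/ && ip ~ /^[0-9.]+$/) {
            split(pat, p, "/"); mask = (p[2] ~ /\./) ? p[2] : pfx2mask(p[2])
            return masked(ip, mask) == masked(p[1], mask)
        }
        return pat == ip || pat == ("[" ip "]") || (host != "" && pat == host)
    }
    # split a rule on ":" outside [...] brackets, ignoring an escaped "\:"
    function split_fields(line, f,   n, i, c, depth, cur) {
        n = 0; cur = ""; depth = 0
        for (i = 1; i <= length(line); i++) {
            c = substr(line, i, 1)
            if (c == "[") { depth++ } else if (c == "]") { depth-- }
            if (c == ":" && depth == 0 && !(i > 1 && substr(line, i - 1, 1) == "\\")) {
                f[++n] = trim(cur); cur = ""
            } else { cur = cur c }
        }
        f[++n] = trim(cur)
        return n
    }
    function evaluate(rule,   f, nf, i, toks, nt, hit, act) {
        nf = split_fields(rule, f)
        if (nf < 2) return
        nt = split(f[1], toks, /[ \t]+/); hit = 0
        for (i = 1; i <= nt; i++) if (toks[i] == "ALL" || toks[i] == daemon) hit = 1
        if (!hit) return
        nt = split(f[2], toks, /[ \t]+/); hit = 0
        for (i = 1; i <= nt; i++) if (client_match(toks[i])) hit = 1
        if (!hit) return
        act = "allow"                        # no explicit option: hosts.allow grants
        for (i = 3; i <= nf; i++) {
            split(f[i], toks, /[ \t]+/)
            if (toks[1] ~ /^(allow|deny|twist)$/) act = toks[1]
        }
        print act "\t" rule; decided = 1; exit
    }
    /\\$/ { sub(/\\$/, ""); buf = buf $0; next }     # join continuation lines
    { buf = trim(buf $0); if (buf != "" && buf !~ /^#/) evaluate(buf); buf = "" }
    END { if (!decided) print "no-match\tno rule matched (hosts.deny or the default applies)" }'
}

# Constructed sample in the shape of the thread's file (not the real file)
SAMPLE_HOSTS_ALLOW='# The rules here work on a "First match wins" basis.
ALL : localhost 127.0.0.1 : allow
ALL : [::1] : allow
sshd : /etc/hosts.deniedssh \
     : severity auth.info \
     : twist /bin/echo "Server %d denied from %h"
sshd : 192.0.2.0/24 .trusted.example.com : allow
sshd : ALL : deny
rpcbind : 192.0.2.32/255.255.255.224 : allow
rpcbind : ALL : deny'

# Decision only (allow/deny/twist/no-match) for DAEMON CLIENT_IP [HOST] against the sample.
sample_decision() { printf '%s\n' "$SAMPLE_HOSTS_ALLOW" | tcpd_decide "$@" | cut -f1; }

for who in "sshd 192.0.2.35" "sshd 198.51.100.9" "sshd 198.51.100.9 box.trusted.example.com" "rpcbind 192.0.2.70" "ftpd 192.0.2.1"; do
    printf '%-45s -> %s\n' "$who" "$(sample_decision $who)"
done
```

To check a real file, feed it on stdin: tcpd_decide sshd 203.0.113.7 < /etc/hosts.allow prints the deciding rule, which is the quickest way to see whether a later deny line can ever be reached.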
#2  01-18-2009, 10:48 PM  gwood (Member, Scottsdale, AZ, joined Sep 2008)
Re: Unable to ssh into my PC-BSD box: PF and DENYHOSTS
pc-bsd 7.x comes with the pf firewall enabled, and the default ruleset, /etc/pf.conf, is not configured to allow ssh connections from anything but localhost.

In addition, denyhosts is enabled in rc.conf. I believe it may also block ssh connections. It looks innocuous, but I had to disable it in rc.conf to get incoming ssh to work.

I am not a pf guru, but I think something like this will open up ssh from anywhere, assuming your ethernet interface is bfe0:

Code:
pass in on bfe0 proto tcp from any to (bfe0) port 22 keep state
or from one host ('foo.bar.com' by name):
Code:
pass in on bfe0 proto tcp from foo.bar.com to (bfe0) port 22 keep state
or from a list of hosts
Code:
pass in on bfe0 proto tcp from { foo.bar.com, ugh.com } to (bfe0) port 22 keep state
(I am not sure the braces are required)

or from a subnet:
Code:
pass in on bfe0 proto tcp from 98.23.43.0/24 to (bfe0) port 22 keep state
If someone has a working configuration for denyhosts that allows a local subnet and a set of external hosts, please post it. I'm also looking for good tutorials, sample configs or other doc for pf and denyhosts. (yes, I saw /usr/share/examples/pf/).

-g
G.D. Wood
#3  01-19-2009, 07:03 PM  TerryP (Senior Member, Ga. USofA, joined Nov 2005)
Re: Unable to ssh into my PC-BSD box
This is the principal rule from my machine's pf.conf, for ssh'ing in:

Code:
#
# allow new incoming tcp/ssh traffic on our usual port
#
# bind matches to interface
# Enable src tracking; limit state creations based on this rule only
# Limit the max number of nodes that can simultaneously create state
# Limit the max number of simultaneous states per source IP
# Limit max simultaneous TCP conn's /w completed handshakes per host
# Limit rate of said new conn's to integer / seconds
# people who abuse these limits, get fucked off
pass in quick on $eiface0 proto tcp \
        from <clients> to $eiface0 port $ssh_port \
        flags S/SA synproxy state \
        (if-bound, source-track rule, max-src-nodes 5, max-src-states 8, \
         max-src-conn 8, max-src-conn-rate 12/60, \
         overload <fuckoff> flush global)
where $eiface0 = my external interface, $ssh_port is a custom SSH port, <fuckoff> is a persistent table for people yanking the machine's chain, and <clients> is a table of people that should have the right to connect.

I'm not a PF guru either.

This simpler rule would probably work for most PC-BSD users (note it's written off the top of my head, not battle proven):
Code:
pass in quick on TheInterface proto tcp from any to any port TheSshdPort keep state

When one gets into NAT and stuff, it would get a bit more complicated of course.
#4  01-20-2009, 02:42 PM  glrx314 (Junior Member, joined Sep 2008)
Re: Unable to ssh into my PC-BSD box
I checked my pf.conf file and it has the following line. msk0 is my ethernet name.

Code:
pass in on msk0 proto tcp from any to (msk0) port 22 keep state
But still I am not able to ssh into my machine. I don't even get a prompt asking for a login or passwd. When I try to ssh, it waits for a long time and then reports a time out error.
#5  01-20-2009, 05:20 PM  gwood (Member, Scottsdale, AZ, joined Sep 2008)
Re: Unable to ssh into my PC-BSD box
just to make sure that pf is not the problem, briefly disable it and try to ssh in from some other box. If this succeeds, then your pf rules need tweaking.

remember to re-enable afterwards.

to disable, use a root shell and enter 'pfctl -d'

to check the status: 'pfctl -s all |grep ^Status'

also, check with denyhosts off:

/usr/local/etc/rc.d/denyhosts stop
ps -ax |grep denyhosts # make sure it is not running

to re-enable pf: 'pfctl -e'
to restart denyhosts: /usr/local/etc/rc.d/denyhosts start
G.D. Wood
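The checks gwood lists (is pf enabled, is there a pass rule for the sshd port on the right interface, is denyhosts blocking the client), plus whether sshd is actually listening on an external address rather than only on localhost, as one added script that is not from the thread. It assumes the output formats of pfctl -s info ("Status: Enabled ..."), pfctl -s rules (which prints well-known ports by service name, so port 22 shows as "port = ssh"), sockstat -4l (USER COMMAND PID FD PROTO LOCAL FOREIGN columns) and denyhosts' "sshd: a.b.c.d" lines in /etc/hosts.deniedssh, the file the hosts.allow above refers to. Each check reads that output on stdin, so it runs on live output (as root) or, where those tools are absent, on the constructed samples included in the script. The interface check matters because a rule written for bfe0 does nothing on a machine whose interface is msk0.

```shell
#!/bin/sh
# Added example, not from the thread: gwood's checks (pf on/off, a pf rule for the
# sshd port on the right interface, denyhosts) and an sshd listen check, written as
# functions that read command output on stdin.
# Assumed formats: `pfctl -s info` ("Status: Enabled ..."), `pfctl -s rules`
# (service names for well-known ports, e.g. "port = ssh"), `sockstat -4l`
# (USER COMMAND PID FD PROTO LOCAL FOREIGN) and denyhosts' "sshd: a.b.c.d" lines.

# Prints Enabled or Disabled from `pfctl -s info` output on stdin.
pf_status() { awk '/^Status:/ { print $2; exit }'; }

# Returns 0 if the ruleset on stdin has a "pass in" rule for TCP to port $2 on
# interface $1. A rule on another interface or port does not count.
pf_has_ssh_pass() {
    port=$2
    if [ "$port" = 22 ]; then port='(22|ssh)'; fi   # pfctl -s rules prints "port = ssh" for 22
    awk -v ifc="$1" -v port="$port" '
        /^[ \t]*#/ { next }
        /^[ \t]*pass[ \t]+in/ &&
        $0 ~ ("(^|[ \t])on[ \t]+" ifc "([ \t]|$)") &&
        /proto[ \t]+tcp/ &&
        $0 ~ ("port[ \t]+(=[ \t]+)?" port "([ \t]|$)") { found = 1 }
        END { exit found ? 0 : 1 }'
}

# Prints any, loopback or none: sshd listens on *:$1, only on 127.0.0.1:$1, or not at all.
sshd_listen_scope() {
    awk -v port="$1" '
        $2 == "sshd" && $6 == ("*:" port)         { any = 1 }
        $2 == "sshd" && $6 == ("127.0.0.1:" port) { loop = 1 }
        END { print any ? "any" : (loop ? "loopback" : "none") }'
}

# Returns 0 if client IP $1 appears as a whole address in the denyhosts file on stdin.
denyhosts_lists() {
    esc=$(printf '%s' "$1" | sed 's/\./\\./g')
    grep -q -E "(^|[[:space:]:])${esc}([[:space:]]|$)"
}

# Constructed sample output, used when pfctl/sockstat are not available on this host.
SAMPLE_INFO='Status: Enabled for 0 days 00:03:12           Debug: Urgent'
SAMPLE_RULES='pass in on msk0 inet proto tcp from any to (msk0) port = ssh flags S/SA keep state'
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       1267  4  tcp4   *:22                  *:*'
SAMPLE_DENIED='sshd: 203.0.113.7'

ssh_access_report() {   # $1 interface, $2 sshd port, $3 client IP to look up in denyhosts
    iface=${1:-msk0}; port=${2:-22}; client=${3:-192.0.2.10}
    if command -v pfctl >/dev/null 2>&1 && command -v sockstat >/dev/null 2>&1; then
        info=$(pfctl -s info 2>/dev/null); rules=$(pfctl -s rules 2>/dev/null)
        socks=$(sockstat -4l); denied=$(cat /etc/hosts.deniedssh 2>/dev/null)
    else
        echo "pfctl/sockstat not found; reporting on constructed sample data"
        info=$SAMPLE_INFO; rules=$SAMPLE_RULES; socks=$SAMPLE_SOCKSTAT; denied=$SAMPLE_DENIED
    fi
    echo "pf status: $(printf '%s\n' "$info" | pf_status)"
    if printf '%s\n' "$rules" | pf_has_ssh_pass "$iface" "$port"; then
        echo "pf: pass-in rule for tcp/$port on $iface present"
    else
        echo "pf: no pass-in rule for tcp/$port on $iface (add one, or check the interface name)"
    fi
    echo "sshd listening on port $port: $(printf '%s\n' "$socks" | sshd_listen_scope "$port")"
    if printf '%s\n' "$denied" | denyhosts_lists "$client"; then
        echo "denyhosts: $client is listed in hosts.deniedssh"
    else
        echo "denyhosts: $client is not listed"
    fi
}

ssh_access_report "$@"
```

Run it as root with the interface name, port and the address you are connecting from (for example: sh ssh_access_report.sh msk0 22 203.0.113.7). A "loopback" result from the listen check points at a ListenAddress restriction in sshd_config rather than at pf; a missing pass-in rule with pf Enabled points at pf.conf; a listed client points at denyhosts.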