From: Stefan Lambrev
To: Rob Zietlow
Cc: freebsd-current@freebsd.org
Date: Sat, 27 Oct 2007 13:03:46 +0300
Subject: Re: [7.0-Beta] can no longer ssh into just upgraded host
Message-ID: <47230D02.1080602@moneybookers.com>

Hi Rob,

Rob Zietlow wrote:
> Hello,
>
> A google for the error messages hasn't turned up so I turn to you mailing
> lists.
>
> I have recently upgraded to RELENG_7.
> (Oct 26th 13:03) Ever since then I am
> no longer able to ssh into the upgraded host from outside my local subnet.
> This has been tested coming from OSX, Linux, openbsd and Solaris 8-10.
>
> From the host to the server I see the following.
>
> #ssh -vv 192.168.8.163
> OpenSSH_3.9p1, OpenSSL 0.9.7a Feb 19 2003
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: Applying options for *
> debug2: ssh_connect: needpriv 0
> debug1: Connecting to 192.168.8.163 [192.168.8.163] port 22.
> debug1: Connection established.
> debug1: identity file /home/$USER/.ssh/identity type -1
> debug1: identity file /home/$USER/.ssh/id_rsa type -1
> debug1: identity file /home/$USER/.ssh/id_dsa type -1
> ssh_exchange_identification: read: Connection reset by peer
> #
>

Do you have active PF on the FreeBSD hosts?
I see a similar error with my ssh every time I misconfigure pf.conf :)
If you have a "pass out keep state" rule, but do not have "pass in keep state"
(and you are not blocking port 22), then when you connect to the hosts the first
packets are passed, but then pf creates a wrong state (from server to client),
which really pisses off openssh and it just stops working (I didn't dig enough
to see why).

You can look for "connection timed out on freebsd 7.0" in the -stable mailing
list for other possible network problems, but I think your RELENG_7 from 26th
Oct should be fixed already.

> I get this if the keys exist in ~/.ssh/known_hosts or not.
>
>
> I get this on all of the hosts connecting to the new 7.0 server
>
> On the server I see the following.
>
> /var/log/auth
> Oct 26 13:32:27 dhcp11 sshd[1013]: Did not receive identification string
> from 192.168.3.132
>
> I compared an /etc/ssh/sshd_config from a working 6.2 host and my 7 host and
> they are identical (empty lines removed)
> dhcp11# grep -v # /etc/ssh/sshd_config
> DSAAuthentication yes
> PubkeyAuthentication yes
> AuthorizedKeysFile .ssh/authorized_keys
> Subsystem sftp /usr/libexec/sftp-server
>
> Here is /etc/hosts.allow
> dhcp11# grep -v # /etc/hosts.allow (empty lines removed again)
> ALL : ALL : allow
> sendmail : ALL : allow
> ftpd : ALL : allow
>
> sshd in debugging mode.
>
> dhcp11# /usr/sbin/sshd -ddddddd
> debug2: load_server_config: filename /etc/ssh/sshd_config
> debug2: load_server_config: done config len = 249
> debug2: parse_server_config: config /etc/ssh/sshd_config len 249
> debug3: /etc/ssh/sshd_config:111 setting Subsystem sftp
> /usr/libexec/sftp-server
> debug3: /etc/ssh/sshd_config:118 setting DSAAuthentication yes
> debug3: /etc/ssh/sshd_config:119 setting PubkeyAuthentication yes
> debug3: /etc/ssh/sshd_config:120 setting AuthorizedKeysFile
> .ssh/authorized_keys
> debug1: sshd version OpenSSH_4.5p1 FreeBSD-20061110
> debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
> debug1: read PEM private key done: type DSA
> debug1: private host key: #0 type 2 DSA
> debug1: rexec_argv[0]='/usr/sbin/sshd'
> debug1: rexec_argv[1]='-ddddddd'
> debug2: fd 3 setting O_NONBLOCK
> debug1: Bind to port 22 on 0.0.0.0.
> Server listening on 0.0.0.0 port 22.
> debug1: fd 4 clearing O_NONBLOCK
> debug1: Server will not fork when running in debugging mode.
> debug3: send_rexec_state: entering fd = 7 config len 249
> debug3: ssh_msg_send: type 0
> debug3: send_rexec_state: done
> debug1: rexec start in 4 out 4 newsock 4 pipe -1 sock 7
> debug1: inetd sockets after dupping: 3, 3
> debug1: res_init()
> Connection from 192.168.3.132 port 39685
> Did not receive identification string from 192.168.3.132
>
> DNS queries forward and reverse resolve the hostnames I am ssh-ing in from.
>
> Any other suggestions as I have run out of ideas and google isn't as helpful
> at this point, unless I have overlooked something.
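
The rule pairing the reply describes, written out as a pf.conf fragment. This is an added example, not configuration from either poster's host; the interface name em0 and the ext_if macro are assumptions.

```pf
# Constructed pf.conf fragment; em0 and ext_if are assumed names.
ext_if = "em0"

# --- Asymmetric ruleset, as described in the reply ---------------------
# pass out on $ext_if keep state
#
# There is no "pass in ... keep state" rule and nothing blocks port 22,
# so an inbound connection attempt to sshd matches no rule and is let
# through by pf's implicit default pass, which tracks no state.
# The only stateful rule that sshd's traffic can match is the outbound
# one, which is where the reply reports a state being created in the
# wrong direction (from server to client).

# --- Symmetric ruleset -------------------------------------------------
# State for an inbound SSH session is created on the client's initial
# SYN (flags S/SA), so the state entry has the client as the initiator.
pass in  on $ext_if proto tcp from any to any port 22 flags S/SA keep state

# Outbound connections started by this host are tracked the same way.
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

# Checks to run on the host after editing:
#   pfctl -nf /etc/pf.conf   parse the file without loading it
#   pfctl -s info            confirm whether pf is enabled at all
#   pfctl -s rules           list the rules actually loaded
#   pfctl -s states          during a test login, look for the port 22
#                            entry and which side it lists as initiator
```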