2

EDIT: This problem turned out to be only when I do a round trip out of my home network and then back in again. It works perfectly fine from outside, so I'm cool.

I'm able to connect to my sshd service on a machine on my home network, but if I access it from outside through a router using port forwarding then it only gets as far as this message

debug1: SSH2_MSG_KEXINIT sent

then stalls.

Is there any way to diagnose what is failing at that point? What is happening at that stage of the protocol?

I did find some info [online][1] that this may be related to MTU sizes. I've tried setting the MTU to 576 on both my server and my router, but I get the same result.

Here's the log from the ssh client:

OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to xx.xx.xx.xx [xx.xx.xx.xx] port 22.
debug1: Connection established.
debug1: identity file /home/justinhj/.ssh/identity type 0
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug3: Not a RSA1 key file /home/justinhj/.ssh/id_rsa.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/justinhj/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/justinhj/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5ubuntu1
debug1: match: OpenSSH_5.1p1 Debian-5ubuntu1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent

And here's the server output:

justinhj@ubuntu:~$ sudo /usr/sbin/sshd -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 875
debug2: parse_server_config: config /etc/ssh/sshd_config len 875
debug3: /etc/ssh/sshd_config:6 setting Port 22
debug3: /etc/ssh/sshd_config:7 setting ListenAddress 192.168.0.106:22
debug3: /etc/ssh/sshd_config:8 setting ListenAddress 127.0.0.1:22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:15 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:16 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:19 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:22 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:23 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:26 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:27 setting LogLevel DEBUG3
debug3: /etc/ssh/sshd_config:29 setting GatewayPorts yes
debug3: /etc/ssh/sshd_config:32 setting LoginGraceTime 120
debug3: /etc/ssh/sshd_config:33 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:34 setting StrictModes yes
debug3: /etc/ssh/sshd_config:44 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:47 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:50 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:56 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:60 setting ChallengeResponseAuthentication yes
debug3: /etc/ssh/sshd_config:63 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:66 setting KerberosAuthentication no
debug3: /etc/ssh/sshd_config:68 setting KerberosOrLocalPasswd yes
debug3: /etc/ssh/sshd_config:69 setting KerberosTicketCleanup yes
debug3: /etc/ssh/sshd_config:72 setting GSSAPIAuthentication no
debug3: /etc/ssh/sshd_config:73 setting GSSAPICleanupCredentials no
debug3: /etc/ssh/sshd_config:74 setting GSSAPIKeyExchange no
debug3: /etc/ssh/sshd_config:76 setting X11Forwarding no
debug3: /etc/ssh/sshd_config:77 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:78 setting PrintMotd yes
debug3: /etc/ssh/sshd_config:79 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:80 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:85 setting Banner /etc/issue
debug3: /etc/ssh/sshd_config:88 setting AcceptEnv LANG LC_*
debug3: /etc/ssh/sshd_config:90 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:92 setting UsePAM yes
debug1: sshd version OpenSSH_5.1p1 Debian-5ubuntu1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: private host key: #0 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #1 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22 on 127.0.0.1.
Server listening on 127.0.0.1 port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 22 on 192.168.0.106.
Server listening on 192.168.0.106 port 22.
debug3: fd 5 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 875
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from xx.xx.xx.x port 41016

No.     Time        Source                Destination           Protocol Info
     22 40.592821   192.168.0.106         192.168.0.100         TCP      ssh > 4632 [RST] Seq=1 Win=0 Len=0

Frame 22 (60 bytes on wire, 60 bytes captured)
Ethernet II, Src: Asiarock_c9:54:51 (00:13:8f:c9:54:51), Dst: AskeyCom_76:f6:2b (00:90:96:76:f6:2b)
Internet Protocol, Src: 192.168.0.106 (192.168.0.106), Dst: 192.168.0.100 (192.168.0.100)
Transmission Control Protocol, Src Port: ssh (22), Dst Port: 4632 (4632), Seq: 1, Len: 0

No.     Time        Source                Destination           Protocol Info
     23 43.485533   192.168.0.100         xxx.xxx.xxx.xxx       TCP      [TCP Retransmission] [TCP segment of a reassembled PDU]

Frame 23 (590 bytes on wire, 590 bytes captured)
Ethernet II, Src: AskeyCom_76:f6:2b (00:90:96:76:f6:2b), Dst: D-Link_fa:33:1e (00:13:46:fa:33:1e)
Internet Protocol, Src: 192.168.0.100 (192.168.0.100), Dst: xxx.xxx.xxx.xxx (xxx.xxx.xxx.xxx)
Transmission Control Protocol, Src Port: 4632 (4632), Dst Port: ssh (22), Seq: 1, Ack: 40, Len: 536
SSH Protocol

[1]: Perhaps: http://www.snailbook.com/faq/mtu-mismatch.auto.html

7
  • 1
    you could add more details - tell if it works on your home network (you can also test an ssh connexion from the server) and give the full error message of the client (not just the last line - use ssh -vvv), and if possible, post the relevant parts of sshd logs on the server (/var/log/auth.log ... that might be another file depending on your logger daemon config), .... - to satisfy everybody's paranoia, consider modifying your login/host names from your logs. Commented Oct 12, 2009 at 2:58
  • Yeah good point, I was being rushed out the door
    – justinhj
    Commented Oct 12, 2009 at 20:54
  • And yes I am testing on my home network, just using the external IP so it has to go out and come back in again. I've also tried using my neighbour's wifi to connect. With their permission, of course
    – justinhj
    Commented Oct 12, 2009 at 20:55
  • 1
    this link indicates problems stemming from the wireless. their symptoms were disconnects well after the authentication, tho. still, might be helpful: ubuntuforums.org/showthread.php?t=838873 Commented Oct 14, 2009 at 18:12
  • Can you actually login with password instead of passkey when outside?
    – mr-euro
    Commented Oct 21, 2009 at 10:39

2 Answers

2
+50

Run a packet capture (e.g., Wireshark or tcpdump) on both the client and the server, and attempt the connection. You might see packets being sent (by either the client or the server) that don't get received by the other end. If this is the case, then something (like your firewall/router, or iptables on the server) is dropping the packets.

You can limit the capture to tcp port 22 to filter everything but the ssh connections. But you should also capture icmp as well, in case there are any unreachables being sent.

2
  • I've used wireshark to look at the output. I am getting repeated output of retransmitted packets at the point it goes wrong. I'm not quite sure what that means.
    – justinhj
    Commented Nov 1, 2009 at 20:31
  • (I've added that to the end of the question)
    – justinhj
    Commented Nov 1, 2009 at 20:32
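
The two-sided comparison this answer describes, as an added example that is not part of the original answer: it matches SSH data segments between a client-side and a server-side `tcpdump -nn` text capture by direction and relative sequence range, then lists the ones that never arrive, the ones that were retransmitted, and any ICMP lines. The capture lines and the addresses 203.0.113.10 and 192.168.0.1 are constructed, and the matching assumes the NAT device rewrites addresses but not sequence numbers.

```python
import re
from collections import Counter

SSH_PORT = 22
# Matches `tcpdump -nn` TCP lines; seq numbers are relative, so both captures must include the SYN.
SEG = re.compile(
    r"IP [\d.]+\.(?P<sport>\d+) > [\d.]+\.(?P<dport>\d+): Flags \[[^\]]+\]"
    r"(?:, seq (?P<seq>\d+)(?::(?P<end>\d+))?)?.*?length (?P<len>\d+)")

def data_segments(capture):
    """Count payload-carrying SSH segments, keyed by (direction, seq, end)."""
    seen = Counter()
    for line in capture.splitlines():
        m = SEG.search(line)
        if m and int(m["len"]) > 0 and SSH_PORT in (int(m["sport"]), int(m["dport"])):
            direction = "to_server" if int(m["dport"]) == SSH_PORT else "to_client"
            seen[(direction, int(m["seq"]), int(m["end"]))] += 1
    return seen

def compare(client_capture, server_capture):
    """Report segments one side sent that the other side's capture never shows."""
    views = {"to_server": (client_capture, server_capture),
             "to_client": (server_capture, client_capture)}
    report = {"lost": [], "retransmitted": []}
    for direction, (sender, receiver) in views.items():
        sent, seen = data_segments(sender), data_segments(receiver)
        for key, count in sent.items():
            if key[0] == direction and key not in seen:
                report["lost"].append(key)
            if key[0] == direction and count > 1:
                report["retransmitted"].append(key)
    both = (client_capture + "\n" + server_capture).splitlines()
    report["icmp"] = [line for line in both if " ICMP " in line]
    return report

# Constructed sample captures (not from the original post); 203.0.113.10 stands in for the external IP.
CLIENT = """\
12:00:00.020000 IP 203.0.113.10.22 > 192.168.0.100.4632: Flags [P.], seq 1:40, ack 1, win 362, length 39
12:00:00.030000 IP 192.168.0.100.4632 > 203.0.113.10.22: Flags [P.], seq 1:40, ack 40, win 365, length 39
12:00:00.040000 IP 192.168.0.100.4632 > 203.0.113.10.22: Flags [P.], seq 40:576, ack 40, win 365, length 536
12:00:03.040000 IP 192.168.0.100.4632 > 203.0.113.10.22: Flags [P.], seq 40:576, ack 40, win 365, length 536
"""
SERVER = """\
12:00:00.020000 IP 192.168.0.106.22 > 192.168.0.1.4632: Flags [P.], seq 1:40, ack 1, win 362, length 39
12:00:00.030000 IP 192.168.0.1.4632 > 192.168.0.106.22: Flags [P.], seq 1:40, ack 40, win 365, length 39
12:00:00.050000 IP 192.168.0.106.22 > 192.168.0.1.4632: Flags [P.], seq 40:824, ack 40, win 362, length 784
"""

if __name__ == "__main__":
    print(compare(CLIENT, SERVER))
```

In the sample, the small version-banner segments cross in both directions while the first large segment in each direction is lost, which points at something on the path dropping larger packets rather than at sshd itself.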
0

Try checking to make sure that /etc/hosts.allow and /etc/hosts.deny are not blocking SSH access from outside your home network.

1
  • 1
    that would block the connection before it got to sshd. not the case here; you can see the connection at the bottom of the sshd log. Commented Oct 14, 2009 at 18:07
