[Gibble]

Ok, I set up a freeBSD 4.10 machine, it's a pretty bare install. I plan to install everything in jails. But that's not the issue (yet)

I'm having issue with SSH. I installed OpenSSH 3.6.1 and from computers outside the network, I can connect. But from computers behind my freeBSD machine (it's running natd) I get a login prompt, so I type the username...but I don't get a prompt for the password.

What the hell is wrong?

[Squashman]

Would really help to see the conf file, dont you think?

[Gibble]

Everything is set to defaults...but which conf file? sshd?

[deuce868]

sounds like your firewall is not letting things back out. Check that you have related on as well as port 22 both ways.

[Gibble]

Currently my firewall is set to OPEN ... so shouldn't that be letting everything through both ways?

[Squashman]

Well, I can tell you for starters that you should not run Open SSH in its default configuration. Version 3.6.1 had many vulnerabilites. I am trying to find the one that lets you login without a password if you are running SSH version 1.

So do we get to see the config file.

[Gibble]

Code:

#       $OpenBSD: sshd_config,v 1.59 2002/09/25 11:17:16 markus Exp $
#       $FreeBSD: src/crypto/openssh/sshd_config,v 1.4.2.13 2003/09/24 19:28:35 des Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

# Note that some of FreeBSD's defaults differ from OpenBSD's, and
# FreeBSD has a few additional options.

#VersionAddendum FreeBSD-20030924

#Port 22
#Protocol 2,1
#ListenAddress 0.0.0.0
#ListenAddress ::
ListenAddress MY EXTERNAL IP HERE

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 3600
#ServerKeyBits 768

# Logging
#obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 120
#PermitRootLogin no
#StrictModes yes

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable PAM authentication
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

#AFSTokenPassing no

# Kerberos TGT Passing only works with the AFS kaserver
#KerberosTgtPassing no

#X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#KeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression yes

#MaxStartups 10
# no default banner path
#Banner /some/path
#VerifyReverseMapping no

# override default of no subsystems
Subsystem       sftp    /usr/libexec/sftp-server

[Gibble]

Quote:

Originally Posted by LwdSquashman

Well, I can tell you for starters that you should not run Open SSH in its default configuration. Version 3.6.1 had many vulnerabilites. I am trying to find the one that lets you login without a password if you are running SSH version 1.

So do we get to see the config file.

It's just odd that I can log in from a PC outside the network, but not from one inside the network ...

[Squashman]

Do you have multiple NICs setup in your machine. I am wondering why you have the listen address setup.

[Squashman]

Here are some things you should think about changing:

Code:

Port 22
Protocol 2
PermitRootLogin no
X11Forwarding no
KeepAlive yes
Compression yes
MaxStartups 10 (or whatever you want)
PermitEmptyPasswords no
PasswordAuthentication yes
ReverseMappingCheck no
GatewayPorts no
AllowGroups ssh ( or whatever group name you want to call it)
PrintMotd yes

[Gibble]

Quote:

Originally Posted by LwdSquashman

Do you have multiple NICs setup in your machine. I am wondering why you have the listen address setup.

The listen address is setup for two reasons.
1. Yes I have two NIC's this server is running NAT for my internal network. So NIC1 has my external IP, and NIC2 has the internal IP 192.168.0.1

2. Since I plan on running apache, mysql, etc in jails, and to gain access to each jail they each have to run SSH (or some will anyhow) then the nonjailed portion of the machine should only listen to ssh requests on it's IPs, not just any that resolve to the machine, as the jails get their own IPs and their SSH daemons will listen on their IPs

But since the Jails aren't yet setup, I don't know why I can SSH to the machine from outside the network, but not inside. When I attempt to SSH to the machine internally, I get the login prompt, but after entering the username, it does nothing, and I don't get the password prompt, it just timesout or something...

[Squashman]

Did you try putting the listen address of your internal nic in that list.

[Squashman]

I would comment out the listenaddress line. THe listenaddress is for when you have multiple nics and you only want one of the nics to respond to ssh.

[Gibble]

Quote:

Originally Posted by LwdSquashman

I would comment out the listenaddress line. THe listenaddress is for when you have multiple nics and you only want one of the nics to respond to ssh.

I will need it, since this machine will have several different IPs because of the jails which will run their own ssh daemons and I they have to be held seperate.

But I'll add the internal IP as well and see if that fixes the problem (but I won't know until this evening when I am at one of the internal machines)

[Squashman]

Well according to one of my online buddies, you dont need to bind the addresses in the config. Nat Redirection should take care of it.