Difference between revisions of "Ssh"

From Linuxintro
imported>ThorstenStaerk
imported>ThorstenStaerk
(ypBind)
 
(6 intermediate revisions by 2 users not shown)
Line 1: Line 1:
ssh is a command to log in over the network to another computer.
+
ssh is a [[command]] to [[control a computer over the network]].
  
 
= Send graphical output to ssh user =
 
= Send graphical output to ssh user =
Line 30: Line 30:
 
  or -vv, -vvv
 
  or -vv, -vvv
  
= possible problems =
+
 
 +
 
 +
= TroubleShooting =
  
 
== Remote host identification has changed ==
 
== Remote host identification has changed ==
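Review bot: The renamed heading `= TroubleShooting =` uses mid-word capitalisation that none of the other headings visible in this diff use ("Send graphical output to ssh user", "Remote host identification has changed", "Related"). `= Troubleshooting =` would be consistent with them.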
Line 59: Line 61:
 
If ssh -X works, but you still do not get the graphical display from your remote machine, check /etc/ssh/sshd_config. There must be a line
 
If ssh -X works, but you still do not get the graphical display from your remote machine, check /etc/ssh/sshd_config. There must be a line
 
  X11Forwarding yes
 
  X11Forwarding yes
 +
Also, there must be a binary xauth, otherwise .Xauthority cannot be created.
 +
 +
If you get an error message like
 +
Invalid MIT-MAGIC-COOKIE-1 keyError: Can't open display: localhost:10.0
 +
make sure to call
 +
xhost +
 +
on the client machine before calling ssh.
 +
 +
== ssh hangs ==
 +
'''Symptom:''' After calling something like
 +
ssh root@venus
 +
Nothing seems to happen for about half a minute, then the password prompt appears.
 +
 +
'''Solution 1:''' Check the name server configuration. Here is an example case:
 +
earth:~ # ssh root@192.168.0.108
 +
Now I had to wait about 30 seconds, then I got the password prompt:
 +
Password:
 +
I gave the password and inspected the name server config:
 +
tweedleburg:~ # cat /etc/resolv.conf
 +
[...]
 +
nameserver 80.237.128.144
 +
nameserver 192.168.0.1
 +
nameserver 217.0.43.113
 +
nameserver 217.0.43.97
 +
Ok, let's see if the first name server is reachable:
 +
tweedleburg:~ # ping 80.237.128.144
 +
PING 80.237.128.144 (80.237.128.144) 56(84) bytes of data.
 +
64 bytes from 80.237.128.144: icmp_req=1 ttl=57 time=48.4 ms
 +
64 bytes from 80.237.128.144: icmp_req=2 ttl=57 time=48.8 ms
 +
It is. I quit with CTRL_C.
 +
 +
Now let's see if you can reach the name service's port:
 +
tweedleburg:~ # telnet 80.237.128.144 53
 +
Trying 80.237.128.144...
 +
 
 +
 +
telnet: connect to address 80.237.128.144: No route to host
 +
No. We wait and nothing happens. This is our root cause.
 +
So let's edit /etc/resolv.conf and remove the name server 80.237.128.144
 +
tweedleburg:~ # vi /etc/resolv.conf
 +
tweedleburg:~ # exit
 +
logout
 +
Connection to 192.168.0.108 closed.
 +
earth:~ # ssh root@192.168.0.108
 +
And immediately I got the password prompt:
 +
Password:
 +
Problem solved.
 +
 +
'''Solution 2:''' Stop and disable ypbind:
 +
/etc/init.d/ypbind stop
  
 
= Related =
 
= Related =
 
ssh-related topics:
 
ssh-related topics:
 
* [[passwordless login]]
 
* [[passwordless login]]
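Review bot: The added `xhost +` step (under the "Invalid MIT-MAGIC-COOKIE-1 key" error) switches off access control on the client's X server for every host, which is much broader than the fix needs, and the text does not say so. Either state that effect next to the command or scope the grant to a single host. Separately, "Solution 2" is titled "Stop and disable ypbind" but only shows `/etc/init.d/ypbind stop`, which stops the service without disabling it. Add the disable step or retitle the solution.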

Latest revision as of 09:49, 30 April 2013

ssh is a command to control a computer over the network.

Send graphical output to ssh user

If you want to start a graphical program, e.g. kwrite, on your remote computer and have its window displayed on your local computer, log in with -X and start the program (xclock in this example):

ssh -l user server -X
xclock &

what happens

After logging in with ssh -X, xauth is called to create or modify .Xauthority. Using netstat -putan on the remote machine you can see that every ssh -X session gets its own listening socket:

remote:~ # netstat -putan
[...]
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6011          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6012          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:6013          0.0.0.0:*               LISTEN      -
[...]

And $DISPLAY is set automatically.

remote:~ # echo $DISPLAY
localhost:14.0

And sshd listens on the respective port (6000 plus the display number, here 6014) to forward X11 traffic:

remote:~ # lsof | grep 6014
sshd       5257     root    6u  IPv4 3755641440                   TCP localhost:6014 (LISTEN)

port forwarding

ssh username@server -L localport:remoteserver:remoteport

ssh verbose

ssh -v user@server
or -vv, -vvv


Troubleshooting

Remote host identification has changed

Symptom

When trying to log in via ssh you may get a message like this:

tweedleburg:~ # ssh root@192.168.0.107
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
32:78:25:83:d8:a6:de:ad:6a:0b:99:5e:05:e5:7c:e7.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:11
RSA host key for 192.168.0.107 has changed and you have requested strict checking.
Host key verification failed.
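
Reason

This means the host key presented by the computer you are trying to reach no longer matches the one stored in your known_hosts file. As the warning says, either the host key was changed or someone is intercepting the connection.

Solution

If the key change is legitimate, remove the old key from known_hosts:

$ ssh-keygen -R hostname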
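
One way to make the removal conditional on the new key being the expected one. This is an added example, not part of the original page: the function names are hypothetical, the trusted fingerprint is assumed to come from the administrator over a separate channel, and OpenSSH 6.8 or later is assumed for `ssh-keygen -E md5`, which prints the colon-separated format shown in the warning above.

```shell
#!/bin/sh
# Added example: forget a host key only after the key the host presents now
# matches a fingerprint obtained out-of-band (phone, ticket, console).

# Normalise a fingerprint: drop an "MD5:" prefix and lower-case the hex.
norm_fp() {
    printf '%s' "$1" | sed 's/^[Mm][Dd]5://' | tr 'A-F' 'a-f'
}

# Return 0 only if $1 is a well-formed MD5 colon-hex fingerprint equal to $2.
# Returns 2 when $1 is malformed or empty, 1 on a plain mismatch.
fp_match() {
    a=$(norm_fp "$1"); b=$(norm_fp "$2")
    printf '%s\n' "$a" | grep -Eq '^([0-9a-f]{2}:){15}[0-9a-f]{2}$' || return 2
    [ "$a" = "$b" ]
}

# Print the MD5 fingerprint of the key the host presents right now.
# ssh-keyscan output is unauthenticated; it is only compared, never trusted.
presented_fp() {   # usage: presented_fp host [keytype]
    tmp=$(mktemp) || return 1
    ssh-keyscan -T 5 -t "${2:-rsa}" "$1" > "$tmp" 2>/dev/null
    ssh-keygen -l -E md5 -f "$tmp" 2>/dev/null | awk 'NR == 1 { print $2 }'
    rm -f "$tmp"
}

# Run ssh-keygen -R only when the presented key is the vouched-for one.
forget_if_trusted() {   # usage: forget_if_trusted host trusted_fingerprint
    seen=$(presented_fp "$1") || return 1
    if fp_match "$seen" "$2"; then
        ssh-keygen -R "$1"
    else
        echo "fingerprint mismatch for $1: got '$seen', known_hosts untouched" >&2
        return 1
    fi
}
```

A failed or empty key scan is treated as a mismatch, so the old known_hosts entry stays in place until a matching key has actually been seen.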

ssh -X does not work

If the ssh -X login works, but you still do not get the graphical display from your remote machine, check /etc/ssh/sshd_config on the remote machine. There must be a line

X11Forwarding yes

Also, the xauth binary must be installed, otherwise .Xauthority cannot be created.

If you get an error message like

Invalid MIT-MAGIC-COOKIE-1 keyError: Can't open display: localhost:10.0

make sure to call

xhost +

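on the client machine before calling ssh. Note that xhost + switches off access control on the client's X server, so any host that can reach it may connect to it.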

ssh hangs

Symptom: After calling something like

ssh root@venus

nothing seems to happen for about half a minute, then the password prompt appears.

Solution 1: Check the name server configuration. Here is an example case:

earth:~ # ssh root@192.168.0.108

Now I had to wait about 30 seconds, then I got the password prompt:

Password: 

I gave the password and inspected the name server config:

tweedleburg:~ # cat /etc/resolv.conf
[...]
nameserver 80.237.128.144
nameserver 192.168.0.1
nameserver 217.0.43.113
nameserver 217.0.43.97

Ok, let's see if the first name server is reachable:

tweedleburg:~ # ping 80.237.128.144
PING 80.237.128.144 (80.237.128.144) 56(84) bytes of data.
64 bytes from 80.237.128.144: icmp_req=1 ttl=57 time=48.4 ms
64 bytes from 80.237.128.144: icmp_req=2 ttl=57 time=48.8 ms

It is. I quit with Ctrl+C.

Now let's see if you can reach the name service's port:

tweedleburg:~ # telnet 80.237.128.144 53
Trying 80.237.128.144...
 

telnet: connect to address 80.237.128.144: No route to host

No. We wait and nothing happens. This is our root cause. So let's edit /etc/resolv.conf and remove the name server 80.237.128.144:

tweedleburg:~ # vi /etc/resolv.conf
tweedleburg:~ # exit
logout
Connection to 192.168.0.108 closed.
earth:~ # ssh root@192.168.0.108

And immediately I got the password prompt:

Password: 

Problem solved.
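
The manual telnet test above, repeated for every configured name server. This is an added example, not part of the original page: the function names are hypothetical, and bash plus coreutils `timeout` are assumed to be installed for the port probe.

```shell
#!/bin/sh
# Added example: probe TCP port 53 on each resolver listed in resolv.conf,
# as the walkthrough does for one server with telnet.

# nameserver lines from the walkthrough; the comment line is constructed.
sample_resolv_conf() {
    cat <<'EOF'
# comment lines are ignored
nameserver 80.237.128.144
nameserver 192.168.0.1
nameserver 217.0.43.113
nameserver 217.0.43.97
EOF
}

# Print nameserver addresses in lookup order. Argument: a file, or - for stdin.
list_nameservers() {
    awk '$1 == "nameserver" && NF >= 2 { print $2 }' "${1:-/etc/resolv.conf}"
}

# Succeed if TCP port 53 on $1 accepts a connection within ${2:-3} seconds.
# Relies on bash's /dev/tcp redirection, hence the explicit bash -c.
dns_port_open() {
    timeout "${2:-3}" bash -c ': < "/dev/tcp/$1/53"' _ "$1" 2>/dev/null
}

# Report every resolver; return 1 if at least one does not answer.
check_resolvers() {
    rc=0
    for ns in $(list_nameservers "$1"); do
        if dns_port_open "$ns"; then
            echo "ok           $ns"
        else
            echo "unreachable  $ns"
            rc=1
        fi
    done
    return "$rc"
}
```

Called without an argument, `check_resolvers` reads /etc/resolv.conf; `sample_resolv_conf | list_nameservers -` exercises the parser offline.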

Solution 2: Stop and disable ypbind:

/etc/init.d/ypbind stop

Related

ssh-related topics:

* passwordless login