[Solved] SSH server no longer works after years of honourable service

The SSH server (Fedora) I have been using for years has suddenly started to malfunction. Now, every time I try to log in over SSH, I get

ssh [email protected] -p 4000 write: Connection reset by peer
Now someone will say something about ports; don't worry, they have been working for years. The firewall rules are in order.

/var/log/secure

does not register any client at all trying to connect to the machine.

journalctl -u sshd

just returns plain “started SSH server” messages

Running sshd by hand as well

/usr/sbin/sshd -D

returns the same messages

[list=1]
[*]Are the port and IP correct?[/*]
[*]Is the firewall open on 4000/TCP?[/*]
[*]What changes have been made to the sshd configuration (apart from the port)?[/*]
[*]What does SELinux say?[/*]
[/list]

I would also suggest using the -vvv switch for better debugging.

[quote=frafra][list=1]
[*]Are the port and IP correct?[/*]
[*]Is the firewall open on 4000/TCP?[/*]
[*]What changes have been made to the sshd configuration (apart from the port)?[/*]
[*]What does SELinux say?[/*]
[/list][/quote]

[list=1]
[*]Yes[/*]
[*]Yes, I even tried turning it off as a test[/*]
[*]See further down[/*]
[*]Nothing, but if I stop the sshd service and then start it again I get https://bugzilla.redhat.com/show_bug.cgi?id=1316879 and I have also run the commands to tell SELinux to ignore that, and even put SELinux in permissive mode, but the client's problem connecting to sshd remains[/*]
[/list]

[code]# $OpenBSD: sshd_config,v 1.84 2011/05/23 03:30:07 djm Exp $

# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.

Port 4000
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

# The default requires explicit activation of protocol 1
#Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
MaxAuthTries 3
#MaxSessions 10

#RSAAuthentication yes
PubkeyAuthentication yes
#AllowedAuthentications publickey,password REMOVE
#RequiredAuthentications publickey,password REMOVE

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys

#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Fedora and may cause several
# problems.
#UsePAM no
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner /home/pdalberone/Immagini/banner

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server

# Uncomment this if you want to use .local domain
#Host *.local
#   CheckHostIP no

# Example of overriding settings on a per-user basis
#Match User anoncvs
#   X11Forwarding no
#   AllowTcpForwarding no
#   ForceCommand cvs server
[/code]

I tried increasing sshd's debug output, but I can see plainly that no request reaches it when I try to log in…

PasswordAuthentication no

Sorry, but do you authenticate with a certificate (public/private key)? Is that intended, or a mistake made during configuration?

If you run tcpdump on the client machine, do you see the request going out towards TCP port 4000?
Conversely, does tcpdump on the server show your request on the same port?

[quote=palir1927]PasswordAuthentication no

Sorry, but do you authenticate with a certificate (public/private key)?[/quote]
Yes

I'll try tonight

Good; while you're at it, could you also post a

$ ss -l -n -t -p

from the server?

(For the -p switch of the ss command suggested in post #9 you will need to run the command as root anyway)

Incredible: while I was running tcpdump, in order to generate more entries in the log I tried logging in from the client several times, and on the fifth attempt it magically got in. And, even more absurd, this is actually reproducible

[code]# ss -l -n -t -p
State   Recv-Q Send-Q Local Address:Port   Peer Address:Port
LISTEN  0      64     *:2049               *:*
LISTEN  0      128    127.0.0.1:199        *:*      users:(("snmpd",pid=1110,fd=8))
LISTEN  0      128    *:4000               *:*      users:(("sshd",pid=1200,fd=3))
LISTEN  0      128    *:111                *:*      users:(("rpcbind",pid=787,fd=8))
LISTEN  0      128    *:20048              *:*      users:(("rpc.mountd",pid=1163,fd=8))
LISTEN  0      64     *:44115              *:*
LISTEN  0      5      192.168.122.1:53     *:*      users:(("dnsmasq",pid=1680,fd=6))
LISTEN  0      5      127.0.0.1:631        *:*      users:(("cupsd",pid=1091,fd=12))
LISTEN  0      128    127.0.0.1:31416      *:*      users:(("boinc_client",pid=1193,fd=4))
LISTEN  0      128    127.0.0.1:5432       *:*      users:(("postgres",pid=1274,fd=3))
LISTEN  0      10     127.0.0.1:25         *:*      users:(("sendmail",pid=2140,fd=4))
LISTEN  0      128    *:60987              *:*      users:(("rpc.statd",pid=1151,fd=9))
LISTEN  0      64     :::2049              :::*
LISTEN  0      128    :::3306              :::*     users:(("mysqld",pid=1545,fd=16))
LISTEN  0      128    :::4000              :::*     users:(("sshd",pid=1200,fd=4))
LISTEN  0      64     :::37007             :::*
LISTEN  0      128    :::111               :::*     users:(("rpcbind",pid=787,fd=11))
LISTEN  0      128    :::80                :::*     users:(("httpd",pid=3016,fd=4),("httpd",pid=3014,fd=4),("httpd",pid=3012,fd=4),("httpd",pid=2959,fd=4),("httpd",pid=2957,fd=4),("httpd",pid=2955,fd=4),("httpd",pid=2953,fd=4),("httpd",pid=2951,fd=4),("httpd",pid=2949,fd=4),("httpd",pid=2946,fd=4))
LISTEN  0      128    :::20048             :::*     users:(("rpc.mountd",pid=1163,fd=10))
LISTEN  0      128    :::42353             :::*     users:(("rpc.statd",pid=1151,fd=11))
LISTEN  0      5      ::1:631              :::*     users:(("cupsd",pid=1091,fd=11))
LISTEN  0      128    :::443               :::*     users:(("httpd",pid=3016,fd=6),("httpd",pid=3014,fd=6),("httpd",pid=3012,fd=6),("httpd",pid=2959,fd=6),("httpd",pid=2957,fd=6),("httpd",pid=2955,fd=6),("httpd",pid=2953,fd=6),("httpd",pid=2951,fd=6),("httpd",pid=2949,fd=6),("httpd",pid=2946,fd=6))
[/code]

I'll update you on tcpdump later

OK, the connection attempts do reach the server.
The following log shows 5 or 6 consecutive failed connection attempts, after which the last one succeeded, except that I quit before entering the passphrase of the SSH private key.

[code]reading from file /root/dump3, link-type EN10MB (Ethernet)
23:03:45.210335 IP 192.168.1.211.60262 > machine.dynamid: Flags [S], seq 1078329345, win 29200, options [mss 1460,sackOK,TS val 15294894 ecr 0,nop,wscale 7], length 0
23:03:45.210410 IP machine.dynamid > 192.168.1.211.60262: Flags [S.], seq 1995471096, ack 1078329346, win 28960, options [mss 1460,sackOK,TS val 3989571 ecr 15294894,nop,wscale 7], length 0
23:03:45.211592 IP 192.168.1.211.60262 > machine.dynamid: Flags [.], ack 1, win 229, options [nop,nop,TS val 15294895 ecr 3989571], length 0
23:03:45.211614 IP machine.dynamid > 192.168.1.211.60262: Flags [R], seq 1995471097, win 0, length 0
23:03:45.212269 IP 192.168.1.211.60262 > machine.dynamid: Flags [P.], seq 1:22, ack 1, win 229, options [nop,nop,TS val 15294896 ecr 3989571], length 21
23:03:45.212281 IP machine.dynamid > 192.168.1.211.60262: Flags [R], seq 1995471097, win 0, length 0
23:03:46.445713 IP 192.168.1.211.60264 > machine.dynamid: Flags [S], seq 2660194407, win 29200, options [mss 1460,sackOK,TS val 15296129 ecr 0,nop,wscale 7], length 0
23:03:46.445785 IP machine.dynamid > 192.168.1.211.60264: Flags [S.], seq 4059381207, ack 2660194408, win 28960, options [mss 1460,sackOK,TS val 3990807 ecr 15296129,nop,wscale 7], length 0
23:03:46.447652 IP 192.168.1.211.60264 > machine.dynamid: Flags [.], ack 1, win 229, options [nop,nop,TS val 15296131 ecr 3990807], length 0
23:03:46.447669 IP machine.dynamid > 192.168.1.211.60264: Flags [R], seq 4059381208, win 0, length 0
23:03:46.447672 IP 192.168.1.211.60264 > machine.dynamid: Flags [P.], seq 1:22, ack 1, win 229, options [nop,nop,TS val 15296132 ecr 3990807], length 21
23:03:46.447678 IP machine.dynamid > 192.168.1.211.60264: Flags [R], seq 4059381208, win 0, length 0
23:03:47.033745 IP 192.168.1.211.60266 > machine.dynamid: Flags [S], seq 1083130986, win 29200, options [mss 1460,sackOK,TS val 15296716 ecr 0,nop,wscale 7], length 0
23:03:47.033817 IP machine.dynamid > 192.168.1.211.60266: Flags [S.], seq 2978460878, ack 1083130987, win 28960, options [mss 1460,sackOK,TS val 3991395 ecr 15296716,nop,wscale 7], length 0
23:03:47.035217 IP 192.168.1.211.60266 > machine.dynamid: Flags [.], ack 1, win 229, options [nop,nop,TS val 15296719 ecr 3991395], length 0
23:03:47.035234 IP machine.dynamid > 192.168.1.211.60266: Flags [R], seq 2978460879, win 0, length 0
23:03:47.035237 IP 192.168.1.211.60266 > machine.dynamid: Flags [P.], seq 1:22, ack 1, win 229, options [nop,nop,TS val 15296719 ecr 3991395], length 21
23:03:47.035243 IP machine.dynamid > 192.168.1.211.60266: Flags [R], seq 2978460879, win 0, length 0
23:03:47.763230 IP 192.168.1.211.60268 > machine.dynamid: Flags [S], seq 3966067322, win 29200, options [mss 1460,sackOK,TS val 15297447 ecr 0,nop,wscale 7], length 0
23:03:47.763304 IP machine.dynamid > 192.168.1.211.60268: Flags [S.], seq 1800592558, ack 3966067323, win 28960, options [mss 1460,sackOK,TS val 3992124 ecr 15297447,nop,wscale 7], length 0
23:03:47.764457 IP 192.168.1.211.60268 > machine.dynamid: Flags [.], ack 1, win 229, options [nop,nop,TS val 15297448 ecr 3992124], length 0
23:03:47.764474 IP machine.dynamid > 192.168.1.211.60268: Flags [R], seq 1800592559, win 0, length 0
23:03:47.765259 IP 192.168.1.211.60268 > machine.dynamid: Flags [P.], seq 1:22, ack 1, win 229, options [nop,nop,TS val 15297449 ecr 3992124], length 21
23:03:47.765270 IP machine.dynamid > 192.168.1.211.60268: Flags [R], seq 1800592559, win 0, length 0
23:03:48.401481 IP 192.168.1.211.60270 > machine.dynamid: Flags [S], seq 1699128551, win 29200, options [mss 1460,sackOK,TS val 15298059 ecr 0,nop,wscale 7], length 0
23:03:48.401553 IP machine.dynamid > 192.168.1.211.60270: Flags [S.], seq 2251254238, ack 1699128552, win 28960, options [mss 1460,sackOK,TS val 3992762 ecr 15298059,nop,wscale 7], length 0
23:03:48.403819 IP 192.168.1.211.60270 > machine.dynamid: Flags [.], ack 1, win 229, options [nop,nop,TS val 15298087 ecr 3992762], length 0
23:03:48.404367 IP 192.168.1.211.60270 > machine.dynamid: Flags [P.], seq 1:22, ack 1, win 229, options [nop,nop,TS val 15298088 ecr 3992762], length 21
23:03:48.404414 IP machine.dynamid > 192.168.1.211.60270: Flags [.], ack 22, win 227, options [nop,nop,TS val 3992765 ecr 15298088], length 0
23:03:48.413328 IP machine.dynamid > 192.168.1.211.60270: Flags [P.], seq 1:22, ack 22, win 227, options [nop,nop,TS val 3992774 ecr 15298088], length 21
23:03:48.414476 IP 192.168.1.211.60270 > machine.dynamid: Flags [.], ack 22, win 229, options [nop,nop,TS val 15298098 ecr 3992774], length 0
23:03:48.415603 IP 192.168.1.211.60270 > machine.dynamid: Flags [P.], seq 22:1358, ack 22, win 229, options [nop,nop,TS val 15298099 ecr 3992774], length 1336
23:03:48.418899 IP machine.dynamid > 192.168.1.211.60270: Flags [P.], seq 22:998, ack 1358, win 249, options [nop,nop,TS val 3992780 ecr 15298099], length 976
23:03:48.424758 IP 192.168.1.211.60270 > machine.dynamid: Flags [P.], seq 1358:1406, ack 998, win 251, options [nop,nop,TS val 15298109 ecr 3992780], length 48
23:03:48.435741 IP machine.dynamid > 192.168.1.211.60270: Flags [P.], seq 998:1362, ack 1406, win 249, options [nop,nop,TS val 3992797 ecr 15298109], length 364
23:03:48.442419 IP 192.168.1.211.60270 > machine.dynamid: Flags [P.], seq 1406:1422, ack 1362, win 266, options [nop,nop,TS val 15298126 ecr 3992797], length 16
23:03:48.481601 IP machine.dynamid > 192.168.1.211.60270: Flags [.], ack 1422, win 249, options [nop,nop,TS val 3992843 ecr 15298126], length 0
23:03:48.482905 IP 192.168.1.211.60270 > machine.dynamid: Flags [P.], seq 1422:1466, ack 1362, win 266, options [nop,nop,TS val 15298166 ecr 3992843], length 44
23:03:48.482918 IP machine.dynamid > 192.168.1.211.60270: Flags [.], ack 1466, win 249, options [nop,nop,TS val 3992844 ecr 15298166], length 0
23:03:48.482958 IP machine.dynamid > 192.168.1.211.60270: Flags [P.], seq 1362:1406, ack 1466, win 249, options [nop,nop,TS val 3992844 ecr 15298166], length 44
23:03:48.484546 IP 192.168.1.211.60270 > machine.dynamid: Flags [P.], seq 1466:1534, ack 1406, win 266, options [nop,nop,TS val 15298168 ecr 3992844], length 68
23:03:48.484937 IP machine.dynamid > 192.168.1.211.60270: Flags [P.], seq 1406:1482, ack 1534, win 249, options [nop,nop,TS val 3992846 ecr 15298168], length 76
23:03:48.492290 IP 192.168.1.211.60270 > machine.dynamid: Flags [P.], seq 1534:2674, ack 1482, win 266, options [nop,nop,TS val 15298176 ecr 3992846], length 1140
23:03:48.492954 IP machine.dynamid > 192.168.1.211.60270: Flags [P.], seq 1482:2582, ack 2674, win 272, options [nop,nop,TS val 3992854 ecr 15298176], length 1100
23:03:48.533834 IP 192.168.1.211.60270 > machine.dynamid: Flags [.], ack 2582, win 289, options [nop,nop,TS val 15298218 ecr 3992854], length 0
[/code]

Any ideas?
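Each failed attempt in the capture above has the same shape: the server completes the TCP handshake (SYN, SYN/ACK, ACK) and then answers with RST before any SSH banner, so the kernel accepted the connection and sshd itself dropped it, which is what the client reports as "Connection reset by peer". The following is an added example, not code from the thread: it parses tcpdump text output (numeric -nn form, a made-up server address 192.168.1.10 stands in for machine.dynamid, and the sample lines are constructed) and labels each client attempt so that "reset after handshake" can be told apart from "nothing listening" at a glance.

```python
import re

# Constructed sample in tcpdump's numeric (-nn) text format, modelled on the
# capture in this thread; 192.168.1.10 is a made-up stand-in for the server.
SAMPLE = """\
23:03:45.210335 IP 192.168.1.211.60262 > 192.168.1.10.4000: Flags [S], seq 1078329345, win 29200, length 0
23:03:45.210410 IP 192.168.1.10.4000 > 192.168.1.211.60262: Flags [S.], seq 1995471096, ack 1078329346, win 28960, length 0
23:03:45.211592 IP 192.168.1.211.60262 > 192.168.1.10.4000: Flags [.], ack 1, win 229, length 0
23:03:45.211614 IP 192.168.1.10.4000 > 192.168.1.211.60262: Flags [R], seq 1995471097, win 0, length 0
23:03:48.401481 IP 192.168.1.211.60270 > 192.168.1.10.4000: Flags [S], seq 1699128551, win 29200, length 0
23:03:48.401553 IP 192.168.1.10.4000 > 192.168.1.211.60270: Flags [S.], seq 2251254238, ack 1699128552, win 28960, length 0
23:03:48.403819 IP 192.168.1.211.60270 > 192.168.1.10.4000: Flags [.], ack 1, win 229, length 0
23:03:48.404367 IP 192.168.1.211.60270 > 192.168.1.10.4000: Flags [P.], seq 1:22, ack 1, win 229, length 21
23:03:48.413328 IP 192.168.1.10.4000 > 192.168.1.211.60270: Flags [P.], seq 1:22, ack 22, win 227, length 21
"""

LINE_RE = re.compile(r"^\S+ IP (\S+) > (\S+): Flags \[([^\]]*)\]")

def port_of(endpoint):  # tcpdump -nn prints host.port; last dotted field is the port
    return int(endpoint.rsplit(".", 1)[1])

def verdict(st):
    if st["data"]:
        return "completed (server sent banner data)"
    if st["rst"]:
        return "reset by server " + ("right after handshake" if st["acked"] else "before handshake completed")
    return "incomplete"

def classify_attempts(dump_text, server_port):
    """Group packets by client endpoint and label what the server did after the handshake."""
    flows = {}
    for line in dump_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst, flags = m.groups()
        from_server = port_of(src) == server_port
        if not from_server and port_of(dst) != server_port:
            continue  # not traffic to or from the sshd port
        client = dst if from_server else src
        st = flows.setdefault(client, {"synack": 0, "acked": 0, "rst": 0, "data": 0})
        if from_server:
            st["synack"] |= "S" in flags
            st["rst"] |= "R" in flags
            st["data"] |= "P" in flags
        elif st["synack"] and "S" not in flags:
            st["acked"] = 1  # client's final ACK: handshake done, kernel accepted the connection
    return {client: verdict(st) for client, st in flows.items()}
```

Run it over `tcpdump -nn -r dump tcp port 4000` output (without -q, so the Flags field is printed) and every attempt that the kernel accepted but sshd reset shows up as "right after handshake".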

Hi Caterpillar, let's check what happens if, on the client side, we run

$ ssh -4 [email protected] -p 4000

and at the same time, on the server side, we set up (preferably in two separate terminals)

# tcpdump -i XXX -nn -q tcp port 4000

where *XXX* is to be replaced with the correct name of the server's network interface
and

# tail -f -n 0 /var/log/secure

Set up the two server-side commands before starting the ssh connection from the client, so that you get precise output

The problem has magically gone away by itself; I really don't know what to think any more… Oh well…

openssl was updated recently; could it be the ‘culprit’ behind this computing miracle?

I really think so