MaD dUCK on Thu, 10 May 2001 11:50:07 -0400



[PLUG] sshd_exchange_identification problem


debians,

i (we) operate a number of Potato servers in different locations.
After a hack attack on one of our machines, we reinstalled it (using
pretty much defaults), and now we're having problems connecting to it
from some machines. specifically, the problems relate to the sshd /
hosts.deny interaction, which we have set to ALL: PARANOID.

scenario is this: the new server is piper @ 130.58.xxx.xxx [1]. i can
reproduce the problem with the two machines on my desk, one of which
can connect, the other of which fails.

[1] yes, gabe, it's the machine you're thinking of.

=====
(A) the machine is called fishbowl.madduck.net, which is a CNAME to
fishbowl.dyn.madduck.net, a dynamically changeable address (bind 9,
TTL 3 minutes). currently, it resolves to 130.58.82.172, which points
back to d172.sproul.swarthmore.edu. fishbowl uses ns1.madduck.net as
nameserver, which i told to resolve the ip back to its name. so:

fishbowl:~> host fishbowl.madduck.net
fishbowl.madduck.net            CNAME   fishbowl.dyn.madduck.net
fishbowl.dyn.madduck.net        A       130.58.82.172
fishbowl:~> host 130.58.82.172
Name: fishbowl.dyn.madduck.net
Address: 130.58.82.172

but on the new machine:

piper:~> host fishbowl.madduck.net
fishbowl.madduck.net            CNAME   fishbowl.dyn.madduck.net
fishbowl.dyn.madduck.net        A       130.58.82.172
piper:~> host 130.58.82.172
Name: d172.sproul.swarthmore.edu
Address: 130.58.82.172

using RSA authentication between the two stock ssh installs (OpenSSH
1.2.3, protocol 1.5), I can successfully log in to my account on
piper.

=====
(B) the other machine is called diamond.madduck.net, and it's pretty
much the same DNS situation:

diamond:~> host diamond.madduck.net
diamond.madduck.net             A       130.58.82.235
diamond:~> host 130.58.82.235
Name: diamond.madduck.net
Address: 130.58.82.235

but on the new machine:

piper:~> host diamond.madduck.net
shbowl.dyn.madduck.net          A       130.58.82.235
piper:~> host 130.58.82.235
Name: d235.sproul.swarthmore.edu
Address: 130.58.82.235

this machine cannot log in to piper:

diamond:~> ssh -v piper
SSH Version OpenSSH-1.2.3, protocol version 1.5.
Compiled with SSL.
debug: Reading configuration data /home/madduck/.ssh/config
debug: Applying options for piper
debug: Applying options for *
debug: Reading configuration data /etc/ssh/ssh_config
debug: Applying options for *
debug: ssh_connect: getuid 1000 geteuid 1000 anon 1
debug: Connecting to piper.xxx.swarthmore.edu [130.58.xxx.xxx] port 22.
debug: Connection established.
ssh_exchange_identification: Connection closed by remote host
debug: Calling cleanup 0x8056840(0x0)

meanwhile, piper's /var/log/auth.log lists this:

May 10 11:14:35 piper sshd[9765]: warning: /etc/hosts.deny, line 15:
can't verify hostname: gethostbyname(d235.sproul.swarthmore.edu) failed
May 10 11:14:35 piper sshd[9765]: refused connect from 130.58.82.235

hosts.deny:15 is obviously ALL: PARANOID.

before the reinstall, this machine could successfully connect to piper
with the same DNS setup. however, now it doesn't work and i am
thinking that it's the ALL: PARANOID entry, which i speculate did not
exist previously.

can you back me up on this, and explain why i am having these
problems? does ssh advertise the hostname of the client trying to
connect? i.e. is diamond saying "hi piper's sshd, i am
diamond.madduck.net" and sshd does a reverse lookup on the connecting
IP and discovers a mismatch in the hostnames?

however, all my machines have the same stock /etc/hosts.deny and i
don't have these problems anywhere else. i do recall getting them once
in a while, but deleting ~/.ssh/known_hosts usually fixed them... not
in this case...

any tips/pointers appreciated!

martin;              (greetings from the heart of the sun.)
  \____ echo mailto: !#^."<*>"|tr "<*> mailto:"; net@madduck
-- 
stay the patient course.
of little worth is your ire.
the network is down.


______________________________________________________________________
Philadelphia Linux Users Group       -      http://www.phillylinux.org
Announcements-http://lists.phillylinux.org/mail/listinfo/plug-announce
General Discussion  -  http://lists.phillylinux.org/mail/listinfo/plug
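
Added example, not part of the original post and not tcp_wrappers source code: a simplified Python model of the name/address double lookup behind the "can't verify hostname: gethostbyname(...) failed" line in piper's auth.log, useful for testing a client address from the server's resolver view before enabling ALL: PARANOID. The function names and lookup tables are hypothetical; the tables are constructed from the host output quoted in the post, and the forward entry for d172 is an assumption.

```python
import socket

def system_reverse(ip):
    """PTR lookup through the system resolver; None when there is no name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except OSError:
        return None

def system_forward(name):
    """Forward lookup through the system resolver; [] when it fails."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except OSError:
        return []

def paranoid_check(ip, reverse=system_reverse, forward=system_forward):
    """Model of the double lookup: address -> name -> addresses.

    Returns (verdict, detail). "paranoid" means the name obtained from
    the address could not be confirmed by looking that name up again.
    """
    name = reverse(ip)
    if name is None:
        return "unknown", "no name for %s" % ip
    addrs = forward(name)
    if not addrs:
        return "paranoid", "gethostbyname(%s) failed" % name
    if ip not in addrs:
        return "paranoid", "%s does not resolve to %s" % (name, ip)
    return "match", name

# Constructed resolver view as seen from piper, built from the post's output.
PIPER_PTR = {
    "130.58.82.172": "d172.sproul.swarthmore.edu",
    "130.58.82.235": "d235.sproul.swarthmore.edu",
}
# Assumption: d172 resolves forward on piper; d235 does not (per auth.log).
PIPER_A = {"d172.sproul.swarthmore.edu": ["130.58.82.172"]}

def check_from_piper(ip):
    """Run the check against the constructed tables instead of live DNS."""
    return paranoid_check(ip, PIPER_PTR.get, lambda n: PIPER_A.get(n, []))

if __name__ == "__main__":
    for client in ("130.58.82.172", "130.58.82.235", "192.0.2.10"):
        print(client, *check_from_piper(client))
```

Calling paranoid_check(ip) with no other arguments runs the same check against the live system resolver of the machine it is executed on.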