SSH questions

From: Nick Smith 
------------------------------------------------------
I inherited 3 Ubuntu servers and the previous admin is no longer around.
They have some weird config issues with ssh that I haven't run into before;
I was hoping someone here could shed some light on it for me.

I can only ssh into one server from the network directly. To access the 2nd
server I have to ssh into the first one then hop to the 2nd.  The 3rd
server is so borked I can only log in from the console; ssh access doesn't
work.

I've compared the sshd configs to some of our other Ubuntu servers and they
seem to be fairly default setups.

I don't see any place in the config where the server would be set up to only
allow access from one server (or a server on that subnet). Where else
besides the sshd config would something like that be configured on Ubuntu?

Not sure where I should start looking; I've checked resolv.conf and
nsswitch.conf and they appear to be correct.

From what I've found on Google, I might be able to resolve the 2nd server's
sshd config by removing and reinstalling sshd completely.  Has anyone done
that remotely? Can you uninstall sshd while ssh'd into the box?

I've done other crazy stuff like blow away the root partition and resize it
while the machine's running with no problems, so hopefully that's possible as
well.

Thanks for any info.

-- 
--------------
Nick Smith
nick at nicksmith dot us

===============================================================
From: Mike Harrison
------------------------------------------------------
IPTABLES?

iptables -L

Also, reverse DNS timeouts can be an issue.

===============================================================
From: kitepilot@kitepilot.com
------------------------------------------------------
Start from the basics... login to the console of server1 and do:

telnet localhost 22

Repeat for each server. If 'telnet localhost 22' fails, you have a
non-running SSH server, it is running but on a non-standard port, or you
have some iptables rules blocking the connection.

Assuming that telnet can establish the connection described above, then
move to a remote box and:

telnet server

===============================================================
From: Billy
------------------------------------------------------
Expanding on this: You have a ~user/.ssh/config file that lists special
ssh options by host. Check for that file.

I personally would do an

iptables -L

and

iptables -t nat -L

and

iptables -t mangle -L

Sent from my iPhone

===============================================================
From: John Aldrich
------------------------------------------------------
Quoting Nick Smith:

Have you checked hosts.allow and hosts.deny? I don't see any mention of
that here.

===============================================================
From: Wil Wade
------------------------------------------------------
Likely already checked, but I would guess most of the responses are
assuming that you are getting valid responses for:

ping server2
ping server3
server1 ping server3
server1 ping server3
nslookup server1, 2, 3
server1 nslookup server3

===============================================================
From: Dave Brockman
------------------------------------------------------
/etc/hosts.allow
/etc/hosts.deny
iptables -L -n

I'd look in all three of those places before I'd touch /etc/resolv.conf or
nsswitch.conf.

Regards,

dtb

-- 
"Some things in life can never be fully appreciated nor understood unless
experienced firsthand. Some things in networking can never be fully
understood by someone who neither builds commercial networking equipment
nor runs an operational network." RFC 1925

===============================================================
From: Nick Smith
------------------------------------------------------
Thanks for the replies,

There is nothing in hosts.allow
There is nothing in hosts.deny

iptables -L -n lists nothing (no rules specified)
iptables -t nat -L lists nothing
iptables -t mangle -L lists nothing

iptables -L lists:

Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp multiport dports sunrpc,1138,1500,9200

Which doesn't look to have anything to do with ssh on port 22. Nothing
else specified.

I can ping each server from each server. Cannot look them up via nslookup,
but they aren't configured on the local DNS servers (currently AD) so they
shouldn't resolve.

resolv.conf just lists the local name servers.

nsswitch.conf lists:

passwd:         compat
group:          compat
shadow:         compat

hosts:          files dns
networks:       files

protocols:      db files
services:       db files
ethers:         db files
rpc:            db files

netgroup:       nis

Which looks like every other nsswitch.conf file I've looked at from servers
that are working.....

Anything else I can look at?
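The replies so far all point at the same two host-side controls, iptables and TCP wrappers (hosts.allow/hosts.deny), and the reply above pastes the raw outputs. The script below is an added example (not code from the thread or from any of the posters) that reads those outputs as text and answers "would a client at this address get past the host to sshd?", so a ruleset like the posted one can be checked mechanically rather than by eye. It assumes the `iptables -L` column layout and a subset of hosts_access(5) syntax; the rulesets and wrapper files it ships with are constructed, one mirroring the posted output and one showing what an "ssh only from server1's subnet" restriction would look like. Note that upstream OpenSSH dropped TCP-wrappers support in 6.7, though some distributions kept it longer, so the wrapper check only matters on older sshd builds.

```python
"""Added example: decide whether iptables or TCP wrappers would stop an
inbound SSH connection, from the text of `iptables -L` and the two wrapper
files. Sample rulesets and wrapper files below are constructed."""
import ipaddress
import re

# Service names iptables prints when run without -n (constructed subset of /etc/services).
SERVICE_PORTS = {"ssh": 22, "sunrpc": 111, "http": 80}


def ports_in_spec(spec):
    """Expand 'sunrpc,1138,1500,9200' or 'dpt:22' style specs into port numbers."""
    ports = set()
    for part in spec.split(","):
        p = int(part) if part.isdigit() else SERVICE_PORTS.get(part)
        if p is not None:
            ports.add(p)
    return ports


def rule_matches(fields, client_ip, dport):
    """fields: one rule line split on whitespace: target prot opt source
    destination [match options...]. Negated (!) matches are not handled."""
    if len(fields) < 5:
        return False
    _target, prot, _opt, src, _dst, *rest = fields
    if prot not in ("tcp", "all", "6"):
        return False
    if src not in ("anywhere", "0.0.0.0/0"):
        try:
            if ipaddress.ip_address(client_ip) not in ipaddress.ip_network(src, strict=False):
                return False
        except ValueError:          # reverse-DNS name in the source column: rerun with -n
            return False
    m = re.search(r"(?:dpts?:|multiport dports )(\S+)", " ".join(rest))
    return m is None or dport in ports_in_spec(m.group(1))  # no port match = any port


def ssh_verdict(iptables_output, client_ip, dport=22):
    """Walk the INPUT chain top to bottom as the kernel does; return the first
    terminal target that matches, else the chain policy. Jumps to user-defined
    chains are skipped to keep the demo short."""
    policy, in_input = "ACCEPT", False
    for line in iptables_output.splitlines():
        line = line.strip()
        if line.startswith("Chain "):
            in_input = line.startswith("Chain INPUT")
            m = re.search(r"\(policy (\w+)\)", line)
            if in_input and m:
                policy = m.group(1)
            continue
        if not in_input or not line or line.startswith("target"):
            continue
        fields = line.split()
        if fields[0] in ("ACCEPT", "DROP", "REJECT") and rule_matches(fields, client_ip, dport):
            return fields[0]
    return policy


def wrapper_client_matches(pattern, client_ip):
    """Subset of hosts_access(5) client patterns: ALL, 'a.b.c.' prefix, net/mask, exact IP."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):
        return client_ip.startswith(pattern)
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    return pattern == client_ip


def wrappers_allow(hosts_allow, hosts_deny, client_ip, daemon="sshd"):
    """hosts.allow is consulted first, then hosts.deny; no match in either means allow."""
    def matches(text):
        for line in text.splitlines():
            line = line.split("#", 1)[0]
            if ":" not in line:
                continue
            daemons, clients = (f.strip() for f in line.split(":", 2)[:2])
            if daemons != "ALL" and daemon not in [d.strip() for d in daemons.split(",")]:
                continue
            if any(wrapper_client_matches(c.strip(), client_ip) for c in clients.split(",")):
                return True
        return False
    return matches(hosts_allow) or not matches(hosts_deny)


# Constructed to mirror the output pasted in the thread: the DROP never touches port 22.
POSTED_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
DROP       tcp  --  anywhere             anywhere             tcp multiport dports sunrpc,1138,1500,9200

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
"""
# Constructed: rules (as printed by -L -n) and wrapper files that would each
# produce the "ssh only works from server1's subnet" symptom.
SUBNET_ONLY_IPTABLES = """\
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  10.0.0.0/24          0.0.0.0/0            tcp dpt:22
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:22
"""
HOSTS_ALLOW = "sshd: 10.0.0.\n"
HOSTS_DENY = "sshd: ALL\n"

if __name__ == "__main__":
    for client in ("10.0.0.7", "192.168.1.9"):
        print(client, ssh_verdict(POSTED_IPTABLES, client), ssh_verdict(SUBNET_ONLY_IPTABLES, client),
              wrappers_allow(HOSTS_ALLOW, HOSTS_DENY, client))
```

Run against the posted ruleset it returns ACCEPT for port 22 from any client and DROP only for the four listed ports, which is the conclusion the reply reached by reading the rule; against the constructed subnet-only ruleset it returns ACCEPT from 10.0.0.7 and DROP from 192.168.1.9. Feed it the `-n` output rather than the name-resolved one so the source column is always an address.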

===============================================================
From: wes
------------------------------------------------------
sshd log file?

run sshd in the foreground on a different port and see if that behaves the
same / different? and observe output

tcpdump output on both sides?

-wes

===============================================================
From: Wil Wade
------------------------------------------------------
Try nmap perhaps to see what ports it says are open.

===============================================================
From: Billy
------------------------------------------------------
Or netstat -anp

Sent from my iPhone

===============================================================
From: Dave Brockman
------------------------------------------------------
Please give IP addresses (feel free to fake them) for all three servers.
Are they in the same Layer 3 subnet, and are they in the same Layer 2
(VLAN)? If they are not, stop all testing from machines not in the same
subnet and same VLAN.

resolv.conf and nsswitch.conf are used for name resolution. If you are
attempting to connect via IP address, these never come into play.

Possibly, but if this is a production box, I wouldn't suggest you attempt
it. Killing sshd will not kill your current session (normally/usually), but
no new sessions can be created. If you drop connection while in the
process, you're boned, and not in a good way.

Really wouldn't suggest or encourage this on a production box unless I knew
100% the filesystem supported hot resizing. And I'm pretty sure you didn't
"blow away the root partition" while the machine was running either.

ssh (client) can be run with up to three "-v" options to increase its
verbosity. sshd (server) can be run with multiple debugs and in the
foreground.

On Server 2:

#killall sshd
#/usr/sbin/sshd -ddd

From Server 1:

#ssh -vvv SERVER
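The `ssh -vvv` transcript Dave asks for tells you which layer failed, and the right next check differs for each layer: a name-resolution error is the only case where resolv.conf and nsswitch.conf matter, a timeout points at a DROP rule or the network path, a connection closed before the banner points at the server side (hosts.deny, MaxStartups, sshd dying), and "Permission denied" means the network is fine and auth.log is where to look. The classifier below is an added example (not code from the thread or from OpenSSH) that reads a captured transcript and reports that stage; the patterns follow the OpenSSH client's messages, and the transcripts it ships with are constructed, not captured from the poster's servers. Since `ssh -v` writes to stderr, capture with `ssh -vvv host 2>&1 | tee ssh.log`. As wes suggested, the server-side half can be done without stopping the production sshd by starting a second instance on a spare port, `sshd -ddd -p 2222` (a `-d` instance serves one connection and exits), and connecting with `ssh -vvv -p 2222 host`.

```python
"""Added example: classify a `ssh -vvv host 2>&1` transcript by the stage at
which the connection died, so the next check is the right one. Transcripts
below are constructed."""
import re

# (pattern, stage, where to look next), tried against each output line in order.
FAILURE_SIGNATURES = [
    (r"Could not resolve hostname", "name-resolution",
     "the only case where resolv.conf, nsswitch.conf and /etc/hosts matter; retry with the IP"),
    (r"connect to host .* port \d+: Connection refused", "tcp-connect",
     "the port answered with a reset: nothing listening, or an iptables REJECT; "
     "on the server run netstat -anp | grep sshd"),
    (r"connect to host .* port \d+: Connection timed out", "tcp-connect",
     "packets vanished: iptables DROP, wrong subnet/VLAN, or a firewall in the path"),
    (r"connect to host .* port \d+: No route to host", "tcp-connect",
     "routing, or an ICMP unreachable from a firewall; check ip route on both ends"),
    (r"(ssh|kex)_exchange_identification", "banner",
     "TCP connected but sshd hung up before its banner: hosts.deny, MaxStartups, "
     "or sshd failing at startup; run sshd -ddd on the server"),
    (r"Permission denied \(", "authentication",
     "network and protocol are fine; read /var/log/auth.log on the server"),
]
SUCCESS_SIGNATURE = r"Authentication succeeded|Entering interactive session"


def diagnose(ssh_output):
    """Return {'stage', 'line', 'hint'} for the first failure seen, stage 'ok' on
    success, or 'unknown' with the last line when the transcript is inconclusive."""
    last = ""
    for raw in ssh_output.splitlines():
        line = raw.strip()
        if not line:
            continue
        last = line
        for pattern, stage, hint in FAILURE_SIGNATURES:
            if re.search(pattern, line):
                return {"stage": stage, "line": line, "hint": hint}
        if re.search(SUCCESS_SIGNATURE, line):
            return {"stage": "ok", "line": line, "hint": "connection works"}
    return {"stage": "unknown", "line": last,
            "hint": "transcript ends without a verdict; rerun with -vvv and capture stderr"}


# Constructed transcripts, one per stage (addresses are placeholders).
TIMED_OUT = """\
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 10.0.0.3 [10.0.0.3] port 22.
ssh: connect to host 10.0.0.3 port 22: Connection timed out
"""
BANNER_CLOSED = """\
debug1: Connecting to 10.0.0.2 [10.0.0.2] port 22.
debug1: Connection established.
ssh_exchange_identification: Connection closed by remote host
"""
AUTH_FAILED = """\
debug1: Connecting to 10.0.0.2 [10.0.0.2] port 22.
debug1: Connection established.
debug1: Authentications that can continue: publickey
debug1: No more authentication methods to try.
Permission denied (publickey).
"""
WORKING = """\
debug1: Connecting to 10.0.0.2 [10.0.0.2] port 22.
debug1: Connection established.
debug1: Authentication succeeded (publickey).
debug1: Entering interactive session.
"""
NO_DNS = "ssh: Could not resolve hostname server3: Name or service not known\n"

if __name__ == "__main__":
    for name, text in (("timed out", TIMED_OUT), ("banner", BANNER_CLOSED),
                       ("auth", AUTH_FAILED), ("working", WORKING), ("dns", NO_DNS)):
        d = diagnose(text)
        print(f"{name:10} {d['stage']:16} {d['hint']}")
```

The ordering matters: a transcript is read top to bottom and the first failure line wins, so a "Connection established." debug line followed by a banner error is reported as a banner problem, not as success. The hints are deliberately about where to look on the defending host, which is the question the thread is trying to answer.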

===============================================================
From: Dan Eveland
------------------------------------------------------
Probably not the answer, but check your hosts file and make sure some
strangeness is not going on there.