ошибка при подключении по ssh

[Turbo]

подключаюсь к PCBSD 7.1 с такой-же самой PCBSD 7.1

Код: Выделить всё

[root@pcbsd]/home/user1(9)# ssh -v user1@hostname2
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to hostname2 [b.b.b.b] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host 

причем с других компов логинится без проблем... куда копать где искать ответы?

[Хостинг HostFood.ru]

Тарифы на хостинг в России, от 12 рублей: https://www.host-food.ru/tariffs/hosting/
Тарифы на виртуальные сервера (VPS/VDS/KVM) в РФ, от 189 руб.: https://www.host-food.ru/tariffs/virtualny-server-vps/
Выделенные сервера, Россия, Москва, от 2000 рублей (HP Proliant G5, Intel Xeon E5430 (2.66GHz, Quad-Core, 12Mb), 8Gb RAM, 2x300Gb SAS HDD, P400i, 512Mb, BBU):
https://www.host-food.ru/tariffs/vydelennyi-server-ds/
Недорогие домены в популярных зонах: https://www.host-food.ru/domains/

[paradox]

rm -rf /root/.ssh/

если не поможет
то смотри что то в настройках на сервере ssh
именно на эту машину
проверь 22 порт что бы проходил

[Turbo]

очистил ключи в первую очередь. удалить лишнее - первое действие

нормально подключился к SUSE 10:

[root@pcbsd]/home/andreyv(10)# ssh -v andreyv@hostname
OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to hostname [a.a.a.a] port 22.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_4.2
debug1: match: OpenSSH_4.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
The authenticity of host 'hostmane (a.a.a.a)' can't be established.
DSA key fingerprint is b2:50:22:55:35:3e:78:14:ef:42:56:98:2a:02:8b:09.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'hostname' (DSA) to the list of known hosts.
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: Trying private key: /root/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
Last login: Fri May 22 08:30:39 2009 from ip.ip.ip.ip

и с SUSE к PCBSD 7.1 (к которой не мог подключиться из PCBSD в первом посте)

andreyv@relay:~> ssh -v andreyv@hostname2
OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to hostname2 [ip.ip.ip.ip] port 22.
debug1: Connection established.
debug1: identity file /home/andreyv/.ssh/identity type -1
debug1: identity file /home/andreyv/.ssh/id_rsa type -1
debug1: identity file /home/andreyv/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 FreeBSD-20080901
debug1: match: OpenSSH_5.1p1 FreeBSD-20080901 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_4.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host 'site.ubcua.tv' is known and matches the DSA host key.
debug1: Found key in /home/andreyv/.ssh/known_hosts:1
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Trying private key: /home/andreyv/.ssh/identity
debug1: Trying private key: /home/andreyv/.ssh/id_rsa
debug1: Trying private key: /home/andreyv/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
Password:
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LANG = uk_UA.UTF-8
Last login: Fri May 22 08:30:50 2009 from SUSEhost
Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.

ssh конфиг исходной тачки - все строки в конфиге закомментированы

SUSE

Код: Выделить всё

andreyv@relay:~> cat /etc/ssh/ssh_config
#       $OpenBSD: ssh_config,v 1.20 2005/01/28 09:45:53 dtucker Exp $

Host *
ForwardX11Trusted yes

# This enables sending locale enviroment variables LC_* LANG, see ssh_config(5).
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL

на целевой тачке как и на исходной PCBSD - конфиги как по умолчанию поставились инсталятором. ничего не менял

Код: Выделить всё

#       $OpenBSD: ssh_config,v 1.23 2007/06/08 04:40:40 pvalchev Exp $
#       $FreeBSD: src/crypto/openssh/ssh_config,v 1.32.2.1 2008/09/01 20:03:13 des Exp $

# This is the ssh client system-wide configuration file.  See
# ssh_config(5) for more information.  This file provides defaults for
# users, and the values can be changed in per-user configuration files
# or on the command line.                                             

# Configuration data is parsed as follows:
#  1. command line options
#  2. user-specific file
#  3. system-wide file
# Any configuration value is only changed the first time it is set.
# Thus, host-specific definitions should be at the beginning of the
# configuration file, and defaults at the end.

# Site-wide defaults for some commonly used options.  For a comprehensive
# list of available options, their meanings and defaults, please see the
# ssh_config(5) man page.

# Host *
#   ForwardAgent no
#   ForwardX11 no
#   RhostsRSAAuthentication no
#   RSAAuthentication yes
#   PasswordAuthentication yes
#   HostbasedAuthentication no
#   GSSAPIAuthentication no
#   GSSAPIDelegateCredentials no
#   BatchMode no
#   CheckHostIP no
#   AddressFamily any
#   ConnectTimeout 0
#   StrictHostKeyChecking ask
#   IdentityFile ~/.ssh/identity
#   IdentityFile ~/.ssh/id_rsa
#   IdentityFile ~/.ssh/id_dsa
#   Port 22
#   Protocol 2,1
#   Cipher 3des
#   Ciphers aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc
#   MACs hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160
#   EscapeChar ~
#   Tunnel no
#   TunnelDevice any:any
#   PermitLocalCommand no
#   VersionAddendum FreeBSD-20080901

[paradox]

ssh_exchange_identification: Connection closed by remote host

наверное закрыт порт 22

проверь
telnet айпи 22
должно ответить версией ссх

[Turbo]

целевая тачка

Код: Выделить всё

[andreyv@site]/home/andreyv(9)% telnet 127.0.0.1 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901

Protocol mismatch.
Connection closed by foreign host.

с сусе

Код: Выделить всё

andreyv@relay:~> telnet site 22
Trying ip.ip.ip.ip...
Connected to site
Escape character is '^]'.
SSH-2.0-OpenSSH_5.1p1 FreeBSD-20080901

Protocol mismatch.
Connection closed by foreign host.
andreyv@relay:~>

на сусе с исходной тачки

Код: Выделить всё

[andreyv@pcbsd]/home/andreyv(13)% telnet SUSE 22
Trying ip.ip.ip...
Connected to relay.ubcua.tv.
Escape character is '^]'.
SSH-1.99-OpenSSH_4.2

Protocol mismatch.
Connection closed by foreign host.
[andreyv@pcbsd]/home/andreyv(14)%

c исходной на целевую

Код: Выделить всё

[andreyv@pcbsd]/home/andreyv(14)% telnet site 22
Trying ip.ip.ip...
Connected to site.ubcua.tv.
Escape character is '^]'.


Connection closed by foreign host.
[andreyv@pcbsd]/home/andreyv(15)%

[paradox]

ну нету ссх
как сам видишь
может ты сам у себя локально фаер там накрутил

[Turbo]

по мануалу PCBSD серверная ставится с открытыми портами и все работает из коробки.
подключение с SUSE подтверждает работоспособность, с винды коннектится,
вероятно трабл с исходным клиентом с PCBSD которую я ставил как клиент не может достучаться до сервака. но с него на SUSE конектится. блин нужен шаман
пошел думать....
ЗЫ огр спасибо что был онлайн - идей накидал

[Turbo]

если присмотреться то вот такое нашел на приемной стороне авторизация

auth.log
.

Код: Выделить всё

..
May 24 01:23:30 site sshd[29536]: warning: /etc/hosts.allow, line 35: can't verify hostname: getaddrinfo(82.193.97.ХХ.usernat.ip.PP.ua, AF_INET) failed
May 24 01:23:50 site sshd[29536]: refused connect from 82.193.97.ХХ (82.193.97.ХХ)
May 24 01:26:54 site sshd[30413]: warning: /etc/hosts.allow, line 35: can't verify hostname: getaddrinfo(82.193.97.Х.usernat.ip.PP.ua, AF_INET) failed
May 24 01:27:15 site sshd[30413]: refused connect from 82.193.97.ХХ (82.193.97.ХХ)
May 24 01:28:01 site sshd[30666]: Accepted keyboard-interactive/pam for andreyv from 217.25.199.ХХ port 25601 ssh2
May 24 01:28:08 site su: andreyv to root on /dev/ttyp0
May 24 01:34:56 site sshd[32510]: warning: /etc/hosts.allow, line 35: can't verify hostname: getaddrinfo(82.193.97.ХХ.usernat.ip.PP.ua, AF_INET) failed
May 24 01:35:17 site sshd[32510]: refused connect from 82.193.97.ХХ (82.193.97.ХХ)

[paradox]

/etc/hosts.allow

ггг
я думал об этом с самого начала
но не нудумал что кто кто им еще пользуеться

ну идите в него и редактируйте

[Turbo]

это PCBSD 7.1
FreeBSD site.ubcua.tv 7.2-PRERELEASE FreeBSD 7.2-PRERELEASE #10: Wed Apr 1 10:14:22 EDT 2009 root@pcbsdx32-7:/usr/obj/pcbsd-build71/cvs/7.1-src/sys/PCBSD i386

что с этим сделать?
ALL : PARANOID : RFC931 20 : deny

Код: Выделить всё

[andreyv@site]/home/andreyv(14)% cat /etc/hosts.allow                                                                                                        
#                                                                                                                                                            
# hosts.allow access control file for "tcp wrapped" applications.                                                                                            
# $FreeBSD: src/etc/hosts.allow,v 1.19.8.1 2006/02/19 14:57:01 ume Exp $                                                                                     
#                                                                                                                                                            
# NOTE: The hosts.deny file is deprecated.                                                                                                                   
#       Place both 'allow' and 'deny' rules in the hosts.allow file.                                                                                         
#       See hosts_options(5) for the format of this file.                                                                                                    
#       hosts_access(5) no longer fully applies.                                                                                                             
                                                                                                                                                             
#        _____                                      _          _                                                                                             
#       | ____| __  __   __ _   _ __ ___    _ __   | |   ___  | |                                                                                            
#       |  _|   \ \/ /  / _` | | '_ ` _ \  | '_ \  | |  / _ \ | |                                                                                            
#       | |___   >  <  | (_| | | | | | | | | |_) | | | |  __/ |_|                                                                                            
#       |_____| /_/\_\  \__,_| |_| |_| |_| | .__/  |_|  \___| (_)                                                                                            
#                                          |_|                                                                                                               
# !!! This is an example! You will need to modify it for your specific                                                                                       
# !!! requirements!                                                                                                                                          
                                                                                                                                                             
                                                                                                                                                             
# Start by allowing everything (this prevents the rest of the file                                                                                           
# from working, so remove it when you need protection).                                                                                                      
# The rules here work on a "First match wins" basis.                                                                                                         
#ALL : ALL : allow                                                                                                                                           
                                                                                                                                                             
# Wrapping sshd(8) is not normally a good idea, but if you                                                                                                   
# need to do it, here's how                                                                                                                                  
#sshd : .evil.cracker.example.com : deny                                                                                                                     
                                                                                                                                                             
# Protect against simple DNS spoofing attacks by checking that the                                                                                           
# forward and reverse records for the remote host match. If a mismatch                                                                                       
# occurs, access is denied, and any positive ident response within                                                                                           
# 20 seconds is logged. No protection is afforded against DNS poisoning,                                                                                     
# IP spoofing or more complicated attacks. Hosts with no reverse DNS                                                                                         
# pass this rule.                                                                                                                                            
ALL : PARANOID : RFC931 20 : deny                                                                                                                            
                                                                                                                                                             
# Allow anything from localhost.  Note that an IP address (not a host                                                                                        
# name) *MUST* be specified for rpcbind(8).                                                                                                                  
ALL : localhost 127.0.0.1 : allow                                                                                                                            
# Comment out next line if you build libwrap with NO_INET6=yes.                                                                                              
ALL : [::1] : allow                                                                                                                                          
#ALL : my.machine.example.com 192.0.2.35 : allow                                                                                                             
                                                                                                                                                             
# To use IPv6 addresses you must enclose them in []'s                                                                                                        
#ALL : [fe80::%fxp0]/10 : allow                                                                                                                              
#ALL : [fe80::]/10 : deny                                                                                                                                    
#ALL : [2001:db8:2:1:2:3:4:3fe1] : deny                                                                                                                      
#ALL : [2001:db8:2:1::]/64 : allow                                                                                                                           
                                                                                                                                                             
# Sendmail can help protect you against spammers and relay-rapers                                                                                            
sendmail : localhost : allow                                                                                                                                 
#sendmail : .nice.guy.example.com : allow
#sendmail : .evil.cracker.example.com : deny
sendmail : ALL : allow

# Exim is an alternative to sendmail, available in the ports tree
exim : localhost : allow
#exim : .nice.guy.example.com : allow
#exim : .evil.cracker.example.com : deny
exim : ALL : allow

# Rpcbind is used for all RPC services; protect your NFS!
# (IP addresses rather than hostnames *MUST* be used here)
#rpcbind : 192.0.2.32/255.255.255.224 : allow
#rpcbind : 192.0.2.96/255.255.255.224 : allow
rpcbind : ALL : deny

# NIS master server. Only local nets should have access
ypserv : localhost : allow
#ypserv : .unsafe.my.net.example.com : deny
#ypserv : .my.net.example.com : allow
ypserv : ALL : deny

# Provide a small amount of protection for ftpd
ftpd : localhost : allow
#ftpd : .nice.guy.example.com : allow
#ftpd : .evil.cracker.example.com : deny
ftpd : ALL : allow

# You need to be clever with finger; do _not_ backfinger!! You can easily
# start a "finger war".
fingerd : ALL \
        : spawn (echo Finger. | \
         /usr/bin/mail -s "tcpd\: %u@%h[%a] fingered me!" root) & \
        : deny

# The rest of the daemons are protected.
#ALL : ALL \
#       : severity auth.info \
#       : twist /bin/echo "You are not welcome to use %d from %h."

# denyhosts
sshd : /etc/hosts.deniedssh \
     : severity auth.info \
     : twist /bin/echo "Server %d denied from %h"
     : deny
sshd : ALL : allow

[paradox]

в конце смотри

[Turbo]

пока суть до дела я раскоментил

в этом фрагменте в самом начале. все заработало но я к этому вопросу еще вернусь -- не зря они вписали текст в hosts.allow надо изучить и освоить, может хорошая фича

Код: Выделить всё

                                                                                                                                                             
# Start by allowing everything (this prevents the rest of the file                                                                                           
# from working, so remove it when you need protection).                                                                                                      
# The rules here work on a "First match wins" basis.                                                                                                         
[color=#00BF40]ALL : ALL : allow    [/color]     

[paradox]

/etc/hosts.deniedssh

[Turbo]

/etc/hosts.deniedssh

файл не содержит текста - размер "0"