odongarma
(Odon Garma)
28 August 2020 13:10
1
Hi,
I’m using SSH for remote administration.
On core 144 everything went well; now on core 147 the forwarding fails:
Received request from xxx.xxx.xxx.xxx port 25013 to connect to host xxx.xxxxxx.xxxx port 3389, but the request was denied.
I think my settings in /etc/ssh/sshd_config are valid:
AllowTcpForwarding yes
AllowAgentForwarding yes
PermitOpen any
What am I missing?
Greetz
paku
(Paul Paku)
12 November 2020 21:00
2
Hi,
Have you ever solved the issues?
paku
(Paul Paku)
12 November 2020 21:37
3
So do I … but have no idea how.
It just started working after a number of reboots.
PermitOpen - commented out.
odongarma
(Odon Garma)
13 November 2020 09:23
4
It’s strange, because I was trying a lot and finally it’s working.
If I look at my config, I think it should not work. I’m crossing my fingers and letting it go…
Here’s my sshd_config so far:
# OpenSSH server configuration file for IPFire
# Only allow version 2 of SSH protocol
Protocol 2
# Listen on port 22 by default
Port 222
# Listen on every interface and IPv4 only
AddressFamily inet
ListenAddress 0.0.0.0
# Limit authentication timeout to 30 seconds
LoginGraceTime 30s
# Limit maximum instances to prevent DoS
MaxStartups 5
# Only allow safe crypto algorithms (may break some very outdated clients)
KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com
# Only allow cryptographically safe SSH host keys (adjust paths if needed)
HostKey /etc/ssh/ssh_host_ed25519_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_rsa_key
# Only allow login via public key by default
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
# Permit root login as there is no other user in IPFire 2.x
PermitRootLogin yes
# Ignore user ~/.ssh/known_hosts file
IgnoreUserKnownHosts yes
# Do not allow any kind of forwarding (provides only low security);
# some of them might need to be re-enabled if SSH server is a jump platform
AllowTcpForwarding yes
AllowAgentForwarding yes
#PermitOpen any
# Fix port forwarding???
#X11Forwarding no
#PermitTunnel yes
#GatewayPorts yes
# Detect broken sessions by sending keep-alive messages to clients via SSH connection
ClientAliveInterval 10
# Close unresponsive SSH sessions which fail to answer keep-alive
ClientAliveCountMax 6
# Add support for SFTP
Subsystem sftp /usr/lib/openssh/sftp-server
EOF
Greetz
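An added example, not part of any post in this thread: a simplified check of which `AllowTcpForwarding` / `PermitOpen` values the global section of an sshd_config file yields and whether a forward to a given host and port would pass them. sshd uses the first value it reads for a keyword, so a later duplicate line does not override an earlier one. The function names and sample configs are constructed for illustration, and `Match` blocks are not evaluated.

```python
# Simplified model of sshd_config evaluation (assumption: global section only).
DEFAULTS = {"allowtcpforwarding": "yes", "permitopen": ["any"]}

def effective_forwarding(config_text):
    """Return the forwarding settings taken from the text, first value wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment (e.g. "#PermitOpen any")
        parts = line.replace("=", " ", 1).split()
        key, args = parts[0].lower(), parts[1:]
        if key == "match":
            break  # conditional blocks are out of scope for this check
        if key in DEFAULTS and key not in seen and args:
            seen[key] = args if key == "permitopen" else args[0].lower()
    return {**DEFAULTS, **seen}

def local_forward_allowed(settings, host, port):
    """Would a client-requested forward (ssh -L) to host:port be permitted?"""
    if settings["allowtcpforwarding"] not in ("yes", "all", "local"):
        return False
    for entry in settings["permitopen"]:
        if entry.lower() == "any":
            return True
        if entry.lower() == "none":
            return False
        h, _, p = entry.rpartition(":")
        host_ok = h == "*" or h.strip("[]").lower() == host.lower()
        if host_ok and p in ("*", str(port)):
            return True
    return False

# Constructed sample configs (addresses are documentation-range placeholders).
CFG_OPEN = "AllowTcpForwarding yes\nAllowAgentForwarding yes\n#PermitOpen any\n"
CFG_SHADOWED = "PermitOpen none\nAllowTcpForwarding yes\nPermitOpen any\n"
CFG_PINNED = "AllowTcpForwarding yes\nPermitOpen 192.0.2.10:3389\n"

if __name__ == "__main__":
    for name, cfg in [("open", CFG_OPEN), ("shadowed", CFG_SHADOWED), ("pinned", CFG_PINNED)]:
        s = effective_forwarding(cfg)
        print(name, s, local_forward_allowed(s, "192.0.2.10", 3389))
```

`sshd -T` prints the effective configuration that sshd itself derives from the file and is the authoritative check.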
odongarma
(Odon Garma)
13 November 2020 15:32
5
I just updated to core 151. The same issue here.
No Port forwarding after Update.
Commenting “permitopen none” and restarting the sshd does not solve this. But after reboot the Port forwarding works as expected.
Greetz
paku
(Paul Paku)
14 November 2020 15:57
6
Yes, it seems rebooting is a point.
odongarma
(Odon Garma)
14 November 2020 17:15
7
Rebooting is annoying and it feels so Windows-like, lol
Greetz
pike_it
(Pike)
15 November 2020 23:52
8
Rebooting is sometimes needed to install something new or upgrade something running, which may be critical to other processes and iterations.
Reboot is texted as requested when necessary at core upgrades…
odongarma
(Odon Garma)
16 November 2020 06:47
9
That’s right. But changing some sshd config values should never require a reboot to work!
pike_it
(Pike)
16 November 2020 08:22
10
In any distro installation or compiled installation you may be right. But it’s possible that you don’t have the full grasp of how IPFire works.
odongarma
(Odon Garma)
16 November 2020 08:39
11
Yes, you are right! I am an idiot. Thanks for showing me the light.