[Savannah-cvs] [SshAccess] (edit)
From: peter20080727
Subject: [Savannah-cvs] [SshAccess] (edit)
Date: Tue, 29 Jul 2008 20:48:17 +0000
++added:
* Another problem can arise when you are trying to connect from behind a NAT
router using OpenSSH. During session setup, after the password has been given,
OpenSSH sets the TOS (type of service) field in the IP datagram. Some routers
are known to choke on this. The effect is that your session hangs indefinitely
after you have given your password. Here is example output from such an ssh
session::
    address@hidden:~$ ssh -vvv address@hidden
    OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
    debug1: Reading configuration data /etc/ssh/ssh_config
    [...]
    Enter passphrase for key '{homedir}/.ssh/id_dsa':
    debug1: read PEM private key done: type DSA
    debug1: Authentication succeeded (publickey).
    [...]
    debug2: fd 5 setting TCP_NODELAY
    debug2: callback done
    debug2: channel 0: open confirm rwindow 0 rmax 32768
and from here on the session hangs.
The fix is to make ssh send all its traffic via netcat, because netcat won't
set the TOS field. To test whether the netcat route solves your problem, issue
the following command::
    ssh -o "ProxyCommand nc %h %p" address@hidden
For a successful login, you should get output similar to this (with no
hanging, i.e. you get a prompt afterwards)::
    address@hidden:~$ ssh -o "ProxyCommand nc %h %p" address@hidden
    Enter passphrase for key '{home-dir}/.ssh/id_dsa':
    Last login: {datetime} from {ip-adr}
    You tried to execute:
    Sorry, you are not allowed to execute that command.
    Connection to cvs.savannah.gnu.org closed.
    address@hidden:~$
If you find that your login works via the netcat route, then you can make it
permanent by adding a directive to the ssh config file '~/.ssh/config' (or, if
that file doesn't exist, create it)::
    ProxyCommand nc %h %p
Here's an example ssh config file in a user's home folder
(/home/user/.ssh/config)::
    # This is the ssh client user configuration file. See
    # ssh_config(5) for more information. This file provides defaults for
    # this user, and the values can be changed on the command line.
    #
    # Configuration data is parsed as follows:
    # 1. command line options
    # 2. user-specific file
    # 3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.
    #
    # Directive to overcome TOS issue with our NAT router. During session
    # setup, OpenSSH sets the TOS (type of service) field after the user has
    # submitted the password. Some routers are known to choke on this, with
    # the result that the session hangs during buildup. As workaround we
    # send our traffic via netcat which doesn't set the TOS field.
    ProxyCommand nc %h %p
It's advisable to include the comments as well, otherwise six months later you
may find yourself wondering what that directive is all about.
You could also add this directive to your global ssh config file
(/etc/ssh/ssh_config), but this change would be system wide, and not all users
on the system may appreciate that change.
Of course, for this to work, you need to have netcat installed. You can test
this by entering::
    which nc
and if you get a path back, like::
    /bin/nc
then you probably have netcat installed. For the very cautious, you could then
issue::
    nc -h
and look at the help text that appears.
--
forwarded from
https://savannah.gnu.org/maintenance/address@hidden://savannah.gnu.org/maintenance
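
Added example (not part of the original wiki edit or of Savannah's own documentation): the directive above applies to every host the user connects to; this shell function instead appends it inside a `Host` block, so only the matching host is routed through netcat. The function names and the use of `cvs.savannah.gnu.org` as the host pattern are assumptions made for the example.

```shell
#!/bin/sh
# Added example: scope the netcat workaround to one host pattern.
# Function names and the host pattern in the usage line are assumptions.

# have_nc: succeeds if a netcat binary named "nc" is on PATH
# (same purpose as the page's "which nc" check).
have_nc() {
    command -v nc >/dev/null 2>&1
}

# add_nc_proxy CONFIG HOST_PATTERN
# Appends a Host block containing the ProxyCommand workaround to CONFIG.
# Returns 0 if the block was added, 1 if a "Host HOST_PATTERN" line
# already exists (the file is then left unchanged).
add_nc_proxy() {
    config=$1
    pattern=$2
    dir=$(dirname "$config")

    # Create the directory and file with the restrictive modes ssh expects.
    if [ ! -d "$dir" ]; then
        mkdir -p "$dir" && chmod 700 "$dir"
    fi
    [ -f "$config" ] || : > "$config"
    chmod 600 "$config"

    # Idempotency: only an exact, unindented "Host <pattern>" line is detected.
    if grep -qxF "Host $pattern" "$config"; then
        return 1
    fi

    # ssh uses the first value it obtains for an option, so this block takes
    # effect unless an earlier matching block already sets ProxyCommand.
    cat >> "$config" <<EOF

# Workaround: NAT router hangs when OpenSSH sets the IP TOS field.
# Traffic is sent via netcat, which does not set TOS.
Host $pattern
    ProxyCommand nc %h %p
EOF
    return 0
}

# Usage (not executed here):
#   have_nc && add_nc_proxy "$HOME/.ssh/config" cvs.savannah.gnu.org
```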