[UCI-Linux] Cause of problems with sshd and ping?

Charlie Zender <zender@uci.edu>
Tue, 13 Apr 2004 10:00:27 -0700


Hi,

ashes.ess.uci.edu is an up-to-date Debian Sid GNU/Linux box which has
suddenly started having problems. The symptoms are that I cannot ssh
into the machine nor does ping elicit a response. The machine itself
runs fine, and can ssh out to and ping other machines (including
localhost) fine. Any advice on how to isolate and fix the source of
the problem would be helpful. 

Thanks!
Charlie

ashes:~# hostname
ashes

zender@ashes:~$ ping ashes.ess.uci.edu
PING ashes.ess.uci.edu (128.200.14.90): 56 data bytes
[hangs here]

zender@ashes:~$ ping dust.ess.uci.edu
PING dust.ess.uci.edu (128.200.14.25): 56 data bytes
64 bytes from 128.200.14.25: icmp_seq=0 ttl=64 time=0.2 ms
64 bytes from 128.200.14.25: icmp_seq=1 ttl=64 time=0.1 ms

ashes:~# ssh ashes.ess.uci.edu
ssh: connect to host ashes.ess.uci.edu port 22: No route to host

zender@ashes:~$ ssh dust.ess.uci.edu
zender@dust:~$ ssh ashes.ess.uci.edu
ssh: connect to host ashes.ess.uci.edu port 22: No route to host

ashes:~# ps -ef | grep ssh
zender     806   765  0 Mar01 ?        00:00:00 /usr/bin/ssh-agent x-session-manager
zender   13160   893  0 Apr09 pts/3    00:00:00 ssh dust.ess.uci.edu
root     18586     1  0 09:39 ?        00:00:00 sshd
root     18593  1097  0 09:40 pts/2    00:00:00 grep ssh

ashes:~# sudo nmap -sS -F localhost
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-13 09:43 PDT
Interesting ports on localhost (127.0.0.1):
(The 1212 ports scanned but not shown below are in state: closed)
PORT    STATE SERVICE
22/tcp  open  ssh
68/tcp  open  dhcpclient
80/tcp  open  http
111/tcp open  rpcbind
631/tcp open  ipp
Nmap run completed -- 1 IP address (1 host up) scanned in 1.740 seconds

ashes:~# ssh localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
RSA key fingerprint is f0:09:36:b4:87:85:47:d7:34:02:c8:35:60:18:b0:41.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
Password:
Last login: Mon Feb 23 10:16:56 2004
ashes:~# exit
logout
Connection to localhost closed.

ashes:~# ps -ef | grep ssh
zender     806   765  0 Mar01 ?        00:00:00 /usr/bin/ssh-agent x-session-manager
zender   13160   893  0 Apr09 pts/3    00:00:00 ssh dust.ess.uci.edu
root     18586     1  0 09:39 ?        00:00:00 sshd
root     18593  1097  0 09:40 pts/2    00:00:00 grep ssh

ashes:~# more /etc/hosts
127.0.0.1       localhost
128.200.14.90   ashes.ess.uci.edu       ashes

# The following lines are desirable for IPv6 capable hosts
# (added automatically by netbase upgrade)

::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

ashes:/etc/ssh# more sshd_config
# Package generated configuration file
# See the sshd(8) manpage for defails

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# ...but breaks Pam auth via kbdint, so we have to turn it off
# Use PAM authentication via keyboard-interactive so PAM modules can
# properly interface with the user (off due to PrivSep)
#PAMAuthenticationViaKbdInt no
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 600
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# rhosts authentication should not be used
#RhostsAuthentication no
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Uncomment to disable s/key passwords 
#ChallengeResponseAuthentication no

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes


# To change Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#AFSTokenPassing no
#KerberosTicketCleanup no

# Kerberos TGT Passing does only work with the AFS kaserver
#KerberosTgtPassing yes

X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
KeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net
#ReverseMappingCheck yes

Subsystem	sftp	/usr/lib/sftp-server

UsePAM yes
-- 
Charlie Zender, surname@uci.edu, (949) 824-2987, Department of Earth 
System Science, University of California, Irvine CA 92697-3100
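
One way to rule sshd's own configuration in or out when a host answers on localhost but not on its external address (an added example, not part of the original message): the code computes the address/port pairs a given sshd_config asks sshd to bind. With both ListenAddress lines commented out, as in the posted file, sshd binds all local addresses on port 22. The function names and both sample strings are constructed for illustration.

```python
import ipaddress
import re

# Constructed excerpt: the bind-related lines of the sshd_config quoted in the post.
POSTED = "Port 22\n#ListenAddress ::\n#ListenAddress 0.0.0.0\nProtocol 2\n"
# Constructed contrast case: a config that really does restrict sshd to loopback.
LOOPBACK = "Port 22\nPort 2222\nListenAddress 127.0.0.1\nlistenaddress [::1]:22\n"


def split_listen(value):
    """Split a ListenAddress argument into (address, port or None)."""
    m = re.fullmatch(r"\[([^\]]+)\](?::(\d+))?", value)   # [addr] or [addr]:port
    if m:
        return m.group(1), int(m.group(2)) if m.group(2) else None
    if value.count(":") == 1:                             # host:port or IPv4:port
        host, port = value.split(":")
        return host, int(port)
    return value, None                                    # bare host, IPv4 or IPv6


def effective_listen(config_text):
    """Return the sorted (address, port) pairs the config asks sshd to bind."""
    ports, listens = [], []
    for raw in config_text.splitlines():
        fields = raw.split()
        if len(fields) < 2 or fields[0].startswith("#"):
            continue                                      # blank line or comment
        key = fields[0].lower()                           # keywords are case-insensitive
        if key == "port":
            ports.append(int(fields[1]))
        elif key == "listenaddress":
            listens.append(split_listen(fields[1]))
    ports = ports or [22]                                 # sshd default port
    listens = listens or [("0.0.0.0", None), ("::", None)]  # default: all addresses
    return sorted({(a, p) for a, port in listens
                   for p in ([port] if port else ports)})


def loopback_only(pairs):
    """True when every bound address is a loopback address."""
    def is_loop(addr):
        try:
            return ipaddress.ip_address(addr).is_loopback
        except ValueError:                                # a hostname, not an IP literal
            return addr.lower() == "localhost"
    return all(is_loop(a) for a, _ in pairs)


if __name__ == "__main__":
    for name, text in (("posted", POSTED), ("loopback-only", LOOPBACK)):
        pairs = effective_listen(text)
        print(name, pairs, "loopback only:", loopback_only(pairs))
```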