[UCI-Linux] Cause of problems with sshd and ping?

Harry Mangalam hjm@tacgi.com
Tue, 13 Apr 2004 12:12:27 -0700


Try checking with Michael Scott at NACS - it looks like there may be a 
DNS/routing problem (I had a few of those when I was BioSci - possibly a partial 
routing entry...).

By the by, with experience on multiple, multi-homed, NAT'ed, etc machines on 
multiple architectures (PPC, AMD, SMP Intel, IBM and Dell laptops, etc) with 
both grub and lilo loaders, large/small memory footprints, several different 
filesystems, my experience is that Sid is /exceptionally/ stable and 
well-behaved, with excellent upgrade & fallback utils.  It's unstable only in 
comparison to Sarge & Woody, which are stable like lead. Just my 2 cents.

Charlie, bring it over tonight (with beer) and I'll look at it if you want..

Harry.



Chris Louden wrote:
> Try shutting down the firewall and see if the issue continues. Might
> even be a simple problem, did you restart sshd yet? My experience with
> Debian SID so far is that it is still quite unstable.
> 
> -----Original Message-----
> From: uci-linux-admin@uci.edu [mailto:uci-linux-admin@uci.edu] On Behalf
> Of Charlie Zender
> Sent: Tuesday, April 13, 2004 10:00 AM
> To: UCI Linux Mail List
> Subject: [UCI-Linux] Cause of problems with sshd and ping?
> 
> 
> Hi,
> 
> ashes.ess.uci.edu is an up-to-date Debian Sid GNU/Linux box which has
> suddenly started having problems. The symptoms are that I cannot ssh
> into the machine nor does ping elicit a response. The machine itself
> runs fine, and can ssh out to and ping other machines (including
> localhost) fine. Any advice on how to isolate and fix the source of the
> problem would be helpful. 
> 
> Thanks!
> Charlie
> 
> ashes:~# hostname
> ashes
> 
> zender@ashes:~$ ping ashes.ess.uci.edu
> PING ashes.ess.uci.edu (128.200.14.90): 56 data bytes
> [hangs here]
> 
> zender@ashes:~$ ping dust.ess.uci.edu
> PING dust.ess.uci.edu (128.200.14.25): 56 data bytes
> 64 bytes from 128.200.14.25: icmp_seq=0 ttl=64 time=0.2 ms
> 64 bytes from 128.200.14.25: icmp_seq=1 ttl=64 time=0.1 ms
> 
> ashes:~# ssh ashes.ess.uci.edu
> ssh: connect to host ashes.ess.uci.edu port 22: No route to host
> 
> zender@ashes:~$ ssh dust.ess.uci.edu
> zender@dust:~$ ssh ashes.ess.uci.edu
> ssh: connect to host ashes.ess.uci.edu port 22: No route to host
> 
> ashes:~# ps -ef | grep ssh
> zender     806   765  0 Mar01 ?        00:00:00 /usr/bin/ssh-agent x-session-manager
> zender   13160   893  0 Apr09 pts/3    00:00:00 ssh dust.ess.uci.edu
> root     18586     1  0 09:39 ?        00:00:00 sshd
> root     18593  1097  0 09:40 pts/2    00:00:00 grep ssh
> 
> ashes:~# sudo nmap -sS -F localhost
> Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-04-13 09:43 PDT
> Interesting ports on localhost (127.0.0.1):
> (The 1212 ports scanned but not shown below are in state: closed)
> PORT    STATE SERVICE
> 22/tcp  open  ssh
> 68/tcp  open  dhcpclient
> 80/tcp  open  http
> 111/tcp open  rpcbind
> 631/tcp open  ipp
> Nmap run completed -- 1 IP address (1 host up) scanned in 1.740 seconds
> 
> ashes:~# ssh localhost
> The authenticity of host 'localhost (127.0.0.1)' can't be established.
> RSA key fingerprint is f0:09:36:b4:87:85:47:d7:34:02:c8:35:60:18:b0:41.
> Are you sure you want to continue connecting (yes/no)? yes
> Warning: Permanently added 'localhost' (RSA) to the list of known hosts.
> Password:
> Last login: Mon Feb 23 10:16:56 2004
> ashes:~# exit
> logout
> Connection to localhost closed.
> 
> ashes:~# ps -ef | grep ssh
> zender     806   765  0 Mar01 ?        00:00:00 /usr/bin/ssh-agent x-session-manager
> zender   13160   893  0 Apr09 pts/3    00:00:00 ssh dust.ess.uci.edu
> root     18586     1  0 09:39 ?        00:00:00 sshd
> root     18593  1097  0 09:40 pts/2    00:00:00 grep ssh
> 
> ashes:~# more /etc/hosts
> 127.0.0.1       localhost
> 128.200.14.90   ashes.ess.uci.edu       ashes
> 
> # The following lines are desirable for IPv6 capable hosts
> # (added automatically by netbase upgrade)
> 
> ::1     ip6-localhost ip6-loopback
> fe00::0 ip6-localnet
> ff00::0 ip6-mcastprefix
> ff02::1 ip6-allnodes
> ff02::2 ip6-allrouters
> ff02::3 ip6-allhosts
> 
> ashes:/etc/ssh# more sshd_config
> # Package generated configuration file
> # See the sshd(8) manpage for defails
> 
> # What ports, IPs and protocols we listen for
> Port 22
> # Use these options to restrict which interfaces/protocols sshd will bind to
> #ListenAddress ::
> #ListenAddress 0.0.0.0
> Protocol 2
> # HostKeys for protocol version 2
> HostKey /etc/ssh/ssh_host_rsa_key
> HostKey /etc/ssh/ssh_host_dsa_key
> #Privilege Separation is turned on for security
> UsePrivilegeSeparation yes
> 
> # ...but breaks Pam auth via kbdint, so we have to turn it off
> # Use PAM authentication via keyboard-interactive so PAM modules can
> # properly interface with the user (off due to PrivSep)
> #PAMAuthenticationViaKbdInt no
> # Lifetime and size of ephemeral version 1 server key
> KeyRegenerationInterval 3600
> ServerKeyBits 768
> 
> # Logging
> SyslogFacility AUTH
> LogLevel INFO
> 
> # Authentication:
> LoginGraceTime 600
> PermitRootLogin yes
> StrictModes yes
> 
> RSAAuthentication yes
> PubkeyAuthentication yes
> #AuthorizedKeysFile	%h/.ssh/authorized_keys
> 
> # rhosts authentication should not be used
> #RhostsAuthentication no
> # Don't read the user's ~/.rhosts and ~/.shosts files
> IgnoreRhosts yes
> # For this to work you will also need host keys in /etc/ssh_known_hosts
> RhostsRSAAuthentication no
> # similar for protocol version 2
> HostbasedAuthentication no
> # Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
> #IgnoreUserKnownHosts yes
> 
> # To enable empty passwords, change to yes (NOT RECOMMENDED)
> PermitEmptyPasswords no
> 
> # Uncomment to disable s/key passwords 
> #ChallengeResponseAuthentication no
> 
> # To disable tunneled clear text passwords, change to no here!
> PasswordAuthentication yes
> 
> 
> # To change Kerberos options
> #KerberosAuthentication no
> #KerberosOrLocalPasswd yes
> #AFSTokenPassing no
> #KerberosTicketCleanup no
> 
> # Kerberos TGT Passing does only work with the AFS kaserver
> #KerberosTgtPassing yes
> 
> X11Forwarding no
> X11DisplayOffset 10
> PrintMotd no
> PrintLastLog yes
> KeepAlive yes
> #UseLogin no
> 
> #MaxStartups 10:30:60
> #Banner /etc/issue.net
> #ReverseMappingCheck yes
> 
> Subsystem	sftp	/usr/lib/sftp-server
> 
> UsePAM yes

-- 
Cheers, Harry
Harry J Mangalam - 949 856 2847 (v&f) - hjm@tacgi.com
             <<plain text preferred>>
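As an added example (not code from anyone in the thread), a small POSIX sh triage helper for the symptom Charlie reports: loopback and outbound work, but the box's own public address is unreachable even from itself. It checks, in order, whether the address is actually bound on an interface, whether a route covers it, and whether the iptables INPUT chain drops it (the firewall Chris suggests disabling); the first check is not raised in the thread and is the cheapest way to separate a lost address from a firewall drop. The commands ip -4 addr, ip route and iptables -L INPUT -n are assumed, and all sample output below is constructed.

```shell
#!/bin/sh
# Added triage helper, not from the thread. It works on the text of three
# assumed commands (ip -4 addr, ip route, iptables -L INPUT -n), so it can be
# run on saved output; all sample output below is constructed.

# addr_bound ADDR ADDR_TEXT: true if ADDR is configured on some interface
addr_bound() { printf '%s\n' "$2" | grep -Fq "inet $1/"; }
# ip2int A.B.C.D -> 32-bit integer (POSIX shell arithmetic only)
ip2int() { set -- $(printf '%s' "$1" | tr . ' '); echo $(( ($1<<24)|($2<<16)|($3<<8)|$4 )); }
# in_prefix ADDR NET/BITS: true if ADDR lies inside the prefix
in_prefix() {
    mask=$(( (4294967295 << (32 - ${2#*/})) & 4294967295 ))
    [ $(( $(ip2int "$1") & mask )) -eq $(( $(ip2int "${2%/*}") & mask )) ]
}
# route_covers ADDR ROUTE_TEXT: true if some non-default route covers ADDR
route_covers() {
    printf '%s\n' "$2" | while read -r dst rest; do
        case $dst in
            default) ;;                                  # a way out, not a local route
            */*) in_prefix "$1" "$dst" && echo "$dst" ;;  # prefix route
            *)   [ "$dst" = "$1" ] && echo "$dst" ;;      # host route
        esac
    done | grep -q .
}
# input_dropped INPUT_TEXT: true if the INPUT policy, or a catch-all rule, drops
input_dropped() {
    printf '%s\n' "$1" | grep -Eq \
      '^Chain INPUT \(policy (DROP|REJECT)\)|^(DROP|REJECT) +all +-- +0\.0\.0\.0/0 +0\.0\.0\.0/0'
}
# triage ADDR ADDR_TEXT ROUTE_TEXT INPUT_TEXT: prints one verdict; returns
# 1 address not bound, 2 no route, 3 firewall drops, 0 local config looks sane
triage() {
    addr_bound "$1" "$2"   || { echo "$1 is not bound on any interface"; return 1; }
    route_covers "$1" "$3" || { echo "no route covers $1"; return 2; }
    input_dropped "$4"     && { echo "INPUT chain drops traffic to $1"; return 3; }
    echo "address, route and INPUT chain look sane for $1; look upstream (DNS/routing)"
}

# Constructed samples shaped like ashes (128.200.14.90): eth0 with and
# without its address, a kernel connected route, and ACCEPT vs. DROP policy.
ADDR_MISSING='    inet 127.0.0.1/8 scope host lo'
ADDR_OK="$ADDR_MISSING
    inet 128.200.14.90/24 brd 128.200.14.255 scope global eth0"
ROUTE_OK='128.200.14.0/24 dev eth0 proto kernel scope link src 128.200.14.90
default via 128.200.14.1 dev eth0'
INPUT_OPEN='Chain INPUT (policy ACCEPT)'
INPUT_DROP='Chain INPUT (policy DROP)'

triage 128.200.14.90 "$ADDR_MISSING" "$ROUTE_OK" "$INPUT_OPEN" || echo "exit code $?"
```

On a live box, feed it `"$(ip -4 addr)" "$(ip route)" "$(iptables -L INPUT -n)"` in place of the samples.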