SSH: internal working but external not working

aixlover · April 20, 2012, 9:51am

Hi, This is a strange issue: We have an sftp server. Users can ssh to it from internal LAN without any issue, but they can not ssh to it externally via firewall. Here is what I got:

$ ssh -v sshuser@198.111.10.98
OpenSSH_5.2p1, OpenSSL 0.9.8r 8 Feb 2011
debug1: Reading configuration data /etc/ssh_config
debug1: Connecting to 198.111.10.98 [198.111.10.98] port 22.
debug1: Connection established.
debug1: identity file /Users/sshuser/.ssh/identity type -1
debug1: identity file /Users/sshuser/.ssh/id_rsa type 1
debug1: identity file /Users/sshuser/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version 3.2.9.1 SSH Secure Shell (non-commercial)
debug1: no match: 3.2.9.1 SSH Secure Shell (non-commercial)
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.2
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug1: expecting SSH2_MSG_KEXDH_REPLY
debug1: Host '198.111.10.98' is known and matches the DSA host key.
debug1: Found key in /Users/sshuser/.ssh/known_hosts:25
debug1: ssh_dss_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/sshuser/.ssh/identity
debug1: Offering public key: /Users/sshuser/.ssh/id_rsa
debug1: Authentications that can continue: password
debug1: Next authentication method: password
sshuser@198.111.10.98's password:
debug1: Authentications that can continue: password
Permission denied, please try again.
sshuser@198.111.10.98's password:
debug1: Authentications that can continue: password
Permission denied, please try again.
sshuser@198.111.10.98's password:
debug1: Authentications that can continue:
debug1: Next authentication method: publickey
debug1: Trying private key: /Users/sshuser/.ssh/id_dsa
debug1: Next authentication method: keyboard-interactive
debug1: Authentications that can continue:
debug1: Next authentication method: password
debug1: No more authentication methods to try.
Permission denied ().

OS is Solaris 9. No hosts.allow and hosts.deny files.

Please help. Thank you in advance!

Corona688 · April 20, 2012, 10:28am

If it gets that far it certainly doesn't seem like a firewall issue... Could it be a problem with PAM?

aixlover · April 20, 2012, 10:40am

Yes. It gets as far as to the logon prompt.

What PAM issue can be to make internal work, but external not work?

Thanks.

hicksd8 · April 20, 2012, 11:31am

As Corona668 says, the difference is that there's a firewall (and possibly a router?) in the way. From the external client what happens exactly?

It the router config set up correctly on the ssh server? Does this machine know how to return the call?

If you get the ip address of the external client which can't connect, what happens if you try to ping that address from the ssh server?

Corona688 · April 20, 2012, 11:39am

I didn't think it was a firewall problem. It'd take a very strange kind of dynamic firewall to allow them to connect and communicate but not allow them to authenticate.

I'm not precisely sure what PAM trouble could cause this. PAM doesn't usually differentiate between different network locations itself. But I understand some systems had implemented PAM add-ons to do so. Maybe just glance in your PAM configuration and see if you find anything related. (But don't touch it lightly, either. Messing up PAM may require a rescue CD to recover from.)

aixlover · April 23, 2012, 2:43pm

I've added the following line into /etc/ssh2/sshd2_config and restarted sshd:

Still not working. The system is in DMZ. I may need to find out if ssh is disabled by DMZ. Any idea?

coolboys · April 24, 2012, 12:27am

edit the ssh config file

i adde below entry
sshd : ALL
save and exit

aixlover · April 30, 2012, 10:13am

I gave up. SSH under Solaris 8/9 is just not stable and mature. Instead of troubleshooting the issue, I've built a new SFTP server using SuSE Linux. External SSH works well right after the configuration is done.

Thank you again!