
Cannot SSH into my machine [SOLVED]

Posted: Sat Oct 26, 2013 6:52 pm
by muontrack
I'm not very knowledgeable with networking so I'm posting here for some help.

Context: I'm setting up a home (linux) server to which I want to connect from work. I have a good ethernet connection but I live in a building that (presumably) shares the same IP as I do. I know my local IP.

Goal: I want to ssh into my machine from work.

Problem: When I try to connect to my computer ( ssh user@IP ), I'm prompted for a password, which I type in correctly, and then it tells me that my password is incorrect. I cannot log in.

Notable Facts:

1) Port 22 is open

[ME@localhost ~]$ nmap -p22 MY.IP | grep ssh
22/tcp   open  ssh


Attempted Solution:

At first I thought there was something wrong with my openssh server settings so I checked in /etc/ssh/sshd_config and everything in there looks normal.

I then decided to attempt to connect to the computer using a newly generated public/private key and disable the user's password (in principle this is more secure anyway provided that no one steals my private key somehow). I restarted my ssh server and found the following peculiarity:

When I log in through localhost (ssh user@localhost), then everything works as I set it up and I can log in. If I try and log in through my IP (ssh user@IP), then it goes back to asking me for the user's password, and again denying me entrance. At this point I think I realize the problem... there is more than one ssh server on my network (and I have no control over them) and when I try to connect to my computer, it finds some other host instead? I'm not sure if this is the issue.

At this point I would LOVE to know, is there any way to specify that I want to connect to my computer's ssh server and not someone else's on my IP?

Or is there some other problem that I cannot see?

Thanks a lot for your help!

Re: Cannot SSH into my machine

Posted: Sat Oct 26, 2013 7:20 pm
by bthylafh
What's your local IP? If it's in the RFC 1918 address ranges (10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255) then you're behind a NAT and are probably out of luck: you'd need to get someone with access to the building's router to enable port forwarding for you, and if they're unwilling there's not much you can do about it.

As to your second question: yes, but that goes back to port forwarding. What the router admin would have to do is set a non-standard port (for instance port 12899/tcp) to be forwarded to your machine's SSH port, and you'd have to specify in your SSH client that you want to use that port with your building's IP address.

Re: Cannot SSH into my machine

Posted: Sat Oct 26, 2013 7:23 pm
by muontrack
bthylafh wrote:
What's your local IP? If it's in the RFC 1918 address ranges (10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255) then you're behind a NAT and are probably out of luck: you'd need to get someone with access to the building's router to enable port forwarding for you, and if they're unwilling there's not much you can do about it.


My local IP is of the form 192.168.x.x... so I'm sol?? I'm not sure what port forwarding would do if the relevant ssh port is already open. Like I said, I don't know much about this stuff; what would've been the strategy had I not been behind a NAT?

Re: Cannot SSH into my machine

Posted: Sat Oct 26, 2013 7:24 pm
by muontrack
bthylafh wrote:
What's your local IP? If it's in the RFC 1918 address ranges (10.0.0.0-10.255.255.255, 172.16.0.0-172.31.255.255, 192.168.0.0-192.168.255.255) then you're behind a NAT and are probably out of luck: you'd need to get someone with access to the building's router to enable port forwarding for you, and if they're unwilling there's not much you can do about it.

As to your second question: yes, but that goes back to port forwarding. What the router admin would have to do is set a non-standard port (for instance port 12899/tcp) to be forwarded to your machine's SSH port, and you'd have to specify in your SSH client that you want to use that port with your building's IP address.


Ahh I didn't see your second sentence. I understand now, thanks. So basically it would give my machine a dedicated port to which I could ssh and it would be forwarded to my local IP, and hence my personal ssh server. I understand.

Re: Cannot SSH into my machine

Posted: Sat Oct 26, 2013 7:26 pm
by bthylafh
Probably what's happened is that the router's admin has another computer (or the router itself) that serves out SSH, and that's why you're faced with a password prompt instead of a failed connection.

If you had your very own IP address it'd be a lot simpler. You'd tell your router to open up port 22 and forward it to your computer, done. However I wouldn't open up port 22 on the router because of all the bots that scan for weak user/pass pairs; I use a high port myself and forward that to port 22 on my server.

Re: Cannot SSH into my machine

Posted: Sat Oct 26, 2013 7:27 pm
by DougG
If everyone in your building does share an IP address, as you expect, then you're behind a NAT, and you won't be able to do what you're trying to do here.

Here's a simple test: if you can, ask someone else in your building to go to whatismyip.com in a web browser. You do the same. If you get different IPs, there's hope.

If you do have your own IP address, your router might have been listening on port 22. Log into your router's interface and set up a port mapping, from some other port on your router, mapped to port 22 on your computer. SSH from work to that port.

Further potential hurdles: your ISP may not allow inbound traffic on the port you've chosen, and your work may have many/most outbound ports firewalled off.

I wish you luck, but you need all your ducks lined up correctly for this to work.

Re: Cannot SSH into my machine

Posted: Sat Oct 26, 2013 11:04 pm
by just brew it!
Yeah, as others have said, in order to make this work you will need to get whoever maintains the NAT router to set up a port forward for you. The port exposed on the outside of the router will need to be some other port (not port 22) since the "normal" SSH port is clearly already in use. The router can be set up to forward some other port (doesn't matter what port, a random high numbered one like 32548 is fine) to port 22 on your PC, so the config on your PC does not need to change.

If you can't get the router config for your building changed, another way to do this is to get someone else outside of your building who has a dedicated IP (or can at least get their router admin to set up a forward for them) to cooperate with you to set up a tunnel. The idea is that you SSH from your home PC into some other machine outside your building, and use the -R option to set up a reverse port forward from that remote machine back into your home PC; you just leave that session up all the time. Then, you can connect to your home PC from outside by SSHing to the appropriate port on the remote machine; the pre-existing SSH session with the -R option allows the incoming connection to tunnel back through the NAT router in your building (you're essentially piggybacking an incoming session to your PC over a pre-existing outgoing connection, to sidestep the incoming NAT issue).

Re: Cannot SSH into my machine

Posted: Sun Oct 27, 2013 9:58 am
by muontrack
Thanks for the replies everyone! I'm negotiating with the NAT lord... hopefully by Monday they'll have a yes/no answer.

Re: Cannot SSH into my machine

Posted: Sun Oct 27, 2013 10:59 am
by jokinin
Make sure SELinux is set on permissive or disabled, otherwise this could explain your login problems. Especially if you're using a Red Hat based distro.

Re: Cannot SSH into my machine

Posted: Sun Oct 27, 2013 11:13 am
by just brew it!
jokinin wrote:
Make sure SELinux is set on permissive or disabled, otherwise this could explain your login problems. Especially if you're using a Red Hat based distro.

Since he's actually getting a login prompt, this seems rather unlikely to me. Observed symptoms plus the fact that we've already established that he's behind a NAT router point to him not connecting to the server he thinks he's connecting to.
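Added example (not from the thread or any poster): the check that settles "am I talking to my own sshd or to something else on the building's IP" is to compare host key fingerprints. You read the fingerprint of your own key from /etc/ssh/ssh_host_ed25519_key.pub and compare it with what the remote port presents (what `ssh-keyscan -p PORT HOST` prints, or the fingerprint ssh shows on first connect). The code below reproduces OpenSSH's SHA256 fingerprint calculation (SHA256 over the decoded key blob, base64 without padding, the same value `ssh-keygen -lf` prints) and applies it to constructed sample data: the 32 key bytes are arbitrary, not real keys, and 203.0.113.5 is a documentation address standing in for the building's IP; the port 12899 scan assumes the forwarded port bthylafh suggested.

```python
import base64
import hashlib
import struct


def _ssh_string(data):
    """SSH wire-format string: 4-byte big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def ed25519_blob(raw32):
    """Public-key blob as stored base64-encoded in a .pub file or known_hosts:
    the key type string followed by the 32 raw key bytes."""
    return _ssh_string(b"ssh-ed25519") + _ssh_string(raw32)


def pub_line(raw32, comment):
    """The form used by /etc/ssh/ssh_host_ed25519_key.pub: 'ssh-ed25519 <base64> comment'."""
    return "ssh-ed25519 " + base64.b64encode(ed25519_blob(raw32)).decode("ascii") + " " + comment


def keyscan_line(host, raw32):
    """The form of one ssh-keyscan output line: '<host> ssh-ed25519 <base64>'."""
    return host + " ssh-ed25519 " + base64.b64encode(ed25519_blob(raw32)).decode("ascii")


def parse_key_line(line):
    """Return (keytype, base64_blob) from either form; a .pub line starts with the key type,
    a keyscan line starts with the host."""
    fields = line.split()
    if fields[0].startswith(("ssh-", "ecdsa-", "sk-")):
        return fields[0], fields[1]
    return fields[1], fields[2]


def fingerprint(line):
    """OpenSSH's SHA256 fingerprint as printed by `ssh-keygen -lf`: sha256 of the decoded
    blob, base64-encoded, trailing '=' padding removed."""
    _, blob_b64 = parse_key_line(line)
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode("ascii").rstrip("=")


def offered_fingerprints(keyscan_output):
    """keytype -> fingerprint for every key line in keyscan output; '#' comment lines skipped."""
    found = {}
    for line in keyscan_output.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        keytype, _ = parse_key_line(line)
        found[keytype] = fingerprint(line)
    return found


def is_my_server(my_pub_line, keyscan_output):
    """True only if the remote port presented exactly the host key from my own key file."""
    return fingerprint(my_pub_line) in offered_fingerprints(keyscan_output).values()


# Constructed sample data: arbitrary bytes, NOT real keys; 203.0.113.5 is a documentation address.
HOME_RAW = bytes(range(32))          # stands in for the home server's ed25519 public key
ROUTER_RAW = bytes(range(32, 64))    # stands in for whatever answers on the building's port 22
MY_HOST_KEY = pub_line(HOME_RAW, "root@homeserver")
SCAN_PORT_22 = "# 203.0.113.5:22 (constructed)\n" + keyscan_line("203.0.113.5", ROUTER_RAW) + "\n"
SCAN_PORT_12899 = "# 203.0.113.5:12899 (constructed)\n" + keyscan_line("203.0.113.5", HOME_RAW) + "\n"

if __name__ == "__main__":
    print("my host key:      ", fingerprint(MY_HOST_KEY))
    print("port 22 is mine:  ", is_my_server(MY_HOST_KEY, SCAN_PORT_22))
    print("port 12899 is mine:", is_my_server(MY_HOST_KEY, SCAN_PORT_12899))
```

The same comparison is what ssh's "host key has changed" warning does for you once a key is in ~/.ssh/known_hosts; doing it by hand before the first connection is the only way to know, from work, which machine's sshd a given port on the building's IP actually belongs to.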

Re: Cannot SSH into my machine

Posted: Sun Oct 27, 2013 11:31 am
by chuckula
If you can't get a port-forward set up for your NAT to do logins from the outside-in then another potential solution is a reverse SSH tunnel, to get the connection established from the inside-out.

Edit: Ah, saw that JBI was already on the reverse tunnel. I hope my link is at least helpful in backing up his point.
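Added example for the reverse tunnel that just brew it! and chuckula describe (not code from the thread, and not SSH itself): a toy TCP relay showing the data flow behind `ssh -N -R 2222:localhost:22 user@relay` run on the home PC, followed by `ssh -p 2222 user@relay` from work. The home side dials out (which the NAT permits), the relay holds that session, and an inbound connection to the relay's public port is piped back over the pre-existing outbound one to the local service. Everything runs on loopback ports chosen by the OS; the "sshd" is a stand-in that upper-cases what it receives, and the one-connection-at-a-time behaviour is a simplification of what sshd's -R handling does with many channels.

```python
import socket
import threading


def _pipe(src, dst):
    """Copy bytes src -> dst until src hits EOF, then half-close dst so the EOF propagates."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _listener():
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    s.listen(1)
    return s


def start_local_service():
    """Stands in for sshd on the home PC: answers one connection with the upper-cased request."""
    srv = _listener()

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(conn.recv(4096).upper())
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def start_relay():
    """The machine outside the building. Two listeners:
    control: the home PC dials OUT to it (the long-lived `ssh -R` session)
    public:  the user connects to it from work (`ssh -p <port> relay`)"""
    control, public = _listener(), _listener()

    def serve():
        home, _ = control.accept()      # must exist before any inbound connection arrives
        client, _ = public.accept()
        back = threading.Thread(target=_pipe, args=(client, home), daemon=True)
        back.start()
        _pipe(home, client)             # replies flow back to the work-side client
        back.join()
        for s in (home, client, control, public):
            s.close()

    threading.Thread(target=serve, daemon=True).start()
    return control.getsockname()[1], public.getsockname()[1]


def start_home_agent(relay_control_port, local_service_port):
    """Home-PC side of `ssh -R`: one OUTBOUND connection through the NAT; when data shows up
    on it, open the local service on demand and shuttle bytes both ways."""
    outbound = socket.create_connection(("127.0.0.1", relay_control_port))

    def serve():
        first = outbound.recv(4096)     # block until the relay hands us an inbound session
        if not first:
            outbound.close()
            return
        local = socket.create_connection(("127.0.0.1", local_service_port))
        local.sendall(first)
        back = threading.Thread(target=_pipe, args=(local, outbound), daemon=True)
        back.start()
        _pipe(outbound, local)
        back.join()
        local.close()
        outbound.close()

    threading.Thread(target=serve, daemon=True).start()


def connect_from_work(payload=b"hello from work"):
    """Wire up service, relay and home agent, then act as the work-side client."""
    local_port = start_local_service()
    control_port, public_port = start_relay()
    start_home_agent(control_port, local_port)
    with socket.create_connection(("127.0.0.1", public_port)) as client:
        client.settimeout(5)
        client.sendall(payload)
        client.shutdown(socket.SHUT_WR)
        received = b""
        while True:
            chunk = client.recv(4096)
            if not chunk:
                break
            received += chunk
    return received


if __name__ == "__main__":
    print(connect_from_work())  # b'HELLO FROM WORK'
```

Two things the toy makes visible that matter in practice: nothing works until the home side has dialled out first, so the -R session has to be kept alive (a supervisor such as autossh, or a loop that re-runs ssh, is the usual fix), and whoever can reach the relay's public port reaches your home sshd, so the relay's exposed port deserves the same hardening as a directly forwarded one.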

Re: Cannot SSH into my machine

Posted: Sun Oct 27, 2013 11:32 am
by muontrack
jokinin wrote:
Make sure SELinux is set on permissive or disabled, otherwise this could explain your login problems. Especially if you're using a Red Hat based distro.


SELinux is pretty much the first thing I disable (I run Fedora) when I do a fresh install.


just brew it! wrote:
jokinin wrote:
Make sure SELinux is set on permissive or disabled, otherwise this could explain your login problems. Especially if you're using a Red Hat based distro.

Since he's actually getting a login prompt, this seems rather unlikely to me. Observed symptoms plus the fact that we've already established that he's behind a NAT router point to him not connecting to the server he thinks he's connecting to.


Agreed with this. An even simpler test (which I did) was to turn off all ssh servers I own (my laptop+desktop) and I was still getting a login prompt when I ssh'd into my IP. Some very lucky person has claimed port 22 :(.

Re: Cannot SSH into my machine

Posted: Sun Oct 27, 2013 11:34 am
by muontrack
chuckula wrote:
If you can't get a port-forward set up for your NAT to do logins from the outside-in then another potential solution is a reverse SSH tunnel, to get the connection established from the inside-out.

Edit: Ah, saw that JBI was already on the reverse tunnel. I hope my link is at least helpful in backing up his point.


Oh thank you! I saw JBI talked a bit about this but your link helps me understand it better. Thank you very much for this.

Edit: @JBI @chuckula indeed, since my source and destination are always on, I will have no problems setting up this reverse tunneling - very easy to understand, but I didn't know about this before. I suppose if the NAT lord will have none of it, then this solution works for me. Thanks! Once I get this up and running (need to put my source machine back at office, because, ironically, it's with me right now), I'll mark the thread as solved.

Re: Cannot SSH into my machine

Posted: Sun Oct 27, 2013 11:41 am
by just brew it!
muontrack wrote:
Some very lucky person has claimed port 22 :(.

It may actually be the maintenance interface for the router itself.

And no, they're *not* lucky. Using the standard port means they're guaranteed to get hammered 24x7 by brute force password cracking attempts for common account names (root, and popular first names like john, mary, mike, joe, etc.)

You're actually better off exposing a high-numbered non-standard port to the outside world. It'll cut down the spewage in your authentication logs by several orders of magnitude, and if you're leaving password-based logins enabled it'll give you a (small) bit of additional security against the script kiddies.

Edit: On a related note, I also suggest you disable SSH logins for the root account if you have not already done so. If you need to administer the system remotely, log in as a normal user then elevate with su or sudo.
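Added example (not from the thread): a small audit of the sshd_config settings this post and the earlier replies touch on, so you can confirm what the daemon will actually enforce rather than what you think you typed. It follows sshd's parsing rules: keywords are case-insensitive, the first occurrence of a keyword wins, and anything after the first Match line is conditional and is ignored here. The defaults assumed for absent keywords are the 2013-era OpenSSH ones (PermitRootLogin defaulted to yes then; newer releases default it to prohibit-password). ChallengeResponseAuthentication is included because leaving it on keeps a password path open via keyboard-interactive even after PasswordAuthentication is turned off. Both config texts are constructed samples, not the poster's files.

```python
# Defaults sshd applies when a keyword is absent. Assumption: OpenSSH 6.x-era (2013) defaults.
DEFAULTS = {
    "permitrootlogin": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# Values wanted for a daemon reachable from the Internet: no root logins, keys instead of
# passwords, and the keyboard-interactive password path closed as well.
WANTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "challengeresponseauthentication": "no",
    "pubkeyauthentication": "yes",
}


def parse_global(config_text):
    """Effective global settings: case-insensitive keywords, FIRST occurrence wins,
    '#' starts a comment, and parsing stops at the first Match block."""
    settings = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "match":
            break
        settings.setdefault(keyword, value)
    return settings


def audit(config_text):
    """Return (keyword, effective_value, wanted_value) for each setting that differs from WANTED."""
    effective = parse_global(config_text)
    findings = []
    for keyword, wanted in WANTED.items():
        value = effective.get(keyword, DEFAULTS[keyword]).lower()
        if value != wanted:
            findings.append((keyword, value, wanted))
    return findings


# Constructed sample: looks hardened at a glance but is not.
WEAK = """\
Port 22
#PermitRootLogin no            # commented out, so the default applies
PasswordAuthentication yes
Match User backup
    PasswordAuthentication no  # applies only to 'backup', the global setting stays yes
"""

# Constructed sample: what the thread's advice amounts to. Port 22 can stay, because the
# router forwards a high port to it; the non-standard port lives on the router side.
HARDENED = """\
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
"""

if __name__ == "__main__":
    for keyword, got, want in audit(WEAK):
        print("%-32s is %-5s wanted %s" % (keyword, got, want))
    print("hardened sample findings:", audit(HARDENED))
```

The first-occurrence rule is the one that bites people: appending `PasswordAuthentication no` to the end of a file that already says `yes` higher up changes nothing, which the parse_global check above makes visible.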

Re: Cannot SSH into my machine

Posted: Sun Oct 27, 2013 11:43 am
by muontrack
just brew it! wrote:
muontrack wrote:
Some very lucky person has claimed port 22 :(.

It may actually be the maintenance interface for the router itself.

And no, they're *not* lucky. Using the standard port means they're guaranteed to get hammered 24x7 by brute force password cracking attempts for common account names (root, and popular first names like john, mary, mike, joe, etc.)

You're actually better off exposing a high-numbered non-standard port to the outside world. It'll cut down the spewage in your authentication logs by several orders of magnitude, and if you're leaving password-based logins enabled it'll give you a (small) bit of additional security against the script kiddies.


Oh interesting; yes, this makes sense. So they should close the router's port 22 and, in principle, forward a unique high port to everyone's own port 22? I've been learning a lot by going through this simple problem, so I'd like to learn more.

Re: Cannot SSH into my machine

Posted: Sun Oct 27, 2013 12:08 pm
by just brew it!
muontrack wrote:
Oh interesting; yes, this makes sense. So they should close the router's port 22 and, in principle, forward a unique high port to everyone's own port 22?

Yup. Not that there's much choice for anyone beyond the first, given that the systems are behind a NAT router already.

muontrack wrote:
I've been learning a lot by going through this simple problem, so I'd like to learn more.

SSH really is a "Swiss Army Knife" for doing secure communications over the Internet.

Among other things, it also has a built-in SOCKS proxy server (activated via the -D option) which can be used to encrypt all of your HTTP traffic and forward it through a trusted remote machine that you control. I use this when I'm on the road using public WiFi, since many sites (this one included!) still don't use HTTPS for everything; using the SSH-based SOCKS proxy ensures that anyone else on the same public WiFi can't sniff your web browsing.

The -X option allows you to remotely (and securely) run individual GUI-based apps on the SSH server without using a full remote desktop solution.

SSH is also used as the default transport mechanism for rsync. If you aren't familiar with rsync, it is another "Swiss Army Knife" CLI tool (for data synchronization).

Re: Cannot SSH into my machine [SOLVED]

Posted: Mon Oct 28, 2013 8:06 pm
by muontrack
Thanks for the help everyone! I appreciate all the detail. I have set up a reverse tunnel to solve my problem. Marking the thread as solved now.