Penguin
Recent Changes

Differences between version 20 and predecessor to the previous major change of SSHErrors.

Other diffs: Previous Revision, Previous Author, or view the Annotated Edit History

Newer page: version 20 Last edited on Saturday, June 3, 2006 7:49:30 am by AristotlePagaltzis Revert
Older page: version 18 Last edited on Friday, October 7, 2005 3:42:25 am by AshleyWard Revert
@@ -3,29 +3,30 @@
 If you are having trouble logging in to a remote machine using ssh keys, or other methods you would be wise to check the permissions on your <tt>.ssh</tt> directory (and its parents) on that machine. The <tt>.ssh</tt> directory (and its contents) must not be group or world writeable. Additionally, your private key (<tt>.ssh/id_dsa</tt>) must not be readable or writable by anyone other than you. If this is the problem you will find <tt>sshd: Authentication refused: bad ownership or modes for directory</tt> in your <tt>auth.log</tt> when you try to log in. 
  
  
 !!! <tt>Connection closed by remote host</tt> Error Message 
-There are several reasons why you might get a message like  
  
-<tt>ssh_exchange_identification: Connection closed by remote host</tt> 
+There are several reasons why you might get a message like <tt>ssh_exchange_identification: Connection closed by remote host</tt> when trying to a machine connect via [SSH]. This normally means a [TCP] connection was established, but closed before anything could happen.  
  
-when trying to a machine connect via SSH .  
-This normally means a [TCP ] connection was established , but closed before anything could happen
+!! TCPWrappers  
+  
+One cause for this is that [TCP] Wrappers was configured at the server end to drop connections for some reason - perhaps paranoid lookups. Another example is a line such as the following:''''  
+  
+ <verbatim>  
+ sshd: .nz  
+ </verbatim>  
+  
+in <tt>/etc/hosts.allow</tt>, which restricts incoming [SSH] connections to [IP] addresses that have a reverse [DNS ] entry that ends in <tt>.nz</tt>. You can fix it by either getting your [IP] to resolve correctly (both forward and reverse) , removing the <tt>PARANOID</tt> line in <tt>/etc/hosts .deny</tt>, or adding  
  
-!!TCPWrappers  
-One cause for this is that [TCP] Wrappers was configured at the server end to drop connections for some reason - perhaps paranoid lookups. Another example is a line such as  
-<verbatim>  
-sshd: .nz  
-</verbatim>  
-in /etc/hosts.allow, which restricts incoming SSH connections to [IP] addresses that have a reverse [DNS] entry that ends in ".nz".  
-You can fix it by either getting your IP to resolve - both forward and reverse - correctly, removing the PARANOID line in <tt>/etc/hosts.deny</tt>, or adding  
 <verbatim> 
 sshd sshd1 sshd2 : ALL : ALLOW 
 </verbatim> 
+  
 to <tt>/etc/hosts.allow</tt>. 
  
 !! Server pseudo-terminal problems 
-Ensure that your [PTY]s are correctly installed and configured. In my case, this involved manually remounting <tt>/dev/pts</tt> in order to get it working. Another symptom of this problem is screen(1) reporting that it cannot find any [PTY]s. If SSH can't allocate a terminal, it returns (by the looks of things), preventing you from getting a shell. 
+  
+ Ensure that your [PTY]s are correctly installed and configured. In my case, this involved manually remounting <tt>/dev/pts</tt> in order to get it working. Another symptom of this problem is screen(1) reporting that it cannot find any [PTY]s. If [ SSH] can't allocate a terminal, it returns (by the looks of things), preventing you from getting a shell. 
  
  
 !!! Commands complain about corruption when piping data via [SSH] / [SCP] errors 
  
@@ -33,51 +34,57 @@
  
 <verbatim> 
 [ "$TERM" = 'dumb' ] && return 
 </verbatim> 
+  
  
 !!! Config file not expanding <tt>$HOME</tt> out 
  
-Yes, your <tt>.ssh/config</tt> doesn't actually expand out <tt>$HOME</tt>. This is despite the man page ssh_config(5) referring to <tt>$HOME/.ssh/''foo''</tt> for the <tt>~IdentifyFile</tt> section. It will expand out <tt> ~~ </tt> correctly, so you can use <tt>~~/.ssh/</tt> instead. 
+Yes, your <tt>.ssh/config</tt> doesn't actually expand out <tt>$HOME</tt>. This is despite the ManPage ssh_config(5) referring to <tt>$HOME/.ssh/''foo''</tt> for the <tt>~IdentifyFile</tt> section. It will expand out <tt>~~</tt> correctly, however , so you can use <tt>~~/.ssh/</tt> instead.  
+  
  
 !!! <tt>no matching comp found: client zlib server none</tt> 
  
 You tried to use compression but the ssh server refused. This might be because you had the <tt>-C</tt> option on the command line, or you have <tt>Compression</tt> in your <tt>~/.ssh_options</tt> file. This might mean that there are different versions of ssh installed on the two machines, or different versions of libssl. Not trying to use compression will work around this. 
+  
  
 !!! Privilege Separation 
  
 If you find you are unable to ssh in to a box where auth is [LDAP] via [PAM], you are probably using privelege seperation. 
  
 You have two options. Set <tt>~UsePrivilegeSeparation no</tt> and <tt>PAMAuthenticationViaKbdInt yes</tt>, or use keys only. Keep in mind that using keys will require local home directories, which you may not have if you're using [LDAP] auth... 
  
-!!! Could not reverse map address  
  
-sshd has an option to disallow connections where the ReverseLookup for the [IP] that is connecting does not match the ForwardLookup. In sshd_config(5) it says the parameter is called <tt>~VerifyReverseMapping</tt>, but other documentation points to there being a <tt>~RequireReverseMapping </tt> as well.  
+!!! <tt>Could not reverse map address </tt> 
  
-Should sshd complain (and take a long time to let you connect ), and the [DNS ] appears sound, restart the service . These results appear to be cached so restarting sshd will solve your problem
+sshd(8 ) has an option to disallow connections where the ReverseLookup for the incoming connection’s remote [IP ] does not match the ForwardLookup . In sshd_config(5) it says the parameter is called <tt>~VerifyReverseMapping</tt>, but other documentation points to there being a <tt>~RequireReverseMapping</tt> as well
  
+Should sshd(8) complain (and take a long time to let you connect), and the [DNS] appears sound, restart the service. These results appear to be cached so restarting sshd will solve your problem.  
  
-!!! SSH won't prompt for passwords 
+  
+ !!! [ SSH] won't prompt for passwords 
  
 If [SSH]ing to a machine seems to avoid prompting you for passwords, check the permissions on <tt>/dev/tty</tt>. If the user cannot write to this device, then [SSH] is unable to turn off local echo when prompting for passwords, so it just silently skips asking for passwords. 
+  
  
 !!! <tt>Disconnecting: bad packet length 1349676916.</tt> 
  
 There was a protocol error, normally due to conflicting versions of ssh on the two machines. You might get this on a machine running [Slackware] version 7 (where OpenSSH-1.2 only supports [SSH] protocol 1.5) when trying to [SSH] to a machine running [Slackware] 8 (with OpenSSH-3.4 and only using [SSH] protocol 2). 
  
 You can solve this problem by either installing a [SSH] client which supports protocol version 2 on the source machine (strongly recommended), or by changing the configuration of the [SSH] server on the destination machine. Note that protocol versions 1.x are deprecated because they're vulnerable. You should really upgrade the client instead. 
  
-If you cannot do that for whatever reason, you have to permit clients to use a 1.x protocol in sessions with the server by changing the directive <tt>Protocol 2</tt> to <tt>Protocol 2,1</tt> in the server's <tt>/etc/ssh/ sshd_config</tt> . Don't forget to restart the daemon. 
+If you cannot do that for whatever reason, you have to permit clients to use a 1.x protocol in sessions with the server by changing the directive <tt>Protocol 2</tt> to <tt>Protocol 2,1</tt> in the server's sshd_config(5) . Don't forget to restart the daemon.  
+  
  
 !!! Permission denied errors 
  
-If you get an error similar to <tt>Permission denied (publickey).</tt> you probably have not put your public key into the authorized_keys file in ~/.ssh or else you may have corrupted that file. 
+If you get an error similar to <tt>Permission denied (publickey).</tt> you probably have not put your public key into the authorized_keys file in <tt>~ ~/.ssh</tt> or else you may have corrupted that file. 
  
-!!! <tt>channel ''n'': open failed: administratively prohibited: open failed</tt>  
  
-Despite this error message, this just means it wasn't able to open a port forward. Generally this is because the address you have set for port forwarding is wrong, or the port that you are pointing to is incorrect. Check your -L or -R options for accuracy. This is also the message you'll get if your slave SSH server is running port filtering software like "Little Snitch" or have a firewall setup on the slave side.  
+!!! <tt>channel <i>n</i>: open failed: administratively prohibited: open failed</tt>  
  
-This can also be if the server you are connecting to has AllowTcpForwarding set to no in its sshd_config file
+Despite this error message, this just means it wasn't able to open a port forward. Generally this is because the address you have set for PortForwarding is wrong, or the [Port] that you are pointing to is incorrect. Check your <tt>-L</tt> or <tt>-R</tt> options for accuracy. For example this command will bring up the error mentioned above caused by a wrong usage, eg. <tt>ssh -L 9999:__user@__host:22</tt>, where the problem is that you are not allowed to specify a user at that point. [OTOH], this is also the message you'll get if your slave [SSH] server is running port filtering software like "Little Snitch" or has a FireWall set up on the slave side
  
-----  
+This can also be if the server you are connecting to has <tt>~AllowTcpForwarding no</tt> in its sshd_config(5).  
  
-Part of CategorySecurity, CategoryNetworking, CategoryErrors 
+----  
+ Part of CategorySecurity, CategoryNetworking and CategoryErrors