Page 1 of 1

SSH out of Raspberry Pi

Posted: Sun Mar 24, 2019 5:11 pm
by davidmcewen
Hi

I'm trying to connect to a firewall via SSH using Raspbian through a PPTP connection. I've updated and upgraded and all I ever appear to get is

It's also the same if I prefix with sudo.

It takes a long time to come back with the response (if that's of any relevance) as if it's timing out or something.

I can SSH to the same server with the same command from a DOS box on my Windows PC but not from the Pi

There's so much information on connecting to the RasPi with SSH that if there is any info on connecting from it, it's totally drowned out so I'd appreciate some pointers if possible.

I think the problem is down to the VPN but I don't have a local SSH server to test against. I'm setting up another Raspberry Pi to try to SSH to locally, but in the meantime, can anyone shed any light on my problem?

Thanks

Dave

Re: SSH out of Raspberry Pi

Posted: Mon Mar 25, 2019 12:22 am
by knute
You don't need sudo. Can you ping the firewall at that address? Do you really need to log in as root?

Re: SSH out of Raspberry Pi

Posted: Mon Mar 25, 2019 1:10 am
by W. H. Heydt
What is the IP address of your Pi? (That is...are you on the same sub-net?)

Re: SSH out of Raspberry Pi

Posted: Mon Mar 25, 2019 9:31 am
by davidmcewen
Hi

Thanks for the replies.

If at first I don't succeed, I generally try sudo, so OK, I don't need it.

Yes, I can ping the firewall IP address.

No, I don't suppose I need to be logging in as root but I have the password for root and I'm using that as a comparison on my Windows PC, I've tried other users but as I'm never asked for the password, I'm assuming this isn't a problem with authentication.

The IP address of the Pi is
Local network: 192.168.0.157 subnet 255.255.255.0
VPN network: 192.168.1.152 subnet 255.255.255.255

The setup is the same on the Windows PC (same subnets but different IP addresses obviously)

I plugged another Raspberry Pi in and I can SSH to it no problem, so I definitely think this is something in the VPN that's playing up.
Thanks

Dave

Re: SSH out of Raspberry Pi

Posted: Mon Mar 25, 2019 4:11 pm
by knute
Is the Windows PC on 192.168.1.? or a different subnet completely from the Pi's VPN network? If it is then maybe the 'firewall' (whatever that is) is rejecting addresses from 192.168.1.*.

Re: SSH out of Raspberry Pi

Posted: Mon Mar 25, 2019 7:57 pm
by davidmcewen
Hi

The Windows PC and the Pi are on the same subnets, they're both connected to the same LANs (local and through the VPN), both with 192.168.0.* (Local) and 192.168.1.* (VPN) addresses. The firewall (it's just a Linux box) I'm trying to SSH to is on 192.168.1.* on the LAN at the other end of the VPN connection.

I'm thinking there may be an issue with the way the VPN's set up but I have no idea what might be wrong - are there any settings in a PPTP setup that I may have got wrong?

Thanks

Dave

Re: SSH out of Raspberry Pi

Posted: Mon Mar 25, 2019 8:08 pm
by knute
Just so I'm sure I understand your setup, you've got two computers, a Pi and Windows PC on a LAN. Both connect to the Linux box's network via VPN but only the Windows PC can ssh into the Linux box? Or are you using the LAN's router to VPN to the Linux box's network?

So I would turn on the VPN on the Pi and the Windows PC and check that they can ping the Linux box and each other through the VPN. The next thing I would do is to look at the logs on the Linux box to see if there is something different in the login attempts from the Pi and the Windows PC.

Re: SSH out of Raspberry Pi

Posted: Mon Mar 25, 2019 8:12 pm
by Andyroo
You can also run

Code: Select all

ssh -v [email protected] -p 8022
To get more info on the SSH connection failures.

Re: SSH out of Raspberry Pi

Posted: Tue Mar 26, 2019 12:03 am
by davidmcewen
Hi

Thanks for the replies again.

Andyroo, I tried the -v option and have pasted the results below. I'm not seeing anything jump out at me but maybe you will (there's a long pause between the last debug message and the Connection Closed message):

[email protected]:~ $ ssh -v [email protected] -p 8022
OpenSSH_7.4p1 Raspbian-10+deb9u6, OpenSSL 1.0.2r 26 Feb 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.254 [192.168.1.254] port 8022.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.1.254:8022 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 192.168.1.254 port 8022

knute, Yes, that's the setup I have, they're both connected with respective VPN clients to a router on the target's LAN. As far as pinging is concerned:
Win pings Linux
Pi pings Linux
Win pings Pi (local LAN)
Pi pings Win (local LAN)
Win pings Pi (VPN LAN)
Pi FAILS to ping Win (VPN LAN)

So all the pings work apart from the Pi pinging the Windows PC through the VPN. I also just tried pinging from the Linux box and that gets a reply from the Pi but not the Windows PC.

I just turned the firewall off on the Windows PC and that made the pinging work, so everything can ping everything.

Thanks

Dave

Re: SSH out of Raspberry Pi

Posted: Tue Mar 26, 2019 8:51 pm
by Andyroo
Yuck - or words to that effect :lol:

A few things I’ve seen via Google (as I can SSH out ok on my LAN)

1) MTU error where the size of the data pack detailing security protocols supported is too long for one frame at one end of the link.
2) A mismatch in time / time zone
3) A mismatch in keys / encryption methods
4) Bug in SSH

Time is the simplest to check
Then maybe recreate / delete any keys needed at both ends and check the SSH config file on the destination to make sure this is correct
MTU can be a pain - check max MTU at each stage of the link. I had an issue e a few years ago with a Plusnet router that I fixed by dropping the MTU down till they got a software fix done (months and months :roll: ) Maybe set the MTU to 1400 all ther way through.

It may not hurt to check is SSH is up to date on both machines.

Re: SSH out of Raspberry Pi

Posted: Wed Apr 03, 2019 12:24 am
by davidmcewen
Well, I finally managed to connect after taking a couple of days not even thinking about it. I thought that the time mismatch was the problem when I first looked as they were different but synchronising those didn't make any difference. I'm not using keys so I didn't check anything there and, obviously I can't do much about a bug in SSH.

That left the MTU issue. I tried running ifconfig ppp0 mtu 1200 and then tried the ssh command again and it asked me if I was OK with the key fingerprint, I typed yes and then I was in and able to run the command I wanted to run. Now I have to work out how I can save that change and how I can connect to ssh and run a script unattended, but that'll be for tomorrow.

Thanks for the pointers.

Re: SSH out of Raspberry Pi

Posted: Wed Apr 03, 2019 1:38 am
by Andyroo
Darn I had hopped it was not that!

I found any changes to the MTU gave general surfing issues and incomplete page loads. Never got to the bottom of why as I just hit refresh a few times :oops:

As for setting it up to be perm, I think adding the MTU XXX setting to /etc/network/interfaces should set it. I recommend you do this at a local keyboard / screen just incase it lock SSH out (yup I’ve still lots to learn on Linux networking :lol: )