davidmcewen
Posts: 5
Joined: Sun Mar 24, 2019 4:33 pm

SSH out of Raspberry Pi

Sun Mar 24, 2019 5:11 pm

Hi

I'm trying to connect to a firewall via SSH using Raspbian through a PPTP connection. I've updated and upgraded and all I ever appear to get is

It's also the same if I prefix with sudo.

It takes a long time to come back with the response (if that's of any relevance) as if it's timing out or something.

I can SSH to the same server with the same command from a DOS box on my Windows PC but not from the Pi

There's so much information on connecting to the RasPi with SSH that if there is any info on connecting from it, it's totally drowned out so I'd appreciate some pointers if possible.

I think the problem is down to the VPN but I don't have a local SSH server to test against. I'm setting up another Raspberry Pi to try to SSH to locally, but in the meantime, can anyone shed any light on my problem?

Thanks

Dave

knute
Posts: 462
Joined: Thu Oct 23, 2014 12:14 am
Location: Texas
Contact: Website

Re: SSH out of Raspberry Pi

Mon Mar 25, 2019 12:22 am

You don't need sudo. Can you ping the firewall at that address? Do you really need to log in as root?

W. H. Heydt
Posts: 10772
Joined: Fri Mar 09, 2012 7:36 pm
Location: Vallejo, CA (US)

Re: SSH out of Raspberry Pi

Mon Mar 25, 2019 1:10 am

What is the IP address of your Pi? (That is...are you on the same sub-net?)

davidmcewen
Posts: 5
Joined: Sun Mar 24, 2019 4:33 pm

Re: SSH out of Raspberry Pi

Mon Mar 25, 2019 9:31 am

Hi

Thanks for the replies.

If at first I don't succeed, I generally try sudo, so OK, I don't need it.

Yes, I can ping the firewall IP address.

No, I don't suppose I need to be logging in as root but I have the password for root and I'm using that as a comparison on my Windows PC, I've tried other users but as I'm never asked for the password, I'm assuming this isn't a problem with authentication.

The IP address of the Pi is
Local network: 192.168.0.157 subnet 255.255.255.0
VPN network: 192.168.1.152 subnet 255.255.255.255

The setup is the same on the Windows PC (same subnets but different IP addresses obviously)

I plugged another Raspberry Pi in and I can SSH to it no problem, so I definitely think this is something in the VPN that's playing up.
Thanks

Dave

knute
Posts: 462
Joined: Thu Oct 23, 2014 12:14 am
Location: Texas
Contact: Website

Re: SSH out of Raspberry Pi

Mon Mar 25, 2019 4:11 pm

Is the Windows PC on 192.168.1.? or a different subnet completely from the Pi's VPN network? If it is then maybe the 'firewall' (whatever that is) is rejecting addresses from 192.168.1.*.

davidmcewen
Posts: 5
Joined: Sun Mar 24, 2019 4:33 pm

Re: SSH out of Raspberry Pi

Mon Mar 25, 2019 7:57 pm

Hi

The Windows PC and the Pi are on the same subnets, they're both connected to the same LANs (local and through the VPN), both with 192.168.0.* (Local) and 192.168.1.* (VPN) addresses. The firewall (it's just a Linux box) I'm trying to SSH to is on 192.168.1.* on the LAN at the other end of the VPN connection.

I'm thinking there may be an issue with the way the VPN's set up but I have no idea what might be wrong - are there any settings in a PPTP setup that I may have got wrong?

Thanks

Dave

knute
Posts: 462
Joined: Thu Oct 23, 2014 12:14 am
Location: Texas
Contact: Website

Re: SSH out of Raspberry Pi

Mon Mar 25, 2019 8:08 pm

Just so I'm sure I understand your setup, you've got two computers, a Pi and Windows PC on a LAN. Both connect to the Linux box's network via VPN but only the Windows PC can ssh into the Linux box? Or are you using the LAN's router to VPN to the Linux box's network?

So I would turn on the VPN on the Pi and the Windows PC and check that they can ping the Linux box and each other through the VPN. The next thing I would do is to look at the logs on the Linux box to see if there is something different in the login attempts from the Pi and the Windows PC.

Andyroo
Posts: 4219
Joined: Sat Jun 16, 2018 12:49 am
Location: Lincs U.K.

Re: SSH out of Raspberry Pi

Mon Mar 25, 2019 8:12 pm

You can also run

Code: Select all

ssh -v [email protected] -p 8022
To get more info on the SSH connection failures.
Need Pi spray - these things are breeding in my house...

davidmcewen
Posts: 5
Joined: Sun Mar 24, 2019 4:33 pm

Re: SSH out of Raspberry Pi

Tue Mar 26, 2019 12:03 am

Hi

Thanks for the replies again.

Andyroo, I tried the -v option and have pasted the results below. I'm not seeing anything jump out at me but maybe you will (there's a long pause between the last debug message and the Connection Closed message):

[email protected]:~ $ ssh -v [email protected] -p 8022
OpenSSH_7.4p1 Raspbian-10+deb9u6, OpenSSL 1.0.2r 26 Feb 2019
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.1.254 [192.168.1.254] port 8022.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_rsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_rsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_dsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_dsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_ecdsa type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_ecdsa-cert type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_ed25519 type -1
debug1: key_load_public: No such file or directory
debug1: identity file /home/pi/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Raspbian-10+deb9u6
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.7
debug1: match: OpenSSH_6.7 pat OpenSSH* compat 0x04000000
debug1: Authenticating to 192.168.1.254:8022 as 'root'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: [email protected]
debug1: kex: host key algorithm: ssh-ed25519
debug1: kex: server->client cipher: [email protected] MAC: <implicit> compression: none
debug1: kex: client->server cipher: [email protected] MAC: <implicit> compression: none
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Connection closed by 192.168.1.254 port 8022

knute, Yes, that's the setup I have, they're both connected with respective VPN clients to a router on the target's LAN. As far as pinging is concerned:
Win pings Linux
Pi pings Linux
Win pings Pi (local LAN)
Pi pings Win (local LAN)
Win pings Pi (VPN LAN)
Pi FAILS to ping Win (VPN LAN)

So all the pings work apart from the Pi pinging the Windows PC through the VPN. I also just tried pinging from the Linux box and that gets a reply from the Pi but not the Windows PC.

I just turned the firewall off on the Windows PC and that made the pinging work, so everything can ping everything.

Thanks

Dave

Andyroo
Posts: 4219
Joined: Sat Jun 16, 2018 12:49 am
Location: Lincs U.K.

Re: SSH out of Raspberry Pi

Tue Mar 26, 2019 8:51 pm

Yuck - or words to that effect :lol:

A few things I’ve seen via Google (as I can SSH out ok on my LAN)

1) MTU error where the size of the data pack detailing security protocols supported is too long for one frame at one end of the link.
2) A mismatch in time / time zone
3) A mismatch in keys / encryption methods
4) Bug in SSH

Time is the simplest to check
Then maybe recreate / delete any keys needed at both ends and check the SSH config file on the destination to make sure this is correct
MTU can be a pain - check max MTU at each stage of the link. I had an issue e a few years ago with a Plusnet router that I fixed by dropping the MTU down till they got a software fix done (months and months :roll: ) Maybe set the MTU to 1400 all ther way through.

It may not hurt to check is SSH is up to date on both machines.
Need Pi spray - these things are breeding in my house...

davidmcewen
Posts: 5
Joined: Sun Mar 24, 2019 4:33 pm

Re: SSH out of Raspberry Pi

Wed Apr 03, 2019 12:24 am

Well, I finally managed to connect after taking a couple of days not even thinking about it. I thought that the time mismatch was the problem when I first looked as they were different but synchronising those didn't make any difference. I'm not using keys so I didn't check anything there and, obviously I can't do much about a bug in SSH.

That left the MTU issue. I tried running ifconfig ppp0 mtu 1200 and then tried the ssh command again and it asked me if I was OK with the key fingerprint, I typed yes and then I was in and able to run the command I wanted to run. Now I have to work out how I can save that change and how I can connect to ssh and run a script unattended, but that'll be for tomorrow.

Thanks for the pointers.

Andyroo
Posts: 4219
Joined: Sat Jun 16, 2018 12:49 am
Location: Lincs U.K.

Re: SSH out of Raspberry Pi

Wed Apr 03, 2019 1:38 am

Darn I had hopped it was not that!

I found any changes to the MTU gave general surfing issues and incomplete page loads. Never got to the bottom of why as I just hit refresh a few times :oops:

As for setting it up to be perm, I think adding the MTU XXX setting to /etc/network/interfaces should set it. I recommend you do this at a local keyboard / screen just incase it lock SSH out (yup I’ve still lots to learn on Linux networking :lol: )
Need Pi spray - these things are breeding in my house...

Return to “Troubleshooting”