Troy Carter
2001-Feb-22 03:53 UTC
SSH connection hangs with ipchains/RH6.2/OpenSSH 2.5.1p1 (but not <= 2.3.0p1)
I figured this out -- looks like 2.5.1p1 is now using ports < 1024 on the client side (wasn't before?). I had an ipchains rule to allow ACK packets to 1024:65535, which was good enough for <= 2.3.0p1:

#allow only ACK tcp packets
ipchains -A input -j ACCEPT -i eth0 -s any/0 --dport 1024:65535 -p tcp ! -y

So I added the following:

#allow return from ssh connections
ipchains -A input -j ACCEPT -i eth0 -s any/0 22 -p tcp ! -y

Now everything is fine. I even see the config file option to switch back to using non-privileged ports. What was the reason for switching to privileged by default in 2.5.1p1?

-Troy

Jason Stone wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > I just recently installed OpenSSH 2.5.1p1 on a RH6.2 box (kernel
> > 2.2.17). I run ipchains to do packet filtering, allowing incoming
> > connections only to 22 and 80 (and some other ports for specific
> > machines).
>
> Strange. Add a logging rule to your ipchains setup to see all the deny
> packets.
>
> If it was working with prior versions, then I imagine you already know
> this, but make sure to have a rule allowing the return packets.
>
> -Jason
>
> ---------------------------
> If the Revolution comes to grief, it will be because you and those you
> lead have become alarmed at your own brutality. --John Gardner
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.0.4 (FreeBSD)
> Comment: See https://private.idealab.com/public/jason/jason.gpg
>
> iD8DBQE6lICTswXMWWtptckRAhqFAJ4rBjhw5S/pt/rMB2zh7rrFR7HHBwCeNRB0
> JpLCTVj3M3MaDfenF/F1NS8=
> =P1RP
> -----END PGP SIGNATURE-----

--
Troy Carter
tcarter at princeton.edu
Pekka Savola
2001-Feb-22 08:22 UTC
SSH connection hangs with ipchains/RH6.2/OpenSSH 2.5.1p1 (but not <= 2.3.0p1)
On Wed, 21 Feb 2001, Troy Carter wrote:
> I figured this out -- looks like 2.5.1p1 is now using ports < 1024 on
> the client side (wasn't before?). I had an ipchains rule to allow ACK
> packets to 1024:65535, which was good enough for <= 2.3.0p1 :
<snip>
> Now everything is fine. I even see the config file option to switch
> back to using non-privileged ports. What was the reason for switching
> to privileged by default in 2.5.1p1?

This has always been the case, and is caused by the setuid bit (by default) in your ssh binary. You can disable this (as you probably had done) by removing the bit, or adding 'UsePrivilegedPort no' in your ssh_config. (Note that this breaks RhostsAuthentication, see man page)

--
Pekka Savola                 "Tell me of difficulties surmounted,
Netcore Oy                    not those you stumble over and fall"
Systems. Networks. Security.   -- Robert Jordan: A Crown of Swords
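The following is an added illustration, not code from either poster or from the OpenSSH or ipchains projects. It models the first-match, stateless semantics of the `input` chain Troy quoted, so that both explanations in the thread can be checked side by side: the return segments of an ssh session are dropped when the setuid client binds a source port below 1024 (Pekka's point), and either Troy's extra `-s any/0 22 ... ! -y` rule or `UsePrivilegedPort no` (which lets the client use an ephemeral port) makes them pass. The port numbers 1022 and 32768 and every packet below are constructed for the demonstration; `-y` is modelled as "SYN set, ACK clear".

```python
"""Toy model of a stateless ipchains-style input chain (added example,
not from the thread).  Rules are matched in order; the first match wins;
otherwise the chain policy (DENY here) applies.  Port choices and packets
are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

PortRange = Tuple[int, int]   # inclusive (lo, hi)


@dataclass(frozen=True)
class Packet:
    proto: str
    sport: int
    dport: int
    syn_only: bool   # SYN set and ACK clear: what ipchains' `-y` matches


@dataclass(frozen=True)
class Rule:
    target: str                         # ACCEPT or DENY
    proto: Optional[str] = None
    sport: Optional[PortRange] = None
    dport: Optional[PortRange] = None
    not_syn: bool = False               # `! -y`: skip SYN-only packets

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.sport is not None and not (self.sport[0] <= pkt.sport <= self.sport[1]):
            return False
        if self.dport is not None and not (self.dport[0] <= pkt.dport <= self.dport[1]):
            return False
        if self.not_syn and pkt.syn_only:
            return False
        return True


def verdict(chain: List[Rule], pkt: Packet, policy: str = "DENY") -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain:
        if rule.matches(pkt):
            return rule.target
    return policy


# Troy's original chain: new connections to 22 and 80 are allowed, and the
# "ACK packets to 1024:65535" rule was meant to cover all return traffic.
ORIGINAL_CHAIN = [
    Rule("ACCEPT", proto="tcp", dport=(22, 22)),
    Rule("ACCEPT", proto="tcp", dport=(80, 80)),
    Rule("ACCEPT", proto="tcp", dport=(1024, 65535), not_syn=True),
]

# Troy's fix: also accept non-SYN packets whose *source* port is 22.
FIXED_CHAIN = ORIGINAL_CHAIN + [
    Rule("ACCEPT", proto="tcp", sport=(22, 22), not_syn=True),
]

# Constructed client ports: a setuid ssh binds something below 1024;
# with 'UsePrivilegedPort no' the kernel hands out an ephemeral port.
PRIVILEGED_CLIENT_PORT = 1022
EPHEMERAL_CLIENT_PORT = 32768


def ssh_return_packet(client_port: int) -> Packet:
    """Server-to-client segment of an ssh session (SYN+ACK or later, so not `-y`)."""
    return Packet("tcp", sport=22, dport=client_port, syn_only=False)


def scenario(chain: List[Rule], client_port: int) -> str:
    return verdict(chain, ssh_return_packet(client_port))


if __name__ == "__main__":
    print("original chain, privileged port :", scenario(ORIGINAL_CHAIN, PRIVILEGED_CLIENT_PORT))  # DENY -> the hang
    print("original chain, ephemeral port  :", scenario(ORIGINAL_CHAIN, EPHEMERAL_CLIENT_PORT))   # ACCEPT
    print("fixed chain,    privileged port :", scenario(FIXED_CHAIN, PRIVILEGED_CLIENT_PORT))     # ACCEPT
    # The `! -y` qualifier still refuses a fresh SYN arriving with source
    # port 22, so the added rule does not expose low ports to new
    # inbound connections.
    probe = Packet("tcp", sport=22, dport=PRIVILEGED_CLIENT_PORT, syn_only=True)
    print("fixed chain,    SYN from port 22:", verdict(FIXED_CHAIN, probe))                        # DENY
```

The last check is the reason Troy's rule carries `! -y`: without it, any remote host could reach every local port below 1024 simply by sending from source port 22, and a stateless filter has no other way to tell a reply apart from a new connection. A stateful filter (the later iptables `conntrack` match) removes the need to enumerate return-port ranges at all.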