I'd like to ask for tips. I have a Pi running a number of services. One
is SSH to allow Telnet access via Putty. I use certificates for
authentication. While at home on LAN I can Putty into the Pi just fine
using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address
<me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
works with other services like web server. So I know DDNS and port
forwarding works.

What could be blocking SSH? Anyway to check logs on Pi?

Thanks!

--
Don't be afraid of the deep...
--[ bbs.bottomlessabyss.net | https | telnet=2023 ]--
--[ /query geeknix on libera.chat | tilde.chat ]--

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Hello Geeknix!

Saturday April 22 2023 23:00, you wrote to All:

I'd like to ask for tips. I have a Pi running a number of services.
One is SSH to allow Telnet access via Putty. I use certificates
for authentication. While at home on LAN I can Putty into the Pi just
fine using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address
<me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
works with other services like web server. So I know DDNS and port forwarding works.

What could be blocking SSH? Anyway to check logs on Pi?

Silly questions, but have you opened SSH (instead of telnet - very low security) and have you set up secure key authority etc.

Small point - on mine systems I have extra security set to verify all MAC addresses as well as user / passwords and they are only allowed using defined ip addresses in a specific network and no I have no need to get through from outside but do have a box set up as a concentrator if needs must with security set to above B1.


Vincent

--- Mageia Linux v8 X64/Mbse v1.0.8.3/GoldED+/LNX 1.1.5-b20180707
* Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1)

Geeknix <usenet@apple.geeknix135.net> wrote:

I'd like to ask for tips. I have a Pi running a number of services. One
is SSH to allow Telnet access via Putty. I use certificates for authentication. While at home on LAN I can Putty into the Pi just fine
using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address
<me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
works with other services like web server. So I know DDNS and port
forwarding works.

What could be blocking SSH? Anyway to check logs on Pi?

Do you have any firewalling on the Pi, router or ISP that might interfere?
Try a different external port other than 22?

To see logs:

On the client, Putty has a logging window that tells you what happened on
its side of the connection. On ther server, /var/log/auth.log often tells
you if there was a problem with keys or similar.

Post the logs here if you need help with them.

Theo

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 2023-04-22, Vincent Coen <nospam.Vincent.Coen@f1.n250.z2.fidonet.org> wrote:

Hello Geeknix!

Saturday April 22 2023 23:00, you wrote to All:

I'd like to ask for tips. I have a Pi running a number of services.
One is SSH to allow Telnet access via Putty. I use certificates
for authentication. While at home on LAN I can Putty into the Pi just
fine using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this works with other services like web server. So I know DDNS and port forwarding works.

Silly questions, but have you opened SSH (instead of telnet - very low security) and have you set up secure key authority etc.

Not sure what you mean, when I open the port on the router I have
selected All (i.e. TCP and UDP) for port 22.

Small point - on mine systems I have extra security set to verify all MAC addresses as well as user / passwords and they are only allowed using defined ip addresses in a specific network and no I have no need to get through from outside but do have a box set up as a concentrator if needs must with security
set to above B1.

I have disabled username/password and only accept pre-shared keys.

Thanks Vincent.

--
Don't be afraid of the deep...
--[ bbs.bottomlessabyss.net | https | telnet=2023 ]--
--[ /query geeknix on libera.chat | tilde.chat ]--

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 2023-04-23, Theo <theom+news@chiark.greenend.org.uk> wrote:

Geeknix <usenet@apple.geeknix135.net> wrote:

I'd like to ask for tips. I have a Pi running a number of services. One
is SSH to allow Telnet access via Putty. I use certificates for
authentication. While at home on LAN I can Putty into the Pi just fine
using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address
<me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
works with other services like web server. So I know DDNS and port
forwarding works.

What could be blocking SSH? Anyway to check logs on Pi?

Do you have any firewalling on the Pi, router or ISP that might interfere? Try a different external port other than 22?

Thanks for your reply. I haven't knowingly setup a firewall on the Pi
perhaps the router has one but the same steps I use to allow HTTP and
Minecraft have opened those ports for use.

On the client, Putty has a logging window that tells you what happened on
its side of the connection.

Great, I'll try and figure out how to see that window.

On ther server, /var/log/auth.log often tells you if there was a problem
with keys or similar.

I'll check that out also. Thank you.

--
Don't be afraid of the deep...
--[ bbs.bottomlessabyss.net | https | telnet=2023 ]--
--[ /query geeknix on libera.chat | tilde.chat ]--

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 23/04/2023 00:00, Geeknix wrote:

I'd like to ask for tips. I have a Pi running a number of services. One
is SSH to allow Telnet access via Putty. I use certificates for authentication. While at home on LAN I can Putty into the Pi just fine
using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address
<me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
works with other services like web server. So I know DDNS and port
forwarding works.

What could be blocking SSH? Anyway to check logs on Pi?

Thanks!

Should be no different. I have a similar setup here - Ah!

I remember. I couldn't forward port 22. The router was using it for
secure remote login.

Just try using an arbitrary high port on the router.



--
You can get much farther with a kind word and a gun than you can with a
kind word alone.

Al Capone

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Sun, 23 Apr 2023 10:30:04 GMT, Geeknix wrote:

On 2023-04-22, Vincent Coen <nospam.Vincent.Coen@f1.n250.z2.fidonet.org> wrote:

Hello Geeknix!

Saturday April 22 2023 23:00, you wrote to All:

I'd like to ask for tips. I have a Pi running a number of services.
One is SSH to allow Telnet access via Putty. I use certificates for
authentication. While at home on LAN I can Putty into the Pi just
fine using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address
<me>.ddns.net:22 then port forwarding on my router to the Pi. Now
this works with other services like web server. So I know DDNS and
port forwarding works.

Silly questions, but have you opened SSH (instead of telnet - very low
security) and have you set up secure key authority etc.

Not sure what you mean, when I open the port on the router I have
selected All (i.e. TCP and UDP) for port 22.

Small point - on mine systems I have extra security set to verify all
MAC addresses as well as user / passwords and they are only allowed
using defined ip addresses in a specific network and no I have no need
to get through from outside but do have a box set up as a concentrator
if needs must with security set to above B1.

I have disabled username/password and only accept pre-shared keys.

Thanks Vincent.

Pedantry, maybe, but Telnet != ssh

Telnet offers a very basic tty-like service over a plaintext channel,
while ssh provides a secure, encrypted service. Their connection protocols
are not compatible.

Similarly with ftp vs. ssh2 for file transfers: I wouldn't dream of using telnet, ftp or Kermit outside my LAN, which is firewalled off from the
wider Internet, but I have no problems with using ssh or ssh2 to log in to
a remote (trusted) system or to transfer files to or from them.


--

Martin | martin at
Gregorie | gregorie dot org

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 2023-04-23, Theo <theom+news@chiark.greenend.org.uk> wrote:

Try a different external port other than 22?

I have tried port 4444 for external access, that still forwards to port
22 on the Pi.

--
Don't be afraid of the deep...
--[ bbs.bottomlessabyss.net | https | telnet=2023 ]--
--[ /query geeknix on libera.chat | tilde.chat ]--

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 23/04/2023 11:30, Geeknix wrote:

On 2023-04-23, Theo <theom+news@chiark.greenend.org.uk> wrote:

Try a different external port other than 22?

I have tried port 4444 for external access, that still forwards to port
22 on the Pi.

Hmm. Let me see how I did it here.
Ok I used a high port on the router and 22 on the target machine

Worked for me on *86 platform. Mint. so basically debian with frills

Have you enabled global access to sshd in /etc/ssh/sshd.config and friends?

I think that is the default, but check anyway

Match Address is the line to look at. I think

Ok a good way to test this is to telnet to the ssh port on your public interface and see whether the daemon is responding or not

$telnet media.larksrise.com 2345
Trying 212.69.38.60...
Connected to media.larksrise.com.
Escape character is '^]'.
SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.5

....etc. Oh, I edited the port number, so don't get cute


--
All political activity makes complete sense once the proposition that
all government is basically a self-legalising protection racket, is
fully understood.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On Sun, 23 Apr 2023 10:30:05 GMT, Geeknix wrote:

On 2023-04-23, Theo <theom+news@chiark.greenend.org.uk> wrote:

Geeknix <usenet@apple.geeknix135.net> wrote:

I'd like to ask for tips. I have a Pi running a number of services.
One is SSH to allow Telnet access via Putty. I use certificates for
authentication. While at home on LAN I can Putty into the Pi just fine
using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address
<me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
works with other services like web server. So I know DDNS and port
forwarding works.

What could be blocking SSH? Anyway to check logs on Pi?

Do you have any firewalling on the Pi, router or ISP that might
interfere?
Try a different external port other than 22?

Thanks for your reply. I haven't knowingly setup a firewall on the Pi
perhaps the router has one but the same steps I use to allow HTTP and Minecraft have opened those ports for use.

On the client, Putty has a logging window that tells you what happened
on its side of the connection.

Great, I'll try and figure out how to see that window.

On ther server, /var/log/auth.log often tells you if there was a
problem with keys or similar.

I'll check that out also. Thank you.

Use 'nmap' to see what ports are accessible on your firewall, rpi's etc
from inside your LAN.

http://grc.com/ - the Gibson Research Corp - provides "Shields Up", which
scans your firewall from the outside and reports which ports are
accessible to an intruder.

--

Martin | martin at
Gregorie | gregorie dot org

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Hello Geeknix!

Sunday April 23 2023 10:30, you wrote to me:

On 2023-04-22, Vincent Coen
<nospam.Vincent.Coen@f1.n250.z2.fidonet.org> wrote:

Hello Geeknix!

Saturday April 22 2023 23:00, you wrote to All:

I'd like to ask for tips. I have a Pi running a number of

services.

One is SSH to allow Telnet access via Putty. I use certificates
for authentication. While at home on LAN I can Putty into the Pi

just

fine using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address
<me>.ddns.net:22 then port forwarding on my router to the Pi. Now

this

works with other services like web server. So I know DDNS and port
forwarding works.

Silly questions, but have you opened SSH (instead of telnet - very
low security) and have you set up secure key authority etc.

Not sure what you mean, when I open the port on the router I have
selected All (i.e. TCP and UDP) for port 22.

Should only be TCP - according to my router settings for port trigger but both for port forwarding so look correct.

Small point - on mine systems I have extra security set to verify
all MAC addresses as well as user / passwords and they are only
allowed using defined ip addresses in a specific network and no I
have no need to get through from outside but do have a box set up as
a concentrator if needs must with security set to above B1.

I have disabled username/password and only accept pre-shared keys.

Yep, for ssh that is best as far as I know but I have extra security that means
users system must have declared MAC code (I also make use of users CPU
model and serial numbers - but that was an experiment that seems to work.



Vincent

--- Mageia Linux v8 X64/Mbse v1.0.8.3/GoldED+/LNX 1.1.5-b20180707
* Origin: Air Applewood, The Linux Gateway to the UK & Eire (2:250/1)

Theo <theom+news@chiark.greenend.org.uk> wrote:

Geeknix <usenet@apple.geeknix135.net> wrote:

I'd like to ask for tips. I have a Pi running a number of services. One
is SSH to allow Telnet access via Putty. I use certificates for authentication. While at home on LAN I can Putty into the Pi just fine using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address <me>.ddns.net:22 then port forwarding on my router to the Pi. Now this works with other services like web server. So I know DDNS and port forwarding works.

What could be blocking SSH? Anyway to check logs on Pi?

Do you have any firewalling on the Pi, router or ISP that might interfere? Try a different external port other than 22?

Yes, on many routers you not only have to configure the port
forwarding you also hove to open up the relevant ports on the
firewall.

--
Chris Green
·

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 23/04/2023 18:27, Chris Green wrote:

Theo <theom+news@chiark.greenend.org.uk> wrote:

Geeknix <usenet@apple.geeknix135.net> wrote:

I'd like to ask for tips. I have a Pi running a number of services. One
is SSH to allow Telnet access via Putty. I use certificates for
authentication. While at home on LAN I can Putty into the Pi just fine
using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address
<me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
works with other services like web server. So I know DDNS and port
forwarding works.

What could be blocking SSH? Anyway to check logs on Pi?

Do you have any firewalling on the Pi, router or ISP that might interfere? >> Try a different external port other than 22?

Yes, on many routers you not only have to configure the port
forwarding you also hove to open up the relevant ports on the
firewall.

I think he said he already tried that.
--
Microsoft : the best reason to go to Linux that ever existed.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 23/04/2023 07:00, Geeknix wrote:

I'd like to ask for tips. I have a Pi running a number of services. One
is SSH to allow Telnet access via Putty. I use certificates for authentication. While at home on LAN I can Putty into the Pi just fine
using IP 192.168.0.181:22

Thanks for all the replies, I'm away from home until Wednesday (SG
time), I'll try the suggestions then and let you all know the outcome!

RenMas

--
Don't be afraid of the deep...
--[ bbs.bottomlessabyss.net|https|telnet=2023|ssh=2222 ]--
--[ Remove the fruit and digits for valid email address ]--
--[ usenet <at> apple.geeknix135.net ]--

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Dana Sun, 23 Apr 2023 10:30:04 GMT, Geeknix <usenet@apple.geeknix135.net> napis'o:

On 2023-04-22, Vincent Coen <nospam.Vincent.Coen@f1.n250.z2.fidonet.org> wrote:

Hello Geeknix!

Saturday April 22 2023 23:00, you wrote to All:

I'd like to ask for tips. I have a Pi running a number of services.
One is SSH to allow Telnet access via Putty. I use certificates
for authentication. While at home on LAN I can Putty into the Pi just
fine using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address
<me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
works with other services like web server. So I know DDNS and port
forwarding works.

Silly questions, but have you opened SSH (instead of telnet - very low
security) and have you set up secure key authority etc.

Not sure what you mean, when I open the port on the router I have
selected All (i.e. TCP and UDP) for port 22.

Ok, but you have to forward that port to your 102.168.0.181:22

Small point - on mine systems I have extra security set to verify all MAC
addresses as well as user / passwords and they are only allowed using defined
ip addresses in a specific network and no I have no need to get through from >> outside but do have a box set up as a concentrator if needs must with security
set to above B1.

I have disabled username/password and only accept pre-shared keys.

Thanks Vincent.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

Dana Mon, 24 Apr 2023 20:59:57 +0800, Geeknix <usenet@apple.geeknix135.net> napis'o:

On 23/04/2023 07:00, Geeknix wrote:

I'd like to ask for tips. I have a Pi running a number of services. One
is SSH to allow Telnet access via Putty. I use certificates for
authentication. While at home on LAN I can Putty into the Pi just fine
using IP 192.168.0.181:22

Thanks for all the replies, I'm away from home until Wednesday (SG
time), I'll try the suggestions then and let you all know the outcome!

You can also forward some highet ot to your 192.168.0.181:22
You have to do that on your router provided by your ISP.

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 2023-04-22, Geeknix <usenet@apple.geeknix135.net> wrote:

I'd like to ask for tips. I have a Pi running a number of services. One
is SSH to allow Telnet access via Putty. I use certificates for authentication. While at home on LAN I can Putty into the Pi just fine
using IP 192.168.0.181:22

I have dynamic DNS for external access so I can use address
<me>.ddns.net:22 then port forwarding on my router to the Pi. Now this
works with other services like web server. So I know DDNS and port
forwarding works.

What could be blocking SSH? Anyway to check logs on Pi?

Thank you everyone for your replies. I tried everything you mentioned
and it all looked good. I turned on logging in Putty and more detailed
logs in auth.log on sshd.

When fiddling with the router firewall I noticed I had 2 port forwards
to 22 on the Pi. Basically I was forwarding 4440 (changed from 4444 as
it seemed to be used by other protocols) and 22 from external to local
22. I deleted external 22 and left only 4440. And it started working
around this time, so I suspect I created some kind of clash on the
router!?

Anyway, is really great I can now access my Pi with SSH. Thanks again!

--
Don't be afraid of the deep...
--[ bbs.bottomlessabyss.net | https | telnet=2023 ]--
--[ /query geeknix on libera.chat | tilde.chat ]--

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)

On 30/04/2023 14:00, Geeknix wrote:

Anyway, is really great I can now access my Pi with SSH. Thanks again!

👍

--
“Some people like to travel by train because it combines the slowness of
a car with the cramped public exposure of 
an airplane.”

Dennis Miller

--- SoupGate-Win32 v1.05
* Origin: Agency HUB, Dunedin - New Zealand | Fido<>Usenet Gateway (3:770/3)