Request Help - is this a DNS or pure SSH issue

Discussion in 'Linux Networking' started by dakupoto, Sep 16, 2013.

  1. dakupoto

    dakupoto Guest

    I apologize if this is the inappropriate newsgroup
    for my query, but here is an issue that is bugging
    me for two weeks now, and I do not have any good
    handle as to what the solution is.

    I am trying to ssh from a Fedora 15 box to a
    Raspberry Pi Model B board running OpenELEC 2.99.5.
    I have an ADSL modem/router whose WAN side is connected
    to the phone line. The ADSL modem/router's single
    Ethernet port is connected to a D-Link 5 port Ethernet
    switch. Both the Fedora box and Raspberry Pi are
    connected to the switch's Ethernet ports. Both the
    Fedora box and Raspberry Pi have static IP addresses
    with the gateway IP address 192.168.1.1 acting as
    the first DNS IP address. The Fedora box's firewall
    has port 22 open.

    First, ping does not work:
    ping 192.168.1.2
    PING 192.168.1.2 (192.168.1.2) 56(84) bytes of data.
    From 192.168.1.2 icmp_seq=1 Destination Host Prohibited
    From 192.168.1.2 icmp_seq=2 Destination Host Prohibited
    From 192.168.1.2 icmp_seq=3 Destination Host Prohibited
    From 192.168.1.2 icmp_seq=4 Destination Host Prohibited
    From 192.168.1.2 icmp_seq=5 Destination Host Prohibited
    From 192.168.1.2 icmp_seq=6 Destination Host Prohibited
    From 192.168.1.2 icmp_seq=7 Destination Host Prohibited
    From 192.168.1.2 icmp_seq=8 Destination Host Prohibited
    From 192.168.1.2 icmp_seq=9 Destination Host Prohibited
    .....

    Then if I ssh to the Raspberry Pi, connection is made,
    but authentication fails. I have re-generated the pub/
    pri key pairs several times, with ssh-keygen, but that
    has not helped matters.

    ssh root@192.168.1.2 -vvv
    OpenSSH_5.5p1, OpenSSL 1.0.0e-fips 6 Sep 2011
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug2: ssh_connect: needpriv 0
    debug1: Connecting to 192.168.1.2 [192.168.1.2] port 22.
    debug1: Connection established.
    debug3: Not a RSA1 key file /home/lama/.ssh/id_dsa.
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug3: key_read: missing whitespace
    debug1: identity file /home/lama/.ssh/id_dsa type 2
    debug1: identity file /home/lama/.ssh/id_dsa-cert type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5
    debug1: match: OpenSSH_5.5 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.5
    debug2: fd 3 setting O_NONBLOCK
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ,,ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,,hmac-ripemd160,,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,,hmac-ripemd160,,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,,zlib
    debug2: kex_parse_kexinit: none,,zlib
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
    debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
    debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,,hmac-ripemd160,,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,,hmac-ripemd160,,hmac-sha1-96,hmac-md5-96
    debug2: kex_parse_kexinit: none,
    debug2: kex_parse_kexinit: none,
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit:
    debug2: kex_parse_kexinit: first_kex_follows 0
    debug2: kex_parse_kexinit: reserved 0
    debug2: mac_setup: found hmac-md5
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug2: mac_setup: found hmac-md5
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug2: dh_gen_key: priv key bits set: 131/256
    debug2: bits set: 512/1024
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug3: check_host_in_hostfile: host 192.168.1.2 filename /home/lama/.ssh/known_hosts
    debug3: check_host_in_hostfile: host 192.168.1.2 filename /home/lama/.ssh/known_hosts
    debug3: check_host_in_hostfile: match line 1
    debug1: Host '192.168.1.2' is known and matches the RSA host key.
    debug1: Found key in /home/lama/.ssh/known_hosts:1
    debug2: bits set: 502/1024
    debug1: ssh_rsa_verify: signature correct
    debug2: kex_derive_keys
    debug2: set_newkeys: mode 1
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug2: set_newkeys: mode 0
    debug1: SSH2_MSG_NEWKEYS received
    debug1: Roaming not allowed by server
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug2: service_accept: ssh-userauth
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug2: key: /home/lama/.ssh/id_dsa (0x2655160)
    debug1: Authentications that can continue: publickey,password
    debug3: start over, passed a different list publickey,password
    debug3: preferred publickey,keyboard-interactive,password
    debug3: authmethod_lookup publickey
    debug3: remaining preferred: keyboard-interactive,password
    debug3: authmethod_is_enabled publickey
    debug1: Next authentication method: publickey
    debug1: Offering public key: /home/lama/.ssh/id_dsa
    debug3: send_pubkey_test
    debug2: we sent a publickey packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    debug2: we did not send a packet, disable method
    debug3: authmethod_lookup password
    debug3: remaining preferred: ,password
    debug3: authmethod_is_enabled password
    debug1: Next authentication method: password
    root@192.168.1.2's password:
    debug3: packet_send2: adding 64 (len 57 padlen 7 extra_pad 64)
    debug2: we sent a password packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.
    root@192.168.1.2's password:
    debug3: packet_send2: adding 64 (len 57 padlen 7 extra_pad 64)
    debug2: we sent a password packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    Permission denied, please try again.
    root@192.168.1.2's password:
    debug3: packet_send2: adding 64 (len 57 padlen 7 extra_pad 64)
    debug2: we sent a password packet, wait for reply
    debug1: Authentications that can continue: publickey,password
    debug2: we did not send a packet, disable method
    debug1: No more authentication methods to try.
    Permission denied (publickey,password).

    Any hints, suggestions would be of immense help.
    Thanks in advance for your help,
     
    dakupoto, Sep 16, 2013
    #1
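Added example (not part of any post in this thread): a Python function that summarises the authentication phase of an `ssh -vvv` client log like the one above, counting keys and passwords the server refused. The sample log is constructed, with a placeholder key path, and `triage` and its field names are this example's own.

```python
import re

# Constructed sample: the authentication-phase lines of an `ssh -vvv` client log,
# shaped like the one in the post above (the key path is a placeholder).
SAMPLE_LOG = """\
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering public key: /home/user/.ssh/id_dsa
debug2: we sent a publickey packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug2: we did not send a packet, disable method
debug1: Next authentication method: password
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
debug2: we sent a password packet, wait for reply
debug1: Authentications that can continue: publickey,password
debug1: No more authentication methods to try.
Permission denied (publickey,password).
"""

def triage(log_text):
    """Summarise the userauth phase of an OpenSSH client debug log."""
    result = {"server_methods": [], "offered_keys": [], "rejected_keys": [],
              "password_attempts": 0, "password_rejections": 0, "authenticated": False}
    pending = None  # what the client last sent: ("key", path) or ("password", None)
    for line in log_text.splitlines():
        line = line.strip()
        if m := re.match(r"debug1: Authentications that can continue: (\S+)", line):
            result["server_methods"] = m.group(1).split(",")
            # This message after a request means the server refused that request.
            if pending and pending[0] == "key":
                result["rejected_keys"].append(pending[1])
            elif pending and pending[0] == "password":
                result["password_rejections"] += 1
            pending = None
        elif m := re.match(r"debug1: Offering public key: (\S+)", line):
            result["offered_keys"].append(m.group(1))
            pending = ("key", m.group(1))
        elif "we sent a password packet" in line:
            result["password_attempts"] += 1
            pending = ("password", None)
        elif line.startswith("debug1: Authentication succeeded"):
            result["authenticated"] = True
    return result
```

A key that appears in both `offered_keys` and `rejected_keys` was read and sent by the client and then refused by the server, so the place to look is the account's `authorized_keys` on the server side.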

  2. dakupoto

    unruh Guest

    You keep asking
    The RPi might not allow root ssh into it. Depends on the options set up
    in the etc/ssh/sshd.conf file.
    Try ssh into a user account on the RPi instead of root.

    And as you have been told before, your id_dsa file is corrupt. Fix it.

    And it asks three times for the root password. Are you sure you know
    what it is? Did you enter the correct password?

    Sure, but you have to listen.
     
    unruh, Sep 16, 2013
    #2

  3. dakupoto

    dakupoto Guest

    Well I tried a few pairs as username -password, admin password
    but the results are the same. I have even made the change in
    my Fedora box's /etc/hosts.allow file as sshd : ALL
    As I have mentioned in my earlier mail, I have re-generated
    the keys 7 - 8 times using ssh-keygen, with RSA, RSA 1 and DSA
    but each time I try to use the DSA keys, I get this error
    message. I have even tried "cat id_**.pub >> authorized_keys"
    but still no luck.
    As far as I know from all the OpenELEC forums, the default
    login and password are : root, openelec -- both lower case.
     
    dakupoto, Sep 17, 2013
    #3
  4. Firstly, it appears you had a mismatch of keys between client and server

    "debug3: Not a RSA1 key file /home/lama/.ssh/id_dsa."

    The default IIRC is RSA. If you use DSA you need to change it on your
    client in /etc/ssh/ssh_conf


    man ssh_config

    Well, just appending the keys on the server if you have a boogered key in
    there will not fix the situation. It is recommended to use ssh-copy-id
    to upload your public key to prevent multiple entries and such.

    man ssh-copy-id

    If you have a damaged key in your server's authorized_keys file I would
    REPLACE the file

    sudo mv /home/$USER/.ssh/authorized_keys /home/$USER/.ssh/authorized_keys.bad

    and then from your client upload the properly generated public key using
    ssh-copy-id
     
    Jonathan N. Little, Sep 17, 2013
    #4
  5. dakupoto

    Joe Pfeiffer Guest

    This is a firewall issue: if I'm reading your description correctly,
    you're trying to ping from the Fedora box to the Pi. If that's the
    case, there's a firewall rule on the Pi saying to reject ping messages
    with a host-prohibited message.
    Assuming you aren't mis-typing the root password (I mention the
    possibility because I've done it -- my favorite has been typing a
    password for a different machine over and over and over), I wonder if
    your Pi's sshd daemon configuration is allowing root logins. On my
    Debian box the relevant file is /etc/ssh/sshd_config and the relevant
    line will look something like

    PermitRootLogin yes # permits root logins
    or
    PermitRootLogin no # does not permit root logins

    For what you're trying to do, you need it to be "yes" (I have exactly
    zero experience with the Pi -- if it can be set up to create user
    accounts, that is the way you'll want to do it, and disable remote root
    logins).
     
    Joe Pfeiffer, Sep 18, 2013
    #5
  6. dakupoto

    Joe Pfeiffer Guest

    Yes, but do you have any non-root accounts set up on the Pi?
    No, he means syntactically incorrect. The message

    debug3: key_read: missing whitespace

    is telling you that the file doesn't look like it's supposed to.
    Regenerating the keys isn't going to fix that; you'll have to look at
    the file with a text editor and figure out what's wrong.
     
    Joe Pfeiffer, Sep 18, 2013
    #6
  7. dakupoto

    unruh Guest

    Take the sd card out of the RPI and put it into a regular linux machine
    (eg the sd slot on the computer, or buy an sd card reader for the usb).
    mount the / partition on the sd card onto the computer.
    mount /dev/sdc1 /media/cdrom
    cd /media/cdrom
    cd etc/ssh
    Now edit sshd.conf and make sure that it allows root logins.
    next copy the root password from /etc/shadow to /media/cdrom/etc/shadow.
    Root will now have the same password on the RPi as it has on your
    machine.
    umount /media/cdrom
    remove the sd card and put it into the RPi and boot up the RPi.

    Now you KNOW what the root password is and you should be able to log in
    as root.

    rm /home/lama/.ssh/id_dsa
    and then recreate the ssh key for id_dsa
    But this is irrelevant, since your RPi does not have the key in
    /root/.ssh/authorized_keys

    So you are going to have to log in using root password.

    Now enter root's password
     
    unruh, Sep 18, 2013
    #7
  8. dakupoto

    dakupoto Guest

    This is what is so puzzling. The keys were generated with ssh-keygen,
    a module/tool that is part of the ssh package. But the main ssh
    module does not recognize the format of the generated key. Seems
    like the left hand does not know what the right hand is doing.
     
    dakupoto, Sep 19, 2013
    #8
  9. dakupoto

    unruh Guest

    I think there is something else that does not know what it is doing.
    And refuses to listen to suggestions.
     
    unruh, Sep 19, 2013
    #9
  10. dakupoto

    dakupoto Guest

    Using my trusty Logitech SD card reader/writer with the
    OpenELEC SD card inserted in it, I found:
    df -h
    Filesystem Size Used Avail Use% Mounted on
    /dev/mapper/VolGroup-lv_root
    33G 9.1G 22G 30% /
    tmpfs 990M 424K 990M 1% /dev/shm
    /dev/sda1 485M 66M 395M 15% /boot
    /dev/sdb1 125M 96M 29M 77% /media/System
    /dev/sdb2 756M 32M 687M 5% /media/Storage

    Then if I cd to /media/System, I find:
    cd /media/System
    [thisuser@localhost System]$ ls
    bootcode.bin fixup.dat openelec.ico SYSTEM
    cmdline.txt kernel.img README.md
    config.txt LICENCE.broadcom start.elf

    Similarly, if I look at the other partition, I see:
    cd /media/Storage
    [thisuser@localhost Storage]$ ls
    lost+found music pictures screenshots tvshows videos

    Each of the directories 'music', etc., are empty.

    On the other hand if I use the SD card reader/writer to check
    the Raspbian SD card, I can see the full Linux file system
    starting at the root /, with /bin, /etc and so forth.
    Please note that the Raspberry Pi boots perfectly off the
    OpenELEC SD card. No issues there.
    I am really thankful to you for the detailed steps
    you have provided me, but looking at the contents
    of the OpenELEC SD card, I am not sure how to use
    the instructions. Any help, hints in this regard will
    be gratefully appreciated.
     
    dakupoto, Sep 19, 2013
    #10
  11. dakupoto

    unruh Guest

    And what is in /boot?
    Anyway, it is clear I do not understand the OpenELEC system so any
    advice I give regarding it should be ignored.
    What is in SYSTEM?
    You might try
    find /dev/mapper/VolGroup-lv_root -name fstab
    to see where they hide the etc filesystem. Otherwise go to an OpenELEC
    group and ask questions there. Or somebody here might know what is going
    on and how it works. I do not obviously.
    That filesystem was what I expected. The web page for openelec is
    completely unhelpful. It tells you what it is not and tells you it is
    designed to be a fast XBMC system (whatever that is) and that it is
    controlled from the graphical user interface (which of course the RPi
    does not really have). So how you get ssh running on it, I have no idea.

    You are using it why?


     
    unruh, Sep 19, 2013
    #11
  12. dakupoto

    dakupoto Guest

    Well your initial suggestions have proved useful.
    That is, when I insert the SD card into the reader
    and plug it into my PC, it immediately maps the
    two SD card partitions System and Storage to
    /media/System and /media/Storage. Now the contents
    of /media/System are all binary and thus uneditable,
    but the contents of /media/Storage are editable.
    In particular, a sub-directory called
    /media/Storage/.xbmc/userdata contains 5 XML files,
    that are used for configuring the Raspberry Pi at
    boot-up time. Once the editing is complete, I can
    So, after 'cd'ing to /media/Storage/.xbmc/userdata
    I can do a 'sudo' to root and edit the XML files.
    After editing is complete, I 'umount' both
    /media/System and /media/Storage. So far, my simple
    modifications appear to be working, and this trick
    overcomes the irritating issue of SSH authentication
    failure.
     
    dakupoto, Sep 21, 2013
    #12
  13. dakupoto

    Thomas K. Guest

    Hi,
    I think I haven't seen a system in my time that doesn't complain in the
    same way.

    Best regards
    Thomas
     
    Thomas K., Oct 13, 2013
    #13