I use SSH extensively to administer a number of systems. Everything was working perfectly until a short while ago when I discovered I could not SSH into some servers (but others work perfectly).
I did recently upgrade to the latest Ubuntu 14.04, and wonder if that's the cause, but more to the point - how can I fix the issue?
In each case I'm SSHing across a VPN using public/private keys. In each case if I manually telnet to port 22 I get the SSH banner. There is very little to help track down what the problem is, but when I ssh with "-v" the systems I'm trying to access fail after outputting
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
When SSH succeeds on the other network I get the following
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<3072<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA d9:a7:23:9e:93:da:fe:15:54:5c:a3:01:54:b7:0c:be
debug1: Host '114.23.35.78' is known and matches the RSA host key.
I can confirm that it appears to be all the hosts behind the one network which are failing - and there are a fair number of them spanning different versions of CentOS. (Where I can SSH in, the network is using CentOS and Ubuntu based boxes - I can reach both). All the connections behind the other network appear to work.
In both cases I am trying to use SSH protocol 2 (if I try and force protocol 1 I get "Protocol major versions differ: 1 vs 2").
I've tried clamping MTU on the OUTPUT chain, but that does not seem to have made a difference.
In
Any ideas how (without local access to the server) I can work out what's going on?
EDITS WITH MORE INFO:
When I try and SSH from my cellphone (going through the same router and similar VPN), access works fine.
When I try to SSH from my computer via the cellphone via the Cellular Data connection it works fine.
Regardless of whether I connect my computer to the router via a cable or access point it does not allow me to connect. (I can't connect my computer via my cellphone to my AP, but that would be because I can't use the AP as an AP Client and AP at the same time)
There is a rather large number of entries in my router's ARP cache (over 1000) due, I suspect, to P2P activity earlier in the day. The modem is using "PPP extensions", so of course the MAC address of the IPs is all the same, being that of the modem. I do not have the option of terminating the PPP session on the router with this modem. (Also not sure how relevant this is - I would assume it's not relevant as the traffic is tunneled using OpenVPN, bypassing the router in a traceroute, and also I get a Telnet banner.)
Problem does not seem to be IPTABLES related as I dropped iptables on the router of the network causing problems. I can connect to the external interface of the router no problems (no VPN), but as soon as I try the internal interface I get the problems described.
Upgrading SSH and OpenVPN did not make any difference, neither did allowing password authentication.
0 Answers