
[Savannah-cvs] [SshAccess] (edit)

From: peter20080727
Subject: [Savannah-cvs] [SshAccess] (edit)
Date: Tue, 29 Jul 2008 20:48:17 +0000

* Another problem can arise when you are trying to connect from behind a NAT
router using OpenSSH. During session setup, after the password has been given,
OpenSSH sets the TOS (type of service) field in the IP datagram. Some routers
are known to choke on this. The effect is that your session hangs indefinitely
after you have given your password. Here is example output from such an ssh
session::

    address@hidden:~$ ssh -vvv address@hidden
    OpenSSH_4.7p1 Debian-8ubuntu1.2, OpenSSL 0.9.8g 19 Oct 2007
    debug1: Reading configuration data /etc/ssh/ssh_config
    Enter passphrase for key '{homedir}/.ssh/id_dsa':
    debug1: read PEM private key done: type DSA
    debug1: Authentication succeeded (publickey).
    debug2: fd 5 setting TCP_NODELAY
    debug2: callback done
    debug2: channel 0: open confirm rwindow 0 rmax 32768

and from here on the session hangs.

The fix is to make ssh send all its traffic via netcat, because netcat won't
set the TOS field. To test whether the netcat route solves your problem, issue
the following command::

    ssh -o "ProxyCommand nc %h %p" address@hidden

For a successful login, you should get output similar to this (with no
hanging, i.e. you get a prompt afterwards)::

    address@hidden:~$ ssh -o "ProxyCommand nc %h %p" address@hidden
    Enter passphrase for key '{home-dir}/.ssh/id_dsa':
    Last login: {datetime} from {ip-adr}
    You tried to execute:
    Sorry, you are not allowed to execute that command.
    Connection to closed.

If you find that your login works via the netcat route, then you can make it
permanent by adding a directive to the ssh config file '~/.ssh/config' (creating
that file if it doesn't exist)::

    ProxyCommand nc %h %p

Here's an example ssh config file in a user's home folder::

    # This is the ssh client user configuration file.  See
    # ssh_config(5) for more information.  This file provides defaults for
    # this user, and the values can be changed on the command line.
    # Configuration data is parsed as follows:
    #  1. command line options
    #  2. user-specific file
    #  3. system-wide file
    # Any configuration value is only changed the first time it is set.
    # Thus, host-specific definitions should be at the beginning of the
    # configuration file, and defaults at the end.
    # Directive to overcome TOS issue with our NAT router. During session
    # setup, OpenSSH sets the TOS (type of service) field after the user
    # has submitted the password. Some routers are known to choke on this,
    # with the result that the session hangs during buildup. As workaround
    # we send our traffic via netcat, which doesn't set the TOS field.
    ProxyCommand nc %h %p

It's advisable to put the comments in as well; otherwise, six months later you
may find yourself wondering what that directive is all about.

You could also add this directive to your global ssh config file
(/etc/ssh/ssh_config), but this change would be system-wide, and not all users
on the system may appreciate that change.

Of course, for this to work, you need to have netcat installed. You can test 
this by entering::

    which nc

and if you get a path back, like::

then you probably have netcat installed. For the very cautious, you could then
run::

    nc -h

and look at the help text that follows.
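As an added example (not code from the wiki page above), the two steps it describes, checking that netcat is present and adding the ``ProxyCommand nc %h %p`` directive to a user's ssh config, can be scripted so the directive is scoped to one host instead of applying to every connection, and so a second run does not duplicate it. The function names, the explicit config-file argument and the scratch-file usage are assumptions made here.

```shell
#!/bin/sh
# Added example, not code from the original wiki page. Adds the netcat
# ProxyCommand workaround to an ssh client config, scoped to one host
# rather than globally, and checks first whether it is already there.
# Assumptions: POSIX sh and awk; the config path is passed explicitly
# so the functions can be exercised on a scratch file.

# have_netcat: succeed if an nc binary is on PATH (the "which nc" test).
have_netcat() {
    command -v nc >/dev/null 2>&1
}

# has_nc_proxy CONFIG HOST: succeed if CONFIG already routes HOST via
# "ProxyCommand nc ...". Directives before the first "Host" line are
# global (the form used in the text above), so they match any host.
has_nc_proxy() {
    [ -f "$1" ] || return 1
    awk -v h="$2" '
        BEGIN { match_host = 1 }
        tolower($1) == "host" {
            match_host = 0
            for (i = 2; i <= NF; i++) if ($i == h || $i == "*") match_host = 1
            next
        }
        match_host && tolower($1) == "proxycommand" && $2 == "nc" { found = 1 }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# add_nc_proxy CONFIG HOST: prepend a Host stanza with the workaround.
# Returns 2 and changes nothing if one is already in effect. The stanza
# goes at the top because ssh keeps the first value it reads for each
# option, so host-specific entries must precede the defaults.
add_nc_proxy() {
    cfg=$1
    host=$2
    if has_nc_proxy "$cfg" "$host"; then
        return 2
    fi
    tmp="$cfg.tmp.$$"
    {
        printf 'Host %s\n' "$host"
        printf '    # Route via netcat, which does not set the IP TOS field\n'
        printf '    ProxyCommand nc %%h %%p\n'
        if [ -f "$cfg" ]; then cat "$cfg"; fi
    } > "$tmp"
    mv "$tmp" "$cfg"
    chmod 600 "$cfg"   # ssh rejects a user config that others can write
}
```

Call ``have_netcat || echo "install netcat first"`` before ``add_nc_proxy ~/.ssh/config savannah.gnu.org``; the host name is only an illustration.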
