32 replies to this topic

[Mindovermaster]

Hey, I have a few systems that run Linux and I can't seem to connect to them. SAMBA seems, for some odd reason, to break. So, I want to know how to set up SSH.

When I follow guides, I keep getting errors:

david@david-ubuntu:~$ sudo /etc/init.d/ssh restart
Rather than invoking init scripts through /etc/init.d, use the service(8)
utility, e.g. service ssh restart
Since the script you are attempting to invoke has been converted to an
Upstart job, you may also use the stop(8) and then start(8) utilities,
e.g. stop ssh ; start ssh. The restart(8) utility is also available.
ssh start/running, process 26361
david@david-ubuntu:~$ service ssh restart
stop: Unknown instance:
start: Rejected send message, 1 matched rules; type="method_call", sender=":1.288" (uid=1000 pid=26394 comm="start ssh ") interface="com.ubuntu.Upstart0_6.Job" member="Start" error name="(unset)" requested_reply="0" destination="com.ubuntu.Upstart" (uid=0 pid=1 comm="/sbin/init")
david@david-ubuntu:~$

Anyone care to explain this?

Was unsure to put it in Linux section or here. Move as you see fit.

[+BudMan]

So you didn't sudo there to do a restart.. I run ssh on ubuntu without any issues.



But yeah linux section might be better suited for this question.

What issues are you having with samba? I normally just use my linux boxes as shell boxes, don't see a need for samba - but have never had any issues with it in the past when setting it up for testing, etc.

But sure scp or sftp just as easy and more secure method of putting/getting files off a linux box.

[xorangekiller]

As usual, BudMan's advice is spot-on. Let me see if I can elaborate a little though. With SAMBA, its usually as simple as installing its package from the repository and configuring the service. (It gets a little more complicated on Fedora/RHEL/CentOS when SELinux gets involved, but its still not THAT difficult.)

sudo aptitude install samba
sudo nano /etc/samba/smb.conf
sudo service samba restart

If you're using a firewall (such as UFW, which is default in Ubuntu), you will also need to allow SAMBA through. I will try to help you with this if you need it, but I don't remember much of UFW's syntax off-hand. (Or iptables, for that matter, and I actually use that one!) I believe that UFW also has a nice GUI configuration tool you can use. (The package is called gufw if I'm not mistaken.)

You might also consider checking to make sure that the services you want are running on startup. You can use sysctl, which I believe is the method Canonical officially recommends, but I prefer the ncurses-based Debian Runlevel configuration tool.

sudo aptitude install rcconf
sudo rcconf

[+BudMan]

If you want gui to configure stuff on linux box, just install webmin

As to a host firewall on local secure network - you could just disable it if you ask me. If the network is managed by you, and you control access to this network - ie no hostile type machines are on it. All machines on it are under your control, then the added overhead of management of a local host firewall seems overkill. Control access via firewall at your trust border (gateway)

I don't run any firewalls on my local linux/bsd boxes - other than the one that is acting as my gateway/firewall to the public NET.

Now on my vps that is directly connected to the public internet, then yes I run it - and have it locked down to only allow MY IPs access to services that are for management and only allow public access to those services that are needed to be accessed via public. Since my trust border in that type of case is the HOST, then yeah host firewall makes sense.

If this is your HOME network, I can not see a reason to add all the management overhead of running firewalls on every host. Now if the host moves off this network to networks with possible hostiles on it - then yes your trust border is again your hosts interface in that sort of scenario.

[Axel]

BudMan, on 27 November 2012 - 18:28, said:

If you want gui to configure stuff on linux box, just install webmin

As to a host firewall on local secure network - you could just disable it if you ask me. If the network is managed by you, and you control access to this network - ie no hostile type machines are on it. All machines on it are under your control, then the added overhead of management of a local host firewall seems overkill. Control access via firewall at your trust border (gateway)

I don't run any firewalls on my local linux/bsd boxes - other than the one that is acting as my gateway/firewall to the public NET.

Now on my vps that is directly connected to the public internet, then yes I run it - and have it locked down to only allow MY IPs access to services that are for management and only allow public access to those services that are needed to be accessed via public. Since my trust border in that type of case is the HOST, then yeah host firewall makes sense.

If this is your HOME network, I can not see a reason to add all the management overhead of running firewalls on every host. Now if the host moves off this network to networks with possible hostiles on it - then yes your trust border is again your hosts interface in that sort of scenario.

Another vote for Webmin from me, I also don't run a firewall on my server as the router handles all that and I hide various services running on my machine behind a reverse proxy and use SSL.

Works a dream

[Mindovermaster]

I just want to use SSH, because I plan, in the future, to run a headless server, and configure it remotely. Just want to get the configurations of it right.

when I sudo it:

david@david-ubuntu:~$ sudo service ssh restart
[sudo] password for david:
stop: Unknown instance:
ssh start/running, process 27994
david@david-ubuntu:~$

For Samba, I did install it. When I run SAMBA, it gives me this crash:



If you need certain sections opened up, let me know.

[+BudMan]

When you did a restart was it not running?

As to running samba?? What are you trying to exe? I almost never use a gui, I don't even have it installed on my ubuntu install.. Why would you ever need a gui on a server?

[Mindovermaster]

My whole intention on this thread is how to get SSH working. Only you and Orange suggested SAMBA. Between two desktops, yes, SAMBA is simple.

[Axel]

Lets ignore samba for a second then. You're trying to connect SSH but you can't get it to work? Please elaborate. What are you using to connect? Putty using the box's IP and port 22? Do you get prompted for a username / password etc or is the connection flat out refused?

[+BudMan]

Shows its running with
ssh start/running, process 27994

What is your config look like /etc/ssh/sshd_config Here is mine

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile	%h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
IgnoreUserKnownHosts no
PasswordAuthentication no

There really shouldn't be anything in there that is of privacy or security concern.

Also you should see it running on your box with a netstat -an, example

budman@ubuntu:~$ netstat -an
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 192.168.1.7:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:10000 0.0.0.0:* LISTEN
tcp 0 348 192.168.1.7:22 10.0.200.6:2536 ESTABLISHED
tcp 0 0 192.168.1.7:22 10.0.200.6:1276 ESTABLISHED
tcp 0 0 192.168.1.7:22 10.0.200.6:2500 ESTABLISHED
tcp6 0 0 :::53 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::443 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
udp 0 0 192.168.1.7:53 0.0.0.0:*
udp 0 0 127.0.0.1:53 0.0.0.0:*
udp 0 0 192.168.1.7:123 0.0.0.0:*
udp 0 0 127.0.0.1:123 0.0.0.0:*
udp 0 0 0.0.0.0:123 0.0.0.0:*
udp 0 0 0.0.0.0:10000 0.0.0.0:*
udp6 0 0 :::53 :::*
udp6 0 0 ::1:123 :::*
udp6 0 0 2001:470:xx:xx::777:123 :::*
udp6 0 0 fe80::20c:29ff:fedd:123 :::*
udp6 0 0 :::123 :::*

I snipped out my global IPv6 address - the rest is not of privacy issues

You can even see my connection there from my vpn tunnel on that 10.0.200 address. And if you have setup IPv6 you should see it listening on that as well, see that tcp6 :::22 on my output.

If you install webmin, you can use gui to configure sshd, etc.



But some more details would be helpful in helping you figure it out. Normally root would not have access via it, If your running firewall on the host, yeah have to open it up, etc.

edit: Just noticed I have not updated my webmin in a while Updating now, so that is one good thing that came out of this thread

[Mindovermaster]

OK, I can connect from my desktop to my laptop, but not the other way around. (forgot to install ssh on my laptop before this. )

david@david-ubuntu:~$ ssh master@192.168.0.188
master@192.168.0.188's password:
Welcome to Ubuntu 12.04.1 LTS (GNU/Linux 3.5.0-8-generic x86_64)
* Documentation:  https://help.ubuntu.com/
Last login: Tue Nov 27 15:18:07 2012 from david-ubuntu.local
master@master-Aspire-5750:~$ exit
logout
Connection to 192.168.0.188 closed.
david@david-ubuntu:~$

This have to with something in the settings I screwed up from some guides? should I just reinstall ssh on the desktop?

[+BudMan]

not sure what guide you followed, sshd should be there from the get go on the install. Or simple

apt-get install openssh-server

And you would be done with a default config that would allow you to connect, running on port 22

There really isn't much more to it than that - unless you want to enable root access, turn off password auth and use public_key auth only, etc.

Guess you didn't get around to upgrading to 12.10 yet?

[Mindovermaster]

I actually was waiting for Mint 14, but I just never got around to it.

Edit: via my laptop to desktop, I keep getting that connection is refused. I have the same configuration on both.

[+BudMan]

so on the desktop - verify that your listening, and on the standard 22 port. What does your sshd_config look like? Do a simple netstat -an, are you listening on 22?

if your listening and you can not connect, then firewall is blocking. You can ping the desktop from laptop can you not?

Or is your laptop wireless and desktop is wired? And you have AP isolation or Client isolation, etc. guest wireless? There are different security settings on some wireless routers that do not allow wireless to create a connection to a wired box. But wired can create to wireless.

Can you ping?

If you can not ping - look in laptop arp table after you try and ping. Do you see the mac?

example

budman@ubuntu:~$ arp -a
esxi.local.lan (192.168.1.40) at 2c:76:8a:ad:f6:56 [ether] on eth0
pfsense.local.lan (192.168.1.253) at 00:50:56:00:00:02 [ether] on eth0
budman@ubuntu:~$ ping 192.168.1.100
PING 192.168.1.100 (192.168.1.100) 56(84) bytes of data.
64 bytes from 192.168.1.100: icmp_req=1 ttl=128 time=0.735 ms
64 bytes from 192.168.1.100: icmp_req=2 ttl=128 time=0.415 ms
^C
--- 192.168.1.100 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.415/0.575/0.735/0.160 ms
budman@ubuntu:~$ arp -a
esxi.local.lan (192.168.1.40) at 2c:76:8a:ad:f6:56 [ether] on eth0
pfsense.local.lan (192.168.1.253) at 00:50:56:00:00:02 [ether] on eth0
i5-w7.local.lan (192.168.1.100) at 18:03:73:b1:0d:d3 [ether] on eth0

edit: if you have connectivity issues, that could explain your samba issues

[Mindovermaster]

It brings up a whole mess of stuff when I ping, some connected, some don't say anything. SSHD_Config was never touched on my laptop. All standard.

Yes, the laptop is wireless. I have no isolation that I'm aware of.

If I can connect TO the laptop, would that not be an issue? It is connecting through the wireless, no?