Bug 1151148 - Can't connect to sshd
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: openssh
Version: 21
Hardware: Unspecified
OS: Unspecified
Assignee: Petr Lautrbach
QA Contact: Fedora Extras Quality Assurance
Reported: 2014-10-09 16:29 UTC by Mikhail
Modified: 2014-10-14 04:02 UTC

Last Closed: 2014-10-10 12:46:40 UTC
Type: Bug

Attachments:
journalctl -b -l (203.20 KB, text/plain)
2014-10-10 12:40 UTC, Mikhail

Description Mikhail 2014-10-09 16:29:14 UTC
Description of problem:
Can't connect to sshd 

client log:
$ ssh -vvv root@192.168.1.6
OpenSSH_6.6.1, OpenSSL 1.0.1i-fips 6 Aug 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 51: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.6 [192.168.1.6] port 22.
debug1: Connection established.
debug1: identity file /home/mikhail/.ssh/id_rsa type -1
debug1: identity file /home/mikhail/.ssh/id_rsa-cert type -1
debug1: identity file /home/mikhail/.ssh/id_dsa type -1
debug1: identity file /home/mikhail/.ssh/id_dsa-cert type -1
debug1: identity file /home/mikhail/.ssh/id_ecdsa type -1
debug1: identity file /home/mikhail/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/mikhail/.ssh/id_ed25519 type -1
debug1: identity file /home/mikhail/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "192.168.1.6" from file "/home/mikhail/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer


server log:
# /usr/sbin/sshd -d
debug1: sshd version OpenSSH_6.6.1, OpenSSL 1.0.1i-fips 6 Aug 2014
debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': No such file or directory
Could not load host key: /etc/ssh/ssh_host_rsa_key
debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': No such file or directory
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': No such file or directory
Could not load host key: /etc/ssh/ssh_host_ed25519_key
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-d'
Set /proc/self/oom_score_adj from 0 to -1000
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
debug1: Bind to port 22 on ::.
Server listening on :: port 22.
debug1: Server will not fork when running in debugging mode.
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 192.168.1.6 port 42813 on 192.168.1.6 port 22
debug1: Client protocol version 2.0; client software version OpenSSH_6.6.1
debug1: match: OpenSSH_6.6.1 pat OpenSSH_6.6.1* compat 0x04000000
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: SELinux support enabled [preauth]
debug1: permanently_set_uid: 74/74 [preauth]
debug1: list_hostkey_types:  [preauth]
No supported key exchange algorithms [preauth]
debug1: do_cleanup [preauth]
debug1: do_cleanup
debug1: Killing privsep child 10405



# rpm -qa | grep ssh
openssh-server-6.6.1p1-5.fc21.1.x86_64
openssh-askpass-6.6.1p1-5.fc21.1.x86_64
openssh-6.6.1p1-5.fc21.1.x86_64
libssh2-1.4.3-15.fc21.x86_64
openssh-clients-6.6.1p1-5.fc21.1.x86_64

Comment 1 Petr Lautrbach 2014-10-10 07:21:47 UTC
Your sshd host keys are not generated:

debug1: could not open key file '/etc/ssh/ssh_host_rsa_key': No such file or directory
Could not load host key: /etc/ssh/ssh_host_rsa_key
debug1: could not open key file '/etc/ssh/ssh_host_ecdsa_key': No such file or directory
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
debug1: could not open key file '/etc/ssh/ssh_host_ed25519_key': No such file or directory
Could not load host key: /etc/ssh/ssh_host_ed25519_key

You can run 'systemctl start sshd-keygen.service' or generate them yourself manually, see 'HostKey' in 'man sshd_config' and 'man ssh-keygen'

Comment 2 Tomas Mraz 2014-10-10 07:22:58 UTC
The question is why the sshd-keygen.service was not started automatically. Was that a fresh install? How did you install the system?

Comment 3 Petr Lautrbach 2014-10-10 07:45:35 UTC
Reading the description and bug #1151157, I guess Mikhail ran his sshd manually using the '/usr/sbin/sshd -d' command instead of starting sshd.service. Am I correct, Mikhail?

Comment 4 Mikhail 2014-10-10 10:48:13 UTC
(In reply to Tomas Mraz from comment #2)
> The question is why the sshd-keygen.service was not started automatically.
> Was that a fresh install? How did you install the system?

Yes, this is a fresh install, Beta TC1

# sysctl start sshd-keygen.service 
sysctl: cannot stat /proc/sys/start: No such file or directory
sysctl: cannot stat /proc/sys/sshd-keygen/service: No such file or directory



(In reply to Petr Lautrbach from comment #3)
> Reading the description and bug #1151157, I guess Mikhail ran his sshd
> manually using the '/usr/sbin/sshd -d' command instead of starting sshd.service.
> Am I correct, Mikhail?

Yes, I ran it by hand to get more logs here.

Comment 5 Petr Lautrbach 2014-10-10 10:54:22 UTC
(In reply to Mikhail from comment #4)
> # sysctl start sshd-keygen.service 
> sysctl: cannot stat /proc/sys/start: No such file or directory
> sysctl: cannot stat /proc/sys/sshd-keygen/service: No such file or directory
> 

It's not sysctl but systemctl

# systemctl start sshd-keygen.service

Comment 6 Petr Lautrbach 2014-10-10 10:57:24 UTC
If you need debug logs from sshd, change LogLevel in sshd_config, restart sshd.service (systemctl restart sshd.service) and run either:

# systemctl status -l sshd.service

or

# journalctl -l -u sshd.service

Comment 7 Mikhail 2014-10-10 11:37:09 UTC
[root@localhost ~]# systemctl start sshd-keygen.service
[root@localhost ~]# systemctl status sshd-keygen.service
● sshd-keygen.service - OpenSSH Server Key Generation
   Loaded: loaded (/usr/lib/systemd/system/sshd-keygen.service; static)
   Active: inactive (dead)


Strange, but sshd-keygen.service can't run :(

Comment 8 Petr Lautrbach 2014-10-10 11:45:26 UTC
You've missed the '-l' option:

# systemctl status -l sshd-keygen.service
● sshd-keygen.service - OpenSSH Server Key Generation
   Loaded: loaded (/usr/lib/systemd/system/sshd-keygen.service; static)
   Active: inactive (dead)
           start condition failed at Fri 2014-10-10 09:38:19 CEST; 3h 59min ago
           none of the trigger conditions were met

When I look into sshd-keygen.service I can see the conditions:

# cat /usr/lib/systemd/system/sshd-keygen.service 
[Unit]
Description=OpenSSH Server Key Generation
ConditionPathExists=|!/etc/ssh/ssh_host_rsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_ecdsa_key
ConditionPathExists=|!/etc/ssh/ssh_host_ed25519_key
PartOf=sshd.service sshd.socket

[Service]
ExecStart=/usr/sbin/sshd-keygen
Type=oneshot
RemainAfterExit=yes


All paths exist on my system, so let's remove one of them and try to run sshd-keygen.service again:

# rm /etc/ssh/ssh_host_rsa_key*
rm: remove regular file ‘/etc/ssh/ssh_host_rsa_key’? y
rm: remove regular file ‘/etc/ssh/ssh_host_rsa_key.pub’? y

# systemctl start sshd-keygen.service

# systemctl status -l sshd-keygen.service
● sshd-keygen.service - OpenSSH Server Key Generation
   Loaded: loaded (/usr/lib/systemd/system/sshd-keygen.service; static)
   Active: active (exited) since Fri 2014-10-10 13:39:36 CEST; 2s ago
  Process: 12755 ExecStart=/usr/sbin/sshd-keygen (code=exited, status=0/SUCCESS)
 Main PID: 12755 (code=exited, status=0/SUCCESS)

Oct 10 13:39:36 hulk.w.lan sshd-keygen[12755]: Generating SSH2 RSA host key: [  OK  ]


It's also possible that you've got bad labels on the host key files; you can run:

# restorecon -Rv /etc/ssh

and restart sshd.service
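
Added example, not part of the original thread or of the openssh package: a shell function that evaluates the `ConditionPathExists=` lines of the unit quoted in comment 8 by systemd's rule (every regular condition must hold, and if any `|` triggering conditions exist at least one of them must hold), which is why the unit is skipped while all three host keys exist and runs once one is removed. The function names, the `ROOT` prefix argument and the scratch fixture are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example, not from the bug thread. Simplified: only ConditionPathExists=
# lines are evaluated; other Condition*= directives are ignored.
# usage: unit_would_start UNIT_FILE [ROOT]
#   ROOT is a hypothetical path prefix so the check can run on a scratch tree.
# Returns 0 if systemd would run the unit, 1 if it would skip it.
unit_would_start() {
    unit=$1 root=${2:-}
    have_trigger=0 trigger_met=0
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            ConditionPathExists=*) spec=${line#ConditionPathExists=} ;;
            *) continue ;;
        esac
        trigger=0 negate=0
        case $spec in "|"*) trigger=1; spec=${spec#?} ;; esac
        case $spec in "!"*) negate=1; spec=${spec#?} ;; esac
        if [ -e "$root$spec" ]; then ok=1; else ok=0; fi
        if [ "$negate" -eq 1 ]; then ok=$((1 - ok)); fi
        if [ "$trigger" -eq 1 ]; then
            have_trigger=1
            if [ "$ok" -eq 1 ]; then trigger_met=1; fi
        elif [ "$ok" -eq 0 ]; then
            return 1    # a regular (non-triggering) condition failed
        fi
    done < "$unit"
    # If any "|" conditions exist, at least one of them must have held.
    [ "$have_trigger" -eq 0 ] || [ "$trigger_met" -eq 1 ]
}

# Constructed scratch tree: the three conditions quoted in comment 8, plus
# empty stand-in files for the host keys (no real keys are generated).
make_fixture() {
    fx=$(mktemp -d)
    mkdir -p "$fx/etc/ssh"
    for t in rsa ecdsa ed25519; do
        echo "ConditionPathExists=|!/etc/ssh/ssh_host_${t}_key" >> "$fx/unit"
        : > "$fx/etc/ssh/ssh_host_${t}_key"
    done
    echo "$fx"
}

fx=$(make_fixture)
unit_would_start "$fx/unit" "$fx" && echo "all keys present: runs" || echo "all keys present: skipped"
rm -f "$fx/etc/ssh/ssh_host_rsa_key"
unit_would_start "$fx/unit" "$fx" && echo "rsa key missing: runs" || echo "rsa key missing: skipped"
rm -rf "$fx"
```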

Comment 9 Mikhail 2014-10-10 12:02:01 UTC
[mikhail@localhost ~]$ ssh root@10.10.0.250
ssh: connect to host 10.10.0.250 port 22: Connection refused
[mikhail@localhost ~]$ su -
Password: 
[root@localhost ~]# systemctl status -l sshd-keygen.service
● sshd-keygen.service - OpenSSH Server Key Generation
   Loaded: loaded (/usr/lib/systemd/system/sshd-keygen.service; static)
   Active: inactive (dead)
[root@localhost ~]# systemctl restart sshd-keygen.service
[root@localhost ~]# systemctl status -l sshd-keygen.service
● sshd-keygen.service - OpenSSH Server Key Generation
   Loaded: loaded (/usr/lib/systemd/system/sshd-keygen.service; static)
   Active: inactive (dead)
[root@localhost ~]# rm /etc/ssh/ssh_host_rsa_key*
rm: remove regular file ‘/etc/ssh/ssh_host_rsa_key’? y
rm: remove regular file ‘/etc/ssh/ssh_host_rsa_key.pub’? y
[root@localhost ~]# systemctl restart sshd-keygen.service
[root@localhost ~]# systemctl restart sshd.service
[root@localhost ~]# ssh root@10.10.0.250
root@10.10.0.250's password: 


Removing /etc/ssh/ssh_host_rsa_key* helps, but after a system reboot I need to do it again :(

Comment 10 Petr Lautrbach 2014-10-10 12:07:07 UTC
This would need more information; please do the following steps:

1. set "LogLevel DEBUG" in /etc/ssh/sshd_config

2. reboot your system and relabel your filesystem:

# fixfiles onboot && reboot

3. provide logs since boot:

# journalctl -b -l

Comment 11 Mikhail 2014-10-10 12:40:26 UTC
Created attachment 945584 [details]
journalctl -b -l

Comment 12 Petr Lautrbach 2014-10-10 12:46:40 UTC
Is your sshd.service enabled? 

# systemctl is-enabled sshd.service

I guess not. To enable sshd.service run:

# systemctl enable sshd.service

Comment 13 Mikhail 2014-10-14 04:02:41 UTC
I am sorry! Big thanks!

