[Spce-user] Lost SSH after upgrade

Maxwell Power mpower at yegtel.ca
Tue Jun 13 13:23:17 EDT 2017


We had issues with this a few versions ago where we got completely locked out. Not a good time.

SSH is fairly locked down in recent builds due to the new firewall configuration. Which is great in theory for sure. Except in our case, we have support located in multiple locations. All use changing IP addresses.

Our solution was to add a firewall rule to allow all SSH traffic.

Update config.yml, looking for the following section:

security:
    rules4:
      - '-A INPUT -p tcp --dport 22 -j ACCEPT'

It does allow anyone to connect via SSH and is a security risk, if SSH is not properly protected.

Cheers,
Maxwell Power
Technical Account Manager
Phone: (780) 809-9990 Ext. 417 | Toll Free: (855) 4-YEGTEL(934835) | Fax: (780) 401-3390
YEGTEL Communications INC. | 10301 104 ST NW, Suite 55, Edmonton, Alberta, T5J 1B9
Email: mpower at yegtel.ca | Web: www.yegtel.ca
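
A lint for rules4-style entries such as the one in the message above, added here as an example; it is not part of the original message or of the Sipwise tooling. It assumes each entry is a plain iptables argument string, and the helper names (opt, any_source, lint_rule, lint_rules) and the sample rules are constructed for illustration.

```python
import ipaddress
import shlex

def opt(tokens, *names):
    """Return the argument that follows the first of `names`, or None."""
    for i, tok in enumerate(tokens[:-1]):
        if tok in names:
            return tokens[i + 1]
    return None

def any_source(source):
    """True when the rule has no -s, or -s covers the whole IPv4 space."""
    if source is None:
        return True
    try:
        return ipaddress.ip_network(source, strict=False).prefixlen == 0
    except ValueError:  # hostname or other form: treat as a restriction
        return False

def lint_rule(rule):
    """Return findings for one iptables rule string (hypothetical helper)."""
    tokens = shlex.split(rule)
    target = opt(tokens, "-j", "--jump")
    findings = []
    if "-" in tokens:
        findings.append("stray '-' token: an option was split by a space")
    if target is None:
        findings.append("no -j target")
    if opt(tokens, "--dport") and opt(tokens, "-p", "--protocol") is None:
        findings.append("--dport used without -p tcp/udp")
    # Only the single-port forms "22" and "ssh" are recognised here.
    if target == "ACCEPT" and opt(tokens, "--dport") in ("22", "ssh"):
        if any_source(opt(tokens, "-s", "--source")):
            findings.append("SSH accepted from any source address")
    return findings

# Constructed sample rules; 203.0.113.0/24 is a documentation range.
SAMPLE_RULES4 = [
    "-A INPUT --dport 22 - j ACCEPT",
    "-A INPUT -p tcp --dport 22 -j ACCEPT",
    "-A INPUT -p tcp -s 203.0.113.0/24 --dport 22 -j ACCEPT",
]

def lint_rules(rules):
    """Map each rule to its findings, keeping only rules that have any."""
    return {r: f for r in rules if (f := lint_rule(r))}

if __name__ == "__main__":
    for rule, findings in lint_rules(SAMPLE_RULES4).items():
        print(rule, "->", "; ".join(findings))
```

Running it over the entries before regenerating the firewall shows both malformed rules and rules that leave port 22 open to every source address.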


-----Original Message-----
From: Spce-user [mailto:spce-user-bounces at lists.sipwise.com] On Behalf Of Alex Lutay
Sent: Monday, June 12, 2017 17:07
To: spce-user at lists.sipwise.com
Subject: Re: [Spce-user] Lost SSH after upgrade

So, what is your problem exactly?
You cannot establish a TCP connection, or the system doesn't accept your password/key? Option -v will help you here: ssh -v <your_ip>

Also check: netstat -anp | grep 22
Does sshd listen on the proper IP?

Any hints inside auth.log?

On 06/12/2017 07:10 PM, Anthony Sanchez wrote:
> root at spce:~# /etc/init.d/ssh
> [info] Usage: /etc/init.d/ssh
> {start|stop|reload|force-reload|restart|try-restart|status}.
> root at spce:~# /etc/init.d/ssh status
> [ ok ] sshd is running.
> 
> 
> On Mon, Jun 12, 2017 at 11:56 AM, Alex Lutay <alutay at sipwise.com> wrote:
> 
>     Hi,
> 
>     It is hard to say anything from this side.
> 
>     You can't connect or your credentials were not accepted?
> 
>     Obviously you need to connect to the system using terminal/console
>     and check the sshd state and whether the IP it listens on is correct,
>     then you can check /var/log/auth.log to see the reason why
>     your login attempt was rejected.
> 
>     I do not recall mr5.3.1 changes which can affect SSHd.
>     BTW, did you access system using password or key?
> 
>     I see one option moved to config.yml:
>     > 17:55:25 ✔ taurus:(mr5.3.1)~/sipwise/git/templates$ git diff
>     mr5.2.1 mr5.3.1  -- system/sshd_config
>     > diff --git a/system/sshd_config b/system/sshd_config
>     > index 9163032..8f83735 100644
>     > --- a/system/sshd_config
>     > +++ b/system/sshd_config
>     > @@ -67,7 +67,7 @@ PermitEmptyPasswords no
>     >  ChallengeResponseAuthentication no
>     >
>     >  # Change to no to disable tunnelled clear text passwords
>     > -#PasswordAuthentication yes
>     > +PasswordAuthentication [% sshd.password_authentication %]
>     >
>     >  # Kerberos options
>     >  #KerberosAuthentication no
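Review bot: on the added line "PasswordAuthentication [% sshd.password_authentication %]", nothing in the hunk guarantees the variable is defined, so a config.yml that lacks sshd.password_authentication after the upgrade could render the directive with no argument; consider a fallback value in the template or a check that the key is set to yes or no before the file is written. The unchanged comment above it ("Change to no to disable tunnelled clear text passwords") still reads as an instruction to edit this file, while the value now comes from config.yml, so it should name the config.yml key instead.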
>     > 17:55:27 ✔ taurus:(mr5.3.1)~/sipwise/git/templates$
> 
>     While default value must not be changed there.
> 
>     Please share your progress there. Tnx!
> 
>     On 06/12/2017 05:42 PM, Anthony Sanchez wrote:
>     > Yesterday I did an upgrade from mr5.2.1 to mr5.3.1, after that ssh
>     > connections stopped working.
>     > How can I get it working again?
> 
>     --
>     Alex Lutay


--
Alex Lutay