[Savannah-help-public] progress -> ssh login from behind firewall fails
From: Peter Hoppe
Subject: [Savannah-help-public] progress -> ssh login from behind firewall fails
Date: Tue, 29 Jul 2008 02:20:37 +0100
User-agent: Thunderbird 2.0.0.14 (X11/20080505)
Dear sir or madam,
I am a registered user with Savannah (username = peter20080727) and am part
of the traverso project. I tried to check the project out from cvs using ssh.
In an earlier mail I wrote about connection difficulties using an ssh login.
When looking more into the issue I found that I could log in using PuTTY (on
wine) - I got the 'command not allowed' message, but never mind, it was still
a login. This led me to the conclusion that the problem must lie with
OpenSSH. So I looked on Google using 'openssh nat login hangs' and found this
post:
> (http://marc.info/?l=secure-shell&m=118520918019189&w=2)
> [...]
> > So there is something about my network at home that kills multiple
> > versions of openssh but which does not affect other ssh clients. I
> > have a d-link router which acts as a firewall and NAT.
>
> OpenSSH sets the IP TOS (to either "lowdelay" or "throughput") and
> some routers have been known to choke on such packets.
>
> [...]
> > debug2: fd 3 setting TCP_NODELAY
> > debug2: callback done
> > debug2: channel 0: open confirm rwindow 0 rmax 32768
> > that is the last message. The terminal hangs. ctrl-c can not interrupt.
>
> The TOS is set immediately after the TCP_NODELAY so it's a pretty good
> bet that's your culprit.
>
> As a workaround, you can recompile ssh then you can insert a "return;"
> at the start of packet_set_tos() in packet.c. Alternatively you can use
> ssh's ProxyCommand to use a program such as netcat as an alternative
> transport that doesn't set those bits, eg:
>
> ssh -o "ProxyCommand nc %h %p" yourserver
> [...]
So I tried this command (I have netcat installed), and this is the output:
> address@hidden:~$ ssh -o "ProxyCommand nc %h %p" address@hidden
> Enter passphrase for key '/home/peter/.ssh/id_dsa':
> Last login: Tue Jul 29 00:58:46 2008 from 84.12.100.239
> You tried to execute:
> Sorry, you are not allowed to execute that command.
> Connection to cvs.savannah.gnu.org closed.
So I had a login. Never mind that savannah locks me out immediately - it's
set up that way! I am indeed behind a d-link adsl router with NAT and
Firewall enabled, and it must have choked on OpenSSH setting the TOS. This
means that I now have to find a way of telling ssh through cvs not to set the
IP TOS.
I thought I better report this, as it may help you if other people ask the
same question.
P
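
One way to handle the open question at the end of the message (getting the ssh that cvs starts to avoid setting the TOS bits), as an added example that is not part of the original post: it puts the quoted ProxyCommand workaround into a per-host ssh config stanza, which cvs picks up when CVS_RSH is ssh. The function name add_nc_proxy is hypothetical, and the demo writes to a temporary file rather than ~/.ssh/config.

```shell
#!/bin/sh
# Added example (not from the original post).
# add_nc_proxy CONFIG_FILE HOST  (hypothetical helper name)
# Appends a Host stanza carrying the netcat ProxyCommand from the quoted
# workaround, unless a stanza for HOST already exists in CONFIG_FILE.
add_nc_proxy() {
    cfg=$1
    host=$2
    [ -n "$cfg" ] && [ -n "$host" ] || return 2
    # Create the file readable and writable by the owner only.
    if [ ! -e "$cfg" ]; then
        ( umask 077 && : > "$cfg" ) || return 1
    fi
    # Idempotent: do nothing if this exact Host line is already present.
    if grep -q -x -F "Host $host" "$cfg"; then
        return 0
    fi
    cat >> "$cfg" <<EOF

# nc opens the TCP connection, so ssh does not set IP TOS on that socket
Host $host
    ProxyCommand nc %h %p
EOF
}

# Demo against a temporary file; the host name is the one in the post.
demo_dir=$(mktemp -d)
add_nc_proxy "$demo_dir/config" cvs.savannah.gnu.org
add_nc_proxy "$demo_dir/config" cvs.savannah.gnu.org   # second call: no-op
cat "$demo_dir/config"
rm -rf "$demo_dir"

# With the stanza in ~/.ssh/config, cvs needs no extra ssh options:
#   export CVS_RSH=ssh
#   cvs -d :ext:USER@cvs.savannah.gnu.org:REPO_PATH co MODULE   # placeholders
```

To apply it for real, call `add_nc_proxy "$HOME/.ssh/config" cvs.savannah.gnu.org` and export `CVS_RSH=ssh` before running cvs. Later OpenSSH releases also have an `IPQoS` option in ssh_config for controlling these bits directly.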