Solved

ssh: connect to host <hostname> port 22: Connection refused

Posted on 2006-11-08
Last Modified: 2013-12-27
Hi,

I have just installed OpenSSH on a recently installed Solaris 8 server and ran the ssh command "ssh -vv <hostname> -l <user name>" from another server to the new server. In return, I would only receive about four debug lines and then an error message of "ssh: connect to host <host name> port 22: Connection refused." Do you happen to know how and where I can resolve this ssh issue? Thank you.
0
Question by:gsalcedo
14 Comments
 

Author Comment

by:gsalcedo
ID: 17901890
This is in addition to the question above.... From the recently installed Solaris server, I am able to "ssh" to another server but not the other way around.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 17901960
"connection refused" generally indicates that an SSH server daemon is not running on the system you're trying to access. Unless there is a firewall between the machine you're on and the machine you're trying to reach, I'd suspect that no SSH server is running.
0
 

Author Comment

by:gsalcedo
ID: 17902024
Hi PsiCop,

If I am able to "ssh" out successfully from the initially installed Solaris 8, shouldn't the ssh daemon be running?
0
 
LVL 48

Expert Comment

by:Tintin
ID: 17902082
Being able to ssh out doesn't rely on the sshd daemon running.

Do

ps -ef|grep sshd

If it is running, then the problem is almost certain to be a firewall blocking port 22.
0
 

Author Comment

by:gsalcedo
ID: 17902315
Hi,

The ssh daemon is on.... After checking with "ps -ef | grep sshd", it did show that the sshd is on. When I try to execute the daemon from the /usr/local/sbin directory (sshd), it would then come back with a "sshd re-exec requires execution with an absolute path." With that message, it seems as though ssh daemon is on.

From previous experience with installing Solaris 8, I have never encountered the firewall being turned on. If it is, where would I go to turn it off?

0
 
LVL 48

Expert Comment

by:Tintin
ID: 17902363
Is the client you are connecting from in the same subnet as the Solaris 8 server?
Do you have a network admin?
Do you have any ACL's defined in /etc/ssh/sshd_config?
0
 

Author Comment

by:gsalcedo
ID: 17902455
Hi Tintin,

The two Solaris servers are on different subnets. I have talked to our network engineer and he mentioned that port 22 is not blocked on the PIX firewall. Is there something in the ssh_config file that would cause any port 22 activity coming in to be blocked and port 22 going out to be open? Thank you very much for your help.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 17902929
Firstly sshd and sshd_config have nothing to do with outgoing ssh connections.

Do you have any of the following set in sshd_config?

AllowUsers
AllowGroups
DenyUsers
DenyGroups

If none of the above are set, on the Solaris 8 server as root, do

/usr/lib/ssh/sshd -d

This runs ssh in debug mode with output to the screen.

Then on the client, try to ssh to the server.

If you see no ssh debug output, it means it is definitely a network/firewall issue.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 17902936
Additionally on the Solaris 8 server you can do

snoop src <ip of the host you are sshing from>

Again, if you see no output when you try to ssh to the server, it means it is definitely a network/firewall issue.

0
 
LVL 48

Expert Comment

by:Tintin
ID: 17902940
Ah, forgot you have a different path to ssh

/usr/lib/ssh/sshd  on your system should be /usr/local/sbin/sshd
0
 

Author Comment

by:gsalcedo
ID: 17930758
Hi Tintin,

When I input the /usr/local/sbin/sshd -d command, I would receive the below message in return...

debug1: sshd version OpenSSh_4.1p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
Privilege separation user sshd does not exist

Does the above return message mean anything to help in resolving the issue that I am going through?

Thank you..
0
 
LVL 34

Accepted Solution

by:
PsiCop earned 125 total points
ID: 17931029
sshd is configured to use a special user account, by default named "sshd", to create "privilege separation" between the privileged daemon running the port listener and the eventual secure shell session that will be created for the successfully-authenticating user. Use of privilege separation ensures that if an SSH daemon process is compromised, the breach happens to an unprivileged user ID, not to the privileged instance of the daemon.

You should create a user account in /etc/passwd for a user named "sshd". The home directory for this account should be the Privilege Separation (PrivSep) Directory specified when the sshd daemon was built - this is usually /var/empty, which should be owned by the PrivSep user ID and mode 755 or 750.

The "sshd" entry in /etc/shadow should be locked.
0
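A check for the prerequisites listed in the accepted solution (an "sshd" account whose home is the PrivSep directory, a directory that is not group- or world-writable, a locked shadow entry), as an added example that is not part of the original thread. The function names, the default paths and the lock markers it accepts are assumptions; the directory owner is compared against uid 0 by default because sshd's own startup check requires that, and it needs a POSIX shell rather than the legacy Solaris /bin/sh.

```shell
#!/bin/sh
# Added example: audit the sshd privilege-separation prerequisites.
# Usage: check_privsep [user] [passwd_file] [shadow_file] [privsep_dir] [owner_uid]

# Print field N of USER's colon-separated entry in FILE; non-zero if absent.
passwd_field() {
    awk -F: -v u="$2" -v n="$3" \
        '$1 == u { print $n; found = 1; exit } END { exit !found }' "$1"
}

check_privsep() {
    user=${1:-sshd} passwd=${2:-/etc/passwd} shadow=${3:-/etc/shadow}
    dir=${4:-/var/empty} owner_uid=${5:-0} rc=0

    home=$(passwd_field "$passwd" "$user" 6) || {
        echo "FAIL: no '$user' entry in $passwd"; return 1; }
    [ "$home" = "$dir" ] || { echo "FAIL: home is '$home', not $dir"; rc=1; }

    if [ -d "$dir" ]; then
        set -- $(ls -ldn "$dir")      # $1 = mode string, $3 = numeric owner
        case $1 in                    # chars 6 and 9 are group/other write
            ?????w*|????????w*) echo "FAIL: $dir is group/world-writable"; rc=1 ;;
        esac
        # sshd's own startup check wants uid 0 here; overridable for testing.
        [ "$3" = "$owner_uid" ] || { echo "FAIL: $dir owner uid $3, want $owner_uid"; rc=1; }
    else
        echo "FAIL: $dir is not a directory"; rc=1
    fi

    pw=$(passwd_field "$shadow" "$user" 2) || pw=
    case $pw in
        '*'*|'!'*) ;;                 # assumed markers: Solaris "*LK*", Linux "!" or "*"
        *) echo "FAIL: '$user' is not locked in $shadow"; rc=1 ;;
    esac

    [ "$rc" -eq 0 ] && echo "OK: privsep prerequisites for '$user' are in place"
    return "$rc"
}

# Constructed sample data (not from the thread): a locked Solaris-style entry.
demo() {
    d=$(mktemp -d) && mkdir "$d/empty" && chmod 755 "$d/empty"
    echo "sshd:x:22:22:sshd privsep:$d/empty:/bin/false" > "$d/passwd"
    echo 'sshd:*LK*:13460::::::' > "$d/shadow"
    check_privsep sshd "$d/passwd" "$d/shadow" "$d/empty" "$(id -u)"
    st=$?; rm -rf "$d"; return "$st"
}
demo
```

On a real host, run check_privsep as root with no arguments so that /etc/shadow is readable and the defaults apply.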
 

Author Comment

by:gsalcedo
ID: 17931125
Hi PsiCop,

Yes... that worked.... Do you happen to know why I need to add "sshd" user in the passwd and group file when I did not have to do that in the previous systems that I had to configure with the use of OpenSSH?

Thank you...
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 17931212
Normally, I don't gripe about points/grades, but I think I'll make an exception here, especially since you asked a followup Question in this one.

A) TinTin contributed substantively to the solution by suggesting the diagnostic commands that revealed the root cause. In my opinion, he deserved some of the credit.

B) A grade of C does not seem to be congruent with the quality of assistance supplied.

As to your followup...

"Do you happen to know why I need to add "sshd" user in the passwd and group file when I did not have to do that in the previous systems that I had to configure with the use of OpenSSH?"

No. Although possible scenarios to explain that include:

1) The user ID was already present

2) You were installing a pre-PrivSep version of OpenSSH

3) You were installing a version of OpenSSH that had been built without PrivSep support

4) The configuration setting "UsePrivilegeSeparation No" was present in sshd_config

In any event, SSH is safer with PrivSep than without it.
0
