Solved

ssh: connect to host <hostname> port 22: Connection refused

Posted on 2006-11-08
Last Modified: 2013-12-27
Hi,

I have just installed openssh on a recently installed Solaris 8 server and ran the ssh command "ssh -vv <hostname> -l <user name>" from another server to the new server.  In return, I would only receive about four debug lines and then an error message of "ssh: connect to host <host name> port 22: Connection refused."  Do you happen to know how and where I can resolve this ssh issue?  Thank you.
Question by:gsalcedo
14 Comments
 

Author Comment

by:gsalcedo
ID: 17901890
This is in addition to the question above.... From the recently installed Solaris server, I am able to "ssh" to another server but not the other way around.
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 17901960
"connection refused" generally indicates that an SSH server daemon is not running on the system you're trying to access. Unless there is a firewall between the machine you're on and the machine you're trying to reach, I'd suspect that no SSH server is running.
0
 

Author Comment

by:gsalcedo
ID: 17902024
Hi PsiCop,

If I am able to "ssh" out successfully from the initially installed Solaris 8, shouldn't the ssh daemon be running?
0
 
LVL 48

Expert Comment

by:Tintin
ID: 17902082
Being able to ssh out doesn't rely on the sshd daemon running.

Do

ps -ef|grep sshd

If it is running, then the problem is almost certain to be a firewall blocking port 22.
0
 

Author Comment

by:gsalcedo
ID: 17902315
Hi,

The ssh daemon is on....  After checking with the "ps -ef | grep sshd", it did show that the sshd is on.  When I try to execute the daemon from the /usr/local/sbin directory (sshd), it would then come back with a "sshd re-exec requires execution with an absolute path."  With that message, it seems as though ssh daemon is on.

From previous experience with installing Solaris 8, I have never encountered the firewall being turned on.  If it is, where would I go to turn it off?

0
 
LVL 48

Expert Comment

by:Tintin
ID: 17902363
Is the client you are connecting from in the same subnet as the Solaris 8 server?
Do you have a network admin?
Do you have any ACL's defined in /etc/ssh/sshd_config?
0
 

Author Comment

by:gsalcedo
ID: 17902455
Hi Tintin,

The two Solaris servers are on different subnets.  I have talked to our network engineer and he mentioned that the port 22 is not blocked on the PIX firewall.  Is there something in the ssh_config file that would block any port 22 activity coming in to be blocked and port 22 going out to be open?  Thank you very much for your help.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 17902929
Firstly sshd and sshd_config have nothing to do with outgoing ssh connections.

Do you have any of the following set in sshd_config?

AllowUsers
AllowGroups
DenyUsers
DenyGroups

If none of the above are set, on the Solaris 8 server as root, do

/usr/lib/ssh/sshd -d

This runs ssh in debug mode with output to the screen.

Then on the client, try to ssh to the server.

If you see no ssh debug output, it means it is definitely a network/firewall issue.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 17902936
Additionally on the Solaris 8 server you can do

snoop src <ip of the host you are sshing from>

again, if you see no output when you try to ssh to the server, it means it is definitely a network/firewall issue.

0
 
LVL 48

Expert Comment

by:Tintin
ID: 17902940
Ah, forgot you have a different path to ssh

/usr/lib/ssh/sshd  on your system should be /usr/local/sbin/sshd
0
 

Author Comment

by:gsalcedo
ID: 17930758
Hi Tintin,

When I input the /usr/local/sbin/sshd -d command, I would receive the below message in return...

debug1: sshd version OpenSSh_4.1p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
Privilege separation user sshd does not exist

Does the above return message mean anything to help in resolving the issue that I am going through?

Thank you..
0
 
LVL 34

Accepted Solution

by:
PsiCop earned 125 total points
ID: 17931029
sshd is configured to use a special user account, by default named "sshd", to create "privilege separation" between the privileged daemon running the port listener and the eventual secure shell session that will be created for the successfully-authenticating user. Use of privilege separation ensures that if an SSH daemon process is compromised, the breach happens to an unprivileged user ID, not to the privileged instance of the daemon.

You should create a user account in /etc/passwd for a user named "sshd". The home directory for this account should be the Privilege Separation (PrivSep) Directory specified when the sshd daemon was built - this is usually /var/empty, which should be owned by the PrivSep user ID and mode 755 or 750.

The "sshd" entry in /etc/shadow should be locked.
0
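A check for the prerequisites named in the accepted solution, added here as an example and not part of the original thread: it reads passwd and shadow files given as arguments (so it can run against copies) and reports a missing "sshd" account, a missing or writable PrivSep directory, and an unlocked shadow entry. The function name and its parameters are assumptions; the ownership test defaults to uid 0 because sshd's own startup check requires the PrivSep directory to be root-owned and not group- or world-writable.

```shell
#!/bin/sh
# Added example: audit the prerequisites for sshd privilege separation.
# Usage (as root on the server): check_privsep /etc/passwd /etc/shadow
# Prints one finding per line; prints nothing when everything is in place.
check_privsep() {
    passwd_file=$1 shadow_file=$2 user=${3:-sshd} want_uid=${4:-0}

    entry=$(grep "^${user}:" "$passwd_file" || true)
    if [ -z "$entry" ]; then
        echo "MISSING: no '$user' entry in $passwd_file"
        return 0
    fi

    # Field 6 of passwd is the home directory (the PrivSep directory).
    dir=$(echo "$entry" | cut -d: -f6)
    if [ ! -d "$dir" ]; then
        echo "MISSING: PrivSep directory $dir does not exist"
    else
        # ls -ldn prints the mode in column 1 and the numeric owner in column 3.
        set -- $(ls -ldn "$dir")
        mode=$1 owner=$3
        [ "$owner" = "$want_uid" ] ||
            echo "OWNER: $dir owned by uid $owner, expected $want_uid"
        # Character 6 of the mode is group-write, character 9 is other-write.
        case $mode in
            ?????w*|????????w*)
                echo "MODE: $dir is group- or world-writable ($mode)" ;;
        esac
    fi

    # Field 2 of shadow: a locked entry starts with '*' (Solaris *LK*) or '!'.
    pw=$(grep "^${user}:" "$shadow_file" | cut -d: -f2)
    case $pw in
        [*!]*) ;;
        *) echo "UNLOCKED: '$user' is not locked in $shadow_file" ;;
    esac
}
```

An empty result means the "Privilege separation user sshd does not exist" failure seen in the debug output above should not recur for these reasons.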
 

Author Comment

by:gsalcedo
ID: 17931125
Hi PsiCop,

Yes... that worked....  Do you happen to know why I need to add "sshd" user in the passwd and group file when I did not have to do that in the previous systems that I had to configure with the use of OpenSSH?

Thank you...
0
 
LVL 34

Expert Comment

by:PsiCop
ID: 17931212
Normally, I don't gripe about points/grades, but I think I'll make an exception here, especially since you asked a followup Question in this one.

A) TinTin contributed substantively to the solution by suggesting the diagnostic commands that revealed the root cause. In my opinion, he deserved some of the credit.

B) A grade of C does not seem to be congruent with the quality of assistance supplied.

As to your followup...

"Do you happen to know why I need to add "sshd" user in the passwd and group file when I did not have to do that in the previous systems that I had to configure with the use of OpenSSH?"

No. Although possible scenarios to explain that include:

1) The user ID was already present

2) You were installing a pre-PrivSep version of OpenSSH

3) You were installing a version of OpenSSH that had been built without PrivSep support

4) The configuration setting "UsePrivilegeSeparation No" was present in sshd_config

In any event, SSH is safer with PrivSep than without it.
0
