[Techtalk] SSHD Authenticates on Only One Interface

Kai MacTane kmactane at GothPunk.com
Sun Aug 8 13:58:10 EST 2004


I've got a really odd problem going on with sshd on one of my machines, and 
it's driving me nuts. This machine is a gateway between my internal network 
and the net-at-large, so it has two interfaces - public (eth1) is 
66.92.49.123, and the private net (eth0) is on 192.168.1.0/24, which should 
be no great shock.

When I connect on the public interface, I can log in just fine. When I 
connect from the private net, however, I am prompted for a password (which 
shows that sshd *is* listening to that interface), but then I'm always told 
that the password was wrong. Even when I've double-checked it very 
carefully. (Yes, the Caps Lock key is off. <g>)

If I telnet to port 22 on the private interface, I even see a 
"SSH-1.99-OpenSSH_3.7.1p1" banner. It's not a ListenAddress problem.

This affects all user accounts on the machine. Any user can log in and 
authenticate through the public interface, and nobody can authenticate 
through the private net. If I'm on the private net and I want to access 
this machine, I have to ssh transparently through it to an outside machine, 
then ssh from there back in on the public interface. (Which is the 
workaround I've been using for months.)

My /etc/ssh/sshd_config file is only 30 lines long, so I've included it 
below. The system is Mandrake Linux 7.1, with the 2.2.15-4mdksecure kernel. 
My thanks in advance for any assistance anyone can provide.


#   $OpenBSD: sshd_config,v 1.42 2001/09/20 20:57:51 mouring Exp $

# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/bin

# This is the sshd server system-wide configuration file.  See sshd(8)
# for more information.

#Port 22
#Protocol 2,1
#0.0.0.0
#ListenAddress ::

# HostKey for protocol version 1
HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key

# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# Uncomment to disable s/key passwords
#ChallengeResponseAuthentication no

# Uncomment to enable PAM keyboard-interactive authentication
# Warning: enabling this may bypass the setting of 'PasswordAuthentication'
#PAMAuthenticationViaKbdInt yes

Subsystem   sftp    /usr/local/libexec/sftp-server



                                                 --Kai MacTane
----------------------------------------------------------------------
"Death and money make their point once more,
  In the shape of philosophical assassins..."
                                                 --Shriekback,
                                                  "Gunning for the
                                                   Buddha"
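
The banner check described in the post, as an added example that is not part of the original message: it reads the SSH identification string from each address given on the command line and parses it per RFC 4253, where a protocol version of 1.99 means the server offers both SSH-1 and SSH-2. The function names are made up for this example, and a banner only shows that sshd is listening on that address, not that authentication will succeed.

```python
import re
import socket
import sys

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments CR LF"
IDENT_RE = re.compile(r"^SSH-(\d+\.\d+)-(\S+)(?: (.*))?$")


def parse_ident(line):
    """Parse an SSH identification string into a dict, or return None."""
    m = IDENT_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    proto, software, comments = m.groups()
    return {
        "proto": proto,
        "software": software,
        "comments": comments,
        # 1.99 is how a server announces that it speaks SSH-1 and SSH-2.
        "ssh1_offered": proto.startswith("1."),
        "ssh2_offered": proto in ("1.99", "2.0"),
    }


def read_ident(host, port=22, timeout=5.0):
    """Connect to host:port; return the parsed banner, or None on failure."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            f = s.makefile("rb")
            # A server may send other text lines before the SSH- line.
            for _ in range(20):
                raw = f.readline(256)
                if not raw:
                    return None
                line = raw.decode("ascii", "replace")
                if line.startswith("SSH-"):
                    return parse_ident(line)
    except OSError:  # refused, unreachable, or timed out
        return None
    return None


def compare_listeners(addresses, port=22, probe=read_ident):
    """Return {address: parsed banner or None} for each address checked."""
    return {addr: probe(addr, port) for addr in addresses}


if __name__ == "__main__":
    # Pass the gateway's own interface addresses as arguments.
    for addr, ident in compare_listeners(sys.argv[1:]).items():
        print(addr, ident or "no SSH identification string received")
```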


