Just upgraded to R6 and am gradually trying to get things back to the way they were in R5.5. Here's the latest one I can't figure out.

I know mythtv and root are denied ssh access.

I can ssh into my machine when I do it from a local machine (IP # 192.168.blah) and from the one user account I set up when installing R6.

I can't log in, however, when I am outside of my network. It doesn't even prompt me for username. For instance, when I use putty I get "server unexpectedly closed network connection."

I have tried:
* adding an "AllowUsers" and my one account username to /etc/ssh/sshd_config
* tried commenting out the "ALL: ALL: DENY" line in /etc/hosts.deny

I do a "sv restart sshd" after each of those attempts and still can't connect.

What else should I be looking at? Thanks.

Here's what I have and I have no issues from WAN or LAN:

_________________
Mike
My Hardware Profile

Thanks; coulda sworn I restarted sshd after commenting out the hosts.deny line, but I must not have, because now it works. Appreciate the double-check.

I confirm that commenting the line

is the easiest way to allow ssh connexions from WAN. The change took effect immediately, no sshd restart requiered. Unfortunately, it also lowers security.

I tried a few other ways to selectively open access over ssh from the WAN, but they all failed; for instance:

fails to grant access from a host in that domain, or even
seems ineffective (perhaps the command ALLOW is ignored in /etc/hosts.deny file ?). Connexion reads the following message, then drops:
Somebody skilled might turn us to a configuration better balanced between accessibility and security.

BTW, here is an easy to read how-to covering /etc/hosts.allow and /etc/hosts.deny syntax :
HOWTO - Limiting Access to TCP-wrapped services with hosts.allow

I think I had the same problem and stumbled upon this setup that works (can't remember where I got this solution):



Seems a little more secure since it only opens up sshd to the whole world. Maybe there is an even more secure setup?

No restart of system or service needed: add the bolded line:

[root@mythtv ~]# cat /etc/hosts.allow
#
# /etc/hosts.allow
#
sshd:ALL
ALL: 192.168.
ALL: 10.
ALL: 127.0.0.1
ALL: 172.16.
# End of file

_________________
R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB

Also recommended on the _useful_ security through obscurity front, if you're going to expose it to the outside changing your default ssh port can effectively reduce your exposure. Friends in the network security world tell me that the number of probes they see against default ports versus nonstandard ports are hundreds or even thousands to one. At the very least it'll reduce the amount of noise in your log files...

Additional Guidance and discussion regarding adaptive SSH security found in this thread: http://knoppmyth.net/phpBB2/viewtopic.php?p=129317#129317

_________________
R7.3: 0.22.20091023-1, Hauppauge PVR-500 (Philips FQ1236A MK4), Gigabyte Gigabyte EG45M-UD2H, E5200 2.4Ghz, 2GB RAM, NVIDIA GEFORCE 256MB