On 2006.3.18, at 06:24 PM, James Wilkinson wrote:
> Joel Rees wrote:
>> I'm pretty sure the ssh configurations are all pretty much stock.
>> Just looked at the configuration files and didn't see anything that I
>> can recall changing.
>>
>> I can ssh in and out on the local LAN.
>>
>> My cohorts at a different company say they can log in and out. (The
>> box in question is at yet a third company.) They had the admin on the
>> box in question check the logs, and that admin suggested that my
>> company's firewall was to blame. (3rd information.)
>>
>> So I brought my workstation home and set it running static local IP
>> here, and NAT redirected port 22 to the workstation. Still get
>> timeouts. But, as I say, I can ssh both in and out of the box on the
>> local LAN, challenge, password, etc.
>
> I'm a bit confused about that last paragraph.

You, too? (Sorry.)

> You're trying to SSH
> *from* a box at work *to* your workstation (which is temporarily at
> home)? (You're not trying to connect to the computer at the third
> company from home?)

It's the latter case, trying to connect to the third company's box from
either home or work.

They have another test server set up, and I can't connect to that one
from work, but I can connect from home.

> Try pinging the server in question.

They've shut ping off on the box. (Since I don't talk directly with
them, I can't really second guess them on that.)

> Run
>     traceroute server.example.com
> which will show you if your packets are actually making it to the
> server in question.

Well, DNS lookup finds them. traceroute loses its way about the 14th
hop. Web browser finds their Apache test page. ssh does not complain
about lack of resolution, it just hangs.

> Try
>     telnet google.com 80
> and see if you get a connection. (Won't work if you're forced to use a
> proxy, won't help if there's a transparent proxy in the way).

Connects, and GET / HTTP/1.0 gets the Apache test page. No proxies as
far as I know, but then again if I were guessing I'd guess they've got
the box I'm trying to connect to behind a NATting firewall.

(Sorry I'm being vague, but I really don't want to mess up their
efforts at security, even if I would not do it that way. And, yes, I
know that the very points I'm being vague about are the ones where
things are probably going south for my attempts to connect. But I need
to be able to tell my bosses so with confidence.)

> It is quite possible, after all, that your company firewall is to
> blame.
>
> If the admins have set it up on a "block everything and unblock when
> needed" basis, this might be intentional.

That's what the second company (the one we work directly with) was
suggesting, I believe. And, yes, it is intentional. The third company
is limiting ssh by IP. They were supposed to have opened the firewall
for the second company's contractors (including my company), but that
doesn't seem to be working. The second company's people are (if I
understand it) able to connect.

Oh, I get the same results from my Mac boxes at home, so now I'm pretty
sure the problem is not with the FC settings.

Thanks.
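
An added example, not part of the original message: a small Python probe that separates the outcomes discussed in this thread (a hang, a refusal, or a real sshd banner) and compares port 22 with port 80 on the same host. `probe_tcp` and `diagnose` are names made up for this example; `server.example.com` is the placeholder host name used in the thread.

```python
import socket

def probe_tcp(host, port, timeout=5.0):
    """Return (state, banner) for one TCP connection attempt.

    open        handshake completed; banner is the server's first line, if any
    refused     a reset came back: host reachable, port closed or rejected
    filtered    no reply before the timeout: packets silently dropped
    unreachable name lookup failed, no route, or an ICMP unreachable came back
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "")
    except socket.timeout:
        return ("filtered", "")
    except OSError:
        return ("unreachable", "")
    with sock:
        try:
            first = sock.recv(256).split(b"\n", 1)[0]
        except OSError:          # connected, but the server stayed silent or reset
            first = b""
    return ("open", first.decode("ascii", "replace").strip())

def diagnose(ssh, http):
    """Combine the port 22 and port 80 results into one finding."""
    ssh_state, ssh_banner = ssh
    if ssh_state == "open":
        if ssh_banner.startswith("SSH-"):
            return "sshd answers: look at authentication or client settings"
        return "port 22 connects but no SSH banner: proxy or redirect in the path"
    if ssh_state == "refused":
        return "host reachable, port 22 closed or rejected with a reset"
    if ssh_state == "filtered" and http[0] == "open":
        return "host is up, port 22 silently dropped on the path from this source"
    return f"inconclusive (22: {ssh_state}, 80: {http[0]}): check lookup and routing first"

if __name__ == "__main__":
    # server.example.com is the placeholder name used in the thread.
    host = "server.example.com"
    ssh, http = probe_tcp(host, 22), probe_tcp(host, 80)
    print("22:", ssh, "80:", http)
    print(diagnose(ssh, http))
```

Running it from each network (work, home, a host known to be allowed) and comparing the findings shows whether the drop depends on the source address.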