Cannot ssh out of NN to another machine on my LAN. Other direction works fine.
Delbert Franz
ddf at sonic.net
Fri Sep 14 14:48:17 EDT 2012
On Thu, 13 Sep 2012 10:39:50 +0200
David Kuehling <dvdkhlng at gmx.de> wrote:
> >>>>> "Delbert" == Delbert Franz <ddf at sonic.net> writes:
>
> > Have another thing I cannot get to work on the NN. I can ssh to the
> > NN from other computers in my network. However, so far, I have not
> > been able to ssh from the NN to any other machine in the network.
> > Note: I am not using dropbear but openssh-server and openssh-client.
> > Those seem to work better with Git in my limited experience. The
> > message I get back on the NN when I try to ssh to a host on my LAN is:
>
> > ssh: connect to host <whatever> port 22: Connection timed out.
>
> How is you usb0 network configured? Is it bridged to the LAN? Or is it
> merely routed? How are your routing tables set up at the hosts in
> question? Are you employing NAT somewhere on the route to/from the
> nanonote? Can you ping the other hosts? Have the other hosts an ssh
> server installed (and no firewall interfers)?
>
> cheers,
>
> David
David,
Thanks for the quick reply. I and my wife of nearly 46 years, took a
day off yesterday and spent it on Angel Island in San Francisco Bay
exploring the old Immigration Station which is partially restored. It
was active from 1910-1940 and has a rather sorry history, with its
main purpose being to keep immigrants from China OUT, based on a law
passed in 1882. Different era, different issues and values. Besides
the weather here is gorgeous. I enjoy working with computers but the
outdoors is nice too:-)
Anyway, I apologize for firing something off without the supporting
information. After sending out my "appeal" I switched back to my old
micro SD install, VERSION: 2011-08-27, of more than one year ago ( I
tend to wait a bit before upgrading to a new version.). It did ssh to
my other computers on the LAN with no problems.
So late last night, when I couldn't sleep, I started the process of
finding out what was the cause of the failure now but success before.
I first made sure that /etc/config/network was identical in both, then
that /etc/ssh/ssh_config and /etc/ssh/sshd_config were also identical.
Still no good: the latest image could not ssh nor scp but it could
ping to the names on my LAN.
I then did some fiddling with updating the authorized_keys files on
both computers but that made no difference. Then, I noticed something
that I had overlooked: when I pinged from the NN to my other LAN
machines, the IP addresses were wrong. They were all WAN addresses.
Then my foggy grey matter recalled: "I have seen this before!" There
is a problem with DNS in the /etc/config/network file!
Here is that file, as I had it on both versions:
# Copyright (C) 2006 OpenWrt.org
config interface loopback
option ifname lo
option proto static
option ipaddr 127.0.0.1
option netmask 255.0.0.0
config interface lan
option ifname usb0
option proto static
option ipaddr 192.168.254.101
option netmask 255.255.255.0
option gateway 192.168.254.100
# option dns "192.168.1.1"
option dns "192.168.1.1 208.67.222.222"
Notice that the active "option dns" line has two IP's: first a local
DNS for my LAN and second a global DNS, opendns, for when I am not
connected in my office.
Under VERSION: 2011-08-27, DNS IP's would be accessed in order from
left to right. So, if I was in my office, 192.168.1.1 would give the
proper addresses on my LAN. Outside my office, 192.168.1.1, would
fail to know anything about the machines on my LAN, and 208.67.222.222
would be used.
Here is the part that I overlooked earlier, that is, every one of my
machine names yields a valid WAN address via 208.67.222.222! One of
my machines is named "ac" and on the latest image on the NN the above
"option dns" will get some other machine somewhere in the world!
Usually when I ping, I don't look at the IP address returned, I just
look at there being a response. That appears to be a bad idea.
Then the task was to find out what was wrong in the latest image with
the old "option dns" line. I must say, the documentation for the
network file has some points that should be expanded.
http://wiki.openwrt.org/doc/uci/network, the most detailed discussion
I found on my search, describes the "option dns" in this fashion:
Name Type Required Default Description
dns list of ip addresses no (none) DNS server(s)
However, I found no discussion of how the "list of ip addresses"
should by set up. It may be someplace else on the wiki but I could not
find it. I also could not find cases with more than one IP address in
any example in the above wiki page or elsewhere on the web.
After a bit of trial and error, it appears that just reversing the
order of the IP addresses in the "option dns" gives me what works in
the latest image. So the network file that works for the latest image
is:
# Copyright (C) 2006 OpenWrt.org
config interface loopback
option ifname lo
option proto static
option ipaddr 127.0.0.1
option netmask 255.0.0.0
config interface lan
option ifname usb0
option proto static
option ipaddr 192.168.254.101
option netmask 255.255.255.0
option gateway 192.168.254.100
# option dns "192.168.1.1"
option 'dns' '208.67.222.222 192.168.1.1'
Notice that I have used single quotes here: both double and single
work. Also, all the examples in the above references wiki page, show
the use of single quotes for all responses. For example, instead of
option proto static
it would be
option 'proto' 'static'
However, I don't recall there being any quotes at all in the network
file as it comes in the latest or any earlier version for the NN.
Apparently they are optional.
So the root cause of my problem was that the order of using DNS IP's has
changed and the related cause, was my failure to notice that the ping
responses to my LAN machines were giving WAN IP addresses and not my
LAN IP addresses.
Everything is working now-I can ssh to any machine on my LAN. I also
put in an invalid dns IP for my LAN and I could still ping to machines
outside my LAN. So it seems clear that the addresses are now used in
right to left order.
Hope this helps some one else, after all the dead ends I encountered.
The major conclusion is: LOOK at the IP address returned by a PING.
It just might have a WAN value instead of a LAN value. I have no idea
why a two letter machine name makes sense to a global DNS but it
apparently does:-)
Delbert
More information about the discussion
mailing list
