
Thread: SSH error when changing default port

  1. #1

    SSH error when changing default port

    Hello,

    I have changed the config of sshd of my zimbra server, to disallow root login, and use a private/public key.

    Now my stats don't work anymore, and in the log I get SSH errors.

    Here is what I've done:

    - Changing the default management port from 22 to my new port (722)
    - Generating new key with zmsshkeygen
    - Copied my public key xxxx.pkk to /root/.ssh/id_rsa and /opt/zimbra/.ssh/id_rsa


    Here is what I get from PuTTY when trying to run:

    ssh -vi .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@srv.domain.com -p 722

    Code:
    root@srv:~/.ssh# ssh -vi .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@srv.domain.com -p 722
    OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
    Warning: Identity file .ssh/zimbra_identity not accessible: No such file or directory.
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to srv.domain.com [192.168.x.x] port 722.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/identity type -1
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
    debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host '[srv.domain.com]:722' is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey
    debug1: Next authentication method: publickey
    debug1: Trying private key: /root/.ssh/identity
    debug1: Trying private key: /root/.ssh/id_rsa
    debug1: PEM_read_PrivateKey failed
    debug1: read PEM private key done: type <unknown>
    Enter passphrase for key '/root/.ssh/id_rsa':
    debug1: PEM_read_PrivateKey failed
    debug1: read PEM private key done: type <unknown>
    Enter passphrase for key '/root/.ssh/id_rsa':
    So, I'm prompted for the passphrase, but entering it doesn't do anything.

    And the mailbox.log :

    Code:
    com.zimbra.common.service.ServiceException: system failure: exception during auth {RemoteManager: srv.domain.com->zimbra@srv.domain.com:722}
    ExceptionId:btpool0-9://192.168.100.210:7071/service/admin/soap/BatchRequest:1288706318328:9bd98ac034af0950
    Code:service.FAILURE
            at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:248)
            at com.zimbra.cs.rmgmt.RemoteManager.getSession(RemoteManager.java:193)
            at com.zimbra.cs.rmgmt.RemoteManager.execute(RemoteManager.java:127)
            at com.zimbra.cs.service.admin.GetServerNIFs.handle(GetServerNIFs.java:65)
            at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:420)
            at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:264)
            at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:158)
            at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:291)
            at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:212)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
            at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:181)
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
            at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
            at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
            at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:79)
            at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
            at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
            at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
            at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
            at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
            at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
            at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
            at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
            at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
            at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
            at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
            at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
            at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
            at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
            at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
            at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
            at org.mortbay.jetty.Server.handle(Server.java:326)
            at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:543)
            at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:939)
            at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
            at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
            at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
            at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:413)
            at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
    Caused by: java.io.IOException: auth failed
            at com.zimbra.cs.rmgmt.RemoteManager.getSession(RemoteManager.java:186)
            ... 37 more
    Thanks for any help...
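
The posted `ssh -v` output already narrows the fault to the client side, and it is worth reading it that way. The session was started from `/root/.ssh` with `-i .ssh/zimbra_identity`, so the relative path resolves to `/root/.ssh/.ssh/zimbra_identity`, hence "not accessible"; ssh then falls back to `/root/.ssh/id_rsa`, and `PEM_read_PrivateKey failed` means OpenSSL could not parse that file as a private key at all, which is what happens when a public key or a PuTTY-format file is copied into a private-key path. The key exchange, the host-key check and `Authentications that can continue: publickey` all succeeded, so the port change and sshd itself are not the problem. The two helpers below are an added example, not code from the thread or from Zimbra: one classifies the file at a key path by its first line, the other reads `ssh -v` output and names the failure points visible in it. The paths, sample files and log lines in the comments are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or from Zimbra: triage helpers for the
# client-side failure shown in post #1. Paths and sample inputs are assumptions.

# classify_key_file PATH
# Print one token describing the file at PATH. The path given to `ssh -i`, and the
# default ~/.ssh/id_rsa, must hold a PRIVATE key. A public key ("ssh-rsa ...") or a
# PuTTY .ppk ("PuTTY-User-Key-File-...") placed there is exactly what makes
# OpenSSH 5.x print "debug1: PEM_read_PrivateKey failed" and then ask for a
# passphrase it can never accept.
classify_key_file() {
    local f="$1" first
    [ -r "$f" ] || { echo "missing"; return 1; }
    IFS= read -r first < "$f" || true            # the format is decided by the header line
    case "$first" in
        "-----BEGIN OPENSSH PRIVATE KEY-----")   echo "openssh-private" ;;
        "-----BEGIN "*" PRIVATE KEY-----")       echo "pem-private" ;;
        "PuTTY-User-Key-File-"*)                 echo "putty-private" ;;   # convert with puttygen before use
        "ssh-rsa "*|"ssh-dss "*|"ssh-ed25519 "*|"ecdsa-sha2-"*)
                                                 echo "public-key" ;;      # belongs in authorized_keys, not id_rsa
        *)                                       echo "unknown" ;;
    esac
}

# diagnose_ssh_verbose < ssh-v-output
# `ssh -v` writes to stderr, so pipe it in with 2>&1. Prints one line per point of
# interest; returns 0 when nothing suspicious was seen, 1 otherwise.
diagnose_ssh_verbose() {
    local line bad=0 pem_reported=0
    while IFS= read -r line; do
        case "$line" in
            "Warning: Identity file "*" not accessible"*)
                # -i is resolved against the current directory, not against ~/.ssh
                echo "FINDING: -i path not found: ${line#Warning: Identity file }"
                bad=1 ;;
            *"PEM_read_PrivateKey failed"*)
                if [ "$pem_reported" -eq 0 ]; then   # ssh repeats this once per passphrase prompt
                    echo "FINDING: identity file is not a PEM private key; run classify_key_file on it"
                    pem_reported=1
                fi
                bad=1 ;;
            *"Authentications that can continue: publickey")
                echo "INFO: server offers publickey only; a wrong key cannot fall back to a password" ;;
            *"Permission denied (publickey"*)
                echo "FINDING: server rejected every offered key; check authorized_keys of the target user"
                bad=1 ;;
        esac
    done
    return "$bad"
}

# Usage on the client that fails (constructed paths):
#   classify_key_file /root/.ssh/id_rsa
#   classify_key_file /opt/zimbra/.ssh/zimbra_identity
#   ssh -v -i /opt/zimbra/.ssh/zimbra_identity -p 722 zimbra@srv.domain.com 2>&1 | diagnose_ssh_verbose
```

On a Zimbra host the private half that RemoteManager uses is the `zimbra_identity` that `zmsshkeygen` writes under `/opt/zimbra/.ssh/`, and `zmupdateauthkeys` is what installs the matching public key into `authorized_keys`; run the classifier against whatever path is actually being offered before copying key material around by hand, since a public key sitting in a private-key slot fails in exactly the way the log above shows.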

  2. #2

    Have you changed the Zimbra ssh port as well?

  3. #3

    Yes, as you can see in my mailbox.log, Zimbra is trying to connect to port 722.

    I just changed it by running a command changing the default maintenance port (I don't remember the command and I'm not near my server right now).

    But I assume it's working, or do I have to change it elsewhere?

  4. #4

    Any help?

    The command I ran to change the default port was:

    zmprov ms server.domain.com zimbraRemoteManagementPort 722

    Btw, I tried logging in via SSH using PuTTY and the zimbra account, and after prompting me for the passphrase, it works.

  5. #5

    Please, I really need help!

  6. #6

    I know that the Zimbra modules use SSH to talk to each other in various places, and generally I'd lean towards not playing with it. Can I ask what you are trying to achieve, as there may be a simpler way?

  7. #7

    I just want to secure SSH, as my mail server will be exposed to the internet.

    Btw, it seems that now it's working, but I don't really know what I did to achieve this...

    The command ssh -vi .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@srv.domain.com -p 722

    still doesn't work, but I'm not getting errors anymore, neither in the Zimbra Admin WebGUI nor in the Zimbra logs, so I assume it's working well...

    I'll try to reproduce my steps and post them here.

  8. #8

    Glad that you have it working. While you will see fewer SSH attempts by moving the port, you won't see them go away entirely.
    If a perimeter firewall is not available in your case, I'd use iptables on the Zimbra server to drop all traffic that's not essential (so allow only ports 25 and 443, more if you need them) and then administer the box from the local network or a VPN.
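
The policy in post #8 as a concrete ruleset, written as an added example that is not part of the thread and not Zimbra's own configuration: a generator for `iptables-restore` input with a default DROP on INPUT, SMTP and HTTPS open to the world, and the moved SSH port reachable only from an administration network. The admin network `192.168.100.0/24` in the usage comment and the optional extra public ports are assumptions. One caveat comes straight from the posted `mailbox.log`: Zimbra's RemoteManager itself connects over SSH to `zimbra@srv.domain.com:722`, i.e. to the server's own LAN address, so that address (and any other Zimbra node in a multi-server setup) has to fall inside the admin network or the stats will break again, this time because of the firewall.

```shell
#!/bin/sh
# Added example, not from the thread or from Zimbra: build an iptables-restore
# ruleset for the policy described in post #8. The admin network in the usage
# comment (192.168.100.0/24) is an assumption.

# gen_ruleset SSH_PORT ADMIN_CIDR [EXTRA_PUBLIC_TCP_PORT ...]
# Prints the ruleset to stdout; feed it to `iptables-restore` (as root) to apply.
gen_ruleset() {
    local ssh_port="$1" admin_net="$2" p
    case "$ssh_port" in
        ''|*[!0-9]*) echo "gen_ruleset: SSH_PORT must be numeric" >&2; return 1 ;;
    esac
    if [ "$ssh_port" -lt 1 ] || [ "$ssh_port" -gt 65535 ]; then
        echo "gen_ruleset: SSH_PORT out of range" >&2; return 1
    fi
    case "$admin_net" in
        */*) ;;                                  # crude check: CIDR notation expected
        *) echo "gen_ruleset: ADMIN_CIDR must be a.b.c.d/len" >&2; return 1 ;;
    esac
    shift 2
    printf '%s\n' \
        '*filter' \
        ':INPUT DROP [0:0]' \
        ':FORWARD DROP [0:0]' \
        ':OUTPUT ACCEPT [0:0]' \
        '-A INPUT -i lo -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT' \
        '-A INPUT -m conntrack --ctstate INVALID -j DROP' \
        '-A INPUT -p icmp --icmp-type echo-request -j ACCEPT' \
        '-A INPUT -p tcp --dport 25 -j ACCEPT' \
        '-A INPUT -p tcp --dport 443 -j ACCEPT'
    for p in "$@"; do                            # e.g. 80, or 993/995 if IMAPS/POP3S are needed
        printf '%s\n' "-A INPUT -p tcp --dport $p -j ACCEPT"
    done
    # Management SSH only from the admin network. Zimbra's RemoteManager connects to
    # this port at the server's own LAN address, so that address must be inside
    # ADMIN_CIDR or the admin GUI stats fail again.
    printf '%s\n' "-A INPUT -p tcp -s $admin_net --dport $ssh_port -j ACCEPT"
    # Everything else falls through to the INPUT DROP policy; log the residual SSH
    # probes post #8 warns about, rate-limited so they cannot flood the log.
    printf '%s\n' "-A INPUT -p tcp --dport $ssh_port -m limit --limit 5/min -j LOG --log-prefix \"ssh-probe: \""
    printf '%s\n' 'COMMIT'
}

# Usage on the Zimbra host, as root (constructed admin network):
#   gen_ruleset 722 192.168.100.0/24 > /etc/iptables.rules
#   iptables-restore < /etc/iptables.rules
```

Apply it from a session that is already inside the admin network, ideally via `iptables-apply` or with a scheduled `iptables -F` as a safety net, so a typo in the CIDR cannot lock you out. The admin console port that appears in the posted stack trace (`:7071`) belongs on the admin-network side as well, not in the public list: pass it through the same `-s $admin_net` treatment rather than as an extra public port.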
