Custom ssh port to sftp server through ASA
Hello all,
I have a vendor that needs to FTP files to our Linux server using SFTP, so I decided to change the default port 22 that SSH uses to a higher number for security reasons (too many brute-force attempts). It works internally, but somehow I can't get the ASA working with a custom port. I have the configs for the SFTP server below. Is there another way to achieve it? Thanks in advance.
object network mysftpbox
 nat (inside,outside) static publicip
access-list ACL_OUT extended permit tcp any host mysftpboxinternalip eq 2128
If your server is running on tcp/2128, then your config is OK:
object network mysftpbox
 nat (inside,outside) static publicip
access-list ACL_OUT extended permit tcp any object mysftpbox eq 2128
If you only want to forward this one port, then you can specify that in the NAT:
object network mysftpbox
 nat (inside,outside) static publicip service tcp 2128 2128
access-list ACL_OUT extended permit tcp any object mysftpbox eq 2128
If your server is using the default port tcp/22 but the connection should go externally to tcp/2128, the ASA can translate that as well:
object network mysftpbox
 nat (inside,outside) static publicip service tcp 22 2128
access-list ACL_OUT extended permit tcp any object mysftpbox eq 22
Similar Messages
-
Slow SFTP throughput when passed through ASA 55xx
I have an interesting scenario. I have set up two test boxes for SFTP. One in a DMZ behind an ASA interface, and the other on our external switch. If I send a file to the one on the external switch, I get 40 Mbps on a transfer from a remote location. When I try the same transfer but using a machine in the same DMZ, I get 100 Mbps while connected to a FastEthernet switchport. When I try the same transfer from the remote location previously mentioned, to the same server even, but using SFTP, my throughput goes down to 670 KB/s. I get that same low speed even from the machine on the external switch to the DMZ. It should be much faster since there is no latency involved. It just goes to the switch to the ASA interface to the SFTP server. I even tried this across two different ASAs, same result. One was a 5505, the other a 5520.
So, it seems the only limiting factor here is the ASA. Does anyone have any observations or suggestions that might help?
Thanks!
Sorry, I should have been more clear. The throughput is only reduced when the ASA is in the picture and SFTP is used. I can FTP to the same server, same application, just a different protocol, and get full throughput. As soon as I select SFTP instead of FTP, the throughput drops dramatically.
I know it is not the over head on the server, because I tested an SFTP transfer from a client machine on the same LAN, and got full throughput. It is only when going through the ASA that the SFTP throughput drops by a factor of 7 -
[SOLVED] SSH port 22
Hi people. I'm trying to learn how to access my PC from another PC.
I downloaded PuTTY and I think I understood how to do that.
The problem is that I'm not able to open the port 22.
How can I do that?
Thanks a lot!
Last edited by hadso (2010-09-13 02:45:08)
ewaller wrote:
Okay, I think we are getting close. Here is an excerpt of ssh -v localhost on this machine
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/ewaller/.ssh/id_rsa
debug1: Trying private key: /home/ewaller/.ssh/id_dsa
debug1: Next authentication method: password
ewaller@localhost's password:
See where yours says
debug1: Authentications that can continue: publickey
whereas mine says
debug1: Authentications that can continue: publickey,password
Both our systems go on to try rsa and dsa keys. When those fail, mine continues on to password. Yours does not.
So, port 22 is open.
If you had put the public dsa or rsa keys in ~/.ssh/ it would probably work (but that is not the point, you want password)
Trying to connect to localhost is perfectly valid and eliminates things like router settings from the equation.
All of the keys exist and the permissions look rational (root owns them and can read/write them; the public can read (only) the public keys).
So... Lets take a closer look at /etc/ssh/sshd_config
I diffed graysky's config against mine. We differ on port number, root login [Note to self: turn that off], and X11 forwarding.
You said yours was the same except the port number. I think we need to take a closer look. Could you post the sshd_config, or diff it against graysky's and post the diff?
If it is not an sshd_config problem, I am running out of ideas. It could, I guess, be a PAM problem, but that is out of my league.
Here is my sshd_config:
# $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
Port 22
#Port 55022
#AddressFamily any
ListenAddress 0.0.0.0
#ListenAddress ::
# The default requires explicit activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication no
#PermitEmptyPasswords no
# Change to no to disable s/key passwords
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
AllowAgentForwarding yes
AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding no
X11DisplayOffset 10
X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/lib/ssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
AllowUsers adso
#Subsystem sftp /usr/lib/ssh/sftp-server -
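The comparison ewaller proposes is easier when commented-out defaults are made explicit. As an added example (not code from anyone in the thread), the script below reads an sshd_config the way sshd does (first value for a keyword wins, keywords are case-insensitive, everything after the first Match line is conditional), merges it over a defaults table, reports which methods the server would list under "Authentications that can continue", and diffs two files. The DEFAULTS table and the POSTED/BASELINE excerpts are assumptions constructed to mirror the OpenSSH 5.x file posted above; newer releases change some defaults (PermitRootLogin is prohibit-password from OpenSSH 7.0 on).

```python
"""Report which authentication methods an sshd_config actually offers.

Added example for this thread (not code from the posters).  It follows the
rules sshd(8) applies when reading the file: '#' starts a comment, keywords
are case-insensitive, the first value given for a keyword wins, and
everything after the first 'Match' line is conditional (ignored here).
Commented-out lines count as defaults.  The DEFAULTS table is an
assumption modelled on the commented values in the OpenSSH 5.x file
posted above.
"""
import re

DEFAULTS = {
    "port": "22",
    "permitrootlogin": "yes",
    "pubkeyauthentication": "yes",
    "passwordauthentication": "yes",
    "challengeresponseauthentication": "yes",
    "usepam": "no",
    "allowusers": "",
}

# Constructed excerpt that mirrors the settings in the posted sshd_config.
POSTED = """\
Port 22
#Port 55022
Protocol 2
PermitRootLogin no
#PubkeyAuthentication yes
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
AllowUsers adso
Subsystem sftp /usr/lib/ssh/sftp-server
Match User anoncvs
    PasswordAuthentication yes
"""

# Same file with password logins switched back on, for the diff below.
BASELINE = POSTED.replace("PasswordAuthentication no", "PasswordAuthentication yes")


def parse_sshd_config(text):
    """Return {keyword: value} for the global section; first occurrence wins."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts 'Keyword value' and 'Keyword=value'
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            break  # everything below is conditional on the Match criteria
        settings.setdefault(key, value)
    return settings


def effective_settings(text):
    """Parsed settings merged over the defaults."""
    merged = dict(DEFAULTS)
    merged.update(parse_sshd_config(text))
    return merged


def offered_methods(settings):
    """Methods the server advertises in 'Authentications that can continue'."""
    methods = []
    if settings["pubkeyauthentication"].lower() == "yes":
        methods.append("publickey")
    if settings["passwordauthentication"].lower() == "yes":
        methods.append("password")
    if settings["challengeresponseauthentication"].lower() == "yes":
        methods.append("keyboard-interactive")
    return methods


def diff_settings(text_a, text_b):
    """Keywords whose effective value differs between two config files."""
    a, b = effective_settings(text_a), effective_settings(text_b)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


if __name__ == "__main__":
    eff = effective_settings(POSTED)
    print("offered methods:", offered_methods(eff))
    print("differences vs. baseline:", diff_settings(POSTED, BASELINE))
```

Run against the posted settings it reports only publickey, which is exactly what the `ssh -v` output in the thread shows: with PasswordAuthentication and ChallengeResponseAuthentication both off, there is no password path left even though UsePAM is on.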
Are there any APIs for providing FTP over the SSH port?
Currently we have a requirement to FTP files only using the SSH port (secure FTP). Can anyone please suggest an API which provides FTP operations over the SSH port?
I am currently using the Sinetfactory third-party package from JScape for the secure FTP functionality (FTP over SSH). But the Sinetfactory package's transfer rate is much slower than manual sftp (the command line run on the Linux server for manual FTP over SSH).
Since it is much slower than ordinary sftp (FTP over SSH), I thought of using another third-party FTP package which supports FTP over the SSH port. Can anyone please suggest a third-party package which has sftp functionality with a better transfer rate? -
Problem connecting SFTP server.
Hi Experts,
We are trying to connect to an SFTP server outside our network from our PI system (Advantco SFTP adapter) and we are getting the error below.
Delivery of the message to the application using connection SFTP_http://advantco.com/xi/XI/SFTP failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: javax.resource.ResourceException: java.lang.Exception: Cannot connect to SFTP server.
We tried connecting through FileZilla, giving port 22 (SFTP); in this case we are not able to connect and get the same error.
But when we try the same in FileZilla with port 21 (FTP), we are able to log in successfully.
But we have been informed by the third party that this is an SFTP server and not an FTP server. We tried using ping also but get the same error.
As it is outside the network, we tried using a proxy also, but no success.
The third party also tried ping using the public network and they are able to ping successfully. They don't have any firewall.
Any inputs on this?
Are you sure that is an SFTP server? I don't think so. It's not about the PI adapter, since FileZilla is throwing the same exception.
>>>but we have been informed by 3rd party that this is the SFTP server and not FTP server, tried using ping also but getting same error .
Maybe they are referring to FTPS and not SFTP? Both are different, as you may already be aware.
They should also give you the port information, right?
So I would suggest you verify with them again.
In addition, you can verify if they have enabled FTPS (it has to be explicit) on the default port.
In FileZilla, go to File -> Site Manager -> while adding the site:
set the protocol -> FTP
Encryption -> use explicit FTP over TLS -
When I try to access the server remotely, it's giving me with an error:
ssh_exchange_identification: Connection closed by remote host
The firewall on the Mac is disabled and all traffic is allowed on my router to access the Mac from the public IP. I'm using a custom port 52458 to connect to SSH on the Mac and I can telnet to it locally and remotely. When I run telnet localhost 52458, it works, but when I run netstat -an | grep ssh or netstat -an | grep 52458 it returns no values. I tried running netstat -l to view all listeners but SSH is not listed. The way I changed the SSH port was by editing /etc/services and replacing the ssh port 22 with 52458. Here is the output of ssh -vv -p52458 admin@localhost:
ssh -vv -p52458 admin@localhost
OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
debug1: Reading configuration data /etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to localhost [::1] port 52458.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /var/root/.ssh/identity type -1
debug1: identity file /var/root/.ssh/id_rsa type -1
debug1: identity file /var/root/.ssh/id_dsa type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1
debug2: fd 4 setting O_NONBLOCK
debug1: An invalid name was supplied
Configuration file does not specify default realm
debug1: An invalid name was supplied
Configuration file does not specify default realm
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,umac-64@openssh.com,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit: none,zlib@openssh.com
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug2: dh_gen_key: priv key bits set: 130/256
debug2: bits set: 530/1024
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[localhost]:52458' is known and matches the RSA host key.
debug1: Found key in /var/root/.ssh/known_hosts:7
debug2: bits set: 532/1024
debug1: ssh_rsa_verify: signature correct
debug2: kex_derive_keys
debug2: set_newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug2: set_newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug2: service_accept: ssh-userauth
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug2: key: /var/root/.ssh/identity (0x0)
debug2: key: /var/root/.ssh/id_rsa (0x0)
debug2: key: /var/root/.ssh/id_dsa (0x0)
debug1: Authentications that can continue:
publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
debug1: Next authentication method: gssapi-keyex
debug1: No valid Key exchange context
debug2: we did not send a packet, disable method
debug1: Next authentication method: gssapi-with-mic
debug1: An invalid name was supplied
Configuration file does not specify default realm
debug1: An invalid name was supplied
Configuration file does not specify default realm
debug2: we did not send a packet, disable method
debug1: Next authentication method: publickey
debug1: Trying private key: /var/root/.ssh/identity
debug1: Trying private key: /var/root/.ssh/id_rsa
debug1: Trying private key: /var/root/.ssh/id_dsa
debug2: we did not send a packet, disable method
debug1: Next authentication method: keyboard-interactive
debug2: userauth_kbdint
debug2: we sent a keyboard-interactive packet, wait for reply
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 1
Password:
debug2: input_userauth_info_req
debug2: input_userauth_info_req: num_prompts 0
debug1: Authentication succeeded (keyboard-interactive).
debug1: channel 0: new [client-session]
debug2: channel 0: send open
debug1: Requesting no-more-sessions@openssh.com
debug1: Entering interactive session.
debug2: callback start
debug2: client_session2_setup: id 0
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
debug2: fd 4 setting TCP_NODELAY
debug2: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug2: channel_input_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug2: channel_input_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Last login: Thu Jan 3 15:29:33 2013
Welcome to Darwin!
admins-mac-mini:~ admin$ exit
logout
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0
debug2: channel 0: rcvd eow
debug2: channel 0: close_read
debug2: channel 0: input open -> closed
debug2: channel 0: rcvd eof
debug2: channel 0: output open -> drain
debug2: channel 0: obuf empty
debug2: channel 0: close_write
debug2: channel 0: output drain -> closed
debug2: channel 0: rcvd close
debug2: channel 0: almost dead
debug2: channel 0: gc: notify user
debug2: channel 0: gc: user detached
debug2: channel 0: send close
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: client-session, nchannels 1
Connection to localhost closed.
Transferred: sent 1888, received 2168 bytes, in 562.1 seconds
Bytes per second: sent 3.4, received 3.9
debug1: Exit status 0
Any help is greatly appreciated.
admins-mac-mini:/Users/admin root# lsof -i:ssh -sTCP:LISTEN
lsof: unsupported TCP/TPI info selection: C
lsof: unsupported TCP/TPI info selection: P
lsof: unsupported TCP/TPI info selection: :
lsof: unsupported TCP/TPI info selection: L
lsof: unsupported TCP/TPI info selection: I
lsof: unsupported TCP/TPI info selection: S
lsof: unsupported TCP/TPI info selection: T
lsof: unsupported TCP/TPI info selection: E
lsof: unsupported TCP/TPI info selection: N
lsof 4.77
latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cfgGn]]
[-F [f]] [-g [s]] [-i [i]] [-k k] [+|-L [l]] [-m m] [+|-M] [-o [o]]
[-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
Use the ``-h'' option to get more help information. -
Is it possible to develop a custom SSH resource adapter? I've got some homegrown software that runs on a Linux box that I'd like to have managed by Sun IDM. All of the account administration can be done by scripts from the command line, but how would I develop a resource adapter to do that?
I've read through the documentation on developing custom resources, but what I'm missing is how to establish an SSH connection, and whether there is any support for doing the "Expect"-type string matching, etc. needed. Are there some standard Java libraries for doing this sort of thing?
Wouldn't the after/before actions be enough for you?
We have a customer which has some application with command line interface and the application is accessible via SSH, and users need to have application account and SSH server account as well. We're using after-create action to create the application account.
This solution is pretty simple and is not perfect in terms of reconciliation: you would be able to reconcile SSH accounts only, not the application accounts, of course. But if all of your users on the machine should have application accounts, you can assume that by reconciling SSH accounts you also reconcile the application accounts.
Regards,
IVan -
I am trying to access tables of the SQL Server through Oracle
I am trying to access tables of the SQL Server through Oracle and this error occurs:
ORA-28500: connection from ORACLE to a non-Oracle system returned this message: [Generic Connectivity using ODBC][H006] The init parameter <HS_FDS_CONNECT_INFO> is not set.
Please set it in init <orasid>.ora file.
ORA-02063: preceding 2 lines from HSMSQL
I created the ODBC with name HSMSQL.
I made all the configurations in the files:
tnsnames.ora:
HSMSQL=
(DESCRIPTION=
(ADDRESS= (PROTOCOL = tcp)(HOST = wsus)(PORT = 1521))
(CONNECT_DATA =
(SID = HSMSQL)
(HS = OK)
listener.ora:
(SID_DESC = (SID_NAME=HSMSQL)
(ORACLE_HOME= C:\oracle\ora92)
(PROGRAM =hsodbc)
initHS_SID.ora:
HS_FDS_CONNECT_INFO = HSMSQL
HS_FDS_TRACE_LEVEL = OFF
-- Create database link
create database link HSMSQL.US.ORACLE.COM
connect to TESTE identified by TESTE2
using 'HSMSQL';
But when I execute query the error occurs:
Select * from TabTeste@HSMSQL
ORA-28500: connection from ORACLE to a non-Oracle system returned this message: [Generic Connectivity using ODBC][H006] The init parameter <HS_FDS_CONNECT_INFO> is not set.
Please set it in init <orasid>.ora file.
ORA-02063: preceding 2 lines from HSMSQL
Please help me, thanks, Paulo.
Hi,
It seems that your configuration is OK. By the way, the workaround for this error is:
ORA-28500: connection from ORACLE to a non-Oracle system returned this message:
[Transparent gateway for ODBC][H001] The environment variable <HS_FDS_CONNECT_INFO> is not set.
* Set HS_FDS_CONNECT_INFO in the hs{sid}init.ora file to the data source name.
Example: HS_FDS_CONNECT_INFO = <ODBC DataSource Name>
* Make sure the hs{sid}init.ora file exists in the ORACLE_HOME/hs/admin directory and has the same name as the SID in the LISTENER.ORA.
Example: If SID=hsodbc in the listener.ora file, then the hs{sid}init.ora file would be named ORACLE_HOME/hs/admin/inithsodbc.ora
For more information see if this [url http://forums.oracle.com/forums/thread.jspa?forumID=61&threadID=576975]thread can help you.
Cheers -
I'm in the middle of configuring IP Phone SSL VPN through the ASA and got stuck on authentication. When I enter the username and password on the phone screen, I get a "Username and password failed" message on the screen. However, in the ASA logs I see the following lines:
Feb 16 2011 15:12:57 725002 85.132.43.67 52684 Device completed SSL handshake with client vpn:85.132.*.*/52684
Feb 16 2011 15:17:26 725007 85.132.43.67 52745 SSL session with client vpn:85.132.*.*/52745 terminated.
What does it mean? How can I turn on debugging to see what is going on?
Thank you in advance!
Hi,
If you're not using certificates in client authentication, then the SSL handshake will complete before the user is requested to authenticate with username/password. If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided). Notice the 5 seconds between the SSL session establishment and termination; this is most likely when the user is being authenticated against the AAA server. If the phone is failing authentication against an external aaa-server, you'll want to investigate the logs on that server to determine the root cause of the failure. The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'. If you want to see what's going on at an authentication protocol level, you can enable several debugs including 'debug aaa authentication|common|internal' and protocol-specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
Did this answer your question? If so, please mark it Answered! -
How to delete zip file in sftp server
Hi Gurus,
I have one .zip file with data files inside on the SFTP server. Can you please tell me how to delete the .zip files on the SFTP server? I am able to delete normal files by using 'rm' in sftp.
And one more request: my sftp prompts for the password every time, so I need to enter the password manually. Can anyone suggest how to handle that in a shell script?
Thanks in advance.
Regards
Nagendra
You might want to look into user equivalence and configure a certificate for ssh so it does not prompt for a password.
It will also allow you to use sftp without a prompt for a password.
On the server side:
Edit /etc/ssh/sshd_config and remove the # from the following lines:
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
Then restart the ssh server:
/etc/init.d/sshd restart
Log in as the user this is for:
su - <username>
mkdir .ssh
chmod 700 .ssh
On the client side:
Run the following command:
ssh-keygen -t rsa (omit password)
Then use the following to copy the public key from the client to the corresponding login's .ssh directory on the server side:
scp .ssh/id_rsa.pub username@remote_host:.ssh/authorized_keys -
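The steps above work, but a practitioner automating them for a vendor account wants two safeguards the one-line scp lacks: append to authorized_keys instead of replacing it (so keys from other clients survive) and get the permissions right, since sshd silently ignores the file when StrictModes finds ~/.ssh or authorized_keys group- or world-writable. The script below is an added example, not the poster's procedure or any project's code. SAMPLE_KEY is a constructed, structurally valid ed25519 key line (the 32 key bytes are a placeholder), and the demo runs in a scratch directory so it can be tried without touching a real home.

```python
"""Install a client's public key for password-less ssh/sftp logins.

Added example for this thread, not the poster's script.  It automates the
manual steps above with the safeguards a practitioner wants: the key is
appended to ~/.ssh/authorized_keys rather than replacing the file, re-running
it does not duplicate the key, the key line is sanity-checked before it is
written, and permissions are set to what sshd's StrictModes requires
(700 on ~/.ssh, 600 on the file).  SAMPLE_KEY is constructed and not a real key.
"""
import base64
import os
import stat
import tempfile

KEY_TYPES = ("ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256",
             "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521")

# Constructed key: the wire blob is <len><type><len><32 bytes>, as OpenSSH
# encodes it; the 32 key bytes are a placeholder, not a real public key.
_BLOB = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + b"\x01" * 32
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " vendor@example"


def validate_pubkey(line):
    """Return 'type blob [comment]' for a well-formed key line, else raise ValueError."""
    parts = line.strip().split()
    if len(parts) < 2 or parts[0] not in KEY_TYPES:
        raise ValueError("not an OpenSSH public key line")
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except (ValueError, TypeError) as exc:
        raise ValueError("key blob is not valid base64") from exc
    # The blob begins with a length-prefixed copy of the key type; it must agree.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != parts[0].encode():
        raise ValueError("key blob does not match the declared key type")
    return " ".join(parts[:3])


def is_valid_pubkey(line):
    try:
        validate_pubkey(line)
        return True
    except ValueError:
        return False


def install_authorized_key(home, pubkey_line):
    """Append the key to <home>/.ssh/authorized_keys; True if it was newly added."""
    key = validate_pubkey(pubkey_line)
    ssh_dir = os.path.join(home, ".ssh")
    auth = os.path.join(ssh_dir, "authorized_keys")
    os.makedirs(ssh_dir, mode=0o700, exist_ok=True)
    os.chmod(ssh_dir, 0o700)  # StrictModes rejects a group/world-writable ~/.ssh
    present = set()
    if os.path.exists(auth):
        with open(auth) as fh:
            for existing in fh:
                fields = existing.split()
                if len(fields) >= 2 and not existing.startswith("#"):
                    present.add((fields[0], fields[1]))  # type+blob; comment ignored
    new = tuple(key.split()[:2]) not in present
    if new:
        with open(auth, "a") as fh:
            fh.write(key + "\n")
    os.chmod(auth, 0o600)
    return new


def demo(home=None):
    """Install SAMPLE_KEY twice into a scratch home directory and report the result."""
    home = home or tempfile.mkdtemp(prefix="authkeys-demo-")
    first = install_authorized_key(home, SAMPLE_KEY)
    second = install_authorized_key(home, SAMPLE_KEY + "-renamed")  # same key, new comment
    auth = os.path.join(home, ".ssh", "authorized_keys")
    with open(auth) as fh:
        keys = sum(1 for line in fh if line.strip())
    return {
        "first_new": first,
        "second_new": second,
        "keys": keys,
        "dir_mode": stat.S_IMODE(os.stat(os.path.dirname(auth)).st_mode),
        "file_mode": stat.S_IMODE(os.stat(auth).st_mode),
    }


if __name__ == "__main__":
    print(demo())
```

For a real deployment run install_authorized_key on the server with the key line the vendor sends you (over a channel you trust, since whoever controls that line gets the account), and keep the private key on the vendor's side only.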
Error while connecting Oracle 11g to SQL Server through transparent gateway
Hello,
I'm facing these errors when I try to connect Oracle 11g to SQL Server through the transparent gateway:
http://www.freeimagehosting.net/newuploads/d4454.jpg
The directory for my DB is: C:\oracle\product\11.1.0\db1
and for the gateway: C:\oracle\product\11.1.0\dg4msql
The configurations I used:
gateway :
tnsnames.ora:
dg4msql =
(DESCRIPTION=
(ADDRESS=(PROTOCOL=tcp)(HOST=Kinda-PC)(PORT=1522))
(CONNECT_DATA=(SID=dg4msql))
(HS=OK)
listener.ora:
GATELIST =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = Kinda-PC)(PORT = 1522))
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1522))
SID_LIST_LISTENER =
(SID_LIST =
(SID_DESC =
(PROGRAM = dg4msql)
(SID_NAME = dg4msql)
(ORACLE_HOME = C:\oracle\product\11.1.0\dg4msql)
and for the oracle database :
listener.ora
LISTENER =
(DESCRIPTION_LIST =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
(ADDRESS = (PROTOCOL = TCP)(HOST = Kinda-PC)(PORT = 1521))
tnsnames.ora:
DB1 =
(DESCRIPTION =
(ADDRESS = (PROTOCOL = TCP)(HOST = Kinda-PC)(PORT = 1521))
(CONNECT_DATA =
(SERVER = DEDICATED)
(SERVICE_NAME = db1)
gateway =
(DESCRIPTION=
(ADDRESS=(PROTOCOL=tcp)(HOST=Kinda-PC)(PORT=1522))
(CONNECT_DATA=(SID=dg4msql)
(HS=OK)
thanks :)
Edited by: 903043 on Dec 18, 2011 6:18 AM
Did you go through the various steps in the doc?
There is a gateway specific forum below;
Heterogeneous Connectivity
Cheers
David -
How can we allow internal users to access internet through ASA firewall?
Hello,
I am new to the security track. I have been asked to set up a lab and allow users from inside the firewall to access the internet. Here is my lab setup:
PC -> switch 1 (layer2) -> (inside) ASA (outside) -> switch 2 (Layer2) -> Router
Does the switch 2 port need internet access through the router?
What configuration is required on the ASA to allow users behind the firewall to access the internet?
Any help on this would be much appreciated.
thanks,
Hi,
Okay, can you clarify this for me. Are you able to ping the internet from the ASA outside interface?
Just try something like this:
ping 4.2.2.2 ... Does this work?
If this does not work, then I think the ASA itself is not able to get to the internet, and that would be a problem on the router.
Also, internet from Switch 2 is not a requirement, as that is only a Layer 2 device.
You can assign the ISP-allocated address to the PC, connect it to the Switch 2 port and then try to ping something on the internet or surf the internet, and I think that should work.
Thanks and Regards,
Vibhor Amrodia -
Dear friends, I am facing an issue hosting my server publicly from the ASA.
I have already assigned a public IP address to the outside interface of the ASA. My requirement is to configure the firewall to host my web server publicly using a public IP that is not assigned to the outside interface but is in a different subnet. I have done every configuration, but I can't ping or connect to my web server. I can ping the web server from my ASA, but from outside I cannot reach my web server. Could anyone help me with this, because I am facing a problem.
Below is the configuration of the firewall.
server IP address: 10.10.10.4 (local, reachable)
public IP address: 78.72.232.66 (default gateway)
show run configuration of the firewall:
ASA Version 8.2(5)
hostname TAD-FW
domain-name tadrees.com
enable password lpW.MGeEHg0ISQZq encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Ethernet0/0
description Connected to TAD-Router G0/1
nameif outside
security-level 0
ip address 78.72.29.174 255.255.255.252
interface Ethernet0/1
description Connected to Cisco SMB Switch G1
nameif inside
security-level 100
ip address 10.15.1.1 255.255.255.248
interface Ethernet0/2
shutdown
no nameif
no security-level
no ip address
interface Ethernet0/3
shutdown
no nameif
no security-level
no ip address
interface Management0/0
nameif management
security-level 100
no ip address
management-only
banner login ******** TADREES FIREWALL ********
ftp mode passive
dns domain-lookup outside
dns server-group DefaultDNS
name-server 8.8.8.8
name-server 84.22.224.11
name-server 84.22.224.12
domain-name tadrees.com
access-list split-tunnel standard permit 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.0.0
access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.1.1.0 255.255.255.0
access-list Mename-Access extended permit tcp any host 78.72.232.66 eq https
access-list Mename-Access extended permit tcp any host 78.72.232.66 eq www
pager lines 24
logging enable
logging buffered debugging
logging asdm debugging
mtu outside 1500
mtu inside 1500
mtu management 1500
ip local pool sslvpnpool 10.1.1.1-10.1.1.254 mask 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-702.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 0 access-list nonat
nat (inside) 1 0.0.0.0 0.0.0.0
static (inside,outside) tcp 78.72.232.66 www 10.10.10.4 www netmask 255.255.255.255
access-group Mename-Access in interface outside
router rip
network 10.0.0.0
version 2
route outside 0.0.0.0 0.0.0.0 78.72.29.173 1
route inside 10.10.10.4 255.255.255.255 10.15.1.1 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TAD-AD protocol nt
aaa-server TAD-AD (inside) host 10.10.10.1
aaa authentication ssh console LOCAL
http server enable 444
http 192.168.1.0 255.255.255.0 management
http 0.0.0.0 0.0.0.0 outside
http 0.0.0.0 0.0.0.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet 0.0.0.0 0.0.0.0 inside
telnet timeout 2
ssh 0.0.0.0 0.0.0.0 outside
ssh 0.0.0.0 0.0.0.0 inside
ssh timeout 20
console timeout 0
management-access inside
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
enable outside
no anyconnect-essentials
svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
svc enable
tunnel-group-list enable
internal-password enable
group-policy sslvpn internal
group-policy sslvpn attributes
wins-server none
dns-server none
vpn-tunnel-protocol svc webvpn
split-tunnel-policy tunnelspecified
split-tunnel-network-list value split-tunnel
default-domain value tadrees.com
group-policy DfltGrpPolicy attributes
webvpn
svc ask enable default webvpn timeout 30
username asad password GxozRbsh8Rp9vCkf encrypted privilege 15
username cisco password HWFflA1bzYiq7Uut encrypted privilege 15
username naveed password d8KsovrcdE3to7qt encrypted privilege 15
tunnel-group TAD-SSLV type remote-access
tunnel-group TAD-SSLV general-attributes
address-pool sslvpnpool
authentication-server-group TAD-AD LOCAL
default-group-policy sslvpn
tunnel-group TAD-SSLV webvpn-attributes
group-alias ssl enable
group-url https://78.93.29.174/ssl enable
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
inspect ip-options
inspect icmp
inspect http
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:cec976b762f5e1d9d9856eeb4dea4019
: end
Solution, give me your number so we can talk about it or set up captures on the ASA to confirm that traffic from the Internet is being routed correctly to the ASA, and also review logs.
capture out interface outside match ip any host 78.93.232.66
capture in interface inside match ip any host 10.10.10.4
After you try to access the server via the public IP from an Internet client, check the captures:
show capture
If you see packets in the capture, download them:
https://10.15.1.1/capture/in/pcap
https://10.15.1.1/capture/out/pcap
It will ask you for your credentials to be able to download the file.
Check logs via ASDM:
Log into ASDM > Monitoring > logging > Real Time log viewer
Type in the external IP address of the server and run another test; if you see logs, post them.
-
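To turn the two downloaded pcap files into a verdict without reading them packet by packet, here is an added Python example (not part of the original reply) that parses classic libpcap files with the standard library only and compares the TCP handshake seen on the outside and inside captures for the SFTP port. The addresses and frames it builds are constructed test data, not captures from this ASA.

```python
import struct

def build_frame(src, dst, sport, dport, flags):
    """Constructed Ethernet/IPv4/TCP frame used as test data (checksums left zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # EtherType 0x0800 = IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return eth + ip + tcp

def build_pcap(frames):
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # classic LE pcap header, Ethernet
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

def count_handshake(pcap, port):
    """Return (SYNs sent to port, SYN/ACKs sent from port) found in a libpcap byte string."""
    end = "<" if pcap[:4] == b"\xd4\xc3\xb2\xa1" else ">"   # magic tells byte order
    syn = synack = 0
    off = 24                                               # skip the global header
    while off + 16 <= len(pcap):
        caplen = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue                                       # not IPv4/TCP over Ethernet
        tcp = frame[14 + (frame[14] & 0x0F) * 4:]          # skip IP header incl. options
        if len(tcp) < 14:
            continue
        sport, dport = struct.unpack("!HH", tcp[:4])
        flags = tcp[13] & 0x12                             # keep only SYN (0x02) and ACK (0x10)
        if dport == port and flags == 0x02:
            syn += 1
        elif sport == port and flags == 0x12:
            synack += 1
    return syn, synack

def diagnose(outside_pcap, inside_pcap, port):
    """Compare both captures and say where along the path the connection stalls."""
    o_syn, o_synack = count_handshake(outside_pcap, port)
    i_syn, i_synack = count_handshake(inside_pcap, port)
    checks = ((o_syn, "no SYN on outside: client traffic never reached the ASA"),
              (i_syn, "SYN on outside only: ASA NAT or ACL is dropping it"),
              (i_synack, "SYN reached the server, no SYN/ACK: nothing listening or host firewall"),
              (o_synack, "server replied, reply missing on outside: return route or NAT"))
    for seen, verdict in checks:
        if seen == 0:
            return verdict
    return "handshake completes through the ASA"
```

Feed `diagnose()` the bytes of the `out` and `in` pcap files downloaded from the ASA with the port the vendor connects to (2128 in this thread); the same script works for any other forwarded TCP port.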
Can't connect to local MySQL server through socket '/var/mysql/mysql.sock'
I'm using the pre-installed versions of php and mysql under Mac OS X Server 10.4.4 running on a G4 and am unable to get anything involving mysql to work.
I ssh to the server and enter various commands in Terminal:
on typing "mysql" I get
ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/mysql/mysql.sock' (2)
and on typing "mysqladmin version" I get
mysqladmin: connect to server at 'localhost' failed
error: 'Can't connect to local MySQL server through socket '/var/mysql/mysql.sock' (2)'
Check that mysqld is running and that the socket: '/var/mysql/mysql.sock' exists!
On typing "sudo mysqld_safe" I get
Starting mysqld daemon with databases from /var/mysql
STOPPING server from pid file /var/mysql/MyServer.local.pid
070722 16:06:05 mysqld ended
/var/mysql/MyServer.local.err contains
070722 16:06:04 mysqld started
070722 16:06:04 [Warning] Setting lowercase_tablenames=2 because file system for /var/mysql/ is case insensitive
070722 16:06:04 InnoDB: Database was not shut down normally!
InnoDB: Starting crash recovery.
InnoDB: Reading tablespace information from the .ibd files...
InnoDB: Restoring possible half-written data pages from the doublewrite
InnoDB: buffer...
070722 16:06:05 InnoDB: Starting log scan based on checkpoint at
InnoDB: log sequence number 0 43634.
/var/mysql has permissions 775.
The line
mysql.default_socket = /var/mysql/mysql.sock
is in /etc/php.ini
whereis mysqladmin ->
/usr/bin/mysqladmin
whereis mysql ->
/usr/bin/mysql
ls /var/mysql ->
MyServer.local.err
ib_logfile1
mysql
ib_logfile0
ibdata1
test
Can't find my.cnf or my.ini anywhere
Can't find mysql.sock anywhere
I'm trying to get a bug database running (mantis) under Mac OS X Server 10.4.4 that I can access from local clients.
I'm trying to follow directions at http://www.mantisbugtracker.com/manual/manual.installation.php
without knowing anything about mysql or php and I'm stuck on step 3:
"Next we will create the necessary database tables and a basic configuration
file."
I get a message saying
"Does administrative user have access to the database? ( Lost connection to MySQL server during query )"
I don't even know if following the mantis directions has resulted in the creation of a database or not. Where would it be?
Thanks for any help.
Intel iMac Mac OS X (10.4.10)
I've just done a clean install of OSX Server and added the latest MYSQL packaged installer. Afterwards I found the lock file in /private/tmp/mysql.lock
The easiest way to solve this problem is to create a symbolic link so that the lock file appears to be in right place.
e.g.
cd /var
sudo mkdir mysql <== this assumes the directory is missing
cd mysql
sudo ln -s /private/tmp/mysql.sock mysql.sock
After this mysql commands should work fine, and you've not fiddled with the security settings on users/groups.
HTH
Christian
-
File upload to sftp server using apex
We have an SFTP server on Linux and we want to provide users with web-based interface (Oracle APEX has been chosen for that purpose) so they can upload their flat files to our sftp server via secure transmission. is it possible to implement on APEX? What might be possible solution? or any workarouds?
Thanks in advance.
Hello Kevin,
> If I got it right, in such a case files have to be stored in the database directory; as far as I know APEX only allows storing files in database tables. Is there any way to put files into a directory without storing them in tables? For instance, I want files to be placed in some Oracle directory when users choose files with a FILE BROWSE item and then submit the page.
Yes APEX stores files to tables, but there is a way to store them to OS directory.
I don't know much about the plugin SaveToDisk:
http://apex-plugin.com/oracle-apex-plugins/process-type-plugin/savetodisk_167.html
but I have tried a blog solution by Håvard Kristiansen and it works fine:
http://monkeyonoracle.blogspot.in/2009/10/storing-images-outside-oracle-xe-with.html
He has given this solution to store images outside Oracle XE i.e. to a server directory.
I did it this way:
1) User uploads a file through file browse.
2) The file is stored to APEX_APPLICATION_FILES or WWV_FLOW_FILES.
3) The file is written to the OS directory using the write_to_file procedure mentioned in the blog.
Hope it helps!
Regards,
Kiran