Custom ssh port to sftp server through ASA

Similar Messages

• Slow SFTP throughput when passed through ASA 55xx

  I have an interesting scenario. I have setup two test boxes for SFTP.  One in a DMZ behind an ASA inteface, and the other on our external switch. If I send a file to the one on the external switch, I get 40 Mbps on a transfer from a remote location. When I try the same transfer but using a machine in the same DMZ, I get 100 Mbps while connected to a FastEthernet switchport. When I try the same transfer from the remote location previously mentioned, to the same server even, but using SFTP, my throughput goes down to 670 KB/s.  I get that same low speed even on the machine on the external switch to the DMZ. It should be much faster since there is no latency involved. It just goes to the switch to the ASA interface to the SFTP server. I even tried this across two different ASA, same result. One was a 5505, the other a 5520. 
  So, it seems the only limiting factor here is the ASA.  Does anyone have any observations or suggestions that might help?
  Thanks!

  Sorry, I should have been more clear. The throughput is only reduced when the ASA is in the picture and SFTP is used. I can FTP to the same server, same application, just different protocol, and get full throughput. As soon as I select SFTP instead of FTP, the throughput drops dramatically.
  I know it is not the over head on the server, because I tested an SFTP transfer from a client machine on the same LAN, and got full throughput. It is only when going through the ASA that the SFTP throughput drops by a factor of 7

• [SOLVED] SSH port 22

  Hi people. I'm tring to learn how to acces from another PC to mine.
  I downloaded Putty and I think, I undertood how to do that.
  The problem is that I'm not able to open the port 22.
  How can I do that?
  Thanks a lot!
  Last edited by hadso (2010-09-13 02:45:08)

  ewaller wrote:
  Okay, I think we are getting close.  Here is an excerpt of ssh -v localhost on this machine
  debug1: Authentications that can continue: publickey,password
  debug1: Next authentication method: publickey
  debug1: Trying private key: /home/ewaller/.ssh/id_rsa
  debug1: Trying private key: /home/ewaller/.ssh/id_dsa
  debug1: Next authentication method: password
  ewaller@localhost's password:
    See where yours says
  debug1: Authentications that can continue: publickey
  whereas mine says
  debug1: Authentications that can continue: publickey,password
  Both our systems go on to try rsa and dsa keys.  When those fail, mine continues on to password.  Yours does not.
  So, port 22 is open.
  If you had put the public dsa or rsa keys in ~/.ssh/ it would probably work (but that is not the point, you want password)
  Trying to connect to localhost is perfectly valid and eliminates things like router settings from the equation.
  All of the keys exist and the permissions look rational (root owns them and can read / write them , public can read (only) the public keys,
  So...  Lets take a closer look at /etc/ssh/sshd_config
  I diff'ed graysky's config against mine.  We differ on port number, root login [Note to self: turn that off], and X11 forwarding.
  You said yours was the same except the port number.  I think we need to take a closer look.  Could you post the sshd_config, or diff it against graysky's and post the diff?
  If it is not a sshd_config problem, I am running out of ideas.  It could, I guess be a PAM problem -- but that is out of my league.
  Here is my sshd_config:
  #    $OpenBSD: sshd_config,v 1.81 2009/10/08 14:03:41 markus Exp $
  # This is the sshd server system-wide configuration file.  See
  # sshd_config(5) for more information.
  # This sshd was compiled with PATH=/usr/bin:/bin:/usr/sbin:/sbin
  # The strategy used for options in the default sshd_config shipped with
  # OpenSSH is to specify options with their default value where
  # possible, but leave them commented.  Uncommented options change a
  # default value.
  Port 22
  #Port 55022
  #AddressFamily any
  ListenAddress 0.0.0.0
  #ListenAddress ::
  # The default requires explicit activation of protocol 1
  Protocol 2
  # HostKey for protocol version 1
  #HostKey /etc/ssh/ssh_host_key
  # HostKeys for protocol version 2
  #HostKey /etc/ssh/ssh_host_rsa_key
  #HostKey /etc/ssh/ssh_host_dsa_key
  # Lifetime and size of ephemeral version 1 server key
  #KeyRegenerationInterval 1h
  #ServerKeyBits 1024
  # Logging
  # obsoletes QuietMode and FascistLogging
  #SyslogFacility AUTH
  #LogLevel INFO
  # Authentication:
  LoginGraceTime 120
  PermitRootLogin no
  #StrictModes yes
  #MaxAuthTries 6
  #MaxSessions 10
  #RSAAuthentication yes
  #PubkeyAuthentication yes
  #AuthorizedKeysFile    .ssh/authorized_keys
  # For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
  #RhostsRSAAuthentication no
  # similar for protocol version 2
  #HostbasedAuthentication no
  # Change to yes if you don't trust ~/.ssh/known_hosts for
  # RhostsRSAAuthentication and HostbasedAuthentication
  #IgnoreUserKnownHosts no
  # Don't read the user's ~/.rhosts and ~/.shosts files
  #IgnoreRhosts yes
  # To disable tunneled clear text passwords, change to no here!
  PasswordAuthentication no
  #PermitEmptyPasswords no
  # Change to no to disable s/key passwords
  ChallengeResponseAuthentication no
  # Kerberos options
  #KerberosAuthentication no
  #KerberosOrLocalPasswd yes
  #KerberosTicketCleanup yes
  #KerberosGetAFSToken no
  # GSSAPI options
  #GSSAPIAuthentication no
  #GSSAPICleanupCredentials yes
  # Set this to 'yes' to enable PAM authentication, account processing,
  # and session processing. If this is enabled, PAM authentication will
  # be allowed through the ChallengeResponseAuthentication and
  # PasswordAuthentication.  Depending on your PAM configuration,
  # PAM authentication via ChallengeResponseAuthentication may bypass
  # the setting of "PermitRootLogin without-password".
  # If you just want the PAM account and session checks to run without
  # PAM authentication, then enable this but set PasswordAuthentication
  # and ChallengeResponseAuthentication to 'no'.
  UsePAM yes
  AllowAgentForwarding yes
  AllowTcpForwarding yes
  #GatewayPorts no
  X11Forwarding no
  X11DisplayOffset 10
  X11UseLocalhost yes
  #PrintMotd yes
  #PrintLastLog yes
  #TCPKeepAlive yes
  #UseLogin no
  #UsePrivilegeSeparation yes
  #PermitUserEnvironment no
  #Compression delayed
  #ClientAliveInterval 0
  #ClientAliveCountMax 3
  #UseDNS yes
  #PidFile /var/run/sshd.pid
  #MaxStartups 10
  #PermitTunnel no
  #ChrootDirectory none
  # no default banner path
  #Banner none
  # override default of no subsystems
  Subsystem    sftp    /usr/lib/ssh/sftp-server
  # Example of overriding settings on a per-user basis
  #Match User anoncvs
  #    X11Forwarding no
  #    AllowTcpForwarding no
  #    ForceCommand cvs server
  AllowUsers    adso
  #Subsystem       sftp    /usr/lib/ssh/sftp-server

• Is there any API's for providing FTP using ssh port.

  Currently we are having a requirement to FTP files only using ssh port(Secure FTP). Can anyone please suggest me an API which provides the FTP'ing operation using SSH port.

  I am currently using a Sinetfactory thirdparty package from JScape for the Secure FTP functionality(FTP over SSH). But Sinetfactory package tranfer rate is much slower than the manual sftp(command-line run in linux server for manual ftp using ssh).
  Since it is very slower than ordinary sftp(ftp over ssh), I thought of using other thirdparty FTP package which supports FTP using ssh port. Can anyone please suggest me a thirdparty package which will has the sftp functionality and with better transfer rate.

• Problem connecting SFTP server.

  Hi Experts,
  We are trying to connect to SFTP server outside network from our PI system  (advantaco sftp ) we are getting below error.
  Delivery of the message to the application using connection SFTP_http://advantco.com/xi/XI/SFTP failed, due to: com.sap.engine.interfaces.messaging.api.exception.MessagingException: javax.resource.ResourceException: java.lang.Exception: Cannot connect to SFTP server.
  we tried connecting through Filezilla by giving port (22-SFTP) in this case we are not able to connect we are getting the same error.
  But when we try the same in filezilla giving port(21-FTP) we are able to login successfully.
  but we have been informed by 3rd party that this is the SFTP server and not FTP server, tried using ping also but getting same error .
  As it is outside network tried using proxy also but no success.
  and also third party tried ping using public network they are able to ping successfully. they don't have any firewall.
  any inputs on this ?

  Are you sure if that is an SFTP server? I don't think so. It's not about PI adapter even the filezilla is throwing the same exception.
  >>>but we have been informed by 3rd party that this is the SFTP server and not FTP server, tried using ping also but getting same error .
  May be they are referring to FTPS but not SFTP? Both are different as you may already aware.
  They should also give you the port information right?
  So i would suggest you to verify with them again..
  In addition, you can verify if they have enabled FTPS(it has to be explicit) on the default port.
  in file zilla,  go to File -> Site Manager -> while adding the site
  set the protocol -> FTP
  Encryption -> use explicit FTP over TLS

• Mac not listening to SSH port

  When I try to access the server remotely, it's giving me with an error:
  ssh_exchange_identification: Connection closed by remote host
  The firewall on Mac is disabled and all the traffic are allowed on my router to access the Mac from public IP. I'm using a custom port 52458 to connect to SSH on Mac and I can telnet to it locally and remotely. When I run telnet localhost 52458, it works but when I run netstat -an | grep ssh or netstat -an | grep 52458 it's not returning any values. I tried running netstat -l to view all listeners but SSH is not listed. The way I edited SSH port is by editing /etc/services and replacing ssh port 22 to 52458. Here is the report of ssh -vv -p52458 admin@localhost
  ssh -vv -p52458 admin@localhost
  OpenSSH_5.1p1, OpenSSL 0.9.7l 28 Sep 2006
  debug1: Reading configuration data /etc/ssh_config
  debug2: ssh_connect: needpriv 0
  debug1: Connecting to localhost [::1] port 52458.
  debug1: Connection established.
  debug1: permanently_set_uid: 0/0
  debug1: identity file /var/root/.ssh/identity type -1
  debug1: identity file /var/root/.ssh/id_rsa type -1
  debug1: identity file /var/root/.ssh/id_dsa type -1
  debug1: Remote protocol version 1.99, remote software version OpenSSH_5.1
  debug1: match: OpenSSH_5.1 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_5.1
  debug2: fd 4 setting O_NONBLOCK
  debug1: An invalid name was supplied
  Configuration file does not specify default realm
  debug1: An invalid name was supplied
  Configuration file does not specify default realm
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug2: kex_parse_kexinit:
  diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-h ellman-group14-sha1,diffie-hellman-group1-sha1
  debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
  debug2: kex_parse_kexinit:
  aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes19 2-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
  debug2: kex_parse_kexinit:
  aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes19 2-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
  debug2: kex_parse_kexinit:
  hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
  debug2: kex_parse_kexinit:
  hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
  debug2: kex_parse_kexinit: none,[email protected],zlib
  debug2: kex_parse_kexinit: none,[email protected],zlib
  debug2: kex_parse_kexinit:
  debug2: kex_parse_kexinit:
  debug2: kex_parse_kexinit: first_kex_follows 0
  debug2: kex_parse_kexinit: reserved 0
  debug2: kex_parse_kexinit:
  diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-h ellman-group14-sha1,diffie-hellman-group1-sha1
  debug2: kex_parse_kexinit: ssh-rsa,ssh-dss
  debug2: kex_parse_kexinit:
  aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes19 2-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
  debug2: kex_parse_kexinit:
  aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour128,arcfour256,arcfour,aes19 2-cbc,aes256-cbc,[email protected],aes128-ctr,aes192-ctr,aes256-ctr
  debug2: kex_parse_kexinit:
  hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
  debug2: kex_parse_kexinit:
  hmac-md5,hmac-sha1,[email protected],hmac-ripemd160,[email protected],hmac-sha1-96,hmac-md5-96
  debug2: kex_parse_kexinit: none,[email protected]
  debug2: kex_parse_kexinit: none,[email protected]
  debug2: kex_parse_kexinit:
  debug2: kex_parse_kexinit:
  debug2: kex_parse_kexinit: first_kex_follows 0
  debug2: kex_parse_kexinit: reserved 0
  debug2: mac_setup: found hmac-md5
  debug1: kex: server->client aes128-cbc hmac-md5 none
  debug2: mac_setup: found hmac-md5
  debug1: kex: client->server aes128-cbc hmac-md5 none
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug2: dh_gen_key: priv key bits set: 130/256
  debug2: bits set: 530/1024
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: Host '[localhost]:52458' is known and matches the RSA host key.
  debug1: Found key in /var/root/.ssh/known_hosts:7
  debug2: bits set: 532/1024
  debug1: ssh_rsa_verify: signature correct
  debug2: kex_derive_keys
  debug2: set_newkeys: mode 1
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug2: set_newkeys: mode 0
  debug1: SSH2_MSG_NEWKEYS received
  debug1: SSH2_MSG_SERVICE_REQUEST sent
  debug2: service_accept: ssh-userauth
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug2: key: /var/root/.ssh/identity (0x0)
  debug2: key: /var/root/.ssh/id_rsa (0x0)
  debug2: key: /var/root/.ssh/id_dsa (0x0)
  debug1: Authentications that can continue:
  publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive
  debug1: Next authentication method: gssapi-keyex
  debug1: No valid Key exchange context
  debug2: we did not send a packet, disable method
  debug1: Next authentication method: gssapi-with-mic
  debug1: An invalid name was supplied
  Configuration file does not specify default realm
  debug1: An invalid name was supplied
  Configuration file does not specify default realm
  debug2: we did not send a packet, disable method
  debug1: Next authentication method: publickey
  debug1: Trying private key: /var/root/.ssh/identity
  debug1: Trying private key: /var/root/.ssh/id_rsa
  debug1: Trying private key: /var/root/.ssh/id_dsa
  debug2: we did not send a packet, disable method
  debug1: Next authentication method: keyboard-interactive
  debug2: userauth_kbdint
  debug2: we sent a keyboard-interactive packet, wait for reply
  debug2: input_userauth_info_req
  debug2: input_userauth_info_req: num_prompts 1
  Password:
  debug2: input_userauth_info_req
  debug2: input_userauth_info_req: num_prompts 0
  debug1: Authentication succeeded (keyboard-interactive).
  debug1: channel 0: new [client-session]
  debug2: channel 0: send open
  debug1: Requesting [email protected]
  debug1: Entering interactive session.
  debug2: callback start
  debug2: client_session2_setup: id 0
  debug2: channel 0: request pty-req confirm 1
  debug2: channel 0: request shell confirm 1
  debug2: fd 4 setting TCP_NODELAY
  debug2: callback done
  debug2: channel 0: open confirm rwindow 0 rmax 32768
  debug2: channel_input_confirm: type 99 id 0
  debug2: PTY allocation request accepted on channel 0
  debug2: channel 0: rcvd adjust 2097152
  debug2: channel_input_confirm: type 99 id 0
  debug2: shell request accepted on channel 0
  Last login: Thu Jan  3 15:29:33 2013
  Welcome to Darwin!
  admins-mac-mini:~ admin$ exit
  logout
  debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
  debug1: client_input_channel_req: channel 0 rtype [email protected] reply 0
  debug2: channel 0: rcvd eow
  debug2: channel 0: close_read
  debug2: channel 0: input open -> closed
  debug2: channel 0: rcvd eof
  debug2: channel 0: output open -> drain
  debug2: channel 0: obuf empty
  debug2: channel 0: close_write
  debug2: channel 0: output drain -> closed
  debug2: channel 0: rcvd close
  debug2: channel 0: almost dead
  debug2: channel 0: gc: notify user
  debug2: channel 0: gc: user detached
  debug2: channel 0: send close
  debug2: channel 0: is dead
  debug2: channel 0: garbage collecting
  debug1: channel 0: free: client-session, nchannels 1
  Connection to localhost closed.
  Transferred: sent 1888, received 2168 bytes, in 562.1 seconds
  Bytes per second: sent 3.4, received 3.9
  debug1: Exit status 0
  Any help is greatly appreciated.

  admins-mac-mini:/Users/admin root# lsof -i:ssh -sTCP:LISTEN
  lsof: unsupported TCP/TPI info selection: C
  lsof: unsupported TCP/TPI info selection: P
  lsof: unsupported TCP/TPI info selection: :
  lsof: unsupported TCP/TPI info selection: L
  lsof: unsupported TCP/TPI info selection: I
  lsof: unsupported TCP/TPI info selection: S
  lsof: unsupported TCP/TPI info selection: T
  lsof: unsupported TCP/TPI info selection: E
  lsof: unsupported TCP/TPI info selection: N
  lsof 4.77
  latest revision: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/
  latest FAQ: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/FAQ
  latest man page: ftp://lsof.itap.purdue.edu/pub/tools/unix/lsof/lsof_man
  usage: [-?abhlnNoOPRstUvV] [+|-c c] [+|-d s] [+D D] [+|-f[cfgGn]]
  [-F [f]] [-g [s]] [-i [i]] [-k k] [+|-L [l]] [-m m] [+|-M] [-o [o]]
  [-p s] [+|-r [t]] [-S [t]] [-T [t]] [-u s] [+|-w] [-x [fl]] [--] [names]
  Use the ``-h'' option to get more help information.

• Custom SSH adaptor

  It is possible to develop a custom SSH resource adaptor? I've got some homegrown software that runs on a Linux box that I'd like to have managed by Sun IDM. All of the account administration can be done by scripts from the command line, but how would I develop a resource adapter to do that?
  I've read through the documentation on developing custom resources, but what I'm missing is how to establish an ssh connection, and if there is any support for doing the "Expect" type string matching, etc. needed. Are there some standard Java libraries for doing this sort of thing?

  Wouldn't the after/before actions be enough for you?
  We have a customer which has some application with command line interface and the application is accessible via SSH, and users need to have application account and SSH server account as well. We're using after-create action to create the application account.
  This solution is pretty simple and is not perfect by means of reconciliation - you would be able to reconcile ssh accounts only, not the application acounts off course. But if all of your users on the machine should have the application accounts, you can suppose that by reconcilling SSH accounts you also reconcile the application accounts.
  Regards,
  IVan

• I am trying to have access tables of the Sql Server through the Oracle

  I am trying to have access tables of the Sql Server through the Oracle and this being occurred the error:
  ORA-28500: connection from ORACLE to a non-Oracle system returned this message: [Generic Connectivity using ODBC][H006] The init parameter <HS_FDS_CONNECT_INFO> is not set.
  Please set it in init <orasid>.ora file.
  ORA-02063: preceding 2 lines from HSMSQL
  I created the ODBC with name HSMSQL.
  I made all the configurations in the archives
  tnsnames.ora:
  HSMSQL=
  (DESCRIPTION=
  (ADDRESS= (PROTOCOL = tcp)(HOST = wsus)(PORT = 1521))
  (CONNECT_DATA =
  (SID = HSMSQL)
  (HS = OK)
  listener.ora:
  (SID_DESC = (SID_NAME=HSMSQL)
  (ORACLE_HOME= C:\oracle\ora92)
  (PROGRAM =hsodbc)
  initHS_SID.ora:
  HS_FDS_CONNECT_INFO = HSMSQL
  HS_FDS_TRACE_LEVEL = OFF
  -- Create database link
  create database link HSMSQL.US.ORACLE.COM
  connect to TESTE identified by TESTE2
  using 'HSMSQL';
  But when I execute query the error occurs:
  Select * from TabTeste@HSMSQL
  ORA-28500: connection from ORACLE to a non-Oracle system returned this message: [Generic Connectivity using ODBC][H006] The init parameter <HS_FDS_CONNECT_INFO> is not set.
  Please set it in init <orasid>.ora file.
  ORA-02063: preceding 2 lines from HSMSQL
  Please they help me, thanks, Paulo.

  Hi,
  It seems that your configuration is Ok. By the way, the workaround for this error is:
  ORA-28500: connection from ORACLE to a non-Oracle system returned this message:
  [Transparent gateway for ODBC][H001] The environment variable <HS_FDS_CONNECT_INFO> is not set.
  * Set HS_FDS_CONNECT_INFO in the hs{sid}init.ora file to the data source name.
  Example: HS_FDS_CONNECT_INFO = <ODBC DataSource Name>
  * Make sure the hs{sid}init.ora file exists in the ORACLE_HOME/hs/admin directory and has the same name as the SID in the LISTENER.ORA.
  Example: If SID=hsodbc in the listener.ora file, then the hs{sid}init.ora file would be named ORACLE_HOME/hs/admin/inithsodbc.ora
  For more information see if this [url http://forums.oracle.com/forums/thread.jspa?forumID=61&threadID=576975]thread can help you.
  Cheers

• IP Phone SSL VPN through ASA

  Im in the middle of configuring Ip Phone SSL VPN through ASA, got stuck on authentication.. When I enter username and password on the phone screen, i get "Username and password failed" message on the screen. However, in ASA logs I see the following line
  Feb 16 2011    15:12:57    725002    85.132.43.67    52684            Device completed SSL handshake with client vpn:85.132.*.*/52684
  Feb 16 2011    15:17:26    725007    85.132.43.67    52745            SSL session with client vpn:85.132.*.*/52745 terminated.
  What does it mean?  How can I turn on debugging to see what is going on?
  Thank you in advance!

  Hi,
  If you're not using certificates in client authentication then the SSL handshake will complete before the user is requested to authenticate with username/password.  If this authentication request fails you will see the SSL session terminated immediately following this failure (as in the logs you provided).  Notice the 5 seconds between the SSL session establishment and termination, this is most likely when the user is being authenticated against the aaa server.  If the phone is failing authentication against an external aaa-server you'll want to investigate the logs on that server to determine the root cause of the failure.  The ASA can also provide confirmation of the authentication request/reject with the command 'show aaa-server'.  If you want to see what's going on at an authentication protocol level you can enable several debugs including "debug aaa authentication|common|internal' and protocol specific debugs such as 'debug radius user|session|all' or 'debug ldap'.
  Did this answer your question? If so, please mark it Answered!

• How to delete zip file in sftp server

  Hi Gurus,
  I am having one .zip file with data files inside on the sftp server. Can you please how to delete the .zip files in the sftp server. I am able to delete normal files by using 'rm' on sftp.
  And one more request my sftp is prompting for the password everytime, then i need to enter the password manually. Can any one suggest how to write in shell script to accept that.
  Thanks in advance.
  Regards
  Nagendra

  You might want to look into user equivalence and configure a certificate for ssh so it does not prompt for a password.
  It will also allow you to use sftp without a prompt for a password.
  On the server side:
  Edit /etc/ssh/sshd_config and remove the # from the following:
  RSAAuthentication yes
  PubkeyAuthentication yes
  AuthorizedKeysFile .ssh/authorized_keys
  Then restart the ssh server:
  /etc/init.d/sshd restart
  Login as the user for whom this is for:
  su - <username>
  mkdir .ssh
  chmod 700 .ssh
  On the client side:
  Run the following command:
  ssh-keygen -t rsa (omit password)
  Then use the following to copy the public key from the client to the
  corresponding login .ssh directory on the server side;
  scp .ssh/id_rsa.pub username@remote_host:.ssh/authorized_keys

• Error while connecting oracle11g to sql server through transparent gateway

  Hello
  i'm facing this errors when i try to connect oracle 11g to sql server through transparent gateway:
  http://www.freeimagehosting.net/newuploads/d4454.jpg
  the directory for my db is : C:\oracle\product\11.1.0\db1
  and for the gateway: C:\oracle\product\11.1.0\dg4msql
  the configurations i used:
  gateway :
  tnsnames.ora:
  dg4msql =
  (DESCRIPTION=
  (ADDRESS=(PROTOCOL=tcp)(HOST=Kinda-PC)(PORT=1522))
  (CONNECT_DATA=(SID=dg4msql))
  (HS=OK)
  listener.ora:
  GATELIST =
  (DESCRIPTION_LIST =
  (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = Kinda-PC)(PORT = 1522))
  (DESCRIPTION =
  (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1522))
  SID_LIST_LISTENER =
  (SID_LIST =
  (SID_DESC =
  (PROGRAM = dg4msql)
  (SID_NAME = dg4msql)
  (ORACLE_HOME = C:\oracle\product\11.1.0\dg4msql)
  and for the oracle database :
  listener.ora
  LISTENER =
  (DESCRIPTION_LIST =
  (DESCRIPTION =
  (ADDRESS = (PROTOCOL = IPC)(KEY = EXTPROC1521))
  (ADDRESS = (PROTOCOL = TCP)(HOST = Kinda-PC)(PORT = 1521))
  tnsnames.ora:
  DB1 =
  (DESCRIPTION =
  (ADDRESS = (PROTOCOL = TCP)(HOST = Kinda-PC)(PORT = 1521))
  (CONNECT_DATA =
  (SERVER = DEDICATED)
  (SERVICE_NAME = db1)
  gateway =
  (DESCRIPTION=
  (ADDRESS=(PROTOCOL=tcp)(HOST=Kinda-PC)(PORT=1522))
  (CONNECT_DATA=(SID=dg4msql)
  (HS=OK)
  thanks :)
  Edited by: 903043 on Dec 18, 2011 6:18 AM

  Did you go through the various steps in the doc?
  There is a gateway specific forum below;
  Heterogeneous Connectivity
  Cheers
  David

• How can we allow internal users to access internet through ASA firewall?

  Hello,
  I am new to security track, i have been asked to setup lab and allow users from inside firewall to access internet. here is my lab setup
  PC -> switch 1 (layer2) -> (inside) ASA (outside) -> switch 2 (Layer2) -> Router
  does switch 2 port needs internet access through router?
  what configuration required on ASA to allow users behind the firewall to access internet?
  any help on this would be much appreciated.
  thanks,

  Hi,
  Okay , can you clarify on this for me. Are you able to ping the internet from the ASA outside interface ?
  Just try something like this:-
  ping 4.2.2.2 .. Does this work ?
  If this does not work , then i think the ASA even is not able to get to the internet and that would be a problem on the router.
  Also , internet from Switch 2 is not a requirement as that is only a Layer 2 device.
  You can assign the ISP allocated address on the PC , connect it to the Switch 2 port and then try to ping something on the internet or surf internet and i think that should work.
  Thanks and Regards,
  Vibhor Amrodia

• Dear friends i am facing an issue in the hosting of my server from ASA publicly

  i have already assing a public ip addd to the outside interface of the ASA ,My requirement is to configure firewall to host my web server publicly using the public ip not assign to  the outside interface but different subnet,i make every configuration is i have done but i cant ping or connect my web server i can ping the web server from my ASA,but from outside i  cannot reach my webserver.Could anyone help me in this because i am facing problem.
  Below is the configuration of the firewall
  server ip add 10.10.10.4(local,reachable)
  public ip add-78.72.232.66(default gateway)
  sho run configuration of the firewall
  ASA Version 8.2(5)
  hostname TAD-FW
  domain-name tadrees.com
  enable password lpW.MGeEHg0ISQZq encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  interface Ethernet0/0
  description Connected to TAD-Router G0/1
  nameif outside
  security-level 0
  ip address 78.72.29.174 255.255.255.252
  interface Ethernet0/1
  description Connected to Cisco SMB Switch G1
  nameif inside
  security-level 100
  ip address 10.15.1.1 255.255.255.248
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  nameif management
  security-level 100
  no ip address
  management-only
  banner login ********  TADREES FIREWALL ********
  ftp mode passive
  dns domain-lookup outside
  dns server-group DefaultDNS
  name-server 8.8.8.8
  name-server 84.22.224.11
  name-server 84.22.224.12
  domain-name tadrees.com
  access-list split-tunnel standard permit 10.10.0.0 255.255.0.0
  access-list nonat extended permit ip 10.1.1.0 255.255.255.0 10.10.0.0 255.255.0.0
  access-list nonat extended permit ip 10.10.0.0 255.255.0.0 10.1.1.0 255.255.255.0
  access-list Mename-Access extended permit tcp any host78.72.232.66 eq https
  access-list Mename-Access extended permit tcp any host 78.72.232.66 eq www
  pager lines 24
  logging enable
  logging buffered debugging
  logging asdm debugging
  mtu outside 1500
  mtu inside 1500
  mtu management 1500
  ip local pool sslvpnpool 10.1.1.1-10.1.1.254 mask 255.255.255.0
  no failover
  icmp unreachable rate-limit 1 burst-size 1
  asdm image disk0:/asdm-702.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list nonat
  nat (inside) 1 0.0.0.0 0.0.0.0
  static (inside,outside) tcp 78.722..232.66 www 10.10.10.4 www netmask 255.255.255.255
  access-group Mename-Access in interface outside
  router rip
  network 10.0.0.0
  version 2
  route outside 0.0.0.0 0.0.0.0 78.72.29.173 1
  route inside 10.10.10.4 255.255.255.255 10.15.1.1 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  timeout floating-conn 0:00:00
  dynamic-access-policy-record DfltAccessPolicy
  aaa-server TAD-AD protocol nt
  aaa-server TAD-AD (inside) host 10.10.10.1
  aaa authentication ssh console LOCAL
  http server enable 444
  http 192.168.1.0 255.255.255.0 management
  http 0.0.0.0 0.0.0.0 outside
  http 0.0.0.0 0.0.0.0 inside
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 2
  ssh 0.0.0.0 0.0.0.0 outside
  ssh 0.0.0.0 0.0.0.0 inside
  ssh timeout 20
  console timeout 0
  management-access inside
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  webvpn
  enable outside
  no anyconnect-essentials
  svc image disk0:/anyconnect-win-2.5.2014-k9.pkg 1
  svc enable
  tunnel-group-list enable
  internal-password enable
  group-policy sslvpn internal
  group-policy sslvpn attributes
  wins-server none
  dns-server none
  vpn-tunnel-protocol svc webvpn
  split-tunnel-policy tunnelspecified
  split-tunnel-network-list value split-tunnel
  default-domain value tadrees.com
  group-policy DfltGrpPolicy attributes
  webvpn
    svc ask enable default webvpn timeout 30
  username asad password GxozRbsh8Rp9vCkf encrypted privilege 15
  username cisco password HWFflA1bzYiq7Uut encrypted privilege 15
  username naveed password d8KsovrcdE3to7qt encrypted privilege 15
  tunnel-group TAD-SSLV type remote-access
  tunnel-group TAD-SSLV general-attributes
  address-pool sslvpnpool
  authentication-server-group TAD-AD LOCAL
  default-group-policy sslvpn
  tunnel-group TAD-SSLV webvpn-attributes
  group-alias ssl enable
  group-url https://78.93.29.174/ssl enable
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum client auto
    message-length maximum 512
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect rsh
    inspect rtsp
    inspect esmtp
    inspect sqlnet
    inspect skinny
    inspect sunrpc
    inspect xdmcp
    inspect sip
    inspect netbios
    inspect tftp
    inspect ip-options
    inspect icmp
    inspect http
  service-policy global_policy global
  prompt hostname context
  no call-home reporting anonymous
  Cryptochecksum:cec976b762f5e1d9d9856eeb4dea4019
  : end

  Solution, give me your number so we can talk about or setup captures on the ASA to confirm that traffic from the Internet is being routed correctly to the ASA and also review logs.
  capture out interface outside match ip any host 78.93.232.66
  capture in interface inside match ip any host  10.10.10.4
  After you try to access the server via the public IP from an Internet client check the captures:
  show capture
  If you see packets in the capture, download them:
  https://10.15.1.1/capture/in/pcap
  https://10.15.1.1/capture/out/pcap
  It will ask you for your credentials to be able to download the file.
  Check logs via ASDM:
  Log into ASDM > Monitoring > logging > Real Time log viewer
  Type in the external IP address of the server and run another test, if you see logs post them

• Can't connect to local MySQL server through socket '/var/mysql/mysql.sock'

  I'm using the pre-installed versions of php and mysql under Mac OS X Server 10.4.4 running on a G4 and am unable to get anything involving mysql to work.
  I ssh to the server and enter various commands in Terminal:
  on typing "mysql" I get
  ERROR 2002 (HY000): Can't connect to local MySQL server through socket '/var/mysql/mysql.sock' (2)
  and on typing "mysqladmin version" I get
  mysqladmin: connect to server at 'localhost' failed
  error: 'Can't connect to local MySQL server through socket '/var/mysql/mysql.sock' (2)'
  Check that mysqld is running and that the socket: '/var/mysql/mysql.sock' exists!
  On typing "sudo mysqld_safe" I get
  Starting mysqld daemon with databases from /var/mysql
  STOPPING server from pid file /var/mysql/MyServer.local.pid
  070722 16:06:05 mysqld ended
  /var/mysql/MyServer.local.err contains
  070722 16:06:04 mysqld started
  070722 16:06:04 [Warning] Setting lowercase_tablenames=2 because file system for /var/mysql/ is case insensitive
  070722 16:06:04 InnoDB: Database was not shut down normally!
  InnoDB: Starting crash recovery.
  InnoDB: Reading tablespace information from the .ibd files...
  InnoDB: Restoring possible half-written data pages from the doublewrite
  InnoDB: buffer...
  070722 16:06:05 InnoDB: Starting log scan based on checkpoint at
  InnoDB: log sequence number 0 43634.
  /var/mysql has permissions 775.
  The line
  mysql.default_socket = /var/mysql/mysql.sock
  is in /etc/php.ini
  whereis mysqladmin ->
  /usr/bin/mysqladmin
  whereis mysql ->
  /usr/bin/mysql
  ls /var/mysql ->
  MyServer.local.err
  ib_logfile1
  mysql
  ib_logfile0
  ibdata1
  test
  Can't find my.cnf or my.ini anywhere
  Can't find mysql.sock anywhere
  I'm trying to get a bug database running (mantis) under Mac OS X Server 10.4.4 that I can access from local clients.
  I'm trying to follow directions at http://www.mantisbugtracker.com/manual/manual.installation.php
  without knowing anything about mysql or php and I'm stuck on step 3:
  "Next we will create the necessary database tables and a basic configuration
  file."
  I get a message saying
  "Does administrative user have access to the database? ( Lost connection to MySQL server during query )"
  I don't even know if following the mantis directions has resulted in the creation of a database or not. Where would it be?
  Thanks for any help.
  Intel iMac   Mac OS X (10.4.10)  

  I've just done a clean install of OSX Server and added the latest MYSQL packaged installer. Afterwards I found the lock file in /private/tmp/mysql.lock
  The easiest way to solve this problem is to create a symbolic link so that the lock file appears to be in right place.
  e.g.
  cd /var
  sudo mkdir mysql <== this assumes the directory is missing
  cd mysql
  sudo ln -s /private/tmp/mysql.sock mysql.sock
  After this msql commands should work fine, and you've not fiddled with the security settings on users/groups.
  HTH
  Christian

• File upload to sftp server using apex

  We have an SFTP server on Linux and we want to provide users with web-based interface (Oracle APEX has been chosen for that purpose) so they can upload their flat files to our sftp server via secure transmission. is it possible to implement on APEX? What might be possible solution? or any workarouds?
  Thanks in advance.

  Hello Kevin,
  >
  if I got it right, in such a case files have to be stored in database directory, as far as I know APEX only allows to store files in database tables. is there any way to put files to a directory without storing them in tables? For instance, I want files to be placed in some oracle directory when users choose files with FILE BROWSE item and then submit the page.
  >
  Yes APEX stores files to tables, but there is a way to store them to OS directory.
  I don't know much about the plugin SaveToDisk:
  http://apex-plugin.com/oracle-apex-plugins/process-type-plugin/savetodisk_167.html
  but i have tried a blog solution by Håvard Kristiansen and it works fine:
  http://monkeyonoracle.blogspot.in/2009/10/storing-images-outside-oracle-xe-with.html
  He has given this solution to store images outside Oracle XE i.e. to a server directory.
  I had done this way:
  1) User uploads a file through file browse.
  2) The file is stored to APEX_APPLICATION_FILES or WWV_FLOW_FILES.
  3) The file is written to the OS directory using the write_to_file procedure mentioned in the blog.
  Hope it helps!
  Regards,
  Kiran