Github ssh loging probelm

Similar Messages

• Nginx client_ip in log file, with ssh -R Port forwarding

  Hi, everyone!
  First, I run a nginx server M1 (in my offce)  behind a router R1 and M1's IP addr is 192.168.5.126. I set nginx's log format like this:
  log_format main '$remote_addr - $remote_user [$time_local] "$request" '
  '$status $body_bytes_sent "$http_referer" '
  '"$http_user_agent" "$http_x_forwarded_for"';
  After that, I will get the correct client ip in the access log.
  192.168.5.88 - - [21/Apr/2015:11:12:47 +0800] "GET /js/date.js HTTP/1.1" 200 403 "http://192.168.5.126/" "Mozilla/5.0 (Windows NT 5.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/537.36" "-"
  Then, I want to visit M1 outside (in the campus) .  Unfortunately, I can do nothing with the router R1. But I have a router R2 whose framework is OpenWrt and its IP 222.xx.xx.xx can be visited by anyone who has logged into the campus network.
  Then I wrote a autossh service to do that:
  [Unit]
  Description=AutoSSH service for local port 80 forwarded to 222.xx.xx.xx:80
  # place this in /etc/systemd/system/, than enable this.
  After=network.target
  Requires=nginx.service
  After=nginx.service
  [Service]
  Environment="AUTOSSH_GATETIME=0" "AUTOSSH_POLL=60" "AUTOSSH_LOGFILE=/var/log/nginxssh.log"
  ExecStart=/usr/bin/autossh -M 22000 -NR 222.xx.xx.xx:808:localhost:808 -NR 222.xx.xx.xx:80:localhost:80 -o TCPKeepAlive=yes -p xxxx [email protected] -i /home/username/.ssh/id_rsa
  [Install]
  WantedBy=multi-user.target
  Yeah, It works! BUT BUT when someone visits 222.xx.xx.xx, I lost the  the client ip in nginx log file. That would always be 127.0.0.1, why?
  127.0.0.1 - - [27/Apr/2015:00:34:07 +0800] "GET /static/mathjax/MathJax.js?config=TeX-AMS_HTML HTTP/1.1" 304 0 "http://222.xx.xx.xx:808/url/jakevdp.github.com/downloads/notebooks/XKCD_plots.ipynb" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:37.0) Gecko/20100101 Firefox/37.0" "-"
  After ``ssh -R Port forwarding``,  client ip is lost?
  If so,  what should I use to replace ``ssh -R``?
  Last edited by limser (2015-05-04 12:39:18)

  It seems there is a port forwarding configuration trouble with you modem.
  When you access from the WAN or from the LAN, you don't enter in you modem the same way, so the behavior is different.
  It seems that the port 22 of your modem is not directly forwarded to your server. The modem itself asks you a login/password. The key-pair authentification is between laptop and server. The modem itself is not recognized during this authentification.
  Don't touch your ssh-config. It's OK since it was working for monthes before you change your modem.

• Seahorse keeps asking about password, even when ssh-key is used

  Hi,
  I want easy access to my repos on bitbucket.
  I have set my id_rsa.pub in bitbucket preferences, but when I try take any action on repo I have to type password .
  First there is graphical popup menu to type password, when I cancel it I can type password in terminal.
  error: unable to read askpass response from '/usr/lib/seahorse/seahorse-ssh-askpass'
  Password for 'https://[email protected]':
  I have tried set ssh-key for bitbucket on my raspberry pi, and it works properly (no password is needed).

  I do not use Bitbucket, but I think this is similar to the issue with GitHub that I have noticed. Basically, when the url scheme of the remote is https:// , I am always asked for a password, but when there is no scheme (for github this is 'remote  [email protected]:XXX/XXX') (or when the scheme is ssh:// , I assume), the ssh key is used.
  I suggest you see whether you can use an alternate url scheme and see if it fixes the problem.
  Hope this helps!

• [SOLVED] SSH, email - connection 'hangs'

  Hello,
  I have a problem with connections at work - it happens only at work, I tried on Arch and also Debian.
  I haven't noticed it to affect 'web browsing' - it affects for sure ssh (incl. git) and sending email mesages.
  What happens:
  About 3/4 of times I try to send an email (google account from thunderbird), or log in to one of our servers with ssh (or pull/push some code from/to github) the connection 'hangs' and nothing happens. If I try ^C and 'redo' few times I finally manage to log in.
  Log from ssh (unsuccessfull connection):
  ssh bb5 -vvvv
  OpenSSH_5.9p1, OpenSSL 1.0.0g 18 Jan 2012
  debug1: Reading configuration data /home/kaczor/.ssh/config
  debug1: /home/kaczor/.ssh/config line 18: Applying options for bb5
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug2: ssh_connect: needpriv 0
  debug1: Connecting to XXX.XXX.XXX.XXX [XXX.XXX.XXX.XXX] port 22.
  debug1: Connection established.
  debug3: Incorrect RSA1 identifier
  debug3: Could not load "/home/kaczor/.ssh/id_rsa" as a RSA1 public key
  debug1: identity file /home/kaczor/.ssh/id_rsa type 1
  debug1: identity file /home/kaczor/.ssh/id_rsa-cert type -1
  debug1: identity file /home/kaczor/.ssh/id_dsa type -1
  debug1: identity file /home/kaczor/.ssh/id_dsa-cert type -1
  debug1: identity file /home/kaczor/.ssh/id_ecdsa type -1
  debug1: identity file /home/kaczor/.ssh/id_ecdsa-cert type -1
  [-- and I can wait for ages on this --]
  If the login is successfull the next lines are:
  debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6+squeeze1
  debug1: match: OpenSSH_5.5p1 Debian-6+squeeze1 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_5.9
  debug2: fd 3 setting O_NONBLOCK
  My /etc/ssh/ssh_config on Arch is default (everything commented out)
  ~/.ssh/config has only few Host, User, entries
  On Debian:
  /etc/ssh/ssh_config
  Host *
  SendEnv LANG LC_*
  HashKnownHosts yes
  GSSAPIAuthentication yes
  GSSAPIDelegateCredentials no
  Trying to ssh to server's IP doesn't change anything.
  Any ideas how could I track where lies the problem? Or maybe I could at least make it 'retry' automatically?
  Edit:
  After setting timeout in ssh_config I get
  Connection timed out during banner exchange
  at the end of unsuccessfull connection.
  Last edited by kaczor1984 (2012-04-24 15:15:17)

  firecat53 wrote:
  Try downgrading openssl and openssh to the previous versions. I had issues similiar (but not exactly) to this. I think try openssl-1.0.0.h and openssh-5.9p1-5
  Scott
  On Debian the openssl is 0.9.8g-15 and openssh is 5.1p1-5
  Gcool wrote:Try connecting with the "-o ConnectTimeout=60" parameter....
  I've set it already in ssh_config file (see my edit). Is there any way to make ssh 'retry' few times because now it gives up after first failure.
  I've set   ConnectionAttempts 5 but i'm not sure if it works - I'll have to give it another try on tuesday.
  mr.MikyMaus wrote:Can it be that your employer does not like encrypted traffic in his network? I could imagine an IPS system trying to decipher the connection... Try moving the server-side ssl service to a non-standard port if you can...
  It is possible - however I don't know exactly how is the network 'distributed'. Maybe I'll try to change it at least at one server and give it a try.
  Anyway - what about emails for example - this uses port 25 (smtp on gmail) and is experiencing the same problems (message sending lasts until timeout 8 out of 10 times).
  I don't know too much about networks - maybe there is some kind of service which doesn't work properly in my network at the office. Any clues what could it be?
  Most important for me is to make 'git pull' work - because it's executed automatically on those Debian boxes and if it fails they are not updated.
  So solution like 'make it retry 10 times per 5 seconds' will do the job for 90% cases I think.

• GPG-AGENT "ignoring" pinentry program? wrong pinentry app for ssh-keys

  Hi!
  I am using gpg-agent to handle my gpg keys and wanted it to handle my ssh keys too, since it is running anyway.
  it works perfectly fine with gpg keys, my pinentry program is pinentry-qt4 , upon request that window pops up for me to enter my passphrase.
  as window manager i use awesome wm.
  however, when i try to use my ssh key, e.g. for github, no pinentry program pops up and in xterm it looks like:
  [me@mybox dotfiles]$ git push origin master
  it seems that is is waiting for my passphrase input but it isnt asking for it. neither does it accept it.
  when i quit my WM, i see that it executed the pinentry program directly in my tty1, to which i do not have access while running my WM.
  my gpg-agent.conf:
  me@mybox ~/.gnupg> cat gpg-agent.conf
  default-cache-ttl 300
  max-cache-ttl 7200
  pinentry-program /usr/bin/pinentry-qt4
  how do i get gpg-agent to respect my pinentry choice for my ssh keys as well?
  thanks for your time !

  I use this
  $ cat /etc/kde/env/gpg-agent-startup.sh
  #!/bin/sh
  # see https://wiki.archlinux.org/index.php/SSH_Keys
  GPG_AGENT=/usr/bin/gpg-agent
  ## Run gpg-agent only if not already running, and available
  if [ -x "${GPG_AGENT}" ] ; then
  # check validity of GPG_SOCKET (in case of session crash)
  GPG_AGENT_INFO_FILE=${HOME}/.gpg-agent-info
  if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
  GPG_AGENT_PID=`cat ${GPG_AGENT_INFO_FILE} | grep GPG_AGENT_INFO | cut -f2 -d:`
  GPG_PID_NAME=`cat /proc/${GPG_AGENT_PID}/comm`
  if [ ! "x${GPG_PID_NAME}" = "xgpg-agent" ]; then
  rm -f "${GPG_AGENT_INFO_FILE}" 2>&1 >/dev/null
  else
  GPG_SOCKET=`cat "${GPG_AGENT_INFO_FILE}" | grep GPG_AGENT_INFO | cut -f1 -d: | cut -f2 -d=`
  if ! test -S "${GPG_SOCKET}" -a -O "${GPG_SOCKET}" ; then
  rm -f "${GPG_AGENT_INFO_FILE}" 2>&1 >/dev/null
  fi
  fi
  unset GPG_AGENT_PID GPG_SOCKET GPG_PID_NAME SSH_AUTH_SOCK
  fi
  if [ -f "${GPG_AGENT_INFO_FILE}" ]; then
  eval "$(cat "${GPG_AGENT_INFO_FILE}")"
  eval "$(cut -d= -f 1 "${GPG_AGENT_INFO_FILE}" | xargs echo export)"
  export GPG_TTY=$(tty)
  else
  eval "$(${GPG_AGENT} -s --enable-ssh-support --daemon --pinentry-program /usr/bin/pinentry-qt4 --write-env-file)"
  fi
  fi
  I think I could probably use the /etc/profile.d location but when I first set it up, kde was already running gpg-agent so I adapted its file. Later, I uninstalled the thing which does that in kde and just kept my own customised version.
  Are you sure that your xinitrc isn't starting a second gpg-agent?

• [SOLVED] Can't push to github (openssh-askpass fails to authenticate)

  Greetings
  I am having trouble pushing to github. I have added my public key to github
  and checked that it works using
  ssh -T [email protected]
  When I try to use git to do a git push origin master I get a password prompt
  dialog from openssh-askpass. I tried removing openssh-askpass but it seems
  there is not fallback as I get an error of it missing.
  There are two dialogs that pop up and I think they don't do the same thing
  even though they both ask the same thing viz "enter your ssh passphrase"
  I think the first one is actually asking for my username and the second one
  is the passphrase. I have tried entering "git" as a username, my github
  username and my passphrase as instructed and this all fails to authenticate.
  I also can't find where the logs are for openssh. I did
  tail -f /var/log/*
  and nothing changes while try to login.
  Is there a configuration for git to use openssh-askpass which was added
  that I missed?
  Which logs should I be looking at?
  Last edited by lunamystry (2012-09-07 12:26:49)

  This is my solution which seems to work:
  After web searching the error I got, I found that there is an environment
  variable GIT_ASKPASS and SSH_ASKPASS which launch whatever you tell
  them to get the passphrase.
  GIT_ASKPASS is not set by default and git calls SSH_ASKPASS instead.
  One of them has to be set otherwise git (and I assume ssh if SSH_ASKPASS
  is not set) will not use the passphrase but  will prompt for the password.
  The password in my case was the github password. I installed ksshaskpass
  because I am on KDE and that removed ssh_askpass and integrates with
  KWallet. Here are the commands I used in case the above was not clear:
  export SSH_ASKPASS=""
  sudo pacman -S ksshaskpass
  export GIT_ASKPASS="/usr/bin/ksshaskpass"
  cd Projects/Scripts/
  git push origin master
  You obviously don't need the last two commands.

• Unable to create ssh key

  Hi all,
  I'm having trouble creating an ssh key in the Terminal on Snow Leopard.  Here are the steps I follow:
  $ ssh-keygen -t rsa
  Generating public/private rsa key pair.
  Enter file in which to save the key (/Users/.../.ssh/id_rsa): (I hit enter)
  /Users/.../.ssh/id_rsa already exists.
  Overwrite (y/n)? y
  Enter passphrase (empty for no passphrase):
  Enter same passphrase again:
  (And then I see this message:)
  open /Users/.../.ssh/id_rsa failed: Is a directory.
  Saving the key failed: /Users/.../.ssh/id_rsa.
  How can I bypass this error?  I thought maybe the problem is that I have a previous keypair, but if so I followed the steps outlined in http://help.github.com/mac-set-up-git/ to remove the old pair before generating the new one, and I still get the same error message. 
  Any help would be greatly appreciated.
  T

  I actually fixed the problem, if anyone else comes across it: if facing this issue, when backing up and removing existing ssh keys before generating new ones, the command should be
  $ cp -R id_rsa* key_backup
  (Add the -R to the line in the GitHub instructions.)

• Unable to create a SSH key

  Hi,
  Not sure if this is the right place to post, so I hope you can help me, basically I am tryin to setup github using the command line instructions but I am unable to do it using the Terminal, here a copy/paste from the terminal:
  +Ricardo-Sanchezs-MacBook-Pro:~ nardove$ ssh-keygen -t rsa -C "[email protected]"+
  +Generating public/private rsa key pair.+
  +Enter file in which to save the key (/Users/nardove/.ssh/id_rsa):+
  +*Could not create directory '/Users/nardove/.ssh'.*+
  +Enter passphrase (empty for no passphrase):+
  +Enter same passphrase again:+
  +open /Users/nardove/.ssh/id_rsa failed: *No such file or directory.*+
  +Saving the key failed: /Users/nardove/.ssh/id_rsa.+
  +Ricardo-Sanchezs-MacBook-Pro:~ nardove$+
  I hope that makes sense, and here is a link to the instructions I am following
  http://help.github.com/mac-key-setup/
  Any help will be much appreciated!
  Cheers
  rS

  Can you post the output of
  # ls -la ~
  (only interested in the .ssh directory permissions)
  For reference, here's mine:
  drwx------ 4 krism staff 136B Aug 5 15:44 .ssh

• Zuul - Simple two-factor authentication for SSH unless using publickey

  To quote myself:
  I wrote:I have a few machines I want to access using SSH. I use public keys when connecting from a trusted computer. However, I also want to access the machines from other computers using passwords. To eliminate the consequences of brute force password cracking or even stolen passwords, I been looking for a two-factor authentication scheme to use if anything but public keys are used. The method described here lets me log in using publickeys without any further hassle, while I must enter a second, one time password delivered to my mobile phone by email if I use a password.
  Comments are welcome! (Especially on a better way to figure out what authentication method the current SSH session used)
  https://github.com/halhen/techsperiment … aster/zuul

  Finally, this is what I looking. Thanks for giving the link.

• Cdot with ssh keys for domain accounts

  Has anyone on this board got ssh working with domain keys for cdot??

  I use multiple keys; it is easy enough to manage them using keyring, and it means that I am able to compartmentalize them according to use case: work (which I obviously have a professional interest as well as personal in protecting) home (one for each box), and then keys for specific tasks (eg., automated backups, acess to particular services like github, mercurial etc).
  This means that if one key is compromised, the others are unaffected and I can revoke the compromised key and, after cleaning up the mess as best I can, generate another and move on.
  The only system I employ is to give each key a meaningful name (having multiple keys named id_{d,r}sa doesn't scale at all) and a policy of only adding the minimum necessary keys to each box's keyring; again, entering all the passphrases with any frequency helps manage this tendency.
  I am also very careful about the key on my android as I see this as the most obvious risk: losing your phone is a pain; losing your phone and potentially relinquishing the key on it would be catastrophically asinine...

• Ssh use

  I can't get in to the home machine via ssh.
  What do I need to change?
  I have Remote LogIn set on Sharing Prefs.
  I have 22 PF'd on the router to the Mac.
  I am behind a FiOS ActionTec router, FYI.
  ssh [email protected]

  The '-t' option has to do with using ssh in scripts where there may not be a terminal to attach to. I include it in my example because if you script this procedure, you're going to wonder why it has issues.
  The '-C' option turns on data compression. For VNC it helps a small amount.
  As for key-based login... SSH is secure because it uses two-factor encryption to secure the information that's sent using the protocol, that's the "secure" part of the protocol. The one weakness, however, is that if you use your regular username and password, an attacker has a relatively good chance of figuring those out using what's called a "dictionary attack" (namely, they try millions of usernames and passwords one after another until one eventually works). While that sounds slow, it is still fairly effective.
  SSH, however, provides a means for you to login without using a password - and you can even disable password-based logins altogether. This involves creating a secure "key-pair" used for loging into your computer. You generate the key-pair on the remote machine that you want to authorize to connect. The public key from the pair, you append to the file ~/.ssh/authorized_keys on your home computer, and the private key you use to login (if you are on a Mac, you put it in ~/.ssh/id_rsa and it will be used automaticall).
  These keys are random 2 kilobit or 4 kilobit keys and would take comparatively much longer to attempt to guess (hundreds of years), and you can revoke a key for a remote system by simply removing it from the authorized key list.
  See http://www.google.com/search?q=passwordless+ssh+setup

• Sshmc - control music from anywhere via SSH

  SSH Music Controller
  Information:
  * Written in python
  * Allows you to play, pause, skip forward, skip backwards, and stop a song on a remote computer
  * Adjust volume on a remote computer
  Screenshot:
  Known bugs:
  * If the song ends and goes on to the next song, the line of text that displays the current song doesn't change. A workaround is to press play.
  Currently supported music players:
  * ncmpcpp
  Dependencies for client machine (controlling the music):
  * python (official repos)
  * wxpython (official repos)
  Dependencies for remote machine (playing the music):
  * one of the supported music players from above
  Installation (this requires git):
  1) First, clone the files from my github:
  $ git clone git://github.com/itsbrad212/sshmc.git
  2) Run the install script on the client machine as root
  # ./install.sh
  3) Edit /usr/share/sshmc/sshmc.py to set the IP address of the remote machine, the SSH port to use, and the user to login as
  4) You're done! You should now be able to launch the application by executing the sshmc command from wherever you choose.
  Configuration:
  * Edit /usr/share/sshmc/sshmc.py to set the IP address of the remote machine, the SSH port to use, and the user to login as
  Footnotes:
  * Please report any bugs so I can fix them
  * If you would like support for your music player, just ask
  * I am using keychain so I am not prompted with an SSH password. I strongly reccomend using this, or using a public key.
  Changelog:
  * Added an install script and icons (7/23/10)
  * Removed need for amixer-wrapper [falconindy] (7/25/10)
  Last edited by itsbrad212 (2010-07-25 19:06:53)

  falconindy wrote:
  A few points:
  * You've left yourself hardcoded in def PlaySong. On line 91:
  os.system("ssh -p 22 [email protected] 'ncmpcpp play'")
  * A separate user based config file would be good to have rather than editing the script itself.
  * I don't understand the need for the C wrapper on amixer when a python function would suffice to read and parse the output.
  * Consider adopting, updating, and using python-mpdclient. It would allow you to do a lot more things solely in Python rather than constantly forking and calling the OS. ...I suppose at that point, you're moving towards a more full fledged MPD client.
  Crap...thanks for those tips falconindy. I had removed that hardcoded portion, but I forgot to commit the changes I'll definitely check out python-mpdclient.
  Also, about the C wrapper: It's all I could find at the moment. If you, myself, or someone else could find/write something in python, I'll be happy to replace amixer-wrapper. I will most likely make a seperate config file as well. This release was an sort of an alpha.
  Last edited by itsbrad212 (2010-07-25 17:36:20)

• SSH Passphrase Window

  Hello everyone,
  I recently switched to xfce from gnome3. I use SSH keys with a passphrase for logging into my servers and github and such. Whenever I SSH'd into my network server in gnome3, a window used to popup asking me for my passphrase. I like this window, but it doesn't show up in xfce. I tried using keychain, but it always asks for the password whether I use the SSH key or not.
  I also tried setting $SSH_ASKPASS to gnome-ssh-askpass.sh, but the window never pops up. The gnome-ssh-askpass package is installed.
  I also tried using nm-applet to unlock the keyring after login. I have no problems with NetworkManager connecting to my wifi.
  I am not using xfce4 directly, only it's settings system (xfsettingsd). I am not logging into xfce4-session. My window manager is wmfs.
  So, does anyone know how gnome handles this, or where I can look. I am thinking gnome-keyring, but I am not sure. I want to know why I get a window when I try to use a key in gnome..
  Thank you for your time.
  Last edited by demizer (2011-08-13 20:13:49)

  graysky wrote:https://wiki.archlinux.org/index.php/GNOME_Keyring
  Thank you for the help, but I have done that already aswell. Seahorse shows my ssh key under private keys, but SSH doesn't use it:
  [~]
  [demizer@helium]$ ssh demizer@lithium
  Enter passphrase for key '/home/demizer/.ssh/id_dsa':
  Basically want to know how gnome detects this and shows a password box so I can implement that into my desktop.

• How do I disable password based login for ssh

  Before upgrading to Mountain Lion I had setup my computer to allow remote login via SSH. Now that I have upgraded I can no longer login to my computer via SSH without specifying a password.  How do I get back to not having to supply a password to login?
  I created a user named `remotepair` and generated a RSA ssh key. I had setup password-less login to this user by adding the public keys of those who login to the ~/.ssh/authorized_keys file and the following settings in /etc/sshd_config
  Protocol 2
  PubkeyAuthentication yes
  PermitRootLogin no
  PasswordAuthentication no
  PermitEmptyPasswords no
  ChallengeResponseAuthentication no
  AllowUsers remotepair
  I also created a question on ServerFault about other issues I have with SSH. I solved the issue by doing a PRAM reset.
  Since my settings are no longer working for password-less login, how do I enable password-less login to my Mountain Lion enable Mac?

  Output for ssh -vvv [email protected]
  OpenSSH_5.9p1, OpenSSL 0.9.8r 8 Feb 2011
  debug1: Reading configuration data /Users/jjasonclark/.ssh/config
  debug1: Reading configuration data /usr/local/Cellar/openssh/5.9p1/etc/ssh_config
  debug2: ssh_connect: needpriv 0
  debug1: Connecting to home.jjasonclark.com [50.47.10.153] port 22.
  debug1: Connection established.
  debug3: Incorrect RSA1 identifier
  debug3: Could not load "/Users/jjasonclark/.ssh/id_rsa" as a RSA1 public key
  debug1: identity file /Users/jjasonclark/.ssh/id_rsa type 1
  debug1: identity file /Users/jjasonclark/.ssh/id_rsa-cert type -1
  debug1: identity file /Users/jjasonclark/.ssh/id_dsa type -1
  debug1: identity file /Users/jjasonclark/.ssh/id_dsa-cert type -1
  debug1: identity file /Users/jjasonclark/.ssh/id_ecdsa type -1
  debug1: identity file /Users/jjasonclark/.ssh/id_ecdsa-cert type -1
  debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu7
  debug1: match: OpenSSH_5.3p1 Debian-3ubuntu7 pat OpenSSH*
  debug1: Enabling compatibility mode for protocol 2.0
  debug1: Local version string SSH-2.0-OpenSSH_5.9
  debug2: fd 3 setting O_NONBLOCK
  debug3: load_hostkeys: loading entries for host "home.jjasonclark.com" from file "/Users/jjasonclark/.ssh/known_hosts"
  debug3: load_hostkeys: found key type RSA in file /Users/jjasonclark/.ssh/known_hosts:20
  debug3: load_hostkeys: loaded 1 keys
  debug3: order_hostkeyalgs: prefer hostkeyalgs: [email protected],[email protected],ssh-rsa
  debug1: SSH2_MSG_KEXINIT sent
  debug1: SSH2_MSG_KEXINIT received
  debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-e xchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14
  -sha1,diffie-hellman-group1-sha1
  debug2: kex_parse_kexinit: [email protected],[email protected],ssh-rsa,[email protected],[email protected],ecd
  [email protected],[email protected],[email protected],ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
  debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blow fish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.
  liu.se
  debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blow fish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.
  liu.se
  debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha
  1-96,hmac-md5-96
  debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,[email protected],hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,[email protected],hmac-sha
  1-96,hmac-md5-96
  debug2: kex_parse_kexinit: none,[email protected],zlib
  debug2: kex_parse_kexinit: none,[email protected],zlib
  debug2: kex_parse_kexinit:
  debug2: kex_parse_kexinit:
  debug2: kex_parse_kexinit: first_kex_follows 0
  debug2: kex_parse_kexinit: reserved 0
  debug2: mac_setup: found hmac-md5
  debug1: kex: server->client aes128-ctr hmac-md5 none
  debug2: mac_setup: found hmac-md5
  debug1: kex: client->server aes128-ctr hmac-md5 none
  debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
  debug2: dh_gen_key: priv key bits set: 125/256
  debug2: bits set: 510/1024
  debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
  debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
  debug1: Server host key: RSA 80:b1:a1:11:8f:73:3a:bf:29:04:e9:70:18:d8:d5:cd
  debug3: load_hostkeys: loading entries for host "home.jjasonclark.com" from file "/Users/jjasonclark/.ssh/known_hosts"
  debug3: load_hostkeys: found key type RSA in file /Users/jjasonclark/.ssh/known_hosts:20
  debug3: load_hostkeys: loaded 1 keys
  debug3: load_hostkeys: loading entries for host "50.47.10.153" from file "/Users/jjasonclark/.ssh/known_hosts"
  debug3: load_hostkeys: found key type RSA in file /Users/jjasonclark/.ssh/known_hosts:20
  debug3: load_hostkeys: loaded 1 keys
  debug1: Host 'home.jjasonclark.com' is known and matches the RSA host key.
  debug1: Found key in /Users/jjasonclark/.ssh/known_hosts:20
  debug2: bits set: 475/1024
  debug1: ssh_rsa_verify: signature correct
  debug2: kex_derive_keys
  debug2: set_newkeys: mode 1
  debug1: SSH2_MSG_NEWKEYS sent
  debug1: expecting SSH2_MSG_NEWKEYS
  debug2: set_newkeys: mode 0
  debug1: SSH2_MSG_NEWKEYS received
  debug1: Roaming not allowed by server
  debug1: SSH2_MSG_SERVICE_REQUEST sent
  debug2: service_accept: ssh-userauth
  debug1: SSH2_MSG_SERVICE_ACCEPT received
  debug2: key: /Users/jjasonclark/.ssh/id_rsa (0x7fbb53c14d60)
  debug2: key: /Users/jjasonclark/.ssh/github (0x7fbb53c15600)
  debug2: key: /Users/jjasonclark/.ssh/id_dsa (0x0)
  debug2: key: /Users/jjasonclark/.ssh/id_ecdsa (0x0)
  debug1: Authentications that can continue: publickey,password
  debug3: start over, passed a different list publickey,password
  debug3: preferred publickey,keyboard-interactive,password
  debug3: authmethod_lookup publickey
  debug3: remaining preferred: keyboard-interactive,password
  debug3: authmethod_is_enabled publickey
  debug1: Next authentication method: publickey
  debug1: Offering RSA public key: /Users/jjasonclark/.ssh/id_rsa
  debug3: send_pubkey_test
  debug2: we sent a publickey packet, wait for reply
  debug1: Authentications that can continue: publickey,password
  debug1: Offering RSA public key: /Users/jjasonclark/.ssh/github
  debug3: send_pubkey_test
  debug2: we sent a publickey packet, wait for reply
  debug1: Authentications that can continue: publickey,password
  debug1: Trying private key: /Users/jjasonclark/.ssh/id_dsa
  debug3: no such identity: /Users/jjasonclark/.ssh/id_dsa
  debug1: Trying private key: /Users/jjasonclark/.ssh/id_ecdsa
  debug3: no such identity: /Users/jjasonclark/.ssh/id_ecdsa
  debug2: we did not send a packet, disable method
  debug3: authmethod_lookup password
  debug3: remaining preferred: ,password
  debug3: authmethod_is_enabled password
  debug1: Next authentication method: password
  [email protected]'s password:

• Not able to connecct SSH

  Hi
  I configured Cisco ASA5510 firewall, but i am facing the problem with ssh login, i gave ssh for inside and outside access, but i am getting "server ... error" i enabled LOCAL  for the authentication for ssh and HTTP. and i am able to acees the device through HTTP using ASDM, but not able to access from outside.
  please find the configuration
  thanks in advance
  regards
  Javahar
  ASA Version 8.2(1)
  hostname ASA5510
  domain-name default.domain.invalid
  enable password Nbxmt7LFbcxtLo.o encrypted
  passwd 2KFQnbNIdI.2KYOU encrypted
  names
  name 10.251.38.0 SAP_remote
  interface Ethernet0/0
  nameif inside
  security-level 100
  ip address 192.168.1.1 255.255.255.0
  interface Ethernet0/1
  nameif outside
  security-level 0
  ip address xxx.xxx.xxx.xxx 255.255.255.252
  interface Ethernet0/2
  shutdown
  no nameif
  no security-level
  no ip address
  interface Ethernet0/3
  shutdown
  no nameif
  no security-level
  no ip address
  interface Management0/0
  shutdown
  no nameif
  no security-level
  no ip address
  ftp mode passive
  dns server-group DefaultDNS
  domain-name default.domain.invalid
  access-list inside_nat0_outbound extended permit ip 192.168.1.0 255.255.255.0 SAP_remote 255.255.255.128
  access-list outside_cryptomap extended permit ip 192.168.1.0 255.255.255.0 SAP_remote 255.255.255.128
  access-list outside_cryptomap_1 extended permit ip 192.168.1.0 255.255.255.0 SAP_remote 255.255.255.128
  pager lines 24
  logging enable
  logging asdm informational
  mtu inside 1500
  mtu outside 1500
  icmp unreachable rate-limit 1 burst-size 1
  icmp permit any inside
  icmp permit any outside
  asdm image disk0:/asdm-621.bin
  no asdm history enable
  arp timeout 14400
  global (outside) 1 interface
  nat (inside) 0 access-list inside_nat0_outbound
  nat (inside) 1 0.0.0.0 0.0.0.0
  route outside 0.0.0.0 0.0.0.0 115.115.169.241 1
  timeout xlate 3:00:00
  timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
  timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
  timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
  timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
  timeout tcp-proxy-reassembly 0:01:00
  dynamic-access-policy-record DfltAccessPolicy
  no snmp-server location
  no snmp-server contact
  snmp-server enable traps snmp authentication linkup linkdown coldstart
  crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-SHA esp-aes esp-sha-hmac
  crypto ipsec transform-set ESP-AES-256-MD5 esp-aes-256 esp-md5-hmac
  crypto ipsec transform-set ESP-DES-MD5 esp-des esp-md5-hmac
  crypto ipsec transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
  crypto ipsec transform-set ESP-AES-128-MD5 esp-aes esp-md5-hmac
  crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
  crypto ipsec transform-set ESP-AES-192-MD5 esp-aes-192 esp-md5-hmac
  crypto ipsec transform-set ESP-AES-192-SHA esp-aes-192 esp-sha-hmac
  crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
  crypto ipsec security-association lifetime seconds 28800
  crypto ipsec security-association lifetime kilobytes 4608000
  crypto map outside_map 1 match address outside_cryptomap_1
  crypto map outside_map 1 set peer XXX.XXX.XXX.20
  crypto map outside_map 1 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map 2 match address outside_cryptomap
  crypto map outside_map 2 set pfs group5
  crypto map outside_map 2 set peer XXX.XXX.XXX.20
  crypto map outside_map 2 set transform-set ESP-AES-128-SHA ESP-AES-128-MD5 ESP-AES-192-SHA ESP-AES-192-MD5 ESP-AES-256-SHA ESP-AES-256-MD5 ESP-3DES-SHA ESP-3DES-MD5 ESP-DES-SHA ESP-DES-MD5
  crypto map outside_map interface outside
  crypto isakmp enable inside
  crypto isakmp enable outside
  crypto isakmp policy 10
  authentication pre-share
  encryption 3des
  hash sha
  group 5
  lifetime 28800
  http server enable
  http 0.0.0.0 0.0.0.0 inside
  http 0.0.0.0 0.0.0.0 outsde
  ssh 0.0.0.0 0.0.0.0 inside
  ssh 0.0.0.0 0.0.0.0 outsde
  telnet 0.0.0.0 0.0.0.0 inside
  telnet timeout 5
  ssh timeout 5
  console timeout 0
  threat-detection basic-threat
  threat-detection statistics access-list
  no threat-detection statistics tcp-intercept
  username test1234 password /FzQ9W6s1KjC0YQ7 encrypted
  username cisco1234 password 5sSb..e9ZNWMmk2e encrypted privilege 15
  tunnel-group Remote-p2p-vpn type ipsec-l2l
  tunnel-group Remote-p2p-vpn ipsec-attributes
  pre-shared-key *
  tunnel-group XXX.XXX.XXXX.20 type ipsec-l2l
  tunnel-group XXX.XXX.XXXX.20 ipsec-attributes
  pre-shared-key *
  class-map inspection_default
  match default-inspection-traffic
  policy-map type inspect dns preset_dns_map
  parameters
    message-length maximum 512
  message-length maximum client auto
  policy-map global_policy
  class inspection_default
    inspect dns preset_dns_map
    inspect ftp
    inspect h323 h225
    inspect h323 ras
    inspect netbios
    inspect rsh
    inspect rtsp
    inspect skinny 
    inspect esmtp
    inspect sqlnet
    inspect sunrpc
    inspect tftp
    inspect sip 
    inspect xdmcp
  service-policy global_policy global
  prompt hostname context
  Cryptochecksum:83eab0b7ae2d2d9e74f8ea0b005076ea
  : end

  Hi,
  Did you issue the command
  ASA(config)# crypto key generate rsa modulus 2048
  So that you can use SSH.
  EDIT: I would suggest narrowing down the source address from where you can connect to the ASA from "outside" if possible.
  - Jouni