SSH wont log in remotely

[godinman]

Hi All,

Having a bit of an issue logging in remotely to a pi running Raspbian Jessie Lite, I can access it fine via the local network, but when I try remotely I get 'access denied'. But...I can log in if I change the external port on the router (so port 120 resolves to port 22 internally.

This was sort of fine, but I'm trying to setup ssh keys from a pi on my local network to the remote pi I'm having issues with in the above paragraph. Using the 'cat' command to send the keys made on my pi, I am required to log in to the remote one, when I do I get the 'access denied' error.

Now I'm pretty sure that tomorrow when I take the pi out and try it later on at home that I will be able to send the keys over the lan but the question remains, why do I get access denied when sending stuff remotely? Is it to do with how I'm port forwarding? I haven't set any security stuff up in the pi as far as I know.

I hope some of that makes sense, let me know if there is any more info I can give!

 

[bscott]

By 'change the external port on the router' do you mean that you forward port 120 to the Pi's port 22 but if you don't set up port forwarding you can't connect?

Without port forwarding when you ssh to your external IP you are trying to ssh into your router. You can't connect remotely to your Pi without port forwarding set up on the router so that connecting to say port 2222 on the external IP forwards the traffic to port 22 on the Pi.

 

[joeyjojo]

As above, forward port 22 in the "router" to the pi if you want to be able to just `ssh x.x.x.x` without giving a different port number.

If the pi is going to be exposed to the internet this way, lock it down! Disable root login over SSH, and preferably disable keyboard-interactive (password) login. The Ubuntu page on SSH has the details to give you an idea https://help.ubuntu.com/community/SSH/OpenSSH/Configuring

If I were you I'd set it up locally (same LAN), make sure the keys are working, then it should be a simple case of enabling the port forward to get it working remotely.

 

[godinman]

What I'm saying is that port forwarding only works if I choose a different external port, so if I forward port 22 externally to port 22 on the pi, I still get asked for my password by the pi but I then get 'access denied', but if I choose a different external port then I can login fine. More of a quirk than anything.

I've setup keys now, I found that I hadn't specified the port on the cat transfer :/ so will do as disable other forms of login.

Ideally what I want is a central pi at home that all the others connect to automatically via ssh tunnel using keys, then this should allow me to access them without requiring port forwarding etc at the remote sites. (This is so I can proxy across to lan devices for fault finding etc).

 

[joeyjojo]

As bscott hinted, are you sure that 'access denied' is originating from the Pi?

I've setup keys now, I found that I hadn't specified the port on the cat transfer :/ so will do as disable other forms of login.

I'm a bit confused about this. cat just prints the contents of a file to stdout, it doesn't need a port. To add the key over SSH you're presumably doing something like

scp [-P port] ~/.ssh/id.pub username@ip:.ssh/authorized_keys

You can only cat it onto authorized_keys if you're logged in already.

 

[godinman]

Maybe it's just the the forwarding isn't working correctly and I assumed it was the pi being odd. Will try on a different router..

I haven't got the documentation, but when I sent the keys over I had to initiate an ssh connection to the remote pi to send them over and that failed because I forgot to specify the port.

I think I'm going to start again as I've been messing around with keys and stuff so much that I'm not sure what stage I'm at now!

What I want is a proxy device I can leave on site, but doesn't require port forwarding etc. This is to be achieved by the remote pi setting up an ssh tunnel (I think) to my office pi which can then access the proxy using this, I think?