[c-nsp] PIX, PAT and SSH - not working

Michael K. Smith - Adhost mksmith at adhost.com
Mon Nov 21 20:27:10 EST 2005


I wish it were something so obtuse.  :-)  Turns out we didn't have DNS
entries for the IP addresses so it was failing on the lookup. <sheepish
grin>.

Mike

-----Original Message-----
From: Ted Mittelstaedt [mailto:tedm at toybox.placo.com] 
Sent: Monday, November 21, 2005 4:50 PM
To: mksmith at adhost.com; 'Cisco-Nsp'
Subject: RE: [c-nsp] PIX, PAT and SSH - not working


Common problem when the SSH server is not set to allow password
authentication, and you're trying to use password authentication on the
ssh client.

This can also happen if the ssh server uses a key length longer than
what the client supports.

I noticed on the latest FreeBSD distribution the key length is 2048 bits
and password authentication is turned off, this breaks several older SSH
clients I like, and use regularly.  I expect the current Linux distros do
the same thing.  The first thing I do is turn it back on and regenerate
the keys to 1024 bits.  I am willing to only require the crackers to use
100 years of supercomputer time to brute force my passwords, instead of
1000 years. ;-)

Ted

>-----Original Message-----
>From: cisco-nsp-bounces at puck.nether.net
>[mailto:cisco-nsp-bounces at puck.nether.net]On Behalf Of Michael
>K. Smith - Adhost
>Sent: Thursday, November 17, 2005 8:15 PM
>To: 'Cisco-Nsp'
>Subject: [c-nsp] PIX, PAT and SSH - not working
>
>
>Hello All:
>
>I'm not sure if this is a Pix issue or not, but it's the one device
>common to all clients.  In short, ssh connections initiated from behind
>the firewall to hosts outside the firewall all have the same behavior;
>the hostname is entered and the client starts, there is an unusually
>long pause, then the username prompt is presented, then nothing.
>Finally, after some time the connection times out and the client
>closes.  This has been replicated using 3 different clients on 3
>different OS's (2 Windows, 1 Unix).  All other transmission types
>(http, telnet, smtp, ssl, etc.) work with no trouble.  Finally, there
>are no errors or deny hits in the logs and we're running 6.3.5.
>
>Has anyone ever seen this? I am completely stumped.
>
>Thanks in advance,
>
>Mike
>
>