SSH connection refused

kevinhaag · April 23, 2020, 4:34am

Hi

I’m trying to get ssh running on my vyos router. But everytime i try to connect, i get an connection refused error.
The first problem was i wasn’t able to bind the ssh service to an vif interface. So i have to set

sudo sysctl -w net.ipv4.ip_nonlocal_bind=1

After that i was able to set the address to this interface eth3.1606 and the ssh service was comming up and is listening on this address…

vyos@VyOS-SPOKE-01:~$ netstat -tulpn | grep 22
(No info could be read for “-p”: geteuid()=1003 but you should be root.)
tcp 0 0 10.2.140.1:22 0.0.0.0:* LISTEN -

Interface Configuration:

And then if i’m trying to get a connection on this interface i will get a connection refused.
With tcpdump port 22 i don’t see any connections

Edit: i’m currently running 1.3-rolling-202004220702

Maybe anyone of you have a hint for me

Kind regards
Kevin

pirateghost · April 23, 2020, 1:27pm

set service ssh listen-address <IPOFYOURVIF> works just fine for me.

kevinhaag · April 24, 2020, 4:43am

@pirateghost Thank you for your reply!

Something i forget to say is that i also use vrf…

set interfaces ethernet eth1 vif 600 address '10.2.140.1/24'
set interfaces ethernet eth1 vif 600 description 'mgmt-network'
set interfaces ethernet eth1 vif 600 vrf 'Mgmt'

Just now i tried to remove the vrf option and it works!

But maybe you or someone else have an idea why this is not working with the vrf option?

kevinhaag · April 24, 2020, 10:31am

I think i have to route/forward the incoming traffic in interface eth1.600 to the SSH Daemon or something like this…
Or is there a way in SSH to listen on an interface which is in a diffrent routing table?

pirateghost · April 26, 2020, 12:52am

Sorry, I am not familiar with VRF

g.skupien · April 27, 2020, 8:23pm

Try this one:
set vrf bind-to-all

kevinhaag · April 28, 2020, 5:22am

Hi @g.skupien

Thank you very much for your reply!
Now it works great!

I overread this in the documentation

But one more thing, you need to set this
net.ipv4.ip_nonlocal_bind=1

Binding to Non-local IP addresses in Linux permanently

Create the file:
sudo vi /etc/sysctl.d/99-custom.conf

Add the following lines:

## allow System Services to start and bind to non local IP ##
net.ipv4.ip_nonlocal_bind=1

Apply it:
sudo sysctl -f /etc/sysctl.d/99-custom.conf

Copied from:
https://www.cyberciti.biz/faq/linux-bind-ip-that-doesnt-exist-with-net-ipv4-ip_nonlocal_bind/

Maybe the documentation should be expanded with this…

Kind regards
Kevin

system · April 30, 2020, 5:22am

This topic was automatically closed 2 days after the last reply. New replies are no longer allowed.