| Both sides previous revisionPrevious revisionNext revision | Previous revision |
| faq:tcpip [2018/03/04 22:53] – [Ports] Add port 587 deuce | faq:tcpip [2025/01/29 23:12] (current) – [SSH Session Key] Added some common logged ssh errors nelgin |
|---|
| * [[#ftp_connect|Why can't users connect to my FTP server]]? | * [[#ftp_connect|Why can't users connect to my FTP server]]? |
| * [[#ftp_nat|Why do FTP clients lock-up or time-out when listing directories or downloading files from my FTP server]]? | * [[#ftp_nat|Why do FTP clients lock-up or time-out when listing directories or downloading files from my FTP server]]? |
| | * [[#ftp_html|Why won't a web browser render HTML content from my FTP Server]]? |
| * [[#bind|Why do some or all of my servers get bind errors when starting or recycling]]? | * [[#bind|Why do some or all of my servers get bind errors when starting or recycling]]? |
| * [[#bandwidth|How many nodes/clients/users can I support with my Internet connection]]? | * [[#bandwidth|How many nodes/clients/users can I support with my Internet connection]]? |
| * [[#block_hackers|Can Synchronet automatically block the IP address of hackers]]? | * [[#block_hackers|Can Synchronet automatically block the IP address of hackers]]? |
| * [[#ssh_kex_algo|Why do some SSH clients fail to connect to my BBS]]? | * [[#ssh_algo|Why do some SSH clients fail to connect to my BBS]]? |
| | * [[#ssh_session_key|How do resolve the SSH error: importing session key to protect private key]]? |
| |
| ===== Ports ===== | ===== Ports ===== |
| |SSH |22 |- |For SecureShell logins (recommended)| | |SSH |22 |- |For SecureShell logins (recommended)| |
| |RLogin |513 |- |Optional for quick-login from RLogin clients (e.g. SyncTERM)| | |RLogin |513 |- |Optional for quick-login from RLogin clients (e.g. SyncTERM)| |
| |SMTP |25 |- |Necessary for receiving Internet e-mail and inter-BBS instant messages| | |SMTP |25 |- |Necessary for receiving Internet e-mail | |
| |Submission |587 |- |Necessary for users to send Internet e-mail through the BBS from a standard e-mail client| | |Submission |587 |- |Necessary for users to send Internet e-mail through the BBS from a standard e-mail client| |
| | |Submission/TLS |465 |- |Necessary for users to send Internet e-mail through the BBS from a standard e-mail client using TLS((encrypted communications over TCP))| |
| |POP3 |110 |- |Allows BBS users to check their e-mail using standard Internet mail clients (e.g. Outlook Express)| | |POP3 |110 |- |Allows BBS users to check their e-mail using standard Internet mail clients (e.g. Outlook Express)| |
| | |POP3/TLS |995 |- |Allows BBS users to check their e-mail using standard Internet mail clients (e.g. Outlook Express) using TLS| |
| |FTP |21 |- |Allows access to the BBS file/download areas using a standard FTP client or web browser| | |FTP |21 |- |Allows access to the BBS file/download areas using a standard FTP client or web browser| |
| |HTTP |80 |- |Required for access to the BBS's web server| | |HTTP |80 |- |Required for access to the BBS's web server| |
| | |HTTPS |443 |- |Required for secure access to the BBS's web server using TLS| |
| |NNTP |119 |- |Allows BBS users to read and post messages using standard news readers/clients| | |NNTP |119 |- |Allows BBS users to read and post messages using standard news readers/clients| |
| |Gopher |70 |- |Archaic protocol allows reading of messages and other BBS info| | |Gopher |70 |- |Archaic protocol allows reading of messages and other BBS info| |
| |IRC |6667 |- |Allows Internet Relay Chat (IRC) clients to connect to your BBS| | |IRC |6667 |- |Allows Internet Relay Chat (IRC) clients to connect to your BBS| |
| |Finger |79 |79 |Allows remote querying of BBS user info, who's online, and other BBS info| | |Finger |79 | |Allows remote querying of BBS user info, who's online, and other BBS info| |
| |SYSTAT |11 |11 |Allows remote querying of who's online (aka Active Users)| | |SYSTAT |11 |11 |Allows remote querying of who's online (aka Active Users) required for [[module:sbbsimsg|inter-BBS instant messaging]]| |
| |QOTD |17 |17 |Allows remote querying of the current auto-message (aka Quote Of The Day)| | |MSP |18 | |Allows incoming [[module:sbbsimsg|inter-BBS instant messages]]| |
| |MSP |18 |18 |Allows incoming inter-BBS instant messages without SMTP connectivity| | |WS |1123 | |WebSocket Service - to support the [[http://ftelnet.ca|fTelnet web browser-based terminal]] | |
| | |WSS |11235 | |WebSocket Secure Service - to support the [[http://ftelnet.ca|fTelnet web browser-based terminal]] over TLS | |
| | |
| | Additionally, a default Synchronet installation includes *disabled* servers and services on the following ports: |
| | |
| | ^Protocol ^TCP ^UDP ^Comments^ |
| | |QOTD |17 |17 |Allows remote querying of BBS's auto-message (e.g. via ''qotdservice.js'')| |
| | |IMAP |143 |- |Allows remote download of user's email (similar to POP3, via ''imapservice.js'')| |
| | |IMAPS |993 |- |Allows secure remote download of user's email (similar to POP3/TLS)| |
| | |BINKP |24554 |- |Allows exchange of FidoNet files (e.g. mail bundles and packets, via ''binkit.js'')| |
| | |BINKPS |24553 |- |Allows secure exchange of FidoNet files| |
| | |NNTPS |563 |- |Allows BBS users to securely read and post messages using standard news readers/clients| |
| | |Hotline |5500 |- |Allows interaction with Hotline client| |
| | |Hotline-TRANS |5501 |- |""| |
| | |
| |
| Enabling connectivity to Synchronet through your firewall is no different than enabling connectivity to any other TCP/IP server. Follow your firewall documentation for forwarding or opening ports for TCP/IP servers located "behind" the firewall. Your firewall may have the option of placing the entire BBS computer in a "DMZ" (opening all its ports to the public Internet), but doing so is not normally recommended. | Enabling connectivity to Synchronet through your firewall is no different than enabling connectivity to any other TCP/IP server. Follow your firewall documentation for forwarding or opening ports for TCP/IP servers located "behind" the firewall. Your firewall may have the option of placing the entire BBS computer in a "DMZ" (opening all its ports to the public Internet), but doing so is not normally recommended. |
| In general, you need to check your Synchronet Mail Server window/log output for details about why Internet e-mail delivery attempts may be failing. | In general, you need to check your Synchronet Mail Server window/log output for details about why Internet e-mail delivery attempts may be failing. |
| |
| | ==== GMail ==== |
| | :?: **Question:**\\ |
| | Why can't I send Internet e-mail from my BBS to GMail.com? |
| | |
| | Example: |
| | cvs.synchro.net reporting delivery failure of message |
| | from Someone to annyone@gmail.com |
| | |
| | Reason: |
| | gmail-smtp-in.l.google.com replied with: |
| | "550 5.7.26 https://support.google.com/mail/answer/81126#authentication |
| | d9443c01a7336-21a919d2ef1si90834815ad.334 - gsmtp" |
| | instead of the expected reply: |
| | "250 ..." |
| | |
| | :!: **Answer:**\\ |
| | GMail.com requires mail severs have a valid **SPF** DNS record to send email to their servers. This requirement from Google is an anti-spoofing/SPAM measurement and nothing to do specifically with the Synchronet Mail Server. [[https://support.google.com/a/answer/33786?sjid=18257063204175362891-NC|Here are helpful instructions from Google on how to set up an SPF record your domain]]. |
| | |
| | An SPF record is a specially formatted DNS **TXT** (text) record. You can check if your domain has an SPF record by querying the DNS for TXT records for your domain using common network tools provided with your OS such as ''host'', ''dig'', and ''nslookup''. |
| | |
| | $ host -t txt vert.synchro.net |
| | vert.synchro.net descriptive text "v=spf1 mx a -all" |
| | |
| | If you are [[howto:relay_smtp|relaying your outbound Internet mail through Vertrauen]], then it is Vertrauen's mail servers that you need to reference in your domain's SPF record (not your own): |
| | mail.synchro.net |
| | |
| | If you are relaying your outbound Internet mail through Vertrauen **and** [[howto:vert_mx|using Vertrauen as your inbound Internet Mail Exchange (MX)]], then setting your domain's SPF record to just the following will suffice: |
| | v=spf1 mx a -all |
| | |
| | If you are using the Synchronet dynamic DNS service to have/update a ''//yourbbs//.synchro.net'' hostname, then see [[module:dyndns#SPF]] for details on how to create the appropriate SPF record. |
| ===== Receive Mail ===== | ===== Receive Mail ===== |
| |
| You should also see evidence of the successful SMTP connection to the server in your Synchronet Mail Server window/log output. If you do not, then it's likely that your firewall or Internet Service Provider is blocking incoming connections to TCP port 25. Before concluding this is the case, verify that the remote Telnet client can connect to other SMTP servers first (e.g. ''vert.synchro.net'', TCP port 25). If it cannot, then this remote client probably has restrictions on which (if any) connections he can make to TCP port 25. Try using a different, less restricted, remote Internet connection for your test. | You should also see evidence of the successful SMTP connection to the server in your Synchronet Mail Server window/log output. If you do not, then it's likely that your firewall or Internet Service Provider is blocking incoming connections to TCP port 25. Before concluding this is the case, verify that the remote Telnet client can connect to other SMTP servers first (e.g. ''vert.synchro.net'', TCP port 25). If it cannot, then this remote client probably has restrictions on which (if any) connections he can make to TCP port 25. Try using a different, less restricted, remote Internet connection for your test. |
| |
| If your firewall or Internet Service Provider is blocking incoming connections to TCP port 25 (many consumer-class ISPs do), then you won't be able to receive Internet e-mail on your BBS. Fixing your firewall configuration is rather simple, but changing ISPs is often not. One possible work-around is having a mail proxy (3rd party server) receive the e-mail for you and forward it to a non-standard, non-filtered/blocked SMTP port. Many Dynamic DNS services offer this service [[http://www.dyndns.com/services/mailhop/relay.html|for a fee]]. Or a fellow sysop may be able and willing to perform this service for you as a favor. | If your firewall or Internet Service Provider is blocking incoming connections to TCP port 25 (many consumer-class ISPs do), then you won't be able to receive Internet e-mail on your BBS. Fixing your firewall configuration is rather simple, but changing ISPs is often not. One possible work-around is having a mail proxy (3rd party server) receive the e-mail for you and forward it to a non-standard, non-filtered/blocked SMTP port. Many Dynamic DNS services offer this Mail Exchange (MX) service [[http://www.dyndns.com/services/mailhop/relay.html|for a fee]]. [[howto:vert_mx|Or a fellow sysop may be able and willing to perform this service for you as a favor]]. |
| |
| ===== FTP Connect ===== | ===== FTP Connect ===== |
| [[http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html|This document]] contains the technical details about how and why and the recommended solutions. | [[http://www.ncftpd.com/ncftpd/doc/misc/ftp_and_firewalls.html|This document]] contains the technical details about how and why and the recommended solutions. |
| |
| **Note**: Most web browsers (e.g. //Microsoft Internet Explorer//) use passive FTP transfer mode by default. | **Note**: Most web browsers use //passive// FTP transfer mode by default, though this may be configurable. |
| |
| **Note**: Some FTP clients (e.g. the Windows command-line FTP client, ''ftp.exe'') only support active mode transfers. | **Note**: Some FTP clients (e.g. the Windows command-line FTP client, ''ftp.exe'') //only// support //active// mode transfers. |
| |
| Enabling the logging of FTP data channel activity can help diagnose these kinds of problems. This can be done by adding the ''DEBUG_DATA'' option to the ''Options'' value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file or by checking the //Data Channel Activity// checkbox in the //Log// tab of the FTP Server Configuration dialog in the Synchronet Control Panel for Win32. | Enabling the logging of FTP data channel activity can help diagnose these kinds of problems. This can be done by adding the ''DEBUG_DATA'' option to the ''Options'' value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file or by checking the //Data Channel Activity// checkbox in the //Log// tab of the FTP Server Configuration dialog in the Synchronet Control Panel for Windows. |
| | |
| If you're having problems with passive transfers and you're seeing | |
| !UNSUPPORTED COMMAND from username: 'P@SW' | |
| in your FTP server log/window output, you're probably using an //SMC Barricade// router (see [[http://www.gbnetwork.co.uk/smcftpd/|this document]] for details). Upgrade to Synchronet v3.13a (FTP Server Revision 1.296) or later to work-around this problem with this device. | |
| |
| If you're having problems with passive (PASV) transfers through your NAT/firewall device and you're running Synchronet v3.13a (FTP Server Revision 1.296) or later: | If you're having problems with passive (PASV) transfers through your NAT/firewall device and you're running Synchronet v3.13a (FTP Server Revision 1.296) or later: |
| If the remote client is attempting to connect to your [[#private IP]] address (your NAT device isn't translating the PASV response from the FTP server) and you have a static [[#public IP]] address, you can work-around this limitation of your NAT device by using the ''PasvIpAddress'' value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file to specify your [[#public IP]] address. | If the remote client is attempting to connect to your [[#private IP]] address (your NAT device isn't translating the PASV response from the FTP server) and you have a static [[#public IP]] address, you can work-around this limitation of your NAT device by using the ''PasvIpAddress'' value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file to specify your IPv4 [[#public IP]] address. |
| |
| This problem can be identified (on the client) by finding a comma-separated [[#private IP]] address in the PASV response received from the FTP server (in response to a directory or file transfer request from the client). | This problem can be identified (on the client) by finding a comma-separated [[#private IP]] address in the PASV response received from the FTP server (in response to a directory or file transfer request from the client). |
| If you have a dynamically-assigned IP address (via DHCP), then your IP address may change at some point, so setting the ''PasvIpAddress'' to a specific IP address may not be a long term solution for your FTP Server. In Synchronet v3.14a and later, you can enable the new //Lookup Passive IP// feature by checking the //Lookup// checkbox on the //Passive// tab of the FTP Server Configuration Dialog in [[monitor:SBBSCTRL]]-Win32, or by adding ''LOOKUP_PASV_IP'' to the Options value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. This option instructs the Synchronet FTP Server to perform a DNS hostname lookup on your BBS's public hostname and use the resulting IP address (which should be your BBS's [[#public IP]] address) in passive responses. | If you have a dynamically-assigned IP address (via DHCP), then your IP address may change at some point, so setting the ''PasvIpAddress'' to a specific IP address may not be a long term solution for your FTP Server. In Synchronet v3.14a and later, you can enable the new //Lookup Passive IP// feature by checking the //Lookup// checkbox on the //Passive// tab of the FTP Server Configuration Dialog in [[monitor:SBBSCTRL]]-Win32, or by adding ''LOOKUP_PASV_IP'' to the Options value in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. This option instructs the Synchronet FTP Server to perform a DNS hostname lookup on your BBS's public hostname and use the resulting IP address (which should be your BBS's [[#public IP]] address) in passive responses. |
| |
| If your firewall cannot dynamically open/forward FTP PASV data ports for incoming passive FTP data connections, you can specifiy a limited range of TCP port numbers to use for passive transfers by modifying the PasvPortLow and PasvPortHigh values in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. You will of course need to configure your firewall device to open/forward these ports to your FTP server. | If your firewall cannot dynamically open/forward FTP PASV data ports for incoming passive FTP data connections, you can specify a limited range of TCP port numbers to use for passive transfers by modifying the PasvPortLow and PasvPortHigh values in the ''[FTP]'' section of your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file. You will of course need to configure your firewall device to open/forward these ports to your FTP server. |
| | |
| | ===== FTP HTML ===== |
| | :?: **Question:**\\ |
| | Why will a web browser not (no longer) render the HTML content sent by the Synchronet FTP Server (i.e. ''00index.html'' generated by ''ftp-html.js'')? |
| | |
| | :!: **Answer:**\\ |
| | For security reasons, modern web browsers (e.g. Google Chrome) have stopped rendering HTML content served by protocols other than HTTP or HTTPS. |
| | * [[https://www.bleepingcomputer.com/news/google/chrome-and-firefox-developers-aim-to-remove-support-for-ftp/]] |
| | |
| | Some web browsers (e.g. Microsoft Edge) are removing FTP support altogether. |
| | * [[https://www.ghacks.net/2020/03/19/mozilla-will-remove-ftp-support-in-the-firefox-web-browser/]] |
| |
| ===== Bind ===== | ===== Bind ===== |
| 0420 !ERROR 48 binding FTP Server socket to port 21 | 0420 !ERROR 48 binding FTP Server socket to port 21 |
| |
| This usually means you have another TCP/IP server on your system that is already bound to (and is presumably already listening for incoming connections on) this port. This could be a pre-existing instance of Synchronet or any other Telnet/Web/Mail/FTP servers that you may have installed on your system. You can use utilities such as [[man>netstat]] (for Windows or Unix) or [[http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx|TCPView]] (for Windows) to verify what programs (if any) have the TCP or UDP port in question already bound. If these utilities do not report any program is bound to (and listening) on this port, you can try Telnetting to the port in question and see if anything answers. If you're unable to connect to the port with a Telnet client and Synchronet cannot bind the port, your TCP/IP stack probably needs to be reset, so a system reboot may be in order. | **Note:**\\ |
| | On Unix-like systems, the error number may be different, e.g. ''ERROR 98'' (EADDRINUSE) on Linux. |
| |
| If you're running a Unix-like operating system (not Windows) and get bind errors only when recycling servers, this is most likely because a TCP session is stuck in a ''TCP TIMEWAIT'' state (you can use netstat to verify this). The session will eventually time-out and close properly on its own, allowing the port to be re-bound at that time. To work-around this problem, you can either increase the ''BindRetryCount'' and/or ''BindRetryDelay'' values in your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file, or you can add the following line to your ''[[dir:ctrl]]/[[config:sockopts.ini]]'' file: | This usually means you have another TCP/IP server on your system that is already bound to (and is presumably already listening for incoming connections on) this port. This could be a pre-existing instance of Synchronet or any other Telnet/Web/Mail/FTP servers that you may have installed on your system. You can use utilities such as ''[[man>netstat]]'' (for Windows or Unix((e.g. 'netstat -naptu' as root user on Linux))) or [[http://technet.microsoft.com/en-us/sysinternals/bb897437.aspx|TCPView]] (for Windows) to verify what programs (if any) have the TCP or UDP port in question already bound. If these utilities do not report any program is bound to (and listening) on this port, you can try Telnetting to the port in question and see if anything answers. If you're unable to connect to the port with a Telnet client and Synchronet cannot bind the port, your TCP/IP stack probably needs to be reset, so a system reboot may be in order. |
| REUSEADDR=1 | |
| |
| :!: **Answer:**\\ | :!: **Answer:**\\ |
| |
| Error ''13'' means "access denied". | Error ''13'' means "access denied". |
| This error upon binding usually means that you're running Synchronet as non-privileged user account (e.g. not 'root') and the operating system you're running does not allow processes run under non-privileged user accounts to bind to low (TCP or UDP) port numbers (usually less than 1024). You can either use higher TCP port numbers in your configuration or have Synchronet switch to a non-privileged user *after* binding the TCP ports (see [[config:nix]] for details). | This error upon binding usually means that you're running Synchronet as non-privileged user account (e.g. not 'root') and the operating system you're running does not allow processes run under non-privileged user accounts to bind to low (TCP or UDP) port numbers (usually less than 1024). You can either use higher TCP port numbers in your configuration or have Synchronet switch to a non-privileged user *after* binding the TCP ports (see [[config:nix]] for details), see also: [[howto:Linux non-root]]. |
| | |
| | ==== Rebind ==== |
| | :!: **Answer:**\\ |
| | If you're running a Unix-like operating system (not Windows) and get bind errors //only// when recycling servers: |
| | sbbs: term 0001 !ERROR 98 binding Telnet Server socket to port 23 |
| | sbbs: term 0001 Will retry in 15 seconds (1 of 2) |
| | |
| | ... this is most likely because a TCP session is stuck in a TCP "TIME WAIT" or "CLOSE WAIT" state (you can use ''[[man>netstat]]'' to verify this). The session will eventually time-out and close properly on its own, allowing the port to be re-bound at that time. To work-around this problem, you can either increase the ''BindRetryCount'' and/or ''BindRetryDelay'' values in your ''[[dir:ctrl]]/[[config:sbbs.ini]]'' file, or you can add the following line to the root section of your ''[[dir:ctrl]]/[[config:sockopts.ini]]'' file: |
| | REUSEADDR=1 |
| |
| ===== Bandwidth ===== | ===== Bandwidth ===== |
| Yes, see [[howto:Block-Hackers]] for detailed instructions. | Yes, see [[howto:Block-Hackers]] for detailed instructions. |
| |
| ===== SSH Kex Algo ===== | ===== SSH Algo ===== |
| :?: **Question:**\\ | :?: **Question:**\\ |
| Why do some SSH clients (e.g. [[http://www.openssh.com/|OpenSSH]]) fail to connect to the Synchronet SSH Server? | Why do some SSH clients (e.g. [[http://www.openssh.com/|OpenSSH]]) fail to connect to the Synchronet SSH Server? |
| | |
| | :!: **Answer:**\\ |
| | SSH supports a variety of cryptographic algorithms for encryption (privacy), integrity (mac) and authentication (key-exchange). As stronger algorithms are introduced, older (less-strong) algorithms are deprecated. As a result, when using a newer version of any SSH client (especially OpenSSH), it may fail to connect to SSH servers which only support less-than-the-strongest (newest) algorithms. There is no permanent solution to this issue as cryptographic algorithms are constantly improving (becoming stronger) and older (weaker) algorithms are going out of favor. |
| | |
| | |
| | ==== SSH Cipher Algo ==== |
| | |
| | Should be fixed as of Fri Feb 14 07:37:04 2020 UTC. aes128-ctr and aes256-ctr support was added. |
| |
| Example: | Example: |
| $ ssh vert.synchro.net | $ ssh vert.synchro.net |
| $ Received disconnect from 71.95.196.34: 2: Handshake failed | Unable to negotiate with vert.synchro.net port 22: no matching cipher found. Their offer: aes128-cbc,3des-cbc |
| | |
| or: | Workarounds for OpenSSH: |
| Unable to negotiate with legacyhost: no matching key exchange method found. | |
| Their offer: diffie-hellman-group1-sha1 | |
| |
| :!: **Answer:**\\ | $ ssh -c aes128-cbc user@yourbbs.com |
| | |
| | or in the ''~/.ssh/config'' file (OpenSSH v6): |
| |
| //**NOTE: This has been fixed in CVS now.**// | Host yourbbs.com |
| | Ciphers aes128-cbc |
| | |
| | ==== SSH Kex Algo ==== |
| |
| Synchronet uses [[http://www.cs.auckland.ac.nz/~pgut001/cryptlib/|Cryptlib]], a cryptographic library, for SSH and TSL/SSL support in Synchronet. Cryptlib's v3.4.2 SSH support uses an older "Key Exchange Algorithm". OpenSSH has deprecated support for this older key exchange algorithm. Cryptlib v3.4.4, the currently latest version of Cryptlib now used by Synchronet, does not have this problem. | Should be fixed as of Mon Jun 3 22:21:15 2019 UTC. diffie-hellman-group-exchange-sha256 and diffie-hellman-group14-sha256 support was added. |
| | |
| | Example: |
| | $ ssh vert.synchro.net |
| | Received disconnect from 71.95.196.34: 2: Handshake failed |
| | |
| | or: |
| | Unable to negotiate with legacyhost: no matching key exchange method found. |
| | Their offer: diffie-hellman-group1-sha1 |
| |
| From the OpenSSH [[http://www.openssh.com/legacy.html|legacy page]]: | From the OpenSSH [[http://www.openssh.com/legacy.html|legacy page]]: |
| Note: Run ''ssh -V'' to see what version of OpenSSH you have. | Note: Run ''ssh -V'' to see what version of OpenSSH you have. |
| |
| :!: **Answer:**\\ | ==== SSH MAC Algo ==== |
| | |
| | Should be fixed as of Mon Jun 3 22:21:15 2019 UTC. hmac-sha2-256 support was added. |
| Another observed problem is with the negotiated Message Authentication Code (MAC) algorithm. | Another observed problem is with the negotiated Message Authentication Code (MAC) algorithm. |
| |
| $ ssh -m hmac-md5 user@yourbbs.com | $ ssh -m hmac-md5 user@yourbbs.com |
| |
| | ===== SSH Session Key ===== |
| | :?: **Question:**\\ |
| | How do I resolve the following terminal server SSH error? |
| | |
| | 'Couldn't import the session key used to protect the private key' (-22) getting private key |
| | |
| | :!: **Answer:**\\ |
| | Rename/move or delete your ''[[dir:ctrl]]/cryptlib.key'' file. |
| | |
| | If you're using TLS for your other [[server:|Synchronet servers (e.g. web, mail, ftp, etc.)]], you may also need to rename/move or delete your ''[[dir:ctrl]]/ssl.cert'' file. |
| | |
| | These files (''cryptlib.key'' and ''ssl.cert'') are encrypted with the Synchronet //system password//, so if the system password is changed then these files must also be regenerated. The files are automatically recreated by //sbbs// upon startup if they do not already exist. |
| | |
| | ===== SSH Errors ===== |
| | :?: **Question:**\\ |
| | Should I be concerned about ssh errors in my log files? |
| | |
| | :!: **Answer**\\ |
| | A number of ssh errors are generated mainly due to clients disconnecting or not actually using a valid ssh client, such as port scanners or bots. Some of these errors are |
| | |
| | 'Internal consistency check failed' (-16) setting session active |
| | |
| | 'ENOTCONN: Socket is not connected' (-42) setting session active |
| | |
| | 'Error reading client's SSH identifier string: ETIMEDOUT: Function timed out before completion' (-41) setting session active |
| | |
| | No data was read because the remote system closed the connection (recv() == 0)' (-41) setting session active |
| | |
| | 'Need resource to proceed' (-50) setting session active |
| | |
| |
| ===== See Also ===== | ===== See Also ===== |
