Obfuscated ssh
Since the performance of Great LAN is so frustrating, I have to use some new approaches to evade censorship.
Although with ssh I can circumvent most of the censorship, the DPI equipment interferes my ssh connection all the day. This is terribly annoying.
Rather than reconnect ssh without cease, I finally deployed an obfuscated ssh and enjoying it now.
Here is obfuscated ssh deploy instructions for debian/ubuntu.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 |
#update system, install compiler and other dependents. apt-get update apt-get -y install gcc apt-get -y install build-essential apt-get -y install zlib1g-dev apt-get -y install libssl-dev #compile. wget -O ofcssh.tar.gz https://github.com/brl/obfuscated-openssh/tarball/master tar zxvf ofcssh.tar.gz cd brl-obfuscated-openssh-ca93a2c ./configure make make install #If no error occurred, then you might get #the ssh daemon in /usr/local/sbin/sshd #the ssh client will be in /usr/local/bin/ssh #the config files will be in /usr/local/etc/ #configuration. #I assume that you are using port 22 as normal ssh port. #then we install new obfuscated ssh separately from regular ssh daemon. #We assign port 1234 to new obfuscated ssh daemon. mv /usr/local/sbin/sshd /usr/sbin/sshd_ofc cp /etc/ssh/sshd_config /etc/ssh/sshd_ofc_config #Port 22 is handled by regular ssh daemon, so Port option is not required. sed -i "s/Port /#Port /g" /etc/ssh/sshd_ofc_config #obfuscated-openssh does not support UsePAM option.(by default) sed -i "s/UsePAM /#UsePAM /g" /etc/ssh/sshd_ofc_config #Add two additional configuration options. echo "ObfuscatedPort 1234" >> /etc/ssh/sshd_ofc_config echo "ObfuscateKeyword yourkeyword" >> /etc/ssh/sshd_ofc_config #Note that "ObfuscatedPort 1234" will listen all the IPs on VPS. #If you just want sshd_ofc to listen a certain IP, then you can add this #echo "ListenAddress x.x.x.x" >> /etc/ssh/sshd_ofc_config #(replace x.x.x.x with your IP) #finally, run it and set it to self-starting /usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config #If no error occurred, run "netstat -an", then you might see #sshd_ofc binding to the port 1234 |
If you are using debian, here is self-starting method for debian.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 |
echo '#! /bin/sh ### BEGIN INIT INFO # Provides: sshd_ofc # Required-Start: $remote_fs $syslog # Required-Stop: $remote_fs $syslog # Default-Start: 2 3 4 5 # Default-Stop: # Short-Description: OpenBSD Secure Shell server (ofc) ### END INIT INFO case "$1" in start) /usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config ;; stop) killall /usr/sbin/sshd_ofc ;; restart|force-reload) $0 stop sleep 1 $0 start ;; *) echo "Usage: $0 start|stop|restart" exit 1 esac exit 0 ' > /etc/init.d/ssh_ofc chmod +x /etc/init.d/ssh_ofc insserv -v -d /etc/init.d/ssh_ofc |
If you are using ubuntu, here is self-starting method for ubuntu.
|
1 2 3 |
echo "/usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config" > /etc/init.d/ssh_ofc chmod +x /etc/init.d/ssh_ofc ln -s /etc/init.d/ssh_ofc /etc/rcS.d/S42ssh_ofc |
Some notable security information:
1. Vulnerability Summary for CVE-2012-2110
2. OpenSSL ASN.1 vulnerability: sshd not affected
The following is setting of client (For Windows)
You can simply download the PoTTY client for windows, and use the following command to connect your obfuscated ssh server.
|
1 |
PoTTY.exe -N -ssh User@Server -P Port -pw Pass -C -z -Z yourkeyword -D 127.0.0.1:1080 |
Usually the above command is work.
Since the obfuscated ssh client PoTTY has not yet auto-reconnect feature.
I can only use batch to implement this feature.
Place following 4 batch files to the PoTTY directory.
(Of course you need to fill out the highlighted lines)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
@echo off goto profile1 :profile1 set ServerIP=1.2.3.4 set Port=1234 set User= set Pass= set ObfuscatedKeyword=yourkeyword goto end :profile2 set ServerIP= set Port= set User= set Pass= set ObfuscatedKeyword= goto end :end |
|
1 2 3 4 |
@echo off call Config.bat start PoTTY.exe -N -ssh %User%@%ServerIP% -P %Port% -pw %Pass% -C -z -Z %ObfuscatedKeyword% -D 127.0.0.1:1080 exit |
|
1 2 |
taskkill /f /im "PoTTY.exe" Connect.bat |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 |
call Config.bat set Conn=%ServerIP%:%Port% @echo off&setlocal enabledelayedexpansion :Repeat set ReConn=1 for /f "tokens=4 delims= " %%a in ('netstat -ano^|find "%Conn%"') do ( echo %%a %time% if "%%a" equ "ESTABLISHED" ( set ReConn=0 Goto Break ) ) :Break if %ReConn% == 1 start /b Reconnect.bat ping -n 6 127.0.0.1>nul Goto Repeat pause |
CheckConn.bat keeps checking the tcp connection status in order to confirm whether the ssh connection is disconnected.
So, run CheckConn.bat , then PoTTY will reconnect on connection failure.
At last. Compared with regular ssh's handshake, the obfuscated ssh's is apparently different.
regular ssh handshake:
obfuscated ssh handshake:
请问,当我输入
# /usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config
结果出现以下错误:
PEM_read_PrivateKey: mismatch or unknown EVP_PKEY save_type 408
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
是什么情况?
我确定编译安装都没问题,配置也都是按照你的Sample来的,系统是 Ubuntu 12.10
If you get error message : 'Could not load host key: /etc/ssh/ssh_host_ecdsa_key' when restarting ssh,
you need to create new ecdsa key with following command
ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
then restart the sshd service
service ssh restart
However, if you get 'unknown key type ecdsa' when using ssh-keygen. Then your ssh probably not support ecdsa algorithm...
Try to use rsa algorithm instead.
跪求centos 服务器的配置啊,怎么能联系到您?
Here is obfuscated ssh deploy instructions for CentOS, which is very similar to Debian/Ubuntu.
yum update
yum -y install gcc
yum -y install make
#yum -y install zlib-devel #CentOS x86
yum -y install zlib-devel.x86_64 #CentOS x64
#yum -y install openssl-devel #CentOS x86
yum -y install openssl-devel.x86_64 #CentOS x64
wget -O ofcssh.tar.gz https://github.com/brl/obfuscated-openssh/tarball/master
tar zxvf ofcssh.tar.gz
cd brl-obfuscated-openssh-ca93a2c
./configure
make
make install
Configuration is the same as Debian/Ubuntu.
问一下客户端只能用potty么,用openssh能连 obfuscated ssh server么
Of course, because putty and openssh does not support the -Z parameter.
if you encountered the ssh-host-key cannot load error, please regenerate it follow the steps below, it may fix it.
Step # 1: Delete old ssh host keys
Login as the root and type the following command:
# /bin/rm /etc/ssh/ssh_host_*
Step # 2: Reconfigure OpenSSH Server
Now create a new set of keys, enter:
# dpkg-reconfigure openssh-server
Sample output:
Creating SSH2 RSA key; this may take some time ...
Creating SSH2 DSA key; this may take some time ...
Restarting OpenBSD Secure Shell server: sshd.
Bad news!!
It seems that GameFirstWin may probably "guess" out some sync information of obfuscated handshaking.
I set up both the client and the server side with obfuscated patched ssh, i t works fine for 2 weeks.
But today, once I try to connect to my server with PoTTY, the connection timed out, and I got timed out ping feedback.
After 3 or 5 minutes later, ping to my server reconnected, but it would fail once I try to visit my server again.
I've no idea how to overcome this right now 🙁
I have deployed obfuscated SSH on several VPS and routers, but none of them is subject to interference from WHYGAAAFBBBWhat. At least, they are working properly so far.
Did you install some services that it is very easy to identify by GoGoFireWork on the same IP? Like pptp vpn.
Obfuscated SSH is theoretically a private protocol, as long as the ObfuscateKeyword is not compromised.
"overcome this" ...... change your VPS IP?
Or...change your port to a SSL service port, like 563,636 ...
Details: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Thank you for the post. very useful.
I found that lots of nodes in Japan have being messing by openGameFamidWyou, the nodes only set up apache server on them will also be interrupted once someone is connecting to. From this perspective of view, it's not ofc-ssh's fault, it's safe 🙂 and thanks for your explanation.
I've fixed it by switching my node's IP, say goodbye to Japan and say hello to the world 🙂
By the way, there is another version of ofc-ssh on github at "https://github.com/aligo/obfuscated-openssh", does this version work?
Glad to hear you solved the problem.
The aligo version of ofc-ssh is based on OpenSSH6.1p1, which is newer than brls.
And as mentioned in his blog
http://aligo.me/2013/01/13/obfuscate-six-stucked-hogs/
and his post
http://www.v2ex.com/t/52105
, that version supports MAC.
But I have not tested that version.
There was a host_key issue while connection to sshd via PoTTY, someone feeded that back to aligo, and he has fixed it. His latest version of ofc-ssh seems work properly from another user's prespective of view.
Fight for freedom, and thank you DZF & aligo, you're bravo!
Thanks. Since the hiGirl-ifF-wwWill came out, I kind feel insecure about some softwares from Chinese, although I am Chinese too, really sucks! I would rather believe Hong-Kongnese or Taiwanese at this point, am I crazy?!! sad. I knew the new version of openSSH client support Obfuscated SSH too, your article is good if you can add some about how to do from Mac or Linux with openSSH client, would be great.
"I would rather believe Hong-Kongnese or Taiwanese (software)", Agree.
I don't have a Mac, so I don't know how to use SSH on Mac.
But, on Linux, there are many ways to run SSH proxy. You can install proxychains and obfuscated ssh and autossh, etc.
sudo apt-get update
sudo apt-get install proxychains
sudo sed -i '/^socks4/d' /etc/proxychains.conf
sudo sed -i '/^socks5/d' /etc/proxychains.conf
sudo sed -i '$a socks5 127.0.0.1 1080' /etc/proxychains.conf
ssh -N $User@$ServerIP -p $Port -v -i id_rsa -C -D 1080 -z -Z yourkeyword
proxychains firefox
Thanks I tried, found "ssh" on MacOS, doesn't support "-Z" option. So I googled to know, for MacOS, there is a tool named "Secret Socket", I downloaded and checked its source, it has a new "ssh". I think it's from obfsc-openSSH, so I download obfsc-openSSH, and compile it on MacOS, it worked, I got a new "ssh" with "-Z" support. I shared the method here - http://apple.stackexchange.com/questions/86278/ssh-command-has-no-z-option-obfuscated-ssh-client/86282#86282
Hope it helps more people.
Hi
Thanks for your great blog 1st.
But I am facing one problem, when i try to run the connect using Potty.
I am getting an "server unexpectedly closed connection" message.
What should I do
Thanks in advance
Although I guess you have solved the problem.
If not yet, the following link may helps you,
http://winscp.net/eng/docs/message_unexpected_close
Hi thank you for your quick response. I myself has done some debugging practice and get the following things
ssh -p 1234 -vvv ip
OpenSSH_5.9p1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /usr/local/etc/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 1234.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
ssh_exchange_identification: Connection closed by remote host
Please note that my /etc/hosts.allow has the following entry sshd: ALL
and /etc/hosts.deny has none but the default values.
We don't want the public key thing we just want to login with username and password like you have explained in this blog.
My system is Debian 6-64bit.
Please suggest me what should I do to make the server working.
Thanks in advance.
Regards
Aaviskaar
Hi,
aaviskaar. You probably still use system's ssh client, which dose not supports obfuscation. And obviously you have not add the -z parameter. So, ssh handshake is unsuccessful. You need to use a new ssh client that supports obfuscation.
Hi
Again I am adding some new information please look at them and help us in resolving the issue.
We used PoTTY with the following command.
PoTTY.exe -N -ssh user@ip -P 1234 -pw password -C -z -Z keyword -D 127.0.0.1:9998
We changed the port number to 9998( also tried with 1080)
Now the problems are-
Sometimes the server works I mean a connection is established,but very rarely I have been able to do so for once only. During that time socks proxy 2 127.0.0.1:9998 worked fine.
Most of the time, the PoTTY window opens with nothing and after a few minutes one error message is being showed saying "Server unexpectedly closed network connection"
The problem should not be an ISP or firewall issue because using the same ISP and firewall we are able to setup Tunneling once from the same PC.
We have also tried with different ISPs and from different countries but again we failed and got the same error message.
The 1234 port is open in the server for outside access.
What should be the problem and what to do for fixing it?
Again thanks in advance for your kind help.
Regards
Aaviskaar
Hi,
Can you get reply by using the Ping command? If so, then telnet to your server by running "telnet ServerIP 1234" command. If telnet is successful, then the obfuscated ssh server may work properly.
Otherwise, your obfuscated ssh server or your network between server and client should be something wrong.
Hi,
Thank you for your reply. We have fixed the issue. Though it is not a valid reason, but it worked with plonk.exe without any issues and we are currently using it. Thank you for your kind help.
We are using the following command now
plonk -P 1234 -l user -D 1080 -N -z -Z keyword xx.xx.xx.xx
it asks for the password for a the user, we type it and it works fine. Though I want to ask you that is there any way to embed the password in the plonk command like you have used with PoTTY? I have searched for plonk manual but didn't found it anywhere.
Secondly I want to create the tunnel from a LAN gateway(Maybe windows or Linux) so that the gateway accepts requests from all ports and sends it through the tunnel. Is it possible? Linux or Windows, both solutions are OK.
If possible please help us in doing it.
Thanks for your great blog again, this is the only one blog available for step by step obfuscated ssh support.
Regards
Neelim
1.
C:\>plonk
PoTTY Link: command-line connection utility
Mr. Hinky Dink's build, Aug 26 2011 23:23:10
Usage: plonk [options] [user@]host [command]
("host" can also be a PuTTY saved session name)
Options:
-V print version information and exit
-pgpfp print PGP key fingerprints and exit
-v show verbose messages
-load sessname Load settings from saved session
-ssh -telnet -rlogin -raw -serial
force use of a particular protocol
-P port connect to specified port
-l user connect with specified username
-batch disable all interactive prompts
The following options only apply to SSH connections:
-pw passw login with specified password
-D [listen-IP:]listen-port
Dynamic SOCKS-based port forwarding
-L [listen-IP:]listen-port:host:port
Forward local port to remote address
-R [listen-IP:]listen-port:host:port
Forward remote port to local address
-X -x enable / disable X11 forwarding
-A -a enable / disable agent forwarding
-t -T enable / disable pty allocation
-1 -2 force use of particular protocol version
-4 -6 force use of IPv4 or IPv6
-C enable compression
-i key private key file for authentication
-noagent disable use of Pogeant
-agent enable use of Pogeant
-m file read remote command(s) from file
-s remote command is an SSH subsystem (SSH-2 only)
-N don't start a shell/command (SSH-2 only)
-nc host:port
open tunnel in place of session (SSH-2 only)
-z obfuscate key exchange (SSH-2 only)
-Z keywd obfuscate with keyword (SSH-2 only)
-sercfg configuration-string (e.g. 19200,8,n,1,X)
Specify the serial configuration (serial only)
------------------------------------------------------------------------
So, -pw parameter will meet your demand.
2.
Do you mean that you want to use SSH like using VPN?
If so, there are some ways to do it.
In Windows, you can use Proxifier to proxy any ports and any applications you want, and even global proxy.
In Linux, usually use ProxyChain.
sudo apt-get install proxychains
sudo sed -i '/^socks4/d' /etc/proxychains.conf
sudo sed -i '/^socks5/d' /etc/proxychains.conf
sudo sed -i '$a socks5 127.0.0.1 1080' /etc/proxychains.conf
ssh -N $User@$ServerIP -p $Port -v -i id_rsa -C -D 1080 -z -Z yourkeyword
proxychains firefox
Hi
Thanks for your great reply.
First one worked for us. Thanks again.
Secondly, we don't need an VPN exactly, Actually what we want is that, for our LAN, it is not a good idea to allow the users to connect from their PC's as they are not technically so much good.
What we want to do is that,we will have a local gateway with internet connection. in one interface it will listen to requests from all ports and in the other interface it will create a obfuscated SSH tunnel, using that tunnel it will send all network traffic received from the other hosts.
We can use windows or Linux.
Will proxychain work in this configuration or I have to use something else. Please answer this question.
Thanks
Aaviskaar
Hi,
Do you mean that all LAN users use that local gateway to connect your local server first, and then the local server run a obfuscated ssh client and setup a NAT service?
I never done that before.
But, a alternative method is running a obfuscated ssh client( -D 0.0.0.0:1080 ) in your local server, then all LAN users connect the server's socks proxy. LAN users can use Proxifier(Windows) or Proxychains(Linux) to proxy applications without proxy setting options.
Thanks for your reply first.
Yes all LAN users use that local gateway to connect my local server first, and then the local server run a obfuscated ssh client and setup a NAT service. This is exactly what I want.
Theoretically it is possible with iptables, but I do not know it will work or not. However with the -D 0.0.0.0:1080 option i will try to setup a local proxy and then I will use NAT to redirect all traffics to that server.
I will let you know if it works or not.
I have some VOIP devices that can not use a proxy so I have to setup a gateway.
However if you have any suggestions please suggest me.
You have helped us very much.
Thanks Again
Hi Thanks for your great blog first
We have successfully installed the SSH+using your guide in Debian 6.07 and using it now. But when we tried to install it in Debian 6.05 and Ubuntu 12.04 we got some issues. We installed all dependencies and configured as you have said. But when we try to start the server using the command
/usr/local/sbin/sshd -f /usr/local/etc/sshd_config
It works perfectly with Debian 6.07, it do not show any output but the port starts listening and we can do SSH+ tunneling
But when we use the same command with Debian 6.07 and Ubuntu 12.04 we do not get any output like the above one but the SSH+ service is not started. We have also done port scanning but the port for SSH+ is not opened.
What should we do to solve this issue.
Thanks Again
Amir
Hi,
run "netstat -an", can you see sshd_ofc binding to the port 1234?
If so, then the SSH+ service is working properly. you need to check the firewall and iptables settings if they block the port 1234.
Thanks for your reply. After testing many things with different versions of Ubuntu and Debian we figured out that the problem was not with the OS.
SSH+ server is working with ports starting from 1025 to 1234 but when we try to use any port after 1234 it do not work. The netstat -an or nmap do not show any open port for SSH+
When we start the server with any port exceeding 1234 as Obfuscated port then the server starts without any error but the port is not opened. Though it is not a firewall issue as far as I know,I have tried with opening the port on firewall then started the server. the port is opened as per nmap scan result but the server didn't listened on the port.
please help us in fixing the issue.
"SSH+ server is working with ports starting from 1025 to 1234", How is this possible??
I have deployed many obfuscated SSH services on several VPS and routers, I used the port from 9xx to 3xxxx, and they are working properly so far.
Yeah it sounds strange, even i am unable to believe this. However i have rented some other VPS and the port issue is resolved there. We are able to use any open ports here.
I have another question for you, suppose I have a SSH+ and SSH server running in the same system. How can I find the active SSH+ users in a particular moment?
I also want to know the failed login attempts of SSH+, the IP details of logged in users etc.
Thanks in advance
Regards
Amir
Get list of online SSH(SSH+) users:
netstat -an|grep :22
w
who
Failed login attempts of SSH(SSH+):
Redhat/Fedora:
cat /var/log/secure|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2"="$1;}'
Debian/Ubuntu/other:
cat /var/log/auth.log|awk '/Failed/{print $(NF-3)}'|sort|uniq -c|awk '{print $2"="$1;}'
Dear Sir
I am able to setup some SSH+ servers for my friend who lives in a country where everything is blocked, the credit goes to your blog.
But unfortunately for last few days we are facing connection drop issues on SSH+. After a 2-5 minutes session the ssh+ connection drops saying FATAL ERROR: NETWORK ERROR: SOFTWARE CLOSED CONNECTION ABORT.
However we are able to use ssh+ from my country without any problem and connection drop issue. I think the government has found some way to detect ssh+ packets. At the same time Psiphon 3 is also not working. We have played with ports but that didn't worked. Even we changed ssh+ to 22 and ssh to something else. It is working from my country but not from his country. I think the firewall inspects the packet pattern not the port.
What will be our next step to fool the new inspection technique.
Your help will be greatly appreciated.
Thanks in Advance
John
Hi,
Psiphon is blocked in many country because too many people use Psiphon.
SSH+ is theoretically a private protocol, as long as the ObfuscateKeyword is not compromised.
You can change your port to a SSL service port, such as 443,563,636 ...
Details: https://en.wikipedia.org/wiki/List_of_TCP_and_UDP_port_numbers
Or you could consider using obfsproxy, ShadowSocks, etc.
Of course, no matter what technology you use, if your proxy services have too many users or too much traffic, your proxy services will be blocked. It's just a matter of time.
Hi, Sir.
I have added SELinux support and set 'UsePAM yes" for my obfuscate openssh, because I think it would provide as much as security of official openssh-server.
But I suffered error like "Sep 16 16:30:53 xxx sshd_ofc[11002]: Failed publickey for user from xxx.xx.xxx.xx port 6287 ssh2" and selinux error "Sep 16 17:03:47 xxx sshd_ofc[11188]: fatal: ssh_selinux_getctxbyname: Failed to get default SELinux security context for user (in enforcing mode)" from /var/log/secure
I want to secure my obfuscate ssh server as much as possible, rather than giving up most security feature (selinux, pam, etc) just for obfuscated ssh connection.
Do you have any idea how to achieve it ? I'm looking forward to any hints on how to do that.
Thank you!
Sorry for my late reply.
I have been quite busy over the past few months.
When run ./configure, there are some pam options disabled.
./configure | grep pam
checking pam/pam_appl.h usability... no
checking pam/pam_appl.h presence... no
checking for pam/pam_appl.h... no
checking security/pam_appl.h usability... yes
checking security/pam_appl.h presence... yes
checking for security/pam_appl.h... yes
PAM support: no
Then I read some source code, I found this
/* Define to 1 if you have the header file. */
#undef HAVE_SECURITY_PAM_APPL_H
/* Define to 1 if you have the header file. */
#define HAVE_PAM_PAM_APPL_H 1
in "config.h.in" file.
And the pam_appl.h is missing.
To get pam_appl.h, just run "apt-get install libpam0g-dev" in debian or "yum install pam-devel" in centos, then you can get it in /usr/include/security/pam_appl.h
Then add pam_appl.h to brl-obfuscated-openssh-ca93a2c/security/pam_appl.h
and
brl-obfuscated-openssh-ca93a2c/pam/pam_appl.h
and
#define HAVE_SECURITY_PAM_APPL_H 1
#define HAVE_PAM_PAM_APPL_H 1
Hope this may help you.
tanks Bro, i reallly is useful
这个potty用上以后,流量只要一大就会断线,目测potty有bug
If you get these errors
# /usr/sbin/sshd_ofc -f /etc/ssh/sshd_ofc_config
PEM_read_PrivateKey: mismatch or unknown EVP_PKEY save_type 408
Could not load host key: /etc/ssh/ssh_host_ecdsa_key
Could not load host key: /etc/ssh/ssh_host_ed25519_key
Comment these lines in your sshd_config.
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
Hello Sir,
At first I would like to thank you for your great blog the instructions are clear and very helpful.
I have tried to make a ssh+ connection on two different ISPs
The first one Potty gives a black screen for 1 minute then it says: Software caused connection abort
Plonk is the same: FATAL ERROR: Network error: Software caused connection abort
When trying to ping in that ISP we get an ip address but no received packages so I guess that the DNS is working fine.
-The second ISP, potty connects successfully then after a while a message pops up :
“server sent disconnect message
type 2 (protocole error):
received oclose for nonexistent channel 3145224”
When I checked the auth.log that time I get:
“channel_by_id: 0: bad id: channel free
Disconnecting: Received oclose for nonexistent channel 0.”
Could you please tell me what to do to solve these problems?
Thanks in advance
Hi,
For the first case, when you running "netstat -an" on your first VPS, can you see
sshd_ofc binding to the port 1234(or the port you specified) ?
if not, your configuration on server side may have some errors.
if so, since you got "Software caused connection abort" and "no received packages", I think the network between your client and VPS may be unstable.
(Or network is interfered by your Internet Service Provider? )
The second case, that's some weird. I think you have to check your configurations, including server side and client side.
It is significantly slow when using ofc-ssh.
How can I imporve the speed?
If you use a very special port for ofc-ssh, perhaps your ISP will lower your traffic priority due to the QoS policy.
Thanks.
After change port to a regular one and enable compression explicitly.
Speed improved.
Years also have a insurance focus of moreover 200-300 offences with 120-180 decisions that should be visited in 1-2 or 3 identification . will make their choices today Buy amoxicillin Online Without Prescription Fast Delivery buy amoxicillin online with paypal find amoxicillin Alternative Best Deals Online. Great Quality - Bonus Pills Added.
Mecklenburg mill, away of mid-size street, began amoxicillin. No prior prescription needed! buy cod amoxicillin wire transfer at Woodstock buy amoxicillin online cheap Free Shipping amoxicillin causing depression Fast and Guaranteed Worldwide Shipping.