Posted (edited)

Hello everyone,

I'm trying to change the port for my SSH connections (to limit attacks...) on my DS411+ (DSM 5.1-5022 Update 3).

So I edited the file /etc/ssh/sshd_config, uncommenting the line #port 22 and adding a new line with the new port. This gives:

port 2222

port 22

(this way, I can keep connecting over SSH on the "classic" port 22 while I get port 2222 working)

Naturally, I set up the port forwarding on my router (Freebox).

I rebooted the Synology.

However, I cannot connect to the Synology over SSH on port 2222, whether locally while connected to the Syno via port 22 (ssh root@127.0.0.1 -p 2222) or from the WAN:

Locally:

ssh root@127.0.0.1 -p 2222
root@127.0.0.1's password:
Permission denied, please try again.
Connection to 127.0.0.1 closed.

From the WAN:

ssh root@<IP DE MON NAS> -p 2222
root@<IP DE MON NAS>.fr's password:
Permission denied, please try again.
Connection to <IP DE MON NAS> closed.

Naturally, the password entered is correct :-)

For information, I connect fine on port 22, both locally and from the WAN.

/var/log/messages contains no message relating to the connection.

However, when I connect locally, the file /var/log/synolog/synoconn.log shows:

info 2015/03/18 10:24:58 SYSTEM: User [root] from [127.0.0.1] logged in successfully via [sSH].

Yet I get kicked out with the message "Permission denied, please try again."...

Here is the output of the command ssh -vvv root@127.0.0.1 -p 2222 (it's verbose, but at least everything is there!)

OpenSSH_6.6, OpenSSL 1.0.1k-fips 8 Jan 2015

debug2: ssh_connect: needpriv 0

debug1: Connecting to 127.0.0.1 [127.0.0.1] port 2222.

debug1: Connection established.

debug1: permanently_set_uid: 0/0

debug1: identity file /var/services/homes/root/.ssh/id_rsa type -1

debug1: identity file /var/services/homes/root/.ssh/id_rsa-cert type -1

debug1: identity file /var/services/homes/root/.ssh/id_dsa type -1

debug1: identity file /var/services/homes/root/.ssh/id_dsa-cert type -1

debug1: identity file /var/services/homes/root/.ssh/id_ecdsa type -1

debug1: identity file /var/services/homes/root/.ssh/id_ecdsa-cert type -1

debug1: identity file /var/services/homes/root/.ssh/id_ed25519 type -1

debug1: identity file /var/services/homes/root/.ssh/id_ed25519-cert type -1

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_6.6p2-hpn14v4

debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6p2-hpn14v4

debug1: match: OpenSSH_6.6p2-hpn14v4 pat OpenSSH* compat 0x04000000

debug2: fd 3 setting O_NONBLOCK

debug3: put_host_port: [127.0.0.1]:2222

debug3: load_hostkeys: loading entries for host "[127.0.0.1]:2222" from file "/var/services/homes/root/.ssh/known_hosts"

debug3: load_hostkeys: loaded 0 keys

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug1: AUTH STATE IS 0

debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: mac_setup: setup umac-64-etm@openssh.com

debug1: REQUESTED ENC.NAME is 'aes128-ctr'

debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none

debug2: mac_setup: setup umac-64-etm@openssh.com

debug1: REQUESTED ENC.NAME is 'aes128-ctr'

debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none

debug1: sending SSH2_MSG_KEX_ECDH_INIT

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ECDSA f9:30:29:b9:59:7e:d9:bc:27:b6:a0:8d:76:55:e6:27

debug3: put_host_port: [127.0.0.1]:2222

debug3: put_host_port: [127.0.0.1]:2222

debug3: load_hostkeys: loading entries for host "[127.0.0.1]:2222" from file "/var/services/homes/root/.ssh/known_hosts"

debug3: load_hostkeys: loaded 0 keys

debug1: checking without port identifier

debug3: load_hostkeys: loading entries for host "127.0.0.1" from file "/var/services/homes/root/.ssh/known_hosts"

debug3: load_hostkeys: found key type ECDSA in file /var/services/homes/root/.ssh/known_hosts:82

debug3: load_hostkeys: loaded 1 keys

debug1: Host '127.0.0.1' is known and matches the ECDSA host key.

debug1: Found key in /var/services/homes/root/.ssh/known_hosts:82

debug1: found matching key w/out port

debug1: ssh_ecdsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: SSH2_MSG_NEWKEYS received

debug1: Roaming not allowed by server

debug1: SSH2_MSG_SERVICE_REQUEST sent

debug2: service_accept: ssh-userauth

debug1: SSH2_MSG_SERVICE_ACCEPT received

debug2: key: /var/services/homes/root/.ssh/id_rsa ((nil)),

debug2: key: /var/services/homes/root/.ssh/id_dsa ((nil)),

debug2: key: /var/services/homes/root/.ssh/id_ecdsa ((nil)),

debug2: key: /var/services/homes/root/.ssh/id_ed25519 ((nil)),

debug1: Authentications that can continue: publickey,password

debug3: start over, passed a different list publickey,password

debug3: preferred publickey,keyboard-interactive,password

debug3: authmethod_lookup publickey

debug3: remaining preferred: keyboard-interactive,password

debug3: authmethod_is_enabled publickey

debug1: Next authentication method: publickey

debug1: Trying private key: /var/services/homes/root/.ssh/id_rsa

debug3: no such identity: /var/services/homes/root/.ssh/id_rsa: No such file or directory

debug1: Trying private key: /var/services/homes/root/.ssh/id_dsa

debug3: no such identity: /var/services/homes/root/.ssh/id_dsa: No such file or directory

debug1: Trying private key: /var/services/homes/root/.ssh/id_ecdsa

debug3: no such identity: /var/services/homes/root/.ssh/id_ecdsa: No such file or directory

debug1: Trying private key: /var/services/homes/root/.ssh/id_ed25519

debug3: no such identity: /var/services/homes/root/.ssh/id_ed25519: No such file or directory

debug2: we did not send a packet, disable method

debug3: authmethod_lookup password

debug3: remaining preferred: ,password

debug3: authmethod_is_enabled password

debug1: Next authentication method: password

root@127.0.0.1's password: I enter the correct password here :-)

debug3: packet_send2: adding 64 (len 52 padlen 12 extra_pad 64)

debug2: we sent a password packet, wait for reply

debug1: Single to Multithread CTR cipher swap - client request

debug1: Authentication succeeded (password).

Authenticated to 127.0.0.1 ([127.0.0.1]:2222).

debug1: Final hpn_buffer_size = 2097152

debug1: HPN Disabled: 0, HPN Buffer Size: 2097152

debug1: channel 0: new [client-session]

debug1: Enabled Dynamic Window Scaling

debug3: ssh_session2_open: channel_new: 0

debug2: channel 0: send open

debug1: Requesting no-more-sessions@openssh.com

debug1: Entering interactive session.

debug1: need rekeying

debug1: SSH2_MSG_KEXINIT sent

debug1: rekeying in progress

debug1: SSH2_MSG_KEXINIT received

debug1: AUTH STATE IS 1

debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ssh-rsa-cert-v01@openssh.com,ssh-dss-cert-v01@openssh.com,ssh-rsa-cert-v00@openssh.com,ssh-dss-cert-v00@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519,ssh-rsa,ssh-dss

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1,hmac-md5-etm@openssh.com,hmac-ripemd160-etm@openssh.com,hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit: none,zlib@openssh.com,zlib

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: kex_parse_kexinit: curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1

debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit: none,zlib@openssh.com

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit:

debug2: kex_parse_kexinit: first_kex_follows 0

debug2: kex_parse_kexinit: reserved 0

debug2: mac_setup: setup umac-64-etm@openssh.com

debug1: REQUESTED ENC.NAME is 'aes128-ctr'

debug1: kex: server->client aes128-ctr umac-64-etm@openssh.com none

debug2: mac_setup: setup umac-64-etm@openssh.com

debug1: REQUESTED ENC.NAME is 'aes128-ctr'

debug1: kex: client->server aes128-ctr umac-64-etm@openssh.com none

debug1: sending SSH2_MSG_KEX_ECDH_INIT

debug1: expecting SSH2_MSG_KEX_ECDH_REPLY

debug1: Server host key: ECDSA f9:30:29:b9:59:7e:d9:bc:27:b6:a0:8d:76:55:e6:27

debug3: put_host_port: [127.0.0.1]:2222

debug3: put_host_port: [127.0.0.1]:2222

debug3: load_hostkeys: loading entries for host "[127.0.0.1]:2222" from file "/var/services/homes/root/.ssh/known_hosts"

debug3: load_hostkeys: loaded 0 keys

debug1: checking without port identifier

debug3: load_hostkeys: loading entries for host "127.0.0.1" from file "/var/services/homes/root/.ssh/known_hosts"

debug3: load_hostkeys: found key type ECDSA in file /var/services/homes/root/.ssh/known_hosts:82

debug3: load_hostkeys: loaded 1 keys

debug1: Host '127.0.0.1' is known and matches the ECDSA host key.

debug1: Found key in /var/services/homes/root/.ssh/known_hosts:82

debug1: found matching key w/out port

debug1: ssh_ecdsa_verify: signature correct

debug2: kex_derive_keys

debug2: set_newkeys: mode 1

debug1: set_newkeys: rekeying

debug1: spawned a thread

debug1: spawned a thread

debug1: SSH2_MSG_NEWKEYS sent

debug1: expecting SSH2_MSG_NEWKEYS

debug2: set_newkeys: mode 0

debug1: set_newkeys: rekeying

debug1: spawned a thread

debug1: spawned a thread

debug1: SSH2_MSG_NEWKEYS received

debug2: callback start

debug2: fd 3 setting TCP_NODELAY

debug3: packet_set_tos: set IP_TOS 0x10

debug2: client_session2_setup: id 0

debug2: channel 0: request pty-req confirm 1

debug2: channel 0: request shell confirm 1

debug2: callback done

debug2: channel 0: open confirm rwindow 0 rmax 32768

debug2: tcpwinsz: 87380 for connection: 3

debug2: tcpwinsz: 87380 for connection: 3

debug2: channel_input_status_confirm: type 99 id 0

debug2: PTY allocation request accepted on channel 0

debug2: channel 0: rcvd adjust 87380

debug2: channel_input_status_confirm: type 99 id 0

debug2: shell request accepted on channel 0

debug2: tcpwinsz: 87380 for connection: 3

debug2: tcpwinsz: 87380 for connection: 3

Permission denied, please try again.

debug2: tcpwinsz: 87380 for connection: 3

debug1: client_input_channel_req: channel 0 rtype exit-status reply 0

debug1: client_input_channel_req: channel 0 rtype eow@openssh.com reply 0

debug2: channel 0: rcvd eow

debug2: channel 0: close_read

debug2: channel 0: input open -> closed

debug2: channel 0: rcvd eof

debug2: channel 0: output open -> drain

debug2: channel 0: obuf empty

debug2: channel 0: close_write

debug2: channel 0: output drain -> closed

debug2: channel 0: rcvd close

debug3: channel 0: will not send data after close

debug2: tcpwinsz: 87380 for connection: 3

debug2: channel 0: almost dead

debug2: channel 0: gc: notify user

debug2: channel 0: gc: user detached

debug2: channel 0: send close

debug2: channel 0: is dead

debug2: channel 0: garbage collecting

debug1: channel 0: free: client-session, nchannels 1

debug3: channel 0: status: The following connections are open:

#0 client-session (t4 r0 i3/0 o3/0 fd -1/-1 cc -1)

Connection to 127.0.0.1 closed.

Transferred: sent 4816, received 2820 bytes, in 0.2 seconds

Bytes per second: sent 25428.5, received 14889.6

debug1: Exit status 1

Would you have any ideas?

What is the problem??

Many thanks for your help!

Edited by lool38
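
Added example (not part of the original posts): a Python triage of `ssh -v` client output, showing that in the log above the password was accepted and the "Permission denied" text came from the remote session, which then exited with status 1. Both sample logs are constructed excerpts built from the client debug lines visible in the log above; `triage` and the stage names are hypothetical.

```python
import re

# Constructed excerpt: the stage-marking lines of the -vvv output in the post above.
POST_AUTH = """\
debug1: Connection established.
debug1: SSH2_MSG_NEWKEYS received
debug1: Authentication succeeded (password).
debug2: shell request accepted on channel 0
Permission denied, please try again.
debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
Connection to 127.0.0.1 closed.
debug1: Exit status 1
"""
# Constructed contrast case: a rejected password stops before any session exists.
BAD_PASSWORD = """\
debug1: Connection established.
debug1: SSH2_MSG_NEWKEYS received
debug1: Next authentication method: password
debug1: Authentications that can continue: publickey,password
Permission denied, please try again.
"""

# Stage name -> line the OpenSSH client prints once that stage has completed.
STAGES = [
    ("tcp", re.compile(r"debug1: Connection established")),
    ("kex", re.compile(r"debug1: SSH2_MSG_NEWKEYS received")),
    ("auth", re.compile(r"debug1: Authentication succeeded \(([^)]+)\)")),
    ("session", re.compile(r"debug2: shell request accepted on channel \d+")),
]
EXIT_STATUS = re.compile(r"debug1: Exit status (-?\d+)")
EXIT_REQ = re.compile(r"rtype exit-status")


def triage(log):
    """Return the first stage that did not complete, plus what the remote side printed."""
    done, method, status, remote, session_open = set(), None, None, [], False
    for line in (l.strip() for l in log.splitlines() if l.strip()):
        for name, rx in STAGES:
            m = rx.search(line)
            if m:
                done.add(name)
                if name == "auth":
                    method = m.group(1)
        if EXIT_REQ.search(line):
            session_open = False          # the remote process has ended
        elif "shell request accepted" in line:
            session_open = True
        elif session_open and not line.startswith("debug"):
            remote.append(line)           # heuristic: text received over the open channel
        m = EXIT_STATUS.search(line)
        if m:
            status = int(m.group(1))
    failed = next((n for n, _ in STAGES if n not in done), None)
    if failed is None and status not in (None, 0):
        failed = "remote-session"         # authenticated, but the remote session exited non-zero
    return {"failed_at": failed, "auth_method": method,
            "exit_status": status, "remote_output": remote}


if __name__ == "__main__":
    print(triage(POST_AUTH))
    print(triage(BAD_PASSWORD))
```

The same "Permission denied, please try again." text appears in both cases; only the stage at which it appears tells an authentication rejection apart from a refusal after login.
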
Posted

If you want my opinion, modifying system files for this kind of operation doesn't seem to me to be the best approach (all the more so since the config file will be overwritten during most firmware upgrades).

I imagine it's mainly the SSH port used for external WAN connections that you want to change?

In that case it's much simpler to do it in the port forwarding rule you declared in your router for the SSH service, and keep using port 22 on the LAN.

Note also that more recent versions of DSM give access to this option directly in the administration interface.

Posted (edited)

Hi!

You're absolutely right, I hadn't thought of that.

I just need to forward port 2222 on the WAN to port 22 locally on my router (and not forward port 22) to do what I want.

Tested and approved!

Otherwise, I saw the option to change the port via the DSM admin interface, but it won't let me set 2222.

Many, many thanks in any case ;-)

Edited by lool38
