Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

impossible to connect windows 10 client machine through public ipv4 #2285

Open
3 tasks done
aragon5956 opened this issue Oct 13, 2024 · 20 comments
Open
3 tasks done

impossible to connect windows 10 client machine through public ipv4 #2285

aragon5956 opened this issue Oct 13, 2024 · 20 comments
Labels
Waiting on Author Need more information to diagnose

Comments

@aragon5956
Copy link

Prerequisites

  • Write a descriptive title.
  • Make sure you are able to repro it on the latest version
  • Search the existing issues.

Steps to reproduce

hello ,
i can't to connect my windows 10 machine client , i have this version of openssh : ```
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2
usage: sshd [-46DdeGiqTtV] [-C connection_spec] [-c host_cert_file]
[-E log_file] [-f config_file] [-g login_grace_time]
[-h host_key_file] [-o option] [-p port] [-u len]
PS C:\Program Files\OpenSSH>


my `sshd_config` in `ProgrammData`  directory is  : ```
# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

Port 2222
#AddressFamily any
ListenAddress 0.0.0.0
ListenAddress ::

#HostKey __PROGRAMDATA__/ssh/ssh_host_rsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_dsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ecdsa_key
#HostKey __PROGRAMDATA__/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
SyslogFacility LOCAL0
LogLevel DEBUG

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

# For this to work you will also need host keys in %programData%/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
PasswordAuthentication yes
#PermitEmptyPasswords no

# GSSAPI options
#GSSAPIAuthentication no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#PermitUserEnvironment no
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem	sftp	sftp-server.exe

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Match Group administrators
       AuthorizedKeysFile __PROGRAMDATA__/ssh/administrators_authorized_keys

could you help me ?
Regards

Expected behavior

connected with success

Actual behavior

timeout

Error details

No response

Environment data

windows 10 lastest build : 19045.5011

Version

OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2

Visuals

20241013144552.mp4
@tgauth
Copy link
Collaborator

tgauth commented Oct 14, 2024

Can you run ipconfig in terminal and ensure that IPV4 address is correct?

@tgauth tgauth added the Waiting on Author Need more information to diagnose label Oct 14, 2024
@aragon5956
Copy link
Author

It's a public ipv4 !! not private!!

@tgauth
Copy link
Collaborator

tgauth commented Oct 15, 2024

Can you check the firewall rules and make sure sshd can accept incoming connections on public networks?

@aragon5956
Copy link
Author

aragon5956 commented Oct 16, 2024

I will try as soon as , it's vert strangely because even i disable firewall, i Can't connect through public ipv4 ,on 22 port pr 2222 , but inwill verify again
Regards

@Chao216
Copy link

Chao216 commented Oct 16, 2024

got same issue

ltsc 24h2
lastest GitHub Release, installed by ps1 script

turn off firewall completely, connect
turn on firewall, timed out

@tgauth
Copy link
Collaborator

tgauth commented Oct 17, 2024

@Chao216 did you verify the firewall rules to ensure sshd can accept incoming connections on public networks?

@Chao216
Copy link

Chao216 commented Oct 18, 2024

Hi @tgauth,

A weird thing is that i found on some Old os, install open ssh server will automatically add a firewall inbound rule allow port 22 ,
vice versa.

but new windows seems don't behave like that, I have to manually add firewall inbound rule.

regarding permissions for log folder, I used a local admin account, could not open and got uac prompt, this cause the later on ssh server break (restart 1607 error), a question I would like to know is as i set System and administrators to have full control, why my account (member of administrators) can't access log folder by default?

@tgauth
Copy link
Collaborator

tgauth commented Oct 18, 2024

Hi @tgauth,

A weird thing is that i found on some Old os, install open ssh server will automatically add a firewall inbound rule allow port 22 , vice versa.

but new windows seems don't behave like that, I have to manually add firewall inbound rule.

Yes - newer Windows versions still create a firewall rule, but only for private networks.

regarding permissions for log folder, I used a local admin account, could not open and got uac prompt, this cause the later on ssh server break (restart 1607 error), a question I would like to know is as i set System and administrators to have full control, why my account (member of administrators) can't access log folder by default?

Technically, the check is for the SYSTEM and Administrators group SIDs so that is why the account, although administrator, is rejected. We're working on updating this, but in the meantime, if you navigate to the log folder via terminal, the user can still view the logs without the ACLs being modified by file explorer.

@aragon5956
Copy link
Author

Pouvez-vous vérifier les règles du pare-feu et vous en assurer sshdpeut-on accepter les connexions entrantes sur les réseaux publics?
i have a another firewall , it GDATA internet security solution , and, even i disabled the firewall i can't connect myself through ipv4

Can you check the firewall rules and make sure sshd can accept incoming connections on public networks?

i can only with private netwok , i've tested it

@aragon5956
Copy link
Author

aragon5956 commented Oct 18, 2024

Can you check the firewall rules and make sure sshd can accept incoming connections on public networks?

i cant only private ip like 192.168.1.x or localhost , and i listen on 0.0.0.0 on 2222 port
regards

@Chao216
Copy link

Chao216 commented Oct 19, 2024

Hi @tgauth,

A weird thing is that i found on some Old os, install open ssh server will automatically add a firewall inbound rule allow port 22 , vice versa.

but new windows seems don't behave like that, I have to manually add firewall inbound rule.

Yes - newer Windows versions still create a firewall rule, but only for private networks.

regarding permissions for log folder, I used a local admin account, could not open and got uac prompt, this cause the later on ssh server break (restart 1607 error), a question I would like to know is as i set System and administrators to have full control, why my account (member of administrators) can't access log folder by default?

Technically, the check is for the SYSTEM and Administrators group SIDs so that is why the account, although administrator, is rejected. We're working on updating this, but in the meantime, if you navigate to the log folder via terminal, the user can still view the logs without the ACLs being modified by file explorer.

reverted permissions full control back to Nt system and administrators, if i use elevated CMD or PowerShell prompt,can cd into log folder and cat the log content.

Maybe an elevated Explorer process will be able to access just like the CLI environment

@aragon5956
Copy link
Author

aragon5956 commented Oct 19, 2024

Can you run ipconfig in terminal and ensure that IPV4 address is correct?

I have another problem waiting and I do not know how to solve it : #1176

or
most recently : #2290

@aragon5956
Copy link
Author

aragon5956 commented Oct 22, 2024

Can you check the firewall rules and make sure sshd can accept incoming connections on public networks?

Do you want video proof ,as i solve others problem , about firewall and ssh port ?

@tgauth
Copy link
Collaborator

tgauth commented Oct 28, 2024

@aragon5956 - can you provide sshd logs from the connection attempt via public ip?

@aragon5956
Copy link
Author

aragon5956 commented Oct 28, 2024

i've jsut this :

PS C:\Program Files\OpenSSH> sshd  -d
debug1: sshd version OpenSSH_for_Windows_9.5, LibreSSL 3.8.2
debug1: get_passwd: lookup_sid() failed: 1332.
debug1: private host key #0: ssh-rsa SHA256:ClEXD2C/iaTwtFDxUOPwcIrK8+CqXHlutDxXSgzIPTM
debug1: private host key #1: ecdsa-sha2-nistp256 SHA256:7qwfTYBphjkTNFm+wSF+LX9P9JKPMgu++qLcOKjd/FQ
debug1: private host key #2: ssh-ed25519 SHA256:T3TryzsUax+Lm1/tPpZtoH12STRWvMY/teFwy4HPa6o
debug1: rexec_argv[0]='C:\\Program Files\\OpenSSH\\sshd.exe'
debug1: rexec_argv[1]='-d'
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.

and i can't start the service too !

@aragon5956
Copy link
Author

I will see as soon as, if the service configuration points to

 C:\Program Files\OpenSSH\sshd

And no to

C:\Program Files\OpenSSH\

@aragon5956
Copy link
Author

so i checked it , and it's ok : " C:\Program Files\OpenSSH\sshd"

@aragon5956
Copy link
Author

after solve this issue partially : #2290, i've still problem to connect through ipv4

@aragon5956
Copy link
Author

aragon5956 commented Nov 2, 2024

if I scan my ip with zenmap software on windows , and even connecting my computer to a shared wifi without restriction and high level security policies, I do not see port 22 open. the connection on the service sshd.exe only works locally with the local address 127.0.0.1 and the private ip address of my computer at my home network

@tgauth
Copy link
Collaborator

tgauth commented Nov 4, 2024

@aragon5956, can you run the following in PowerShell to confirm the network firewall rule(s) for sshd:
Get-NetFirewallApplicationFilter -Program "*sshd*" | Get-NetFirewallRule

The profile field for the sshd rule must include Public in order to connect over a public IP.

See https://learn.microsoft.com/en-us/windows/security/operating-system-security/network-security/windows-firewall/configure-with-command-line?tabs=powershell for more information on configuring firewall rules.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Waiting on Author Need more information to diagnose
Projects
None yet
Development

No branches or pull requests

3 participants