Hello, On Wed, Jun 3, 2015, at 10:41 AM, Fryer, David wrote: Are you running SSH on the standard port of 22? Are you using SELinux in Enforcing mode? If you are running SSH on a non-standard port, and have SELinux enabled, you would also need to do something like: /usr/sbin/semanage port -a -t ssh_port_t -p tcp 1234 Where 1234 is the new port that you are using. This would set things up so that SELinux would be managing that port for SSH connections. If that's not the issue, kindly post the output of your ssh connection attempt using the -v or -vv flags so that we can see where the connection is getting stuck. Thanks, Jim

On 06/04/2015 07:15 AM, Fryer, David wrote: Actually, those of us ingrained into the Fedora Project prefer to use fpaste.org for pasting data, but it's not that big of a deal. Now, with that said, we need to see the sshd logs from the target system. In /etc/ssh/sshd.conf, set the LogLevel line to 'debugging', restart sshd.service, and try to connect again. Then give us the output of 'journalctl -b -u sshd'. Dan -- Dan Mossor, RHCSA Systems Engineer Fedora Server WG | Fedora KDE WG | Fedora QA Team Fedora Infrastructure Apprentice FAS: dmossor IRC: danofsatx San Antonio, Texas, USA

Here are the sshd logs: http://fpaste.org/228902/43343143/ ________________________________________ From: firewalld-users-bounces(a)lists.fedorahosted.org [firewalld-users-bounces(a)lists.fedorahosted.org] on behalf of Dan Mossor [danofsatx(a)gmail.com] Sent: Thursday, June 04, 2015 10:59 AM To: firewalld-users(a)lists.fedorahosted.org Subject: Re: New to firewalld, Questions about getting started. On 06/04/2015 07:15 AM, Fryer, David wrote: Actually, those of us ingrained into the Fedora Project prefer to use fpaste.org for pasting data, but it's not that big of a deal. Now, with that said, we need to see the sshd logs from the target system. In /etc/ssh/sshd.conf, set the LogLevel line to 'debugging', restart sshd.service, and try to connect again. Then give us the output of 'journalctl -b -u sshd'. Dan -- Dan Mossor, RHCSA Systems Engineer Fedora Server WG | Fedora KDE WG | Fedora QA Team Fedora Infrastructure Apprentice FAS: dmossor IRC: danofsatx San Antonio, Texas, USA _______________________________________________ firewalld-users mailing list firewalld-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users

Unfortunately, I don't think that was the issue. I am not using key-based authentication, but even after adding creating /root/.ssh/authorized_keys and adding my public key (done as separate steps, attempting to log in in between), I remain unable to ssh into the machine. Can anyone think of a reason that adding "UseDNS no" to the sshd configuration would allow connections? Even when ssh is not an allowed service on the machine (from firewalld)? --David Fryer ________________________________________ From: firewalld-users-bounces(a)lists.fedorahosted.org [firewalld-users-bounces(a)lists.fedorahosted.org] on behalf of Dan Mossor [danofsatx(a)gmail.com] Sent: Thursday, June 04, 2015 12:09 PM To: Firewalld users discussion list Subject: Re: New to firewalld, Questions about getting started. On 06/04/2015 10:22 AM, Fryer, David wrote: There it is on line 43: Jun 04 11:13:29 lin302.mno.stratus.com sshd[40203]: debug1: Could not open authorized keys '/root/.ssh/authorized_keys': No such file or directory -- Dan Mossor, RHCSA Systems Engineer Fedora Server WG | Fedora KDE WG | Fedora QA Team Fedora Infrastructure Apprentice FAS: dmossor IRC: danofsatx San Antonio, Texas, USA _______________________________________________ firewalld-users mailing list firewalld-users(a)lists.fedorahosted.org https://lists.fedorahosted.org/mailman/listinfo/firewalld-users

On 06/07/2015 07:44 AM, Jorge Fábregas wrote: Eventually the login prompt appears (minutes later), but the login always ends up timing out from the long delay. But it turns out that UseDNS was a very important clue! Something popped into my head on Friday -- we're applying additional configuration to nsswitch.conf in order to set up the box as an NIS client (yes, in 2015! :( If "nis" was removed from the hosts line of nsswitch.conf, then logins proceeded normally, even with the firewall up. Put it back in and a simple "gethostbyname()" test program failed. Turning off firewalld and then applying the following iptables rule: % iptables -I INPUT -m state --state NEW -j LOG we could see the NIS server attempting to connect back to our box on several UDP ports (anywhere from 600 to 1000) upon ssh login. so I added a rich-rule to the default zone: ... <rule family="ipv4"> <source address="www.xxx.yyy.zzz"/> <port protocol="udp" port="512-1023"/> <accept/> </rule> ... to allow these connections to the machine. Logins appear to be functioning now. It would be great if firewalld (or firewall-config) provided a logging mechanism to help examine dropped packets. Even nicer would be a "learning mode" that could be enabled while various services are exercised and a summary of ports/protocols/sources suggested for the firewall exclusion. Easier said than done perhaps. Anyway, thanks everyone for the help and suggestions along the way! -- Joe