SSH/SFTP from outside to my Mac

Kilamite
Nov 17, 2012, 09:33 AM
I have a Raspberry Pi and a Mac with SSH enabled. I want to SSH to my Mac from outside; however, I'm having trouble differentiating between my Mac and Raspberry Pi.

If I SSH from the outside using my public IP, my router always relays that onto the Raspberry Pi. I can then tunnel from the Pi to my Mac, but that isn't ideal when I want to SFTP.

I've tried opening up additional ports on my router, one for my Mac's LAN IP and one for the Pi, and SSH using those ports to differentiate between my Mac and Pi but no luck.

Worth mentioning that even with the Pi turned off, I can't SSH to my Mac from the outside.



switon
Nov 17, 2012, 10:19 AM
Hi Kilamite,

Depending upon your router, some routers allow you to specify which internal LAN IP address a connection on a particular external port (WAN-Internet) will be directed to. You have to set up the differentiated port forwarding at the router level.

It looks like you have already attempted this non-standard SSH port scheme. Did you edit both the ssh_config and sshd_config files to specify the non-standard ports for the Mac? Can you SSH to your Mac from the outside when using the standard port 22 (obviously with the Pi unplugged)? If not, then you may have a router issue. If so, then you may have a firewall issue on your Mac when using the non-standard port.

I don't have and am not familiar with the Raspberry Pi, but I've done precisely the above non-standard SSH port strategy for SSH-ing to multiple computers on a LAN from the external Internet. Has the Pi reset the configuration on your router to forward everything to itself?

Good luck,
Switon

Kilamite
Nov 17, 2012, 10:38 AM
Thanks for the reply switon.

To make things simpler, I'll use Cyberduck SFTP to test, since it is easier to quickly configure ports (screenshot 2).

I've attached my router settings with port forwarding. I've blocked out the other ports I have open, however, port 22 is open by default.

When I use port 9092 to connect to the Pi, it doesn't work. If I use port 22, it works fine.

EDIT - I noticed I actually had port 22 forwarding to the Pi's IP address (set this up ages ago). I changed that to my Mac's IP and I can now remotely SFTP to my Mac. But using non SSH ports to differentiate between LAN computers still isn't working for me.

switon
Nov 17, 2012, 01:01 PM
> EDIT - I noticed I actually had port 22 forwarding to the Pi's IP address (set this up ages ago). I changed that to my Mac's IP and I can now remotely SFTP to my Mac. But using non SSH ports to differentiate between LAN computers still isn't working for me.

Hi Kilamite,

Glad to hear that you can sftp to your Mac when on the standard port 22. So sftp is working. But you can't sftp when on a non-standard port. Unfortunately, I don't use CyberDuck, so I can't answer any questions about that. Rather I use the SSH that comes with Mac OS/Xcode. Does CyberDuck use the same /etc/sshd_config file, or does it have its own? When you look at /etc/sshd_config, is the "#" in front of the "Port xxxx" line missing? The "#" makes the line a comment and thus it is not read. If you edit this file manually, change the "#Port 22" to "Port xxxx". Then restart the SSH daemon. (I don't know how you do this with CyberDuck, so I'm giving you the way I do it using the system's built-in ssh.) Once restarted, the daemon should now be looking for connections on port xxxx. You would then have port xxxx forwarded by your router to your Mac's IP address, and you would "ssh -p xxxx", or however CyberDuck connects on a different port, from your external Mac.

One possible way of tracking this down is to use a packet sniffer (I use wireshark -- free from the MacPorts or Fink projects) on your LAN Mac to see if your ssh packets are properly being forwarded through your router to your LAN Mac. If they are properly forwarded, then you must have a firewall problem with the non-standard port for ssh. You might check if this is the case by switching off your firewall for a minute and performing the test to see if it works without the firewall. If it does, then you know that it's your firewall that is causing the connection problem. Or, if you don't want to switch off your firewall, then turn on firewall logging and look at the log files to see if the ssh packets are being deep sixed by your firewall. If it is your firewall, then you can write a specific rule to allow the non-standard port.

...just some more thoughts...

Good luck,
Switon

switon
Nov 17, 2012, 01:26 PM
> When I use port 9092 to connect to the Pi, it doesn't work. If I use port 22, it works fine.

Assuming that CyberDuck is working correctly, then it sounds like your router may not be forwarding the non-standard ports properly, since the Pi also does not work on non-standard ports...

Personally, I track these problems down with wireshark, but any packet sniffer would work. The WiFi Diagnostics.app from Mac OS has a rudimentary packet sniffer built-in, but I have no experience with it.

Switon

switon
Nov 17, 2012, 01:41 PM
Hi,

I assume that this is not the problem, but it is worth checking. Is CyberDuck using the same protocol when it is on a non-standard port? It should be using Protocol 2.

Switon

torid110
Nov 17, 2012, 05:53 PM
I don't think this will work the way that you have it configured, because SSH is still listening on port 22 on both your devices, which are default ports. You will need to change the configuration on each machine to have SSH start up using the ports that you are listing as the INT port on the router.

See this post:

http://zanshin.net/2012/07/03/change-sshd-port-on-mac-os-x-lion/

switon
Nov 18, 2012, 08:06 AM
Hi torid110,

Yes, that is what Kilamite is attempting to achieve: ssh-ing to two different machines on a LAN through a router from the WAN (Internet) by using non-standard ports for one machine and the standard port 22 for the other. The problem is the non-standard port didn't work, so he/she attempted SSH-ing to both machines on the standard port, just to be certain that the ssh server was working on both machines. Once that was verified, then he/she can return to attempt to figure out why the non-standard port does not work. Is it the router's forwarding problem or the machine's firewall, or what?

Thanks for the link....I wonder if upgrading to Lion/ML automatically updates this plist? Since I use MacPorts, I wonder if we are using different ssh/sshd utilities?

Regards,
Switon

torid110
Nov 18, 2012, 08:48 AM
Switon, yup, got that part. The reason I'm saying that it's not working is because the machines themselves are always listening for SSH connections on port 22, unless you change them. This is independent of the router.

Even if he sets the forward on the router, the machines don't know that they have to listen for SSH connections on the ports he specified on the router.

He can test the following, keep the EXT port what he wants (9901), and change the INT port that it forwards to to 22. If he connects via ssh to WAN-IP port 9901, he will be able to make the connection.

switon
Nov 18, 2012, 09:23 AM
Hi torid110,

Yup, got that part too. That's why I had asked Kilamite about the sshd_config file, this is the file (old style -- more on this in a moment) that resets the port on the sshd daemon so that the machine is also listening on the non-standard port.

Your link made me realize that I may be using the older Linux version of ssh/sshd, as I'm a relatively new convert to Mac OSX from Linux, and indeed I am using the Linux utilities and not the Mac OSX ones. (I change my ports the old Linux way, which I just retested. And then I switched from the Linux utilities to the Mac OSX OpenSSH utilities, and these are controlled by the ssh.plist. I changed the port on my machines using the ssh.plist so that also works when using the Mac OSX default OpenSSH routines.) Thanks so much for pointing out this link...it didn't cross my mind that I was still using the Linux utilities, although I probably should have remembered this, but I set this up in 2010 and it just hadn't occurred to me.

Thanks again, much appreciated,
Switon

P.S. So, Kilamite, the upshot of this is that you need to make sure that your CyberDuck is altering the ssh port correctly (I assume that CyberDuck is doing the correct thing, but who knows). I don't know how CyberDuck sets its ssh/sshd ports, but you might try reverting to the Mac OSX ssh utilities and testing them by changing their ports using the /etc/services and /System/Library/LaunchDaemons/ssh.plist way. I checked both the old Linux way using Linux utilities that I had downloaded and built, and this worked; and I also checked the Mac OSX OpenSSH utilities using the ssh.plist and /etc/services, and this way also worked --- so you can use non-standard ports for ssh either way. The only thing left to do is for you to make certain that your CyberDuck ssh is also changing the ports correctly. Maybe you have to reboot your machine after changing the port in CyberDuck in order to restart the CyberDuck ssh daemon?

P.P.S. So now the question is, when the next OSX update comes along, 10.8.3(?), will it overwrite ssh.plist or will it do the proper "merge", keeping the non-standard port numbers? I assume that it will do the proper "merge", the way Linux distros do. But if non-standard ssh ports stop working after an upgrade, we'll have to remember to check this.

Kilamite
Nov 18, 2012, 12:41 PM
I've changed the Pi ssh_config to use port 9092 rather than port 22, and rebooted it. Cyberduck is using port 9092 to SFTP to the Pi, however it still isn't working.

So to clarify the setup:

1. The Pi has IP 192.168.1.4 and the router forwards port 9092 to the Pi's IP (TCP and UDP).
2. The Pi's ssh_config file is set to use port 9092 instead of 22.
3. Cyberduck is set to use port 9092 for SFTP.
4. If I use port 22, everything works fine.

Appreciate the help guys!

EDIT: Doh. I edited the ssh_config instead of the sshd_config file.

It all works now!

Thanks for your help.
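
The mismatch this thread tracked down (the router's INT port versus the port sshd is actually listening on), as an added example that is not part of any post: it reads the active `Port` lines from sshd_config text and checks each forwarding rule against them. The config snippets and function names are constructed for illustration; only 192.168.1.4 and ports 22, 9092 and 9901 come from the thread, and it assumes no `ListenAddress` line sets its own port.

```python
import re

DEFAULT_SSH_PORT = 22  # what sshd listens on when no Port line is active


def sshd_listen_ports(config_text):
    """Ports set by active (uncommented) Port lines in sshd_config text."""
    ports = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # "#Port 22" is a comment, not a setting
        if not line:
            continue
        if re.match(r"match\s", line, re.I):
            break  # Port is a global keyword; nothing after Match can set it
        m = re.match(r"port(?:\s*=\s*|\s+)(\d+)$", line, re.I)
        if m:
            ports.append(int(m.group(1)))
    return ports or [DEFAULT_SSH_PORT]


def check_forwards(forwards, sshd_configs):
    """forwards: (ext_port, lan_ip, int_port); sshd_configs: lan_ip -> config text.

    Returns (ext_port, lan_ip, int_port, listening_ports, ok) per rule.
    """
    results = []
    for ext, ip, internal in forwards:
        listening = sshd_listen_ports(sshd_configs[ip])
        results.append((ext, ip, internal, listening, internal in listening))
    return results


PI = "192.168.1.4"
# Constructed sshd_config contents for the Pi.
PI_UNCHANGED = "#Port 22\nProtocol 2\n"   # ssh_config was edited, sshd_config was not
PI_FIXED = "Port 9092\nProtocol 2\n"      # sshd_config edited, daemon restarted

SCENARIOS = {
    "9092 -> 9092, sshd_config untouched": ([(9092, PI, 9092)], {PI: PI_UNCHANGED}),
    "9901 -> 22, sshd_config untouched": ([(9901, PI, 22)], {PI: PI_UNCHANGED}),
    "9092 -> 9092, sshd_config fixed": ([(9092, PI, 9092)], {PI: PI_FIXED}),
}

if __name__ == "__main__":
    for name, (forwards, configs) in SCENARIOS.items():
        for ext, ip, internal, listening, ok in check_forwards(forwards, configs):
            verdict = "OK" if ok else "MISMATCH"
            print(f"{name}: WAN:{ext} -> {ip}:{internal}, sshd on {listening}: {verdict}")
```

On a live host, `sshd -T` prints the effective configuration, which is a more reliable source for the listening port than reading the file by hand.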

switon
Nov 18, 2012, 02:48 PM
Great! Glad it all works now.

So CyberDuck and the Pi use the sshd_config file, like my old Linux distros, instead of the Mac OSX way!

Regards,
Switon

P.S. I just switched from my Linux ssh utilities to the Mac OSX OpenSSH utilities. I'm thinking I might switch back since I'm more familiar with the ssh_config and sshd_config way of setting parameters.

torid110
Nov 18, 2012, 03:11 PM
Glad to hear it's working!

Kilamite
Nov 18, 2012, 03:15 PM
> So CyberDuck and the Pi use the sshd_config file, like my old Linux distros, instead of the Mac OSX way!

Well CyberDuck lets you specify the port you want to connect using, and the Pi will refuse anything that isn't on that port.

The Pi uses sshd_config because it runs Linux.

Not sure what you mean by the Mac OS X way in this sense since they aren't relating to OS X!

switon
Nov 18, 2012, 09:07 PM
> Well CyberDuck lets you specify the port you want to connect using, and the Pi will refuse anything that isn't on that port.
>
> The Pi uses sshd_config because it runs Linux.
>
> Not sure what you mean by the Mac OS X way in this sense since they aren't relating to OS X!

Hi Kilamite,

By "Mac OS X way" I mean the way the Mac OS X uses ssh.plist to specify the parameters for ssh. For instance, in ssh.plist you tell OpenSSH to use the ports with a specific label in the /etc/services file. The Linux way is to specify the "Port xxxx" command in the /etc/sshd_config file. Both are unix, but the Mac OS X is getting away from the "old" way and is rather using plists to do much of its configurations.

Switon