How do I SSH into my Samba file server?
Scriptonaut, your problem probably has nothing to do with Samba, but with port forwarding/NAT. If your SAMBA-serving Debian computer sits in a LAN behind a router, you need the router configured to transfer requests arriving on some of its ports to the machine running SAMBA:
First, I'll explain how outgoing connections work through a router. When two machines speak via TCP/IP, each machine (source and destination) is addressed by an IP/port pair, so the connection is determined by two pairs: source IP/port and destination IP/port.
When you open a tab in Mozilla on your 192.168.1.2 machine and access Google, it sends some IP packets to the router with its own IP (192.168.1.2) as the source address and an arbitrary outgoing TCP port it allocated for that browser tab (like 43694), and asks the router to transfer those packets to a Google machine with a certain IP on port 80 of that machine, because 80 is the standard port for incoming HTTP connections (you can see the list of standard TCP ports in the /etc/services file on Linux). The router allocates a port of its own at random (e.g. 12345), replaces the source IP/port pair in those packets with its own WAN IP (74.25.14.86) and port 12345, and remembers that if it gets a response on port 12345 from Google, it should automatically transfer that response back to 192.168.1.2, port 43694.
Now, what happens when an outer machine wants to access your server?
When you try to access your SAMBA server from the outer machine, it sends IP packets to your WAN IP (74.25.14.86), port 22 (because 22 is the standard TCP port for listening to SSH connections; again, see the list of standard TCP ports in the /etc/services file on Linux). Your router receives those packets. By default, firewalls on routers are configured to block all incoming connections to any port if there was no outgoing connection bound to that port (so when you were accessing Google in the previous case, the router didn't block the response from Google to its port 12345, because it remembered that your 192.168.1.2 initiated a connection to Google and the response from Google should come to port 12345). But it would block attempts to initiate connections from the outer world to its port 22, because port 22 was not mapped for any connection originating from the LAN.
So, what you need to do is configure your router to transfer all connections to its port 22 from the outside to port 22 of your 192.168.1.2. This can be done in the web interface of hardware routers; usually the menu option you need is called "Port-forwarding" or "NAT - network address translation".
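To make the answer's mechanism concrete, here is an added example (not from the thread, and a simplification of what a consumer router does) that models the router's NAT table: an outbound flow creates a mapping, a reply that matches the mapping is rewritten back to the LAN host, an unsolicited packet to port 22 is dropped until a port-forward rule exists, and, as an assumption about routers without NAT loopback, a LAN host cannot reach the server through the WAN address. The WAN IP and port numbers reuse the answer's illustrative figures; the remote addresses are constructed.

```python
"""Toy model of stateful NAT plus a static port-forward rule.
Added example, not from the thread; all addresses and ports are
constructed sample values (WAN IP, LAN host and port numbers reuse
the figures used in the answer above)."""
import itertools
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatRouter:
    """Outbound flows create entries in a mapping table; inbound packets are
    delivered only if they match an entry or a port-forward rule, and are
    otherwise dropped (the default firewall behaviour the answer describes)."""

    def __init__(self, wan_ip, first_wan_port=12345):
        self.wan_ip = wan_ip
        self._next_port = itertools.count(first_wan_port)  # sequential instead of random, for a predictable demo
        # wan_port -> (lan_ip, lan_port, remote_ip, remote_port)
        self.table = {}
        # wan_port -> (lan_ip, lan_port): the "Port-forwarding" menu entries
        self.forwards = {}

    def add_forward(self, wan_port, lan_ip, lan_port):
        self.forwards[wan_port] = (lan_ip, lan_port)

    def outbound(self, pkt):
        """LAN -> WAN: rewrite the source to the WAN IP and a freshly
        allocated port, and remember how to undo that for the reply."""
        if pkt.dst_ip == self.wan_ip:
            # Assumption: no NAT loopback, so LAN clients cannot reach the
            # server through the router's public address.
            return None
        wan_port = next(self._next_port)
        self.table[wan_port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.wan_ip, wan_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        """WAN -> LAN: return the packet rewritten for the LAN host, or None
        when the router drops it."""
        if pkt.dst_ip != self.wan_ip:
            return None
        entry = self.table.get(pkt.dst_port)
        if entry is not None:
            lan_ip, lan_port, remote_ip, remote_port = entry
            # Only the peer the LAN host contacted may use this mapping.
            if (pkt.src_ip, pkt.src_port) == (remote_ip, remote_port):
                return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
            return None
        fwd = self.forwards.get(pkt.dst_port)
        if fwd is not None:
            lan_ip, lan_port = fwd
            return Packet(pkt.src_ip, pkt.src_port, lan_ip, lan_port)
        return None  # unsolicited and not forwarded: blocked


WAN_IP = "74.25.14.86"         # router's public address, as in the answer
LAN_SERVER = "192.168.1.2"     # the SAMBA/SSH host on the LAN, as in the answer
WEB_SERVER = "198.51.100.10"   # constructed stand-in for a remote web server
REMOTE_CLIENT = "203.0.113.5"  # constructed remote SSH client


def demo():
    """Walk through the three situations the answer describes."""
    router = NatRouter(WAN_IP)
    # 1. A browser on the LAN host opens a connection; the reply comes back.
    out = router.outbound(Packet(LAN_SERVER, 43694, WEB_SERVER, 80))
    reply = router.inbound(Packet(WEB_SERVER, 80, WAN_IP, out.src_port))
    # 2. An unsolicited SSH connection from the internet is dropped.
    ssh_blocked = router.inbound(Packet(REMOTE_CLIENT, 51000, WAN_IP, 22))
    # 3. With a port-forward rule the same packet reaches the LAN server.
    router.add_forward(22, LAN_SERVER, 22)
    ssh_forwarded = router.inbound(Packet(REMOTE_CLIENT, 51000, WAN_IP, 22))
    return {"out": out, "reply": reply, "ssh_blocked": ssh_blocked,
            "ssh_forwarded": ssh_forwarded}


if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name}: {pkt}")
```

Running the script prints the translated packets for the web flow, `None` for the blocked SSH attempt, and the rewritten packet addressed to 192.168.1.2:22 once the rule is in place; the `outbound` check for the WAN address is what makes the later "works from outside, not from inside" symptom fall out of the model.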
Scriptonaut
Updated on September 18, 2022

Comments
-
Scriptonaut over 1 year
So I made a dedicated Samba file server on my Debian (3.2) machine. I have had great success accessing it from both Windows and Unix. I can SSH into it on the local network.
When I try to SSH into it via the public IP address, it says connection refused.
I would like to be able to ssh into it remotely, directing into the Samba share. How would I go about doing this? I hear I might have to port forward? Do I need to change anything in the smb.conf file?
Here's my sshd_config file:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 768

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin yes
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
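Before port 22 is forwarded from the internet, the posted sshd_config is worth reading for what it would expose. The following is an added example, not from the question or from OpenSSH: it parses sshd_config syntax (first occurrence of a directive wins, ListenAddress accumulates; Match blocks are ignored, which is an assumption that holds for the file above) and reports the settings that matter once the port is reachable from outside. The sample text is a constructed excerpt of the configuration posted above, and the DEFAULTS table assumes the OpenSSH 6.x-era defaults of that Debian release.

```python
"""Audit an sshd_config for settings that matter once port 22 is exposed.
Added example, not from the thread or from OpenSSH. SAMPLE_SSHD_CONFIG is a
constructed excerpt of the file posted in the question."""
import re

SAMPLE_SSHD_CONFIG = """\
# Package generated configuration file
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
PermitRootLogin yes
PubkeyAuthentication yes
PermitEmptyPasswords no
ChallengeResponseAuthentication no
#PasswordAuthentication yes
X11Forwarding yes
UsePAM yes
"""

# Values sshd uses when a directive is absent or commented out.
# Assumption: OpenSSH 6.x defaults (PermitRootLogin defaulted to "yes" then).
DEFAULTS = {
    "listenaddress": ["0.0.0.0", "::"],
    "passwordauthentication": ["yes"],
    "permitrootlogin": ["yes"],
    "port": ["22"],
    "x11forwarding": ["no"],
}


def parse_sshd_config(text):
    """Return {keyword: [values in file order]} with keywords lowercased.
    Blank and '#' lines are skipped; 'keyword value' and 'keyword=value'
    forms are accepted. Match blocks are not handled (assumption: none)."""
    config = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"([A-Za-z0-9]+)\s*(?:=|\s)\s*(.*)", line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        config.setdefault(key, []).append(value)
    return config


def effective(config, key):
    """sshd honours the first occurrence of a directive, except that
    ListenAddress lines accumulate; fall back to DEFAULTS otherwise."""
    values = config.get(key)
    if not values:
        return DEFAULTS[key]
    return values if key == "listenaddress" else values[:1]


def audit(config):
    """Return human-readable findings about internet exposure."""
    findings = []
    listen = effective(config, "listenaddress")
    if listen == DEFAULTS["listenaddress"]:
        findings.append("ListenAddress not set: sshd binds every interface, "
                        "so a forwarded port can reach it")
    elif all(a.startswith("127.") or a == "::1" for a in listen):
        findings.append("sshd listens on loopback only: unreachable from the "
                        "LAN or the router")
    if effective(config, "permitrootlogin")[0] == "yes":
        findings.append("PermitRootLogin yes: root can log in directly; set it "
                        "to no or without-password before exposing port 22")
    if effective(config, "passwordauthentication")[0] == "yes":
        findings.append("PasswordAuthentication effectively yes: password "
                        "guessing from the internet is possible; prefer keys")
    findings.append("Port %s is the LAN-side port the router rule must "
                    "forward to" % effective(config, "port")[0])
    return findings


if __name__ == "__main__":
    for finding in audit(parse_sshd_config(SAMPLE_SSHD_CONFIG)):
        print("-", finding)
```

On the posted file the audit reports that sshd binds all interfaces (so the "listen on 0.0.0.0" concern raised later in the comments does not apply), that root login is permitted, and that password authentication is effectively on because the directive is commented out; the last two are the settings to change before the forward rule goes live.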
-
Keith over 11 years
Most likely your firewall is blocking the incoming connection. Is your server on a private LAN? Do you have a firewall? Are you using NAT? What router do you have?
-
Scriptonaut over 11 years
What is a private LAN? Ya, I have a firewall (as far as I can tell). I don't know what NAT is, and my router is a trendnet TEW-632BRP.
-
Keith over 11 years
What's the IP address of your server? PS. you can remove the rather long config file, we don't need it.
-
Scriptonaut over 11 years
Why is my IP address necessary? (Sorry, I'm paranoid; I posted on here a few months ago and some guy got control of my machine and destroyed it.)
-
Keith over 11 years
Just to tell if it's private or not. Also, are you getting a dynamic IP from your ISP, or static?
-
Scriptonaut over 11 years
I'm really wary about putting my IP up here; how can I easily tell you? The first 3 sets of numbers are 67.161.81. The IP is static.
-
Keith over 11 years
-
sparticvs over 11 years
By local network are you referring to 127.0.0.1? If so, check your /etc/ssh/sshd.conf and make sure it's set up to listen on 0.0.0.0 instead of just on localhost. Also check to see if you have any iptables rules that might be restricting access: iptables --list
-
Scriptonaut over 11 years
I put my /etc/ssh/sshd.conf file up
-
Scriptonaut over 11 years
Alright, so I forwarded port 22, and put 192.168.10.110 as the address for the LAN server. This is the private IP address of the Samba machine. Now when I try to ssh remotely it times out, rather than saying connection refused, for some reason.
-
Scriptonaut over 11 years
Hey, so I just read that it's possible that my ISP (Comcast) blocks port 22. Would changing it to a different port be possible? How hard would it be to ssh on a different port (especially for programs like CVS and stuff)?
-
Bonsi Scott over 11 years
This may help, but I must say that I don't understand why Comcast blocks port 22.
-
CoOl over 11 years
Quite often Internet Service Providers block ports 80 and 8080, so that if computer-illiterate users run their routers out of the box without setting an admin password, they don't have hackers immediately hijacking their routers (although I don't understand why a router would process any connections to its WAN IP's port 80 at all; IMO, it makes sense to show the admin page on port 80 of the LAN IP only, and any access to port 80 of the WAN should be either forwarded or blocked). But I never heard of blocking port 22. My ISP blocks 80 and 8080, but doesn't touch 22.
-
CoOl over 11 years
Hm, I'm also not sure that the 192.168.10.110 LAN IP is ok. Because typically LANs nowadays have a /24 bit mask, which means that if your router's LAN IP is 192.168.1.1 you can access only 192.168.1.* machines, not 192.168.10.*. As for the time out: maybe you could run tcpdump on port 22 of your SAMBA server to check whether it receives the packets at all. If it does, probably sshd is misconfigured; else, problems with port forwarding. There are good examples in man tcpdump, just in case.
-
Scriptonaut over 11 years
I'm having a bit of trouble with tcpdump; how would I check? How do I find my router's LAN IP? My default gateway is 192.168.10.1. Another thing: I discovered that I can ssh into the server from outside of my network. If I'm somewhere else it works great. However, using the public IP from within the network doesn't work, but the private IP still allows me access.
-
CoOl over 11 years
Ah, it's fine that from within the LAN you can't access your server by WAN IP. It's a router-side problem: for some reason they won't forward requests from within the LAN back to the LAN and typically don't allow you to configure this (although, who knows about yours :)). It's a standard pain in the ass and I don't know how to overcome this accurately. I usually just write the LAN IP of my server in /etc/hosts on the other Linux machines in the network, so that they resolve "MYSERVER" as 192.168.1.2. With Windows machines - dunno.
-
CoOl over 11 years
You don't need them by now as everything seems to work fine for you, but here are TCPdump examples: danielmiessler.com/study/tcpdump
-
CoOl over 11 years
As for your Windows machines, the /etc/hosts analogue is c:\windows\system32\drivers\etc\hosts. Also, they should be able to identify your server by its NetBIOS name by now thanks to SAMBA (NetBIOS names are those Windows uses for network workgroups, like \\Computer1). Though I don't know if there is any Windows SSH client which can resolve a NetBIOS name into a LAN IP. So you're pretty much done now :)