Suggestion: add "IPQoS 0x00" to "/etc/ssh/sshd_config", Rpi3, WiFi SSH issue #294

Closed
Cyberman-tM opened this Issue Jan 17, 2017 · 12 comments

Cyberman-tM commented Jan 17, 2017

This probably only affects a few, but it's rather annoying. Details here:
https://www.raspberrypi.org/forums/viewtopic.php?f=28&t=138631&p=1085534&hilit=qos#p1085534

Short version: Some(?) Raspi 3 stop responding to SSH after the (correct!) password has been entered.
Attaching a keyboard works, so it's just SSH.

Adding the line
IPQoS 0x00
to the file
/etc/ssh/sshd_config
solves the issue.

I have no idea what IPQoS is, but I do know it solved the issue of not being able to log in remotely at once. (After restarting the ssh daemon or the raspi.)

[edit]Note: this concerns a fresh install of OctoPi!
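
Added example (not part of the original issue or of OctoPi's build scripts): a small shell helper that applies the fix described above idempotently. `set_ipqos` and `global_ipqos` are hypothetical names; the one assumption beyond the post is that the line has to stay above any `Match` block, because sshd applies directives that follow a `Match` line only to matching connections.

```sh
#!/bin/sh
# Added example; set_ipqos and global_ipqos are hypothetical helper names.

# set_ipqos FILE [VALUE]: make "IPQoS VALUE" the single global IPQoS directive.
set_ipqos() {
    cfg=$1
    value=${2:-0x00}
    tmp=$(mktemp) || return 1
    awk -v val="$value" '
        # A Match block runs to the next Match or end of file, so the
        # global setting has to be written before the first one.
        tolower($1) == "match" {
            if (!done) { print "IPQoS " val; done = 1 }
            in_match = 1
        }
        # Rewrite the first active global IPQoS line, drop later duplicates.
        !in_match && tolower($1) == "ipqos" {
            if (!done) { print "IPQoS " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print "IPQoS " val }
    ' "$cfg" > "$tmp" || { rm -f "$tmp"; return 1; }
    # Write back only on change; cat keeps the file's owner and mode.
    if ! cmp -s "$tmp" "$cfg"; then
        cat "$tmp" > "$cfg"
    fi
    rm -f "$tmp"
}

# global_ipqos FILE: print the global IPQoS value sshd would read, if any.
global_ipqos() {
    awk 'tolower($1) == "match" { exit }
         tolower($1) == "ipqos" { $1 = ""; sub(/^[ \t]+/, ""); print; exit }' "$1"
}

# Demo on a constructed config (not the file posted in this thread).
demo=$(mktemp)
printf '%s\n' 'Port 22' 'UsePAM yes' 'Match User pi' '    X11Forwarding no' > "$demo"
set_ipqos "$demo" 0x00
cat "$demo"     # IPQoS 0x00 appears above the Match line
rm -f "$demo"
```

On the real /etc/ssh/sshd_config, check the result with `sshd -t` and keep the current session open until a new login succeeds after restarting the ssh daemon.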

guysoft (Owner) commented Jan 18, 2017

Where exactly do you need to add this? Can you send your /etc/ssh/sshd_config?

Cyberman-tM commented Jan 19, 2017

I've added it near the bottom, above the last paragraph. Can't give you the details right now, I'm at work, sorry.
(I don't think it matters where it's put, but as I said I don't understand why it solves the issue either.)

Cyberman-tM commented Jan 20, 2017

Finally, here's the sshd_config file content, after image-writing, first boot, changed password, and me inserting the line:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server
IPQoS 0x00
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

guysoft (Owner) commented Jan 25, 2017

Added it to nightly build, would be appreciated if you could test if it helps

Cyberman-tM commented Feb 14, 2017

Sorry, I completely forgot about this :-(

If you still need me to test it, I can probably do that tomorrow - although right now I've got problems reaching the server with the nightlies?

guysoft (Owner) commented Feb 15, 2017

Fixed the server, try now

guysoft (Owner) commented Feb 15, 2017

Down again, will fix

guysoft (Owner) commented Feb 15, 2017

Fixed, sorry for the mess, local connection was a mess here

timmmmmey commented Feb 17, 2017

I can confirm the problem and the fix!

guysoft closed this in e3aa517 Feb 18, 2017

guysoft (Owner) commented Feb 18, 2017

@timmmmmey @Cyberman-tM I want to close this too, you didn't need to enable anything, right?
#286

Cyberman-tM commented Feb 18, 2017

Update: # IT WORKS!

I'm testing right now - sorry, forgot again - having problems connecting right now - getting "connection refused", but I'm not sure if the problem is the Raspi or my new modem...

I'll keep trying until I figure out what's happening, I'll write again today.

[edit]Octoprint is running and accessible, so connection is there. But Putty can't connect via SSH?
[edit2]This image: 2016-11-25-octopi-jessie-lite-0.14.0
[edit3]Slightly off-topic: apparently Raspi 3 doesn't support wifi channel 13

[final edit]
# IT WORKS!

Apparently SSH wasn't enabled. I've plugged in a keyboard, went to setup, enabled SSH, and was able to connect via putty from my computer to the raspi - log in worked flawlessly.

Many thanks, you can close this.

foosel added a commit to foosel/OctoPi that referenced this issue Mar 24, 2017

Prevent NTP updates from failing on RPi3 wifi
While I couldn't reproduce this issue on a current build, apparently
it doesn't necessarily have to happen always and the corresponding
ticket on the rpi bug tracker (raspberrypi/linux#1519) is still
open as well.

Hence this change. As documented at

  https://www.raspberrypi.org/forums/viewtopic.php?f=28&t=141454

and other locations, ntp updates on RPi3 (sometimes?) fail if the
built-in WiFi interface is used. This appears to be the same issue
or at least related to SSH not properly functioning as described
in #294 and also documented in raspberrypi/linux#1519.

A wrong system date of the underlying OS will cause issues with
SSL handshakes, which in turn will produce fatal errors when
attempting to install plugins (see foosel/OctoPrint#1827) or
probably also when updating either OctoPrint or the system itself.
Basically anything that does certificate validity checks will fall
on its face.

Having the Pi properly set its system date is hence crucial for
operation, so we need to make sure ntp can do its job.

This might also affect RPiZeroW - I haven't observed the issue
with a current build there though.

guysoft added a commit to guysoft/CustomPiOS that referenced this issue Mar 7, 2018
