Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

#1
11-02-2010, 09:57 AM
Active Member
Posts: 31
SSH error when changing default port

Hello,

I have changed the config of sshd of my zimbra server, to disallow root login, and use a private/public key.

Now my stats don't work anymore, and in the log I get SSH errors.

Here is what I've done:

- Changing the default management port from 22 to my new port (722)
- Generating new key with zmsshkeygen
- Copied my public key xxxx.pkk to /root/.ssh/id_rsa and /opt/zimbra/.ssh/id_rsa


Here is what I get from PuTTY when trying to run:

ssh -vi .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@srv.domain.com -p 722

Code:
root@srv:~/.ssh# ssh -vi .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@srv.domain.com -p 722
OpenSSH_5.3p1 Debian-3ubuntu4, OpenSSL 0.9.8k 25 Mar 2009
Warning: Identity file .ssh/zimbra_identity not accessible: No such file or directory.
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to srv.domain.com [192.168.x.x] port 722.
debug1: Connection established.
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/identity type -1
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3p1 Debian-3ubuntu4
debug1: match: OpenSSH_5.3p1 Debian-3ubuntu4 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu4
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Host '[srv.domain.com]:722' is known and matches the RSA host key.
debug1: Found key in /root/.ssh/known_hosts:1
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey
debug1: Next authentication method: publickey
debug1: Trying private key: /root/.ssh/identity
debug1: Trying private key: /root/.ssh/id_rsa
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/root/.ssh/id_rsa':
debug1: PEM_read_PrivateKey failed
debug1: read PEM private key done: type <unknown>
Enter passphrase for key '/root/.ssh/id_rsa':
So, I'm prompted for the passphrase, but entering it doesn't do anything.

And the mailbox.log:

Code:
com.zimbra.common.service.ServiceException: system failure: exception during auth {RemoteManager: srv.domain.com->zimbra@srv.domain.com:722}
ExceptionId:btpool0-9://192.168.100.210:7071/service/admin/soap/BatchRequest:1288706318328:9bd98ac034af0950
Code:service.FAILURE
        at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:248)
        at com.zimbra.cs.rmgmt.RemoteManager.getSession(RemoteManager.java:193)
        at com.zimbra.cs.rmgmt.RemoteManager.execute(RemoteManager.java:127)
        at com.zimbra.cs.service.admin.GetServerNIFs.handle(GetServerNIFs.java:65)
        at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:420)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:264)
        at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:158)
        at com.zimbra.soap.SoapServlet.doWork(SoapServlet.java:291)
        at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:212)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
        at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:181)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
        at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:511)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1166)
        at com.zimbra.cs.servlet.SetHeaderFilter.doFilter(SetHeaderFilter.java:79)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
        at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
        at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
        at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1157)
        at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:388)
        at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
        at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:182)
        at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:765)
        at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:418)
        at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:230)
        at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.handler.rewrite.RewriteHandler.handle(RewriteHandler.java:230)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.handler.DebugHandler.handle(DebugHandler.java:77)
        at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:152)
        at org.mortbay.jetty.Server.handle(Server.java:326)
        at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:543)
        at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:939)
        at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:755)
        at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:218)
        at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:405)
        at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:413)
        at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:451)
Caused by: java.io.IOException: auth failed
        at com.zimbra.cs.rmgmt.RemoteManager.getSession(RemoteManager.java:186)
        ... 37 more
Thanks for any help...
#2
11-02-2010, 10:43 AM
Partner (VAR/HSP)
Posts: 425

Have you changed the Zimbra ssh port as well?
#3
11-02-2010, 12:44 PM
Active Member
Posts: 31

Yes, as you can see in my mailbox.log, Zimbra is trying to connect to port 722.

I just changed it by running a command that changes the default maintenance port (I don't remember the command and I'm not near my server right now).

But I assume it's working, or do I have to change it elsewhere?
#4
11-03-2010, 01:50 AM
Active Member
Posts: 31

Any help?

The command I ran to change the default port was:

zmprov ms server.domain.com zimbraRemoteManagementPort 722

Btw, I tried logging in over SSH using PuTTY and the zimbra account, and after prompting me for the passphrase, it works.
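The ssh -v transcript in the first post shows two separate problems: the -i path is relative and does not resolve from the directory the command was run in ("not accessible: No such file or directory"), and the file in the /root/.ssh/id_rsa slot, which the poster says received a public key, cannot be parsed as a private key ("PEM_read_PrivateKey failed"), after which OpenSSH falls back to a passphrase prompt that Zimbra's RemoteManager, having no terminal, can never answer. This is an added example, not code from the thread or from Zimbra: it classifies an identity file before it is handed to ssh -i and, when a host is given, performs the same non-interactive login in BatchMode so that a prompt becomes a hard failure instead of a hang. The ZIMBRA_HOST/ZIMBRA_KEY/ZIMBRA_PORT variables and the default key path /opt/zimbra/.ssh/zimbra_identity are assumptions.

```shell
# Added example (not from the thread or from Zimbra): classify the file handed to
# "ssh -i" and optionally run the same non-interactive login RemoteManager needs.

# Print one word for $1: missing, private-key, putty-key, public-key or unknown.
# Always returns 0 so it is safe inside $(...).
classify_identity_file() {
    if [ ! -r "$1" ]; then
        echo missing
        return 0
    fi
    cif_first=$(head -n 1 "$1")
    case "$cif_first" in
        *"PRIVATE KEY"*)      echo private-key ;;  # PEM or OpenSSH private key header
        PuTTY-User-Key-File*) echo putty-key ;;    # PuTTYgen .ppk: OpenSSH cannot read it
        ssh-rsa*|ssh-dss*|ecdsa-*|ssh-ed25519*)
                              echo public-key ;;   # authorized_keys material, not a private key
        *)                    echo unknown ;;
    esac
    return 0
}

# The login RemoteManager performs (key file, moved port, user zimbra). BatchMode=yes turns
# any passphrase/password prompt into an immediate failure; StrictHostKeyChecking=no mirrors the thread.
remote_management_login_check() {
    ssh -i "$3" -p "$2" -o BatchMode=yes -o StrictHostKeyChecking=no \
        -o ConnectTimeout=10 "zimbra@$1" true
}

# Constructed sample files so the classifier can be exercised offline.
demo_dir=$(mktemp -d)
printf 'ssh-rsa AAAAB3NzaC1yc2E constructed-public-key\n' > "$demo_dir/id_rsa"
printf 'PuTTY-User-Key-File-2: ssh-rsa\nEncryption: none\n' > "$demo_dir/zimbra.ppk"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'constructed placeholder, not a key' \
    '-----END RSA PRIVATE KEY-----' > "$demo_dir/zimbra_identity"
for f in id_rsa zimbra.ppk zimbra_identity; do
    echo "$f: $(classify_identity_file "$demo_dir/$f")"
done

# Live check only when ZIMBRA_HOST is set; ZIMBRA_KEY/ZIMBRA_PORT and the default
# key path /opt/zimbra/.ssh/zimbra_identity are assumptions.
if [ -n "${ZIMBRA_HOST:-}" ]; then
    key=${ZIMBRA_KEY:-/opt/zimbra/.ssh/zimbra_identity}
    echo "$key: $(classify_identity_file "$key")"
    if remote_management_login_check "$ZIMBRA_HOST" "${ZIMBRA_PORT:-722}" "$key"; then
        echo "batch login OK"
    else
        echo "batch login FAILED: passphrase prompt, wrong key, or port/firewall problem"
    fi
fi
```

A key that works interactively in PuTTY but fails here is still unusable for Zimbra's stats collection, because the prompt itself is the failure.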
#5
11-04-2010, 05:43 AM
Active Member
Posts: 31

Please, I really need help!
#6
11-04-2010, 09:27 AM
Moderator
Posts: 927

I know that the Zimbra modules use SSH to talk to each other in various places, and generally I'd lean towards not playing with it. Can I ask what you are trying to achieve, as there may be a simpler way?
#7
11-04-2010, 10:24 AM
Active Member
Posts: 31

I just want to secure SSH, as my mail server will be exposed to the internet.

Btw, it seems that now it's working, but I don't really know what I did to achieve this...

The command ssh -vi .ssh/zimbra_identity -o strictHostKeyChecking=no zimbra@srv.domain.com -p 722

still doesn't work, but I'm not getting errors anymore, neither in the Zimbra Admin WebGUI nor in the Zimbra logs, so I assume it's working well...

I'll try to reproduce my steps and post them here.
#8
11-04-2010, 10:28 AM
Moderator
Posts: 927

Glad that you have it working; while you will see fewer SSH attempts by moving the port, you won't see them go away entirely.
If a perimeter firewall is not available in your case, I'd use iptables on the Zimbra server to drop all traffic that's not essential (so allow only ports 25 and 443, more if you need it) and then administer the box from the local network or a VPN.
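The iptables approach the moderator describes, as an added example that is not from the thread or from Zimbra: a default-deny INPUT chain that leaves only SMTP and HTTPS public and restricts the moved SSH port and the admin console (port 7071, seen in the mailbox.log excerpt) to a management network reached over the LAN or a VPN. The loopback rule matters here because the SSH logins Zimbra's own components make to the server (the RemoteManager session in the first post) arrive on lo. The management network, the choice to expose 7071 only there, and the iptables-restore format are assumptions about the deployment.

```shell
# Emit an iptables-restore ruleset for a Zimbra host with no perimeter firewall:
# default DROP on INPUT, public access only to SMTP (25) and HTTPS (443), and the
# relocated SSH port plus the admin console reachable only from a management
# network. $1 = management network, $2 = SSH port; the defaults are constructed
# to match the thread (192.168.100.x addresses, port 722).
gen_firewall_rules() {
    mgmt_net=${1:-192.168.100.0/24}
    ssh_port=${2:-722}
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# loopback: Zimbra's components talk to each other on localhost, and mailboxd's
# RemoteManager SSH session to zimbra@<this host>:${ssh_port} also arrives here
-A INPUT -i lo -j ACCEPT
# replies to connections this host opened (DNS, outbound mail, updates)
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# public services: inbound mail and the HTTPS web client
-A INPUT -p tcp --dport 25 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
# administration only from the management network: moved SSH port and admin console
-A INPUT -p tcp --dport ${ssh_port} -s ${mgmt_net} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p tcp --dport 7071 -s ${mgmt_net} -m conntrack --ctstate NEW -j ACCEPT
# keep ping for monitoring; log what is dropped, rate-limited so the log stays readable
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
COMMIT
EOF
}

# Review the output first, then load it with:
#   gen_firewall_rules 10.8.0.0/24 722 | iptables-restore
# and persist it with your distribution's iptables-save mechanism.
gen_firewall_rules "${1:-}" "${2:-}"
```

Load the ruleset from a console or from an address inside the management network, since the default policy drops everything else, including the session you are typing in.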