
fwbuilder installer ssh

2009-11-20
2014-01-15
  • Henry Gunter
    2009-11-20

    I have fwbuilder 3.0.7 running on Debian lenny. The firewall server is also Debian lenny. I can ssh into the server fine. When I try to use the installer to install the script, it connects, then disconnects and fails:
    lost connection
    SSH session terminated, exit status: 1

     
  • Vadim Kurland
    2009-11-20

    Does it print more than just that? There is not enough context in this report.

    You can also try to run the installer with the "verbose" checkbox turned on; it will add ssh debug output, which may help.

     
  • Henry Gunter
    2009-11-20

    Summary:
    * firewall name : hgnfleet
    * user name : root
    * management address : 192.168.2.1
    * platform : iptables
    * host OS : linux24
    * Loading configuration from file /home/henryg/fwbuilder/hgnfleet.fwb

    Copying /home/henryg/fwbuilder/hgnfleet.fw -> 192.168.2.1:/etc/fwbuilder//
    Running command '/usr/bin/fwbuilder -Y -q /home/henryg/fwbuilder/hgnfleet.fw root@192.168.2.1:/etc/fwbuilder//'
    lost connection
    SSH session terminated, exit status: 1

     
  • Vadim Kurland
    2009-11-20

    Can you connect to the firewall with ssh using the command

    ssh root@192.168.2.1

    Does the directory /etc/fwbuilder exist on the firewall?

     
  • Henry Gunter
    2009-11-20

    Yes, I can scp the file into the directory and then ssh into the server and execute it.

     
  • Vadim Kurland
    2009-11-20

    Try the "verbose" option.

     
  • Henry Gunter
    2009-11-21

    Let me summarize: ssh/scp is working on the workstation "192.168.2.10". I can ssh/scp to the LAN interface on the firewall "192.168.2.1" with no problem. The firewall is being copied to "drwxr-xr-x  2 root root     4096 2008-04-03 09:25 fwbuilder". I can manually scp the firewall script "hgnfleet", then ssh into the firewall and activate it with no problem.

    This is the output with the verbose option checked. There is very little!

    FIREWALL PROGRESS

    hgnfleet failure

    PROCESS LOG

    Summary:
    * firewall name : hgnfleet
    * user name : root
    * management address : 192.168.2.1
    * platform : iptables
    * host OS : linux24
    * Loading configuration from file /home/henryg/fwbuilder/hgnfleet.fwb

    Copying /home/henryg/fwbuilder/hgnfleet.fw -> 192.168.2.1:/etc/fwbuilder//
    Running command '/usr/bin/fwbuilder -Y -q /home/henryg/fwbuilder/hgnfleet.fw root@192.168.2.1:/etc/fwbuilder//'
    lost connection
    SSH session terminated, exit status: 1

     
  • Henry Gunter
    2009-11-21

    More info:

    I have looked at the auth log on the firewall; there is no failed attempt to connect from the workstation. I have also removed and reinstalled fwbuilder on the workstation. Still the same results: the installer fails to connect to the firewall.

     
  • Vadim Kurland
    2009-11-21

    This is strange: the command that was executed when you say you checked the "verbose" checkbox did not have the "-v" flag that should be there in this case. Are you sure you checked the "verbose" checkbox when you tried?

    Check what you have in the "SSH" tab in the Preferences dialog in the GUI (you can open it using the main menu Edit/Preferences). You do not need to put anything in the dialog fields "ssh" and "scp" there.

     
  • Henry Gunter
    2009-11-21

    SSH tab settings:

    /usr/bin/ssh

    /usr/bin/scp

    I am certain that the verbose setting is checked. It states that it will print all commands as they are executed on the firewall. There are no commands executed on the firewall; there is no connection to the firewall that I can tell.

     
  • Vadim Kurland
    2009-11-21

    Does it actually copy the file to the firewall? Try to delete or rename the file in /etc/fwbuilder and then repeat the install. Do you get the file in that directory on the firewall after this?

     
  • Henry Gunter
    2009-11-22

    I have already tried that. It does not copy the file.

     
  • Vadim Kurland
    2009-11-22

    Could it be that you have two versions of ssh on your workstation or on the firewall, installed in different directories?

    I know you can copy the file with scp when you try this manually. Try the command "which scp" to see if you use the /usr/bin/scp that is configured in the SSH tab of the fwbuilder Preferences.

    Also try to remove anything from the lines scp and ssh in that tab in Preferences. You can leave these input fields empty on Linux; the program will find the scp and ssh clients using the PATH environment variable.

     
  • Henry Gunter
    2009-11-22

    Running "which scp" returns /usr/bin/scp.

    There is only one ssh package installed on the workstation. It is managed exclusively with Debian apt; no packages were compiled manually.

     
  • Henry Gunter
    2009-11-22

    fwbuilder will not allow the SSH tab fields to be left blank; it complains that the installer needs ssh, please configure.

     
  • Vadim Kurland
    2009-11-22

    Try to execute the command it runs manually, like this:

    /usr/bin/fwbuilder -Y -v /home/henryg/fwbuilder/hgnfleet.fw root@192.168.2.1:/etc/fwbuilder//

    I added the flag "-v" to produce verbose output. What happens if you do this? What does the output look like?

     
  • Henry Gunter
    2009-11-22

    fwbuilder will not allow the SSH tab fields to be left blank; it complains that the installer needs ssh, please configure.

     
  • Henry Gunter
    2009-11-23

    fwbuilder will not allow the SSH tab fields to be left blank; it complains that the installer needs ssh, please configure.

     
  • Vadim Kurland
    2009-11-23

    You repeat the same post for the third time. Please try to run the command I suggested and post the output. Thank you.

     
  • Henry Gunter
    2009-11-24

    Sorry for the duplicate post, not sure what caused that. I only refreshed the screen.
    Anyway, running the command that you suggested worked; it copied the file.

    thor:~$ /usr/bin/fwbuilder -Y -v /home/henryg/fwbuilder/hgnfleet.fw root@192.168.2.1:/etc/fwbuilder//
    Executing: program /usr/bin/ssh host 192.168.2.1, user root, command scp -v -t /etc/fwbuilder//
    OpenSSH_5.1p1 Debian-5, OpenSSL 0.9.8g 19 Oct 2007
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 192.168.2.1  port 22.
    debug1: Connection established.
    debug1: identity file /home/henryg/.ssh/identity type -1
    debug1: identity file /home/henryg/.ssh/id_rsa type -1
    debug1: identity file /home/henryg/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
    debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-cbc hmac-md5 none
    debug1: kex: client->server aes128-cbc hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host '192.168.2.1' is known and matches the RSA host key.
    debug1: Found key in /home/henryg/.ssh/known_hosts:1
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,password
    debug1: Next authentication method: publickey
    debug1: Trying private key: /home/henryg/.ssh/identity
    debug1: Trying private key: /home/henryg/.ssh/id_rsa
    debug1: Trying private key: /home/henryg/.ssh/id_dsa
    debug1: Next authentication method: password
    root@192.168.2.1's password: XXXXXX

    debug1: Authentication succeeded (password).
    debug1: channel 0: new
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    debug1: Sending command: scp -v -t /etc/fwbuilder//
    Sending file modes: C0755 216623 hgnfleet.fw
    Sink: C0755 216623 hgnfleet.fw
    hgnfleet.fw                                   100%  212KB 211.6KB/s   00:00   
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 0 clearing O_NONBLOCK
    debug1: fd 1 clearing O_NONBLOCK
    Transferred: sent 218544, received 2136 bytes, in 0.1 seconds
    Bytes per second: sent 2961137.8, received 28941.5
    debug1: Exit status 0
    thor:~$

    So why does the installer fail?

     
  • Henry Gunter
    2009-11-24

    I removed fwbuilder from the workstation again (see earlier post), reinstalled it again, and all is working now, not sure why. But glad that it is.

    Thanks so much for all your help. Fwbuilder is a great product and I have been using it for several years; this is the first time that I have had any trouble.

    Keep up the great work!

    Thanks again

    henryg

     
  • Yuggie
    2009-12-08

    Hello,

    I have the same problem too.

    I installed the fwbuilder application on the firewall server (Fedora 11), so there should be no issue with ssh compatibility. I can compile the updated policy successfully, because I saw that the time of the firewall script file matched the compile time. However, when I installed it in the GUI, it showed me the error below.

    +++++++++++++++++++++++++++++++++
    Summary:
    * firewall name : myfw
    * user name : root
    * management address : 192.168.69.1
    * platform : iptables
    * host OS : linux24
    * Loading configuration from file /etc/fwbuilder/myfirewall.fwb

    Copying /etc/fwbuilder/myfw.fw -> 192.168.69.1:/etc/fwbuilder
    Running command '/usr/bin/fwbuilder -Y -q /etc/fwbuilder/myfw.fw root@192.168.69.1:/etc/fwbuilder'
    lost connection
    SSH session terminated, exit status: 1
    +++++++++++++++++++++++++++++++++

    However, I can run the script "/etc/fwbuilder/myfw.fw" and apply the change. I just can't do it in the fwbuilder GUI.

    I followed the instructions above and ran the command below. But it could not apply the changes I made to iptables.

            ]#/usr/bin/fwbuilder -Y -q -v /etc/fwbuilder/Torusfw.fw root@192.168.69.1:/etc/fwbuilder//

    I used the -v switch and received the log below.

    I checked the permissions on the folder /etc/fwbuilder, which are 775.

    Could the logon be the reason? I log on to the Fedora GUI with my user name, "yuggie", but the installer uses root to install the script. Will this confuse the server? When I ran the above command, I was logged on as root via ssh, so there should have been only one user involved, which is "root".

    Any idea?

    Yuggie

    ++++++++++++++++++++++++++++++++++++++++++
    # /usr/bin/fwbuilder -Y -q -v /etc/fwbuilder/myfw.fw root@192.168.69.1:/etc/fwbuilder//
    Executing: program /usr/bin/ssh host 192.168.69.1, user root, command scp -v -t /etc/fwbuilder//
    OpenSSH_5.2p1, OpenSSL 0.9.8k-fips 25 Mar 2009
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: Connecting to 192.168.69.1  port 22.
    debug1: Connection established.
    debug1: permanently_set_uid: 0/0
    debug1: identity file /root/.ssh/identity type -1
    debug1: identity file /root/.ssh/id_rsa type -1
    debug1: identity file /root/.ssh/id_dsa type -1
    debug1: Remote protocol version 2.0, remote software version OpenSSH_5.2
    debug1: match: OpenSSH_5.2 pat OpenSSH*
    debug1: Enabling compatibility mode for protocol 2.0
    debug1: Local version string SSH-2.0-OpenSSH_5.2
    debug1: SSH2_MSG_KEXINIT sent
    debug1: SSH2_MSG_KEXINIT received
    debug1: kex: server->client aes128-ctr hmac-md5 none
    debug1: kex: client->server aes128-ctr hmac-md5 none
    debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
    debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
    debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
    debug1: Host '192.168.69.1' is known and matches the RSA host key.
    debug1: Found key in /root/.ssh/known_hosts:2
    debug1: ssh_rsa_verify: signature correct
    debug1: SSH2_MSG_NEWKEYS sent
    debug1: expecting SSH2_MSG_NEWKEYS
    debug1: SSH2_MSG_NEWKEYS received
    debug1: SSH2_MSG_SERVICE_REQUEST sent
    debug1: SSH2_MSG_SERVICE_ACCEPT received
    debug1: Authentications that can continue: publickey,gssapi-with-mic,password
    debug1: Next authentication method: gssapi-with-mic
    debug1: Unspecified GSS failure.  Minor code may provide more information
    Ticket expired

    debug1: Unspecified GSS failure.  Minor code may provide more information
    Ticket expired

    debug1: Unspecified GSS failure.  Minor code may provide more information

    debug1: Next authentication method: publickey
    debug1: Trying private key: /root/.ssh/identity
    debug1: Trying private key: /root/.ssh/id_rsa
    debug1: Trying private key: /root/.ssh/id_dsa
    debug1: Next authentication method: password
    root@192.168.69.1's password: mypassword

    debug1: Authentication succeeded (password).
    debug1: channel 0: new
    debug1: Requesting no-more-sessions@openssh.com
    debug1: Entering interactive session.
    debug1: Sending environment.
    debug1: Sending env LANG = en_US.UTF-8
    debug1: Sending command: scp -v -t /etc/fwbuilder//
    Sending file modes: C0755 24525 myfw.fw
    Sink: C0755 24525 myfw.fw
    debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
    debug1: channel 0: free: client-session, nchannels 1
    debug1: fd 0 clearing O_NONBLOCK
    debug1: fd 1 clearing O_NONBLOCK
    Transferred: sent 26048, received 2088 bytes, in 0.1 seconds
    Bytes per second: sent 516680.8, received 41417.0
    debug1: Exit status 0
    ++++++++++++++++++++++++++++++++++++++++++

     
  • Vadim Kurland
    2009-12-08

    The command "/usr/bin/fwbuilder -Y" only copies the script to the firewall; it does not activate it there. It seems this command worked, though.

    Since you run the GUI as user yuggie, please try the "fwbuilder -Y" command while logged in as that user too. It looks like you tried it while logged in as root.

     
  • Yuggie
    2009-12-09

    I logged on to the GUI with the account yuggie and ran the command below in a terminal as yuggie instead of root. I received the "Connection Lost" error immediately.

    /usr/bin/fwbuilder -Y -q -v /etc/fwbuilder/myfw.fw root@192.168.69.1:/etc/fwbuilder//

    However, if I ran the same command over SSH (logged on as root) from my Windows box, I received the debug messages I posted yesterday, which ended with "Exit status 0".

    I still couldn't install the fwbuilder script in the fwbuilder GUI.

    These are the permissions in /etc/fwbuilder. yuggie is a member of admin.

    -rw-rw-r-. 1 root   admin  214457 2009-12-08 17:39 myfirewall.fwb
    -rwxr-xr-x. 1 yuggie yuggie  24525 2009-12-09 11:33 myfw.fw
    -rwxrwxr-x. 1 root   admin   24525 2009-12-08 14:43 myfw.fw.old

    Any idea?

    Yuggie

     
  • Vadim Kurland
    2009-12-09

    OK, so when you log in as yuggie to the Linux machine where you run the fwbuilder GUI and run the "fwbuilder -Y" command, you get the "Connection lost" error and it does not work. This is the problem we need to focus on.

    Log in as yuggie to the Linux machine where you run the GUI, start it and look in the Preferences dialog, tab "SSH". What do you have configured there for the ssh and scp path? These should be the real paths to the ssh and scp programs on the machine where you run the GUI.

    Then run the following commands and copy the output here:

    /usr/bin/fwbuilder -Y -d -v /etc/fwbuilder/myfw.fw root@192.168.69.1:/etc/fwbuilder/

    ssh -v root@192.168.69.1 "uname -a"

    By the way, is the address 192.168.69.1 correct? This should be the address of your firewall machine.

     
  • Yuggie
    2009-12-10

    The SSH settings in Preferences are set to the full paths, which are /usr/bin/ssh and /usr/bin/scp.

    I found out the problem.

    Following your instructions, I ran ssh -v root@192.168.69.1 "uname -a". It showed me the signature/fingerprint error.

    Before I put this server into production, I accessed 192.168.69.1 (the old firewall server) from this box, whose IP was 192.168.69.100. This left a fingerprint of 192.168.69.1 on this new server. When I changed the new server's IP to 192.168.69.1 and disconnected the old server, the fingerprint of 192.168.69.1 still pointed to the old server. This confused the server, because 192.168.69.1 should be itself rather than the old server. It blocked the ssh session which writes the script into the kernel.

    After I regenerated the fingerprint for 192.168.69.1, it works now!

    Thanks very much for your guide!
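The root cause above is a stale known_hosts entry: the address 192.168.69.1 was reused for a new machine, so the cached host key no longer matched, and the installer only surfaced this as "lost connection". The following script is an added example, not code from fwbuilder or from anyone in this thread; it compares the host keys a client has cached against the keys the hosts present now and classifies each address as MATCH, MISMATCH or UNKNOWN. The known_hosts content, the live keys and the key blobs are constructed sample data; in real use they come from ~/.ssh/known_hosts of the user running the GUI and from ssh-keyscan.

```shell
#!/bin/sh
# Added example; not code from fwbuilder or from this thread.
# Compares the host key a client has cached for a firewall address against
# the key that address presents now. In the thread, 192.168.69.1 was moved
# to a new machine, so the cached key no longer matched; the installer only
# said "lost connection", while "ssh -v" showed the real cause.
#
# In real use, KNOWN_HOSTS is the content of ~/.ssh/known_hosts of the user
# who runs the fwbuilder GUI and LIVE_KEYS is the output of
#   ssh-keyscan -t rsa 192.168.69.1
# Both values below are CONSTRUCTED sample data with made-up key blobs.

KNOWN_HOSTS='192.168.69.1 ssh-rsa AAAAB3NzaC1yc2EOLDFIREWALLKEY
192.168.69.100,thor ssh-rsa AAAAB3NzaC1yc2EWORKSTATIONKEY
# comment lines and blank lines are ignored

|1|c2FsdA==|aGFzaA== ssh-rsa AAAAB3NzaC1yc2EHASHEDHOSTKEY'

# What ssh-keyscan would return today (constructed): the new firewall at
# 192.168.69.1 has a different key than the retired one, the workstation
# key is unchanged, and 192.168.2.1 was never seen before.
LIVE_KEYS='192.168.69.1 ssh-rsa AAAAB3NzaC1yc2ENEWFIREWALLKEY
192.168.69.100 ssh-rsa AAAAB3NzaC1yc2EWORKSTATIONKEY
192.168.2.1 ssh-rsa AAAAB3NzaC1yc2EOTHERFIREWALLKEY'

# classify_host_key HOST KNOWN_HOSTS_TEXT LIVE_KEYS_TEXT
# Prints MATCH, MISMATCH or UNKNOWN (no cached entry for the key types the
# host offers). Hashed entries (HashKnownHosts yes) cannot be matched by
# name here; check those with "ssh-keygen -F HOST". Non-default ports
# ([host]:port entries) are not handled.
classify_host_key() {
  {
    printf '%s\n' "$2" | sed 's/^/K /'   # cached entries, tagged K
    printf '%s\n' "$3" | sed 's/^/L /'   # live keys, tagged L
  } | awk -v h="$1" '
    NF < 4 { next }                                   # blank or truncated
    $1 == "K" && $2 ~ /^[#@]/ { next }                # comment, @cert-authority, @revoked
    $1 == "K" && substr($2, 1, 3) == "|1|" { next }   # hashed entry
    $1 == "K" { n = split($2, names, ",")
                for (i = 1; i <= n; i++) if (names[i] == h) stored[$3] = $4 }
    $1 == "L" && $2 == h { live[$3] = $4 }
    END {
      v = "UNKNOWN"
      for (t in live) if (t in stored)
        v = (stored[t] == live[t]) ? (v == "MISMATCH" ? v : "MATCH") : "MISMATCH"
      print v
    }'
}

for fw in 192.168.69.1 192.168.69.100 192.168.2.1; do
  printf '%-15s %s\n' "$fw" "$(classify_host_key "$fw" "$KNOWN_HOSTS" "$LIVE_KEYS")"
done
```

A MISMATCH is also exactly what a man-in-the-middle would produce, so confirm the new key's fingerprint out of band (for example with ssh-keygen -lf /etc/ssh/ssh_host_rsa_key.pub on the firewall console) before replacing the cached entry with ssh-keygen -R 192.168.69.1 and reconnecting.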

     
  • Juan
    2014-01-15

    Hi,

    I had the same problem with version fwbuilder 5.1.3599. I've been reading these posts and trying that, but unfortunately I've not been successful.

    If someone has a new solution, please tell me.


    Installation plan:
    Copy file: /root/firewall/firewall.fw --> /etc/firewall.fw
    Run script echo '------'; chmod +x /etc/firewall.fw; sudo -S /etc/firewall.fw && echo 'Policy activated'

    lost connection
    SSH session terminated, exit status: 1
    Firewall policy installation failed


    Thanks.