1 SSH tunnel, 2 devices: 1 "just works," other gets challenged


 
# 1  
Old 12-09-2011

summary: I have 2 devices on the same LAN which tunnel through one gateway to a cluster, using ssh with public keys for password/passphrase-less login. I configured both devices, and those ssh configurations are nearly identical with regard to ssh. From either device I can shell into the cluster. However on one device I can shell in without getting a credential challenge (good), but on the other device I always get challenged (bad). How to debug the latter?

details: I'd appreciate help debugging the following:

I'm in a scientific workplace with (to a very first approximation) 1 LAN for users and lightweight servers, and 1 cluster where the science gets done. Users (like me) on the outer LAN can only connect to the cluster through a gateway/firewall server. Users get issued an XP PC; the servers (mostly) and clusters (exclusively) run RHEL.

The first thing I did to "my" windows box (call it W) was install cygwin, from which I then generated and distributed RSA keys, and set up an SSH tunnel from W through the gateway server (G) to the cluster (C), via

+ a bash script `w2g` on W which connects only W->G

+ a stanza in W:.ssh/config which connects W->G (via `ssh g` from W's commandline)

+ a bash script `g2c` in my homespace on G which connects only G->C

+ a stanza in G:.ssh/config which connects G->C (via `ssh c` from G's commandline)

+ a bash script `w2c` on W (which tunnels W->G->C)

+ a stanza in W:.ssh/config (which tunnels W->G->C, via `ssh c` from W's commandline)

Those all work correctly on W, i.e., without password/passphrase challenge (except when I try to tunnel W->C without first setting up the W->G connection--will post a separate question about that).

But W is still a windows box, so I was thrilled to discover that I could finally start using my personal debian laptop (call it L) on the user LAN. I have configured SSH on L many times for many networks, and quickly got L ssh'ing on the user LAN, using nearly the same procedure as I used with cygwin on W (note both run OpenSSH). So I am a bit chagrined to observe that, while these run password/passphrase-less on L

+ bash script `l2g` on L connecting L->G

+ stanza in L:.ssh/config connecting L->G (via `ssh g` from L's commandline)

and these of course still work without challenge on G once I have ssh'ed in from L

+ bash script `g2c` on G connecting G->C

+ stanza in G:.ssh/config connecting G->C (via `ssh c` from G's commandline)

the following get password-challenged, every time, whether or not I have an already-open L->G SSH session:

- bash script `l2c` on L (tunneling L->G->C)

- stanza in L:.ssh/config (tunneling L->G->C, via `ssh c` from L's commandline)

Note also that

* the contents of file=`l2c` are identical to the contents of file=`w2c`

* the contents of file=W:.ssh/config are identical to the contents of file=L:.ssh/config

particularly, both are forwarding through port#=10230 (dunno how I chose that).

To hopefully clarify the problem, compare how W succeeds with how L fails:

A session on W is like this: with 2 shells open, I can do

1 `ssh g` in one shell: this goes directly to the splash screen and prompt for the gateway, no credential challenge.

2 `w2g` in another shell: this gets the gateway splash screen, then

> bind: Address already in use
> channel_setup_fwd_listener: cannot listen to port: 10230
> Could not request local forwarding.

then I get the prompt for the cluster, no credential challenge. By contrast, on L, with 2 shells open, I can do

1 `ssh g` in one shell: this goes directly to the splash screen and prompt for the gateway, no credential challenge.

2 `l2g` in another shell: this gets the gateway splash screen, then

> bind: Address already in use
> channel_setup_fwd_listener: cannot listen to port: 10230
> bind: Address already in use
> channel_setup_fwd_listener: cannot listen to port: 10230
> Could not request local forwarding.
> me@localhost's password:

i.e., a credential challenge.

What am I doing wrong? or for what should I check?
# 2  
Old 12-09-2011
This post is virtually beyond the power of human comprehension. Those cleverer than I may disagree.

"bind: Address already in use". At a fundamental TCP/IP comms level, check for duplicate IP addresses-port combinations - starting with duplicate IP address.

Completely lost the plot on how many physical computers you have and what O/S is running on each computer when it's not cygwin.

For the benefit of me and others reading this post, what is a "stanza" ?

Big question. Is there any physical distance involved? Like is this an international network with routers controlled by a Service Provider or some sort of local LAN test rig where you have control over every component in the network?

Is this a University or College LAN? If so, we will walk away as it might be a crack attempt.

Last edited by methyl; 12-09-2011 at 08:05 PM..
# 3  
Old 12-09-2011
You possibly need to look into that bind error or what your scripts are doing related to bind/dns/tcp?

Also, make yourself a little diagram with IP addresses, and IP ports: you can only use an IP port 'once' (I'm keeping things simple...). Maybe you've been using copy/paste a bit too quickly

It is also possible that you are ignoring an existing SSH daemon running on the 10230 port, or maybe setting up one too many?

And learn how to control your SSH ports: I suspect you will need that control in order to solve your little Rubik's cube :-)

---------- Post updated at 01:35 AM ---------- Previous update was at 01:32 AM ----------

Quote:
Originally Posted by methyl
> Is this a University or College LAN? If so, we will walk away as it might be a crack attempt.

Good point, I left out a crucial point
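
Added example, not part of any post in this thread: one way to run the check suggested in post #3, by finding out which process already holds the forwarding port when ssh reports "bind: Address already in use". The function names and the `ss -ltnp` sample are constructed for illustration; only port 10230 comes from the thread.

```shell
#!/usr/bin/env bash
# Added example: classify the owner of a local forwarding port.
# Input is `ss -ltnp` text on stdin. The sample below is constructed,
# not captured from the machines in the thread.

sample_ss() {
cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      128    127.0.0.1:10230    0.0.0.0:*         users:(("sshd",pid=2291,fd=3))
LISTEN 0      128    127.0.0.1:10231    0.0.0.0:*         users:(("ssh",pid=4410,fd=5))
EOF
}

# Print the name of the process listening on TCP port $1 (empty if none).
port_owner() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      n = split($4, a, ":")            # last ":" field is the port (IPv4 or IPv6)
      if (a[n] == port && match($0, /\(\("[^"]+"/)) {
        print substr($0, RSTART + 3, RLENGTH - 4)   # strip (("  and closing "
        exit
      }
    }'
}

# Interpret the owner:
#   free             -> nothing listening; a new -L forward can bind
#   existing-forward -> an ssh client already holds the port, so a second
#                       -L fails to bind but connections still use the
#                       first tunnel
#   other-listener:X -> a different process answers on the port, so
#                       "ssh -p PORT localhost" talks to X, not the tunnel
classify_port() {
  owner=$(port_owner "$1")
  case "$owner" in
    "")  echo "free" ;;
    ssh) echo "existing-forward" ;;
    *)   echo "other-listener:$owner" ;;
  esac
}

# Run against the constructed sample when executed directly:
sample_ss | classify_port 10230
```

On a live machine, feed it real data with `ss -ltnp | classify_port 10230`. Starting the tunnel with `ssh -o ExitOnForwardFailure=yes` makes the client abort when the forward cannot bind, instead of carrying on with whatever is already listening on the port.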
 