
Suggestion: add "IPQoS 0x00" to "/etc/ssh/sshd_config", Rpi3, WiFi SSH issue #294

Closed
Cyberman-tM opened this issue Jan 17, 2017 · 17 comments

Comments

@Cyberman-tM

Cyberman-tM commented Jan 17, 2017

This probably only affects a few, but it's rather annoying. Details here:
https://www.raspberrypi.org/forums/viewtopic.php?f=28&t=138631&p=1085534&hilit=qos#p1085534

Short version: Some(?) Raspi 3 stop responding to SSH after the (correct!) password has been entered.
Attaching a keyboard works, so it's just SSH.

Adding the line
IPQoS 0x00
to the file
/etc/ssh/sshd_config
solves the issue.

I have no idea what IPQoS is, but I do know it solved the issue of not being able to log in remotely at once. (After restarting the ssh daemon or the raspi.)

[edit]Note: this concerns a fresh install of OctoPi!

@guysoft
Owner

guysoft commented Jan 18, 2017

Where exactly do you need to add this? Can you send your /etc/ssh/sshd_config?

@Cyberman-tM
Author

I've added it near the bottom, above the last paragraph. Can't give you the details right now, I'm at work, sorry.
I don't think it matters where it's put, but as I said I don't understand why it solves the issue either.

@Cyberman-tM
Author

Cyberman-tM commented Jan 20, 2017

Finally, here's the sshd_config file content, after image-writing, first boot, changed password, and me inserting the line:

# Package generated configuration file
# See the sshd_config(5) manpage for details

# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes

# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024

# Logging
SyslogFacility AUTH
LogLevel INFO

# Authentication:
LoginGraceTime 120
PermitRootLogin without-password
StrictModes yes

RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile     %h/.ssh/authorized_keys

# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes

# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no

# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no

# Change to no to disable tunnelled clear text passwords
#PasswordAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

X11Forwarding yes
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no

#MaxStartups 10:30:60
#Banner /etc/issue.net

# Allow client to pass locale environment variables
AcceptEnv LANG LC_*

Subsystem sftp /usr/lib/openssh/sftp-server
IPQoS 0x00
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes

@guysoft
Owner

guysoft commented Jan 25, 2017

Added it to the nightly build; it would be appreciated if you could test whether it helps.

@Cyberman-tM
Author

Sorry, I completely forgot about this :-(

If you still need me to test it, I can probably do that tomorrow - although right now I've got problems reaching the server with the nightlies?

@guysoft
Owner

guysoft commented Feb 15, 2017 via email

@guysoft
Owner

guysoft commented Feb 15, 2017

Fixed the server, try now

@guysoft
Owner

guysoft commented Feb 15, 2017

Down again, will fix

@guysoft
Owner

guysoft commented Feb 15, 2017

Fixed, sorry for the mess, local connection was a mess here

@timmmmmey

I can confirm the problem and the fix!

@guysoft
Owner

guysoft commented Feb 18, 2017

@timmmmmey @Cyberman-tM I want to close this too, you didn't need to enable anything, right?
#286

@Cyberman-tM
Author

Cyberman-tM commented Feb 18, 2017

Update: IT WORKS!

I'm testing right now - sorry, forgot again - having problems connecting right now - getting "connection refused", but I'm not sure if the problem is the Raspi or my new modem...

I'll keep trying until I figure out what's happening, I'll write again today.

[edit]Octoprint is running and accessible, so connection is there. But Putty can't connect via SSH?
[edit2]This image: 2016-11-25-octopi-jessie-lite-0.14.0
[edit3]Slightly off-topic: apparently Raspi 3 doesn't support wifi channel 13

[final edit]
IT WORKS!

Apparently SSH wasn't enabled. I've plugged in a keyboard, went to setup, enabled SSH, and was able to connect via putty from my computer to the raspi - log in worked flawlessly.

Many thanks, you can close this.

foosel added a commit to foosel/OctoPi that referenced this issue Mar 24, 2017
While I couldn't reproduce this issue on a current build, apparently
it doesn't necessarily have to happen always and the corresponding
ticket on the rpi bug tracker (raspberrypi/linux#1519) is still
open as well.

Hence this change. As documented at

  https://www.raspberrypi.org/forums/viewtopic.php?f=28&t=141454

and other locations, ntp updates on RPi3 (sometimes?) fail if the
built-in WiFi interface is used. This appears to be the same issue
or at least related to SSH not properly functioning as described
in guysoft#294 and also documented in raspberrypi/linux#1519.

A wrong system date of the underlying OS will cause issues with
SSL handshakes, which in turn will produce fatal errors when
attempting to install plugins (see OctoPrint/OctoPrint#1827) or
probably also when updating either OctoPrint or the system itself.
Basically anything that does certificate validity checks will fall
on its face.

Having the Pi properly set its system date is hence crucial for
operation, so we need to make sure ntp can do its job.

This might also affect RPiZeroW - I haven't observed the issue
with a current build there though.
guysoft added a commit to guysoft/CustomPiOS that referenced this issue Mar 7, 2018
@lechu77

lechu77 commented Jan 27, 2021

Same here using rpi4, fixed by adding "IPQoS 0x00" to /etc/ssh/sshd_config

@guysoft
Owner

guysoft commented Jan 27, 2021

@lechu77 What version of OctoPi are you using? Because this has been fixed in later versions here:
https://github.com/guysoft/CustomPiOS/blob/devel/src/modules/base/start_chroot_script#L77

@morezco

morezco commented Mar 30, 2023

This works! Many thanks!

@bittorf

bittorf commented Aug 5, 2024

It does not work with the recent OpenSSH update anymore,
but instead of using 0x00 one can use throughput, e.g.:

user@host:~$ cat ~/.ssh/config
Host *
  HostKeyAlgorithms=+ssh-rsa
  PubkeyAcceptedKeyTypes=+ssh-rsa
  IPQoS throughput

At least on my side since the latest debian update, this happens:
(using throughput instead of the former 0x00 makes the error disappear)

bastian@ryzen:~$ ssh root@intercity-vpn.de
/home/bastian/.ssh/config line 4: Bad IPQoS value: 0x00
/home/bastian/.ssh/config: terminating, 1 bad configuration options

bastian@ryzen:~$ ssh -V
OpenSSH_9.8p1 Debian-2, OpenSSL 3.2.2 4 Jun 2024

I can't quite work out which change is responsible for this:
http://metadata.ftp-master.debian.org/changelogs/main/o/openssh/unstable_changelog

@guysoft
Owner

guysoft commented Aug 5, 2024

@bittorf if this has changed then it needs to be updated here:
https://github.com/guysoft/CustomPiOS/blob/devel/src/modules/base/start_chroot_script#L130
Is there some documentation to why/how it was changed?
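
An added example, not part of the thread and not the CustomPiOS script: one way to apply the workaround discussed above idempotently to an sshd_config file. The helper name `set_ipqos` is an assumption; the value (`0x00` or `throughput`) is passed in because, per the comments above, which one is accepted depends on the OpenSSH version. The directive is placed before the first `Match` block so that it stays a global setting.

```shell
#!/bin/sh
# Added example; set_ipqos is a hypothetical helper, not the project's code.
# Usage: set_ipqos FILE VALUE   (VALUE e.g. 0x00 or throughput)
set_ipqos() {
    file=$1
    value=$2
    tmp=$(mktemp) || return 1
    awk -v val="$value" '
        { kw = tolower($1) }              # keywords are case-insensitive
        # Text after the first Match line belongs to that Match block, so
        # the global directive has to be emitted before it.
        kw == "match" && !in_match {
            if (!done) { print "IPQoS " val; done = 1 }
            in_match = 1
        }
        # sshd uses the first value it reads for a keyword: rewrite the
        # first global IPQoS line and drop any later global duplicates.
        kw == "ipqos" && !in_match {
            if (!done) { print "IPQoS " val; done = 1 }
            next
        }
        { print }
        END { if (!done) print "IPQoS " val }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$file" "$tmp"; then
        rm -f "$tmp"                      # already set: nothing to do
        return 0
    fi
    # Keep a backup; write through the original inode so the file
    # keeps its owner and mode.
    cp -p "$file" "$file.bak" && cat "$tmp" > "$file"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone use: sh set_ipqos.sh /etc/ssh/sshd_config 0x00
if [ "$#" -eq 2 ]; then
    set_ipqos "$1" "$2"
fi
```

Run `sshd -t` after the edit and before restarting the daemon, so that a value the installed OpenSSH rejects is caught while the current session is still usable.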
