SSH connection failure

root@openziti:/home/test# ziti edge list identities
╭────────────┬───────────────┬─────────┬─────────────┬─────────────╮
│ ID │ NAME │ TYPE │ ATTRIBUTES │ AUTH-POLICY │
├────────────┼───────────────┼─────────┼─────────────┼─────────────┤
│ By99wgXG7 │ CAMER_ROUTER │ Router │ edge router │ Default │
│ Wx6OUjCG7 │ ssh_server │ Default │ host │ Default │
│ cipU8DUn76 │ ssh_client │ Default │ user │ Default │
│ zR8KD2mlg │ Default Admin │ Default │ │ Default │
╰────────────┴───────────────┴─────────┴─────────────┴─────────────╯
results: 1-4 of 4
root@openziti:/home/test# ziti edge list services
╭────────────────────────┬──────────┬────────────┬─────────────────────┬────────────╮
│ ID │ NAME │ ENCRYPTION │ TERMINATOR STRATEGY │ ATTRIBUTES │
│ │ │ REQUIRED │ │ │
├────────────────────────┼──────────┼────────────┼─────────────────────┼────────────┤
│ 3ArZCawcRx5WODiNSPTTp2 │ ssh_ziti │ true │ smartrouting │ │
╰────────────────────────┴──────────┴────────────┴─────────────────────┴────────────╯
results: 1-1 of 1
root@openziti:/home/test# ziti edge list edge-router-policies
╭────────────────────────┬──────────────────────────────┬───────────────────┬────────────────╮
│ ID │ NAME │ EDGE ROUTER ROLES │ IDENTITY ROLES │
├────────────────────────┼──────────────────────────────┼───────────────────┼────────────────┤
│ 7U27XSpipiV08rsDYRfMK9 │ ssh_client_router_policy │ @CAMER_ROUTER │ @ssh_client │
│ By99wgXG7 │ edge-router-By99wgXG7-system │ @CAMER_ROUTER │ @CAMER_ROUTER │
│ y75hShH1H2XD1YUk1oRPU │ allow-ssh-server │ @CAMER_ROUTER │ @ssh_server │
╰────────────────────────┴──────────────────────────────┴───────────────────┴────────────────╯
results: 1-3 of 3
root@openziti:/home/test# ziti edge list service-policies
╭────────────────────────┬────────────────────────┬──────────┬───────────────┬────────────────┬─────────────────────╮
│ ID │ NAME │ SEMANTIC │ SERVICE ROLES │ IDENTITY ROLES │ POSTURE CHECK ROLES │
├────────────────────────┼────────────────────────┼──────────┼───────────────┼────────────────┼─────────────────────┤
│ 1MX2Ho2gDcuJOvtF5mqTQq │ ssh_ziti_dial_identity │ AllOf │ @ssh_ziti │ @ssh_client │ │
│ 2t72wffqjW8pHTKH7gE8yb │ ssh_ziti_bind_identity │ AllOf │ @ssh_ziti │ @ssh_server │ │
╰────────────────────────┴────────────────────────┴──────────┴───────────────┴────────────────┴─────────────────────╯
results: 1-2 of 2
root@openziti:/home/test# ziti edge list configs
╭────────────────────────┬──────────────────────┬──────────────╮
│ ID │ NAME │ CONFIG TYPE │
├────────────────────────┼──────────────────────┼──────────────┤
│ 4mpluRa5Rl3pDTomgn6M9Y │ ssh_config_intercept │ intercept.v1 │
│ qi47RDOQCnrJr5FQLeoCr │ ssh_config_host │ host.v1 │
╰────────────────────────┴──────────────────────┴──────────────╯
results: 1-2 of 2
root@openziti:/home/test# ziti edge policy-advisor services |grep ssh_ziti
OKAY : ssh_server (1) -> ssh_ziti (1) Common Routers: (1/1) Dial: N Bind: Y
OKAY : ssh_client (1) -> ssh_ziti (1) Common Routers: (1/1) Dial: Y Bind: N
root@openziti:/home/test#
I installed a router and an OpenZiti controller; the idea is to do local tests by connecting to an SSH server via the Ziti network. For this I created the client and server identities, I created host and intercept configurations, and I also created policies for bind and dial; for the server I used an edge tunnel and for the client a Ziti Desktop Edge. The enrollment was successful, but from the client the connection does not go through. Please, could someone have an idea of what is missing? Below you have the result of my tests on the client. The name I gave to the service is ssh.ziti in the intercept configuration.

C:\Users\Murielle>ping ssh.ziti

Envoi d’une requête 'ping' sur ssh.ziti [100.64.0.3] avec 32 octets de données :
Réponse de 100.64.0.3 : octets=32 temps<1ms TTL=255
Réponse de 100.64.0.3 : octets=32 temps<1ms TTL=255
Réponse de 100.64.0.3 : octets=32 temps<1ms TTL=255

Statistiques Ping pour 100.64.0.3:
Paquets : envoyés = 3, reçus = 3, perdus = 0 (perte 0%),
Durée approximative des boucles en millisecondes :
Minimum = 0ms, Maximum = 0ms, Moyenne = 0ms
Ctrl+C
^C
C:\Users\Murielle>ssh user2@ssh.ziti
ssh: connect to host ssh.ziti port 22: Connection refused

Hi @MURIELLE,

Just an FYI, ping can be useful to get the resolved IP (to make sure the intercept is working) but is not reliable, as OpenZiti won't tunnel ICMP.

ssh: connect to host ssh.ziti port 22: Connection refused

My guess is that the host.v1 config is incorrect here. Can you show the log from the identity that is to offload ssh? Is it using "localhost" or "127.0.0.1" or something else?

From the identity that should be offloading ssh, can it ssh TO that machine?

Below you have the content of the host.v1 config:
root@openziti:/home/test# ziti edge show config ssh_config_host
{
  "address": "127.0.0.1",
  "listenOptions": {
    "bindUsingEdgeIdentity": false,
    "identity": "ssh_server"
  },
  "port": 22,
  "protocol": "tcp"
}

root@server2:/home/user2# nc -zv localhost 22
nc: connect to localhost (::1) port 22 (tcp) failed: Connection refused
Connection to localhost (127.0.0.1) 22 port [tcp/ssh] succeeded!

root@server2:/home/user2# nc -zv 127.0.0.1 22
Connection to 127.0.0.1 22 port [tcp/ssh] succeeded!
root@server2:/home/user2#

Hi,

I noticed your config specifies a listening identity of "ssh_server". Make sure this lines up with the value you're specifying as the dial identity (e.g. in your intercept.v1 dial options if you're using a tunneler on the client side).

Most of the dial-by-identity examples you'll see here use variables in the service configurations and the identities are named to exactly match the intercept IP or hostname that targets the identity. This makes it possible to target multiple hosts with a single service.

You could hard-code both the dial identity and the listen identity (maybe this is what you've done), but then you'd need to create a service for each host that you want to reach. In this case you actually wouldn't need to specify dial or listen options at all... If you do specify dial options or listen options, you need to make sure that the dialing and listening sides agree on what the identity name will be.
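To make the agreement rule above concrete, here is an added example (not code from the thread or from the OpenZiti project) that compares what a host.v1 config binds as with what an intercept.v1 config would dial. It embeds a copy of the poster's host.v1 config and three constructed intercept.v1 variants; the field name `dialOptions.identity` and the `$dst_hostname` substitution variable are assumed, and the mismatch rules encode the advice given in this reply rather than the controller's own routing logic.

```python
import json

# Copy of the host.v1 config posted in the thread (constructed as a literal here)
HOST_V1 = json.loads("""
{
  "address": "127.0.0.1",
  "port": 22,
  "protocol": "tcp",
  "listenOptions": {"bindUsingEdgeIdentity": false, "identity": "ssh_server"}
}
""")
# Same config with listenOptions dropped: the "one service per host" route
HOST_NO_LISTEN = {"address": "127.0.0.1", "port": 22, "protocol": "tcp"}

# Constructed intercept.v1 configs. Assumed: dialOptions.identity and $dst_hostname.
INTERCEPT_NO_DIAL_ID = {"protocols": ["tcp"], "addresses": ["ssh.ziti"],
                        "portRanges": [{"low": 22, "high": 22}]}
INTERCEPT_HARDCODED = {**INTERCEPT_NO_DIAL_ID, "dialOptions": {"identity": "ssh_server"}}
INTERCEPT_VARIABLE = {**INTERCEPT_NO_DIAL_ID, "dialOptions": {"identity": "$dst_hostname"}}


def resolve_dial_identity(intercept_cfg, dst_hostname):
    """Identity the dialing tunneler would target, or None when no dial identity is set.
    Only the $dst_hostname variable is modelled here."""
    ident = intercept_cfg.get("dialOptions", {}).get("identity")
    if ident is None:
        return None
    return ident.replace("$dst_hostname", dst_hostname)


def check_identity_agreement(intercept_cfg, host_cfg, hosting_identity, dst_hostname):
    """Return 'ok' when dial side and listen side agree, else a description of the mismatch.
    hosting_identity is the name of the identity running the hosting tunneler."""
    lo = host_cfg.get("listenOptions", {})
    listen_ident = hosting_identity if lo.get("bindUsingEdgeIdentity") else lo.get("identity")
    dial_ident = resolve_dial_identity(intercept_cfg, dst_hostname)
    if listen_ident is None and dial_ident is None:
        return "ok"  # neither side uses addressable terminators
    if listen_ident is None:
        return f"dial side targets identity '{dial_ident}' but the host side binds no identity"
    if dial_ident is None:
        return f"host side binds identity '{listen_ident}' but the intercept sets no dialOptions.identity"
    if dial_ident != listen_ident:
        return f"dial identity '{dial_ident}' != listen identity '{listen_ident}'"
    return "ok"
```

Run against the thread's values, the poster's host.v1 with an intercept lacking dialOptions is flagged, the hard-coded pair passes, and the variable form only passes when the hosting identity is named after the intercept hostname.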