
  1. besi
  2. PLCnext Technology & PLCnext Controls
  3. Saturday, 24 April 2021
Hi,

I have the following setup:

internet <--> router with wireguard VPN termination <- LAN -> PLCnext Controller

Internet traffic to the router on port [CENSORED] will be forwarded to the PLCnext controller port 22 (SSH).
I want to connect via SSH to the PLCnext controller from the internet.

When connecting via SSH to the PLCnext StarterKit [1], I will receive the following message:


~ $ ssh -vvv -p [CENSORED] admin@91.193.[CENSORED]
OpenSSH_8.5p1, OpenSSL 1.1.1k 25 Mar 2021
debug1: Reading configuration data /home/[CENSORED]
[...]
debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Bad packet length 3480882771.
debug3: send packet: type 1
ssh_dispatch_run_fatal: Connection to 91.193.[CENSORED] port [CENSORED]: Connection corrupted
~ $


The same experiment is successful with a Raspberry Pi instead of the PLCnext controller. [2]
The results (for Raspberry Pi and PLCnext) are reproducible on different ports.

Please note that things seem to go wrong after the shell request was accepted.

debug2: shell request accepted on channel 0


That's the last(!) line, before SSH access should be granted (compare with [2])
I can SSH to the PLCnext controller from LAN.

Any kind of advice is welcome.

Kind regards

---

[1]
URL formatted as code because the URL environment seems to have issues

https://www.phoenixcontact.com/online/portal/ch?uri=pxc-oc-itemdetail:pid=1046568&library=chde&tab=1


[2]

debug2: channel 0: request shell confirm 1
debug3: send packet: type 98
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 0 rmax 32768
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: PTY allocation request accepted on channel 0
debug2: channel 0: rcvd adjust 2097152
debug3: receive packet: type 99
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Linux raspberrypi 5.10.11+ #1399 Thu Jan 28 12:02:28 GMT 2021 armv6l

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Sat Apr 24 07:04:19 2021 from [CENSORED]
pi@raspberrypi:~ $
Martin PLCnext Team
It might be worth comparing the ssh_config files on the two devices, to see if there are any differences that might be significant in this case.
Phoenix Contact Electronics Headquarters - PLCnext Runtime Product Management and Support
besi
Hi Martin PLCnext Team
Thank you for your reply and sorry for the delay on my side (did not get a notification mail).

Since I am trying to connect _TO_ the devices (PLCnext starter kit and Raspi) I assume you're referring to sshd_config (the SSH server's config file).

Here is the diff between both sshd_config (left pi, right plcnext starterkit) files:


~ $ diff sshd_config_pi sshd_config_plcnext
1c1
< # $OpenBSD: sshd_config,v 1.103 2018/04/09 20:41:22 tj Exp $
---
> # $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
10c10
< # possible, but leave them commented. Uncommented options override the
---
> # possible, but leave them commented. Uncommented options change a
17a18,23
> # The default requires explicit activation of protocol 1
> Protocol 2
>
> # HostKey for protocol version 1
> #HostKey /etc/ssh/ssh_host_key
> # HostKeys for protocol version 2
18a25
> #HostKey /etc/ssh/ssh_host_dsa_key
21a29,32
> # Lifetime and size of ephemeral version 1 server key
> #KeyRegenerationInterval 1h
> #ServerKeyBits 1024
>
25a37
> # obsoletes QuietMode and FascistLogging
32c44
< #PermitRootLogin prohibit-password
---
> #PermitRootLogin yes
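Review bot: in hunk 32c44 both PermitRootLogin lines are commented out, so the hunk compares the template comments of two different sshd_config versions, not a setting that is in force on either device. Because port 22 of the PLCnext controller is forwarded from the internet, the effective value matters more than the comment: print it on each device with sshd -T and set PermitRootLogin explicitly in the PLCnext file instead of relying on the built-in default.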
36a49
> #RSAAuthentication yes
39,40c52,54
< # Expect .ssh/authorized_keys2 to be disregarded by default in future.
< #AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
---
> # The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
> # but this is overridden so installations will only check .ssh/authorized_keys
> AuthorizedKeysFile .ssh/authorized_keys /home/%u/.ssh/authorized_keys
47a62,63
> #RhostsRSAAuthentication no
> # similar for protocol version 2
50c66
< # HostbasedAuthentication
---
> # RhostsRSAAuthentication and HostbasedAuthentication
59,60c75
< # Change to yes to enable challenge-response passwords (beware issues with
< # some PAM modules and threads)
---
> # Change to no to disable s/key passwords
72,73d86
< #GSSAPIStrictAcceptorCheck yes
< #GSSAPIKeyExchange no
89c102
< X11Forwarding yes
---
> #X11Forwarding no
93c106
< PrintMotd no
---
> #PrintMotd yes
95a109
> #UseLogin no
97,100c111,114
< #Compression delayed
< #ClientAliveInterval 0
< #ClientAliveCountMax 3
< #UseDNS no
---
> Compression no
> ClientAliveInterval 15
> ClientAliveCountMax 4
> #UseDNS yes
107,111c121,122
< # no default banner path
< #Banner none
<
< # Allow client to pass locale environment variables
< AcceptEnv LANG LC_*
---
> # banner set to system use notification of arp
> Banner /opt/plcnext/config/System/Um/SystemUseNotification.txt
114c125
< Subsystem sftp /usr/lib/openssh/sftp-server
---
> Subsystem sftp internal-sftp -u 002


I'll try to make some progress by tuning sshd_config accordingly as soon as time permits.

Kind regards
Martin PLCnext Team
Sorry about the lack of notification - as you have discovered, notifications do not work on this forum, but hopefully this will be fixed on the next generation forum (coming soon).
Yes, you're right, I meant the sshd_config file.
Please let us know if the changes you make to the ssh configuration help with the problem.
Phoenix Contact Electronics Headquarters - PLCnext Runtime Product Management and Support
besi
Hi,

I modified the sshd_config files to find the core issue but was not successful (could not make PLCnext work, could not make Raspberry Pi fail).

Finally, I was able to establish an SSH connection successfully over Mullvad's Wireguard after executing

~# ethtool -K eth0 gso off gro off


This command modifies the offloading parameters of the PLCnext controller. I am not sure if that allows any conclusion about the fault's source (PLCnext or Mullvad). I did not investigate further.

Hopefully this information will help someone in a similar situation.

Martin PLCnext Team, do you happen to know of any issues/bugs related to Ethernet offloading parameters? An answer is optional, as I will mark this issue [RESOLVED].

Cheers!
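
A way to check the offload state before and after the ethtool -K change described in the post above, added here as an example that is not part of the original thread or of PLCnext documentation. The `ethtool -k` sample output is constructed, and `offload_state` and `offload_fix_args` are hypothetical helper names.

```shell
#!/bin/sh
# Constructed samples of `ethtool -k eth0` output (not captured from a PLCnext device).
SAMPLE_BEFORE='Features for eth0:
rx-checksumming: on
tx-checksumming: on
scatter-gather: on
tcp-segmentation-offload: off [fixed]
generic-segmentation-offload: on
generic-receive-offload: on
large-receive-offload: off [fixed]'

SAMPLE_AFTER='Features for eth0:
rx-checksumming: on
generic-segmentation-offload: off
generic-receive-offload: off'

# Read `ethtool -k` text on stdin and print "short-name state" for the two
# features changed in the post. A feature marked "[fixed]" is reported as
# "fixed" because the driver does not allow ethtool -K to change it.
offload_state() {
    awk -F': *' '
        $1 == "generic-segmentation-offload" { name = "gso" }
        $1 == "generic-receive-offload"      { name = "gro" }
        name != "" {
            state = ($2 ~ /\[fixed\]/) ? "fixed" : $2
            sub(/ .*/, "", state)      # drop trailing notes such as "[requested on]"
            print name, state
            name = ""
        }'
}

# Build the ethtool -K arguments needed to reach the state from the post
# (gso off, gro off). Prints nothing when no change is needed or possible.
offload_fix_args() {
    offload_state | awk '
        $2 == "on" { printf "%s%s off", sep, $1; sep = " " }
        END        { if (sep) print "" }'
}

# On the controller, feed the live feature list instead of the sample:
#   args=$(ethtool -k eth0 | offload_fix_args)
#   [ -n "$args" ] && ethtool -K eth0 $args
printf '%s\n' "$SAMPLE_BEFORE" | offload_fix_args   # gso off gro off
```

Settings made with ethtool -K apply to the running system only, so they have to be reapplied after a reboot for the change to persist.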