I'm trying to set up a Debian 12 server and can't get it to accept ssh connections from my Ubuntu 22.04 machine (or from an older Ubuntu machine). It doesn't ask for a password; the ssh command just terminates immediately. Ssh to localhost and [Debian 12 IP] work - it prompts for the password, accepts it and logs in. This should be a near-stock Debian 12 install. I even tried copying the stock sshd_config file from the Ubuntu 22.04 machine (which accepts connections from the Debian machine) to the Debian machine, but with no success.
Here is what the Ubuntu 22.04 machine shows when I try to connect:
[localuser]@[localmachine]:~$ ssh -vvv [remoteuser]@192.168.2.9
OpenSSH_8.9p1 Ubuntu-3ubuntu0.10, OpenSSL 3.0.2 15 Mar 2022
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: resolve_canonicalize: hostname 192.168.2.9 is address
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/[localuser]/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/[localuser]/.ssh/known_hosts2'
debug3: ssh_connect_direct: entering
debug1: Connecting to 192.168.2.9 [192.168.2.9] port 22.
debug3: set_sock_tos: set socket 3 IP_TOS 0x10
debug1: Connection established.
debug1: identity file /home/[localuser]/.ssh/id_rsa type -1
debug1: identity file /home/[localuser]/.ssh/id_rsa-cert type -1
debug1: identity file /home/[localuser]/.ssh/id_ecdsa type -1
debug1: identity file /home/[localuser]/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/[localuser]/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/[localuser]/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/[localuser]/.ssh/id_ed25519 type -1
debug1: identity file /home/[localuser]/.ssh/id_ed25519-cert type -1
debug1: identity file /home/[localuser]/.ssh/id_ed25519_sk type -1
debug1: identity file /home/[localuser]/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/[localuser]/.ssh/id_xmss type -1
debug1: identity file /home/[localuser]/.ssh/id_xmss-cert type -1
debug1: identity file /home/[localuser]/.ssh/id_dsa type -1
debug1: identity file /home/[localuser]/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.9p1 Ubuntu-3ubuntu0.10
kex_exchange_identification: read: Connection reset by peer
Connection reset by 192.168.2.9 port 22
[localuser]@[localmachine]:~$
This is what the Debian machine reports:
Dec 06 21:45:08 fafnir sshd[5704]: debug3: fd 5 is not O_NONBLOCK
Dec 06 21:45:08 fafnir sshd[5704]: debug1: Forked child 8037.
Dec 06 21:45:08 fafnir sshd[5704]: debug3: send_rexec_state: entering fd = 8 config len 3271
Dec 06 21:45:08 fafnir sshd[5704]: debug3: ssh_msg_send: type 0
Dec 06 21:45:08 fafnir sshd[5704]: debug3: send_rexec_state: done
Dec 06 21:45:08 fafnir sshd[8037]: debug3: oom_adjust_restore
Dec 06 21:45:08 fafnir sshd[8037]: debug1: Set /proc/self/oom_score_adj to 0
Dec 06 21:45:08 fafnir sshd[8037]: debug1: rexec start in 5 out 5 newsock 5 pipe 7 sock 8
Dec 06 21:45:08 fafnir sshd[8037]: debug1: inetd sockets after dupping: 4, 4
Dec 06 21:45:08 fafnir sshd[8037]: debug1: getpeername failed: Transport endpoint is not connected
Dec 06 21:45:08 fafnir sshd[8037]: debug3: process_channel_timeouts: setting 0 timeouts
Dec 06 21:45:08 fafnir sshd[8037]: debug3: channel_clear_timeouts: clearing
Dec 06 21:45:08 fafnir sshd[8037]: debug1: ssh_remote_port failed
The configuration file is currently:
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
Include /etc/ssh/sshd_config.d/*.conf
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_ecdsa_key
#HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
#LogLevel INFO
LogLevel Debug3
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin prohibit-password
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# Expect .ssh/authorized_keys2 to be disregarded by default in future.
#AuthorizedKeysFile .ssh/authorized_keys .ssh/authorized_keys2
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
KbdInteractiveAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the KbdInteractiveAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via KbdInteractiveAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and KbdInteractiveAuthentication to 'no'.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
PrintMotd no
#PrintLastLog yes
#TCPKeepAlive yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS no
#PidFile /run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
# override default of no subsystems
Subsystem sftp /usr/lib/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
Any idea what's wrong? Note that I haven't installed or configured any firewall software, but it's possible there's something stock that I don't know about.
Found it! The Debian machine's subnet mask was set to 255.255.255.255 (CIDR 192.168.2.9/32), making it think it was the only machine on the subnet. Check the CIDR with "ip addr". Changing the subnet to 255.255.255.0 (CIDR 192.168.2.9/24, as it should have been) fixed ssh. How ping would make ssh work, I still don't know, but it was a usable workaround.
How I missed this in my first rounds of DDG searches, I also don't know. But here are a few things to try (besides the subnet) for anyone else who has this problem:
18.04 - Can't SSH into the server until I've pinged it - Ask Ubuntu
ssh - Ubuntu server can be accessed only after ping - Server Fault
SSH connection to my home server ONLY works if the server is pinging at the same time: r/linux4noobs (reddit.com)
[SOLVED] ssh can't connect, then I ping, then ssh can, how can it be? strange situation... (linuxquestions.org)
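
The subnet check described in the answer above, as an added example that is not part of the original post: a POSIX shell script that reads `ip -o -4 addr show` output and reports, for each non-loopback address, whether a given peer falls inside that interface's subnet. The interface name enp3s0, the peer address 192.168.2.1 and the sample output are constructed for illustration; only 192.168.2.9 and the /32 and /24 prefixes come from the post.

```shell
#!/bin/sh
# Constructed sample of `ip -o -4 addr show` output with the /32 prefix from the post.
SAMPLE_IP_OUTPUT='1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
2: enp3s0    inet 192.168.2.9/32 scope global enp3s0\       valid_lft forever preferred_lft forever'

# ip_to_int A.B.C.D -> prints the address as a 32-bit integer.
ip_to_int() {
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into $1..$4
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# on_link ADDR/PREFIX PEER -> exit 0 if PEER is inside the subnet of ADDR/PREFIX.
on_link() {
    ol_addr=${1%/*}; ol_prefix=${1#*/}; ol_peer=$2
    if [ "$ol_prefix" -eq 0 ]; then
        ol_mask=0
    else
        ol_mask=$(( (0xFFFFFFFF << (32 - ol_prefix)) & 0xFFFFFFFF ))
    fi
    [ $(( $(ip_to_int "$ol_addr") & ol_mask )) -eq $(( $(ip_to_int "$ol_peer") & ol_mask )) ]
}

# check_peer PEER: reads `ip -o -4 addr show` output on stdin.
# Prints one OK/WARN line per non-loopback address; exit 0 if any subnet contains PEER.
check_peer() {
    cp_peer=$1; cp_status=1
    while read -r cp_idx cp_if cp_fam cp_cidr cp_rest; do
        [ "$cp_fam" = inet ] || continue
        [ "$cp_if" = lo ] && continue
        case $cp_cidr in */*) ;; *) continue ;; esac   # skip "ADDR peer ..." entries
        if on_link "$cp_cidr" "$cp_peer"; then
            echo "OK $cp_if $cp_cidr: $cp_peer is on-link"
            cp_status=0
        else
            echo "WARN $cp_if $cp_cidr: $cp_peer is outside this subnet"
        fi
    done
    return $cp_status
}

# Run against the constructed sample; on a real host use:
#   ip -o -4 addr show | check_peer <client address>
printf '%s\n' "$SAMPLE_IP_OUTPUT" | check_peer 192.168.2.1 || true
```
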