Re: Unable to ssh to Debian 9 from 9 or 11
On Mon, 17 Jul 2023, to...@tuxteam.de wrote:

> On Sun, Jul 16, 2023 at 03:21:06PM -0400, Timothy M Butterworth wrote:
> > Do you have TCP wrappers installed and running? Please post the output of:
> > `less /etc/hosts.allow`
> > `less /etc/hosts.deny`
>
> tcpwrappers would lead to a connection refused, not a timeout.

Confirmed. File /etc/hosts.allow contains nothing but comments, and file /etc/hosts.deny doesn't exist.

Roger
Re: Unable to ssh to Debian 9 from 9 or 11
On Sun, Jul 16, 2023 at 03:21:06PM -0400, Timothy M Butterworth wrote:

[...]

> Do you have TCP wrappers installed and running? Please post the output of:
> `less /etc/hosts.allow`
> `less /etc/hosts.deny`

tcpwrappers would lead to a connection refused, not a timeout.

Cheers
--
t
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, Jul 15, 2023 at 4:32 PM Roger Price wrote:

> On Sat, 15 Jul 2023, to...@tuxteam.de wrote:
>
> > @Roger: what does "sudo ss -antp" (or "netstat -antp") say? Is sshd
> > listening on 0.0.0.0:22? Then it's firewall, otherwise (not very
> > probable, but hey) it's sshd config.
>
> Here is netstat -antp on one of the Debian 9 machines where I am currently
> logged in locally as root via ssh.
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address      Foreign Address    State        PID/Program name
> tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN       521/sshd
> tcp        0      0 127.0.0.1:631      0.0.0.0:*          LISTEN       4578/cupsd
> tcp        0      0 127.0.0.1:22       127.0.0.1:50124    ESTABLISHED  2905/sshd: root@pts
> tcp        0      0 127.0.0.1:50124    127.0.0.1:22       ESTABLISHED  2903/ssh
>
> Roger

Do you have TCP wrappers installed and running? Please post the output of:
`less /etc/hosts.allow`
`less /etc/hosts.deny`

--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀
Re: Unable to ssh to Debian 9 from 9 or 11
On Sun, 16 Jul 2023, Anssi Saari wrote:

> Roger Price writes:
> > Does the style of comment give a clue to the tool used ?
>
> Earlier you posted a list of firewall rules like this:
>
>   iptables -L -n --line-numbers reports
>
>   Chain INPUT (policy ACCEPT)
>   num  target                    prot opt source       destination
>   1    ufw-before-logging-input  all  --  0.0.0.0/0    0.0.0.0/0
>
> So I would guess ufw.

That's what I thought, but there is no ufw in this Debian 9 machine. So I had to do some archaeology. It took me a while to discover that long ago this machine ran openSuSE 12.2 and was directly attached to the internet, so it ran a modification of the openSuSE firewall. The machine was then migrated to Debian and placed behind a box supplied by the internet provider, but it kept running the openSuSE firewall.

  root@kananga ~ systemctl is-enabled SuSEfirewall2
  enabled

The years have gone by. It's still running on Debian 9! I stopped it with

  root@kananga ~ systemctl disable SuSEfirewall2
  Removed /etc/systemd/system/SuSEfirewall2_setup.service.
  Removed /etc/systemd/system/multi-user.target.wants/SuSEfirewall2.service.
  Removed /etc/systemd/system/multi-user.target.wants/SuSEfirewall2_init.service.
  root@kananga ~ systemctl stop SuSEfirewall2
  root@kananga ~ systemctl is-enabled SuSEfirewall2
  disabled

I then recycled the machine, power off, power on, and I can now ssh into this Debian 9 machine from Debian 11 :-) , so I have a permanent solution.

My thanks to all who participated in the discussion,
Roger
Re: Unable to ssh to Debian 9 from 9 or 11
Roger Price writes:

> Does the style of comment give a clue to the tool used ?

Earlier you posted a list of firewall rules like this:

  iptables -L -n --line-numbers reports

  Chain INPUT (policy ACCEPT)
  num  target                    prot opt source       destination
  1    ufw-before-logging-input  all  --  0.0.0.0/0    0.0.0.0/0
  2    ufw-before-input          all  --  0.0.0.0/0    0.0.0.0/0
  3    ufw-after-input           all  --  0.0.0.0/0    0.0.0.0/0
  4    ufw-after-logging-input   all  --  0.0.0.0/0    0.0.0.0/0
  5    ufw-reject-input          all  --  0.0.0.0/0    0.0.0.0/0
  6    ufw-track-input           all  --  0.0.0.0/0    0.0.0.0/0

So I would guess ufw.
Re: Unable to ssh to Debian 9 from 9 or 11
Roger Price wrote:
> After the restart, I tried to ssh from Debian 11 to that Debian 9 machine
>
> rprice@titan ~ ssh -v rprice@kananga
> ssh: connect to host kananga port 22: Connection timed out
>
> So it's something else? Roger

Sorry, but I didn't follow the whole thread completely. Maybe parts of this were already asked...

• Can you check on the host kananga, if sshd is running and really listening on port 22?
  Can you run (as root) on host kananga, and send us the output:

      lsof -P -i -n | grep ssh | grep root | grep LISTEN

  Check especially, if ssh is listening for all hosts (indicated by an asterisk '*')?

• Can you check, if there are no Firewall restrictions for Port 22 on host kananga:
  Do as root:

      iptables -L -n | grep dpt:22

• Check, if there are no Firewall restrictions regarding the host on host kananga for your host titan:
  Do as root:

      for i in `host titan | awk '{print $NF}'` ; do iptables -L -n | grep $i ; done

• Finally, if you didn't get the answer yet, check on host titan, what ssh is really doing, with lots of more verbose messages:

      ssh -vvv rprice@kananga date

Thanks.

Best regards,
Klaus.
--
Klaus Singvogel
GnuPG-Key-ID: 1024R/5068792D 1994-06-27
Re: Unable to ssh to Debian 9 from 9 or 11
mick.crane (12023-07-16):
> I'd compare the public key of you at 11 to what's in the authorized_keys on
> 9.
> and what's in known_hosts.
> and what's in the sshd config file on 9 about "Listen"
> after that I dunno.

Oh, please stop. The symptoms do not point to issues with the key AT ALL and the issue has been fixed for hours anyway.

--
Nicolas George
Re: Unable to ssh to Debian 9 from 9 or 11
On 2023-07-16 10:53, Roger Price wrote:

> On Sun, 16 Jul 2023, mick.crane wrote:
>
> > did you try to ssh to the ip address?
> > I vaguely remember something to do with the keys where I could ssh by
> > number but not name.
>
> I ssh from Debian 11 to Debian 9 :
>
>   rprice@titan ~ ssh rprice@192.168.1.13
>   ssh: connect to host 192.168.1.13 port 22: Connection timed out
>
> Roger

I'd compare the public key of you at 11 to what's in the authorized_keys on 9.
and what's in known_hosts.
and what's in the sshd config file on 9 about "Listen"
after that I dunno.

mick
Re: Unable to ssh to Debian 9 from 9 or 11
On Sun, 16 Jul 2023, mick.crane wrote:

> did you try to ssh to the ip address?
> I vaguely remember something to do with the keys where I could ssh by
> number but not name.

I ssh from Debian 11 to Debian 9 :

  rprice@titan ~ ssh rprice@192.168.1.13
  ssh: connect to host 192.168.1.13 port 22: Connection timed out

Roger
Re: Unable to ssh to Debian 9 from 9 or 11
On 2023-07-16 09:28, Roger Price wrote:

> On Sun, 16 Jul 2023, mick.crane wrote:
>
> > Can you ping the problem machine by name?
>
>   rprice@titan ~ ping -c2 kananga
>   PING kananga (192.168.1.16) 56(84) bytes of data.
>   64 bytes from kananga (192.168.1.16): icmp_seq=1 ttl=64 time=1.38 ms
>   64 bytes from kananga (192.168.1.16): icmp_seq=2 ttl=64 time=1.37 ms
>
> Roger

did you try to ssh to the ip address?
I vaguely remember something to do with the keys where I could ssh by number but not name.

mick
Re: Unable to ssh to Debian 9 from 9 or 11
On Sun, Jul 16, 2023 at 11:03:52AM +0200, Roger Price wrote:

[...]

> On a Debian 9 machine I typed the commands
>
>   iptables -F
>   iptables -X
>   iptables -P INPUT ACCEPT
>   iptables -P FORWARD ACCEPT
>   iptables -P OUTPUT ACCEPT
>
> and then _immediately_ attempted to ssh from Debian 11 to that Debian 9
> machine.
>
>   rprice@titan ~ ssh rprice@kananga
>   rprice@kananga's password:
>   Linux kananga 4.9.0-4-686 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) i686
>   ...
>
> Success! I can ssh 11->9 after flushing the firewall and before rebooting.

\o/

:-)

> I do not know what firewall management tool is in use. The first 4 lines
> shown by iptables -L were
>
>   Chain INPUT (policy DROP)
>   num  target  prot opt source       destination
>   1    ACCEPT  all  --  0.0.0.0/0    0.0.0.0/0    /* "main[2993]-set_basic_rules[971]" */
>   2    ACCEPT  all  --  0.0.0.0/0    0.0.0.0/0    ctstate ESTABLISHED /* "set_basic_rules[1028]-allow_basic_established[878]" */
>   3    ACCEPT  icmp --  0.0.0.0/0    0.0.0.0/0    ctstate RELATED /* "set_basic_rules[1028]-allow_basic_established[892]" */
>
> Does the style of comment give a clue to the tool used ?

I must pass up on this one. I'm not very much into all those tools (and a bit tight on time, guests now getting up and hoping for some breakfast :-)

I'll dig into it later unless someone (TM) beats me to it.

Cheers
--
t
Re: Unable to ssh to Debian 9 from 9 or 11
On Sun, 16 Jul 2023, to...@tuxteam.de wrote:

> On Sun, Jul 16, 2023 at 09:39:35AM +0200, Roger Price wrote:
> > I tried to clear out the existing firewall on a Debian 9 machine with the
> > commands
>
> This would be a good time to try ssh :-)
>
> But before chasing that culprit it'd be nice to know we are barking up the
> right tree: can you ssh after flushing the firewalls and /before/ rebooting?

On a Debian 9 machine I typed the commands

  iptables -F
  iptables -X
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT

and then _immediately_ attempted to ssh from Debian 11 to that Debian 9 machine.

  rprice@titan ~ ssh rprice@kananga
  rprice@kananga's password:
  Linux kananga 4.9.0-4-686 #1 SMP Debian 4.9.65-3+deb9u1 (2017-12-23) i686
  ...

Success! I can ssh 11->9 after flushing the firewall and before rebooting.

I do not know what firewall management tool is in use. The first 4 lines shown by iptables -L were

  Chain INPUT (policy DROP)
  num  target  prot opt source       destination
  1    ACCEPT  all  --  0.0.0.0/0    0.0.0.0/0    /* "main[2993]-set_basic_rules[971]" */
  2    ACCEPT  all  --  0.0.0.0/0    0.0.0.0/0    ctstate ESTABLISHED /* "set_basic_rules[1028]-allow_basic_established[878]" */
  3    ACCEPT  icmp --  0.0.0.0/0    0.0.0.0/0    ctstate RELATED /* "set_basic_rules[1028]-allow_basic_established[892]" */

Does the style of comment give a clue to the tool used ?

Roger
Re: Unable to ssh to Debian 9 from 9 or 11
On Sun, 16 Jul 2023, mick.crane wrote:

> Can you ping the problem machine by name?

  rprice@titan ~ ping -c2 kananga
  PING kananga (192.168.1.16) 56(84) bytes of data.
  64 bytes from kananga (192.168.1.16): icmp_seq=1 ttl=64 time=1.38 ms
  64 bytes from kananga (192.168.1.16): icmp_seq=2 ttl=64 time=1.37 ms

Roger
Re: Unable to ssh to Debian 9 from 9 or 11
On Sun, Jul 16, 2023 at 09:07:03AM +0100, mick.crane wrote:

[...]

> Can you ping the problem machine by name?
> mick

No, it isn't a name resolution issue. The original "ssh -v" output, which I re-quote here, shows that clearly:

 | rprice@kananga:~$ ssh -v rprice@maria
 | OpenSSH_7.4p1 Debian-10+deb9u2, OpenSSL 1.0.2l 25 May 2017
 | debug1: Reading configuration data /etc/ssh/ssh_config
 | debug1: /etc/ssh/ssh_config line 19: Applying options for *
 | debug1: Connecting to maria [192.168.1.13] port 22.
 | debug1: connect to address 192.168.1.13 port 22: Connection timed out
 | ssh: connect to host maria port 22: Connection timed out

Cheers
--
t
Re: Unable to ssh to Debian 9 from 9 or 11
On 2023-07-16 07:26, Roger Price wrote:

> On Sun, 16 Jul 2023, Intense Red wrote:
>
> > Are you trying to ssh into the box as the root user?
>
> I do not ssh into remote boxes as root; I use ssh to root only within the box.
>
> > If so, remember Debian's ssh configuration stops root from logging in.
>
> In my Debian 9 and 11 boxes I see in /etc/ssh/sshd_config "PermitRootLogin yes"
> by default, and by default local and remote root login is possible.
>
> Roger

Can you ping the problem machine by name?

mick
Re: Unable to ssh to Debian 9 from 9 or 11
On Sun, Jul 16, 2023 at 03:46:06PM +0800, jeremy ardley wrote:
>
> On 16/7/23 15:39, Roger Price wrote:
> > So it's something else? Roger
>
> Have you checked /etc/ssh/sshd_config on the target to see if it is actually
> listening on port 22? You can also use netstat to see listening ports and
> processes

OP has checked with netstat/ss. Yes, sshd /is/ listening on 0.0.0.0:22

Besides this would lead (as Greg noted) to a "connection refused", not to a timeout.

> Second is to check the /etc/ssh/ssh_config on the originating machine to
> make sure nothing funny.
>
> Finally check ~/.ssh/config on your originating machine and see if there is
> any conflicting lines that may perhaps make you try and connect to the wrong
> host

All those options take effect too late for the observed behaviour.

cheers
--
t
Re: Unable to ssh to Debian 9 from 9 or 11
On Sun, Jul 16, 2023 at 09:39:35AM +0200, Roger Price wrote:
> On Sat, 15 Jul 2023, Greg Wooledge wrote:
> > On Sat, Jul 15, 2023 at 11:59:33AM +0200, Roger Price wrote:
> > > rprice@kananga:~$ ssh -v rprice@maria
> > > ssh: connect to host maria port 22: Connection timed out
> >
> > A timeout is an ENTIRELY different symptom, and when combined with
> > "but I can ping the remote", it means a firewall is involved. Every
> > time.
>
> I tried to clear out the existing firewall on a Debian 9 machine with the
> commands
>
>   iptables -F
>   iptables -X
>   iptables -P INPUT ACCEPT
>   iptables -P FORWARD ACCEPT
>   iptables -P OUTPUT ACCEPT
>
> iptables -L -n --line-numbers reports
>
>   Chain INPUT (policy ACCEPT)
>   num  target                    prot opt source       destination
>   1    ufw-before-logging-input  all  --  0.0.0.0/0    0.0.0.0/0
>   2    ufw-before-input          all  --  0.0.0.0/0    0.0.0.0/0
>   3    ufw-after-input           all  --  0.0.0.0/0    0.0.0.0/0
>   4    ufw-after-logging-input   all  --  0.0.0.0/0    0.0.0.0/0
>   5    ufw-reject-input          all  --  0.0.0.0/0    0.0.0.0/0
>   6    ufw-track-input           all  --  0.0.0.0/0    0.0.0.0/0
>
>   ... and so on

This would be a good time to try ssh :-)

> I then recycled the Debian 9 machine, power off, power on, for a clean
> restart,
> After the restart, I tried to ssh from Debian 11 to that Debian 9 machine

That's too late: the iptables command just modifies the kernel's settings. They are not persistent across a reboot. This is the job of whatever firewall management thingy sets the firewall at boot (it may be as simple as a self-made script calling iptables or as complex as some firewalld or ufw, or some systemd thingmajig).

>   rprice@titan ~ ssh -v rprice@kananga
>   ssh: connect to host kananga port 22: Connection timed out
>
> So it's something else? Roger

No, this is to be expected: whatever did set up your firewall on first boot will do that again at every reboot.

But before chasing that culprit it'd be nice to know we are barking up the right tree: can you ssh after flushing the firewalls and /before/ rebooting?

Cheers
--
tomás
Re: Unable to ssh to Debian 9 from 9 or 11
On 16/7/23 15:39, Roger Price wrote:

> So it's something else? Roger

Have you checked /etc/ssh/sshd_config on the target to see if it is actually listening on port 22? You can also use netstat to see listening ports and processes

Second is to check the /etc/ssh/ssh_config on the originating machine to make sure nothing funny.

Finally check ~/.ssh/config on your originating machine and see if there is any conflicting lines that may perhaps make you try and connect to the wrong host
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, 15 Jul 2023, Greg Wooledge wrote:

> On Sat, Jul 15, 2023 at 11:59:33AM +0200, Roger Price wrote:
> > rprice@kananga:~$ ssh -v rprice@maria
> > ssh: connect to host maria port 22: Connection timed out
>
> A timeout is an ENTIRELY different symptom, and when combined with
> "but I can ping the remote", it means a firewall is involved. Every time.

I tried to clear out the existing firewall on a Debian 9 machine with the commands

  iptables -F
  iptables -X
  iptables -P INPUT ACCEPT
  iptables -P FORWARD ACCEPT
  iptables -P OUTPUT ACCEPT

iptables -L -n --line-numbers reports

  Chain INPUT (policy ACCEPT)
  num  target                    prot opt source       destination
  1    ufw-before-logging-input  all  --  0.0.0.0/0    0.0.0.0/0
  2    ufw-before-input          all  --  0.0.0.0/0    0.0.0.0/0
  3    ufw-after-input           all  --  0.0.0.0/0    0.0.0.0/0
  4    ufw-after-logging-input   all  --  0.0.0.0/0    0.0.0.0/0
  5    ufw-reject-input          all  --  0.0.0.0/0    0.0.0.0/0
  6    ufw-track-input           all  --  0.0.0.0/0    0.0.0.0/0

  ... and so on

I then recycled the Debian 9 machine, power off, power on, for a clean restart,
After the restart, I tried to ssh from Debian 11 to that Debian 9 machine

  rprice@titan ~ ssh -v rprice@kananga
  ssh: connect to host kananga port 22: Connection timed out

So it's something else? Roger
Re: Unable to ssh to Debian 9 from 9 or 11
On Sun, Jul 16, 2023 at 2:27 AM Roger Price wrote:
>
> On Sun, 16 Jul 2023, Intense Red wrote:
>
> > Are you trying to ssh into the box as the root user?
>
> I do not ssh into remote boxes as root; I use ssh to root only within the box.
>
> > If so, remember Debian's ssh configuration stops root from logging in.
>
> In my Debian 9 and 11 boxes I see in /etc/ssh/sshd_config "PermitRootLogin yes"
> by default, and by default local and remote root login is possible.

$ cat /etc/ssh/sshd_config.d/20-no_root_login.conf
PermitRootLogin no

Also see https://wiki.debian.org/SSH .

Jeff
Re: Unable to ssh to Debian 9 from 9 or 11
On Sun, 16 Jul 2023, Intense Red wrote:

> Are you trying to ssh into the box as the root user?

I do not ssh into remote boxes as root; I use ssh to root only within the box.

> If so, remember Debian's ssh configuration stops root from logging in.

In my Debian 9 and 11 boxes I see in /etc/ssh/sshd_config "PermitRootLogin yes" by default, and by default local and remote root login is possible.

Roger
Re: Unable to ssh to Debian 9 from 9 or 11
On Sun, Jul 16, 2023 at 12:47:43AM -0500, Intense Red wrote:
> Are you trying to ssh into the box as the root user? If so, remember
> Debian's ssh configuration stops root from logging in.

The ssh -v tells another story: the port isn't even open. If this were root being rejected, it would connect and progress up to the authentication dialog.

So this one is ruled out.

Cheers
--
t
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, Jul 15, 2023 at 10:32:11PM +0200, Roger Price wrote:
> On Sat, 15 Jul 2023, to...@tuxteam.de wrote:
>
> > @Roger: what does "sudo ss -antp" (or "netstat -antp") say? Is sshd
> > listening on 0.0.0.0:22? Then it's firewall, otherwise (not very
> > probable, but hey) it's sshd config.
>
> Here is netstat -antp on one of the Debian 9 machines where I am currently
> logged in locally as root via ssh.
>
> Active Internet connections (servers and established)
> Proto Recv-Q Send-Q Local Address      Foreign Address    State        PID/Program name
> tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN       521/sshd
> tcp        0      0 127.0.0.1:631      0.0.0.0:*          LISTEN       4578/cupsd
> tcp        0      0 127.0.0.1:22       127.0.0.1:50124    ESTABLISHED  2905/sshd: root@pts
> tcp        0      0 127.0.0.1:50124    127.0.0.1:22       ESTABLISHED  2903/ssh

Then (and as Greg wrote elsewhere in this thread, there were other strong indicators) it is definitely a firewall blocking port 22.

One of those two (or both), "nft list ruleset" or "iptables -L" (both to be run as root) might shed light on that.

Of course, once you have found out that there is a rule, you'll want to find out what is setting it (there are many packages which ease setting up firewall rules, like ufw, firewalld...: I have lost count of those; hopefully someone else can chime in here).

Cheers
--
t
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, 15 Jul 2023, to...@tuxteam.de wrote:

> @Roger: what does "sudo ss -antp" (or "netstat -antp") say? Is sshd
> listening on 0.0.0.0:22? Then it's firewall, otherwise (not very
> probable, but hey) it's sshd config.

Here is netstat -antp on one of the Debian 9 machines where I am currently logged in locally as root via ssh.

Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address      Foreign Address    State        PID/Program name
tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN       521/sshd
tcp        0      0 127.0.0.1:631      0.0.0.0:*          LISTEN       4578/cupsd
tcp        0      0 127.0.0.1:22       127.0.0.1:50124    ESTABLISHED  2905/sshd: root@pts
tcp        0      0 127.0.0.1:50124    127.0.0.1:22       ESTABLISHED  2903/ssh

Roger
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, Jul 15, 2023 at 11:12:23AM -0400, Greg Wooledge wrote:
> On Sat, Jul 15, 2023 at 11:59:33AM +0200, Roger Price wrote:
> > rprice@kananga:~$ ssh -v rprice@maria
> > OpenSSH_7.4p1 Debian-10+deb9u2, OpenSSL 1.0.2l 25 May 2017
> > debug1: Reading configuration data /etc/ssh/ssh_config
> > debug1: /etc/ssh/ssh_config line 19: Applying options for *
> > debug1: Connecting to maria [192.168.1.13] port 22.
> > debug1: connect to address 192.168.1.13 port 22: Connection timed out
> > ssh: connect to host maria port 22: Connection timed out
>
> On Sat, Jul 15, 2023 at 07:31:51AM -0400, Timothy M Butterworth wrote:
> > It sounds like the problem is either the firewall or the SSH Server not
> > running.
>
> If the ssh server were not running, the error would be "connection
> refused", and it would be immediate.

Yes.

Cheers
--
t
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, Jul 15, 2023 at 07:31:51AM -0400, Timothy M Butterworth wrote:
> On Sat, Jul 15, 2023 at 7:23 AM Roger Price wrote:
>
> > On Sat, 15 Jul 2023, Timothy M Butterworth wrote:
> >
> > > On Sat, Jul 15, 2023 at 7:12 AM Roger Price wrote:
> > >
> > > The two debian 9 machines can ssh to themselves.
> > >
> > > Can you SSH from one Debian 9 to the other Debian 9?
> >
> > No. I can ping, but I cannot ssh. The ssh hangs after "Connecting to
> > maria [192.168.1.13] port 22". Roger
>
> It sounds like the problem is either the firewall or the SSH Server not
> running.

Second possibility ruled out, since the boxes can ssh to themselves.

@Roger: what does "sudo ss -antp" (or "netstat -antp") say? Is sshd listening on 0.0.0.0:22? Then it's firewall, otherwise (not very probable, but hey) it's sshd config.

Cheers
--
t
Re: Unable to ssh to Debian 9 from 9 or 11
Greg Wooledge (12023-07-15):
> A timeout is an ENTIRELY different symptom, and when combined with
> "but I can ping the remote", it means a firewall is involved. Every
> time.

It can on occasion be a MTU black hole. But I am nitpicking and you are almost certainly right here.

Regards,

--
Nicolas George
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, Jul 15, 2023 at 11:59:33AM +0200, Roger Price wrote:
> rprice@kananga:~$ ssh -v rprice@maria
> OpenSSH_7.4p1 Debian-10+deb9u2, OpenSSL 1.0.2l 25 May 2017
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: Applying options for *
> debug1: Connecting to maria [192.168.1.13] port 22.
> debug1: connect to address 192.168.1.13 port 22: Connection timed out
> ssh: connect to host maria port 22: Connection timed out

On Sat, Jul 15, 2023 at 07:31:51AM -0400, Timothy M Butterworth wrote:
> It sounds like the problem is either the firewall or the SSH Server not
> running.

If the ssh server were not running, the error would be "connection refused", and it would be immediate.

A timeout is an ENTIRELY different symptom, and when combined with "but I can ping the remote", it means a firewall is involved. Every time.
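
Added example, not part of any message in this thread: the triage reasoning used above (timeout versus refused, combined with the ping result and the listener check) written as a small Python probe. The function names, the verdict labels and the loopback demo are assumptions made for illustration, and the "reject-rule" verdict goes beyond what the thread states.

```python
import errno
import socket

# errno from a failed connect() -> symptom name as used in this thread.
_SYMPTOMS = {
    errno.ECONNREFUSED: "refused",      # a RST came straight back
    errno.ETIMEDOUT: "timeout",         # SYNs were never answered
    errno.EHOSTUNREACH: "unreachable",  # no route, ARP failure or ICMP reject
    errno.ENETUNREACH: "unreachable",
}


def classify_error(exc):
    """Map the exception from a failed TCP connect to a symptom string."""
    if isinstance(exc, socket.timeout):  # our own deadline ran out first
        return "timeout"
    if isinstance(exc, OSError) and exc.errno in _SYMPTOMS:
        return _SYMPTOMS[exc.errno]
    return "error"                       # e.g. name resolution failure


def probe(host, port, timeout=3.0):
    """Try one TCP connect; return open/refused/timeout/unreachable/error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except OSError as exc:
        return classify_error(exc)


def diagnose(symptom, ping_ok, listening):
    """Turn the three observations into the next place to look.

    symptom   -- probe() result, taken from the client
    ping_ok   -- ICMP echo from the client to the target is answered
    listening -- ss/netstat on the target shows the daemon on 0.0.0.0:<port>
    """
    if symptom == "open":
        return "service-layer"   # TCP is fine: look at auth and sshd_config
    if symptom == "refused":
        # Immediate refusal: nothing bound to that address, or (assumption
        # beyond the thread) a filter rule that REJECTs with a TCP reset.
        return "reject-rule" if listening else "no-listener"
    if symptom == "timeout" and ping_ok:
        # Host answers ping but SYNs disappear: something drops them.
        return "packet-filter"
    if symptom in ("timeout", "unreachable"):
        return "network"         # host down, routing or link problem
    return "inconclusive"


def triage(host, ports, ping_ok, listening, timeout=3.0):
    """Probe several ports; returns {port: (symptom, verdict)}."""
    report = {}
    for port in ports:
        symptom = probe(host, port, timeout)
        report[port] = (symptom, diagnose(symptom, ping_ok, listening))
    return report


if __name__ == "__main__":
    # Constructed demo on loopback: a listener, then the same port closed.
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    demo_port = srv.getsockname()[1]
    print(triage("127.0.0.1", [demo_port], ping_ok=True, listening=True))
    srv.close()
    print(triage("127.0.0.1", [demo_port], ping_ok=True, listening=False))
```

Run from the client against the target with the ports in question (22 and 3493 in this thread); a "packet-filter" verdict is the case where listing the rules on the target with "iptables -L -n" or "nft list ruleset" is the next step.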
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, Jul 15, 2023 at 7:23 AM Roger Price wrote:

> On Sat, 15 Jul 2023, Timothy M Butterworth wrote:
>
> > On Sat, Jul 15, 2023 at 7:12 AM Roger Price wrote:
> >
> > The two debian 9 machines can ssh to themselves.
> >
> > Can you SSH from one Debian 9 to the other Debian 9?
>
> No. I can ping, but I cannot ssh. The ssh hangs after "Connecting to
> maria [192.168.1.13] port 22". Roger

It sounds like the problem is either the firewall or the SSH Server not running.

--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, 15 Jul 2023, Timothy M Butterworth wrote:

> On Sat, Jul 15, 2023 at 7:12 AM Roger Price wrote:
> > The two debian 9 machines can ssh to themselves.
>
> Can you SSH from one Debian 9 to the other Debian 9?

No. I can ping, but I cannot ssh. The ssh hangs after "Connecting to maria [192.168.1.13] port 22".

Roger
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, Jul 15, 2023 at 7:12 AM Roger Price wrote:

> On Sat, 15 Jul 2023, to...@tuxteam.de wrote:
> > To sort out the possible things:
> >  - log in to maria
> >  - try "ssh rprice@localhost": what happens?
>
> The two debian 9 machines can ssh to themselves.

Can you SSH from one Debian 9 to the other Debian 9?

> >  - if it works, there's an ssh daemon running on maria;
> >    next to check would be
> >    - is it listening on the external IP address?
> >    - is there any firewall in front of it?
>
> It looks as if I have a firewall problem. Work needed.

--
⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org/
⠈⠳⣄⠀⠀
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, 15 Jul 2023, to...@tuxteam.de wrote:

> To sort out the possible things:
>  - log in to maria
>  - try "ssh rprice@localhost": what happens?

The two debian 9 machines can ssh to themselves.

>  - if it works, there's an ssh daemon running on maria;
>    next to check would be
>    - is it listening on the external IP address?
>    - is there any firewall in front of it?

It looks as if I have a firewall problem. Work needed.
RE: Unable to ssh to Debian 9 from 9 or 11
On Sat, 15 Jul 2023, Ming Kuang wrote:

> Are you using any firewall rules?
> The phenomenon you describe is very much like a firewall blocking
> connections to these ports (you can connect out, can't connect in).

Thanks for the suggestion. The two Debian 9 machines have customising firewall rules set that I can see with iptables -L. Could well be the problem. However I have completely forgotten how and why the rules were set. I have more work to do.

Thanks again, Roger
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, Jul 15, 2023 at 11:59:33AM +0200, Roger Price wrote:
> I have three Debian machines on a 192.168.1/24 WiFi network. One is debian
> 11 and the two others are debian 9. The network is connected, I can ping
> from any machine to any other.
>
> The problem is that I can ssh from the debian 9's to the debian 11, but not
> to any debian 9, although all the machines can ssh to themselves:
>
> Some ascii art for people with fixed width fonts:
>
>   .--OK--->-debian 11--<--OK--.
>   | .<--FAIL titan->--FAIL--. |
>   | |                       | |
>   | v                       v |
>   debian 9  -FAIL--->  debian 9
>   maria     -<---FAIL   kananga
>
> # Debian 9 to debian 11: OK
> rprice@kananga:~$ ssh rprice@titan
> Linux titan 5.10.0-15-amd64 #1 SMP Debian 5.10.120-1 (2022-06-09) x86_64 ...
>
> # Debian 9 to debian 9: FAIL
> rprice@kananga:~$ ssh -v rprice@maria
> OpenSSH_7.4p1 Debian-10+deb9u2, OpenSSL 1.0.2l 25 May 2017
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 19: Applying options for *
> debug1: Connecting to maria [192.168.1.13] port 22.
> debug1: connect to address 192.168.1.13 port 22: Connection timed out
> ssh: connect to host maria port 22: Connection timed out
  ^

[...]

OK. We know routing is OK, we also know there's "no one" listening at port 22 on maria (to the "outside", at least).

To sort out the possible things:

 - log in to maria
 - try "ssh rprice@localhost": what happens?
 - if it works, there's an ssh daemon running on maria;
   next to check would be
   - is it listening on the external IP address?
   - is there any firewall in front of it?
 - if not, get an SSH daemon up and running on maria
   (that's Debian package openssh-server)

Cheers
--
t
Re: Unable to ssh to Debian 9 from 9 or 11
On Sat, 15 Jul 2023, Roger Price wrote:

Sorry, a formatting problem. Let's hope this is clearer

_

The debian 9 machines are listening on ports 22 and 3493:

root@maria ~ netstat -pnlt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State        PID/Program name
tcp        0      0 0.0.0.0:80         0.0.0.0:*          LISTEN       822/apache2
tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN       791/sshd
tcp        0      0 0.0.0.0:3493       0.0.0.0:*          LISTEN       1919/upsd
tcp        0      0 0.0.0.0:873        0.0.0.0:*          LISTEN       666/rsync
Unable to ssh to Debian 9 from 9 or 11
I have three Debian machines on a 192.168.1/24 WiFi network. One is debian 11 and the two others are debian 9. The network is connected, I can ping from any machine to any other.

The problem is that I can ssh from the debian 9's to the debian 11, but not to any debian 9, although all the machines can ssh to themselves:

Some ascii art for people with fixed width fonts:

  .--OK--->-debian 11--<--OK--.
  | .<--FAIL titan->--FAIL--. |
  | |                       | |
  | v                       v |
  debian 9  -FAIL--->  debian 9
  maria     -<---FAIL   kananga

# Debian 9 to debian 11: OK
rprice@kananga:~$ ssh rprice@titan
Linux titan 5.10.0-15-amd64 #1 SMP Debian 5.10.120-1 (2022-06-09) x86_64 ...

# Debian 9 to debian 9: FAIL
rprice@kananga:~$ ssh -v rprice@maria
OpenSSH_7.4p1 Debian-10+deb9u2, OpenSSL 1.0.2l 25 May 2017
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to maria [192.168.1.13] port 22.
debug1: connect to address 192.168.1.13 port 22: Connection timed out
ssh: connect to host maria port 22: Connection timed out

The same problem also exists for port 3493 used for UPS management, with the same pattern of success and failure between the three machines.

# Debian 9 to debian 11: OK
rprice@kananga:~$ upsc Eaton@titan battery.charge
100

# Debian 9 and 11 to debian 9: FAIL
rprice@kananga:~$ upsc Eaton@maria battery.charge
Error: Connection failure: Connection timed out
rprice@titan /mnt/home upsc Eaton@maria battery.charge
Error: Connection failure: Connection timed out

Any hint or suggestion as to what the problem is would be very welcome, Roger

_

The debian 9 machines are listening on ports 22 and 3493:

root@maria ~ netstat -pnlt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address      Foreign Address    State        PID/Program name
tcp        0      0 0.0.0.0:80         0.0.0.0:*          LISTEN       822/apache2
tcp        0      0 0.0.0.0:22         0.0.0.0:*          LISTEN       791/sshd
tcp        0      0 0.0.0.0:3493       0.0.0.0:*          LISTEN       1919/upsd
tcp        0      0 0.0.0.0:873        0.0.0.0:*          LISTEN       666/rsync

Has systemctl enabled the ssh service?

rprice@kananga:~$ systemctl status ssh
● ssh.service - OpenBSD Secure Shell server
   Loaded: loaded (/lib/systemd/system/ssh.service; enabled; vendor preset: enabled)
   Active: active (running) since Fri 2023-07-14 09:35:17 CEST; 3h 45min ago
  Process: 2856 ExecReload=/bin/kill -HUP $MAINPID (code=exited, status=0/SUCCESS)
  Process: 2848 ExecReload=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
  Process: 438 ExecStartPre=/usr/sbin/sshd -t (code=exited, status=0/SUCCESS)
 Main PID: 521 (sshd)
    Tasks: 1 (limit: 4915)
   CGroup: /system.slice/ssh.service
           └─521 /usr/sbin/sshd -D

Jul 14 09:51:09 kananga sshd[521]: Received SIGHUP; restarting.
Jul 14 09:51:09 kananga systemd[1]: Reloaded OpenBSD Secure Shell server.
Jul 14 09:51:09 kananga sshd[521]: Server listening on 0.0.0.0 port 22.
Jul 14 10:10:43 kananga sshd[2905]: Accepted password for root from 127.0.0.1 port 50124 ssh2
Jul 14 10:10:43 kananga sshd[2905]: pam_unix(sshd:session): session opened for user root by (uid=0)

_

What about ssh from non-Debian? I can ssh to debian 11 from a Samsung Galaxy Tab S, but not to any debian 9 box.