The super-unhelpful ssh error Connection closed by UNKNOWN port 65535 can be reported by your ssh client in a few different situations when the remote sshd cannot be reached at all because of something happening "in the middle".
This can be extra-tricky to debug because in some cases the remote sshd has no idea that anyone has ever tried to connect to it.
(Aside: 65535 is a "special" number to computer folks as it is 2^16 - 1, aka 0xFFFF -- the maximum unsigned 16-bit integer (also the max port number).)
Case A -- Interference before sshd
(From @doug's original question) - In this case the remote sshd got the incoming connection and delegated auth down to Linux libraries for PAM (Pluggable Authentication Modules). PAM hands off to KRB5 or SSS and that fails. So all the poor remote sshd gets is a big NOPE from PAM. ...it never got into its "normal" protocol parsing and error checking that would let it return a more helpful error message.
(It's possible that old Kerberos config options like gssapiauthentication might behave similarly)
Similarly, tcp_wrappers (with hosts.allow and hosts.deny files) on the server can "interfere" with the connection before sshd sees it.
Case B -- Firewalls
In our case we saw this when network firewalls prevented connections from the dev/test machines to staging/production machines.
Depending on your network, you might be able to get more diagnostic info with tcping 22 $remote_hostname, or (less helpful): UDP network tests like ping $remote_hostname, traceroute $remote_hostname, or the IPv6 versions of those commands. Your local network engineers can help confirm & fix.
The giveaway in this case is that ssh -vvv $remote_hostname gets to this point:
debug1: identity file /home/ddickinson/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
...pauses for 60s (or whatever timeout), then:
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
Case C -- ProxyCommand
Some kinds of failures of the ProxyCommand that your local ssh delegates to can also fail in unhelpful ways. Check for any "proxy" or "tunnel" related options in the output of:
ssh -G $remote_hostname
Case D -- ControlPath / ControlMaster
(h/t @shockburner) These ssh client config options can be wonderful when they work, but may make debugging more painful when they fail. Check for those values in the output of:
ssh -G $remote_hostname
If Control Path/Master is configured, does the directory exist? Is it writable?
Clean up open ControlPaths:
ssh -O exit $remote_hostname
Look for stray/zombie ControlPaths:
ps -x -o 'pid,command' | grep -E '\bssh:? ' | grep -v grep
kill -s HUP <process id found above>
Delete any stray socket files from ControlPath locations you found above.
(About the grep pattern: a ":" can appear in control-path-ed process names, and the trailing space keeps it from accidentally matching ssh-agent processes.)
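
Added example (not part of the original answer): a small shell filter that automates the Case C and Case D checks by reading ssh -G output and flagging proxy/tunnel options, ControlMaster, and a ControlPath whose directory is missing or not writable. The function name triage_ssh_config, its output labels, and the sample host names are made up for this illustration.

```shell
#!/bin/sh
# Added example: triage `ssh -G` output for the Case C / Case D options.
# Real use: ssh -G "$remote_hostname" | triage_ssh_config
# Assumes ssh -G prints lowercase "keyword value" lines, with the
# ControlPath printed as a usable filesystem path.

triage_ssh_config() {
    while read -r key value; do
        case "$key" in
            proxy*|tunnel)
                # Case C: any proxy/tunnel option that is actually set.
                case "$value" in
                    none|no|false) ;;
                    *) echo "PROXY $key $value" ;;
                esac ;;
            controlmaster)
                # Case D: connection sharing is enabled.
                case "$value" in
                    no|false) ;;
                    *) echo "CONTROL $key $value" ;;
                esac ;;
            controlpath)
                if [ "$value" = "none" ]; then continue; fi
                dir=$(dirname "$value")
                if [ ! -d "$dir" ]; then
                    echo "CONTROLPATH_DIR_MISSING $dir"
                elif [ ! -w "$dir" ]; then
                    echo "CONTROLPATH_DIR_NOT_WRITABLE $dir"
                elif [ -S "$value" ]; then
                    # A live master or a stray socket left behind.
                    echo "CONTROLPATH_SOCKET_PRESENT $value"
                else
                    echo "CONTROLPATH_OK $value"
                fi ;;
        esac
    done
}

# Constructed sample (not captured from a real host).
demo_dir=$(mktemp -d)
printf '%s\n' \
    'hostname staging.example.invalid' \
    'proxycommand nc -X connect -x proxy.example.invalid:3128 %h %p' \
    'controlmaster auto' \
    "controlpath $demo_dir/missing/cm-socket" | triage_ssh_config
rm -rf "$demo_dir"
```

A CONTROLPATH_SOCKET_PRESENT line does not by itself mean the socket is stale; compare it against the ps output above before deleting anything.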