Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: OpenSSH: Dev

ssh_exchange_identification: Connection closed by remote host

  

 
OpenSSH dev RSS feed   Index | Next | Previous | View Threaded


jon at rupture

Mar 16, 2001, 1:44 PM

Post #1 of 10 (11755 views)
Permalink
ssh_exchange_identification: Connection closed by remote host
hello,

i built an ssh 2.5.1p2 package for solaris. it's installed into
/usr/local (with sysconfdir=/etc) on an administrative host with write
access to /usr/local. other hosts nfs mount /usr/local. i had a
script copy the following files generated from the package install
into each host's /etc directory:

primes ssh_prng_cmds sshd_config ssh_config

then ran ssh-keygen (copied from the install target of the Makefile)
on each machine as well. i can ssh from the administrative host that
actually has the package installed to other hosts, but i cannot ssh
from the clients with nfs mounted /usr/local and copied /etc files.

i don't see any errors in the logs on the remote host - anyone see
what i'm doing wrong?


pluto# which ssh
/usr/local/bin/ssh
pluto# ssh -V
OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
pluto# ssh jnathan [at] examplehos
ssh_exchange_identification: Connection closed by remote host
pluto# ssh -v -v -v jnathan [at] atlsnlb
OpenSSH_2.5.1p2, SSH protocols 1.5/2.0, OpenSSL 0x0090600f
debug: Reading configuration data /etc/ssh_config
debug: Rhosts Authentication disabled, originating port will not be
trusted.
debug: ssh_connect: getuid 0 geteuid 2 anon 1
debug: Connecting to atlsnlb1 [10.8.17.100] port 22.
debug: Connection established.
debug: identity file //.ssh/identity type 3
debug: identity file //.ssh/id_dsa type 3
ssh_exchange_identification: Connection closed by remote host
debug: Calling cleanup 0x45580(0x0)
debug: Calling cleanup 0x4b318(0x0)
debug: writing PRNG seed to file //.ssh/prng_seed
pluto#
pluto# uname -a
SunOS pluto 5.7 Generic_106541-14 sun4u sparc SUNW,Ultra-4
pluto# ls -al /etc/ssh*
-rw-r--r-- 1 root other 1085 Mar 16 16:16 /etc/ssh_config
-rw------- 1 root other 668 Mar 16 15:44
/etc/ssh_host_dsa_key
-rw-r--r-- 1 root other 600 Mar 16 15:44
/etc/ssh_host_dsa_key.pub
-rw------- 1 root other 525 Mar 16 15:43
/etc/ssh_host_key
-rw-r--r-- 1 root other 329 Mar 16 15:44
/etc/ssh_host_key.pub
-rw------- 1 root other 883 Mar 16 15:44
/etc/ssh_host_rsa_key
-rw-r--r-- 1 root other 220 Mar 16 15:44
/etc/ssh_host_rsa_key.pub
-rw-r--r-- 1 root other 1770 Mar 16 16:16
/etc/ssh_prng_cmds
-rw-r--r-- 1 root other 6 Mar 16 16:21 /etc/sshd.pid
-rw-r--r-- 1 root other 1432 Mar 16 16:16 /etc/sshd_config
pluto#

pluto#


thanks,
-jon

--
Jon Nathan
jon [at] rupture
http://www.rupture.net/~jon/


sxw at dcs

Mar 16, 2001, 4:57 PM

Post #2 of 10 (11646 views)
Permalink
Re: ssh_exchange_identification: Connection closed by remote host [In reply to]
> hello,
>
> i built an ssh 2.5.1p2 package for solaris.

Did you build with tcpwrappers enabled? - I've seen this error when trying
to ssh to a host that I wasn't in the hosts.allow file for.

If tcpwrappers is enabled, you'll need to add the sshd service to that
machine's hosts.allow file.

Cheers,

Simon.


alfred.hovdestad at usask

Aug 11, 2003, 10:28 AM

Post #3 of 10 (11646 views)
Permalink
Re: ssh_exchange_identification: Connection closed by remote host [In reply to]
Earlier, it was said:

chkbrian wrote:
>> I encountered the following problem while I typing "ssh -v
>><host_name>"
>>[snip]
>> ssh_exchange_identification: Connection closed by remote host

>You should specify your platform and OpenSSH version, but this is
> almost certainly due to tcpwrappers configuration.
>
>Add the following line to hosts.allow:
>sshd: ALL
>
>It may be in /etc or /usr/local/etc.
>
>Alternatively you could rebuild sshd without "--with-tcp-wrappers".



I think I am experiencing the same problem. I found the following error
in my logs:

Cannot release PAM authentication

I found a report from October 2002 with a similar problem. The solution
there was to re-create the user accounts. I tried adding an account to
my server and I can ssh to the new account, but not to my existing account.

I am running RedHat 9.0 with openssh 3.5. I have tried connecting from
a RedHat 8.0 box running openshh 3.4 and a tru64 box also with openssh
3.4, with the same results: I can login to the new account, but not to
my existing account.

The problem is not with tcp wrappers, as I can login to one account, but
not another. I have tried deleting my ssh keys, my host keys, and
rebooting my system, none of which has made any difference.

Is there anything else I can check? I can send any log information that
you need.

Alfred Hovdestad
System Administrator
University of Saskatchewan


chkbrian at hongkong

Aug 11, 2003, 6:37 PM

Post #4 of 10 (11635 views)
Permalink
Re: ssh_exchange_identification: Connection closed by remote host [In reply to]
The problem was occurred due to incorrect setting of hosts.allow for tcpwrapper. We have two interface with different Ip address. Only one interface/ ip address was granted access right via hosts.allow.

However, always while we want to ssh to hkmauat, the interface/ip address not in hosts.allow was used. So the access was not successful. If the granted interface/ip address was in used, the access was okay. So, the problem is not occurred sometime.

Now, we have modify the hosts.allow in hkmauat to include two interface/ip address and the problem is resolved.

Thanks.


-----Original message-----
From:Darren Tucker <dtucker [at] zip>
To:chkbrian [at] hongkong
Cc:openssh-unix-dev [at] mindrot
Date:Wed, 06 Aug 2003 17:33:44 +1000
Subject:Re: ssh_exchange_identification: Connection closed by remote host

chkbrian wrote:
> I encountered the following problem while I typing "ssh -v <host_name>"
[snip]
> ssh_exchange_identification: Connection closed by remote host

You should specify your platform and OpenSSH version, but this is almost
certainly due to tcpwrappers configuration.

Add the following line to hosts.allow:
sshd: ALL

It may be in /etc or /usr/local/etc.

Alternatively you could rebuild sshd without "--with-tcp-wrappers".

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


dtucker at zip

Aug 11, 2003, 11:40 PM

Post #5 of 10 (11642 views)
Permalink
Re: ssh_exchange_identification: Connection closed by remote host [In reply to]
Alfred Hovdestad wrote:
> I am running RedHat 9.0 with openssh 3.5. I have tried connecting from
> a RedHat 8.0 box running openshh 3.4 and a tru64 box also with openssh
> 3.4, with the same results: I can login to the new account, but not to
> my existing account.

Perhaps your password are expiring?

> The problem is not with tcp wrappers, as I can login to one account, but
> not another. I have tried deleting my ssh keys, my host keys, and
> rebooting my system, none of which has made any difference.
>
> Is there anything else I can check? I can send any log information that
> you need.

Yes, you need to post the *server* side debugging, ie:

/path/to/sshd -ddd -p 2022

then in another window:

ssh -p 2022 servername

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


alfred.hovdestad at usask

Aug 13, 2003, 8:45 AM

Post #6 of 10 (11636 views)
Permalink
Re: ssh_exchange_identification: Connection closed by remote host [In reply to]
There appears to be a problem interacting with our kerberos server. We
are using PAM with Kerberos authentication. Everything was working with
the previous version of openssh, but logins with the latest version of
openssh started failing.

I tried turning off kerberos authentication in PAM, and that worked. I
then tried pointing to a test kerberos server, and that also worked.
The only difference is that our main kerberos server is a Windows Domain
Controller, and our test kerberos server is a Sun.

I don't know how the interaction between openssh and kerberos changed in
the current version, but I have a workaround. If you would like a dump
of the logs, please let me know.

Alfred Hovdestad


Darren Tucker wrote:
> Alfred Hovdestad wrote:
>
>>I am running RedHat 9.0 with openssh 3.5. I have tried connecting from
>>a RedHat 8.0 box running openshh 3.4 and a tru64 box also with openssh
>>3.4, with the same results: I can login to the new account, but not to
>>my existing account.
>
>
> Perhaps your password are expiring?
>
>
>>The problem is not with tcp wrappers, as I can login to one account, but
>>not another. I have tried deleting my ssh keys, my host keys, and
>>rebooting my system, none of which has made any difference.
>>
>>Is there anything else I can check? I can send any log information that
>>you need.
>
>
> Yes, you need to post the *server* side debugging, ie:
>
> /path/to/sshd -ddd -p 2022
>
> then in another window:
>
> ssh -p 2022 servername
>


alfred.hovdestad at usask

Sep 6, 2003, 1:13 PM

Post #7 of 10 (11631 views)
Permalink
Re: ssh_exchange_identification: Connection closed by remote host [In reply to]
This has taken far too long to get to you, and I apologize for that.

There are four attachments included:

client.working
client.notworking
server.working
server.notworking

I am running RedHat 9.0 on both systems with all of the latest patches
from RedHat. The current rpm for openssh is openssh-3.5p1-6.9. I have
PAM configured to use kerberos for password authentication. The only
difference in the two scenarios is the Kerberos server. We have a two
kerberos servers, one a Windows Domain Controller and the other a Sun.

If I use the Windows DC for Kerberos authentication, I can login at the
console, I can generate a kerberos ticket (kinit), but I cannot login
with ssh.

If I use the Sun for kerberos authentication, I can login at the
console, I can generate a kerberos ticket (kinit), and I can login with ssh.

If I downgrade to the previous rpm from RedHat (openssh-3.5p1-6), I can
login with ssh to the server. If it would help, I can also generate the
log file for the previous version.

If you require more information, please let me know.

Alfred Hovdestad
System Administrator
University of Saskatchewan
RHCE: 807200142604340


Darren Tucker wrote:
> Alfred Hovdestad wrote:
>
>>I am running RedHat 9.0 with openssh 3.5. I have tried connecting from
>>a RedHat 8.0 box running openshh 3.4 and a tru64 box also with openssh
>>3.4, with the same results: I can login to the new account, but not to
>>my existing account.
>
>
> Perhaps your password are expiring?
>
>
>>The problem is not with tcp wrappers, as I can login to one account, but
>>not another. I have tried deleting my ssh keys, my host keys, and
>>rebooting my system, none of which has made any difference.
>>
>>Is there anything else I can check? I can send any log information that
>>you need.
>
>
> Yes, you need to post the *server* side debugging, ie:
>
> /path/to/sshd -ddd -p 2022
>
> then in another window:
>
> ssh -p 2022 servername
>
Attachments: client.working (0.66 KB)
  client.notworking (21 B)
  server.working (14.8 KB)
  server.notworking (5.80 KB)


dtucker at zip

Sep 6, 2003, 4:28 PM

Post #8 of 10 (11640 views)
Permalink
Re: ssh_exchange_identification: Connection closed by remote host [In reply to]
Alfred Hovdestad wrote:
[snip]
> I am running RedHat 9.0 on both systems with all of the latest patches
> from RedHat. The current rpm for openssh is openssh-3.5p1-6.9. I have
> PAM configured to use kerberos for password authentication. The only
> difference in the two scenarios is the Kerberos server. We have a two
> kerberos servers, one a Windows Domain Controller and the other a Sun.
>
> If I use the Windows DC for Kerberos authentication, I can login at the
> console, I can generate a kerberos ticket (kinit), but I cannot login
> with ssh.
>
> If I use the Sun for kerberos authentication, I can login at the
> console, I can generate a kerberos ticket (kinit), and I can login with ssh.
>
> If I downgrade to the previous rpm from RedHat (openssh-3.5p1-6), I can
> login with ssh to the server. If it would help, I can also generate the
> log file for the previous version.

It sounds like you need to ask Redhat about this one. Both packages use
the same base OpenSSH version with (presumably) different patches.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


maf at appgate

Feb 14, 2008, 10:55 PM

Post #9 of 10 (11641 views)
Permalink
Re: ssh_exchange_identification: Connection closed by remote host [In reply to]
In my experience this error is typically really a network problem. Try
doing manual telnet to port 22 on the server. This should show you the
server ssh version (i.e. the initial identification) like
"SSH-2.0-OpenSSH_4.3p2 Debian-7ubuntu1"

If it does not then there is your problem.

/MaF
--
Martin Forssen <maf [at] appgate> Development Manager
Phone: +46 31 7744361 AppGate Network Security AB
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


jamie.beverly at yahoo

Sep 1, 2009, 10:24 PM

Post #10 of 10 (9804 views)
Permalink
Re: ssh_exchange_identification: Connection closed by remote host [In reply to]
I frequently see this error when / goes away, e.g. hdd failure.

Sent from my iPhone

On Sep 1, 2009, at 9:36 PM, Tim Rice <tim [at] multitalents> wrote:

On Tue, 1 Sep 2009, petesea [at] bigfoot wrote:

I'm randomly getting the following error on a server from various remote
hosts:

ssh_exchange_identification: Connection closed by remote host

The server is running OpenSSH 4.5p1 w/GSSAPI Key Exchange patch. The hosts
connecting to it should all be using OpenSSH 5.0p1 w/GSSAPI Key Exchange patch
and using gssapi-keyex authentication.

Normally, when I've seen this error, it means access to the SSH port is
blocked by TCP wrappers or something like that, but I'm sure that's not the
case here since /etc/hosts.allow and /etc/hosts.deny haven't changed for quite
some time. Also, the failures are random from many different remote hosts and
I can try a connection from a host right after it's failed and it will work.

I've seen this with DNS failures when my hosts.allow entry is a domain
rather than an IP.

Under what other conditions might I get this error and how can I track down
what's causing it?

--
Tim Rice Multitalents (707) 887-1469
tim [at] multitalents


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

OpenSSH dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.