Can't login anymore: Read from socket failed: Connection reset by peer
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
openssh (Debian) | Fix Released | Unknown | |
openssh (Ubuntu) | Invalid | Critical | Unassigned |
Bug Description
After today's update to 1:5.7p1-1ubuntu1 I cannot log in to SOME (!) of my servers. Example of a server failing:
~$ ssh -v root@mail
OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/hildeb/
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to mail [141.42.202.200] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_
debug1: expecting SSH2_MSG_
Read from socket failed: Connection reset by peer
There is NOTHING in daemon.log, auth.log or syslog on the server I'm trying to connect to.
Example of a server NOT failing:
$ ssh -v root@netsight
OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/hildeb/
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to netsight [10.47.2.222] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_
debug1: expecting SSH2_MSG_
debug1: SSH2_MSG_
debug1: expecting SSH2_MSG_
debug1: Server host key: RSA 18:ce:76:
debug1: Host 'netsight' is known and matches the RSA host key.
debug1: Found key in /home/hildeb/
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_
debug1: SSH2_MSG_
debug1: Authentications that can continue: publickey,
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/hildeb/
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Authentication succeeded (publickey).
Authenticated to netsight ([10.47.2.222]:22).
debug1: channel 0: new [client-session]
debug1: Requesting <email address hidden>
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_MESSAGES = en_US.utf8
debug1: Sending env LANG = de_DE.UTF-8
ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: openssh-client 1:5.7p1-1ubuntu1
ProcVersionSign
Uname: Linux 2.6.37-12-generic x86_64
Architecture: amd64
Date: Thu Jan 27 09:13:15 2011
ProcEnviron:
LANGUAGE=en_US:en
LANG=de_DE.UTF-8
LC_MESSAGES=
SHELL=/bin/bash
RelatedPackageV
ssh-askpass N/A
libpam-ssh N/A
keychain N/A
ssh-askpass-gnome 1:5.7p1-1ubuntu1
SSHClientVersion: OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
SourcePackage: openssh
Ralf Hildebrandt (ralf-hildebrandt) wrote : | #1 |
Colin Watson (cjwatson) wrote : Re: [Bug 708493] [NEW] cannot login anymore: Read from socket failed: Connection reset by peer | #2 |
Changed in openssh (Ubuntu): | |
status: | New → Incomplete |
Ralf Hildebrandt (ralf-hildebrandt) wrote : Re: cannot login anymore: Read from socket failed: Connection reset by peer | #3 |
$ ssh -vvv root@mail
OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/hildeb/
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to mail [141.42.202.200] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/hildeb/
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "mail" from file "/home/
debug3: load_hostkeys: found key type RSA in file /home/hildeb/
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: <email address hidden>,<email address hidden>,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>
debug2: kex_parse_kexinit: aes128-
debug2: kex_parse_kexinit: aes128-
Ralf Hildebrandt (ralf-hildebrandt) wrote : | #4 |
$ ssh -vvv root@netsight
OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/hildeb/
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to netsight [10.47.2.222] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/hildeb/
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "netsight" from file "/home/
debug3: load_hostkeys: found key type RSA in file /home/hildeb/
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: <email address hidden>,<email address hidden>,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>
debug2: kex_parse_kexinit: aes128-
debug2: kex_parse_kexinit: aes128-
Ralf Hildebrandt (ralf-hildebrandt) wrote : | #5 |
mail:~# /usr/sbin/sshd -p22222 -ddd
debug2: load_server_config: filename /etc/ssh/
debug2: load_server_config: done config len = 639
debug2: parse_server_
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug1: sshd version OpenSSH_5.5p1 Debian-6
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[
debug1: rexec_argv[
debug1: rexec_argv[
debug3: oom_adjust_setup
Set /proc/self/oom_adj from 0 to -17
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22222 on 0.0.0.0.
Server listening on 0.0.0.0 port 22222.
socket: Address family not supported by protocol
Generating 768 bit RSA key.
RSA key generation complete.
*** now I'm trying to log in on port 22222 ***
debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 639
debug...
description: | updated |
Changed in openssh (Ubuntu): | |
status: | Incomplete → New |
Ralf Hildebrandt (ralf-hildebrandt) wrote : | #6 |
Sooo, I found this. All the failing systems have
ii libssl1.0.0 1.0.0c-2 SSL shared libraries
installed (I compiled Postfix against openssl-1.0.0, that's why it's installed), yet their sshd is not linked against libssl1.0.0:
mail:~# ldd /usr/sbin/sshd
linux-gate.so.1 => (0xb774f000)
libwrap.so.0 => /lib/libwrap.so.0 (0xb76c2000)
libpam.so.0 => /lib/libpam.so.0 (0xb76b6000)
libselinux.so.1 => /lib/libselinux
libcrypto.so.0.9.8 => /usr/lib/
libutil.so.1 => /lib/i686/
libz.so.1 => /usr/lib/libz.so.1 (0xb752a000)
libcrypt.so.1 => /lib/i686/
libgssapi_
libkrb5.so.3 => /usr/lib/
libcom_err.so.2 => /lib/libcom_
libc.so.6 => /lib/i686/
libnsl.so.1 => /lib/i686/
libdl.so.2 => /lib/i686/
/lib/ld-linux.so.2 (0xb7750000)
libk5crypto.so.3 => /usr/lib/
libkrb5support
libkeyutils.so.1 => /lib/libkeyutil
libresolv.so.2 => /lib/i686/
libpthread.so.0 => /lib/i686/
The verbose output indicates this immediately before failure:
...
debug1: sending SSH2_MSG_
debug1: expecting SSH2_MSG_
Read from socket failed: Connection reset by peer
ECDH being elliptical curve Diffie-Hellman -- but one needs openssl-1.0.0 (or at least 0.9.9) for that.
Since sshd is not linked against 1.0.0, it cannot handle ECC (elliptical curve cryptography) at all.
But the real question is: Why is ECC being used if ONE of the two sides doesn't support it?!
Ralf Hildebrandt (ralf-hildebrandt) wrote : | #7 |
But I found that it also fails against a host withOUT openssl-1.0.0:
debug2: kex_parse_kexinit: none,<email address hidden>
debug2: kex_parse_kexinit: none,<email address hidden>
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_
debug1: expecting SSH2_MSG_
Read from socket failed: Connection reset by peer
Ralf Hildebrandt (ralf-hildebrandt) wrote : | #8 |
So I ran sshd on the target machine in a debugger:
# gdb /usr/sbin/sshd
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://
warning: The current binary is a PIE (Position Independent Executable), which
GDB does NOT currently support. Most debugger features will fail if used
in this session.
Reading symbols from /usr/sbin/
(gdb) set args -dddd -p22222
(gdb) run
Starting program: /usr/sbin/sshd -dddd -p22222
debug2: load_server_config: filename /etc/ssh/
debug2: load_server_config: done config len = 637
debug2: parse_server_
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug3: /etc/ssh/
debug1: sshd version OpenSSH_5.5p1 Debian-6
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: private host key: #1 type 1 RSA
debug3: Not a R...
Colin Watson (cjwatson) wrote : | #9 |
FWIW the OpenSSH configure script indicates that ECC only needs OpenSSL 0.9.8g.
I think this GDB session is probably a red herring due to the way sshd re-execs itself.
Ralf Hildebrandt (ralf-hildebrandt) wrote : Re: [Bug 708493] Re: cannot login anymore: Read from socket failed: Connection reset by peer | #10 |
* Colin Watson <email address hidden>:
> FWIW the OpenSSH configure script indicates that ECC only needs OpenSSL
> 0.9.8g.
> I think this GDB session is probably a red herring due to the way sshd
> re-execs itself.
Yup.
So what is the problem here? I cannot see any obvious error.
--
Ralf Hildebrandt
Geschäftsbereich IT | Abteilung Netzwerk
Charité - Universitätsmedizin Berlin
Campus Benjamin Franklin
Hindenburgdamm 30 | D-12203 Berlin
Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
<email address hidden> | http://
Ralf Hildebrandt (ralf-hildebrandt) wrote : Re: cannot login anymore: Read from socket failed: Connection reset by peer | #11 |
Repeated login attempts to the same machine yield different results:
$ ssh -vv <email address hidden>
OpenSSH_5.8p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to albatross.
debug1: Connection established.
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/hildeb/
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer
but a second later:
$ ssh -vv <email address hidden>
OpenSSH_5.8p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to albatross.
debug1: Connection established.
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/hildeb/
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: identity file /home/hildeb/
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>
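The traces in this thread break off at different points of the handshake, which is easier to compare when each one is reduced to the last milestone the client logged. The following Python is an added example, not part of the original thread or of OpenSSH; the sample traces are abridged from lines quoted above, and the stage names are labels chosen for this example.

```python
import re

# Client-side handshake milestones, in the order `ssh -v` logs them.
# The stage names on the left are labels invented for this example.
MILESTONES = [
    ("tcp_connected", re.compile(r"debug1: Connection established\.")),
    ("version_exchanged", re.compile(r"remote software version (.+)$")),
    ("kexinit_sent", re.compile(r"debug1: SSH2_MSG_KEXINIT sent")),
    ("kexinit_received", re.compile(r"debug1: SSH2_MSG_KEXINIT received")),
    ("algorithms_chosen", re.compile(r"debug1: kex: client->server (\S+) (\S+) (\S+)")),
    ("newkeys_received", re.compile(r"debug1: SSH2_MSG_NEWKEYS received")),
    ("authenticated", re.compile(r"debug1: Authentication succeeded")),
]
FAILURES = [
    ("reset_by_peer", re.compile(r"Read from socket failed: Connection reset by peer")),
    ("closed_by_peer", re.compile(r"Connection closed by ")),
]

# Sample input, abridged from traces quoted in the thread.
TRACE_FIRST_REPORT = """\
debug1: Connection established.
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.5p1 Debian-6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
Read from socket failed: Connection reset by peer
"""
TRACE_COMMENT_11 = """\
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer
"""
TRACE_WORKING = """\
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_NEWKEYS received
debug1: Authentication succeeded (publickey).
"""


def triage(trace):
    """Return how far the handshake got and how the connection ended."""
    furthest, server, cipher, failure = -1, None, None, None
    for line in trace.splitlines():
        for index, (name, pattern) in enumerate(MILESTONES):
            match = pattern.search(line)
            if not match:
                continue
            furthest = max(furthest, index)
            if name == "version_exchanged":
                server = match.group(1).strip()
            elif name == "algorithms_chosen":
                cipher = match.group(1)
        if failure is None:
            for name, pattern in FAILURES:
                if pattern.search(line):
                    failure = name
    names = [name for name, _ in MILESTONES]
    last = names[furthest] if furthest >= 0 else None
    pending = furthest + 1 < len(names)
    # Only a failed trace is "waiting" for something.
    waiting = names[furthest + 1] if failure and pending else None
    return {"server": server, "cipher": cipher, "last_stage": last,
            "waiting_for": waiting, "failure": failure}


def stages_by_server(traces):
    """Group failure stages by server banner to spot non-deterministic failures."""
    result = {}
    for trace in traces:
        info = triage(trace)
        if info["failure"]:
            result.setdefault(info["server"], set()).add(info["last_stage"])
    return result


if __name__ == "__main__":
    for label, trace in (("first report", TRACE_FIRST_REPORT),
                         ("comment #11", TRACE_COMMENT_11),
                         ("working host", TRACE_WORKING)):
        print(label, triage(trace))
```
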
Ralf Hildebrandt (ralf-hildebrandt) wrote : | #12 |
downgrading openssh-client from 1:5.8p1-1ubuntu1 to 1:5.5p1-4ubuntu5 makes the problem go away.
Oren Held (oren-held) wrote : | #13 |
Seems to be the same case as
- Debian sid: http://
- Arch Linux https:/
I'll try to report it to upstream.
Oren Held (oren-held) wrote : | #14 |
I suspect (but am not sure) it's related to https:/
Oren Held (oren-held) wrote : | #15 |
I was most probably mistaken in the above assumption. Sorry.
Serge Hallyn (serge-hallyn) wrote : | #16 |
Marking as confirmed based on the linked debian bug.
Changed in openssh (Ubuntu): | |
status: | New → Confirmed |
importance: | Undecided → Critical |
Serge Hallyn (serge-hallyn) wrote : | #17 |
Upstream bug posts the following as a solution:
http://
Note that it implies that removing your ecdsa keys would allow ssh to succeed.
Oren Held (oren-held) wrote : | #18 |
Serge: I am really not sure this is related to the ecdsa bug. Last time I checked (about a week ago) the bug still existed even in upstream. See the "connection reset by peer" discussions on the mailing list: http://
In comment #14 I thought it was related and immediately corrected myself.
Oren Held (oren-held) wrote : | #19 |
Also, I'll re-post the available workarounds as I collected them from other reports of this bug:
1. shortening the list of ciphers by adding -c aes128-ctr to the command line
2. adding to ~/.ssh/config: HostKeyAlgorithms <email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>
Colin Watson (cjwatson) wrote : | #20 |
I agree that that patch can't be relevant. Ralf has HostbasedAuthen
Colin Watson (cjwatson) wrote : | #21 |
On the upstream thread, I wondered if the MTU might be relevant. That would certainly be one explanation for a bug that's apparently sensitive to packet length.
Changed in openssh (Debian): | |
status: | Unknown → New |
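Both workarounds in comment #19 and the packet-length suspicion in comment #21 concern the client's first key-exchange packet. The following Python is an added example, not part of the original thread and not OpenSSH code: it builds and parses an SSH_MSG_KEXINIT as laid out in RFC 4253 and compares its wire size for a full proposal and for shortened ones. The algorithm lists and the `ssh-rsa,ssh-dss` HostKeyAlgorithms value are constructed assumptions, since the thread's own lists are truncated or hidden.

```python
import struct

SSH_MSG_KEXINIT = 20  # message number assigned in RFC 4253

# The ten name-lists of a KEXINIT payload, in wire order (RFC 4253, section 7.1).
# ssh -vv prints one "kex_parse_kexinit:" line for each of them.
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")

# CONSTRUCTED sample proposal: real algorithm names, but assumed lists,
# not copied from the thread (its kex_parse_kexinit lines are truncated).
KEX = ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
       "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
       "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
HOSTKEY = ["ecdsa-sha2-nistp256-cert-v01@openssh.com", "ssh-rsa-cert-v01@openssh.com",
           "ssh-dss-cert-v01@openssh.com", "ecdsa-sha2-nistp256", "ssh-rsa", "ssh-dss"]
CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128",
           "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc",
           "aes256-cbc", "arcfour"]
MACS = ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160",
        "hmac-sha1-96", "hmac-md5-96"]
COMPRESSION = ["none", "zlib@openssh.com", "zlib"]


def name_list(names):
    """Encode an SSH name-list: uint32 length, then comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, ciphers, macs, compression, cookie=bytes(16)):
    """Build a client KEXINIT payload (real clients send a random cookie)."""
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    lists = (kex, hostkey, ciphers, ciphers, macs, macs,
             compression, compression, [], [])
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    payload += b"".join(name_list(names) for names in lists)
    payload += b"\x00"               # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)  # reserved
    return payload


def parse_kexinit(payload):
    """Decode a KEXINIT payload into the fields that ssh -vv prints."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    offset, fields = 17, {}
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (length,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + length > len(payload):
            raise ValueError("truncated name-list")
        raw = payload[offset:offset + length].decode("ascii")
        fields[field] = raw.split(",") if raw else []
        offset += length
    if offset + 5 != len(payload):
        raise ValueError("bad trailer")
    fields["first_kex_follows"] = payload[offset]
    (fields["reserved"],) = struct.unpack_from(">I", payload, offset + 1)
    return fields


def packet_size(payload_len, block_size=8):
    """Wire size of the unencrypted binary packet (RFC 4253, section 6)."""
    # uint32 packet_length + byte padding_length + payload + padding (>= 4 bytes),
    # with the total a multiple of the block size.
    padding = block_size - (5 + payload_len) % block_size
    if padding < 4:
        padding += block_size
    return 5 + payload_len + padding


def compare_workarounds():
    """KEXINIT wire size for the full proposal and for shortened proposals."""
    proposals = {
        "default": (KEX, HOSTKEY, CIPHERS, MACS, COMPRESSION),
        "-c aes128-ctr": (KEX, HOSTKEY, ["aes128-ctr"], MACS, COMPRESSION),
        # Hypothetical value; the thread's HostKeyAlgorithms list is hidden.
        "HostKeyAlgorithms ssh-rsa,ssh-dss":
            (KEX, ["ssh-rsa", "ssh-dss"], CIPHERS, MACS, COMPRESSION),
    }
    return {label: packet_size(len(build_kexinit(*args)))
            for label, args in proposals.items()}


if __name__ == "__main__":
    for label, size in compare_workarounds().items():
        print(f"{label:40s} {size} bytes")
```
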
Ralf Hildebrandt (ralf-hildebrandt) wrote : Re: [Bug 708493] Re: cannot login anymore: Read from socket failed: Connection reset by peer | #22 |
* Colin Watson <email address hidden>:
> On the upstream thread, I wondered if the MTU might be relevant. That
> would certainly be one explanation for a bug that's apparently sensitive
> to packet length.
I'm having this problem in the local LAN and via DSL (from home)
Colin Watson (cjwatson) wrote : | #23 |
I'm afraid that doesn't answer the question ...
mehmet demir (mdemir85) wrote : Re: cannot login anymore: Read from socket failed: Connection reset by peer | #24 |
I have the same problem on my Ubuntu (upgraded 10.10 to 11.04).
When I connect with => ssh A.B.X.X there is no problem,
but when I try to connect to => ssh A.(B+1).X.X, I get the error "Read from socket failed: Connection reset by peer".
Then I installed PuTTY (apt-get install putty); when I use PuTTY for ssh connections there is no problem.
Luis Armando Medina (lamedina) wrote : | #25 |
My temporary solution:
wget http://
sudo dpkg -i openssh-
Before:
$ ssh -p 2121 infra@200.57.XX.XX
Read from socket failed: Connection reset by peer
After:
$ ssh -p 2121 infra@200.57.XX.XX
The authenticity of host '[200.57.
RSA key fingerprint is 69:b6..
Are you sure you want to continue connecting (yes/no)? yes
and ssh works fine.
This is not a solution to this bug, just an option to get ssh working immediately.
Schplurtz le déboulonné (schplurtz) wrote : | #26 |
In my case it was due to an Intrusion Detection System.
I have exactly the same problem: after the upgrade to 11.04, ssh to the university where I work won't work any more. Both client and server say "connection reset by peer"; limiting the cipher length makes it work. Details are here:
http://
Solution:
The Intrusion Detection System detects one of the TCP packets as :
and then it sends two reset packets to both the client and server. Each of them then says: "connection reset by peer".
The security man removed the rule on the IDS, and then ssh works again! Magic.
Oren Held (oren-held) wrote : | #27 |
Schplurtz: can you share what type of IDS it was? From what I hear, it sounds like Cisco equipment.
Schplurtz le déboulonné (schplurtz) wrote : | #28 |
Hello
The security man answered :
> This is the IDS embedded in a fire check point
So, no Cisco. But what would be different if it were a CISCO, JUNIPER, or ACME? The fact that a third party is analysing and wrongly -- or perhaps too strictly (or even rightly) -- identifying a packet from an openssh>=5.7 client to an openssh<5.7 server as an ssh protocol violation and is resetting the connection seems enough to me. The inconvenience of third parties is that you don't control them. I mean, it seems there's not much that can be done, except, perhaps packaging an "openssh-
Schplurtz
Brownout (brownout) wrote : | #29 |
> But what would be different if it were a CISCO, JUNIPER, or ACME?
The idea is to identify common conditions and reproduce the behavior you described, as with any other bug.
No offense, but your analysis alone is not enough to declare the problem solved.
antrecu (antrecu-yahoo) wrote : | #30 |
Hi,
I'm experiencing the same issue described here, but what's more weird is that switching ISPs seems to fix my problem when I ssh to my servers. I mean, I have two internet service providers: with service provider A, ssh doesn't work and I get the "Read from socket failed: Connection reset by peer" error; when using internet service provider B, the issue is not present and I can ssh to any server. Let me know if I can run some tests that can fix this bug.
antrecu (antrecu-yahoo) wrote : | #31 |
I must confirm that it is not an IPS restriction or something, because I can ssh using both ISPs using Windows or PuTTY on Linux or ssh clients on iPhone.
esodan (esodan-gmail) wrote : | #32 |
I have the same problem with the sourceforge.net service. My machine has a dual boot of Fedora 15 and Ubuntu. On Fedora I can use ssh with no problems, but on Ubuntu 11.10 I can't use ssh. This is my debug output from ssh -vvv:
ssh -vvv -t <email address hidden>
OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to shell.sourcefor
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/esodan/
debug1: Checking blacklist file /usr/share/
debug1: Checking blacklist file /etc/ssh/
debug1: identity file /home/esodan/
debug1: identity file /home/esodan/
debug1: identity file /home/esodan/
debug1: identity file /home/esodan/
debug1: identity file /home/esodan/
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "shell.
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-
debug2: kex_parse_kexinit: <email address hidden>
Clint Byrum (clint-fewbar) wrote : Re: [Bug 708493] Re: cannot login anymore: Read from socket failed: Connection reset by peer | #33 |
Is it possible that the new OpenSSL dropped support for your key encryption?
Can you paste just the first 3 lines of your private key file, with the
BEGIN, Proc-Type and DEK-Info lines?
(Warning, I do not know if this will leak sensitive info, if you are
unsure, do not paste it).
Also can you try generating a new key and see if that is able to be used?
Excerpts from esodan's message of Thu Oct 20 15:28:11 UTC 2011:
> I have the same problem with the sourceforge.net service. My machine has a
> dual boot of Fedora 15 and Ubuntu. On Fedora I can use ssh with no
> problems, but on Ubuntu 11.10 I can't use ssh. This is my debug output from ssh
> -vvv:
Oren Held (oren-held) wrote : Re: cannot login anymore: Read from socket failed: Connection reset by peer | #34 |
esodan, clint, if it is the same problem, then no need to research it from the beginning.
Check out my post at http://
esodan (esodan-gmail) wrote : | #35 |
This is the header of my private key:
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,
After "AES-128-CBC," there's a large hex number. First, what is that number for? Do you require it too?
esodan (esodan-gmail) wrote : | #36 |
I'm trying to use sourceforge.net ssh server, but my great problem is GIT, I can't pull or push code. I don't know how to collect debug information of git trying to use ssh to connect to git.gnome.org. Any hint?
Paul Hsu (pochun-hsu) wrote : | #37 |
Hi, when I try to 'git clone' some repository,
I encounter the same problem.
-------
git clone <email address hidden>
Cloning into somerepository...
Read from socket failed: Connection reset by peer
fatal: The remote end hung up unexpectedly
-------
Does anyone have a workaround for 'git clone'?
Kacper Z (wobk) wrote : | #38 |
Does anybody have a solution?
debug1: match: OpenSSH_4.7p1 Debian-8ubuntu3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
...
SSH2_MSG_KEXINIT sent
Connection closed by 87.X.X.X
David Young (dove-young) wrote : | #39 |
The workaround found here solved my problem:
Shortening the cipher list (‘ssh -c aes256-ctr’)
GoncaloP (goncalop) wrote : | #40 |
I'm in the same situation, and shortening the cipher list didn't help. I've tried via terminal with ‘ssh -c aes256-ctr host’ and by editing /etc/ssh/
Jerry Quinn (jlquinn) wrote : | #41 |
ssh -c 3des-cbc host
seems to work around this problem for me for now. +1 to fixing this ASAP?
Jerry Quinn (jlquinn) wrote : | #42 |
Alternatively, I moved 3des-cbc to the front of the Ciphers list in $HOME/.ssh/config
Will this bite me someday?
summary: |
- cannot login anymore: Read from socket failed: Connection reset by peer + Can't login anymore: Read from socket failed: Connection reset by peer |
Ryan Harper (raharper) wrote : | #43 |
ssh -c 3des-cbc host also works for me as well. And adding this to my ssh config makes it automatic
Host *
Ciphers 3des-cbc
btw, this is only a problem through my cisco openconnect VPN. Different VPNs don't have this issue.
Nicolas Michel (nicolas-michel) wrote : | #44 |
I have the same problem here. Only on one remote host:
sylock@
OpenSSH_6.0p1 Debian-3ubuntu1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/sylock/
debug1: /home/sylock/
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXXXXX[172.24.6.18] port 22.
debug1: Connection established.
debug1: identity file /home/sylock/
debug1: identity file /home/sylock/
debug1: identity file /home/sylock/
debug1: identity file /home/sylock/
debug1: identity file /home/sylock/
debug1: identity file /home/sylock/
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "fsmal989" from file "/home/
debug3: load_hostkeys: found key type RSA in file /home/sylock/
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: <email address hidden>,<email address hidden>,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>
debug2: kex_parse_kexinit: aes128-
debug2: kex_parse_kexinit: aes128-
debug2: kex_parse_kexinit: hmac-md5,
debug2: kex_parse_kexinit: hmac-md5,
debug2: kex_parse_kexinit: none,<email address hidden>,zlib
debug2: kex_parse_kexinit: none,<email address hidden>,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-
Gary Salisbury (gary-r-salisbury) wrote : Re: [Bug 708493] Re: Can't login anymore: Read from socket failed: Connection reset by peer | #45 |
Use dropbear ....
On 21 December 2012 15:27, Nicolas Michel <email address hidden> wrote:
> I have the same problem here. Only on one remote host:
Andrew Schulman (andrex) wrote : | #46 |
Multiple commenters (#19, #43) have posted the workaround. In my ~/ssh/.config I now have
Host *
# Workaround for the dreaded 'connection reset by peer' bug, openssh >=5.7:
Ciphers aes128-
and I no longer see this problem.
Gary Salisbury (gary-r-salisbury) wrote : | #47 |
It's not really an answer, this bug has been around in ssh for a year or so
already ...
dropbear doesn't have this issue or older versions of ssh ... they don't
crash , it should have been fixed by now.
On 21 December 2012 18:44, Andrew Schulman
<email address hidden>wrote:
> Multiple commenters (#19, #43) have posted the workaround. In my
> ~/ssh/.config I now have
>
> Host *
> # Workaround for the dreaded 'connection reset by peer' bug, openssh >=5.7:
> Ciphers aes128-
>
> and I no longer see this problem.
Nicolas Michel (nicolas-michel) wrote : | #48 |
I know the workaround. But we're here on a bug report platform ... I posted to say "hey, the problem is still here in 12.04!"
Best regards,
Nicolas
scuba (scubuntu) wrote : | #49 |
I've studied the thread and tried the workaround suggestions. The problem persists in 12.04.2!
Regards
SCUBA
scuba (scubuntu) wrote : | #50 |
Hi,
I've managed to solve the issue... purge openssh-server on server machine, then reinstall -- worked for me.
Regards
SCUBA
Steve Brown (jpgeek) wrote : | #51 |
Howdy,
I know that in my case, this was definitely an MTU problem, and it exhibits exactly the behavior stated above.
to test this, call
ping -M do -s 1500 <host>
If it goes through, this is probably not your issue. If it does not, try lowering the -s value until it does go through. If the value that you find is lower than the MTU on your interface, this is likely the problem.
The solution would be to change your MTU size on the interface. You can check this with
ifconfig
and set it with
sudo ifconfig <interface> mtu 1000
Shondhi Singhal (shondhi-singhal) wrote : | #52 |
Hi
I am facing the same problem. I have tried many mentioned on the net to solve but nothing seems to work.
When I called:
ping -M do -s 1500 ubuntu
This is what I received in output-
PING ubuntu (127.0.1.1) 1500(1528) bytes of data.
1508 bytes from ubuntu (127.0.1.1): icmp_req=1 ttl=64 time=0.052 ms
1508 bytes from ubuntu (127.0.1.1): icmp_req=2 ttl=64 time=0.037 ms
1508 bytes from ubuntu (127.0.1.1): icmp_req=3 ttl=64 time=0.030 ms
1508 bytes from ubuntu (127.0.1.1): icmp_req=4 ttl=64 time=0.039 ms
Command- ssh -c 3des-cbc host
Output- * Documentation: https:/
Last login: Thu Apr 11 22:10:40 2013 from localhost
But when I enter the command-
git clone <email address hidden>
Output is- Cloning into 'Hello'...
Read from socket failed: Connection reset by peer
fatal: The remote end hung up unexpectedly
Kindly, guide me.
Changed in openssh (Ubuntu): | |
assignee: | nobody → Irfan Fauzan (irfan-it2988) |
Srdjan Grubor (sgnn7) wrote : | #53 |
My cases of this bug (though it seems like there are different ones with similar symptoms) happen each time I reset a 14.04 VM to an older state from a hard shutdown. Localhost ssh connections fail as well with same output.
Workaround for me is regenerating the host keys (sudo rm /etc/ssh/host_* && sudo ssh-keygen -A) each time I revert the VM. Changing the cipher/kex does not seem to change the outcome.
I wonder if some junk gets written to the keys in bad shutdowns. I'll see if I can debug the output of the sshd.
Client log below:
$ ssh root@redacted -vvvv
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.56.101 [192.168.56.101] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/
debug1: identity file /home/sg/
debug1: identity file /home/sg/
debug1: identity file /home/sg/
debug1: identity file /home/sg/
debug1: identity file /home/sg/
debug1: identity file /home/sg/
debug1: identity file /home/sg/
debug1: identity file /home/sg/
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6p1 Ubuntu-2ubuntu1
debug1: match: OpenSSH_6.6p1 Ubuntu-2ubuntu1 pat OpenSSH_
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "192.168.56.101" from file "/home/
debug3: load_hostkeys: found key type ECDSA in file /home/sg/
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: <email address hidden>,<email address hidden>,<email address hidden>
debug2: compat_
debug2: Compat: skipping algorithm "<email address hidden>"
debug2: compat_
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer
Srdjan Grubor (sgnn7) wrote : | #56 |
Well, at least in my case, I found that all the sshd host keys were truncated. I'm guessing that the hard shutdown of the VM was the cause but I'm not 100% sure.
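Added example, not part of the comments above and not OpenSSH project code: a structural check that flags empty or truncated sshd private host keys before anyone regenerates them. It only verifies the PEM framing (matching BEGIN and END lines), not the key material. The `ssh_host_*_key` file pattern under `/etc/ssh`, the function names and the sample files are assumptions made for this example.

```shell
#!/bin/sh
# Added example: detect truncated or empty sshd private host key files.

# check_key_file FILE: print ok / empty / no-header / truncated.
# Returns 0 only for "ok". NUL and CR bytes are stripped first so that
# binary junk in a damaged file does not confuse the comparison.
check_key_file() {
    f=$1
    [ -s "$f" ] || { echo empty; return 1; }
    first=$(head -n 1 "$f" | tr -d '\000\r')
    last=$(tr -d '\000\r' < "$f" | awk 'NF { l = $0 } END { print l }')
    case $first in
        "-----BEGIN "*"PRIVATE KEY-----") ;;
        *) echo no-header; return 1 ;;
    esac
    # The END line must carry the same label as the BEGIN line.
    label=${first#"-----BEGIN "}
    label=${label%"-----"}
    if [ "$last" = "-----END $label-----" ]; then
        echo ok
        return 0
    fi
    echo truncated
    return 1
}

# scan_host_keys [DIR]: check every DIR/ssh_host_*_key and print
# "STATUS PATH" per file. Succeeds only if keys exist and all are ok.
scan_host_keys() {
    dir=${1:-/etc/ssh}
    bad=0
    seen=0
    for k in "$dir"/ssh_host_*_key; do
        [ -e "$k" ] || continue
        seen=$((seen + 1))
        st=$(check_key_file "$k") || bad=$((bad + 1))
        echo "$st $k"
    done
    [ "$seen" -gt 0 ] && [ "$bad" -eq 0 ]
}

# make_sample_keys DIR: write three constructed, non-secret sample files
# (one intact, one cut off before its END line, one empty).
make_sample_keys() {
    printf '%s\n' '-----BEGIN OPENSSH PRIVATE KEY-----' \
        'Y29uc3RydWN0ZWQgc2FtcGxl' \
        '-----END OPENSSH PRIVATE KEY-----' > "$1/ssh_host_ed25519_key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Y29uc3RydWN0ZWQ' > "$1/ssh_host_rsa_key"
    : > "$1/ssh_host_ecdsa_key"
}
```

Run `scan_host_keys` as root on the server, since private host keys are readable only by root; any status other than `ok` matches the truncation described above.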
Jeremy Melanson (jmelanson) wrote : | #57 |
I figured out a temporary workaround. Edit your ~/.ssh/config, and add the line:
Ciphers aes128-cbc
I haven't done any real debugging, but there looks like there could be a problem with ciphers bigger than 128-bits. My Cisco devices are complaining about DH length when I use AES192 or AES256. AES128 works fine.
It's not ideal, but it could help for the time-being.
Yrjö Selänne (yselnne) wrote : | #58 |
This has now been bountied :
Good Luck 'Guesy ' and others.
This is just a note of a bounty made and shouldn't change the spirit of fixing bugs. Thank-you.
Brian Morton (rokclimb15) wrote : | #59 |
This worked for me:
ssh -v admin@172.16.3.253 -o KexAlgorithms=
source:
Mike (0x656b694d) wrote : | #60 |
Hello,
Not sure it is the same problem here, but I cannot connect to my machine if I go through NAT.
If I connect directly from LAN everything works, but if I use the external IP, then I get connection reset after debug1: SSH2_MSG_KEXINIT sent.
Client and server is the same machine. I tried to set MTU to 1400 and 400 with no effect, also changed the net.ipv4.tcp_rmem setting and tried different cipher algorithms with no luck.
Linux 3.16.0-31-generic #41-Ubuntu
Ubuntu 14.10
Gary Salisbury (gary-r-salisbury) wrote : | #61 |
Use dbclient ...
On 20 February 2015 at 19:07, Mike <email address hidden> wrote:
> Hello,
> Not sure it is the same problem here, but I cannot connect to my machine
> if go through NAT.
> If I connect directly from LAN everything works, but if I use the external
> IP, then I get connection reset after debug1: SSH2_MSG_KEXINIT sent.
>
> Client and server is the same machine. I tried to set MTU to 1400 and
> 400 with no effect, also changed the net.ipv4.tcp_rmem setting and tried
> different cipher algorithms with no luck.
>
> Linux 3.16.0-31-generic #41-Ubuntu
> Ubuntu 14.10
Mike (0x656b694d) wrote : | #62 |
Thanks, but a specific client is not an option. I need to connect with any
client from different systems. The flow I described is for problem
isolation only. Putty cannot connect either.
On Fri Feb 20 2015 at 18:31:15 Gary Salisbury <email address hidden>
wrote:
> Use dbclient ...
>
> On 20 February 2015 at 19:07, Mike <email address hidden> wrote:
>
> > Hello,
> > Not sure it is the same problem here, but I cannot connect to my machine
> > if go through NAT.
> ...
Gary Salisbury (gary-r-salisbury) wrote : | #63 |
Did this used to work .... ?
This bug is due to a ssh version change ...
Sounds like you may have a firewall issue, if you are trying to connect via
a nated connection for the 1st time.
Use tcpdump on your server ... and analyze the traffic on port 22
Compare the traffic, when you connect locally and then via the nated
connection.
Use the verbose settings of ssh to get more information .... before posting
again ..
On 20 February 2015 at 20:25, Mike <email address hidden> wrote:
> Thanks, but a specific client is not an option. I need to connect with any
> client from different systems. The flow I described is for problem
> isolation only. Putty cannot connect either.
>
> On Fri Feb 20 2015 at 18:31:15 Gary Salisbury <email address hidden>
> wrote:
>
> > Use dbclient ...
> >
> > On 20 February 2015 at 19:07, Mike <email address hidden> wrote:
> >
> > > Hello,
> > > Not sure it is the same problem here, but I cannot connect to my
> machine
> > > if go through NAT.
> > ...
Gary Salisbury (gary-r-salisbury) wrote : | #64 |
Why are you testing a NATED address from the same server ( client and
server ) ?
Do you get the same problem when connecting via the NATED address from the
outside network ... using a different client machine from outside ?
On 20 February 2015 at 20:43, Gary Salisbury <email address hidden>
wrote:
> Did this used to work .... ?
>
> This bug is due to a ssh version change ...
>
> Sounds like you may have a firewall issue, if you are trying to connect
> via a nated connection for the 1st time.
>
> Use tcpdump on your server ... and analyze the traffic on port 22
>
> Compare the traffic, when you connect locally and then via the nated
> connection.
>
> Use the verbose settings of ssh to get more information .... before
> posting again ..
>
> On 20 February 2015 at 20:25, Mike <email address hidden> wrote:
>
>> Thanks, but a specific client is not an option. I need to connect with any
>> client from different systems. The flow I described is for problem
>> isolation only. Putty cannot connect either.
>>
>> On Fri Feb 20 2015 at 18:31:15 Gary Salisbury <email address hidden>
>> wrote:
>>
>> > Use dbclient ...
>> >
>> > On 20 February 2015 at 19:07, Mike <email address hidden> wrote:
>> >
>> > > Hello,
>> > > Not sure it is the same problem here, but I cannot connect to my
>> machine
>> > > if go through NAT.
>> > ...
tags: | added: oneiric precise |
Changed in openssh (Ubuntu): | |
assignee: | Irfan Fauzan (irfan-it2988) → nobody |
status: | Confirmed → Triaged |
Mike (0x656b694d) wrote : | #65 |
Thank you for the suggestions Gary. I realized that my problem is caused by the router firmware. Basically, they introduced loopback blocking and I couldn't connect from the same network even using the external IP.
Gary Salisbury (gary-r-salisbury) wrote : | #66 |
:) ...
In the IT world it takes time to analyze a problem well !!
Congrats ...
Happy Easter !!
On 4 April 2015 at 13:06, Mike <email address hidden> wrote:
> Thank you for the suggestions Gary. I realized that my problem is caused
> by the router firmware. Basically, they introduced loopback blocking and
> I couldn't connect from the same network even using the external IP.
cybernet (cybernet2u) wrote : | #67 |
no resolution ?
Pedro Acácio (pedro-acacio92) wrote : | #68 |
Hi guys.
Without apparent reason, suddenly I wasn't able to make an SSH connection with my production server. When I run ssh -v I get "expecting SSH2_MSG_
I uncommented lines beginning with "Ciphers ......." and "MACs ........".
Thanks!
Changed in openssh (Ubuntu): | |
assignee: | nobody → Divya Shettar (shettar-divya) |
assignee: | Divya Shettar (shettar-divya) → nobody |
Simon Quigley (tsimonq2) wrote : | #69 |
Sorry folks, but as part of the bug clean up ahead of 16.04 LTS I'm marking this as invalid because it affects an Ubuntu release which is now unsupported. If you can still recreate this bug in a supported release please do open a new bug and we can triage it for consideration in the 16.04 LTS development cycle.
Changed in openssh (Ubuntu): | |
status: | Triaged → Invalid |
Changed in openssh (Debian): | |
status: | New → Fix Released |
Can you:
* try with 'ssh -vvv' for both these machines and post both outputs
* on the failing machine, bring up a server with '/usr/sbin/sshd -ddd'
(on a spare port if you can't stop the main server) and post the
output from when you attempt to connect to it
Thanks!
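Added example, not part of the request above and not OpenSSH project code: a helper for comparing client debug logs from a working and a failing host. It reports the furthest handshake milestone each log reached and whether the connection was then reset or closed, which separates a drop right after `SSH2_MSG_KEXINIT sent` from a drop after the algorithms were agreed. The function names and the two sample logs are constructed for this example from debug lines of the kind quoted in this report.

```shell
#!/bin/sh
# Added example: report how far an `ssh -v` session got before it ended.

# last_stage: read `ssh -v` output on stdin and print the furthest
# milestone seen, followed by " reset" if the peer reset or closed the
# connection. Milestones are ranked so line order does not matter.
last_stage() {
    awk '
        function bump(r, name) { if (r > rank) { rank = r; stage = name } }
        /Connection established/     { bump(1, "tcp-connected") }
        /Remote protocol version/    { bump(2, "banner-exchanged") }
        /SSH2_MSG_KEXINIT sent/      { bump(3, "kexinit-sent") }
        /SSH2_MSG_KEXINIT received/  { bump(4, "kexinit-received") }
        /debug1: kex: /              { bump(5, "algorithms-agreed") }
        /Connection reset by peer|Connection closed by/ { reset = 1 }
        END {
            out = (stage == "" ? "none" : stage)
            if (reset) out = out " reset"
            print out
        }
    '
}

# Constructed sample: the reset arrives after cipher and MAC were agreed.
sample_reset_after_kex() {
    cat <<'EOF'
debug1: Connection established.
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.5p1 Debian-6
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
Read from socket failed: Connection reset by peer
EOF
}

# Constructed sample: the reset arrives before the server's KEXINIT.
sample_reset_before_kexinit() {
    cat <<'EOF'
debug1: Connection established.
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6p1 Ubuntu-2ubuntu1
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer
EOF
}
```

Feed it a real log with `ssh -v user@host 2>&1 | last_stage`, since ssh writes its debug lines to stderr.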