Can't login anymore: Read from socket failed: Connection reset by peer

Reported by Ralf Hildebrandt on 2011-01-27
This bug affects 26 people
Affects Status Importance Assigned to Milestone
openssh (Debian)
New
Unknown
openssh (Ubuntu)
Critical
Unassigned

Bug Description

After today's update to
1:5.7p1-1ubuntu1
I cannot login to SOME (!) of my servers. Example of a server failing:

~$ ssh -v root@mail
OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/hildeb/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to mail [141.42.202.200] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/.ssh/id_rsa type -1
debug1: identity file /home/hildeb/.ssh/id_rsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/hildeb/.ssh/id_dsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.7p1 Debian-1ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Read from socket failed: Connection reset by peer

There is NOTHING in daemon.log, auth.log or syslog on the server I'm trying to connect to.

Example of a server NOT failing:

$ ssh -v root@netsight
OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/hildeb/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to netsight [10.47.2.222] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/.ssh/id_rsa type -1
debug1: identity file /home/hildeb/.ssh/id_rsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/hildeb/.ssh/id_dsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.7p1 Debian-1ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 18:ce:76:c7:7c:f4:98:94:28:8f:62:4a:31:e8:5b:c9
debug1: Host 'netsight' is known and matches the RSA host key.
debug1: Found key in /home/hildeb/.ssh/known_hosts:56
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/hildeb/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Authentication succeeded (publickey).
Authenticated to netsight ([10.47.2.222]:22).
debug1: channel 0: new [client-session]
debug1: Requesting <email address hidden>
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_MESSAGES = en_US.utf8
debug1: Sending env LANG = de_DE.UTF-8

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: openssh-client 1:5.7p1-1ubuntu1
ProcVersionSignature: Ubuntu 2.6.37-12.26-generic 2.6.37
Uname: Linux 2.6.37-12-generic x86_64
Architecture: amd64
Date: Thu Jan 27 09:13:15 2011
ProcEnviron:
 LANGUAGE=en_US:en
 LANG=de_DE.UTF-8
 LC_MESSAGES=en_US.utf8
 SHELL=/bin/bash
RelatedPackageVersions:
 ssh-askpass N/A
 libpam-ssh N/A
 keychain N/A
 ssh-askpass-gnome 1:5.7p1-1ubuntu1
SSHClientVersion: OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
SourcePackage: openssh

Can you:

  * try with 'ssh -vvv' for both these machines and post both outputs

  * on the failing machine, bring up a server with '/usr/sbin/sshd -ddd'
    (on a spare port if you can't stop the main server) and post the
    output from when you attempt to connect to it

Thanks!

James Page (james-page) on 2011-01-27
Changed in openssh (Ubuntu):
status: New → Incomplete

$ ssh -vvv root@mail
OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/hildeb/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to mail [141.42.202.200] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/.ssh/id_rsa type -1
debug1: identity file /home/hildeb/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/hildeb/.ssh/id_dsa" as a RSA1 public key
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/hildeb/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/hildeb/.ssh/id_dsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.7p1 Debian-1ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "mail" from file "/home/hildeb/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/hildeb/.ssh/known_hosts:67
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: <email address hidden>,<email address hidden>,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>,ssh-rsa,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<email address hidden>
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-c...


$ ssh -vvv root@netsight
OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/hildeb/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to netsight [10.47.2.222] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/.ssh/id_rsa type -1
debug1: identity file /home/hildeb/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/hildeb/.ssh/id_dsa" as a RSA1 public key
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/hildeb/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/hildeb/.ssh/id_dsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.7p1 Debian-1ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "netsight" from file "/home/hildeb/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/hildeb/.ssh/known_hosts:56
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: <email address hidden>,<email address hidden>,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>,ssh-rsa,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<email address hidden>
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c...


mail:~# /usr/sbin/sshd -p22222 -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 639
debug2: parse_server_config: config /etc/ssh/sshd_config len 639
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2,1
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_key
debug3: /etc/ssh/sshd_config:13 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:14 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:16 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:19 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:20 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:23 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:24 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:27 setting LoginGraceTime 600
debug3: /etc/ssh/sshd_config:28 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:29 setting StrictModes yes
debug3: /etc/ssh/sshd_config:31 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:32 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:36 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:38 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:40 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:45 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:51 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:63 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:64 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:65 setting PrintMotd no
debug3: /etc/ssh/sshd_config:66 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:67 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:73 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:75 setting UsePAM yes
debug1: sshd version OpenSSH_5.5p1 Debian-6
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p22222'
debug1: rexec_argv[2]='-ddd'
debug3: oom_adjust_setup
Set /proc/self/oom_adj from 0 to -17
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22222 on 0.0.0.0.
Server listening on 0.0.0.0 port 22222.
socket: Address family not supported by protocol
Generating 768 bit RSA key.
RSA key generation complete.

*** now I'm trying to log in on port 22222 ***

debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 639
debug...


description: updated
Changed in openssh (Ubuntu):
status: Incomplete → New

Sooo, I found this. All the failing systems have

ii libssl1.0.0 1.0.0c-2 SSL shared libraries

installed (I compiled Postfix against openssl-1.0.0, that's why it's installed), yet their sshd is not linked against libssl1.0.0:

mail:~# ldd /usr/sbin/sshd
 linux-gate.so.1 => (0xb774f000)
 libwrap.so.0 => /lib/libwrap.so.0 (0xb76c2000)
 libpam.so.0 => /lib/libpam.so.0 (0xb76b6000)
 libselinux.so.1 => /lib/libselinux.so.1 (0xb769a000)
 libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7542000)
 libutil.so.1 => /lib/i686/cmov/libutil.so.1 (0xb753e000)
 libz.so.1 => /usr/lib/libz.so.1 (0xb752a000)
 libcrypt.so.1 => /lib/i686/cmov/libcrypt.so.1 (0xb74f8000)
 libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb74c8000)
 libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7416000)
 libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7413000)
 libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb72cd000)
 libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb72b6000)
 libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb72b1000)
 /lib/ld-linux.so.2 (0xb7750000)
 libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb728e000)
 libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb7287000)
 libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb7284000)
 libresolv.so.2 => /lib/i686/cmov/libresolv.so.2 (0xb7270000)
 libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7256000)

The verbose output indicates this immediately before failure:

...
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Read from socket failed: Connection reset by peer

ECDH being elliptical curve diffie hellman -- but one needs openssl-1.0.0 (or at least 0.9.9) for that.
Since sshd is not linked against 1.0.0, it cannot handle ECC (elliptical curve cryptography) at all.

But the real question is: Why is ECC being used if ONE of the two sides doesn't support it?!

But I found that it also fails against a host withOUT openssl-1.0.0:

debug2: kex_parse_kexinit: none,<email address hidden>
debug2: kex_parse_kexinit: none,<email address hidden>
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Read from socket failed: Connection reset by peer


So I ran sshd on the target machine in a debugger:

# gdb /usr/sbin/sshd
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...

warning: The current binary is a PIE (Position Independent Executable), which
GDB does NOT currently support. Most debugger features will fail if used
in this session.

Reading symbols from /usr/sbin/sshd...(no debugging symbols found)...done.
(gdb) set args -dddd -p22222
(gdb) run
Starting program: /usr/sbin/sshd -dddd -p22222
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 637
debug2: parse_server_config: config /etc/ssh/sshd_config len 637
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_key
debug3: /etc/ssh/sshd_config:13 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:14 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:16 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:19 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:20 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:23 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:24 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:27 setting LoginGraceTime 600
debug3: /etc/ssh/sshd_config:28 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:29 setting StrictModes yes
debug3: /etc/ssh/sshd_config:31 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:32 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:36 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:38 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:40 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:45 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:51 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:62 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:63 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:64 setting PrintMotd no
debug3: /etc/ssh/sshd_config:65 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:66 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:72 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:74 setting UsePAM yes
debug1: sshd version OpenSSH_5.5p1 Debian-6
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: private host key: #1 type 1 RSA
debug3: Not a R...


Colin Watson (cjwatson) wrote :

FWIW the OpenSSH configure script indicates that ECC only needs OpenSSL 0.9.8g.

I think this GDB session is probably a red herring due to the way sshd re-execs itself.

* Colin Watson <email address hidden>:
> FWIW the OpenSSH configure script indicates that ECC only needs OpenSSL
> 0.9.8g.
> I think this GDB session is probably a red herring due to the way sshd
> re-execs itself.

Yup.

So what is the problem here? I cannot see any obvious error.

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  <email address hidden> | http://www.charite.de


Repeated login attempts to the same machine yield different results:

$ ssh -vv <email address hidden>
OpenSSH_5.8p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to albatross.python.org [82.94.164.166] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/.ssh/id_rsa type -1
debug1: identity file /home/hildeb/.ssh/id_rsa-cert type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/hildeb/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/hildeb/.ssh/id_dsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer

but a second later:

$ ssh -vv <email address hidden>
OpenSSH_5.8p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to albatross.python.org [82.94.164.166] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/.ssh/id_rsa type -1
debug1: identity file /home/hildeb/.ssh/id_rsa-cert type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/hildeb/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/hildeb/.ssh/id_dsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>,ssh-rsa,<email address hidden>,ecdsa-sha2-...


downgrading openssh-client from 1:5.8p1-1ubuntu1 to 1:5.5p1-4ubuntu5 makes the problem go away.

Oren Held (oren-held) wrote :

Seems to be the same case as
- Debian sid: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=613505
- Arch Linux https://bugs.archlinux.org/task/22897?project=1

I'll try to report it to upstream

Oren Held (oren-held) wrote :

I suspect (but not sure) it's related to https://bugzilla.mindrot.org/show_bug.cgi?id=1858

Oren Held (oren-held) wrote :

I was most probably mistaken in the above assumption. Sorry.

Serge Hallyn (serge-hallyn) wrote :

Marking as confirmed based on the linked debian bug.

Changed in openssh (Ubuntu):
status: New → Confirmed
importance: Undecided → Critical
Serge Hallyn (serge-hallyn) wrote :

Upstream bug posts the following as a solution:

http://hg.mindrot.org/openssh/rev/138961506b91

Note that it implies that removing your ecdsa keys would allow ssh to succeed.

Oren Held (oren-held) wrote :

Serge: I am really not sure this is related to the ecdsa bug. Last time I checked (about a week ago) the bug still existed even in upstream. See the "connection reset by peer" discussions in the mailing list: http://lists.mindrot.org/pipermail/openssh-unix-dev/2011-February/thread.html

In comment #14 I thought it was related and immediately corrected myself.

Oren Held (oren-held) wrote :

Also, I'll re-post the available workarounds as I collected from other reports of this bug:

1. shortening the list of ciphers by adding -c aes128-ctr to the command line
2. adding to ~/.ssh/config: HostKeyAlgorithms <email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss

Colin Watson (cjwatson) wrote :

I agree that that patch can't be relevant. Ralf has HostbasedAuthentication turned off.

Colin Watson (cjwatson) wrote :

On the upstream thread, I wondered if the MTU might be relevant. That would certainly be one explanation for a bug that's apparently sensitive to packet length.
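The packet-length sensitivity raised above and the `-c aes128-ctr` workaround, as an added example that is not part of the original thread or of OpenSSH: it builds and parses an unencrypted SSH_MSG_KEXINIT in the RFC 4253 layout and compares the on-wire size with the full and the shortened cipher list. The algorithm lists are constructed from the names visible in the debug output above, with redacted entries left out; the MAC list is an assumption.

```python
"""Build and parse an unencrypted SSH_MSG_KEXINIT (RFC 4253, sections 6 and 7.1)
to see how the algorithm lists drive the size of the packet on the wire."""
import os
import struct

SSH_MSG_KEXINIT = 20
FIELDS = (
    "kex_algorithms", "server_host_key_algorithms",
    "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
    "languages_client_to_server", "languages_server_to_client",
)

# Constructed sample lists: names copied from the kex_parse_kexinit lines in the
# thread, with the redacted "<email address hidden>" entries left out.
KEX = ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
       "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1",
       "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]
HOSTKEY = ["ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
           "ssh-rsa", "ssh-dss"]
CIPHERS = ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256", "arcfour128",
           "aes128-cbc", "3des-cbc", "blowfish-cbc", "cast128-cbc", "aes192-cbc",
           "aes256-cbc", "arcfour"]
MACS = ["hmac-md5", "hmac-sha1"]  # assumption: the MAC list is cut off on the page
COMPRESSION = ["none"]


def name_list(names):
    """RFC 4251 name-list: uint32 length, then comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def kexinit_payload(kex, hostkey, ciphers, macs, compression, cookie=None):
    """Message type, 16-byte cookie, ten name-lists, a boolean and a reserved uint32."""
    cookie = os.urandom(16) if cookie is None else cookie
    if len(cookie) != 16:
        raise ValueError("cookie must be 16 bytes")
    parts = [bytes([SSH_MSG_KEXINIT]), cookie, name_list(kex), name_list(hostkey)]
    for algs in (ciphers, macs, compression):
        parts += [name_list(algs), name_list(algs)]  # client->server, server->client
    parts += [name_list([]), name_list([])]          # languages, both directions
    parts += [b"\x00", struct.pack(">I", 0)]         # first_kex_packet_follows, reserved
    return b"".join(parts)


def frame(payload, block=8):
    """Binary packet framing before encryption starts: total length is a
    multiple of 8 and there are at least 4 bytes of padding."""
    pad = block - ((5 + len(payload)) % block)
    if pad < 4:
        pad += block
    # Padding is random on a real connection; zeros are enough for sizing.
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)


def parse_kexinit(wire):
    """Check the framing and return the ten name-lists as a dict of lists."""
    if len(wire) < 6:
        raise ValueError("packet too short")
    packet_length, pad = struct.unpack(">IB", wire[:5])
    if packet_length + 4 != len(wire) or pad < 4 or len(wire) % 8:
        raise ValueError("framing does not match RFC 4253 section 6")
    payload = wire[5:len(wire) - pad]
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    offset, fields = 17, {}
    for field in FIELDS:
        if offset + 4 > len(payload):
            raise ValueError("payload ends inside a name-list length")
        (size,) = struct.unpack_from(">I", payload, offset)
        offset += 4
        if offset + size > len(payload):
            raise ValueError("name-list overruns the payload")
        raw = payload[offset:offset + size].decode("ascii")
        fields[field] = raw.split(",") if raw else []
        offset += size
    if len(payload) - offset != 5:
        raise ValueError("unexpected bytes after the name-lists")
    return fields


def kexinit_wire_size(ciphers):
    """On-wire size of the client's KEXINIT for a given cipher list."""
    return len(frame(kexinit_payload(KEX, HOSTKEY, ciphers, MACS, COMPRESSION)))


if __name__ == "__main__":
    print("full cipher list :", kexinit_wire_size(CIPHERS), "bytes")
    print("-c aes128-ctr    :", kexinit_wire_size(["aes128-ctr"]), "bytes")
```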

Changed in openssh (Debian):
status: Unknown → New

* Colin Watson <email address hidden>:
> On the upstream thread, I wondered if the MTU might be relevant. That
> would certainly be one explanation for a bug that's apparently sensitive
> to packet length.

I'm having this problem in the local LAN and via DSL (from home)

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  <email address hidden> | http://www.charite.de

Colin Watson (cjwatson) wrote :

I'm afraid that doesn't answer the question ...

I have the same problem on my Ubuntu (upgraded 10.10 to 11.04).
When I connect with ssh A.B.X.X, there is no problem.
But when I try to connect with ssh A.(B+1).X.X, I get the error "Read from socket failed: Connection reset by peer".

Then I installed putty (apt-get install putty); when I use putty for ssh connections there is no problem.

My temporary solution:

wget http://mirror.pnl.gov/ubuntu//pool/main/o/openssh/openssh-client_5.5p1-4ubuntu5_i386.deb
sudo dpkg -i openssh-client_5.5p1-4ubuntu5_i386.deb

Before:

$ ssh -p 2121 infra@200.57.XX.XX
Read from socket failed: Connection reset by peer

After:

$ ssh -p 2121 infra@200.57.XX.XX
The authenticity of host '[200.57.XX.XX]:2121 ([200.57.XX.XX]:2121)' can't be established.
RSA key fingerprint is 69:b6...............................................................87:01.
Are you sure you want to continue connecting (yes/no)? yes

and ssh works fine.

This is not a solution to this bug, just an option to get ssh working immediately.

In my case it was due to an Intrusion Detection System.
I have exactly the same problem: after the upgrade to 11.04, ssh to the university where I work won't work any more. Both client and server say "connection reset by peer"; limiting the cipher length makes it work. Details are here:

http://schplurtz.free.fr/wiki/envrac/reseau-bizbiz-ssh

Solution :
The Intrusion Detection System detects one of the TCP packets as :

           Malformed Key exchange init Message - SSH protocol violation

and then it sends two reset packets to both the client and server. Each of them then says: "connection reset by peer"

The security man removed the rule on the IDS, and then ssh works again ! magic.

Oren Held (oren-held) wrote :

Schplurtz: can you share what type of IDS it was? From what I hear, it sounds like Cisco equipment.

Hello

The security man answered :

> This is the IDS embedded in a fire check point

So, no Cisco. But what would be different if it were a CISCO, JUNIPER, or ACME? The fact that a third party is analysing and wrongly -- or perhaps too strictly (or even rightly) -- identifying a packet from an openssh>=5.7 client to an openssh<5.7 server as an ssh protocol violation and is resetting the connection seems enough to me. The inconvenience of third parties is that you don't control them. I mean, it seems there's not much that can be done, except, perhaps, packaging an "openssh-client-old".

Schplurtz

Brownout (brownout) wrote :

> But what would be different if it were a CISCO, JUNIPER, or ACME?
The idea is to identify common conditions and reproduce the behavior you described, as with any other bug.
No offense, but your analysis alone is not enough to declare the problem solved.

antrecu (antrecu-yahoo) wrote :

Hi,
I'm experiencing the same issue described here, but what's more weird is that switching ISPs seems to fix my problem when I ssh to my servers. I mean, I have two internet service providers: with service provider A, ssh doesn't work and I get the "Read from socket failed: Connection reset by peer" error; when using internet service provider B, the issue is not present and I can ssh to any server. Let me know if I can run some tests that can fix this bug.

antrecu (antrecu-yahoo) wrote :

I must confirm that it is not an IPS restriction or something, because I can ssh using both ISPs using Windows or putty on Linux or ssh clients on iPhone.

esodan (esodan-gmail) wrote :

I have the same problem with the sourceforge.net service. My machine has a dual boot of Fedora 15 and Ubuntu. On Fedora I can use ssh with no problems, but on Ubuntu 11.10 I can't use ssh. This is my debug output from ssh -vvv:

ssh -vvv -t <email address hidden>
OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to shell.sourceforge.net [216.34.181.119] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/esodan/.ssh/id_rsa" as a RSA1 public key
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/esodan/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/esodan/.ssh/id_rsa-cert type -1
debug1: identity file /home/esodan/.ssh/id_dsa type -1
debug1: identity file /home/esodan/.ssh/id_dsa-cert type -1
debug1: identity file /home/esodan/.ssh/id_ecdsa type -1
debug1: identity file /home/esodan/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "shell.sourceforge.net" from file "/home/esodan/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: <email address hidden>,ecdsa-sha2-nistp384-cert-v01@openss...


Is it possible that the new OpenSSL dropped support for your key encryption?

Can you paste just the first 3 lines of your private key file, with the
BEGIN, Proc-Type and DEK-Info lines?

(Warning, I do not know if this will leak sensitive info, if you are
 unsure, do not paste it).

Also can you try generating a new key and see if that is able to be used?

Excerpts from esodan's message of Thu Oct 20 15:28:11 UTC 2011:
> I have the same problem with sourceforge.net service. My machine have a
> dual boot from Federa 15 and Ubutu. On Fedora I can use ssh with no
> problems but on Ubuntu 11.10 I can't use ssh. This is my debug from ssh
> -vvv:
>

esodan, clint, if it is the same problem, then no need to research it from the beginning.
Check out my post at http://www.held.org.il/blog/2011/05/the-myterious-case-of-broken-ssh-client-connection-reset-by-peer/ , it tries to shed light on what's happening.

esodan (esodan-gmail) wrote :

This is the header of my private key:

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,

After "AES-128-CBC," there's a large hex number. First, what is that number for? Do you require it too?

esodan (esodan-gmail) wrote :

I'm trying to use sourceforge.net ssh server, but my great problem is GIT, I can't pull or push code. I don't know how to collect debug information of git trying to use ssh to connect to git.gnome.org. Any hint?

Paul Hsu (pochun-hsu) wrote :

Hi, when I try to 'git clone' some repository,
I encounter the same problem.
-------------------------------------
git clone <email address hidden>:someone/somerepository.git
Cloning into somerepository...
Read from socket failed: Connection reset by peer
fatal: The remote end hung up unexpectedly
-------------------------------------
Does anyone have a workaround for 'git clone'?

Kacper Z (wobk) wrote :

Anybody have a solution?
debug1: match: OpenSSH_4.7p1 Debian-8ubuntu3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu6
...
SSH2_MSG_KEXINIT sent
Connection closed by 87.X.X.X

David Young (dove-young) wrote :

Workaround found here solved my problem

Shortening the cipher list (‘ssh -c aes256-ctr’)

http://www.held.org.il/blog/2011/05/the-myterious-case-of-broken-ssh-client-connection-reset-by-peer/

GoncaloP (goncalop) wrote :

I'm in the same situation, and shortening the cipher list didn't help. I've tried via terminal with ‘ssh -c aes256-ctr host’ and by editing /etc/ssh/ssh_config, and removing some ciphers off the cipher list. Same result. This bug is now almost a year old. Being critical, I get the feeling it's not having development at all, although it cripples SSH to a halt. Can someone provide a solution for this?

Jerry Quinn (jlquinn) wrote :

ssh -c 3des-cbc host

seems to work around this problem for me for now. +1 to fixing this ASAP?

Jerry Quinn (jlquinn) wrote :

Alternatively, I moved 3des-cbc to the front of the Ciphers list in $HOME/.ssh/config
Will this bite me someday?

Evan Peck (colors) on 2012-01-16
summary: - cannot login anymore: Read from socket failed: Connection reset by peer
+ Can't login anymore: Read from socket failed: Connection reset by peer

Ryan Harper (raharper) wrote :

ssh -c 3des-cbc host also works for me as well. And adding this to my ssh config makes it automatic

Host *
   Ciphers 3des-cbc

btw, this is only a problem through my cisco openconnect VPN. Different VPNs don't have this issue.


I have the same problem here. Only on one remote host:

sylock@sylock-vmware:~$ ssh -vvv XXXXXX
OpenSSH_6.0p1 Debian-3ubuntu1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/sylock/.ssh/config
debug1: /home/sylock/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXXXXX[172.24.6.18] port 22.
debug1: Connection established.
debug1: identity file /home/sylock/.ssh/id_rsa type -1
debug1: identity file /home/sylock/.ssh/id_rsa-cert type -1
debug1: identity file /home/sylock/.ssh/id_dsa type -1
debug1: identity file /home/sylock/.ssh/id_dsa-cert type -1
debug1: identity file /home/sylock/.ssh/id_ecdsa type -1
debug1: identity file /home/sylock/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "fsmal989" from file "/home/sylock/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/sylock/.ssh/known_hosts:269
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: <email address hidden>,<email address hidden>,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>,ssh-rsa,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<email address hidden>
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<email address hidden>
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<email address hidden>,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,<email address hidden>,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<email address hidden>,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,<email address hidden>,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,<email address hidden>,zlib
debug2: kex_parse_kexinit: none,<email address hidden>,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman...


Use dropbear ....

On 21 December 2012 15:27, Nicolas Michel <email address hidden> wrote:

> I have the same problem here. Only on one remote host:
>

Andrew Schulman (andrex) wrote :

Multiple commenters (#19, #43) have posted the workaround. In my ~/ssh/.config I now have

Host *
# Workaround for the dreaded 'connection reset by peer' bug, openssh >=5.7:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

and I no longer see this problem.
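
What the Ciphers workaround changes on the wire: the cipher list is sent twice in the client's SSH_MSG_KEXINIT message (RFC 4253, section 7.1), so a shorter list gives a smaller first key-exchange packet. The script below is an added example, not part of any comment in this thread; it estimates that size from unwrapped ssh -vvv output, and its sample log is constructed from the lists visible in the debug output above with the redacted entries left out, so real sizes are somewhat larger.

```shell
#!/bin/sh
# Added example (not from the thread). Input: unwrapped ssh -vvv output in the
# format printed by the OpenSSH 5.x/6.0 clients quoted above.

# Constructed sample data: lists taken from the visible debug lines, with the
# redacted entries omitted.
DEFAULT_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour"
SHORT_CIPHERS="aes128-ctr,aes192-ctr,aes256-ctr"

# sample_log CIPHERS: print a constructed client log using the given cipher list.
sample_log() {
    macs="hmac-md5,hmac-sha1,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,hmac-sha1-96,hmac-md5-96"
    cat <<EOF
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: ssh-rsa,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: $1
debug2: kex_parse_kexinit: $1
debug2: kex_parse_kexinit: $macs
debug2: kex_parse_kexinit: $macs
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit: none,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
EOF
}

# kexinit_payload: read a log on stdin, print the client KEXINIT payload size.
# Layout: 1 type + 16 cookie + ten name-lists (4-byte length + text) + 1 + 4.
# The first ten kex_parse_kexinit lines are the local proposal; the lines after
# first_kex_follows belong to the server and are ignored.
kexinit_payload() {
    awk '
        /kex_parse_kexinit: first_kex_follows/ { exit }
        /kex_parse_kexinit:/ {
            sub(/^.*kex_parse_kexinit: ?/, ""); sub(/[ \t\r]+$/, "")
            n++; total += length($0)
        }
        END { if (n != 10) exit 1; print 62 + total }
    '
}

# kexinit_wire_size PAYLOAD: bytes on the wire for the unencrypted packet
# (RFC 4253, section 6): 4 length + 1 padding length + payload + padding,
# padded to a multiple of 8 with at least 4 bytes (minimum padding assumed).
kexinit_wire_size() {
    pad=$(( 8 - (5 + $1) % 8 ))
    if [ "$pad" -lt 4 ]; then pad=$(( pad + 8 )); fi
    echo $(( 5 + $1 + pad ))
}

for c in "$DEFAULT_CIPHERS" "$SHORT_CIPHERS"; do
    p=$(sample_log "$c" | kexinit_payload)
    echo "payload=$p wire=$(kexinit_wire_size "$p") ciphers=$c"
done
```

To measure a real client, pipe its own output in instead of the sample: ssh -vvv host 2>&1 | kexinit_payload.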


It's not really an answer, this bug has been around in ssh for a year or so
already ...
dropbear doesn't have this issue or older versions of ssh ... they don't
crash, it should have been fixed by now.

On 21 December 2012 18:44, Andrew Schulman
<email address hidden> wrote:

> Multiple commenters (#19, #43) have posted the workaround. In my
> ~/ssh/.config I now have
>
> Host *
> # Workaround for the dreaded 'connection reset by peer' bug, openssh >=5.7:
> Ciphers aes128-ctr,aes192-ctr,aes256-ctr
>
> and I no longer see this problem.
>

I know the workaround. But we're here on a bug report platform ... I posted to say "hey, the problem is still here in 12.04!"

Best regards,
Nicolas

scuba (scubuntu) wrote :

I've studied the thread and tried the workaround suggestions. The problem persists in 12.04.2!

Regards

SCUBA

scuba (scubuntu) wrote :

Hi,

I've managed to solve the issue... purge openssh-server on server machine, then reinstall -- worked for me.

Regards

SCUBA

Steve Brown (jpgeek) wrote :

Howdy,

I know that in my case, this was definitely an MTU problem, and it exhibits exactly the behavior stated above.

To test this, call
ping -M do -s 1500 <host>
If it goes through, this is probably not your issue. If it does not, try lowering the -s value until it does go through. If the value that you find is lower than the MTU on your interface, this is likely the problem.

The solution would be to change your MTU size on the interface. You can check this with
ifconfig
and set it with
sudo ifconfig <interface> mtu 1000
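
The MTU test described above can be automated. The script below is an added example, not part of the original comment: it binary-searches the largest ping payload that passes with the don't-fragment flag set and converts it to a path MTU. The -s value is the ICMP payload only; the packet on the wire is 28 bytes larger (20-byte IPv4 header plus 8-byte ICMP header), so 1472 is the largest payload that fits a 1500-byte MTU. The function names are chosen here, and Linux iputils ping is assumed.

```shell
#!/bin/sh
# Added example (not from the thread): automate the don't-fragment ping test.
# Assumes Linux iputils ping (-M do) and an IPv4 path.

# probe SIZE HOST: succeeds if one echo with SIZE payload bytes and DF set
# is answered. Redefine this function to exercise the search offline.
probe() {
    ping -M do -c 1 -W 2 -s "$1" "$2" >/dev/null 2>&1
}

# max_payload HOST [HIGH]: print the largest payload in 0..HIGH that passes.
# Fails if even an empty echo is not answered (host down or ICMP filtered),
# because then the test says nothing about the MTU.
max_payload() {
    host=$1 lo=0 hi=${2:-1472}
    probe "$lo" "$host" || return 1
    while [ "$lo" -lt "$hi" ]; do
        mid=$(( (lo + hi + 1) / 2 ))
        if probe "$mid" "$host"; then lo=$mid; else hi=$(( mid - 1 )); fi
    done
    echo "$lo"
}

# path_mtu HOST: largest payload + 20 bytes IPv4 header + 8 bytes ICMP header.
path_mtu() {
    payload=$(max_payload "$1") || return 1
    echo $(( payload + 28 ))
}

# verdict PATH_MTU IFACE_MTU: is the path narrower than the local interface?
verdict() {
    if [ "$1" -lt "$2" ]; then echo "path-mtu-smaller"; else echo "ok"; fi
}

# Usage: sh mtu_probe.sh <host> <interface>
# Probe the remote server itself; a name that resolves to a loopback address
# only tests the loopback interface.
if [ "$#" -eq 2 ]; then
    pm=$(path_mtu "$1") || { echo "no reply from $1" >&2; exit 1; }
    im=$(cat "/sys/class/net/$2/mtu")
    echo "path MTU to $1: $pm, MTU of $2: $im, result: $(verdict "$pm" "$im")"
fi
```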

Hi

I am facing the same problem. I have tried many things mentioned on the net to solve it, but nothing seems to work.

When I called:

ping -M do -s 1500 ubuntu

This is what I received in output-
PING ubuntu (127.0.1.1) 1500(1528) bytes of data.
1508 bytes from ubuntu (127.0.1.1): icmp_req=1 ttl=64 time=0.052 ms
1508 bytes from ubuntu (127.0.1.1): icmp_req=2 ttl=64 time=0.037 ms
1508 bytes from ubuntu (127.0.1.1): icmp_req=3 ttl=64 time=0.030 ms
1508 bytes from ubuntu (127.0.1.1): icmp_req=4 ttl=64 time=0.039 ms

Command- ssh -c 3des-cbc host
Output- * Documentation: https://help.ubuntu.com/
Last login: Thu Apr 11 22:10:40 2013 from localhost

But when I enter the command-

git clone <email address hidden>:Shondhi/Hello.git

Output is- Cloning into 'Hello'...
Read from socket failed: Connection reset by peer
fatal: The remote end hung up unexpectedly

Kindly, guide me.
