Can't login anymore: Read from socket failed: Connection reset by peer

Bug #708493 reported by Ralf Hildebrandt
This bug affects 37 people
Affects           Status        Importance  Assigned to  Milestone
openssh (Debian)  Fix Released  Unknown
openssh (Ubuntu)  Invalid       Critical    Unassigned
Nominated for Precise by Alberto Salvia Novella

Bug Description

After today's update to 1:5.7p1-1ubuntu1 I cannot log in to SOME (!) of my servers. Example of a server failing:

~$ ssh -v root@mail
OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/hildeb/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to mail [141.42.202.200] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/.ssh/id_rsa type -1
debug1: identity file /home/hildeb/.ssh/id_rsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/hildeb/.ssh/id_dsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.7p1 Debian-1ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Read from socket failed: Connection reset by peer

There is NOTHING in daemon.log, auth.log or syslog on the server I'm trying to connect to.

Example of a server NOT failing:

$ ssh -v root@netsight
OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/hildeb/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to netsight [10.47.2.222] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/.ssh/id_rsa type -1
debug1: identity file /home/hildeb/.ssh/id_rsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/hildeb/.ssh/id_dsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.7p1 Debian-1ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: Server host key: RSA 18:ce:76:c7:7c:f4:98:94:28:8f:62:4a:31:e8:5b:c9
debug1: Host 'netsight' is known and matches the RSA host key.
debug1: Found key in /home/hildeb/.ssh/known_hosts:56
debug1: ssh_rsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: publickey
debug1: Offering DSA public key: /home/hildeb/.ssh/id_dsa
debug1: Server accepts key: pkalg ssh-dss blen 433
debug1: Authentication succeeded (publickey).
Authenticated to netsight ([10.47.2.222]:22).
debug1: channel 0: new [client-session]
debug1: Requesting <email address hidden>
debug1: Entering interactive session.
debug1: Sending environment.
debug1: Sending env LC_MESSAGES = en_US.utf8
debug1: Sending env LANG = de_DE.UTF-8

ProblemType: Bug
DistroRelease: Ubuntu 11.04
Package: openssh-client 1:5.7p1-1ubuntu1
ProcVersionSignature: Ubuntu 2.6.37-12.26-generic 2.6.37
Uname: Linux 2.6.37-12-generic x86_64
Architecture: amd64
Date: Thu Jan 27 09:13:15 2011
ProcEnviron:
 LANGUAGE=en_US:en
 LANG=de_DE.UTF-8
 LC_MESSAGES=en_US.utf8
 SHELL=/bin/bash
RelatedPackageVersions:
 ssh-askpass N/A
 libpam-ssh N/A
 keychain N/A
 ssh-askpass-gnome 1:5.7p1-1ubuntu1
SSHClientVersion: OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
SourcePackage: openssh

Colin Watson (cjwatson) wrote : Re: [Bug 708493] [NEW] cannot login anymore: Read from socket failed: Connection reset by peer

Can you:

  * try with 'ssh -vvv' for both these machines and post both outputs

  * on the failing machine, bring up a server with '/usr/sbin/sshd -ddd'
    (on a spare port if you can't stop the main server) and post the
    output from when you attempt to connect to it

Thanks!

James Page (james-page)
Changed in openssh (Ubuntu):
status: New → Incomplete
Ralf Hildebrandt (ralf-hildebrandt) wrote : Re: cannot login anymore: Read from socket failed: Connection reset by peer

$ ssh -vvv root@mail
OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/hildeb/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to mail [141.42.202.200] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/.ssh/id_rsa type -1
debug1: identity file /home/hildeb/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/hildeb/.ssh/id_dsa" as a RSA1 public key
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/hildeb/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/hildeb/.ssh/id_dsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 1.99, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.7p1 Debian-1ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "mail" from file "/home/hildeb/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/hildeb/.ssh/known_hosts:67
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: <email address hidden>,<email address hidden>,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>,ssh-rsa,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<email address hidden>
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-c...


Ralf Hildebrandt (ralf-hildebrandt) wrote :

$ ssh -vvv root@netsight
OpenSSH_5.7p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /home/hildeb/.ssh/config
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to netsight [10.47.2.222] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/.ssh/id_rsa type -1
debug1: identity file /home/hildeb/.ssh/id_rsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/hildeb/.ssh/id_dsa" as a RSA1 public key
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/hildeb/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/hildeb/.ssh/id_dsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.7p1 Debian-1ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "netsight" from file "/home/hildeb/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/hildeb/.ssh/known_hosts:56
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: <email address hidden>,<email address hidden>,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>,ssh-rsa,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<email address hidden>
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,c...


Ralf Hildebrandt (ralf-hildebrandt) wrote :

mail:~# /usr/sbin/sshd -p22222 -ddd
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 639
debug2: parse_server_config: config /etc/ssh/sshd_config len 639
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2,1
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_key
debug3: /etc/ssh/sshd_config:13 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:14 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:16 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:19 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:20 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:23 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:24 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:27 setting LoginGraceTime 600
debug3: /etc/ssh/sshd_config:28 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:29 setting StrictModes yes
debug3: /etc/ssh/sshd_config:31 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:32 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:36 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:38 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:40 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:45 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:51 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:63 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:64 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:65 setting PrintMotd no
debug3: /etc/ssh/sshd_config:66 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:67 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:73 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:75 setting UsePAM yes
debug1: sshd version OpenSSH_5.5p1 Debian-6
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: private host key: #1 type 1 RSA
debug3: Not a RSA1 key file /etc/ssh/ssh_host_dsa_key.
debug1: read PEM private key done: type DSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: private host key: #2 type 2 DSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p22222'
debug1: rexec_argv[2]='-ddd'
debug3: oom_adjust_setup
Set /proc/self/oom_adj from 0 to -17
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 22222 on 0.0.0.0.
Server listening on 0.0.0.0 port 22222.
socket: Address family not supported by protocol
Generating 768 bit RSA key.
RSA key generation complete.

*** now I'm trying to log in on port 22222 ***

debug3: fd 4 is not O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 7 config len 639
debug...


description: updated
Changed in openssh (Ubuntu):
status: Incomplete → New
Ralf Hildebrandt (ralf-hildebrandt) wrote :

Sooo, I found this. All the failing systems have

ii libssl1.0.0 1.0.0c-2 SSL shared libraries

installed (I compiled Postfix against openssl-1.0.0, that's why it's installed), yet their sshd is not linked against libssl1.0.0:

mail:~# ldd /usr/sbin/sshd
 linux-gate.so.1 => (0xb774f000)
 libwrap.so.0 => /lib/libwrap.so.0 (0xb76c2000)
 libpam.so.0 => /lib/libpam.so.0 (0xb76b6000)
 libselinux.so.1 => /lib/libselinux.so.1 (0xb769a000)
 libcrypto.so.0.9.8 => /usr/lib/i686/cmov/libcrypto.so.0.9.8 (0xb7542000)
 libutil.so.1 => /lib/i686/cmov/libutil.so.1 (0xb753e000)
 libz.so.1 => /usr/lib/libz.so.1 (0xb752a000)
 libcrypt.so.1 => /lib/i686/cmov/libcrypt.so.1 (0xb74f8000)
 libgssapi_krb5.so.2 => /usr/lib/libgssapi_krb5.so.2 (0xb74c8000)
 libkrb5.so.3 => /usr/lib/libkrb5.so.3 (0xb7416000)
 libcom_err.so.2 => /lib/libcom_err.so.2 (0xb7413000)
 libc.so.6 => /lib/i686/cmov/libc.so.6 (0xb72cd000)
 libnsl.so.1 => /lib/i686/cmov/libnsl.so.1 (0xb72b6000)
 libdl.so.2 => /lib/i686/cmov/libdl.so.2 (0xb72b1000)
 /lib/ld-linux.so.2 (0xb7750000)
 libk5crypto.so.3 => /usr/lib/libk5crypto.so.3 (0xb728e000)
 libkrb5support.so.0 => /usr/lib/libkrb5support.so.0 (0xb7287000)
 libkeyutils.so.1 => /lib/libkeyutils.so.1 (0xb7284000)
 libresolv.so.2 => /lib/i686/cmov/libresolv.so.2 (0xb7270000)
 libpthread.so.0 => /lib/i686/cmov/libpthread.so.0 (0xb7256000)

The verbose output indicates this immediately before failure:

...
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
Read from socket failed: Connection reset by peer

ECDH being elliptic curve Diffie-Hellman -- but one needs openssl-1.0.0 (or at least 0.9.9) for that.
Since sshd is not linked against 1.0.0, it cannot handle ECC (elliptic curve cryptography) at all.

But the real question is: Why is ECC being used if ONE of the two sides doesn't support it?!

Ralf Hildebrandt (ralf-hildebrandt) wrote :

But I found that it also fails against a host withOUT openssl-1.0.0:

debug2: kex_parse_kexinit: none,<email address hidden>
debug2: kex_parse_kexinit: none,<email address hidden>
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Read from socket failed: Connection reset by peer

Ralf Hildebrandt (ralf-hildebrandt) wrote :

So I ran sshd on the target machine in a debugger:

# gdb /usr/sbin/sshd
GNU gdb (GDB) 7.0.1-debian
Copyright (C) 2009 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...

warning: The current binary is a PIE (Position Independent Executable), which
GDB does NOT currently support. Most debugger features will fail if used
in this session.

Reading symbols from /usr/sbin/sshd...(no debugging symbols found)...done.
(gdb) set args -dddd -p22222
(gdb) run
Starting program: /usr/sbin/sshd -dddd -p22222
debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 637
debug2: parse_server_config: config /etc/ssh/sshd_config len 637
debug3: /etc/ssh/sshd_config:5 setting Port 22
debug3: /etc/ssh/sshd_config:9 setting Protocol 2
debug3: /etc/ssh/sshd_config:11 setting HostKey /etc/ssh/ssh_host_key
debug3: /etc/ssh/sshd_config:13 setting HostKey /etc/ssh/ssh_host_rsa_key
debug3: /etc/ssh/sshd_config:14 setting HostKey /etc/ssh/ssh_host_dsa_key
debug3: /etc/ssh/sshd_config:16 setting UsePrivilegeSeparation yes
debug3: /etc/ssh/sshd_config:19 setting KeyRegenerationInterval 3600
debug3: /etc/ssh/sshd_config:20 setting ServerKeyBits 768
debug3: /etc/ssh/sshd_config:23 setting SyslogFacility AUTH
debug3: /etc/ssh/sshd_config:24 setting LogLevel INFO
debug3: /etc/ssh/sshd_config:27 setting LoginGraceTime 600
debug3: /etc/ssh/sshd_config:28 setting PermitRootLogin yes
debug3: /etc/ssh/sshd_config:29 setting StrictModes yes
debug3: /etc/ssh/sshd_config:31 setting RSAAuthentication yes
debug3: /etc/ssh/sshd_config:32 setting PubkeyAuthentication yes
debug3: /etc/ssh/sshd_config:36 setting IgnoreRhosts yes
debug3: /etc/ssh/sshd_config:38 setting RhostsRSAAuthentication no
debug3: /etc/ssh/sshd_config:40 setting HostbasedAuthentication no
debug3: /etc/ssh/sshd_config:45 setting PermitEmptyPasswords no
debug3: /etc/ssh/sshd_config:51 setting PasswordAuthentication yes
debug3: /etc/ssh/sshd_config:62 setting X11Forwarding yes
debug3: /etc/ssh/sshd_config:63 setting X11DisplayOffset 10
debug3: /etc/ssh/sshd_config:64 setting PrintMotd no
debug3: /etc/ssh/sshd_config:65 setting PrintLastLog yes
debug3: /etc/ssh/sshd_config:66 setting TCPKeepAlive yes
debug3: /etc/ssh/sshd_config:72 setting Subsystem sftp /usr/lib/openssh/sftp-server
debug3: /etc/ssh/sshd_config:74 setting UsePAM yes
debug1: sshd version OpenSSH_5.5p1 Debian-6
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: private host key: #0 type 0 RSA1
debug3: Not a RSA1 key file /etc/ssh/ssh_host_rsa_key.
debug1: read PEM private key done: type RSA
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-1024
debug1: private host key: #1 type 1 RSA
debug3: Not a R...


Colin Watson (cjwatson) wrote :

FWIW the OpenSSH configure script indicates that ECC only needs OpenSSL 0.9.8g.

I think this GDB session is probably a red herring due to the way sshd re-execs itself.

Ralf Hildebrandt (ralf-hildebrandt) wrote : Re: [Bug 708493] Re: cannot login anymore: Read from socket failed: Connection reset by peer

* Colin Watson <email address hidden>:
> FWIW the OpenSSH configure script indicates that ECC only needs OpenSSL
> 0.9.8g.
> I think this GDB session is probably a red herring due to the way sshd
> re-execs itself.

Yup.

So what is the problem here? I cannot see any obvious error.

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  <email address hidden> | http://www.charite.de

Ralf Hildebrandt (ralf-hildebrandt) wrote : Re: cannot login anymore: Read from socket failed: Connection reset by peer

Repeated login attempts to the same machine yield different results:

$ ssh -vv <email address hidden>
OpenSSH_5.8p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to albatross.python.org [82.94.164.166] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/.ssh/id_rsa type -1
debug1: identity file /home/hildeb/.ssh/id_rsa-cert type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/hildeb/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/hildeb/.ssh/id_dsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer

but a second later:

$ ssh -vv <email address hidden>
OpenSSH_5.8p1 Debian-1ubuntu1, OpenSSL 0.9.8o 01 Jun 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to albatross.python.org [82.94.164.166] port 22.
debug1: Connection established.
debug1: identity file /home/hildeb/.ssh/id_rsa type -1
debug1: identity file /home/hildeb/.ssh/id_rsa-cert type -1
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/hildeb/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-1024
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-1024
debug1: identity file /home/hildeb/.ssh/id_dsa-cert type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa type -1
debug1: identity file /home/hildeb/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.5p1 Debian-6
debug1: match: OpenSSH_5.5p1 Debian-6 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-1ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>,ssh-rsa,<email address hidden>,ecdsa-sha2-...


Ralf Hildebrandt (ralf-hildebrandt) wrote :

Downgrading openssh-client from 1:5.8p1-1ubuntu1 to 1:5.5p1-4ubuntu5 makes the problem go away.

Oren Held (oren-held) wrote :

Seems to be the same case as
- Debian sid: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=613505
- Arch Linux: https://bugs.archlinux.org/task/22897?project=1

I'll try to report it upstream.

Oren Held (oren-held) wrote :

I suspect (but not sure) it's related to https://bugzilla.mindrot.org/show_bug.cgi?id=1858

Oren Held (oren-held) wrote :

I was most probably mistaken in the above assumption. Sorry.

Serge Hallyn (serge-hallyn) wrote :

Marking as confirmed based on the linked debian bug.

Changed in openssh (Ubuntu):
status: New → Confirmed
importance: Undecided → Critical
Serge Hallyn (serge-hallyn) wrote :

Upstream bug posts the following as a solution:

http://hg.mindrot.org/openssh/rev/138961506b91

Note that it implies that removing your ecdsa keys would allow ssh to succeed.

Oren Held (oren-held) wrote :

Serge: I am really not sure this is related to the ecdsa bug. Last time I checked (about a week ago) the bug still existed even in upstream. See the "connection reset by peer" discussions in the mailing list: http://lists.mindrot.org/pipermail/openssh-unix-dev/2011-February/thread.html

In comment #14 I thought it was related and immediately corrected myself.

Oren Held (oren-held) wrote :

Also, I'll re-post the available workarounds as I collected them from other reports of this bug:

1. shortening the list of ciphers by adding -c aes128-ctr to the command line
2. adding to ~/.ssh/config: HostKeyAlgorithms <email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss

Colin Watson (cjwatson) wrote :

I agree that that patch can't be relevant. Ralf has HostbasedAuthentication turned off.

Colin Watson (cjwatson) wrote :

On the upstream thread, I wondered if the MTU might be relevant. That would certainly be one explanation for a bug that's apparently sensitive to packet length.

Changed in openssh (Debian):
status: Unknown → New
Ralf Hildebrandt (ralf-hildebrandt) wrote : Re: [Bug 708493] Re: cannot login anymore: Read from socket failed: Connection reset by peer

* Colin Watson <email address hidden>:
> On the upstream thread, I wondered if the MTU might be relevant. That
> would certainly be one explanation for a bug that's apparently sensitive
> to packet length.

I'm having this problem in the local LAN and via DSL (from home).

--
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  <email address hidden> | http://www.charite.de

Colin Watson (cjwatson) wrote :

I'm afraid that doesn't answer the question ...

mehmet demir (mdemir85) wrote : Re: cannot login anymore: Read from socket failed: Connection reset by peer

I have the same problem on my Ubuntu (upgraded 10.10 to 11.04).
When I connect with ssh A.B.X.X there is no problem,
but when I try to connect with ssh A.(B+1).X.X I get the error "Read from socket failed: Connection reset by peer".

Then I installed putty (apt-get install putty); when I use putty for ssh connections there is no problem.

Luis Armando Medina (lamedina) wrote :

My temporary solution:

wget http://mirror.pnl.gov/ubuntu//pool/main/o/openssh/openssh-client_5.5p1-4ubuntu5_i386.deb
sudo dpkg -i openssh-client_5.5p1-4ubuntu5_i386.deb

Before:

$ ssh -p 2121 infra@200.57.XX.XX
Read from socket failed: Connection reset by peer

After:

$ ssh -p 2121 infra@200.57.XX.XX
The authenticity of host '[200.57.XX.XX]:2121 ([200.57.XX.XX]:2121)' can't be established.
RSA key fingerprint is 69:b6...............................................................87:01.
Are you sure you want to continue connecting (yes/no)? yes

and ssh works fine.

This is not a solution to this bug, just an option to get ssh working immediately.

Schplurtz le déboulonné (schplurtz) wrote :

In my case it was due to an Intrusion Detection System.
I have exactly the same problem: after the upgrade to 11.04, ssh to the university where I work won't work any more. Both client and server say "connection reset by peer"; limiting the cipher length makes it work. Details are here:

http://schplurtz.free.fr/wiki/envrac/reseau-bizbiz-ssh

Solution:
The Intrusion Detection System detects one of the TCP packets as:

           Malformed Key exchange init Message - SSH protocol violation

and then it sends two reset packets, to both the client and the server. Each of them then says: "connection reset by peer".

The security man removed the rule on the IDS, and then ssh works again! Magic.
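
Colin's packet-length suspicion, Oren's two workarounds and the IDS verdict "Malformed Key exchange init Message" all turn on the KEXINIT the 5.7 client sends, so here is an added example (mine, not code from this thread or from OpenSSH) that builds and parses SSH_MSG_KEXINIT as RFC 4253 lays it out, using the 5.7 client's lists from the -vvv output above, and measures what each workaround does to the size of that first packet. The certificate type names the page masks as "<email address hidden>", the MAC list and the 5.5-style lists are assumptions.

```python
import os
import struct

SSH_MSG_KEXINIT = 20

# OpenSSH 5.7 client lists. The kex and hostkey order and the cipher list follow
# the kex_parse_kexinit lines in the -vvv output on this page; names the page
# masks as "<email address hidden>" and the MAC list are OpenSSH 5.7 defaults (assumption).
LISTS_57 = {
    "kex": ["ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group-exchange-sha256",
            "diffie-hellman-group-exchange-sha1",
            "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "hostkey": ["ssh-rsa-cert-v01@openssh.com", "ssh-rsa-cert-v00@openssh.com",
                "ssh-rsa", "ecdsa-sha2-nistp256-cert-v01@openssh.com",
                "ecdsa-sha2-nistp384-cert-v01@openssh.com",
                "ecdsa-sha2-nistp521-cert-v01@openssh.com",
                "ssh-dss-cert-v01@openssh.com", "ssh-dss-cert-v00@openssh.com",
                "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
                "ecdsa-sha2-nistp521", "ssh-dss"],
    "cipher": ["aes128-ctr", "aes192-ctr", "aes256-ctr", "arcfour256",
               "arcfour128", "aes128-cbc", "3des-cbc", "blowfish-cbc",
               "cast128-cbc", "aes192-cbc", "aes256-cbc", "arcfour",
               "rijndael-cbc@lysator.liu.se"],
    "mac": ["hmac-md5", "hmac-sha1", "umac-64@openssh.com", "hmac-ripemd160",
            "hmac-ripemd160@openssh.com", "hmac-sha1-96", "hmac-md5-96"],
    "comp": ["none", "zlib@openssh.com"],
}
# A 5.5-style client: the same lists without any ECDH/ECDSA entry (assumption).
LISTS_55 = {k: [n for n in v if "ecd" not in n] for k, v in LISTS_57.items()}

def with_cipher_workaround(lists):
    """Workaround 1 from the thread: 'ssh -c aes128-ctr' offers a single cipher."""
    return dict(lists, cipher=["aes128-ctr"])

def with_hostkey_workaround(lists):
    """Workaround 2 from the thread: a HostKeyAlgorithms line that drops the three
    ECDSA certificate types but keeps plain ECDSA, RSA and DSS."""
    keep = [n for n in lists["hostkey"] if not (n.startswith("ecdsa-") and "-cert-" in n)]
    return dict(lists, hostkey=keep)

def name_list(names):
    """RFC 4253 name-list: uint32 length, then comma-separated ASCII names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data

def build_kexinit(lists, cookie=None):
    """Serialise a KEXINIT payload (RFC 4253 section 7.1). The same cipher, MAC
    and compression lists go out for both directions, as OpenSSH does."""
    cookie = os.urandom(16) if cookie is None else cookie
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    payload += name_list(lists["kex"]) + name_list(lists["hostkey"])
    for key in ("cipher", "mac", "comp"):
        payload += name_list(lists[key]) * 2
    payload += name_list([]) * 2       # languages, client->server and server->client
    payload += b"\x00"                 # first_kex_packet_follows = FALSE
    return payload + struct.pack(">I", 0)   # reserved, must be 0

def parse_kexinit(payload):
    """Decode a KEXINIT payload into its ten name-lists; reject truncation or a
    non-zero reserved field."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    fields = ["kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
              "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c"]
    out, pos = {}, 17                  # skip the message type and 16-byte cookie
    for field in fields:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length for %s" % field)
        (n,) = struct.unpack_from(">I", payload, pos)
        raw = payload[pos + 4:pos + 4 + n]
        if len(raw) != n:
            raise ValueError("truncated name-list %s" % field)
        out[field] = raw.decode("ascii").split(",") if raw else []
        pos += 4 + n
    if pos + 5 != len(payload):
        raise ValueError("bad KEXINIT trailer")
    out["first_kex_packet_follows"] = bool(payload[pos])
    if struct.unpack_from(">I", payload, pos + 1)[0] != 0:
        raise ValueError("reserved field is not zero")
    return out

def binary_packet(payload, block_size=8):
    """Wrap a payload as an RFC 4253 section 6 binary packet: uint32 packet_length,
    byte padding_length, payload, random padding. Before the first NEWKEYS the
    block size is 8 and at least 4 bytes of padding are required."""
    padding = block_size - (5 + len(payload)) % block_size
    if padding < 4:
        padding += block_size
    header = struct.pack(">IB", 1 + len(payload) + padding, padding)
    return header + payload + os.urandom(padding)

def kexinit_wire_size(lists):
    """Bytes on the wire for the client's KEXINIT (no MAC is in force yet)."""
    return len(binary_packet(build_kexinit(lists)))

if __name__ == "__main__":
    cases = [("OpenSSH 5.5-style client", LISTS_55), ("OpenSSH 5.7 client", LISTS_57),
             ("5.7 with -c aes128-ctr", with_cipher_workaround(LISTS_57)),
             ("5.7 with HostKeyAlgorithms workaround", with_hostkey_workaround(LISTS_57))]
    for label, lists in cases:
        print("%-40s %4d bytes" % (label, kexinit_wire_size(lists)))
```

Running it prints the four packet sizes; a KEXINIT payload taken from a capture can be fed to parse_kexinit to confirm it is well-formed before blaming the client.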

Oren Held (oren-held) wrote :

Schplurtz: can you share what type of IDS it was? From what I hear, it sounds like Cisco equipment.

Schplurtz le déboulonné (schplurtz) wrote :

Hello

The security man answered:

> This is the IDS embedded in a fire check point

So, no Cisco. But what would be different if it were a CISCO, JUNIPER, or ACME? The fact that a third party is analysing and wrongly -- or perhaps too strictly (or even rightly) -- identifying a packet from an openssh>=5.7 client to an openssh<5.7 server as an ssh protocol violation and is resetting the connection seems enough to me. The inconvenience of third parties is that you don't control them. I mean, it seems there's not much that can be done, except, perhaps, packaging an "openssh-client-old".

Schplurtz

Brownout (brownout) wrote :

> But what would be different if it were a CISCO, JUNIPER, or ACME?
The idea is to identify common conditions and reproduce the behavior you described, as with any other bug.
No offense, but your analysis alone is not enough to declare the problem solved.

antrecu (antrecu-yahoo) wrote:

Hi,
I'm experiencing the same issue described here, but what's more weird is that switching ISPs seems to fix my problem when I ssh to my servers. I mean, I have two internet service providers: with service provider A, ssh doesn't work and I get the "Read from socket failed: Connection reset by peer" error; when using internet service provider B, the issue is not present and I can ssh to any server. Let me know if I can run some tests that can help fix this bug.

antrecu (antrecu-yahoo) wrote:

I must confirm that it is not an IPS restriction or something, because I can ssh using both ISPs using Windows, or PuTTY on Linux, or ssh clients on iPhone.

esodan (esodan-gmail) wrote:

I have the same problem with the sourceforge.net service. My machine has a dual boot of Fedora 15 and Ubuntu. On Fedora I can use ssh with no problems, but on Ubuntu 11.10 I can't use ssh. This is my debug output from ssh -vvv:

ssh -vvv -t <email address hidden>
OpenSSH_5.8p1 Debian-7ubuntu1, OpenSSL 1.0.0e 6 Sep 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to shell.sourceforge.net [216.34.181.119] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/esodan/.ssh/id_rsa" as a RSA1 public key
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug3: key_read: missing keytype
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug3: key_read: missing keytype
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug3: key_read: missing whitespace
debug2: key_type_from_name: unknown key type '-----END'
debug3: key_read: missing keytype
debug1: identity file /home/esodan/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-2048
debug1: identity file /home/esodan/.ssh/id_rsa-cert type -1
debug1: identity file /home/esodan/.ssh/id_dsa type -1
debug1: identity file /home/esodan/.ssh/id_dsa-cert type -1
debug1: identity file /home/esodan/.ssh/id_ecdsa type -1
debug1: identity file /home/esodan/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.3
debug1: match: OpenSSH_5.3 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1 Debian-7ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "shell.sourceforge.net" from file "/home/esodan/.ssh/known_hosts"
debug3: load_hostkeys: loaded 0 keys
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: <email address hidden>,ecdsa-sha2-nistp384-cert-v01@openss...


Clint Byrum (clint-fewbar) wrote: Re: [Bug 708493] Re: cannot login anymore: Read from socket failed: Connection reset by peer

Is it possible that the new OpenSSL dropped support for your key encryption?

Can you paste just the first 3 lines of your private key file, with the
BEGIN, Proc-Type and DEK-Info lines?

(Warning, I do not know if this will leak sensitive info, if you are
 unsure, do not paste it).

Also can you try generating a new key and see if that is able to be used?

Excerpts from esodan's message of Thu Oct 20 15:28:11 UTC 2011:

Oren Held (oren-held) wrote: Re: cannot login anymore: Read from socket failed: Connection reset by peer

esodan, clint, if it is the same problem, then no need to research it from the beginning.
Check out my post at http://www.held.org.il/blog/2011/05/the-myterious-case-of-broken-ssh-client-connection-reset-by-peer/ , it tries to shed light on what's happening.

esodan (esodan-gmail) wrote:

This is the header of my private key:

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,

After "AES-128-CBC," there's a large hex number. First, what is that number for? Do you require it too?

esodan (esodan-gmail) wrote:

I'm trying to use the sourceforge.net ssh server, but my big problem is git: I can't pull or push code. I don't know how to collect debug information from git trying to use ssh to connect to git.gnome.org. Any hint?

Paul Hsu (pochun-hsu) wrote:

Hi, when I try to 'git clone' some repository,
I encounter the same problem.
-------------------------------------
git clone <email address hidden>:someone/somerepository.git
Cloning into somerepository...
Read from socket failed: Connection reset by peer
fatal: The remote end hung up unexpectedly
-------------------------------------
Does anyone have a workaround for 'git clone'?

Kacper Z (wobk) wrote:

Does anybody have a solution?
debug1: match: OpenSSH_4.7p1 Debian-8ubuntu3 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.5p1 Debian-4ubuntu6
...
SSH2_MSG_KEXINIT sent
Connection closed by 87.X.X.X

David Young (dove-young) wrote:

The workaround found here solved my problem:

Shortening the cipher list (‘ssh -c aes256-ctr’)

http://www.held.org.il/blog/2011/05/the-myterious-case-of-broken-ssh-client-connection-reset-by-peer/

GoncaloP (goncalop) wrote:

I'm in the same situation, and shortening the cipher list didn't help. I've tried via terminal with ‘ssh -c aes256-ctr host’ and by editing /etc/ssh/ssh_config, and removing some ciphers off the cipher list. Same result. This bug is now almost a year old. Being critical, I get the feeling it's not having development at all, although it cripples SSH to a halt. Can someone provide a solution for this?

Jerry Quinn (jlquinn) wrote:

ssh -c 3des-cbc host

seems to work around this problem for me for now. +1 to fixing this ASAP?

Jerry Quinn (jlquinn) wrote:

Alternatively, I moved 3des-cbc to the front of the Ciphers list in $HOME/.ssh/config
Will this bite me someday?

Evan Peck (colors)
summary: - cannot login anymore: Read from socket failed: Connection reset by peer
+ Can't login anymore: Read from socket failed: Connection reset by peer
Ryan Harper (raharper) wrote:

ssh -c 3des-cbc host also works for me. And adding this to my ssh config makes it automatic:

Host *
   Ciphers 3des-cbc

BTW, this is only a problem through my Cisco OpenConnect VPN. Different VPNs don't have this issue.

Nicolas Michel (nicolas-michel) wrote:

I have the same problem here. Only on one remote host:

sylock@sylock-vmware:~$ ssh -vvv XXXXXX
OpenSSH_6.0p1 Debian-3ubuntu1, OpenSSL 1.0.1c 10 May 2012
debug1: Reading configuration data /home/sylock/.ssh/config
debug1: /home/sylock/.ssh/config line 1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to XXXXXX[172.24.6.18] port 22.
debug1: Connection established.
debug1: identity file /home/sylock/.ssh/id_rsa type -1
debug1: identity file /home/sylock/.ssh/id_rsa-cert type -1
debug1: identity file /home/sylock/.ssh/id_dsa type -1
debug1: identity file /home/sylock/.ssh/id_dsa-cert type -1
debug1: identity file /home/sylock/.ssh/id_ecdsa type -1
debug1: identity file /home/sylock/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1
debug1: match: OpenSSH_5.1 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0p1 Debian-3ubuntu1
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "fsmal989" from file "/home/sylock/.ssh/known_hosts"
debug3: load_hostkeys: found key type RSA in file /home/sylock/.ssh/known_hosts:269
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: <email address hidden>,<email address hidden>,ssh-rsa
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: kex_parse_kexinit: <email address hidden>,<email address hidden>,ssh-rsa,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,<email address hidden>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-dss
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<email address hidden>
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,<email address hidden>
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<email address hidden>,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,<email address hidden>,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: hmac-md5,hmac-sha1,<email address hidden>,hmac-sha2-256,hmac-sha2-256-96,hmac-sha2-512,hmac-sha2-512-96,hmac-ripemd160,<email address hidden>,hmac-sha1-96,hmac-md5-96
debug2: kex_parse_kexinit: none,<email address hidden>,zlib
debug2: kex_parse_kexinit: none,<email address hidden>,zlib
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: kex_parse_kexinit: diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman...


Gary Salisbury (gary-r-salisbury) wrote: Re: [Bug 708493] Re: Can't login anymore: Read from socket failed: Connection reset by peer

Use dropbear ....

On 21 December 2012 15:27, Nicolas Michel <email address hidden> wrote:


Andrew Schulman (andrex) wrote:

Multiple commenters (#19, #43) have posted the workaround. In my ~/.ssh/config I now have

Host *
# Workaround for the dreaded 'connection reset by peer' bug, openssh >=5.7:
Ciphers aes128-ctr,aes192-ctr,aes256-ctr

and I no longer see this problem.

Gary Salisbury (gary-r-salisbury) wrote:

It's not really an answer; this bug has been around in ssh for a year or so
already ...
dropbear doesn't have this issue, nor do older versions of ssh ... they don't
crash. It should have been fixed by now.

On 21 December 2012 18:44, Andrew Schulman <email address hidden> wrote:


Nicolas Michel (nicolas-michel) wrote:

I know the workaround. But we're here on a bug report platform ... I posted to say "hey, the problem is still here in 12.04!"

Best regards,
Nicolas

scuba (scubuntu) wrote:

I've studied the thread and tried the workaround suggestions. The problem persists in 12.04.2!

Regards

SCUBA

scuba (scubuntu) wrote:

Hi,

I've managed to solve the issue... purge openssh-server on server machine, then reinstall -- worked for me.

Regards

SCUBA

Steve Brown (jpgeek) wrote:

Howdy,

I know that in my case, this was definitely an MTU problem, and it exhibits exactly the behavior stated above.

To test this, call
ping -M do -s 1500 <host>
If it goes through, this is probably not your issue. If it does not, try lowering the -s value until it does go through. If the value that you find is lower than the MTU on your interface, this is likely the problem.

The solution would be to change your MTU size on the interface. You can check this with
ifconfig
and set it with
sudo ifconfig <interface> mtu 1000
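The MTU check above, done as a search rather than by hand, as an added example that is not from the original post or from OpenSSH. `probe_size` is the only function that touches the network and sends the same DF-flagged ping as the post; the rest is arithmetic. Note that with `-M do` a payload of 1500 can never pass a 1500-byte link, because the IPv4 and ICMP headers add 28 bytes; 1472 is the largest payload that fits, which is where the search's upper bound is set. The host name and the interface MTU are command-line arguments (assumed), and `ip link set ... mtu` is the current spelling of the `ifconfig` command in the post.

```shell
#!/usr/bin/env bash
# Added example: find the largest ICMP payload that crosses the path to a
# host without fragmentation, then derive the path MTU from it.
# probe_size is the only function that touches the network; it is
# overridable so the search itself can be exercised against a fake probe.

# Return 0 if a DF-flagged ping with this payload size gets through.
# -M do sets the Don't Fragment bit, -s is the ICMP payload size.
probe_size() {
  local host="$1" size="$2"
  ping -M do -c 1 -W 1 -s "$size" "$host" >/dev/null 2>&1
}

# Binary search for the largest payload in [lo, hi] that probe_size accepts.
# Prints the size, or "none" (and returns 1) if even lo fails.
find_max_payload() {
  local host="$1" lo="${2:-100}" hi="${3:-1472}"
  local best="none" mid
  if ! probe_size "$host" "$lo"; then
    echo none
    return 1
  fi
  while [ "$lo" -le "$hi" ]; do
    mid=$(( (lo + hi) / 2 ))
    if probe_size "$host" "$mid"; then
      best=$mid            # this size fits; look for a larger one
      lo=$(( mid + 1 ))
    else
      hi=$(( mid - 1 ))    # too big; shrink
    fi
  done
  echo "$best"
}

# IPv4 path MTU = payload + 8 (ICMP header) + 20 (IP header).
payload_to_mtu() {
  echo $(( $1 + 28 ))
}

# Usage: ./mtu-probe.sh <host> [interface-mtu]   (interface MTU defaults to 1500)
main() {
  local host="$1" ifmtu="${2:-1500}" payload mtu
  payload=$(find_max_payload "$host") || { echo "even the smallest probe failed" >&2; return 1; }
  mtu=$(payload_to_mtu "$payload")
  echo "largest unfragmented payload: $payload bytes -> path MTU $mtu"
  if [ "$mtu" -lt "$ifmtu" ]; then
    echo "path MTU is below the interface MTU of $ifmtu; consider: sudo ip link set dev <iface> mtu $mtu"
  fi
}

# Only run when invoked with a host; sourcing the file defines the functions.
if [ -n "${1:-}" ]; then
  main "$@"
fi
```

The search needs only about ten probes to converge, so it is usable over a slow VPN; run it against the remote host that fails, not against localhost, since a loopback ping tells you nothing about the path.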

Shondhi Singhal (shondhi-singhal) wrote:

Hi

I am facing the same problem. I have tried many things mentioned on the net to solve it, but nothing seems to work.

When I called:

ping -M do -s 1500 ubuntu

This is what I received in output:
PING ubuntu (127.0.1.1) 1500(1528) bytes of data.
1508 bytes from ubuntu (127.0.1.1): icmp_req=1 ttl=64 time=0.052 ms
1508 bytes from ubuntu (127.0.1.1): icmp_req=2 ttl=64 time=0.037 ms
1508 bytes from ubuntu (127.0.1.1): icmp_req=3 ttl=64 time=0.030 ms
1508 bytes from ubuntu (127.0.1.1): icmp_req=4 ttl=64 time=0.039 ms

Command- ssh -c 3des-cbc host
Output- * Documentation: https://help.ubuntu.com/
Last login: Thu Apr 11 22:10:40 2013 from localhost

But when I enter the command-

git clone <email address hidden>:Shondhi/Hello.git

Output is- Cloning into 'Hello'...
Read from socket failed: Connection reset by peer
fatal: The remote end hung up unexpectedly

Kindly, guide me.

Changed in openssh (Ubuntu):
assignee: nobody → Irfan Fauzan (irfan-it2988)
Srdjan Grubor (sgnn7) wrote:

My cases of this bug (though it seems like there are different ones with similar symptoms) happen each time I reset a 14.04 VM to an older state from a hard shutdown. Localhost ssh connections fail as well with same output.

Workaround for me is regenerating the host keys (sudo rm /etc/ssh/host_* && sudo ssh-keygen -A) each time I revert the VM. Changing the cipher/kex does not seem to change the outcome.

I wonder if some junk gets written to the keys in bad shutdowns. I'll see if I can debug the output of the sshd.

Client log below:
$ ssh root@redacted -vvvv
OpenSSH_6.6.1, OpenSSL 1.0.1f 6 Jan 2014
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.56.101 [192.168.56.101] port 22.
debug1: Connection established.
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/sg/.ssh/id_rsa" as a RSA1 public key
debug1: identity file /home/sg/.ssh/id_rsa type 1
debug1: identity file /home/sg/.ssh/id_rsa-cert type -1
debug1: identity file /home/sg/.ssh/id_dsa type -1
debug1: identity file /home/sg/.ssh/id_dsa-cert type -1
debug1: identity file /home/sg/.ssh/id_ecdsa type -1
debug1: identity file /home/sg/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/sg/.ssh/id_ed25519 type -1
debug1: identity file /home/sg/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1p1 Ubuntu-2ubuntu2
debug1: Remote protocol version 2.0, remote software version OpenSSH_6.6p1 Ubuntu-2ubuntu1
debug1: match: OpenSSH_6.6p1 Ubuntu-2ubuntu1 pat OpenSSH_6.5*,OpenSSH_6.6* compat 0x14000000
debug2: fd 3 setting O_NONBLOCK
debug3: load_hostkeys: loading entries for host "192.168.56.101" from file "/home/sg/.ssh/known_hosts"
debug3: load_hostkeys: found key type ECDSA in file /home/sg/.ssh/known_hosts:87
debug3: load_hostkeys: loaded 1 keys
debug3: order_hostkeyalgs: prefer hostkeyalgs: <email address hidden>,<email address hidden>,<email address hidden>,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521
debug2: compat_kex_proposal: original KEX proposal: <email address hidden>,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: Compat: skipping algorithm "<email address hidden>"
debug2: compat_kex_proposal: compat KEX proposal: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer

Srdjan Grubor (sgnn7) wrote:

Well, at least in my case, I found that all the sshd host keys were truncated. I'm guessing that the hard shutdown of the VM was the cause but I'm not 100% sure.
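A check for the truncated-host-key case described above, added here as an example that is not from the original post or from OpenSSH. It re-derives the public key from each private host key with `ssh-keygen -y -f`, which fails on an empty or truncated file, and compares the result with the `.pub` companion when one exists, so a mismatched pair is caught too. The directory is a parameter so the check can run on a copy; the default is /etc/ssh, and reading the private keys there needs root. The regeneration command it suggests is the one from the post.

```shell
#!/usr/bin/env bash
# Added example: sanity-check sshd's host key files before blaming the
# network. sshd fails while loading a truncated key, so the client sees the
# connection dropped right after KEXINIT with nothing useful logged.

# Classify one private host key file. Return codes:
#   0 = loads and matches its .pub   1 = missing or empty
#   2 = unreadable as a key          3 = ssh-keygen not installed, unverified
#   4 = .pub companion does not match the private key
check_hostkey_file() {
  local f="$1" pub
  [ -s "$f" ] || return 1
  command -v ssh-keygen >/dev/null 2>&1 || return 3
  # -y re-derives the public key from the private one; host keys have no
  # passphrase, and stdin is closed so a prompt can never hang the check.
  pub=$(ssh-keygen -y -f "$f" 2>/dev/null </dev/null) || return 2
  if [ -r "$f.pub" ]; then
    [ "$(printf '%s' "$pub" | awk '{print $1" "$2}')" = "$(awk '{print $1" "$2}' "$f.pub")" ] || return 4
  fi
  return 0
}

# Check every ssh_host_*_key in a directory (default /etc/ssh).
# Returns 0 if all keys are sound, 1 if any is empty, corrupt or mismatched.
check_all_hostkeys() {
  local dir="${1:-/etc/ssh}" f rc bad=0
  for f in "$dir"/ssh_host_*_key; do
    [ -e "$f" ] || continue          # unmatched glob stays literal; skip it
    if check_hostkey_file "$f"; then rc=0; else rc=$?; fi
    case $rc in
      0) echo "ok         $f" ;;
      1) echo "EMPTY      $f"; bad=1 ;;
      2) echo "CORRUPT    $f"; bad=1 ;;
      3) echo "unverified $f (ssh-keygen not installed)" ;;
      4) echo "MISMATCH   $f vs $f.pub"; bad=1 ;;
    esac
  done
  [ "$bad" -eq 0 ] && return 0
  echo "regenerate with: sudo rm /etc/ssh/ssh_host_*_key* && sudo ssh-keygen -A && sudo service ssh restart" >&2
  return 1
}

# Only run when a directory is given; sourcing the file just defines the functions.
if [ -n "${1:-}" ]; then
  check_all_hostkeys "$1"
fi
```

Run it on the server as root (`sudo ./check-hostkeys.sh /etc/ssh`); a non-zero exit means the reset is explained by the keys and no client-side algorithm fiddling will help.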

Jeremy Melanson (jmelanson) wrote:

I figured out a temporary workaround. Edit your ~/.ssh/config, and add the line:
Ciphers aes128-cbc

I haven't done any real debugging, but it looks like there could be a problem with ciphers bigger than 128 bits. My Cisco devices are complaining about DH length when I use AES192 or AES256. AES128 works fine.

It's not ideal, but it could help for the time-being.

Yrjö Selänne (yselnne) wrote:

This has now been bountied:

https://www.bountysource.com/issues/1033630-can-t-login-anymore-read-from-socket-failed-connection-reset-by-peer

Good Luck 'Guesy ' and others.

This is just a note of a bounty made and shouldn't change the spirit of fixing bugs. Thank-you.

Brian Morton (rokclimb15) wrote:

This worked for me:

ssh -v admin@172.16.3.253 -o KexAlgorithms=diffie-hellman-group14-sha1

source:

http://stackoverflow.com/questions/25341773/cisco-ssh-key-exchange-fails-from-ubuntu-14-04-client-dh-key-range-mismatch
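The client-side workarounds collected in this thread (shortening Ciphers to the CTR modes, forcing KexAlgorithms=diffie-hellman-group14-sha1, falling back to aes128-cbc or 3des-cbc), tried in that order against a single host, as an added example that is not from the original posts or from OpenSSH. It judges success by whether the client's own debug output reaches `SSH2_MSG_NEWKEYS received`, i.e. key exchange completed, which separates a transport-level reset during KEXINIT or DH group exchange from a later authentication failure (both make ssh exit 255). It then prints a stanza scoped to that host rather than `Host *`, so the weaker algorithms are not enabled for every connection. The candidate list, the five-second ConnectTimeout and the remote `true` command are assumptions made for the example.

```shell
#!/usr/bin/env bash
# Added example: find the smallest client-side algorithm restriction that
# lets key exchange complete against one host, and emit a ~/.ssh/config
# stanza for that host only.

# Candidate -o option sets, one per line, least damaging first. The first
# two keep modern algorithms and only shorten the proposal; the CBC and
# 3DES entries are older ciphers and are deliberately tried last.
CANDIDATES='Ciphers=aes128-ctr,aes192-ctr,aes256-ctr
KexAlgorithms=diffie-hellman-group14-sha1
KexAlgorithms=diffie-hellman-group14-sha1 Ciphers=aes128-ctr
Ciphers=aes128-cbc
Ciphers=3des-cbc'

# One non-interactive connection attempt; prints the client's debug lines.
# stderr (debug output) is captured, the remote command's stdout discarded.
# Overridable for offline testing.
ssh_debug_output() {
  local host="$1"; shift
  ssh -v -o BatchMode=yes -o ConnectTimeout=5 "$@" "$host" true 2>&1 >/dev/null
}

# Key exchange finished iff the client logged receipt of NEWKEYS. A reset
# during KEXINIT or the DH group exchange never gets this far.
kex_completed() {
  printf '%s\n' "$1" | grep -q 'SSH2_MSG_NEWKEYS received'
}

# Try each candidate line; print the first one that completes key exchange.
find_working_options() {
  local host="$1" line o
  while IFS= read -r line; do
    [ -n "$line" ] || continue
    set --                              # rebuild "$@" as -o pairs for this line
    for o in $line; do set -- "$@" -o "$o"; done
    if kex_completed "$(ssh_debug_output "$host" "$@")"; then
      printf '%s\n' "$line"
      return 0
    fi
  done <<EOF
$CANDIDATES
EOF
  return 1
}

# Turn "Key=value Key=value" into a Host stanza for exactly this host.
config_stanza() {
  local host="$1" line="$2" o
  printf 'Host %s\n' "$host"
  for o in $line; do
    printf '    %s %s\n' "${o%%=*}" "${o#*=}"
  done
}

# Usage: ./kex-probe.sh <host>
main() {
  local host="$1" found
  if found=$(find_working_options "$host"); then
    echo "# key exchange completes with: $found"
    config_stanza "$host" "$found"
  else
    echo "no candidate completed key exchange; the reset is probably not an algorithm-list problem" >&2
    return 1
  fi
}

if [ -n "${1:-}" ]; then
  main "$@"
fi
```

Append the printed stanza to ~/.ssh/config (it must come before any `Host *` block, since ssh uses the first value it finds for each option), and re-test after the device or middlebox is upgraded so the restriction can be removed again.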

Mike (0x656b694d) wrote:

Hello,
Not sure it is the same problem here, but I cannot connect to my machine if I go through NAT.
If I connect directly from the LAN everything works, but if I use the external IP, then I get a connection reset after "debug1: SSH2_MSG_KEXINIT sent".

Client and server are the same machine. I tried to set the MTU to 1400 and 400 with no effect, also changed the net.ipv4.tcp_rmem setting and tried different cipher algorithms with no luck.

Linux 3.16.0-31-generic #41-Ubuntu
Ubuntu 14.10

Gary Salisbury (gary-r-salisbury) wrote:

Use dbclient ...

On 20 February 2015 at 19:07, Mike <email address hidden> wrote:

Mike (0x656b694d) wrote:

Thanks, but a specific client is not an option. I need to connect with any
client from different systems. The flow I described is for problem
isolation only. Putty cannot connect either.

On Fri Feb 20 2015 at 18:31:15 Gary Salisbury <email address hidden>
wrote:

> Use dbclient ...
>
> On 20 February 2015 at 19:07, Mike <email address hidden> wrote:
>
> > Hello,
> > Not sure it is the same problem here, but I cannot connect to my machine
> > if go through NAT.
> ...

Gary Salisbury (gary-r-salisbury) wrote:

Did this used to work .... ?

This bug is due to an ssh version change ...

Sounds like you may have a firewall issue, if you are trying to connect via
a NATed connection for the 1st time.

Use tcpdump on your server ... and analyze the traffic on port 22

Compare the traffic, when you connect locally and then via the nated
connection.

Use the verbose settings of ssh to get more information .... before posting
again ..

Gary Salisbury (gary-r-salisbury) wrote :

Why are you testing a NATed address from the same server (client and
server)?

Do you get the same problem when connecting via the NATed address from the
outside network ... using a different client machine from outside?


madbiologist (me-again)
tags: added: oneiric precise
Changed in openssh (Ubuntu):
assignee: Irfan Fauzan (irfan-it2988) → nobody
status: Confirmed → Triaged
Mike (0x656b694d) wrote :

Thank you for the suggestions Gary. I realized that my problem is caused by the router firmware. Basically, they introduced loopback blocking and I couldn't connect from the same network even using the external IP.

Gary Salisbury (gary-r-salisbury) wrote :

:) ...

In the IT world it takes time to analyze a problem well!

Congrats ...

Happy Easter!


cybernet (cybernet2u) wrote :

No resolution?

Pedro Acácio (pedro-acacio92) wrote :

Hi guys.

Without apparent reason, I suddenly wasn't able to make an ssh connection to my production server. When I run ssh -v I get "expecting SSH2_MSG_KEX_ECDH_REPLY connection closed". After spending a lot of time looking for a solution, I solved my problem just by uncommenting two lines in my /etc/ssh/ssh_config file.

I uncommented the lines beginning with "Ciphers ......." and "MACs ........".

Thanks!
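
Gary's advice above (compare the port 22 traffic between a working and a failing connection) and Pedro's fix (change the Ciphers and MACs lines in ssh_config) both come down to the same thing: what each side proposes in SSH_MSG_KEXINIT, and whether the two proposals intersect. The script below is an added example, not code from this bug report, from Launchpad or from OpenSSH. It encodes and parses a KEXINIT, strips the unencrypted binary-packet framing, and applies the RFC 4253 section 7.1 selection rule to a server proposal constructed by hand to resemble an older sshd. OLD_SERVER, COMPAT_CLIENT, STRICT_CLIENT and the probe() helper are assumptions of the example; the sample name-lists are not captured traffic. Note that this covers only the first stage of the handshake: in the original report the "kex: server->client aes128-ctr hmac-md5 none" lines show that KEXINIT negotiation had already succeeded and the reset came later, during the DH group exchange, which this example does not reach.

```python
# Added example, not from this bug report or OpenSSH: parse SSH2 KEXINIT and run
# RFC 4253 algorithm negotiation. Server proposal is constructed; only probe() uses the network.
import os
import socket
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT in wire order (RFC 4253 section 7.1).
FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

def proposal(kex, hostkey, ciphers, macs, comp=("none",)):
    """Both directions get the same cipher/MAC lists, as ssh_config's Ciphers/MACs do."""
    return dict(zip(FIELDS, (list(kex), list(hostkey), list(ciphers), list(ciphers),
                             list(macs), list(macs), list(comp), list(comp), [], [])))

def build_kexinit(fields, cookie=bytes(16)):
    """Encode a KEXINIT payload; a real client must send 16 random cookie bytes."""
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in FIELDS:
        namelist = ",".join(fields[name]).encode("ascii")
        payload += struct.pack(">I", len(namelist)) + namelist
    return payload + bytes(5)  # first_kex_packet_follows = 0, reserved uint32 = 0

def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [names]}; ValueError if malformed."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT")
    off, out = 17, {}  # skip message id and 16-byte cookie
    for name in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated length of " + name)
        (length,) = struct.unpack_from(">I", payload, off)
        raw = payload[off + 4:off + 4 + length]
        if len(raw) != length:
            raise ValueError("truncated name-list " + name)
        off += 4 + length
        out[name] = [n for n in raw.decode("ascii").split(",") if n]
    out["first_kex_packet_follows"] = bool(payload[off])
    return out

def wrap_packet(payload, block=8):
    """Unencrypted framing (RFC 4253 section 6): uint32 packet_length, byte padding_length,
    payload, then 4..255 padding bytes so the total is a multiple of the block size."""
    padding = block - (len(payload) + 5) % block
    if padding < 4:
        padding += block
    return struct.pack(">IB", len(payload) + padding + 1, padding) + payload + bytes(padding)

def unwrap_packet(data):
    """Inverse of wrap_packet; raises on inconsistent lengths."""
    packet_length, padding_length = struct.unpack_from(">IB", data, 0)
    if packet_length < padding_length + 1 or len(data) < 4 + packet_length:
        raise ValueError("bad packet framing")
    return data[5:4 + packet_length - padding_length]

def negotiate(client, server):
    """RFC 4253 section 7.1: per list, the first client-preferred name the server also
    offers. Any empty intersection means sshd disconnects right after KEXINIT."""
    chosen, failed = {}, []
    for name in FIELDS[:8]:  # language lists may legitimately be empty on both sides
        pick = next((a for a in client[name] if a in server[name]), None)
        if pick is None:
            failed.append(name)
        else:
            chosen[name] = pick
    return chosen, failed

# Constructed sample, not captured traffic: roughly what an OpenSSH 5.x sshd offered.
OLD_SERVER = proposal(
    ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    ["ssh-rsa", "ssh-dss"], ["aes128-ctr", "aes256-ctr", "aes128-cbc", "3des-cbc"],
    ["hmac-md5", "hmac-sha1"])
# Hypothetical clients: one with defaults of that era, one with a hardened ssh_config
# whose Ciphers and MACs lines share nothing with OLD_SERVER.
COMPAT_CLIENT = proposal(
    ["diffie-hellman-group-exchange-sha256", "diffie-hellman-group14-sha1"],
    ["ssh-rsa", "ssh-dss"], ["aes128-ctr", "aes192-ctr", "aes256-ctr"], ["hmac-md5", "hmac-sha1"])
STRICT_CLIENT = proposal(
    ["curve25519-sha256", "diffie-hellman-group-exchange-sha256"], ["ssh-ed25519", "ssh-rsa"],
    ["chacha20-poly1305@openssh.com", "aes256-gcm@openssh.com"],
    ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"])

def probe(host, port=22, timeout=5.0, client=COMPAT_CLIENT):
    """Fetch a live server's KEXINIT (version strings, one packet each way), parsed.
    Stops before any key exchange."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(b"SSH-2.0-kexprobe_0.1\r\n")
        rfile = sock.makefile("rb")
        while True:  # sshd may print banner lines before its version string
            line = rfile.readline()
            if not line:
                raise ConnectionError("closed before version exchange")
            if line.startswith(b"SSH-"):
                break
        sock.sendall(wrap_packet(build_kexinit(client, cookie=os.urandom(16))))
        head = rfile.read(5)
        (packet_length,) = struct.unpack(">I", head[:4])
        return parse_kexinit(unwrap_packet(head + rfile.read(packet_length - 1)))
```

Offline, `negotiate(COMPAT_CLIENT, server)` against the constructed OLD_SERVER returns an empty failure list and picks aes128-ctr with hmac-md5, which is exactly the pair the original report's "kex:" debug lines show; `negotiate(STRICT_CLIENT, server)` returns all four cipher and MAC lists as failed, which is the state a too-strict Ciphers/MACs setting produces. Against a real host, `negotiate(COMPAT_CLIENT, probe("mail"))` tells you which list is empty without touching the server's logs beyond a preauth connection; an `ssh -vv` run shows the same proposals in its "peer server KEXINIT proposal" section.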

Changed in openssh (Ubuntu):
assignee: nobody → Divya Shettar (shettar-divya)
assignee: Divya Shettar (shettar-divya) → nobody
Simon Quigley (tsimonq2) wrote :

Sorry folks, but as part of the bug clean up ahead of 16.04 LTS I'm marking this as invalid because it affects an Ubuntu release which is now unsupported. If you can still recreate this bug in a supported release please do open a new bug and we can triage it for consideration in the 16.04 LTS development cycle.

Changed in openssh (Ubuntu):
status: Triaged → Invalid
Changed in openssh (Debian):
status: New → Fix Released