# ssh_exchange_identification: Connection closed by remote host

## Moriah

I am having a new problem lately with several machines.  When I try to log into them with ssh, I get the following error: 

```
rj@gehazi ~ $ ssh root@192.168.1.1
ssh_exchange_identification: Connection closed by remote host
rj@gehazi ~ $ 
```

It started with a windoze xp box running cygwin that I couldn't log into, but now I am also seeing it on gentoo boxes, so I assume it is something newly updated in openssh, which is used on both of those platforms.  This is extremely critical, since I have to manage these boxes remotely.  Also, my nightly backup process relies on an ssh login to start things up, so all the affected machines fail to get backed up.

Any idea what was changed that is causing this?

----------

## Hu

Does the debug output enabled by -v show anything useful?

----------

## Moriah

Here's what I get:

```
rj@gehazi ~ $ ssh -v root@192.168.1.1
OpenSSH_5.6p1, OpenSSL 1.0.0c 2 Dec 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/rj/.ssh/id_rsa type -1
debug1: identity file /home/rj/.ssh/id_rsa-cert type -1
debug1: identity file /home/rj/.ssh/id_dsa type -1
debug1: identity file /home/rj/.ssh/id_dsa-cert type -1
ssh_exchange_identification: Connection closed by remote host
rj@gehazi ~ $ 
```

Which is not too clear as to which end of the connection the id_* files are at that it is referring to.     :Confused: 

Trying to ssh to another machine, I get:

```
rj@gehazi ~ $ ssh -v root@esther
OpenSSH_5.6p1, OpenSSL 1.0.0c 2 Dec 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to esther [192.168.1.21] port 22.
debug1: Connection established.
debug1: identity file /home/rj/.ssh/id_rsa type -1
debug1: identity file /home/rj/.ssh/id_rsa-cert type -1
debug1: identity file /home/rj/.ssh/id_dsa type -1
debug1: identity file /home/rj/.ssh/id_dsa-cert type -1
ssh_exchange_identification: Connection closed by remote host
rj@gehazi ~ $ 
```

The first machine at 192.168.1.1 is a linux router/firewall.  The second is a WinXP laptop with cygwin.

----------

## Moriah

And I also got:

```
rj@gehazi ~ $ ssh -v root@esther
OpenSSH_5.6p1, OpenSSL 1.0.0c 2 Dec 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to esther [192.168.1.21] port 22.
debug1: Connection established.
debug1: identity file /home/rj/.ssh/id_rsa type 1
debug1: identity file /home/rj/.ssh/id_rsa-cert type -1
debug1: identity file /home/rj/.ssh/id_dsa type -1
debug1: identity file /home/rj/.ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.0
debug1: match: OpenSSH_5.0 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.6
debug1: SSH2_MSG_KEXINIT sent
Read from socket failed: Connection reset by peer
rj@gehazi ~ $ 
```

So the behavior varies.    :Shocked: 

----------

## Hu

Try turning up the debugging level further, or try using it on the server instead.  Also, check the server logs.

----------

## Moriah

This is interesting:

```
rj@gehazi ~/.ssh $ ssh -vv root@192.168.1.1
OpenSSH_5.6p1, OpenSSL 1.0.0c 2 Dec 2010
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file /home/rj/.ssh/id_rsa type 1
debug1: identity file /home/rj/.ssh/id_rsa-cert type -1
debug1: identity file /home/rj/.ssh/id_dsa type -1
debug1: identity file /home/rj/.ssh/id_dsa-cert type -1
ssh_exchange_identification: Connection closed by remote host
rj@gehazi ~/.ssh $ 
```

What's with the "key type"?

----------

## cach0rr0

just tested on my system, that output about 'unknown key type' doesn't look too abnormal

```
OpenSSH_5.8p1-hpn13v10, OpenSSL 1.0.0d 8 Feb 2011
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug2: key_type_from_name: unknown key type '-----BEGIN'
debug2: key_type_from_name: unknown key type 'Proc-Type:'
debug2: key_type_from_name: unknown key type 'DEK-Info:'
debug2: key_type_from_name: unknown key type '-----END'
debug1: identity file .ssh/id_dsa type 2
debug1: identity file .ssh/id_dsa-cert type -1
debug1: Remote protocol version 2.0, remote software version dropbear_0.52
debug1: no match: dropbear_0.52
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.8p1-hpn13v10
debug2: fd 3 setting O_NONBLOCK
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: AUTH STATE IS 0
```

note that this is just a small snippet from a much longer bit of output, on a successful connection. 

By any chance do you have any content filtering appliances in-house? 

I've seen this happen with a specific vendor's web filter, as it hooks into the tap port on a switch, gets a copy of all packets, sends a reset to block this, that or the other. One of its available policies is to block off unknown keys; I was on a client's site where they had this particular filter deployed, and saw this precise issue (they ended up having to whitelist my IP).

Anyway, as rubbish as this may sound, can you telnet to the SSH port? Does it allow the connection, but then only kill it off once you start typing?

----------

## Moriah

Here goes:

```
rj@gehazi ~ $ telnet 192.168.1.1 22
Trying 192.168.1.1...
Connected to 192.168.1.1.
Escape character is '^]'.
Connection closed by foreign host.
rj@gehazi ~ $ 
```

I never typed anything except the return key after the telnet command.

Also, no filtering devices other than the iptables firewall on my gentoo laptop between me and 192.168.1.1, which is a gentoo based NATting choke firewall between my LAN and my DMZ.

Nothing has changed except what may have gotten changed by a routine gentoo update.  I also get the same problem ssh-ing to one of the win xp-pro laptops that runs cygwin.

My gentoo laptop is not the only box that cannot ssh into the winxp laptop.  My backup server also has this problem, but works fine with other machines.

Really frustrating!

----------

## cach0rr0

yeah, that's really really really absurd

you should at least get the version string

```
ricker ~ # telnet localhost 22
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
SSH-2.0-OpenSSH_5.8p1-hpn13v10
```

and I've pretty well ruled out any sort of content filters for you, by the by, don't think it's anything networking related.

</ideas>

----------

## Moriah

I just tried several times this morning.  Look at this:

```
rj@moses ~ $ ssh -Y root@esther
Connection closed by 192.168.1.21
rj@moses ~ $ ssh -Y root@esther
Connection closed by 192.168.1.21
rj@moses ~ $ ping esther
PING esther (192.168.1.21) 56(84) bytes of data.
64 bytes from esther (192.168.1.21): icmp_req=1 ttl=128 time=3.37 ms
64 bytes from esther (192.168.1.21): icmp_req=2 ttl=128 time=0.956 ms
64 bytes from esther (192.168.1.21): icmp_req=3 ttl=128 time=0.988 ms
64 bytes from esther (192.168.1.21): icmp_req=4 ttl=128 time=0.993 ms
^C
--- esther ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 0.956/1.576/3.370/1.036 ms
rj@moses ~ $ ssh -Y root@esther
Connection closed by 192.168.1.21
rj@moses ~ $ ssh -Y root@esther
ssh_exchange_identification: Connection closed by remote host
rj@moses ~ $ ssh -Y root@esther
root@esther's password: 
Last login: Mon Mar 14 07:34:30 2011 from 192.168.1.88
Fanfare!!!
You are successfully logged in to this server!!!
root@esther ~
$ 
```

That was all done one attempt after another.  There is something really strange going on here!

----------
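
An added example, not part of the original thread or written by any of its posters: a scripted version of the `telnet host 22` check above that repeats the probe and counts outcomes, which helps when the failure is intermittent as in the last post. It assumes Python 3; the script name `probe.py` and the function names are hypothetical.

```python
import socket
import sys
from collections import Counter

def probe_banner(host, port=22, timeout=5.0):
    """Open one TCP connection and report how far the SSH identification
    exchange got, without sending anything (same as the telnet check).

    Returns (outcome, detail); outcome is one of:
      banner       server sent its "SSH-..." identification line
      closed_early TCP connected, then the server closed with no banner
                   (the client shows this as ssh_exchange_identification)
      reset        connection reset while waiting for the banner
      timeout      connected, but no banner arrived in time
      unreachable  the TCP connect itself failed
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "unreachable", str(exc)
    buf = b""
    with sock:
        try:
            while len(buf) < 4096:
                chunk = sock.recv(256)
                if not chunk:          # orderly close from the server
                    break
                buf += chunk
                # A server may send other lines before the "SSH-" one.
                for line in buf.split(b"\n")[:-1]:   # complete lines only
                    if line.startswith(b"SSH-"):
                        return "banner", line.rstrip(b"\r").decode("ascii", "replace")
        except ConnectionResetError:
            return "reset", ""
        except socket.timeout:
            return "timeout", ""
    return "closed_early", buf.decode("ascii", "replace")

def tally(host, port=22, attempts=10, timeout=5.0):
    """Repeat the probe and count outcomes, to quantify intermittent failures."""
    return Counter(probe_banner(host, port, timeout)[0] for _ in range(attempts))

if __name__ == "__main__":
    # Usage: python probe.py HOST [ATTEMPTS]
    target = sys.argv[1]
    count = int(sys.argv[2]) if len(sys.argv) > 2 else 10
    for outcome, n in tally(target, attempts=count).most_common():
        print(f"{outcome:13s} {n}")
```

A mix of `banner` and `closed_early` from the same client points at the server side dropping some connections before it identifies itself, which is the stage to correlate with the server's own logs.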

