# ssh daemon: ssh_exchange_identification problem

## Watson

Hi,

After a pretty long time, I installed gentoo some days ago again. Unfortunately, I can't get sshd to run again. I tried different configurations, even installed pam and openssh again (thought the problem might be caused by an update of pam) but sshd continued to give me the following output:

 *Quote:*   

> me@gbox ~ $ ssh -v localhost
> 
> OpenSSH_4.3p2, OpenSSL 0.9.8c 05 Sep 2006
> ...

 

I wonder why the sshd does not ask for a password because my configuration should not require a keypair:

 *Quote:*   

> #	$OpenBSD: sshd_config,v 1.73 2005/12/06 22:38:28 reyk Exp $
> 
> # This is the sshd server system-wide configuration file.  See
> ...

 

Hope someone here can help me with this.

Regards,

Watson

Last edited by Watson on Mon Sep 18, 2006 4:49 pm; edited 2 times in total

----------

## rwvo

Did openssl by any chance get upgraded after the last openssh upgrade? This caused similar problems for me (sshd links to openssh, but revdep-rebuild didn't pick up the dependency). The solution in this case was to re-emerge openssh.

Ah: did you restart sshd after the upgrade (/etc/init.d/sshd restart)? I sometimes forget such trivial things...

----------

## Watson

I reemerged pam and openssh but without success. I also restarted the sshd after the installation. I'll try to reemerge openssl now, but I guess this won't work either.

----------

## taiger

 *rwvo wrote:*   

> Did openssl by any chance get upgraded after the last openssh upgrade? This caused similar problems for me (sshd links to openssh, but revdep-rebuild didn't pick up the dependency). The solution in this case was to re-emerge openssh.
> 
> Ah: did you restart sshd after the upgrade (/etc/init.d/sshd restart)? I sometimes forget such trivial things...

 

Works for me,

tnx

----------

## Watson

Unfortunately, it didn't help me.

Does someone have an idea how to solve this problem?

----------

## josh

I was having the exact same problem when I got in to work this morning. Then I found this post. I recompiled openssl and _then_ recompiled openssh and then restarted sshd. works fine now.

----------

## Watson

got it. forgot emerge --sync before emerging openssl and openssh again ^^

----------

## Watson

Dammit! The problem isn't solved at all. I just saw that openssl got an update, whereas openssh did not. But now, after emerging the updates and restarting the ssh daemon, everything is the same:

 *Quote:*   

> ssh -v localhost
> 
> OpenSSH_4.3p2, OpenSSL 0.9.8c 05 Sep 2006
> 
> debug1: Reading configuration data /etc/ssh/ssh_config
> ...

 

----------

## josh

Upgrading openssl wasn't enough for me. I then had to re-emerge openssh before it worked.

----------

## dem1an

 *josh wrote:*   

> I was having the exact same problem when I got in to work this morning. Then I found this post. I recompiled openssl and _then_ recompiled openssh and then restarted sshd. works fine now.

 

Ditto. I was having the same problem on my box as well and this worked perfectly for me.

----------

## wynn

If your openssl update was from 0.9.7k to 0.9.8c or 0.9.8c-r1 then you should have

```
"You must re-compile all packages that are linked against"
"OpenSSL 0.9.7 by using revdep-rebuild from gentoolkit:"
"# revdep-rebuild --library libssl.so.0.9.7"
"# revdep-rebuild --library libcrypto.so.0.9.7"
"After this, you can delete /usr/$(get_libdir)/libssl.so.0.9.7"
"and /usr/$(get_libdir)/libcrypto.so.0.9.7"
```

The best way to run it is not separately as above but as

```
revdep-rebuild --library "lib\(crypto\|ssl\).so.0.9.7"
```

and you might like to add "--ignore --pretend" to avert surprises.

----------

## Watson

Argh, that's impossible! Thought now it would run because I really updated ssl from the version installed by stage-1 of the minimal-2006.1 gentoo cd.

revdep-rebuild installed some stuff like ldap and tells me now that everything is done but it still does not work. Dammit.

But I guess this was one reason for the error, so at least this one is out of the world now. Thanks!

----------

## Watson

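OK, I wrote a script to bring it all in order, but it still doesn't help:

```
#!/bin/bash

# Stop the daemon before touching its files
/etc/init.d/sshd stop

# Remove the system-wide SSH configuration and host keys
rm -rf /etc/ssh

# Rebuild everything still linked against the 0.9.7 libraries
revdep-rebuild --library "lib\(crypto\|ssl\).so.0.9.7"

# Remove the old 0.9.7 libraries
rm /usr/lib/libssl.so.0.9.7
rm /usr/lib/libcrypto.so.0.9.7

# Reinstall openssl first, then openssh, and start the daemon again
emerge openssl openssh
/etc/init.d/sshd start
```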

----------

## fr3akX

try 

```
rm -Rvf ~/.ssh
```

sometimes it helps

----------

## Watson

Doesn't help either. I don't understand why the ssh daemon does not ask for a password after failing to get a valid keypair:

 *Quote:*   

> debug1: identity file /home/weng/.ssh/identity type -1
> 
> debug1: identity file /home/weng/.ssh/id_rsa type -1
> ...

 

----------

## wynn

I had "ssh_exchange_identification: Connection closed by remote host" this morning after upgrading to openssl-0.9.8c-r2, however, josh's solution worked.

Looking at the log, there are two entries from pam_unix which match the attempted ssh login attempt: the first says "session opened" at 11:22:15 and the second "session closed" at 11:24:40.

Perhaps pam with openssl is part of the problem?

Otherwise, does the log on the remote host show anything useful?

----------

## someone19

I'm still having this exact same problem, sorry to bring up such an old topic, but I have tried everything posted here, and still am getting the exact same output as posted above with ssh -v user@localhost.

I have not updated any config files since the latest round of updates to openssl and openssh. I think etc-update added a slew of comments to the end of /etc/ssh/sshd_config automagically.

If I do it from the local machine or from my XP box on the localnet I get the same results. This happened after the 0.9.8x upgrades.

Thanks in advance.

----------

## wynn

After the latest openssl, did you do

```
revdep-rebuild --library="lib\(crypto\|ssl\).so.0.9.7"
```

After doing this, remove the old 0.9.7 files which might only be symlinks like (from memory)

```
lrwxrwxrwx 1 root root     18 Sep 19 11:30 libcrypto.so -> libcrypto.so.0.9.7
lrwxrwxrwx 1 root root     15 Sep 19 11:30 libssl.so -> libssl.so.0.9.7
```

and restart sshd

```
/etc/init.d/sshd restart
```

----------

## someone19

 *wynn wrote:*   

> After the latest openssl, did you do
> 
> ```
> revdep-rebuild --library="lib\(crypto\|ssl\).so.0.9.7"
> ```
> ...

 

Yes, I did all of the above, including '/etc/init.d/sshd restart', then tried from cygwin, then localhost, then rm ~/.ssh/known_hosts from both boxes. Still same results.

Then I 'FEATURES=-ccache emerge -av openssl openssh' and tried all forms of ssh tried above.

This is my router, and I normally ssh into it. The only form of control I have now is webmin and cygwin/x (shudder)

Thanks for the quick reply.

----------

## josh

I know this has been iterated a couple of times. But I tried a few different things on this post before I found the solution that worked for me. It had to be done in _this_ order:

```
emerge openssl
emerge openssh
/etc/init.d/sshd restart
```

Again, not to beat a dead horse, but I had to do it _exactly_ this way. The other ways didn't work for me. YMMV. For example, on my computer at home the openssl upgrade went seamlessly. This only happened on my work computer.

Maybe even try moving your entire ~/.ssh directory.

----------

## kashani

Couple of notes on this. 

openssl changes fairly significantly between numbered versions. 0.9.6 to 0.9.7 had many of the same problems that 0.9.7 to 0.9.8 had. Once you're fully on a version the mini updates with the letters, 0.9.7i to 0.9.7j, shouldn't give you any problems.

Doing the following should work fine for everyone.

```
emerge -u openssl
revdep-rebuild --library libssl.so.0.9.7
revdep-rebuild --library libcrypto.so.0.9.7
```

That should handle most of it. However people in x86 land got hit with another issue. openssl-0.9.8c-r1 added the sse2 flag which, when enabled, breaks the openssl ABI. So if you installed 0.9.8c and then updated to the sse2 enabled code you need to rebuild anything that linked to the ssl libs again. If you don't have sse2 in /etc/make.conf or wherever, you don't need to do anything.

kashani

----------

## someone19

 *josh wrote:*   

> emerge openssl
> 
> emerge openssh
> ...

 

Ok, I emerged openssl and then openssh separately

/etc/init.d/sshd restart

went to my XP box running cygwin and deleted the ~/.ssh dir as confirmed below:

```
Geo@george ~
$ cd .ssh
bash: cd: .ssh: No such file or directory

Geo@george ~
$ ssh -v george@192.168.1.1
OpenSSH_4.3p2, OpenSSL 0.9.8b 04 May 2006
debug1: Connecting to 192.168.1.1 [192.168.1.1] port 22.
debug1: Connection established.
debug1: identity file /home/Geo/.ssh/identity type -1
debug1: identity file /home/Geo/.ssh/id_rsa type -1
debug1: identity file /home/Geo/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
```

with exact same results in xterm trying to connect to localhost

----------

## someone19

 *kashani wrote:*   

> Doing the following should work fine for everyone.
> 
> emerge -u openssl
> ...

 

I have not updated any flags since 0.9.7. I ran a revdep-rebuild on both ssl and crypto and then deleted 0.9.7 as suggested above in the manner listed above.

Things broke after a reboot after the upgrades from 0.9.7 to 0.9.8c-r2 (with several updates but no /etc/init.d/sshd restarts)

----------

## someone19

Solved!

Portscan created a /etc/hosts.deny and ssh would deny the connection based on that information. Moving that file to a different filename solved my issues. Thanks to everyone's input.

----------

## mikegpitt

Just saying that I had this problem this past week as well after an openssl update.  Solved it using the above solution:

```
emerge openssl openssh
etc-update
/etc/init.d/sshd restart
```

----------

## gigs94

One other thing that causes this problem is having /etc/hosts.allow blocking ssh.

----------

## Ramblurr

 *dem1an wrote:*   

>  *josh wrote:*   I was having the exact same problem when I got in to work this morning. Then I found this post. I recompiled openssl and _then_ recompiled openssh and then restarted sshd. works fine now. 
> 
> Ditto. I was having the same problem on my box as well and this worked perfectly for me.

 

Thought I would chime in that this worked for me too.

----------
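The two causes reported in this thread, an sshd still linked against the replaced libssl/libcrypto and a TCP wrappers rule in /etc/hosts.deny or /etc/hosts.allow, can be checked side by side. The script below is an added example, not code from any poster; the function names, the /usr/sbin/sshd path and the sample ldd output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and SAMPLE_LDD are constructed.

# Reads `ldd /usr/sbin/sshd` output on stdin; prints each libssl/libcrypto soname
# that is unresolved or whose version differs from the installed one ($1).
stale_ssl_libs() {
    awk -v want="$1" '
        $1 ~ /^lib(ssl|crypto)\.so\./ {
            ver = $1; sub(/^lib(ssl|crypto)\.so\./, "", ver)
            if (ver != want || /not found/) print $1
        }'
}

# Succeeds if the ldd output on stdin shows libwrap, i.e. this sshd build
# consults /etc/hosts.allow and /etc/hosts.deny at all.
uses_libwrap() { grep -q 'libwrap\.so'; }

# Prints the rules in a hosts.allow/hosts.deny file ($1) whose daemon list
# names sshd or the ALL wildcard; comments and blank lines are skipped.
sshd_rules() {
    awk -F: '
        /^[ \t]*(#|$)/ { next }
        {
            n = split(tolower($1), d, /[ \t,]+/)
            for (i = 1; i <= n; i++)
                if (d[i] == "sshd" || d[i] == "all") { print; next }
        }' "$1"
}

# Constructed ldd output: sshd still linked against the 0.9.7 libcrypto.
SAMPLE_LDD='	libwrap.so.0 => /lib/libwrap.so.0 (0xb7f4a000)
	libcrypto.so.0.9.7 => /usr/lib/libcrypto.so.0.9.7 (0xb7e1c000)
	libc.so.6 => /lib/libc.so.6 (0xb7c9b000)'

# With a version argument (e.g. 0.9.8) inspect the live sshd; with none, the sample.
main() {
    if [ -n "${1:-}" ]; then out=$(ldd /usr/sbin/sshd) || return 2; else out=$SAMPLE_LDD; fi
    printf '%s\n' "$out" | stale_ssl_libs "${1:-0.9.8}" | sed 's/^/stale: /'
    if printf '%s\n' "$out" | uses_libwrap; then
        for f in /etc/hosts.allow /etc/hosts.deny; do
            if [ -r "$f" ]; then sshd_rules "$f" | sed "s|^|$f: |"; fi
        done
    fi
}
main "$@"
```

An ABI change that keeps the same soname, such as the sse2 case kashani describes, does not show up in ldd output, so a clean result here does not rule out the need to re-emerge openssh.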

