Re: ssh "kex_exchange_identification: Connection closed by remote host"

2019-11-12 Thread Darren Tucker
On Tue, Nov 12, 2019 at 08:52:58PM +1100, Darren Tucker wrote:
> On Tue, 12 Nov 2019 at 20:47, Darren Tucker  wrote:
> > I got this on the second try although the log is not very helpful.
> > I'd suggest checking your MaxStartups setting in sshd_config and
> > comparing the settings to the numbers of connections you have.
> 
> Confirmed that exceeding MaxStartups matches the observed behaviour.
> It'll produce the following log message but only at LogLevel verbose
> or higher:
> 
> drop connection #1 from [127.0.0.1]:45006 on [127.0.0.1]:2022 past MaxStartups

The SSH protocol does actually allow text prior to the protocol banner
exchange (RFC4253 section 4.2) so doing something like this is actually
protocol compliant, although our client only shows it at LogLevel
debug1.

$ ssh -v -p 2022 localhost
[...]
debug1: Connecting to localhost [127.0.0.1] port 2022.
debug1: fd 3 clearing O_NONBLOCK
debug1: Connection established.
[...]
debug1: Local version string SSH-2.0-OpenSSH_8.1
debug1: kex_exchange_identification: banner line 0: exceeded MaxStartups
kex_exchange_identification: Connection closed by remote host

Index: sshd.c
===
RCS file: /cvs/src/usr.bin/ssh/sshd.c,v
retrieving revision 1.539
diff -u -p -r1.539 sshd.c
--- sshd.c  31 Oct 2019 21:23:19 -  1.539
+++ sshd.c  12 Nov 2019 10:29:15 -
@@ -1098,6 +1098,7 @@ server_accept_loop(int *sock_in, int *so
if (drop_connection(startups) == 1) {
char *laddr = get_local_ipaddr(*newsock);
char *raddr = get_peer_ipaddr(*newsock);
+   char msg[] = "Exceeded MaxStartups\r\n";
 
verbose("drop connection #%d from [%s]:%d "
"on [%s]:%d past MaxStartups", startups,
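Review bot: the banner text in `char msg[] = "Exceeded MaxStartups\r\n";` does not match the client output quoted earlier in this message (`banner line 0: exceeded MaxStartups`), so one of the two comes from a different revision of the patch; settle on one spelling before committing. Since the string is fixed, `static const char msg[]` states the intent and its length is known at compile time (`sizeof(msg) - 1`), which would let the next hunk drop the `strlen()` call. The format itself is right: the line ends in CR LF and does not start with "SSH-", which is what RFC 4253 section 4.2 requires of text sent before the version string.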
@@ -1105,6 +1106,7 @@ server_accept_loop(int *sock_in, int *so
laddr, get_local_port(*newsock));
free(laddr);
free(raddr);
+   write(*newsock, msg, strlen(msg));
close(*newsock);
continue;
}
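Review bot: the return value of `write(*newsock, msg, strlen(msg));` is ignored, so a short write or an error (the peer may already be gone, as the server-side `Connection reset by peer` in the original report shows) is silently dropped; that is acceptable because the socket is closed on the next line, but make it explicit with `(void)write(...)`, or use the tree's `atomicio()` if delivering the whole line matters. Also confirm that SIGPIPE is ignored in this process before writing to a socket whose peer may have closed, and keep the message short: this runs in the accept loop while MaxStartups is being exceeded, so it must never block (a freshly accepted socket's send buffer is empty, so a line this size will not).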

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
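The client side of the exchange described above (free-form lines before the version string, then the server closing the connection), as an added example that is neither part of the original thread nor OpenSSH's own code; the line and banner-count caps are assumptions, and the server bytes are constructed inline.

```python
import io

# Assumed caps on what the client accepts before the version line (a peer
# that never sends "SSH-" would otherwise keep us reading forever).
MAX_BANNER_LINES = 1024
MAX_LINE_LEN = 8192


class IdentificationError(Exception):
    pass


def read_identification(stream):
    """Client side of the RFC 4253 section 4.2 identification exchange.
    Lines not starting with b"SSH-" are free-form text the server may send
    first; they are collected. EOF before a version line (what sshd does past
    MaxStartups) raises the error this thread is about."""
    banner = []
    while True:
        line = bytearray()
        while True:
            c = stream.read(1)
            if not c:
                raise IdentificationError("Connection closed by remote host")
            if c == b"\n":
                break
            line += c
            if len(line) > MAX_LINE_LEN:
                raise IdentificationError("identification line too long")
        text = bytes(line).rstrip(b"\r")
        if text.startswith(b"SSH-"):
            return banner, text
        banner.append(text)
        if len(banner) >= MAX_BANNER_LINES:
            raise IdentificationError("too many banner lines before version")


def client_exchange(server_bytes):
    """Run the client side over constructed server output and report it the
    way ssh -v does: banner lines as debug1 output, EOF as a fatal error."""
    stream = io.BytesIO(server_bytes)
    try:
        banner, version = read_identification(stream)
    except IdentificationError as e:
        return {"error": "kex_exchange_identification: %s" % e}
    proto = version[4:].split(b"-", 1)[0]  # "SSH-protoversion-softwareversion"
    return {"banner": banner, "version": version, "protocol": proto,
            "debug": ["debug1: banner line %d: %s" % (i, b.decode("utf-8", "replace"))
                      for i, b in enumerate(banner)]}
```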



Re: ssh "kex_exchange_identification: Connection closed by remote host"

2019-11-12 Thread Darren Tucker
On Tue, 12 Nov 2019 at 20:47, Darren Tucker  wrote:
> I got this on the second try although the log is not very helpful.
> I'd suggest checking your MaxStartups setting in sshd_config and
> comparing the settings to the numbers of connections you have.

Confirmed that exceeding MaxStartups matches the observed behaviour.
It'll produce the following log message but only at LogLevel verbose
or higher:

drop connection #1 from [127.0.0.1]:45006 on [127.0.0.1]:2022 past MaxStartups




Re: ssh "kex_exchange_identification: Connection closed by remote host"

2019-11-12 Thread Darren Tucker
On Tue, 12 Nov 2019 at 20:31, Darren Tucker  wrote:
[..]
> I'd start by cranking up the client side log level (LogLevel debug3 in
> ~/.ssh/config) and use CVS_RSH="ssh -E logfile" or ssh -y to send the
> logs to syslog.
>
> Is this a public mirror, and if so which one?

bleh, it doesn't support spaces, at least not in the obvious way, so
something like

$ cat ~/bin/ssh-with-logging
#!/bin/sh
# Quote "$@" so arguments containing spaces reach ssh intact.
exec ssh -vvv -E /tmp/ssh.log "$@"

$ CVS_RSH=~/bin/ssh-with-logging cvs -d anon...@anoncvs.spacehopper.org:/cvs up -dPA

I got this on the second try although the log is not very helpful.
I'd suggest checking your MaxStartups setting in sshd_config and
comparing the settings to the numbers of connections you have.

$ CVS_RSH=~/bin/ssh-with-logging cvs -d anon...@anoncvs.spacehopper.org:/cvs co src
cvs [checkout aborted]: end of file from server (consult above messages if any)
$ cat /tmp/ssh.log
OpenSSH_8.1, LibreSSL 3.0.2
debug1: Reading configuration data /home/dtucker/.ssh/config
debug1: /home/dtucker/.ssh/config line 1: Applying options for *
debug1: /home/dtucker/.ssh/config line 3: Deprecated option "useroaming"
debug3: kex names ok: [diffie-hellman-group1-sha1,diffie-hellman-group14-sha1]
debug2: checking match for 'Host gate' host anoncvs.spacehopper.org
originally anoncvs.spacehopper.org
debug3: /home/dtucker/.ssh/config line 99: not matched 'Host
"anoncvs.spacehopper.org"'
debug2: match not found
debug3: kex names ok: [curve25519-sha...@libssh.org,ecdh-sha2-nistp256]
debug3: kex names ok: [ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256]
debug3: kex names ok: [diffie-hellman-group1-sha1]
debug3: kex names ok: [diffie-hellman-group14-sha1,diffie-hellman-group1-sha1]
debug1: /home/dtucker/.ssh/config line 394: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Security key provider $SSH_SK_PROVIDER did not resolve; disabling
debug2: resolving "anoncvs.spacehopper.org" port 22
debug2: ssh_connect_direct
debug1: Connecting to anoncvs.spacehopper.org [195.95.187.28] port 22.
debug2: fd 4 setting O_NONBLOCK
debug1: fd 4 clearing O_NONBLOCK
debug1: Connection established.
debug3: timeout: 29385 ms remain after connect
debug1: identity file /home/dtucker/.ssh/id_rsa type 0
debug1: identity file /home/dtucker/.ssh/id_rsa-cert type -1
debug1: identity file /home/dtucker/.ssh/id_dsa type 1
debug1: identity file /home/dtucker/.ssh/id_dsa-cert type -1
debug1: identity file /home/dtucker/.ssh/id_ecdsa type 2
debug1: identity file /home/dtucker/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/dtucker/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/dtucker/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/dtucker/.ssh/id_ed25519 type 3
debug1: identity file /home/dtucker/.ssh/id_ed25519-cert type -1
debug1: identity file /home/dtucker/.ssh/id_xmss type -1
debug1: identity file /home/dtucker/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.1
kex_exchange_identification: Connection closed by remote host




Re: ssh "kex_exchange_identification: Connection closed by remote host"

2019-11-12 Thread Darren Tucker
On Tue, 12 Nov 2019 at 20:06, Stuart Henderson  wrote:
> Occasionally I see this when connecting to anoncvs on my mirror,
>
> $ cvs -d $CVSROOT di
> kex_exchange_identification: Connection closed by remote host
> cvs [diff aborted]: end of file from server (consult above messages if any)
>
> On the server side, this is logged:
>
> sshd[13009]: error: kex_exchange_identification: read: Connection reset by peer
>
> And others have reported it too. I haven't noticed it with e.g. http/https
> connections to the server.
>
> Does anyone have advice about tracking it down?

I'd start by cranking up the client side log level (LogLevel debug3 in
~/.ssh/config) and use CVS_RSH="ssh -E logfile" or ssh -y to send the
logs to syslog.

Is this a public mirror, and if so which one?
