openssh unix dev - Aug 2003 - ssh_exchange_identification: Connection closed by remote host

Hello,

I encountered the following problem while I typing "ssh -v
<host_name>"

"
hkmarmmspd:/export/home/hkcheung> ssh -v hkmauat
OpenSSH_3.6.1p1, SSH protocols 1.5/2.0, OpenSSL 0x0090701f
debug1: Reading configuration data /usr/local/etc/ssh_config
debug1: Rhosts Authentication disabled, originating port will not be trusted.
debug1: Connecting to hkmauat [172.28.68.52] port 22.
debug1: Connection established.
debug1: identity file /export/home/hkcheung/.ssh/identity type -1
debug1: identity file /export/home/hkcheung/.ssh/id_rsa type -1
debug1: identity file /export/home/hkcheung/.ssh/id_dsa type -1
ssh_exchange_identification: Connection closed by remote host
debug1: Calling cleanup 0x2c95c(0x0)
hkmarmmspd:/export/home/hkcheung> 

".

Strangly, sometime the problem is not occurred.

Can someone give me some advices.

Thanks!

chkbrian wrote:
> I encountered the following problem while I typing "ssh -v
<host_name>"
[snip]
> ssh_exchange_identification: Connection closed by remote host
You should specify your platform and OpenSSH version, but this is almost
certainly due to tcpwrappers configuration.

Add the following line to hosts.allow:
sshd: ALL

It may be in /etc or /usr/local/etc.

Alternatively you could rebuild sshd without "--with-tcp-wrappers".

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Earlier, it was said:

chkbrian wrote:
 >> I encountered the following problem while I typing "ssh -v 
 >><host_name>"
 >>[snip]
 >> ssh_exchange_identification: Connection closed by remote host

 >You should specify your platform and OpenSSH version, but this is
 > almost certainly due to tcpwrappers configuration.
 >
 >Add the following line to hosts.allow:
 >sshd: ALL
 >
 >It may be in /etc or /usr/local/etc.
 >
 >Alternatively you could rebuild sshd without
"--with-tcp-wrappers".



I think I am experiencing the same problem.  I found the following error 
in my logs:

Cannot release PAM authentication

I found a report from October 2002 with a similar problem.  The solution 
there was to re-create the user accounts.  I tried adding an account to 
my server and I can ssh to the new account, but not to my existing account.

I am running RedHat 9.0 with openssh 3.5.  I have tried connecting from 
a RedHat 8.0 box running openshh 3.4 and a tru64 box also with openssh 
3.4, with the same results:  I can login to the new account, but not to 
my existing account.

The problem is not with tcp wrappers, as I can login to one account, but 
not another.  I have tried deleting my ssh keys, my host keys, and 
rebooting my system, none of which has made any difference.

Is there anything else I can check?  I can send any log information that 
you need.

   Alfred Hovdestad
   System Administrator
   University of Saskatchewan

The problem was occurred due to incorrect setting of hosts.allow for tcpwrapper.
We have two interface with different Ip address. Only one interface/ ip address
was granted access right via hosts.allow.

However, always while we want to ssh to hkmauat, the interface/ip address not in
hosts.allow was used. So the access was not successful. If the granted
interface/ip address was in used, the access was okay. So, the problem is not
occurred sometime.

Now, we have modify the hosts.allow in hkmauat to include two interface/ip
address and the problem is resolved.

Thanks.


-----Original message-----
From:Darren Tucker <dtucker at zip.com.au>
To:chkbrian at hongkong.com
Cc:openssh-unix-dev at mindrot.org
Date:Wed, 06 Aug 2003 17:33:44 +1000
Subject:Re: ssh_exchange_identification: Connection closed by remote host

chkbrian wrote:
> I encountered the following problem while I typing "ssh -v
<host_name>"
[snip]
> ssh_exchange_identification: Connection closed by remote host
You should specify your platform and OpenSSH version, but this is almost
certainly due to tcpwrappers configuration.

Add the following line to hosts.allow:
sshd: ALL

It may be in /etc or /usr/local/etc.

Alternatively you could rebuild sshd without "--with-tcp-wrappers".

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Alfred Hovdestad wrote:
> I am running RedHat 9.0 with openssh 3.5.  I have tried connecting from
> a RedHat 8.0 box running openshh 3.4 and a tru64 box also with openssh
> 3.4, with the same results:  I can login to the new account, but not to
> my existing account.
Perhaps your password are expiring?
> The problem is not with tcp wrappers, as I can login to one account, but
> not another.  I have tried deleting my ssh keys, my host keys, and
> rebooting my system, none of which has made any difference.
> 
> Is there anything else I can check?  I can send any log information that
> you need.
Yes, you need to post the *server* side debugging, ie:

/path/to/sshd -ddd -p 2022

then in another window:

ssh -p 2022 servername

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

This has taken far too long to get to you, and I apologize for that.

There are four attachments included:

client.working
client.notworking
server.working
server.notworking

I am running RedHat 9.0 on both systems with all of the latest patches 
from RedHat.  The current rpm for openssh is openssh-3.5p1-6.9.  I have 
PAM configured to use kerberos for password authentication.  The only 
difference in the two scenarios is the Kerberos server.  We have a two 
kerberos servers, one a Windows Domain Controller and the other a Sun.

If I use the Windows DC for Kerberos authentication, I can login at the 
console, I can generate a kerberos ticket (kinit), but I cannot login 
with ssh.

If I use the Sun for kerberos authentication, I can login at the 
console, I can generate a kerberos ticket (kinit), and I can login with ssh.

If I downgrade to the previous rpm from RedHat (openssh-3.5p1-6), I can 
login with ssh to the server.  If it would help, I can also generate the 
log file for the previous version.

If you require more information, please let me know.

     Alfred Hovdestad
     System Administrator
     University of Saskatchewan
     RHCE: 807200142604340


Darren Tucker wrote:
> Alfred Hovdestad wrote:
> 
>>I am running RedHat 9.0 with openssh 3.5.  I have tried connecting from
>>a RedHat 8.0 box running openshh 3.4 and a tru64 box also with openssh
>>3.4, with the same results:  I can login to the new account, but not to
>>my existing account.
> 
> 
> Perhaps your password are expiring?
> 
> 
>>The problem is not with tcp wrappers, as I can login to one account, but
>>not another.  I have tried deleting my ssh keys, my host keys, and
>>rebooting my system, none of which has made any difference.
>>
>>Is there anything else I can check?  I can send any log information that
>>you need.
> 
> 
> Yes, you need to post the *server* side debugging, ie:
> 
> /path/to/sshd -ddd -p 2022
> 
> then in another window:
> 
> ssh -p 2022 servername
> 
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: client.working
Url:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030906/eb0498fc/attachment.ksh
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: client.notworking
Url:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030906/eb0498fc/attachment-0001.ksh
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: server.working
Url:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030906/eb0498fc/attachment-0002.ksh
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: server.notworking
Url:
http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20030906/eb0498fc/attachment-0003.ksh

Alfred Hovdestad wrote:
[snip]
> I am running RedHat 9.0 on both systems with all of the latest patches
> from RedHat.  The current rpm for openssh is openssh-3.5p1-6.9.  I have
> PAM configured to use kerberos for password authentication.  The only
> difference in the two scenarios is the Kerberos server.  We have a two
> kerberos servers, one a Windows Domain Controller and the other a Sun.
> 
> If I use the Windows DC for Kerberos authentication, I can login at the
> console, I can generate a kerberos ticket (kinit), but I cannot login
> with ssh.
> 
> If I use the Sun for kerberos authentication, I can login at the
> console, I can generate a kerberos ticket (kinit), and I can login with
ssh.
> 
> If I downgrade to the previous rpm from RedHat (openssh-3.5p1-6), I can
> login with ssh to the server.  If it would help, I can also generate the
> log file for the previous version.
It sounds like you need to ask Redhat about this one.  Both packages use
the same base OpenSSH version with (presumably) different patches.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.