Home / server / Questions / 583355
Accepted
nitins
Asked: 2014-03-21 01:54:51 +0800 CST

SSH issues: Read from socket failed: Connection reset by peer

  • 772

I compiled OpenSSH_6.6p1 on one of our server. I am able login via SSH to the upgraded server. But I am not able to connect to other servers running OpenSSH_6.6p1 or OpenSSH_5.8 from this. While connecting I am getting an error as below.

Read from socket failed: Connection reset by peer

On the destination server in the logs, I am seeing it as below.

sshd: fatal: Read from socket failed: Connection reset by peer [preauth]

I tried specifying the cipher_spec [ ssh -c aes128-ctr destination-server ] as mentioned in ssh 'connection reset by peer' problem since 5.8p1 (archived version) and was able to connect. How can configure ssh to use the cipher by default? Why is the cipher required here?

linux

5 Answers

  1. Best Answer

    The problem sounds like a server-side bug. When the client sends the list of ciphers the openssh server probably expects to be able to read the list in a single system call.

    If the list of supported ciphers is longer than can be transmitted in one packet, the server may get fewer bytes in the first call than it expected. The correct behavior on the server would be to perform another call to get the rest of the bytes. But from the problem description it appears, the server instead closes the connection when it did not get the full list of ciphers at once. When the next packet from the client arrives, the server will send a connection reset to the client.

    Configuring the client to use a shorter list of ciphers would then work around the bug. The openssh client will look for the list of ciphers in the following places:

    1. On the command line using either -c cipher_spec or -o Ciphers=cipher_spec
    2. In ~/.ssh/config by specifying Ciphers cipher_spec in the relevant host section or before the first host.
    3. In /etc/ssh/ssh_config using the same format as ~/.ssh/config
    4. A default list built into the client at compile time.

    The two configuration files are respectively per-user and system-wide settings. Using Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc like Eric suggested should work fine.

    • 9

  2. You can specify cipher in ssh config file (/etc/ssh/ssh_config or similar, depends on $PREFIX etc). Any option you pass to ssh client on command line can be set in ssh (client) config file.

    Here is the relevant line (just uncomment):

    #   Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
    • 4

  3. My way to fix it, hope it helps someone : 

    # Recreate host keys
sudo rm /etc/ssh/ssh_host_*
sudo ssh-keygen -A

# Re-install SSh
sudo apt-get --reinstall install openssh-server openssh-client

    Edit sshd_config by adding a value

    add :  MaxAuthTries 3

    Edit ssh_config by uncommenting a value

    Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
    • 4

  4. Resolved this issue by modifying below file permissions to 600.

    /etc/ssh/ssh_host_dsa_key
    /etc/ssh/ssh_host_rsa_key
    /etc/ssh/ssh_host_ecdsa_key

    Also modified the permission for all other files inside '/etc/ssh/' to 644. All files files must be owned by 'root'.

    Below are the complete set of commands to assign proper permissions for all the files under '/etc/ssh' directory:

    chown root:root /etc/ssh/* chmod 644 /etc/ssh/*
    chmod 600 /etc/ssh/ssh_host_dsa_key
    chmod 600 /etc/ssh/ssh_host_rsa_key
    chmod 600 /etc/ssh/ssh_host_ecdsa_key

    • 0

  5. My problem that had the exact same symptoms you are seeing was due to truncated host keys. Try recreating them with:

    sudo rm /etc/ssh/ssh_host_*
sudo ssh-keygen -A
    • -1