Re: OpenSSH: cause of random kex_exchange_identification errors?
On Wednesday, February 2, 2022 9:44:32 AM EST Vincent Lefevre wrote:
> When I want to connect with SSH (ssh/scp) to some machine, I sometimes
> get errors, either
>
> kex_exchange_identification: Connection closed by remote host
>
> or
>
> kex_exchange_identification: read: Connection reset by peer
>
> immediately after the connection attempt. This happens randomly,
> and there are some periods where this happens quite often. The
> client machine doesn't seem to matter, and this issue also even
> occurs from machines on the local network.
>
> With ssh -vvv, the output ends with
>
> debug1: Local version string SSH-2.0-OpenSSH_8.7p1 Debian-4
> kex_exchange_identification: read: Connection reset by peer
> Connection reset by [...] port 22
>
> In the source, this corresponds to function kex_exchange_identification
> in kex.c:
>
> len = atomicio(read, ssh_packet_get_connection_in(ssh),
> &c, 1);
> if (len != 1 && errno == EPIPE) {
> error_f("Connection closed by remote host");
> r = SSH_ERR_CONN_CLOSED;
> goto out;
> } else if (len != 1) {
> oerrno = errno;
> error_f("read: %.100s", strerror(errno));
> r = SSH_ERR_SYSTEM_ERROR;
> goto out;
> }
>
> so either with EPIPE or with ECONNRESET, and this apparently occurs
> before the exchange of banners.
>
> I could reproduce the issue with telnet, which gives
>
> [...]
> Escape character is '^]'.
> Connection closed by foreign host.
>
> while one normally has
>
> SSH-2.0-OpenSSH_7.9p1 Debian-10+deb10u2
>
> just after the "Escape character..." line.
>
> Note that this is different from a "Connection refused". Here, the
> connection is accepted, but immediately closed.
>
> The admin of the machine could see nothing particular in the logs.
> He eventually modified the MaxStartups value, but this did not
> solve the issue (but AFAIK, if this were the cause, there would
> have been something about it in the logs). The machine has enough
> available memory.
>
> Any idea about the possible cause of these random errors?
When I change something, like rebooting the rpi4 running my big Sheldon
lathe, from debian buster to debian bullseye, the keyfile changes, and I
get an explicit error telling me to run ssh-keygen to remove the
offending key, which I do, and the next attempt then works as it auto-
registers the new key. But this machine is bullseye, and the stretch
before it, didn't have a self advising failure. The update was forced on
me, a nearly new 2T main drive died in the night losing everything, so I
threw money at it and now I'm booting from a 500G SSD, and 4 1T SSD's are
in a raid10 as /home of 2T capacity. One spinning rust drive remains,
amanda's morgue. I've put smaller SSD's in all my machines now, and the
only problem I've had was on the pi where I'm using usb3 to sata cables
to mount work drives, and an off-brand cable died, replaced the cable wth
a startech brand and the SSD as good, didn't lose a byte. They are about
6x faster than spinning rust, putting new life in old machines. Working
on that fast storage, I can rebuild a v5.16.2-rt12 realtime preempt-rt
kernel in armhf flavor for the rpi4 in around 20 minutes. The first time
I did that on spinning rust and a rpi3, took 13+ hours. And I'm still
running that older kernel on a rpi4. With a full xfc4 gui, it runs until
I cause a power failure by unplugging it. It has a small ups, and
because my now passed wife had COPD, needed a dependable oxygen supply,
there is a 20kw generac in the back yard that starts in about 4 seconds.
FWIW, we've not yet been able to make linuxcnc build on a bullseye
system, boost::python in the 3.9.2 version of python is a total
showstopper. The same calls in buster, work fine with python 3.7.
Probably more than you wanted to know.
Cheers, Gene Heskett.
--
"There are four boxes to be used in defense of liberty:
soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author, 1940)
If we desire respect for the law, we must first make the law respectable.
- Louis D. Brandeis
Genes Web page <http://geneslinuxbox.net:6309/gene>
Reply to: