[wellylug] ssh not playing ball

Ewen McNeill wellylug at ewen.mcneill.gen.nz
Mon Aug 30 21:13:47 NZST 2004 

In message <1093852968.18646.6.camel at munter>, Jamie Baddeley writes:
>I have a box that has decided it doesn't want to be friends anymore.

Perhaps you shouldn't have called it any nasty names :-)

>noc:~# ssh -vvv noc at wlgbk1
>[....]
>ssh_exchange_identification: Connection closed by remote host

That's the bit that matters (the rest, AFAICT, is standard debug output
when ssh is reading ssh v2 keys first trying them as if they're ssh v1
keys -- eg it happens on my own keys (which work just fine) if I use
"-vvv").

"ssh_exchange_identification: Connection closed by remote host" means a
TCP connection was established (you get a different message if the
connect() fails or times out), but was then dropped fairly early on in
the process.  Which in turn means that it's not the firewall rules
blocking the connection but something else.

The most likely suspects on a Debian system are:
- blocked by /etc/hosts.allow and /etc/hosts.deny (ie, TCP wrappers)

- out of some resource which prevents spawning a sshd process to handle
  the incoming connection (normally I'd not say that this was likely but
  you report other network services being unavailable -- and I've tried
  the same connection as you and it disconnects faster than I'd expect
  TCP wrappers to do so)

- it's unable to access some important resource (eg, authentication
  database) because it's not there any more or because the disk isn't
  readable -- but the "disk not readable" case normally also results in
  a longer delay

Assuming that it's not blocked in /etc/hosts.allow or /etc/hosts.deny
the most likely resources to run out of are:
(a) ram/swap
(b) process ids
(c) disk space (eg, /tmp)

Typically you see disk space exhaustion later on in the exchange when it
tries to create authentication sockets or X sockets and you can avoid
that by adding -a (no authentication forwarding) and -x (no X
forwarding) to the command line.  Which didn't help when I tried it.

So my best guess at this stage is that something has caused it to
exhaust either its ram of its process ids.  Examining log messages from
the system (eg, whichever machine it syslogs to) may tell you more about
what is going on.

Ewen

More information about the wellylug mailing list