SSH works in putty but not terminal

24

10

When I try to ssh this in a terminal: ssh username@sub.domain.com I get the following error:
Connection closed by 69.163.227.82

When I use putty, I am able to connect to the server. Why is this happening, and how can I get this to work in a terminal?

ssh -v username@sub.domain.com

OpenSSH_6.0p1 (CentrifyDC build 5.1.0-472) (CentrifyDC build 5.1.0-472), OpenSSL 0.9.8w 23 Apr 2012
debug1: Reading configuration data /etc/centrifydc/ssh/ssh_config
debug1: /etc/centrifydc/ssh/ssh_config line 52: Applying options for *
debug1: Connecting to sub.domain.com [69.163.227.82] port 22.
debug1: Connection established.
debug1: identity file /home/ryannaddy/.ssh/id_rsa type -1
debug1: identity file /home/ryannaddy/.ssh/id_rsa-cert type -1
debug1: identity file /home/ryannaddy/.ssh/id_dsa type -1
debug1: identity file /home/ryannaddy/.ssh/id_dsa-cert type -1
debug1: identity file /home/ryannaddy/.ssh/id_ecdsa type -1
debug1: identity file /home/ryannaddy/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.1p1 Debian-5
debug1: match: OpenSSH_5.1p1 Debian-5 pat OpenSSH_5*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.0
debug1: Miscellaneous failure
Cannot resolve network address for KDC in requested realm

debug1: Miscellaneous failure
Cannot resolve network address for KDC in requested realm

debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by 69.163.227.82

Get Off My Lawn

Posted 2013-03-20T13:41:11.873

Reputation: 1 003

What does ssh -v username@sub.domain.com show? – James Sneeringer – 2013-03-20T13:58:01.503

I updated the main question. Also the server should ask for a password, there are no ssh keys required to login. – Get Off My Lawn – 2013-03-20T14:10:11.867

Did you change any settings from default in PuTTY? – Kruug – 2013-03-20T14:15:44.803

Also, have you tried user@domain.com? Leave out the sub. – Kruug – 2013-03-20T14:16:21.777

@Kruug all putty settings were left as the defaults, and yes I have tried a few combinations: domain.com, subdomain.com, user@domain.com, user@sub.domain.com, 69.163.227.82, user@69.163.227.82 – Get Off My Lawn – 2013-03-20T14:24:02.137

Try ssh -vvv user@69.163.227.82. That should give more detailed output. – Kruug – 2013-03-20T14:29:01.900

1You're using Centrify's build of OpenSSH, which implies your system is AD-integrated. Active Directory uses Kerberos, and OpenSSH is complaining that it can't find the Kerberos KDC, so it's bailing out. What does your /etc/krb5.conf look like? – James Sneeringer – 2013-03-20T14:33:10.670

@JamesSneeringer it has work related stuff in it is that safe to post? – Get Off My Lawn – 2013-03-20T14:58:51.333

@Ryan If you don't know, better to err on the side of caution and not post. Look in it for places where your realm is specified. Make sure all of the KDC's specified for your realm resolve, and many sure their IP addresses properly reverse-resolve as well. This example krb5.conf may help.

– James Sneeringer – 2013-03-20T15:08:27.313

Answers

23

Solution found for me via the following URL: http://www.held.org.il/blog/2011/05/the-myterious-case-of-broken-ssh-client-connection-reset-by-peer/

It even does a pretty good job of explaining what is going on.

Ultimately, I added the following to /etc/ssh/ssh_config:

Host *
SendEnv LANG LC_*
HashKnownHosts yes
GSSAPIAuthentication yes
GSSAPIDelegateCredentials no
Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc
HostKeyAlgorithms ssh-rsa,ssh-dss
MACs hmac-md5,hmac-sha1,hmac-ripemd160

Neither Ciphers, or HostKeyAlgorithms worked on their own, pretty sure MACs put me over the top to get this to work, but I can't be sure, put many hours into getting this solved. I hope this can at least help somebody else.

Edit: This (sometimes) fixes the problem, but probably not in the way you want. --jcwenger

These settings appear to (as a side effect) change the way the ssh client emits packets, and happen to cause it to emit smaller packets. This isn't fixing the problem; it just, sometimes, makes it so that the real problem (MTU fragmentation interacting with stupid firewall rule implementations) isn't triggered.

The correct solution is to set an MTU that works end to end.

Having to manually set MTU to a smaller number to ensure no fragmentation occurs isn't any cleaner (we as users shouldn't have to manually take steps to counter problems caused by our network teams)... but it's at least directly dealing with the actual cause in a reliable and provable way, rather than screwing up SSH's cipher settings in a way that, as a side effect, when the stars align, happens to cause it to not make big packets.

Also, SSH isn't the only thing that makes big packets. Setting MTU keeps the same thing from happening to other protocols too.

mattw

Posted 2013-03-20T13:41:11.873

Reputation: 581

All of these patches are treating the symptom and not the cause. Reducing cipher size has the potential to prevent MTU fragmentation... which is the real problem, brought up by @jagguli below. – jcwenger – 2015-03-09T15:42:34.760

Adding the line "HostKeyAlgorithms ssh-rsa,ssh-dss" into /etc/ssh/ssh_config fixed my issue with not being able to SSH into a Zyxel modem. All the other lines in the above tetbox were already in place on my machine. Thank you for the tip! – Jeff Wright – 2016-02-16T18:40:14.690

5thanks, in my case just the last line MACs hmac-md5,hmac-sha1,hmac-ripemd160 was enough – Tombart – 2013-12-10T22:14:17.127

I had a problem with github - git pull / git push - nothing happened. Tried ssh -T -v git@github.com and got the same error. Used this to solve it. Thank you! – Jason – 2014-01-09T23:21:07.023

I had a similar problem and tried this solution. One side effect is that any connection to a known host would then accuse a host key change. – lfagundes – 2014-02-28T15:18:59.683

8

This worked for me ...

ifconfig eth0 mtu 576

http://fred-web.blogspot.com.au/2012/10/ssh-hang-on-expecting.html

jagguli

Posted 2013-03-20T13:41:11.873

Reputation: 209

6

This fixed the MTU issue without having to hardcode some value, it will fix it for ssh and any other protocol effected by this. As root run the following:

echo 2 > /proc/sys/net/ipv4/tcp_mtu_probing

You can read more about the issue and solution here and here.

Marwan Alsabbagh

Posted 2013-03-20T13:41:11.873

Reputation: 161

Explanation: "It turns out that the kernel /proc file system provides an easy way to enable and disable TCP MTU Probing by changing a value in the ‘file’ /proc/sys/net/ipv4/tcp_mtu_probing. A value of 0 = disabled; 1 = enabled when a black hole router is detected; 2 = always enabled." – Jorj – 2018-12-27T15:28:45.423

1

I was able to solve this issue by forcing to use IPv4 with

ssh -4 username@host.xyz

Since I'm on a Mac I don't know what are the MTU settings here or how to change them, but thought that others may benefit from this.

Bruno Kim

Posted 2013-03-20T13:41:11.873

Reputation: 111

That option forces ssh to use IP4 only. I am on Mac too and it did NOT solve my issue. – Jorj – 2018-12-27T15:25:59.897

1

Did some looking and found the following suggestion here:

Try making sure the following line in your /etc/ssh/ssh_config (NOT sshd_config) is NOT commented out:

Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

You also might try reverting that file back to the default and trying again, i.e. uninstall and reinstall openssh-client IIRC the name of the package.

LawrenceC

Posted 2013-03-20T13:41:11.873

Reputation: 63 487

That didn't fix it :( – Get Off My Lawn – 2013-03-20T15:04:12.910

1

Change the network interface MTU to solve it. This is a bug for ubuntu 14.04.

This worked for me:

sudo ip li set mtu 1200 dev wlan0

Or:

sudo ifconfig wlan0 mtu 1200

ssh fails to connect to VPN host - hangs at 'expecting SSH2_MSG_KEX_ECDH_REPLY'

shgnInc

Posted 2013-03-20T13:41:11.873

Reputation: 375

0

I started having this issue today, on Windows (ssh distributed with Git) and Ubuntu.

It appears to be a bug on OpenSSH, there is a issue on LauchPad.

It worked for me on Windows forcing the 3des-cbc cipher and the key on Ubuntu.

LawfulHacker

Posted 2013-03-20T13:41:11.873

Reputation: 101

0

A bit of a necro here, but I encountered this on OpenSSH_7.8p1, on Linux. The introduction of DSCP marking in recent releases of OpenSSH seems to be tripping up in VMware NAT (Bridged networking was mentioned to be fine in the below links).

You can work around this for now by adding/setting the following to /etc/ssh/ssh_config:

IPQoS lowdelay throughput

Additional factors would be that PuTTY (or other distinct SSH clients) may not be encountering the issue from the same host, and your MTU so far checks out. i.e.:

ping -M do -s 1472 your-ssh-server

These posts were of particular helpfulness and got me to where I needed to be:

https://groups.google.com/forum/#!topic/opensshunixdev/5FK67SCpPg8 https://groups.google.com/forum/#!topic/opensshunixdev/uNd48nGOe7A

Kachunkachunk

Posted 2013-03-20T13:41:11.873

Reputation: 1

-2

ssh -c aes256-ctr works fine;

udara

Posted 2013-03-20T13:41:11.873

Reputation: 1

Why do you believe that this command will solve the problem? – Scott – 2018-03-02T17:51:18.397

Asked: 2013-03-20T13:41:11.873

Viewed: 31 141 times

Active: 2018-09-18T23:22:04.397