How to solve ssh_exchange_identification: connection closed by remote host


Nick Rose

Sometimes, you may encounter errors when connecting to a remote system or server over the SSH protocol. A common error that you are likely to bump into is the ssh_exchange_identification: Connection closed by remote host error which can be downright frustrating. The error is also synonymous with the error: ssh_exchange_identification: read: Connection reset by peer.

Here’s a snippet to get a sense of what the error looks like.

The error stops you right in your tracks from logging into the remote system. Without any intervention, a user cannot have access to the remote system. Thankfully, there are a couple of fixes that can be applied to resolve this issue.

In this tutorial, we explore various workarounds that can help resolve this error.

1. Check the TCP wrapper files – hosts.allow & hosts.deny

One of the most probable causes for this error is server restrictions. The most likely culprit is the TCP wrapper files, which comprise the /etc/hosts.allow and /etc/hosts.deny configuration files. These configuration files provide a mechanism for filtering incoming network traffic and determine which clients are allowed or denied access.

By default, with neither file edited, all clients are usually granted access. If you encounter an issue logging in, take a closer look at both files.

To allow access to a remote host, specify its IP address and service daemon in the /etc/hosts.allow configuration file. For example, to allow SSH access to hosts in the 192.168.2.0 subnet, add the following daemon-client pair. To the left, we have the daemon – in this case, sshd and to the right, we have the IP subnet 192.168.2.*

sshd: 192.168.2.*

To allow a single client, specify only its IP address as shown. This allows that client to reach the server over SSH; any other client is denied only if a matching entry in /etc/hosts.deny blocks it.

sshd: 192.168.2.5

To allow all hosts SSH access, add the line:

sshd: ALL

If there are no entries specified in the /etc/hosts.allow configuration file, head over to the /etc/hosts.deny configuration file and check if any entries are specified.

Clients specified in the /etc/hosts.deny configuration file are denied entry to the server and in my case, all SSH connections were denied access as you can see below in the daemon-client pair.

The solution was to simply remove the entry and restart the SSH daemon.

$ sudo systemctl restart sshd
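
The lookup order behind these two files, as an added example that is not part of the original article: hosts.allow is checked first, then hosts.deny, and a client matching neither is allowed. It handles only the pattern forms used above (ALL, a single IP, * wildcards); the function names and sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example: reproduce the TCP wrapper decision order for one daemon/client pair.
# Only the pattern forms shown on this page are handled: ALL, an exact IP, * wildcards.

list_has() {  # list_has "item, item ..." VALUE -> 0 if VALUE matches ALL or an item
    items=$(printf '%s' "$1" | tr ',' ' ')
    set -f                                   # no filename expansion while splitting
    for item in $items; do
        case $item in ALL) set +f; return 0 ;; esac
        case $2 in $item) set +f; return 0 ;; esac   # unquoted: item acts as a glob
    done
    set +f
    return 1
}

rule_matches() {  # rule_matches FILE DAEMON IP -> 0 if a "daemons: clients" line matches
    [ -r "$1" ] || return 1                  # a missing file behaves like an empty one
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%\#*}                    # strip comments
        case $line in *:*) ;; *) continue ;; esac
        daemons=${line%%:*}
        clients=${line#*:}
        clients=${clients%%:*}               # ignore an optional third field
        if list_has "$daemons" "$2" && list_has "$clients" "$3"; then
            return 0
        fi
    done < "$1"
    return 1
}

tcpwrap_decision() {  # tcpwrap_decision ALLOW_FILE DENY_FILE DAEMON IP
    if rule_matches "$1" "$3" "$4"; then
        echo "allow (hosts.allow)"           # hosts.allow is consulted first
    elif rule_matches "$2" "$3" "$4"; then
        echo "deny (hosts.deny)"
    else
        echo "allow (no matching rule)"
    fi
}

# Constructed sample files (not taken from a real server).
demo=$(mktemp -d)
printf 'sshd: 192.168.2.*\n' > "$demo/hosts.allow"
printf '# block everyone else\nsshd: ALL\n' > "$demo/hosts.deny"
for ip in 192.168.2.5 10.0.0.7; do
    printf '%s -> %s\n' "$ip" "$(tcpwrap_decision "$demo/hosts.allow" "$demo/hosts.deny" sshd "$ip")"
done
rm -rf "$demo"
```

Point the first two arguments at /etc/hosts.allow and /etc/hosts.deny to see which file decides the outcome for the client address that is being rejected.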

2. Adjust connection limit in the SSH configuration file

Another possible fix is to increase the number of concurrent unauthenticated SSH connections. This is specified by the MaxStartups attribute in the SSH configuration file, whose default value is 10. This should be okay in most cases.

You can verify this by checking the SSH configuration file as follows:

$ grep MaxStartups /etc/ssh/sshd_config

However, if you are still having an issue, consider setting the attribute to a higher value.

3. Remove the remote host’s SSH public keys on the client & try reconnecting

When a user connects to a remote host or server via SSH for the first time, the public key of the remote system is saved in the ~/.ssh/known_hosts file on the client's system.

The known_hosts file on the client allows the client to authenticate the server, while the authorized_keys file on the server authenticates the client.

To resolve the ssh_exchange_identification error, delete the public key of the server which is stored in the known_hosts file, and try reconnecting once again. This has proven to work especially if the server's public key in the known_hosts file is corrupted.

So, open the known_hosts file using your favorite text editor and delete the public key. Save and exit. Then finally initiate an SSH connection to the server to save its public key yet again in the known_hosts file.

4. Install missing dependencies

The error could also be attributed to missing dependencies or libraries that are required by the SSH service. In that case, you might consider fixing any broken packages as shown on Ubuntu / Debian systems.

$ sudo apt-get upgrade -f

For RHEL / CentOS systems, simply upgrade the system to correct any unmet dependencies or address broken packages.

$ sudo yum update

Once done, be sure to reboot your server and try, once again, reconnecting.

Conclusion

We have highlighted four solutions that can come in handy to resolve the ssh_exchange_identification error. We hope you are more enlightened and can easily troubleshoot the issue.
