Stack Exchange Network
Stack Exchange network consists of 183 Q&A communities including
Stack Overflow
, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers.
Visit Stack Exchange
Server Fault is a question and answer site for system and network administrators. It only takes a minute to sign up.
Sign up to join this community
Teams
Q&A for work
Connect and share knowledge within a single location that is structured and easy to search.
Learn more about Teams
Questions seeking
installation, configuration or diagnostic help
must include
the desired end state, the specific problem or error, sufficient information about the configuration and environment to reproduce it, and attempted solutions
. Questions without
a clear problem statement
are not useful to other readers and are unlikely to get good answers.
Closed
3 years ago
.
We have a server on Amazon EC2 running SSH is on a standard (22) port.
I placed my public key at the
<username>/.ssh/authorized_keys
file.
The fun thing is that yesterday it was working great! But today, I don't know what happened! I just can't log in.
ssh -vvvv servername
is stuck on
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
I got someone to confirm that my public key is there.
I added a new public key from another computer (windows 7 + putty) and I was able to log in. This other computer with Win7 is on the same LAN which means that the external IP is the same.
My private key works for other servers but not with this.
–
–
–
Change the network interface MTU to solve it. This is a bug for ubuntu 14.04.
This worked for me:
sudo ip li set mtu 1200 dev wlan0
sudo ifconfig wlan0 mtu 1200
ssh fails to connect to VPN host - hangs at 'expecting SSH2_MSG_KEX_ECDH_REPLY'
–
–
–
In my case, I have no permission to lower the MTU size. And manually specifying the Cipher does not work.
I am able to connect after shortening the MACs list by specifying one, e.g.:
ssh -o MACs=hmac-sha2-256 <HOST>
–
–
–
–
–
Same exact problem here to access a dedicated server at the online.net datacenter.
Theres no problem after a reboot, no need to change MTU, ssh connection works for 1-3 weeks, then appears this exact same bug , blocking on KEXINIT, no more possible to connect the ssh server.
It could be some kind of sshd bug, but its necessarily triggered by some nework stuff happening after 1-3 weeks, I reproduced this exact problem many times with many different servers on this network, some say it could be related to a cisco bug, possibly related with some DPI options.
That problem never happened with other servers I manage in other datacenters, and that have the exact same distro, config and sshd version .
if you dont want to reboot every 10 days because the datacenter firewalls ( or other network tweaks ) is doing weird stuff :
first connect with one of those client side workarounds :
workaround 1, lowering your local, client side MTU :
ip li set mtu 1400 dev wlan0
( 1400 should be enough but you can try to use lower values if needed )
workaround 2, specifying the chosen cypher for the ssh connection :
ssh -c [email protected] host
(or try with any another available cypher )
Both of those client side workarounds made it for me, I could connect and save my uptime; but you want to fix this server-side, forever, so you dont have to ask every client to locally tweak their MTU.
On gentoo i just added :
mtu_eth0="1400"
in /etc/conf.d/net
( same mtu option should be available somewhere in your preferred distro network config file )
I ve set the mtu to 1400, but 1460 is probably enough in most cases.
another helping workaround could be to use the following iptables rules to manage fragmentation :
# /sbin/iptables -I OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# /sbin/ip6tables -I OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
( but I personaly didnt need this one until now )
also note that the symptoms of this problem can also be :
debug1: SSH2_MSG_KEXINIT sent
not just
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
edit march 2016 :
lowering the mtu to 1400 on the server most always work, but I recently had the case where mtu was already lowered to 1400 on the server and the problem reappeared, and the client also had to lower mtu to 1400.
The problem also appeared on web login forms waiting for the page to reload until saying "the server have reset the connection", also fixed after the client set the mtU to 1400.
related links :
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1254085
http://www.held.org.il/blog/2011/05/the-myterious-case-of-broken-ssh-client-connection-reset-by-peer/
https://nowhere.dk/articles/natty-narwhal-problems-connecting-to-servers-behind-cisco-firewalls-using-ssh
https://stackoverflow.com/questions/2419412/ssh-connection-stop-at-debug1-ssh2-msg-kexinit-sent
http://www.1-script.com/forums/ssh/ssh-hang-after-ssh2-msg-kexinit-sent-10616-.htm
http://www.snailbook.com/faq/mtu-mismatch.auto.html
–
–
I had the same problem after I upgraded my Ubuntu client machine. I solved my problem by reducing the size of the line "Ciphers" in /etc/ssh/ssh_config. It also works if you specify the cypher in the command line (ex: ssh -c username@hostname)
Tip from here:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/708493/comments/39
Changing the KexAlgorithm worked for me, and might be an option where you don't have the system rights to change MTU settings. This might also be one for the OpenSSH crew to address. e.g.
ssh -o KexAlgorithms=ecdh-sha2-nistp521 [email protected]
I started having this issue today, on Windows (ssh distributed with Git) and Ubuntu.
It appears to be a bug on OpenSSH, there is a issue on LauchPad.
It worked for me on Windows forcing the 3des-cbc cipher and the key on Ubuntu.
–
