[Freeipa-users] ssh_exchange_identification: Connection closed by remote host

Alexander Bokovoy abokovoy at redhat.com
Fri Aug 28 15:28:48 UTC 2015


On Fri, 28 Aug 2015, Roberto Cornacchia wrote:
>Hi,
>
>I have two hosts, "photon" and "hadron", and an LDAP user "roberto".
>The user can login successfully on both machines.
>
>The SSH pub key is uploaded.
>Running "sss_ssh_authorizedkeys roberto" from both clients returns the same
>key.
>
>Port 22 is open on both clients, sshd is running on both clients.
>
>On both clients, /etc/ssh/ssh_config is:
>Host *
>GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
>PubkeyAuthentication yes
>ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
>GSSAPIAuthentication yes
>
>On both clients, /etc/ssh/sshd_config is:
>KerberosAuthentication no
>PubkeyAuthentication yes
>UsePAM yes
>AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
>GSSAPIAuthentication yes
>AuthorizedKeysCommandUser nobody
>
>
>However, ssh from hadron to photon works, the other way around doesn't:
>
>roberto at photon $ ssh -vv hadron
>OpenSSH_6.9p1, OpenSSL 1.0.1k-fips 8 Jan 2015
>debug1: Reading configuration data /etc/ssh/ssh_config
>debug1: /etc/ssh/ssh_config line 56: Applying options for *
>debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p
>22 hadron
>debug1: permanently_drop_suid: 1172000006
>debug1: identity file /home/roberto/.ssh/id_rsa type 1
>debug1: key_load_public: No such file or directory
>debug1: identity file /home/roberto/.ssh/id_rsa-cert type -1
>debug1: key_load_public: No such file or directory
>debug1: identity file /home/roberto/.ssh/id_dsa type -1
>debug1: key_load_public: No such file or directory
>debug1: identity file /home/roberto/.ssh/id_dsa-cert type -1
>debug1: key_load_public: No such file or directory
>debug1: identity file /home/roberto/.ssh/id_ecdsa type -1
>debug1: key_load_public: No such file or directory
>debug1: identity file /home/roberto/.ssh/id_ecdsa-cert type -1
>debug1: key_load_public: No such file or directory
>debug1: identity file /home/roberto/.ssh/id_ed25519 type -1
>debug1: key_load_public: No such file or directory
>debug1: identity file /home/roberto/.ssh/id_ed25519-cert type -1
>debug1: Enabling compatibility mode for protocol 2.0
>debug1: Local version string SSH-2.0-OpenSSH_6.9
>*ssh_exchange_identification: Connection closed by remote host*
>
>
>If I include a few other cases, this is the summary:
>- photon to hadron FAILS
>- photon to photon SUCCEEDS
>- photon to ipa server SUCCEEDS
>- photon to (non-ipa-client) FAILS before asking password (no keypair
>authentication expected here)
>
>- hadron to photon SUCCEEDS
>- hadron to hadron FAILS
>- hadron to ipa server SUCCEEDS
>- hadron to (non-ipa-client) FAILS before asking password (no keypair
>authentication expected here)
>
>I know that the error above is quite generic, so I don't expect someone can
>point out the exact cause, but perhaps someone can help me debug this? What
>could I look at?
Launch the following command under root:
  /usr/bin/sss_ssh_knownhostsproxy --debug 10 -p 22 hadron
  echo $?
and see what it returns

You will also get debug output from the run in syslog or journald, like:
Aug 28 15:25:37 m1.example.com sss_ssh_knownhostsproxy[17049]: sss_ssh_get_ent() failed (2): No such file or directory
Aug 28 15:25:37 m1.example.com sss_ssh_knownhostsproxy[17049]: connect() failed (113): No route to host

-- 
/ Alexander Bokovoy
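As an added example (not part of the thread), a small Python triage of the journald lines the reply points to: it pulls the failing call and errno out of each sss_ssh_knownhostsproxy line and separates an SSSD lookup failure from a plain network failure. The sample log is constructed, and the errno-to-hint mapping is my own reading of the Linux errno values, not something the thread states.

```python
import re

# Constructed sample: two sss_ssh_knownhostsproxy lines in the shape shown in
# the reply, plus an unrelated sshd line that the parser must ignore.
SAMPLE_LOG = """\
Aug 28 15:25:37 m1.example.com sss_ssh_knownhostsproxy[17049]: sss_ssh_get_ent() failed (2): No such file or directory
Aug 28 15:25:37 m1.example.com sss_ssh_knownhostsproxy[17049]: connect() failed (113): No route to host
Aug 28 15:25:38 m1.example.com sshd[17050]: Accepted publickey for roberto from 192.0.2.10 port 51234 ssh2
"""

# Matches "<func>() failed (<errno>): <strerror>" lines from the proxy only.
PROXY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"sss_ssh_knownhostsproxy\[(?P<pid>\d+)\]: "
    r"(?P<func>\w+)\(\) failed \((?P<errno>\d+)\): (?P<msg>.*)$"
)

# Where to look next for each (function, errno) pair. Assumption: this mapping
# is my own reading of Linux errno values, not stated anywhere in the thread.
HINTS = {
    ("sss_ssh_get_ent", 2): "ENOENT: SSSD has no host entry for the target; "
                            "check the host's sshpubkey in IPA and the sssd_ssh log",
    ("connect", 113): "EHOSTUNREACH: the TCP connect to the target failed, "
                      "a routing/firewall problem rather than an SSSD one",
    ("connect", 111): "ECONNREFUSED: nothing listening on that port",
    ("connect", 110): "ETIMEDOUT: packets dropped between the hosts",
}

def parse_proxy_failures(text):
    """Return one dict per failed call logged by sss_ssh_knownhostsproxy."""
    out = []
    for line in text.splitlines():
        m = PROXY_RE.match(line)
        if m:
            d = m.groupdict()
            d["errno"] = int(d["errno"])
            out.append(d)
    return out

def triage(text):
    """Pair each failure with a hint; unknown pairs fall back to the strerror."""
    return [
        (f["func"], f["errno"], HINTS.get((f["func"], f["errno"]), f["msg"]))
        for f in parse_proxy_failures(text)
    ]

if __name__ == "__main__":
    for func, err, hint in triage(SAMPLE_LOG):
        print(f"{func}() errno {err}: {hint}")
```

Feed it the output of `journalctl -t sss_ssh_knownhostsproxy` (or the matching syslog lines) after running the proxy with `--debug 10` as the reply describes.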
