[Freeipa-users] ssh_exchange_identification: Connection closed by remote host

Sumit Bose sbose at redhat.com
Fri Aug 28 15:35:20 UTC 2015


On Fri, Aug 28, 2015 at 05:10:31PM +0200, Roberto Cornacchia wrote:
> Hi,
> 
> I have two hosts, "photon" and "hadron", and an LDAP user "roberto".
> The user can login successfully on both machines.
> 
> The SSH pub key is uploaded.
> Running "sss_ssh_authorizedkeys roberto" from both clients returns the same
> key.
> 
> Port 22 is open on both clients, sshd is running on both clients.
> 
> On both client, /etc/ssh/ssh_config is:
> Host *
> GlobalKnownHostsFile /var/lib/sss/pubconf/known_hosts
> PubkeyAuthentication yes
> ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h
> GSSAPIAuthentication yes
> 
> On both clients, /etc/ssh/sshd_config is:
> KerberosAuthentication no
> PubkeyAuthentication yes
> UsePAM yes
> AuthorizedKeysCommand /usr/bin/sss_ssh_authorizedkeys
> GSSAPIAuthentication yes
> AuthorizedKeysCommandUser nobody
> 
> 
> However, ssh from hadron to photon works, the other way around doesn't:
> 
> roberto at photon $ ssh -vv hadron
> OpenSSH_6.9p1, OpenSSL 1.0.1k-fips 8 Jan 2015
> debug1: Reading configuration data /etc/ssh/ssh_config
> debug1: /etc/ssh/ssh_config line 56: Applying options for *
> debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p
> 22 hadron
> debug1: permanently_drop_suid: 1172000006
> debug1: identity file /home/roberto/.ssh/id_rsa type 1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/roberto/.ssh/id_rsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/roberto/.ssh/id_dsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/roberto/.ssh/id_dsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/roberto/.ssh/id_ecdsa type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/roberto/.ssh/id_ecdsa-cert type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/roberto/.ssh/id_ed25519 type -1
> debug1: key_load_public: No such file or directory
> debug1: identity file /home/roberto/.ssh/id_ed25519-cert type -1
> debug1: Enabling compatibility mode for protocol 2.0
> debug1: Local version string SSH-2.0-OpenSSH_6.9
> *ssh_exchange_identification: Connection closed by remote host*
> 
> 
> If I include a few other cases, this is the summary:
> - photon to hadron FAILS
> - photon to photon SUCCEEDS
> - photon to ipa server SUCCEEDS
> - photon to (non-ipa-client) FAILS before asking password (no keypair
> authentication expected here)
> 
> - hadron to photon SUCCEEDS
> - hadron to hadron FAILS
> - hadron to ipa server SUCCEEDS
> - hadron to (non-ipa-client) FAILS before asking password (no keypair
> authentication expected here)
> 
> I know that the error above is quite generic, so I don't expect someone can
> point out the exact cause, but perhaps someone can help me debug this? What
> could I look at?

Do you have any HBAC rules for hadron activated on the IPA server?

If not, can you activate sshd debug logging on hadron by setting
LogLevel to DEBUG3 in sshd_config and restarting sshd? Maybe they have
some useful information.

HTH

bye,
Sumit

> 
> Thanks,
> Roberto

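An added triage helper, not part of the thread, that reads the `ssh -vv` transcript quoted above and reports how far the connection got before it was closed. The sample log is the one from the post (with the wrapped proxy-command line joined); the phase names are this example's own.

```python
import re

# Constructed from the ssh -vv output quoted in the thread (photon -> hadron).
THREAD_LOG = """\
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 hadron
debug1: identity file /home/roberto/.ssh/id_rsa type 1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.9
ssh_exchange_identification: Connection closed by remote host
"""

# Lines OpenSSH prints as the session advances; each implies the earlier ones.
# Checked from latest to earliest so the first hit is the furthest phase reached.
PHASES = [
    ("auth", "Authentications that can continue"),  # server offered auth methods
    ("kex", "Remote protocol version"),             # server banner was received
    ("connect", "Local version string"),            # client sent its own banner
]

def triage(log):
    """Return (phase_reached, proxy_command) for one ssh -v/-vv transcript.

    'connect' means the client sent its banner but never saw the server's, so
    the drop happened before key exchange and before any authentication step:
    AuthorizedKeysCommand, PAM and HBAC evaluation run only later.  With a
    ProxyCommand in use the client cannot tell whether the proxy or the remote
    sshd closed the stream, which is why the server-side log is needed.
    """
    proxy = None
    m = re.search(r"Executing proxy command: (?:exec )?(.+)", log)
    if m:
        proxy = m.group(1).strip()
    for name, marker in PHASES:
        if marker in log:
            return name, proxy
    return "none", proxy

if __name__ == "__main__":
    phase, proxy = triage(THREAD_LOG)
    print("furthest phase:", phase)
    print("proxy command :", proxy)
```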