Cannot SSH: debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY [closed]

ssh security linux amazon-ec2

We have a server XXX ON Amazon EC2.

SSH is running on a standard (22) port.

I placed my pubkey at the /.ssh/authorized_keys file

The fun thing is that YESTERDAY it was working great!

But today, I don't know what happened! I just can't log in.

ssh -vvvv servername

is stuck on

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

I checked my pubkey and it's there! (how I checked?? I asked the other guy to check)

and then I used another computer (windows 7 + putty) and placed my new pubkey. ANd what? I was able to log in! And that's another computer with Win7 is ont the same LAN which menas that the external IP is the same.

My private key works for other servers but not with this.

Please help!


Change the network interface MTU to solve it. This is a bug for ubuntu 14.04.

This worked for me:

sudo ip li set mtu 1200 dev wlan0

OR

sudo ifconfig wlan0 mtu 1200

ssh fails to connect to VPN host - hangs at 'expecting SSH2_MSG_KEX_ECDH_REPLY'


Same exact problem here to access a dedicated server at the online.net datacenter.

Theres no problem after a reboot, no need to change MTU, ssh connection works for 1-3 weeks, then appears this exact same bug , blocking on KEXINIT, no more possible to connect the ssh server.

It could be some kind of sshd bug, but its necessarily triggered by some nework stuff happening after 1-3 weeks, I reproduced this exact problem many times with many different servers on this network, some say it could be related to a cisco bug, possibly related with some DPI options.

That problem never happened with other servers I manage in other datacenters, and that have the exact same distro, config and sshd version .

if you dont want to reboot every 10 days because the datacenter firewalls ( or other network tweaks ) is doing weird stuff :

first connect with one of those client side workarounds :

workaround 1, lowering your local, client side MTU :

ip li set mtu 1400 dev wlan0

( 1400 should be enough but you can try to use lower values if needed )

workaround 2, specifying the chosen cypher for the ssh connection :

ssh -c [email protected] host

(or try with any another available cypher )

Both of those client side workarounds made it for me, I could connect and save my uptime; but you want to fix this server-side, forever, so you dont have to ask every client to locally tweak their MTU.

On gentoo i just added : 

mtu_eth0="1400"

in /etc/conf.d/net

( same mtu option should be available somewhere in your preferred distro network config file )

I ve set the mtu to 1400, but 1460 is probably enough in most cases.

another helping workaround could be to use the following iptables rules to manage fragmentation :

# /sbin/iptables -I OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

# /sbin/ip6tables -I OUTPUT -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu

( but I personaly didnt need this one until now )

also note that the symptoms of this problem can also be : 

debug1: SSH2_MSG_KEXINIT sent

not just 

debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY

edit march 2016 :

  • lowering the mtu to 1400 on the server most always work, but I recently had the case where mtu was already lowered to 1400 on the server and the problem reappeared, and the client also had to lower mtu to 1400.

  • The problem also appeared on web login forms waiting for the page to reload until saying "the server have reset the connection", also fixed after the client set the mtU to 1400.

    related links :

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1254085

http://www.held.org.il/blog/2011/05/the-myterious-case-of-broken-ssh-client-connection-reset-by-peer/

https://nowhere.dk/articles/natty-narwhal-problems-connecting-to-servers-behind-cisco-firewalls-using-ssh

https://stackoverflow.com/questions/2419412/ssh-connection-stop-at-debug1-ssh2-msg-kexinit-sent

http://www.1-script.com/forums/ssh/ssh-hang-after-ssh2-msg-kexinit-sent-10616-.htm

http://www.snailbook.com/faq/mtu-mismatch.auto.html


In my case, I have no permission to lower the MTU size. And manually specifying the Cipher does not work.

I am able to connect after shortening the MACs list by specifying one, e.g.:

ssh -o MACs=hmac-sha2-256 <HOST>

I had the same problem after I upgraded my Ubuntu client machine. I solved my problem by reducing the size of the line "Ciphers" in /etc/ssh/ssh_config. It also works if you specify the cypher in the command line (ex: ssh -c username@hostname)

Tip from here:

https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/708493/comments/39


Changing the KexAlgorithm worked for me, and might be an option where you don't have the system rights to change MTU settings. This might also be one for the OpenSSH crew to address. e.g.

ssh -o KexAlgorithms=ecdh-sha2-nistp521 [email protected]

Related

Linux command line utility to resolve host names using /etc/hosts first
How do I tell if apache is running as prefork or worker?
When to use delaycompress option in logrotate?
Is there any way to get APT to install packages to my home directory?
Linux on VMware - why use partitioning?
How does SSO with Active Directory work whereby users are transparently logged in to an intranet web app?
Confidential Documentation and the role of the Sysadmin
nginx without server_name and using only static ip address?
When do DNS queries use TCP instead of UDP? [duplicate]
How useful is mounting /tmp noexec?
How can I detect if a server is using SNI for HTTPS?
How to verify an imported GPG key