Solve ssh_exchange_identification connection closed by remote host

I’ve encountered this error message on a CentOS 7 system, the next day after i’ve enrolled it in freeIPA. Until then, SSH from it to other hosts worked fine.

Running the SSH in verbose shows :

[root@my-test-server .ssh]# ssh root@10.10.10.2 -vvvvvvv
OpenSSH_6.6.1, OpenSSL 1.0.1e-fips 11 Feb 2013
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 60: Applying options for *
debug1: Executing proxy command: exec /usr/bin/sss_ssh_knownhostsproxy -p 22 10.10.10.2
debug1: permanently_set_uid: 0/0
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1
debug1: permanently_drop_suid: 0
ssh_exchange_identification: Connection closed by remote host

From the log we can see executing proxy command causes a connection to 10.10.10.2

To solve this edit /etc/ssh/ssh_config and comment the following line

#ProxyCommand /usr/bin/sss_ssh_knownhostsproxy -p %p %h

Other solutions include :
– too many SSH sessions
– check /etc/hosts.deny and /etc/hosts.allow
– after an upgrade to glibc or openssl, you may have missing dependencies
– corrupted fingerprint / keys (recreate ~/.ssh/authorized_keys)

Leave a Reply

Your email address will not be published.

*

This site uses Akismet to reduce spam. Learn how your comment data is processed.