Disclaimer: This article may contain information about third-party products. Such information is for reference only. Alibaba Cloud does not make any guarantee, express or implied, with respect to the performance and reliability of third-party products, as well as potential impacts of operations on the products.
Problem description
When you use SSH to connect to an ECS instance of Linux, the secure logs of the client or server may display information similar to the following. In this case, you may fail to log on to the ECS instance.
- Read from socket failed: Connection reset by peer.
- Connection closed by 192.X.X.1.
- sshd error: could not load host key.
- fatal: No supported key exchange algorithms [preauth].
- DSA host key for 192.X.X.1 has changed and you have requested strict checking.
- Host key verification failed.
- ssh_exchange_identification: read: Connection reset by peer.
Cause
The common cause of this problem is that the sshd daemon process cannot load the correct SSH host key because the key file related to the SSH service is abnormal, as shown below.
Note: The following table describes the causes of common issues. You can analyze the causes based on the actual scenario.
- The related key file is abnormal, such as file corruption, deletion, or tampering.
- The permissions of related key files are incorrectly configured, and the data cannot be read correctly.
Solution
Alibaba Cloud reminds you that:
- Before you perform operations that may cause risks, such as modifying instance configurations or data, we recommend that you check the disaster recovery and fault tolerance capabilities of the instances to ensure data security.
- If you modify the configurations and data of instances including but not limited to ECS and RDS instances, we recommend that you create snapshots or enable RDS log backup.
- If you have authorized or submitted security information such as the logon account and password in the Alibaba Cloud Management console, we recommend that you modify such information in a timely manner.
To resolve this issue, check or modify the following configurations based on different situations.
Check File permissions
The SSH service checks the permissions for the relevant key files. For example, the default permission for a private key is 600. If this policy is configured to 777, the other user has the permission to read or modify the file. The SSH service considers the configuration to be a security risk, causing the client to fail to connect.
- Log on to the instance and run the following command to restore the default permissions of related files:
cd /etc/ssh/
chmod 600 ssh_host_*
chmod 644 *.pub - Run the ll command to check that the file permissions are correct.
total 156
-rw-------. 1 root root 125811 Nov 23 2013 moduli
-rw-r--r--. 1 root root 2047 Nov 23 2013 ssh_config
-rw------- 1 root root 3639 May 16 11:43 sshd_config
-rw------- 1 root root 668 May 20 23:31 ssh_host_dsa_key
-rw-r--r-- 1 root root 590 May 20 23:31 ssh_host_dsa_key.pub
-rw------- 1 root root 963 May 20 23:31 ssh_host_key
-rw-r--r-- 1 root root 627 May 20 23:31 ssh_host_key.pub
-rw------- 1 root root 1675 May 20 23:31 ssh_host_rsa_key
-rw-r--r-- 1 root root 382 May 20 23:31 ssh_host_rsa_key.pub
Check File validity
- If you refer to the preceding steps, you cannot connect to the instance normally after you modify the related file permissions. The SSH service automatically rebuilds the lost key file when it starts. Run the following commands in sequence to confirm that the ssh_host_* file exists.
cd /etc/ssh/
The following command output is returned.
lltotal 156 -rw-------. 1 root root 125811 Nov 23 2013 moduli -rw-r--r--. 1 root root 2047 Nov 23 2013 ssh_config -rw------- 1 root root 3639 May 16 11:43 sshd_config -rw------- 1 root root 672 May 20 23:08 ssh_host_dsa_key -rw-r--r-- 1 root root 590 May 20 23:08 ssh_host_dsa_key.pub -rw------- 1 root root 963 May 20 23:08 ssh_host_key -rw-r--r-- 1 root root 627 May 20 23:08 ssh_host_key.pub -rw------- 1 root root 1675 May 20 23:08 ssh_host_rsa_key -rw-r--r-- 1 root root 382 May 20 23:08 ssh_host_rsa_key.pub
- Run the following command to delete the relevant files:
rm -rf ssh_host_*
Note: for Ubuntu or Debain, you can run the following command to delete related files:
sudo rm -r /etc/ssh/ssh*key - Run the ll command to confirm that the file is deleted successfully.
total 132 -rw-------. 1 root root 125811 Nov 23 2013 moduli -rw-r--r--. 1 root root 2047 Nov 23 2013 ssh_config -rw------- 1 root root 3639 May 16 11:43 sshd_config
- Run the following command to restart the SSH service and the related files will be automatically generated.
service sshd restart
Note: for Ubuntu or Debain, you can run the following command to restart SSH:
sudo dpkg-reconfigure openssh-server - Run the ll command to confirm that the ssh_host_* file is generated.
total 156 -rw-------. 1 root root 125811 Nov 23 2013 moduli -rw-r--r--. 1 root root 2047 Nov 23 2013 ssh_config -rw------- 1 root root 3639 May 16 11:43 sshd_config -rw------- 1 root root 668 May 20 23:16 ssh_host_dsa_key -rw-r--r-- 1 root root 590 May 20 23:16 ssh_host_dsa_key.pub -rw------- 1 root root 963 May 20 23:16 ssh_host_key -rw-r--r-- 1 root root 627 May 20 23:16 ssh_host_key.pub -rw------- 1 root root 1671 May 20 23:16 ssh_host_rsa_key -rw-r--r-- 1 root root 382 May 20 23:16 ssh_host_rsa_key.pub
References
If the problem persists, seeguidelines for troubleshooting failure to remotely log on to a Linux instance through SSH for further troubleshooting and analysis.
Application scope
- Elastic Compute Service