简体繁体 English

怎么修？ “kex_exchange_identification：读取：连接由对等方重置”

[英]How to fix? "kex_exchange_identification: read: Connection reset by peer"

原文 2021-09-30 14:28:21 7 12 ssh/ gitlab-ci/ pipeline/ scp/ sshd

I want to copy data with scp in GitLab pipeline using PRIVATE_KEY error is:我想使用 PRIVATE_KEY 错误在 GitLab 管道中使用scp复制数据是：

kex_exchange_identification: read: Connection reset by peer
Connection reset by x.x.x.x port 22
lost connection

pipeline log:管道日志：

$ mkdir -p ~/.ssh
$ echo "$SSH_PRIVATE_KEY" | tr -d '\r' > ~/.ssh/id_rsa
$ chmod 600 ~/.ssh/id_rsa
$ eval "$(ssh-agent -s)"
Agent pid 22

$ ssh-add ~/.ssh/id_rsa
Identity added: /root/.ssh/id_rsa (/root/.ssh/id_rsa)

$ ssh-keyscan -H $IP >> ~/.ssh/known_hosts
# x.x.x.x:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10
# x.x.x.x:22 SSH-2.0-OpenSSH_7.2p2 Ubuntu-4ubuntu2.10

$ scp -rv api.yml root@$IP:/home/services/test/
Executing: program /usr/bin/ssh host x.x.x.x, user root, command scp -v -r -t /home/services/test/

OpenSSH_8.6p1, OpenSSL 1.1.1l  24 Aug 2021
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Authenticator provider $SSH_SK_PROVIDER did not resolve; disabling
debug1: Connecting to x.x.x.x [x.x.x.x] port 22.
debug1: Connection established.
debug1: identity file /root/.ssh/id_rsa type -1
debug1: identity file /root/.ssh/id_rsa-cert type -1
debug1: identity file /root/.ssh/id_dsa type -1
debug1: identity file /root/.ssh/id_dsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa type -1
debug1: identity file /root/.ssh/id_ecdsa-cert type -1
debug1: identity file /root/.ssh/id_ecdsa_sk type -1
debug1: identity file /root/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /root/.ssh/id_ed25519 type -1
debug1: identity file /root/.ssh/id_ed25519-cert type -1
debug1: identity file /root/.ssh/id_ed25519_sk type -1
debug1: identity file /root/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /root/.ssh/id_xmss type -1
debug1: identity file /root/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.6
kex_exchange_identification: read: Connection reset by peer
Connection reset by x.x.x.x port 22
lost connection

12 个解决方案

kex_exchange_identification: read: Connection reset by peer

When an ssh client connects to an ssh server, the server starts by sending a version string to the client.当 ssh 客户端连接到 ssh 服务器时，服务器首先向客户端发送版本字符串。 The error that you're getting means that the TCP connection from the client to the server was "abnormally closed" while the client was waiting for this data from the server, in other words immediately after the TCP connection was opened.您收到的错误意味着从客户端到服务器的 TCP 连接“异常关闭”，而客户端正在等待来自服务器的此数据，换句话说，在 TCP 连接打开后立即。

As a practical matter, it's likely to mean one of two things:实际上，它可能意味着以下两种情况之一：

The ssh server process malfunctioned (crashed), or perhaps it detected some serious issue causing it to exit immediately. ssh 服务器进程出现故障（崩溃），或者它可能检测到一些严重问题导致它立即退出。
Some firewall is interfering with connections to the ssh server.某些防火墙正在干扰与 ssh 服务器的连接。

It looks like the ssh-keyscan program was able to connect to the server and get a version string without an error.看起来 ssh-keyscan 程序能够连接到服务器并获得版本字符串而没有错误。 So the ssh server process is apparently able to talk to a client without crashing.因此 ssh 服务器进程显然能够与客户端通信而不会崩溃。

You should talk the administrators of this xxxx host and the network that it's attached to, to see if they can identify the problem from their end.您应该与此 xxxx 主机的管理员及其所连接的网络交谈，看看他们是否可以从他们的角度识别问题。 It's possible that something--a firewall, or the ssh server process itself--is seeing the multiple connections, first from the ssh-keyscan process, then by the scp program, as an intrusion attempt.有可能是防火墙或 ssh 服务器进程本身看到了多个连接，首先是来自 ssh-keyscan 进程，然后是 scp 程序，作为入侵尝试。 And it's blocking the second connection attempt.它阻止了第二次连接尝试。

I met this issue after I changed my Apple ID password, so I updated my Apple ID and restart my Mac, it works now.我在更改 Apple ID 密码后遇到了这个问题，所以我更新了我的 Apple ID 并重新启动了我的 Mac，它现在可以工作了。

mac:release jianzhang$ git pull origin master
kex_exchange_identification: read: Connection reset by peer
Connection reset by 20.205.243.166 port 22
fatal: Could not read from remote repository.

Please make sure you have the correct access rights
and the repository exists.

I had the same problem.我有同样的问题。 I rebooted the server, then it was all good.我重新启动了服务器，然后一切都很好。

Same issue with me:和我一样的问题：

ex_exchange_identification: Connection closed by remote host

Try sudo scp .试试sudo scp 。

I suggest to check the routing table for one possibility.我建议检查路由表的一种可能性。 In my case on Ubuntu20, I added a local network routing entry to recover when I got the same error message when connecting to the server using ssh.就我在 Ubuntu20 上的情况而言，当我使用 ssh 连接到服务器时收到相同的错误消息时，我添加了一个本地网络路由条目以进行恢复。 It had disappeared unexpectedly, leaving only the default route.不知不觉就消失了，只留下默认路由。

user@hostname:~$ route -n Kernel IP routing table Destination     Gateway  
Genmask         Flags Metric Ref    Use Iface
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 enp1s0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 enp1s0  # <= disappeared

It seemed as if ack was being filtered by an incomplete routing table although first syn passed.尽管第一个 syn 通过了，但似乎 ack 被不完整的路由表过滤了。

Similar to @naoki-ogawa I had a problem with my routing table in my case I had an extra route for my local network.与@naoki-ogawa 类似，我的路由表有问题，我的本地网络有一条额外的路由。

# route
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
default         RT-AX92U-3E20   0.0.0.0         UG    100    0        0 eno1
link-local      0.0.0.0         255.255.0.0     U     1000   0        0 virbr1
192.168.50.0    RT-AX92U-3E20   255.255.255.0   UG    10     0        0 eno1
192.168.50.0    0.0.0.0         255.255.255.0   U     100    0        0 eno1

I simply removed the gateway on the local network (192.168.50.0)我只是删除了本地网络上的网关（192.168.50.0）

route del 192.168.50.0/24 via 192.168.50.1

Problem resolved.问题已解决。

You can try the VPN or if you have been using it before, try to turn it off and connect it again If you don't have a budget for a VPN, you can try ProtonVPN which is free.您可以尝试 VPN，或者如果您以前使用过，请尝试将其关闭并重新连接如果您没有 VPN 的预算，您可以尝试免费的ProtonVPN 。 It worked for me when I faced the same problem.当我遇到同样的问题时，它对我有用。

Try to check if open ssh server is up and running in the server side.尝试检查打开的 ssh 服务器是否已启动并在服务器端运行。 Try checking the sshd config.尝试检查 sshd 配置。 It worked this way for me.它对我来说是这样的。 Good luck.祝你好运。

TL;DR: find the server side process listen to ssh port and kill it, then restart ssh service, should solve this problem. TL;DR：找到服务器端进程监听ssh端口并杀死它，然后重新启动ssh服务，应该可以解决这个问题。

On the client side:在客户端：

$ ssh account@ip -pPORT
kex_exchange_identification: read: Connection reset by peer

I tried on the server side我在服务器端试过

$ service ssh status
[ ok ] sshd is running.
$ service ssh restart
[ ok ] Restarting OpenBSD Secure Shell server: sshd.

but the client side ssh command still fail with the same kex_exchange_identification error但客户端 ssh 命令仍然失败，出现相同的kex_exchange_identification错误

then I stop ssh service on the server side然后我在服务器端停止 ssh 服务

# service ssh stop
[ ok ] Stopping OpenBSD Secure Shell server: sshd.

and the following client side ssh command still fail with the same kex_exchange_identification error, it's strange, if no process listen the PORT, it should be the error Connection refused和下面的客户端ssh命令仍然失败，同样的kex_exchange_identification错误，很奇怪，如果没有进程监听端口，应该是错误Connection refused

it could be the process on the server side listen to ssh PORT is dead, even a restart / stop service do not work.可能是服务器端的进程监听 ssh 端口已死，即使重新启动/停止服务也不起作用。 so to find the process, and kill it may solve the problem.所以找到进程并杀死它可能会解决问题。

the PORT here is ssh Port defined in server /etc/ssh/sshd_config, default is 22
# netstat -ap | grep PORT
tcp        0      0 0.0.0.0:PORT            0.0.0.0:*               LISTEN      
8359/sshd
tcp6       0      0 [::]:PORT               [::]:*                  LISTEN      
8359/sshd
# kill 8359
# netstat -ap | grep PORT
no result
# service ssh start
[ ok ] Starting OpenBSD Secure Shell server: sshd.
# netstat -ap | grep PORT
tcp        0      0 0.0.0.0:PORT            0.0.0.0:*               LISTEN      31418/sshd: /usr/sb
tcp6       0      0 [::]:PORT              [::]:*                  LISTEN      31418/sshd: /usr/sb

the following client side ssh command succeed.以下客户端 ssh 命令成功。

For those who came across this page after upgrading a FreeBSD machine to 13.1 and then trying to ssh into it, see https://bugs.freebsd.org/bugzilla//show_bug.cgi?id=263489 .对于那些在将 FreeBSD 机器升级到 13.1 然后尝试 ssh 进入它之后遇到此页面的人，请参阅https://bugs.freebsd.org/bugzilla//show_bug.cgi?id=263489 。 After the upgrade, the previous sshd daemon (OpenSSH < 8.2) is still running with new configs (OpenSSH >= 8.2).升级后，之前的 sshd 守护进程 (OpenSSH < 8.2) 仍在使用新配置 (OpenSSH >= 8.2) 运行。 The solution is to stop and then restart the sshd daemon.解决方案是停止然后重新启动 sshd 守护进程。 The FreeBSD 13.1 release notes now mention this and after 13.1, the freebsd-update script will automatically restart the daemon. FreeBSD 13.1 发行说明现在提到了这一点，在 13.1 之后，freebsd-update 脚本将自动重启守护进程。

I had this error today when I was trying to use my Dell Laptop running Description: Ubuntu 20.04.5 LTS and trying to SSH into a Raspberry Pi.我今天在尝试使用运行Description: Ubuntu 20.04.5 LTS并尝试将 SSH 放入 Raspberry Pi 的戴尔笔记本电脑时出现此错误。 When I was on my Home Wifi.network and tried to SSH into the pi (also on my home wifi.network) I got the error: `$ ssh pi@10.0.0.200 kex_exchange_identification: read: Connection reset by peer'当我在我的家庭 Wifi.network 上并尝试将 SSH 连接到 pi（也在我的家庭 wifi.network 上）时，我收到错误消息：`$ ssh pi@10.0.0.200 kex_exchange_identification: read: Connection reset by peer'

However, when I switched my Ubuntu Laptop over to a mobile hotspot, the error disappeared, and I was able to SSH without issue.但是，当我将 Ubuntu 笔记本电脑切换到移动热点时，错误消失了，我可以毫无问题地连接到 SSH。 Will update this post as soon as I figure out how to resolve the root cause.一旦我弄清楚如何解决根本原因，就会更新这篇文章。

EDIT: Issue resolved (but full reason unclear).编辑：问题已解决（但原因不明）。 I followed the instructions to change my DNS server here to 8.8.8.8 and 8.8.4.4.我按照说明将我的 DNS 服务器更改为 8.8.8.8 和 8.8.4.4。

After about 5 mins had elapsed, I was able to use SSH from my command line terminal just fine.大约 5 分钟后，我就可以从我的命令行终端使用 SSH 了。

Error错误

kex_exchange_identification: read: Connection reset by peer Connection reset by xxxx port 22 kex_exchange_identification：读取：对等连接重置 xxxx 端口 22 连接

I have an Ubuntu 20.04 host and 2 rhel8 VMs running on VMware.我有一个 Ubuntu 20.04 主机和 2 个运行在 VMware 上的 rhel8 虚拟机。 I login into the 2 VMs from my ubuntu terminal.我从我的 ubuntu 终端登录到 2 个虚拟机。 I use ethe.net and WiFi connections.我使用 ethe.net 和 WiFi 连接。 Every time I try to login into a VM after rebooting it I get the error:每次我在重启后尝试登录虚拟机时，都会收到错误消息：

Restarting the sshd service will not solve the problem.重启sshd服务也不能解决问题。 Sometimes, the problem would be resolved if I physically disconnected and reconnected the ethe.net cable.有时，如果我断开并重新连接 ethe.net 电缆，问题就会得到解决。

Finally I turned off my WiFi connection with: nmcli conn down <name_of_wifi_connection> or turning it off from settings and this gave me a permanent solution.最后我关闭了我的 WiFi 连接：nmcli conn down <name_of_wifi_connection> 或从设置中关闭它，这给了我一个永久的解决方案。

Both my ethe.net and wifi connections (static connections) had the same ip address so I think the VMs were rejecting 2 "suspicious" similar connections.我的 ethe.net 和 wifi 连接（静态连接）都有相同的 ip 地址，所以我认为虚拟机拒绝了 2 个“可疑”的相似连接。

Same issue with me: I have fixed the issue by doing below steps我也有同样的问题：我已经通过以下步骤解决了这个问题

edit file "etc/hosts.allow" .编辑文件"etc/hosts.allow" 。 Command to do so "sudo nano /etc/hosts.allow" .执行此操作的命令"sudo nano /etc/hosts.allow" 。
At end update value of ALL key to ALL like ALL: ALL .最后将 ALL 键的值更新为 ALL，如ALL: ALL 。 Save the file and try again.保存文件并重试。

Basically ALL might be set to something else therefore while establishing ssh connection to the host, it is expecting that the request should come from the IP starting from 10. .基本上 ALL 可能会设置为其他值，因此在建立与主机的 ssh 连接时，预计请求应该来自 IP 从 10 开始。 .* if ALL set to ALL: 10. . .* 如果 ALL 设置为ALL: 10. . . Therefore by replacing 10. with ALL, you are allowing connection from everywhere.因此，通过将 10. 替换为 ALL，您允许从任何地方进行连接。