10.24.2008

Unauthenticated openssh sessions closed by remote host

At work we recently had a problem with ssh connections being closed unexpectedly on a fresh machine dedicated to cvs hosting. The problem was turned over to our server support team, but they didn't have any luck finding a fix. Well yesterday, we teamed up and dedicated ourselves to solving the problem, and I'm blogging our fix since I had very little luck finding an easy answer to this problem. I found plenty of people experiencing similar problems and the solutions offered were sound, but our problem was different even though my error message looked identical to theirs.

The problem manifested itself when trying to open multiple concurrent sessions on the machine. Once about 7 or 8 open but unauthenticated sessions existed, the machine would start actively closing the connections. The following message was received on the client side:

ssh_exchange_identification: Connection closed by remote host


It may seem strange to be opening so many sessions at once and then expecting to have them sit waiting for you to enter your login credentials individually. However, that's essentially what our Integrated Development Environment does and it was in fact causing users to see this message.

I ran ssh with the -v option to see if there were any descriptive debug messages that might help me out. Here is the (edited) output of that command:


ssh -v hostname
OpenSSH_versionnumber, OpenSSL versionnumber releasedate
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to hostname [ip.address] port 22.
debug1: Connection established.
debug1: identity file /home/username/.ssh/identity type -1
debug1: identity file /home/username/.ssh/id_rsa type 1
debug1: identity file /home/username/.ssh/id_dsa type -1
debug1: loaded 3 keys
ssh_exchange_identification: Connection closed by remote host


I was able to find several sources on the Internet where people were seeing the exact same error message and debug output as above. None of their solutions helped me solve my problem though, because they pointed to such fixes as increasing the values of /proc/sys/net/core/netdev_max_backlog and /proc/sys/net/core/somaxconn or adding things to /etc/hosts.deny and /etc/hosts.allow. As you can see from the debug output above, I was getting a connection established on port 22, and so I was relatively sure the Linux networking subsystem itself wasn't the culprit. Another suggestion I saw had to do with permissions of /var and /var/empty, but the permissions on this host were fine in that regard.

I finally was able to find the solution, which lay in the /etc/ssh/sshd_config file after all. I had our administrator change the value of the property MaxStartups from the default to 20, like so.

MaxStartups 20


This property's meaning is explained in the sshd_config manpage as:

     MaxStartups
             Specifies the maximum number of concurrent unauthenticated
             connections to the sshd daemon. Additional connections will be
             dropped until authentication succeeds or the LoginGraceTime
             expires for a connection. The default is 10.

             Alternatively, random early drop can be enabled by specifying the
             three colon separated values ``start:rate:full'' (e.g.,
             "10:30:60"). sshd will refuse connection attempts with a
             probability of ``rate/100'' (30%) if there are currently ``start''
             (10) unauthenticated connections. The probability increases
             linearly and all connection attempts are refused if the number of
             unauthenticated connections reaches ``full'' (60).

After restarting sshd, we were able to get our test case to pass and subsequently, our IDE is now able to perform cvs operations in the way it knows how without bringing the ssh daemon to its knees.
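To make the manpage text above concrete, here is a small added model (my own code, not OpenSSH's) of how a MaxStartups value translates into drop decisions. It parses both forms of the setting (a plain number such as the "20" used above, and the "start:rate:full" random-early-drop form), computes the refusal probability for a given number of pending unauthenticated connections using the linear ramp the manpage describes, and simulates the situation from this post: an IDE opening a burst of connections that all sit unauthenticated. The MaxStartups class, simulate_burst function and the sample values are assumptions for illustration; the real daemon keeps its own counter and uses its own random source.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class MaxStartups:
    """Parsed sshd_config MaxStartups value (illustrative model, not OpenSSH code)."""
    start: int  # pending unauthenticated connections before any dropping begins
    rate: int   # percent chance of refusal once `start` are pending
    full: int   # every new connection is refused once this many are pending

    @classmethod
    def parse(cls, value: str) -> "MaxStartups":
        """Accept either "N" (e.g. "20") or "start:rate:full" (e.g. "10:30:60")."""
        parts = value.strip().split(":")
        if len(parts) == 1:
            n = int(parts[0])
            # A plain number means: refuse everything once n are pending.
            return cls(start=n, rate=100, full=n)
        if len(parts) != 3:
            raise ValueError(f"bad MaxStartups value: {value!r}")
        start, rate, full = (int(p) for p in parts)
        if not (0 < start <= full) or not (0 <= rate <= 100):
            raise ValueError(f"bad MaxStartups value: {value!r}")
        return cls(start, rate, full)

    def drop_probability(self, pending: int) -> int:
        """Percent chance that a new connection is refused when `pending`
        unauthenticated connections already exist."""
        if pending < self.start:
            return 0
        if pending >= self.full or self.rate == 100:
            return 100
        # Linear ramp from rate% at `start` to 100% at `full`, as in the manpage.
        span = self.full - self.start
        return self.rate + (100 - self.rate) * (pending - self.start) // span

    def should_drop(self, pending: int, rng=random) -> bool:
        """Roll the dice for one incoming connection."""
        return rng.randrange(100) < self.drop_probability(pending)


def simulate_burst(cfg: MaxStartups, attempts: int, rng=random) -> int:
    """Open `attempts` connections back to back with none of them authenticating
    (the IDE behaviour described in the post) and return how many sshd keeps."""
    pending = 0
    for _ in range(attempts):
        if not cfg.should_drop(pending, rng):
            pending += 1
    return pending


if __name__ == "__main__":
    # Constructed sample: the default, the value chosen in the post, and the
    # manpage's random-early-drop example.
    for value in ("10", "20", "10:30:60"):
        cfg = MaxStartups.parse(value)
        print(f"MaxStartups {value}: parsed as {cfg}")
        for pending in (5, 10, 19, 20, 35, 60):
            print(f"  {pending:2d} pending -> {cfg.drop_probability(pending):3d}% refused")
        print(f"  burst of 25 unauthenticated attempts keeps {simulate_burst(cfg, 25)}")
```

With the default of 10, the eleventh unauthenticated session is the first one refused, which is exactly the symptom the client reports as ssh_exchange_identification: Connection closed by remote host. Raising the plain value to 20 simply moves that cliff; the "start:rate:full" form trades the cliff for a gradual ramp, which is kinder to a burst of legitimate clients while still capping what an unauthenticated flood can hold open.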

4.25.2007

Terribly Boring "I'm Still Here" Post

Yes, it's true. I'm still here.

It's been a while since I've posted because I've recently undergone yet another job change and relocation. In a crazy turn of events, I'm back at my original company and living extremely close to my old house. Anyway, I've got a lot of things that I'm eager to blog about, but with the packing, moving, unpacking and Cox's seeming inability to get Internet installed on the first try (if they miss another install appointment, I'm probably gonna walk away), I haven't had the chair time for it. Hopefully, I'll be back on here contributing at least one post a week in the very near future.

Forrest

3.30.2007

Head First Humanity

Most of you have heard of the Head First books. They are a series of technical books about programming that are written in a completely different style than, well, pretty much all other programming books I've read. They are meant to be engaging in a more holistic approach. Anyway, to keep from getting too far off topic, suffice it to say these books are either loved or hated by the members of the community. There seems to be quite a bit of emotion attached to them, because they are so radically different than all the other Java books out there.

This series was co-founded by a lady named Kathy Sierra, who was an author of several of the books and also maintains a blog called Creating Passionate Users. Ms. Sierra has found herself drawing more and more fame of late, and with the fame has come quite a bit of criticism. There's nothing wrong with criticism of course, but what is wrong is that some people have elevated their disapproval to the point of wishing her death.

Did you get that?

Her death!

For what reason? Well that's an interesting question, and one that Kathy herself isn't quite sure of:
What started the wave of threats? Is it a reaction to a specific post or topic on your blog or were the threats made out of the blue? That is the million-dollar question. I have had critics for a long time. Obviously the more visibility you have, the more critics you have, but it did turn much nastier the last few weeks than ever before.

For some reason [contributors to meankids.org site] really hate me. I asked one of them why. He said it is because I am just so optimistic. They are about rage, and if you are optimistic and positive you are part of the problem. It spun out of control kind of like a mob or crowd. Meankids was supposed to be a place where they could be as nasty as possible. It was like a feeding frenzy. Once they started down that path of anything goes, they weren't going to stop. Who crosses that line and makes comments like that as an adult? These aren't kids on MySpace. Anyone who is unstable enough to actually say these things, then I don't want to take a chance.

-ComputerWorld Interview

So what did they say? If you're interested, the most recent post on her blog details some of the things that were said, features an offensive digitally altered picture of Kathy, and explains her reaction to the undeserved hatred. To summarize, she's terrified. She's not leaving her house, she's canceled her speaking engagements and has suspended her blogging indefinitely. Personally, I can't say that I blame her one bit. I've seen some people say things like "...I don't think I agree with any parallelism drawn between verbal [and] physical abuse...I can't even see how they are similar" (1) and I just have to say that is complete crap. One is every bit as wrong as the other, and I agree with Kathy wholeheartedly when she says "it's the threat itself that inflicts the damage." I've personally been in terror for my life before because of someone's inflammatory threats and I can attest that the threats seem to have every bit as much effect. Possibly more, because they can instill so much fear that you find yourself constantly paranoid, unable to sleep, unable to even leave your lights on at night for fear of indicating that you are at home.

These actions are horrible. This is an atrocity that makes me cringe. Something has to be done about this. The community should be taking steps to ensure this kind of thing doesn't happen. I am in no way advocating that we discourage free speech, mind you, but I am saying that we should make it so socially unacceptable for this kind of thing to happen (as in, illegal threats) that it simply stops happening. I'm sure that the people who threatened her will be taken care of by the proper authorities, but the things Kathy is going through right now will never leave her. So anyway, not that my voice counts for much, but I'm casting my support for Kathy and for others who want to figure out how to fix this. You know, maybe it can't be fixed. But at the very least we should be trying to encourage free speech while making sure anonymous stupidity in the form of violent and sexual threats is squashed flat.

3.15.2007

Dell, I Stand Corrected

Well, I posted this entry about Dell not listening to their customers on the IdeaStorm website...and they've gone and actually listened. Good for you Dell. Really, bravo. I've cast my vote on the linuxsurvey, and you should too. I know it may seem like I just can't be pleased, but there is one thing about this survey that is concerning: there is no security measure at all to prevent ballot stuffing. So please (and not that you would,) don't take the survey more than once.

P.S. In related news, OpenOffice.org has written a letter to Dell asking for OOo preinstalled on their systems. Go IdeaStorm!

3.12.2007

Become an Unofficial MIT Grad

This just in: MIT to offer all courses online by the end of the year. I didn't realize it until today, but they've already made quite a few of their courses available online through the OpenCourseWare website. If only I had a whole lot of free time on my hands...

3.09.2007

New Language Features in C# 3.0

Just read this blog entry about three of the new language features in C# 3.0, and I hate to say it, but Microsoft is getting it right. In my short three months developing in C#, I have internally wished for a solution to each of the problems these features attempt to solve. Though they are simply syntactic sugar, I think they will each contribute greatly to reducing the tedium of typing in such a wordy language (although C# in my experience is still less wordy than Java). Maybe history will repeat itself and we'll see these features make it into Java 7, much like generics, auto-boxing and variable arity made the leap from C# 2.0 into Java 5.

Tikal Eclipse

You may have heard that Tikal Eclipse was released this week. I gave it a download and it seems pretty nice. Think of it as Automatic Updates (almost), or apt-get (closer) for eclipse. I think this distribution fills a real need in the eclipse community, as updates and installation of plugins have not been quite as easy as they could be. It also bundles several plugins for C++, Python, Perl, and PHP development within eclipse, if you are the omniglot type. It's good enough that I think I might actually use it, which is more than I can say for EasyEclipse.