# PuTTY ssh connections reset



## henrixd (Jul 2, 2012)

My server is FreeBSD 9.0-RELEASE-p3

Only PuTTY client connections are reset (mobile, Windows and Linux). Only error I get is `Server unexpectedly closed network connection`. No changes in server logs.

I copied most of the configurations from the old server a few months ago and it has been working properly, with PuTTY clients too. I don't think anything relevant is changed (clearly something has). I am still able to log in to the old server.

I did try it with `PasswordAuthentication yes` and an old server sshd_config file, but it doesn't seem to go that far. I can't solve this on my own, so please help.

sshd_config

```
VersionAddendum
Protocol 2
HostKey /etc/ssh/ssh_host_ecdsa_key
PermitRootLogin no
RSAAuthentication yes
PubkeyAuthentication yes
AuthorizedKeysFile      .ssh/authorized_keys
PasswordAuthentication no
PermitEmptyPasswords no
ChallengeResponseAuthentication no
AllowGroups wheel sshlogins sftponly
X11Forwarding no
AllowTcpForwarding no
ClientAliveInterval 180
Subsystem       sftp    /usr/libexec/sftp-server
Banner /etc/welcomemsg
Match Group sftpchroot
        ForceCommand internal-sftp
        ChrootDirectory /usr/home/sftp/%u
```


```
# tcpdump -ni msk0
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on msk0, link-type EN10MB (Ethernet), capture size 65535 bytes
21:40:00.679009 IP client.42123 > server.22: Flags [S], seq 1929173397, win 14600, options [mss 1460,sackOK,TS val 13285194 ecr 0,nop,wscale 6], length 0
21:40:00.679123 IP server.22 > client.42123: Flags [S.], seq 746307799, ack 1929173398, win 0, options [mss 1460], length 0
21:40:00.861507 IP client.42123 > server.22: Flags [.], ack 1, win 14600, length 0
21:40:00.861626 IP server.22 > client.42123: Flags [.], ack 1, win 65535, length 0
21:40:00.881470 IP server.22 > client.42123: Flags [P.], seq 1:33, ack 1, win 65535, length 32
21:40:01.112514 IP client.42123 > server.22: Flags [.], ack 33, win 14600, length 0
21:40:01.113199 IP client.42123 > server.22: Flags [P.], seq 1:44, ack 33, win 14600, length 43
21:40:01.115821 IP server.22 > client.42123: Flags [P.], seq 33:897, ack 44, win 65535, length 864
21:40:01.120104 IP client.42123 > server.22: Flags [P.], seq 44:556, ack 33, win 14600, length 512
21:40:01.120998 IP client.42123 > server.22: Flags [P.], seq 556:684, ack 33, win 14600, length 128
21:40:01.121026 IP server.22 > client.42123: Flags [.], ack 684, win 65535, length 0
21:40:01.125083 IP server.22 > client.42123: Flags [F.], seq 897, ack 684, win 65535, length 0
21:40:01.506220 IP client.42123 > server.22: Flags [P.], seq 684:700, ack 897, win 15552, length 16
21:40:01.506310 IP server.22 > client.42123: Flags [R], seq 746308696, win 0, length 0
21:40:01.562704 IP client.42123 > server.22: Flags [F.], seq 700, ack 898, win 15552, length 0
21:40:01.562734 IP server.22 > client.42123: Flags [R], seq 746308697, win 0, length 0
```

This works well:


```
# ssh -v server
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to server [xxx.xxx.xxx.xxx] port 22.
debug1: Connection established.
debug1: identity file /home/user/.ssh/id_rsa type -1
debug1: identity file /home/user/.ssh/id_rsa-cert type -1
debug1: identity file /home/user/.ssh/id_dsa type -1
debug1: identity file /home/user/.ssh/id_dsa-cert type -1
debug1: identity file /home/user/.ssh/id_ecdsa type -1
debug1: identity file /home/user/.ssh/id_ecdsa-cert type -1
debug1: Remote protocol version 2.0, remote software version OpenSSH_5.8p2_hpn13v11
debug1: match: OpenSSH_5.8p2_hpn13v11 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.9p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: sending SSH2_MSG_KEX_ECDH_INIT
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
debug1: Server host key: ECDSA bd:91:ba:50:cc:17:94:44:49:2f:98:38:bb:b5:73:1c
debug1: Host 'server' is known and matches the ECDSA host key.
debug1: Found key in /home/user/.ssh/known_hosts:1
debug1: ssh_ecdsa_verify: signature correct
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: Roaming not allowed by server
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
```


----------



## henrixd (Jul 3, 2012)

These might help more.

Command

```
sshd -ddd -p 2022 -h /etc/ssh/ssh_host_ecdsa_key
```

PuTTY output

```
debug2: mac_setup: found hmac-sha1
debug1: kex: client->server aes256-ctr hmac-sha1 none
debug2: mac_setup: found hmac-sha1
debug1: kex: server->client aes256-ctr hmac-sha1 none
no hostkey alg
```

OpenSSH Client output

```
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: expecting SSH2_MSG_KEX_ECDH_INIT
debug3: mm_key_sign entering
debug3: mm_request_send entering: type 4
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN
debug3: mm_request_receive_expect entering: type 5
debug3: mm_request_receive entering
```


```
# ssh-keyscan server
# server SSH-2.0-OpenSSH_5.8p2_hpn13v11
no hostkey alg
```

So there is my error, not so sure how to fix it.


----------



## fullauto (Jul 3, 2012)

I had this problem also. Any chance you are running PF or any other stateful packet filter? I figured my problem to be the flush of the firewall states. As soon as I stopped flushing the firewall states, the problem went away.


----------



## henrixd (Jul 4, 2012)

I did fix this by not passing ssh_host_ecdsa_key to sshd. I don't know if PuTTY should work with it or not.


----------
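Added example, not part of any post in this thread: the `no hostkey alg` line in the sshd debug output is what host key algorithm negotiation produces when the client's and server's KEXINIT lists share no entry. The sketch below parses the KEXINIT name-lists (RFC 4253, section 7.1) and applies a simplified selection rule that ignores key-exchange-specific requirements; the algorithm lists, the nistp256 curve and the "legacy client" standing in for the PuTTY build are assumptions, and the payloads are constructed samples.

```python
import struct

SSH_MSG_KEXINIT = 20
# Order of the ten name-lists in SSH_MSG_KEXINIT (RFC 4253, section 7.1)
FIELDS = ["kex_algorithms", "server_host_key_algorithms", "encryption_c2s",
          "encryption_s2c", "mac_c2s", "mac_s2c", "compression_c2s",
          "compression_s2c", "languages_c2s", "languages_s2c"]

def build_kexinit(lists):
    """Build a KEXINIT payload from a dict (constructed sample, zero cookie)."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Return the ten name-lists of a KEXINIT payload as lists of names."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    pos, result = 17, {}  # skip message type byte and 16-byte cookie
    for name in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError("truncated name-list body")
        text = payload[pos:pos + n].decode("ascii")
        result[name] = text.split(",") if text else []
        pos += n
    return result

def pick_hostkey_alg(client, server):
    """First client-preferred algorithm the server also offers, else None."""
    offered = set(server["server_host_key_algorithms"])
    for alg in client["server_host_key_algorithms"]:
        if alg in offered:
            return alg
    return None  # sshd reports this case as "no hostkey alg"

def sample(algs):
    """Parsed KEXINIT carrying only a host key algorithm list (constructed)."""
    return parse_kexinit(build_kexinit({"server_host_key_algorithms": algs}))

# Server started with only an ECDSA host key, as in the posted sshd_config
ECDSA_ONLY_SERVER = sample(["ecdsa-sha2-nistp256"])
# Same server with an RSA host key loaded as well (hypothetical corrected setup)
RSA_AND_ECDSA_SERVER = sample(["ssh-rsa", "ecdsa-sha2-nistp256"])
LEGACY_CLIENT = sample(["ssh-rsa", "ssh-dss"])  # assumed: no ECDSA support
ECDSA_CLIENT = sample(["ecdsa-sha2-nistp256", "ssh-rsa", "ssh-dss"])
```

`pick_hostkey_alg(LEGACY_CLIENT, ECDSA_ONLY_SERVER)` returns `None`, while the same client against `RSA_AND_ECDSA_SERVER` settles on `ssh-rsa`.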

