ProxyJump: Connection reset by peer

Eduardo Suarez eduardo at itccanarias.org
Fri Aug 30 18:14:00 AEST 2024


Hi, I'm using ProxyJump via a local sshd (in a separate network namespace) to
connect to a remote host. It works fine the first time, but if I connect
several times in a row in a short period of time, I suddenly get a "Connection
reset by peer" error. This happens to be reproducible. If I wait a few seconds
(let's say 15 seconds), the connection is restored.

I have tried to debug the issue, but I'm not able to find the root cause.

These are the logs, with inline excerpts of the most relevant parts:

- local ssh client: https://dpaste.org/8ucke/raw

  debug1: Local version string SSH-2.0-OpenSSH_9.8
  kex_exchange_identification: Connection closed by remote host
  Connection closed by UNKNOWN port 65535

- local ssh proxy command ([60bc::2]): https://dpaste.org/jxzZv/raw

  debug3: receive packet: type 91
  debug2: channel_input_open_confirmation: channel 0: callback start
  debug2: channel_input_open_confirmation: channel 0: callback done
  debug2: channel 0: open confirm rwindow 2097152 rmax 32768
  debug3: receive packet: type 96
  debug2: channel 0: rcvd eof

- local intermediate sshd (localproxy, [60bc::1], 10.140.38.21):
  https://dpaste.org/v4hr2/raw

  debug3: send packet: type 91
  debug2: channel 0: read failed rfd 6 maxlen 32768: Connection reset by peer
  debug2: channel 0: read failed
  debug2: chan_shutdown_read: channel 0: (i0 o0 sock 6 wfd 6 efd -1 [closed])
  debug2: channel 0: input open -> drain
  debug2: channel 0: ibuf empty
  debug2: channel 0: send eof
  debug3: send packet: type 96

- remote sshd (target.gbdcs.net, 10.140.225.49): https://dpaste.org/fUhVN/raw

  debug3: send packet: type 20 [preauth]
  debug1: SSH2_MSG_KEXINIT sent [preauth]
  Connection reset by 10.140.38.21 port 51068 [preauth]
  debug1: do_cleanup [preauth]

So I figure that the order of the events could be the following:

- The remote sshd sends an SSH2_MSG_KEXINIT to the local ssh client.
- For some reason the intermediate sshd cannot read from the input file
  descriptor.
- The intermediate sshd starts closing the connection.
- The local ssh proxy command receives the EOF from the intermediate sshd and
  closes the connection.
- A reset is sent to the remote sshd by the intermediate sshd, so the remote sshd
  closes the connection.
- The local ssh client receives the reset and closes the connection.
- The link from the local ssh client to the local ssh proxy command is closed.

What do you think about it?

Besides, I have been looking at the source code of OpenSSH, and the message:

  debug2: channel 0: read failed rfd 6 maxlen 32768: Connection reset by peer

may come from

https://github.com/openssh/openssh-portable/blob/05f2b141cfcc60c7cdedf9450d2b9d390c19eaad/channels.c#L2143

  debug2("channel %d: read failed rfd %d maxlen %zu: %s",
		c->self, c->rfd, maxlen, ssh_err(r));

However, I then can't find the 'Connection reset by peer' string in 'ssherr.c':

https://github.com/openssh/openssh-portable/blob/master/ssherr.c

Where does the string 'Connection reset by peer' come from?

I'm running locally OpenSSH 9.8p1, and remotely OpenSSH 8.7p1.

My ~/.ssh/config contains:

  Match host target.gbdcs.net
    ProxyJump localproxy
    User esuarez

Some details have been omitted for brevity. If you need more information or some
more tests, please let me know.

Thanks in advance,
-Eduardo
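
On the question of where the string comes from (an added example, not part of the original post and not OpenSSH code): ssh_err() in ssherr.c returns strerror(errno) for SSH_ERR_SYSTEM_ERROR, so the text is the C library's message for ECONNRESET rather than a literal in the OpenSSH tree. The constructed loopback test below provokes that errno from read() on a TCP socket; the function name and the SO_LINGER abort are assumptions of this example.

```c
#include <arpa/inet.h>
#include <errno.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns the errno that read() reports after the TCP peer aborts the
 * connection, or -1 if the loopback sockets could not be set up. */
int read_errno_after_peer_reset(void)
{
    struct sockaddr_in sa;
    socklen_t slen = sizeof(sa);
    struct linger abort_on_close = { .l_onoff = 1, .l_linger = 0 };
    char buf[64];
    int lfd, cfd, afd = -1, saved = -1;

    memset(&sa, 0, sizeof(sa));          /* port 0: kernel picks a free one */
    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
    lfd = socket(AF_INET, SOCK_STREAM, 0);
    cfd = socket(AF_INET, SOCK_STREAM, 0);
    if (lfd < 0 || cfd < 0 ||
        bind(lfd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        listen(lfd, 1) < 0 ||
        getsockname(lfd, (struct sockaddr *)&sa, &slen) < 0 ||
        connect(cfd, (struct sockaddr *)&sa, sizeof(sa)) < 0 ||
        (afd = accept(lfd, NULL, NULL)) < 0)
        goto out;

    /* SO_LINGER with a zero timeout makes close() send RST instead of FIN. */
    setsockopt(afd, SOL_SOCKET, SO_LINGER, &abort_on_close, sizeof(abort_on_close));
    close(afd);
    /* The reader sees the RST as a failed read with errno ECONNRESET. */
    if (read(cfd, buf, sizeof(buf)) < 0)
        saved = errno;
out:
    if (lfd >= 0) close(lfd);
    if (cfd >= 0) close(cfd);
    return saved;
}

int main(void)
{
    int e = read_errno_after_peer_reset();
    printf("read failed: %s\n", e > 0 ? strerror(e) : "setup failed");
    return e == ECONNRESET ? 0 : 1;
}
```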



More information about the openssh-unix-dev mailing list