Ssh – Meaning of “Connection closed by xxx [preauth]” in sshd logs

authenticationlogsssh

We have a Windows batch script, which connects automatically to a linux server via PLINK (putty). There is NO public private key authentication, the user and the password are in
the script.

On our linux server we have several sshd log entries (/var/log/messages):

sshd[7645]: Connection closed by xxx [preauth]

What could be the cause for such a message?
"preauth" supposably means "pre authentication"?

Sometimes in the entry, "closed by" has the ip address of the windows client, another time there is the ip address of the linux server in "closed by". Does anybody know the differency betweend client ip address and host ip address in the message?

Best Answer

The sshd server will disconnect if the client doesn't try to authenticate in a certain period of time, as documented in the -g option.

 -g login_grace_time
         Gives the grace time for clients to authenticate themselves
         (default 120 seconds).  If the client fails to authenticate
         the user within this many seconds, the server disconnects
         and exits.  A value of zero indicates no limit.

So I suspect if you see the server IP in the logs with this message, the connection was closed because no authentication attempt occurred within this grace time. When you see the client IP, it means the user closed their client (or the script terminated) without making an authentication attempt.

Related Solutions

SSH – SSH Passwordless Authentication Doesn’t Work

In CentOS 6, there is a bug that prevents ssh RSA authentication from working as desired if selinux is in Enforcing mode.

You can disable selinux, or you can try the workaround below:

restorecon -R -v ~$USER/.ssh

Ssh – Remote SSH Tunnel not working with certificates

The -v option will gives you more information on the client side.

plink.exe -v -R *:62050:127.0.0.1:9000 user@host -i ./np.ppk
Looking up host "host"
Connecting to 135.x.x.x port 22
Server version: SSH-2.0-OpenSSH_5.1
Using SSH protocol version 2
We claim version: SSH-2.0-PuTTY_Release_0.63
...
Opened main channel
Requesting remote port *:62050 forward to 127.0.0.1:9000
Remote port forwarding from *:62050 enabled              <---<<<
Allocated pty (ospeed 38400bps, ispeed 38400bps)
Started a shell/command
...

If you didn't manage to find the answer with plink verbose mode. Open sshd in debug mode on another port (or ask the root administrator to do that).
No need to stop the regular sshd deamon.

# /usr/sbin/sshd -dd -p  2222
debug2: load_server_config: filename /opt/ssh/etc/sshd_config
debug2: load_server_config: done config len = 514
debug2: parse_server_config: config /opt/ssh/etc/sshd_config len 514
debug1: Config token is port
debug1: Config token is protocol
debug1: Config token is hostkey
debug1: Config token is hostkey
....

Then connect to that sshd instance with plink option -P

plink.exe -v -P 2222 -R *:62050:127.0.0.1:9000 user@host -i ./np.ppk

You will have the debug information of both end.

EDIT

The solution is in man sshd at the "AUTHORIZED_KEYS FILE FORMAT" chapter.

It is likely that the no-port-forwarding option has been associated to your key but that no global option has been set.

 no-port-forwarding
         Forbids TCP forwarding when this key is used for authentication.  Any port forward requests by the client will return
         an error.  This might be used, e.g. in connection with the command option.

You should have access to your home ~/.ssh/authorized_keys , edit the file and remove that option.

Sometimes the authorized_keys are centralized in a protected directory in that case you will not be able to change it.

Best Answer

Related Solutions

SSH – SSH Passwordless Authentication Doesn’t Work

Ssh – Remote SSH Tunnel not working with certificates

EDIT

Related Question