Unable to establish SSH connection to EC2 Windows 2003 Server - no data exchanged after TCP handshake

Posted on 2009-05-10
Last Modified: 2012-05-06
I get the following error 5 seconds after starting PuTTY to connect to a Windows 2003 server hosted on Amazon EC2:
"Server unexpectedly closed network connection"

This is happening on just one client->server combination. I am attaching all the data - before
that, let me state what the problem is NOT.

1. Not a firewall issue ( I can ssh from the same client to all other servers in the same EC2 group )
2. Not a key issue ( I can ssh from a different client to the same server with the same key )

On the network, after the initial TCP handshake, nothing happens for 5 seconds
( verified on both client and server ). Then the server resets the TCP connection.
No data is exchanged. The SSH protocol version packet which is supposed to
arrive from the server after the connection establishment is never sent.

The config files on the server are as below-

$ cat /etc/hosts.allow
# hosts.allow   This file describes the names of the hosts which are
#               allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.
#               CYGWIN note: if you use a software firewall (such
#               as ZoneAlarm or the "Windows Firewall" in Windows
#               XP), you must also open a 'hole' at the proper
#               port for the services you enable below.
ALL : localhost : allow
sshd: ALL

$ cat /etc/hosts.deny
# hosts.deny    This file describes the names of the hosts which are
#               *not* allowed to use the local INET services, as decided
#               by the '/usr/sbin/tcpd' server.

$ cat /etc/sshd_config
#       $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/bin:/usr/sbin:/sbin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options change a
# default value.

Port 22
#AddressFamily any
#ListenAddress ::

# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2

# HostKey for protocol version 1
#HostKey /etc/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh_host_rsa_key
#HostKey /etc/ssh_host_dsa_key

# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024

# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
StrictModes no
#MaxAuthTries 6
#MaxSessions 10

#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile     .ssh/authorized_keys

# For this to work you will also need host keys in /etc/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no

# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#UseDNS yes
#PidFile /var/run/
#MaxStartups 10
#PermitTunnel no
#ChrootDirectory none

# no default banner path
#Banner none

# override default of no subsystems
Subsystem       sftp    /usr/sbin/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#       X11Forwarding no
#       AllowTcpForwarding no
#       ForceCommand cvs server

There is nothing in the /var/log/sshd.log.
Question by:TheJoeShmoe
LVL 33

Expert Comment

ID: 24352859
I am confused...
You said it is a Windows 2003 server, yet proceed to detail a Linux configuration.
Something must be incorrect...

If it really is a Windows 2003 server, then you need to connect to it via RDP, as by default no sshd is installed on Windows images.


Author Comment

ID: 24361054
I have installed Cygwin on the Windows 2003 Server. Surely that was apparent from the multiple places where the word "CYGWIN" can be found in my problem statement?
LVL 33

Expert Comment

ID: 24362000
Meh, it was not apparent to me; seemed like standard conf notes.
Sorry, I can't help here :( never ran sshd out of Cygwin.

LVL 33

Expert Comment

ID: 24362002
Try to install a Windows-native sshd - they actually work pretty well.

Author Comment

ID: 24362268
It is a native sshd, if by native you mean Win32 app.
And it works fine against clients on other machines.
I was looking for some insight on why an ssh server would not send the server protocol
packet after the TCP handshake.
LVL 33

Expert Comment

ID: 24362609
Try to install a fresh PuTTY on a different PC to eliminate client-side problems.


Accepted Solution

TheJoeShmoe earned 0 total points
ID: 24618941
I found the problem and note it here if it helps anyone in future. I had given up and
found the problem quite accidentally while examining the Windows system event
log ( C:\windows\system32\eventvwr.msc ).

There were many red error messages from "sshd". Each one had the following
text =
"can't verify hostname: gethostbyname(".
 And some other stuff.

In my hosts.allow file, I had allowed ALL for sshd, so it was not a simple denial
issue. The problem was that sshd was trying to call gethostbyname() on the
above host ( which I assume is my ISP's machine ) and failing. I added it to
the /etc/hosts file as follows -

and everything works fine. So it was not a firewall or other client-side issue,
as I had suspected, nor a key issue ( all these were eliminated by my tests
as possible problem causes as explained in my problem statement ). It was
something in my ISP that was causing the problem. When I connected through
other ISPs to the same server, everything was working fine.

Hope this helps someone.
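
An added diagnostic, not part of the original thread: a sketch of the reverse-then-forward hostname check that the "can't verify hostname: gethostbyname(" event-log message points to, so the failing step can be reproduced for a given client address. It assumes the check is a reverse lookup followed by a forward lookup of the returned name; the addresses, hostnames and `fake_*` resolvers are constructed sample data.

```python
import socket

# Constructed sample data (documentation address ranges, made-up names).
PTR = {
    "203.0.113.10": "client.example.net",
    "203.0.113.20": "pool-20.isp.example",   # PTR exists, name has no A record
    "203.0.113.30": "spoofed.example.net",   # name resolves to another address
}
A = {
    "client.example.net": ["203.0.113.10"],
    "spoofed.example.net": ["198.51.100.7"],
}

def fake_reverse(ip):
    """Offline stand-in for socket.gethostbyaddr (hypothetical helper)."""
    if ip not in PTR:
        raise socket.herror(1, "Unknown host")
    return PTR[ip], [], [ip]

def fake_forward(name):
    """Offline stand-in for socket.gethostbyname_ex (hypothetical helper)."""
    if name not in A:
        raise socket.gaierror(-2, "Name or service not known")
    return name, [], A[name]

def verify_client_hostname(ip, reverse=socket.gethostbyaddr,
                           forward=socket.gethostbyname_ex):
    """Return (status, detail) for a client IP.

    status is 'ok', 'no-ptr', 'forward-failed' or 'mismatch'.
    """
    try:
        name = reverse(ip)[0]
    except OSError as exc:  # socket.herror and gaierror subclass OSError
        return "no-ptr", f"no reverse record for {ip}: {exc}"
    try:
        addrs = forward(name)[2]
    except OSError as exc:
        # Case from the accepted answer: the reverse name does not resolve.
        return "forward-failed", f"gethostbyname({name}) failed: {exc}"
    if ip not in addrs:
        return "mismatch", f"{name} resolves to {addrs}, not {ip}"
    return "ok", name

if __name__ == "__main__":
    for ip in ("203.0.113.10", "203.0.113.20", "203.0.113.30", "203.0.113.40"):
        print(ip, *verify_client_hostname(ip, fake_reverse, fake_forward))
```

Run on the server with only the client's address as argument, the function uses the system resolver, which also consults the local hosts file.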
LVL 33

Expert Comment

ID: 24619699
I recommend PAQ and refund in order for the solution to be helpful to others in the future


Question has a verified solution.
