The SSH key exchange phase fails when the remote server closes the connection before completing the identification handshake. This typically occurs due to network issues, firewall blocks, server overload, or configuration mismatches.
SSH connection happens in phases: first is the key exchange identification (KEX), where the client and server negotiate encryption algorithms and establish a secure channel. If the server closes the connection during this phase, it prevents any further communication. This error occurs before authentication even begins, making it a connectivity or server-side issue rather than an authentication problem.
On the server, check if your IP has been blocked by fail2ban or firewall rules:
# Check fail2ban status
sudo fail2ban-client status sshd
# Check hosts.deny and hosts.allow
sudo cat /etc/hosts.deny
sudo cat /etc/hosts.allow
# Check iptables rules (if using iptables)
sudo iptables -L -n | grep sshIf your IP is blocked, unblock it:
# Unblock IP from fail2ban
sudo fail2ban-client set sshd unbanip <your-ip>On your client machine, use verbose mode to see exactly where the connection fails:
ssh -vvv user@hostnameThe -vvv flag gives maximum verbosity. Look for the point where the connection closes and note what phase it's in. Share relevant log lines with the server administrator if needed.
On the server, check the SSH daemon logs to see why it closed the connection:
# For systemd-based systems
sudo journalctl -u sshd -n 50 --no-pager
# For syslog-based systems
sudo tail -n 50 /var/log/auth.log
sudo tail -n 50 /var/log/secureLook for messages like:
- "Too many authentication failures"
- "Received disconnect from"
- "Unable to load host key"
- "sshd: no more sessions"
These messages will indicate the exact cause.
On the server, ensure the SSH daemon is running and restart it:
# Check if sshd is running
sudo systemctl status sshd
# Restart the SSH daemon
sudo systemctl restart sshd
# Check for configuration errors before restarting
sudo sshd -tThe -t flag tests the configuration without starting the daemon. If it shows errors, fix them before restarting.
If the server was recently upgraded or its keys regenerated, your client's known_hosts file may be outdated:
# Remove old host key from known_hosts
ssh-keygen -R hostname
ssh-keygen -R 192.168.1.100
# Try connecting again (you'll be prompted to accept the new key)
ssh user@hostnameOn the server, check the SSH daemon configuration:
sudo nano /etc/ssh/sshd_configLook for the MaxStartups parameter (default is 10:30:60). If the server is receiving many concurrent connections, increase it:
MaxStartups 50:30:100This allows up to 50 simultaneous pending connections. After modifying, test and restart:
sudo sshd -t
sudo systemctl restart sshdIf host keys are missing or have incorrect permissions:
# Check host key permissions
sudo ls -la /etc/ssh/ssh_host_*
# Host keys should have these permissions:
# Private keys: 600 (-rw-------)
# Public keys: 644 (-rw-r--r--)
# Fix if needed
sudo chmod 600 /etc/ssh/ssh_host_*_key
sudo chmod 644 /etc/ssh/ssh_host_*_key.pubIf keys are corrupted or missing, regenerate them:
sudo ssh-keygen -A
sudo systemctl restart sshdIf you're connecting to an old SSH server that doesn't support modern algorithms, explicitly specify a compatible one:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@hostnameWarning: Older algorithms are less secure. Use this only as a temporary workaround while upgrading the server.
Alternatively, check available algorithms:
ssh -Q kex # Key exchange algorithms
ssh -Q cipher # Cipher algorithms
ssh -Q mac # MAC algorithmsThe kex_exchange_identification error occurs at the very beginning of the SSH protocol handshake, making it distinct from authentication errors. This is important because it means the issue is not with your credentials but with establishing the encrypted channel itself.
Server-side library issues: After glibc or OpenSSL updates, sshd may not restart automatically. The daemon continues running with old libraries until restarted, which can cause key exchange failures. Always restart sshd after system library updates.
Network MTU issues: Some networks have MTU (Maximum Transmission Unit) problems that cause SSH key exchange packets to be dropped. If you suspect MTU issues, check with: tracepath -m 100 hostname and look for fragmentation.
Brute force attack defense: If the server has been under a brute force attack, the connection rate limiting (MaxStartups) may reject legitimate connections. Check server logs for attack patterns and consider temporarily increasing MaxStartups while the attack is ongoing.
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH
It is required that your private key files are NOT accessible by others.
How to fix "private key files are NOT accessible by others" in SSH