The SSH key exchange process is interrupted when the remote server closes the connection before authentication can complete. This typically indicates network issues, firewall blocking, server overload, or security restrictions.
This error occurs during the SSH key exchange (KEX) phase, which is the first critical step of establishing a secure connection. The 'read: Connection reset by peer' message means the remote SSH server intentionally closed the TCP connection before the client could finish the key exchange handshake. This can happen for several reasons: the server may be rejecting your IP address, under heavy load, misconfigured, or your network may have a firewall blocking the connection.
First verify that the remote server is reachable:
ping <server-ip>
traceroute <server-ip>
telnet <server-ip> 22If ping fails or traceroute hangs, you have a network connectivity issue. If telnet connects and immediately disconnects, the SSH server is running but rejecting your connection.
From the server (if you have local access or another login method), check fail2ban status:
sudo fail2ban-client status sshd
sudo fail2ban-client set sshd unbanip <your-ip>If your IP appears in the 'Banned IP list', unban it using the second command. This is the most common cause of this error.
If you have local server access or another login method:
sudo systemctl status ssh
sudo systemctl status sshdIf the service is inactive:
sudo systemctl start sshOr if using older init systems:
sudo service ssh startOn the server, verify port 22 is open:
sudo iptables -L -n | grep 22
sudo ufw statusOn the client, check if your firewall or ISP is blocking outbound SSH:
telnet <server-ip> 22If using a cloud provider (AWS, Azure, GCP), check the security group or firewall rules to ensure inbound TCP 22 is allowed from your IP.
From the server:
ls -la /etc/ssh/ssh_host_*You should see files like ssh_host_rsa_key, ssh_host_ed25519_key, etc. If they are missing or the directory is empty, regenerate them:
sudo ssh-keygen -A
sudo systemctl restart sshRun your SSH command with increased verbosity:
ssh -vvv user@hostnameThe output will show exactly where the connection fails. Look for lines like:
- 'SSH2_MSG_KEXINIT sent' - if you see this and then 'Connection reset', the server is dropping you during KEX
- 'Authentications that can continue' - you got past KEX, so the issue is authentication
If the server is under heavy load:
sudo grep MaxStartups /etc/ssh/sshd_configDefault is 10:30:60 (max 10 concurrent unauthenticated connections). If your server has high traffic:
# In /etc/ssh/sshd_config:
MaxStartups 30:60:120
# Then restart:
sudo systemctl restart sshAttempt the connection:
- From a different ISP or network
- Through a VPN
- Via a bastion/jump host (if available)
If it works through a VPN but not your normal connection, your ISP may be interfering with SSH traffic. Try connecting to a non-standard SSH port (if your server supports it):
ssh -p 2222 user@hostnameEnsure compatibility by running the latest SSH implementations:
# On client (macOS/Linux):
ssh -V
# On server, update OpenSSH:
sudo apt update && sudo apt install openssh-server openssh-client
# or
sudo yum update openssh-clients openssh-serverAfter updating the server, restart SSH:
sudo systemctl restart sshIf the server's host key has changed or you're getting conflicting entries:
ssh-keygen -R <server-ip>
ssh-keygen -R <hostname>Then try connecting again. You will get a prompt to accept the new host key.
Key Exchange Algorithm Mismatches: If the client and server support different key exchange algorithms, KEX will fail. Check sshd_config for 'KexAlgorithms' and ensure your client supports at least one. Use ssh -Q kex to see your client's supported algorithms.
Rootless SSH Servers: Some sandboxed or containerized SSH setups may have restrictions. Verify the SSH process has appropriate network capabilities.
TCP Wrappers: Even if iptables allows SSH, /etc/hosts.allow and /etc/hosts.deny can block connections:
cat /etc/hosts.deny
cat /etc/hosts.allowIf your IP is in 'deny', add it to 'allow':
# /etc/hosts.allow
sshd: <your-ip>Intermittent Failures: If this only happens occasionally, check system logs during failure:
sudo tail -f /var/log/auth.log # Debian/Ubuntu
sudo tail -f /var/log/secure # RHEL/CentOS
sudo log stream --predicate 'eventMessage contains[cd] sshd' --info # macOSSomeone could be eavesdropping on you right now (man-in-the-middle attack)!
How to fix SSH man-in-the-middle attack warning in SSH
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@ @ WARNING: UNPROTECTED PRIVATE KEY FILE! @ @@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
How to fix "WARNING: UNPROTECTED PRIVATE KEY FILE!" in SSH
sign_and_send_pubkey: no mutual signature supported
How to fix "sign_and_send_pubkey: no mutual signature supported" in SSH
Bad owner or permissions on /home/user/.ssh/known_hosts
How to fix "Bad owner or permissions on known_hosts" in SSH
It is required that your private key files are NOT accessible by others.
How to fix "private key files are NOT accessible by others" in SSH