Debugging SSH Connection Stuck at “Local version string” Between Mac and Ubuntu



When attempting to SSH from a MacBook (running OpenSSH 7.6) to an Ubuntu server, the TCP connection is established but the session hangs indefinitely at the "Local version string SSH-2.0-OpenSSH_7.6" message. The verbose output (-vvv) shows the TCP connection succeeding and the SSH protocol handshake then stalling.

Key observations from the debugging attempt:

  • Works fine when both machines are on the same WiFi network
  • Fails when the MacBook is on a different network
  • Firewall is confirmed disabled on Ubuntu (sudo ufw status)
  • SSH service is running (systemctl status sshd)

The verbose output reveals several important clues:

debug2: ssh_connect_direct: needpriv 0
debug1: Connection established.
debug1: Local version string SSH-2.0-OpenSSH_7.6

The client has sent its own version string, and no remote version string is ever logged, so the connection is failing during the initial protocol version exchange phase. Possible causes include:

  1. Network filtering at the router level
  2. MTU size issues causing packet fragmentation
  3. Incompatible encryption algorithms between client and server

1. Test Basic Connectivity

First verify basic network connectivity:

# Check if port 22 is reachable
nc -zv <server_ip> 22

# Alternative using telnet
telnet <server_ip> 22

2. Check SSH Configuration

On the Ubuntu server, examine the SSH daemon configuration:

sudo nano /etc/ssh/sshd_config

Look for these critical settings:

Protocol 2
LoginGraceTime 120
PermitRootLogin prohibit-password

3. Force Specific Encryption Algorithms

Try connecting with specific cipher algorithms:

ssh -vvv -oKexAlgorithms=diffie-hellman-group-exchange-sha256 \
          -oCiphers=aes256-ctr \
          -oMACs=hmac-sha2-256 \
          <username>@<ip>

4. MTU Troubleshooting

Test with reduced MTU size:

# On macOS:
sudo ifconfig en0 mtu 1200

# Then retry the SSH connection

For persistent issues, consider these advanced steps:

Packet Capture Analysis

On the Ubuntu server:

sudo tcpdump -i eth0 -nn -s 0 port 22 -w ssh_debug.pcap

SSH Daemon Logs

Check detailed logs on the server:

sudo journalctl -u ssh --no-pager -n 50

If standard SSH continues to fail, try these alternatives:

Using Mosh

Mosh handles network changes better:

brew install mosh  # On Mac
mosh <username>@<ip>

SSH Through Proxy

For restrictive networks:

ssh -o ProxyCommand="nc -X connect -x proxy:3128 %h %p" <username>@<ip>

When establishing an SSH connection, the protocol goes through several phases before reaching the authentication stage. The debug output shows the connection freezing right after the client sends its version string:

debug1: Local version string SSH-2.0-OpenSSH_7.6

This indicates the TCP connection is established but the SSH protocol negotiation isn't progressing beyond the initial version exchange.
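To see what the far end sends at this exact point, the version exchange can be reproduced outside of ssh. The following is an added example, not part of the original page: it sends a version string as ssh does and classifies the peer's first bytes. The function names, the result labels and the client identification string are constructed for illustration.

```python
import socket
import sys

CLIENT_ID = b"SSH-2.0-BannerProbe_0.1\r\n"  # constructed identification string


def parse_banner(data):
    """Classify the first bytes a peer sends (RFC 4253, section 4.2)."""
    if not data:
        return ("no_banner", None)  # the hang described above
    for raw in data.split(b"\n"):  # servers may send text lines before the banner
        line = raw.rstrip(b"\r")
        if line.startswith(b"SSH-"):
            text = line.decode("ascii", "replace")
            parts = text.split("-", 2)
            ok = len(parts) == 3 and parts[1] in ("2.0", "1.99") and len(line) <= 253
            return ("ssh_banner" if ok else "malformed_banner", text)
    return ("not_ssh", data[:80].decode("ascii", "replace"))  # something else answered


def _banner_complete(data):
    start = data.find(b"SSH-")
    return start != -1 and b"\n" in data[start:]


def read_server_banner(sock, timeout=5.0):
    """Send our version string, as ssh does, then wait for the peer's."""
    sock.settimeout(timeout)
    sock.sendall(CLIENT_ID)
    data = b""
    try:
        while not _banner_complete(data) and len(data) < 4096:
            chunk = sock.recv(256)
            if not chunk:  # peer closed without finishing a banner
                break
            data += chunk
    except socket.timeout:
        pass  # silence: classify whatever arrived, possibly nothing
    except ConnectionResetError:
        return ("reset", None)  # connection reset after the TCP handshake
    return parse_banner(data)


def probe(host, port=22, timeout=5.0):
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            return read_server_banner(sock, timeout)
    except OSError as exc:
        return ("tcp_failed", str(exc))


if __name__ == "__main__" and len(sys.argv) > 1:
    print(probe(sys.argv[1]))
```

Run it from both networks against the same server: "ssh_banner" on the home WiFi and "no_banner", "reset" or "not_ssh" from the remote network means the difference lies in the path, not in sshd.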

First, verify basic network connectivity:

# Test basic connectivity
ping <server_ip>

# Check if port 22 is accessible
telnet <server_ip> 22
nc -zv <server_ip> 22

If these work but SSH still hangs, we're dealing with an SSH-specific issue rather than general network problems.

On your Ubuntu server, verify these critical SSH settings:

# Check SSHD configuration
sudo grep -E 'Protocol|VersionAddendum' /etc/ssh/sshd_config

# Expected output should contain:
Protocol 2
# VersionAddendum (if present) shouldn't contain problematic characters

Use these advanced SSH client options for deeper diagnostics:

# Try different cipher specifications
ssh -vvv -oCiphers=aes128-ctr,aes192-ctr,aes256-ctr user@host

# Test with packet encryption disabled
# (NoneEnabled/NoneSwitch exist only in HPN-SSH patched builds; stock OpenSSH rejects them)
ssh -vvv -oNoneEnabled=yes -oNoneSwitch=yes user@host

The fact that it works on the same network but fails remotely suggests possible middlebox interference:

  • Corporate firewalls might inspect/modify SSH traffic
  • NAT devices could mangle TCP packets
  • MTU mismatches may cause fragmentation issues

Try adjusting MTU settings:

# On Mac client
sudo ifconfig en0 mtu 1400

For persistent cases, capture network traffic:

# On client (requires Wireshark or tcpdump)
sudo tcpdump -i any -s0 -w ssh_debug.pcap port 22

# On server
sudo tcpdump -i eth0 -s0 -w ssh_server.pcap port 22

Analyze the packet capture to see where the handshake fails.

If standard SSH fails, try these alternatives:

# Use socat as a tunnel
socat TCP4-LISTEN:2222,fork TCP4:<server_ip>:22

# Try Mosh (mobile shell) in place of an interactive SSH session
brew install mosh
mosh user@<server_ip>