Re: a dh keys question?

[Karen Lewellen <klewellen@shellworld.net>]

There is no error at all in any way shape or form that I am given 
indicating that there is a key range overflow.
I have successfully reached  locations with various editions of openssh, 
including in the 7 plus range...on a different port. 
There are some indications likewise  that my isp indeed blocked port 22 
and 
21 access for what they consider non standard applications i. e. Linux, 
which  is not on my desktop, or DOS, which is on my desktop.
i cannot update what does not exist for me.
I can however invest resources  where the solution  I have discovered does exist.
Karen



On Thu, 2 Aug 2018, Dan Purgert wrote:

> Karen Lewellen wrote:
> > 1.
> > I am not using Linux, but an ssh client compiled from a combination of
> > tools, Linux and otherwise, including putty.
> > I have been very firm in not stating that I use Linux at all.
>
> Kind of a bad move, what with this being a Debian (Linux) mailing list.
> Lot of wasted effort would've been saved.
>
> > In fact the first sentence of my question stated that while the issue is
> > complex, the question, where dh keys are generated, was simple.
>
> They're generated on the fly at the time of connection.  The server and
> client each (should) have a "moduli" file somewhere, where they can seed
> the DH key generation from (in whichever version of Debian I'm running
> on this test box, it happens to be /etc/ssh/moduli)
>
> > 2. I can state firmly that the port number  has absolutely a great  deal
> > to do with my issue.
>
> You can say that til you're blue in the face, it doesn't make you
> correct though.  As I said before, the selection of a standard vs.
> nonstandard port for ssh (or, any service for that matter) has no
> bearing on the Diffie-Hellman Key Exchange portion of the handshake.
>
> > best evidence?  your getting this e-mail at all.
>
> I assume you mean to imply that you're ssh'd into some remote host and
> it just so happens to be running a service on a nonstandard port.  See
> above for the refutation of this claim.
>
> > I am writing using a shell service that uses Ubuntu 16.04 as its
> > platform...same as dreamhost.
> > we do not use port 22 here, and I can use my ssh client to reach my
> > workspace..doing such as we speak..
> > Likewise  an associate who hosts their  own servers created a temp account
> > for   me, using port 4460...worked perfectly.
> > I respect other factors might  be involved, but my goal is the swiftest
> > solution that lets us move our services from dreamhost somewhere else to
> > which I can ssh from my desktop/
> > If choosing a location with a port other than 22 solves the issue, it is
> > good enough for me.
>
> The thing is, it's NOT the selection of the port that's making it work
> (or not) - it's a difference between your SSH client and the server's
> acceptable range for key moduli.
>
> For Openssh 6.7p1
>  DH_GRP_MIN  1024
>  DH_GRP_MAX  8192
>
>
> For Openssh 7.4
>  DH_GRP_MIN 2048
>  DH_GRP_MIN 8192
>
> Since you're running a series of ssh clients (? ... or a amalgamation of
> all of them ...?), it's up to you to check the various changelogs of
> them to see if you need updates (or if they've been abandoned or ... )
>
>
> --
> |_|O|_| Registered Linux user #585947
> |_|_|O| Github: https://github.com/dpurgert
> |O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281