Re: a dh keys question?

Karen Lewellen wrote:
> 1.
> I am not using Linux, but an ssh client compiled from a combination of 
> tools, Linux and otherwise, including putty.
> I have been very firm in not stating that I use Linux at all.

Kind of a bad move, what with this being a Debian (Linux) mailing list.
A lot of wasted effort would've been saved.

> In fact the first sentence of my question stated that while the issue is 
> complex, the question, where dh keys are generated, was simple.

They're generated on the fly at the time of connection.  The server and
client each (should) have a "moduli" file somewhere, where they can seed
the DH key generation from (in whichever version of Debian I'm running
on this test box, it happens to be /etc/ssh/moduli)

> 2. I can state firmly that the port number has absolutely a great deal 
> to do with my issue.

You can say that 'til you're blue in the face, it doesn't make you
correct though.  As I said before, the selection of a standard vs.
nonstandard port for ssh (or, any service for that matter) has no
bearing on the Diffie-Hellman Key Exchange portion of the handshake.

> best evidence?  you're getting this e-mail at all.

I assume you mean to imply that you're ssh'd into some remote host and
it just so happens to be running a service on a nonstandard port.  See
above for the refutation of this claim.

> I am writing using a shell service that uses Ubuntu 16.04 as its 
> platform...same as dreamhost.
> we do not use port 22 here, and I can use my ssh client to reach my 
> workspace..doing such as we speak..
> Likewise an associate who hosts their own servers created a temp account 
> for me, using port 4460...worked perfectly.
> I respect other factors might  be involved, but my goal is the swiftest 
> solution that lets us move our services from dreamhost somewhere else to 
> which I can ssh from my desktop/
> If choosing a location with a port other than 22 solves the issue, it is 
> good enough for me.

The thing is, it's NOT the selection of the port that's making it work
(or not) - it's a difference between your SSH client and the server's
acceptable range for key moduli.  

For Openssh 6.7p1
  DH_GRP_MIN  1024
  DH_GRP_MAX  8192


For Openssh 7.4
  DH_GRP_MIN 2048
  DH_GRP_MAX 8192

Since you're running a series of ssh clients (? ... or an amalgamation of
all of them ...?), it's up to you to check the various changelogs of
them to see if you need updates (or if they've been abandoned or ... )


-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281
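The point the reply makes (a diffie-hellman-group-exchange failure comes from the client's and server's acceptable modulus sizes not overlapping, and from what the server's moduli file contains, not from the port) is easier to see as a small model of the negotiation. The script below is an added example for this thread, not code from the poster or from OpenSSH. It assumes the moduli(5) column layout (time, type, tests, trials, size, generator, modulus) where the size column is one less than the bit length of the prime, assumes that only type-2 (safe prime) entries are used, and models sshd's group choice in simplified form: the client's [min, nbits, max] request is clamped into the server's compiled-in DH_GRP_MIN..DH_GRP_MAX window, then the smallest group of at least nbits is chosen, falling back to the largest group below it. The moduli lines are constructed and the hex modulus column is filler, not real primes.

```python
"""Simplified model of SSH diffie-hellman-group-exchange group selection.

Added example for the thread above; not the poster's or OpenSSH's code.
Assumptions (labelled):
  * moduli(5) layout: time type tests trials size generator modulus,
    where 'size' is the bit length of the prime minus one (2047 -> 2048-bit);
  * sshd only uses type 2 (safe prime) entries;
  * sshd clamps the client's [min, max] into its own DH_GRP_MIN..DH_GRP_MAX
    window before searching the moduli file (simplified choose_dh()).
Note that nothing in this computation involves a port number.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt in moduli(5) layout.  The modulus column is filler,
# NOT real primes; only the size/type/generator columns matter here.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20170101000000 2 6 100 1023 2 DEADBEEF0001
20170101000000 2 6 100 2047 2 DEADBEEF0002
20170101000000 4 6 100 2047 2 DEADBEEF0003
20170101000000 2 6 100 3071 2 DEADBEEF0004
20170101000000 2 6 100 4095 5 DEADBEEF0005
20170101000000 2 6 100 8191 2 DEADBEEF0006
"""

# Compiled-in windows quoted in the reply above.
OPENSSH_6_7 = (1024, 8192)   # (DH_GRP_MIN, DH_GRP_MAX)
OPENSSH_7_4 = (2048, 8192)


@dataclass(frozen=True)
class Modulus:
    bits: int          # bit length of the prime (size column + 1)
    generator: int
    modulus_hex: str


def parse_moduli(text: str) -> List[Modulus]:
    """Parse moduli(5)-style text; skip comments, blank or malformed lines,
    and any entry that is not a type-2 safe prime."""
    groups: List[Modulus] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue                      # malformed line: ignore it
        _time, mtype, _tests, _tries, size, gen, mod = fields
        if mtype != "2":                  # only safe primes are usable
            continue
        groups.append(Modulus(bits=int(size) + 1, generator=int(gen), modulus_hex=mod))
    return groups


def choose_group(moduli: List[Modulus],
                 client_min: int, client_nbits: int, client_max: int,
                 server_min: int, server_max: int) -> Optional[int]:
    """Return the bit length of the group the server would offer, or None
    when the request cannot be satisfied (sshd aborts the exchange with
    'DH GEX group out of range' or finds no usable modulus)."""
    lo = max(client_min, server_min)      # clamp the client's request into
    hi = min(client_max, server_max)      # the server's compiled-in window
    if lo > hi:
        return None                       # the two ranges do not overlap
    nbits = min(max(client_nbits, lo), hi)
    candidates = [m.bits for m in moduli if lo <= m.bits <= hi]
    if not candidates:
        return None                       # window is fine, moduli file is not
    at_least = [b for b in candidates if b >= nbits]
    return min(at_least) if at_least else max(candidates)


if __name__ == "__main__":
    groups = parse_moduli(SAMPLE_MODULI)
    print("server moduli (bits):", [g.bits for g in groups])
    # A client fixed on 1024-bit groups works against 6.7 but not against 7.4,
    # whatever port either server listens on.
    for name, window in (("6.7p1", OPENSSH_6_7), ("7.4", OPENSSH_7_4)):
        print(f"1024-only client vs OpenSSH {name}:",
              choose_group(groups, 1024, 1024, 1024, *window))
    # A client that allows 1024..8192 and asks for 3072 is fine against both.
    print("wide-range client vs OpenSSH 7.4:",
          choose_group(groups, 1024, 3072, 8192, *OPENSSH_7_4))
```

Run it with a real `/etc/ssh/moduli` by reading that file into `parse_moduli` instead of the constructed sample; the `choose_group` result for the client's (min, nbits, max) request is what to compare across the two servers in the thread, and the listening port never enters into it.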