Re: a dh keys question?

To: debian-user@lists.debian.org
Subject: Re: a dh keys question?
From: Dan Purgert <dan@djph.net>
Date: Wed, 1 Aug 2018 10:17:09 -0000 (UTC)
Message-id: <[🔎] slrnpm3255.krt.dan@xps-linux.djph.net>
References: <Pine.LNX.4.64.1807311128590.26432@server2.shellworld.net> <20180731155743.jex75ctoeot43g57@randomstring.org> <[🔎] bf53281f-e7c1-e511-68bc-0a1c059e8aec@walnut.gen.nz>

Richard Hector wrote:
> On 01/08/18 03:57, Dan Ritter wrote:
>> On Tue, Jul 31, 2018 at 11:38:34AM -0400, Karen Lewellen wrote:
>>> I have a problem now where each place I try to visit using my ssh
>>> client, and my sftp one, I am getting a dh key exchange failure.
>>> using the -v command  is not shedding light on the issue. I am using
>>> the same client now to reach another  service, but here  we use a
>>> different port from port 22. the error started on the 29th of June,
>>> and the company providing my dsl service did claim to have a service
>>> issue on that day. However they do not speak Linux let alone
>>> anything else Unusual.
>>> Thoughts?
>>
>> Are you having problems SSHing to all servers that you try, or
>> just to one in particular?
>>
>> If it's just one, and that one uses a port other than 22, it's
>> likely that your DSL company started filtering that port on the
>> 29th.
>
> If it was a simple port filtering issue, then you'd get something like
> 'Connection Refused' or 'Destination unreachable' or 'Connection timed
> out' - you wouldn't get as far as dh key exchange.
>
> I'm not an expert in this, so might have some details wrong, but I think
> the gist of it is right. Happy to be corrected.

Precisely.  DH failures are typically because one end or the other is
trying to use an "out of bounds" keysize.  E.g. you have a SSH 7.x
client, and the server is 6.0 or lower.

The error message is _probably_ something like this, right (note - may
require "ssh -vv" in order to see):

   debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1536<3072<8192) sent
   debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
   DH_GEX group out of range: 1536 !< 1024 !< 8192`

The likely cause is that you're trying to use the KexAlgorithm
"diffie-hellman-group-exchange-sha256". 

A simple check to make things work is running the ssh command as 

  ssh -oKexAlgorithms="diffie-hellman-group14-sha1" you@host

This WILL limit you to the single KexAlgorithm noted, but we're only
using it to force a cipher that pretty much will go through.

-- 
|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281

Reply to:

Follow-Ups:
- Re: a dh keys question?
  - From: Karen Lewellen <klewellen@shellworld.net>

References:
- Re: a dh keys question?
  - From: Richard Hector <richard@walnut.gen.nz>

Prev by Date: Re: how to prevent security update installation during stretch installation
Next by Date: Re[2]: Set the MTU on the interface
Previous by thread: Re: a dh keys question?
Next by thread: Re: a dh keys question?
Index(es):
- Date
- Thread