[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: a dh keys question?

There is no error at all in any way shape or form that I am given indicating that there is a key range overflow. I have successfully reached locations with various editions of openssh, including in the 7 plus range...on a different port. There are some indications likewise that my isp indeed blocked port 22 and 21 access for what they consider non standard applications i. e. Linux, which is not on my desktop, or DOS, which is on my desktop.
i cannot update what does not exist for me.
I can however invest resources  where the solution  I have discovered does exist.

On Thu, 2 Aug 2018, Dan Purgert wrote:

Karen Lewellen wrote:
I am not using Linux, but an ssh client compiled from a combination of
tools, Linux and otherwise, including putty.
I have been very firm in not stating that I use Linux at all.

Kind of a bad move, what with this being a Debian (Linux) mailing list.
Lot of wasted effort would've been saved.

In fact the first sentence of my question stated that while the issue is
complex, the question, where dh keys are generated, was simple.

They're generated on the fly at the time of connection.  The server and
client each (should) have a "moduli" file somewhere, where they can seed
the DH key generation from (in whichever version of Debian I'm running
on this test box, it happens to be /etc/ssh/moduli)

2. I can state firmly that the port number  has absolutely a great  deal
to do with my issue.

You can say that til you're blue in the face, it doesn't make you
correct though.  As I said before, the selection of a standard vs.
nonstandard port for ssh (or, any service for that matter) has no
bearing on the Diffie-Hellman Key Exchange portion of the handshake.

best evidence?  your getting this e-mail at all.

I assume you mean to imply that you're ssh'd into some remote host and
it just so happens to be running a service on a nonstandard port.  See
above for the refutation of this claim.

I am writing using a shell service that uses Ubuntu 16.04 as its
platform...same as dreamhost.
we do not use port 22 here, and I can use my ssh client to reach my
workspace..doing such as we speak..
Likewise  an associate who hosts their  own servers created a temp account
for   me, using port 4460...worked perfectly.
I respect other factors might  be involved, but my goal is the swiftest
solution that lets us move our services from dreamhost somewhere else to
which I can ssh from my desktop/
If choosing a location with a port other than 22 solves the issue, it is
good enough for me.

The thing is, it's NOT the selection of the port that's making it work
(or not) - it's a difference between your SSH client and the server's
acceptable range for key moduli.

For Openssh 6.7p1
 DH_GRP_MIN  1024
 DH_GRP_MAX  8192

For Openssh 7.4
 DH_GRP_MIN 2048
 DH_GRP_MIN 8192

Since you're running a series of ssh clients (? ... or a amalgamation of
all of them ...?), it's up to you to check the various changelogs of
them to see if you need updates (or if they've been abandoned or ... )

|_|O|_| Registered Linux user #585947
|_|_|O| Github: https://github.com/dpurgert
|O|O|O| PGP: 05CA 9A50 3F2E 1335 4DC5  4AEE 8E11 DDF3 1279 A281

Reply to: