On Sat, 01 Mar 2014 22:24:46 +0000 mikep@xxxxxxxxxxxxxxx wrote:
>Built 'openssh-SNAP-20140301' on Solaris 10 with 'gcc'; no errors;
>'ssh' as 'root' now works (failed with 6.5p1).
>
>2 issues:
>
>In 'ssh_config', setting:
>
>  KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>
>used to allow connections to Cisco routers to work, but now the
>connection attempt hangs. With the current version, any one of:
>
>  KexAlgorithms diffie-hellman-group-exchange-sha1
>  KexAlgorithms diffie-hellman-group14-sha1
>  KexAlgorithms diffie-hellman-group1-sha1
>  KexAlgorithms diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
>
>works, but this hangs:
>
>  KexAlgorithms diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

As of OpenSSH 6.5, the size of the requested DH group (in DH GEX)
increased at every security level (per NIST SP 800-57). My guess is
Cisco's sshd implementation is RFC4419 non-compliant.

If this is the case, there's a *very* long thread on the ML which
discusses the DH GEX change. Search for "3des cipher and DH group size".

>On Sat, 1 Mar 2014, mancha wrote:
>
>> $ ./configure && make tests sysconfdir=$(pwd)
>>
>> This could be forced in the makefile's test target so it works
>> automagically.
>
>'make tests', 'make tests sysconfdir=$PWD' and 'make tests
>sysconfdir=/etc/ssh' all fail with:
>

Setting sysconfdir was a work-around for the dhgex.sh test.
openssh-SNAP-20140302+ disables that test.

--mancha
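The RFC 4419 exchange the reply above refers to, as an added example that is not part of the original thread and is not OpenSSH code: it builds the client's SSH_MSG_KEX_DH_GEX_REQUEST (min, n, max) and checks that the modulus in a server's SSH_MSG_KEX_DH_GEX_GROUP reply falls inside the requested range. The function names, the bit sizes and the sample moduli are constructed for illustration; the moduli are not primes and only their sizes matter.

```python
import struct

# Message numbers from RFC 4419, section 5.
SSH_MSG_KEX_DH_GEX_GROUP = 31
SSH_MSG_KEX_DH_GEX_REQUEST = 34


def gex_request(min_bits, n_bits, max_bits):
    """Payload of SSH_MSG_KEX_DH_GEX_REQUEST: byte type, uint32 min, n, max."""
    if not min_bits <= n_bits <= max_bits:
        raise ValueError("need min <= n <= max")
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST,
                       min_bits, n_bits, max_bits)


def put_mpint(value):
    """Encode a non-negative integer as an SSH mpint (RFC 4251, section 5)."""
    # One extra byte whenever the top bit would be set, so it reads as positive.
    raw = value.to_bytes(value.bit_length() // 8 + 1, "big") if value else b""
    return struct.pack(">I", len(raw)) + raw


def get_mpint(buf, off):
    """Decode an mpint at offset off; return (value, next_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated mpint length")
    (length,) = struct.unpack_from(">I", buf, off)
    end = off + 4 + length
    if end > len(buf):
        raise ValueError("truncated mpint body")
    return int.from_bytes(buf[off + 4:end], "big"), end


def check_gex_group(payload, min_bits, max_bits):
    """Parse SSH_MSG_KEX_DH_GEX_GROUP (mpint p, mpint g).

    Returns (in_range, modulus_bits): in_range is False when the server
    offers a modulus outside what the client said it would accept.
    """
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not SSH_MSG_KEX_DH_GEX_GROUP")
    p, off = get_mpint(payload, 1)
    _g, off = get_mpint(payload, off)
    bits = p.bit_length()
    return (min_bits <= bits <= max_bits, bits)


def sample_group(bits, g=2):
    """Constructed reply: a modulus of the given size (NOT a real prime)."""
    p = (1 << (bits - 1)) | 1
    return bytes([SSH_MSG_KEX_DH_GEX_GROUP]) + put_mpint(p) + put_mpint(g)
```

A peer that answers a larger request with a group below `min`, or never answers at all, matches the interoperability failure guessed at in the reply; comparing the request against the reply in a packet capture or `ssh -vvv` output narrows down which.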