On 02/25/16 10:48, Alessandro Lomonaco wrote:
Hi all,

recently we've moved from OpenSSH 6.2 to OpenSSH 6.6. Since we moved we have got problems with some sftp connections. When we connect to some hosts we receive this error:

DH_GEX group out of range: 1536 !< 1024 !< 8192
Couldn't read packet: Connection reset by peer

Our OS is: SUSE Linux Enterprise Server 11 SP4

We've read that this is a known issue: https://www.novell.com/support/kb/doc.php?id=7016904

We've tried to use this workaround: put in /etc/ssh_config this line:

KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
Well, you didn't follow the instructions in the article. It recommends using diffie-hellman-group14-sha1 only.
This is unnecessarily limiting though. AFAIK you can remove groups with primes < 1536 from your moduli file and continue using diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1.
You really should not be using diffie-hellman-group1-sha1; it is believed attackers with nation state resources can tap ssh connections negotiated with diffie-hellman-group1-sha1 [1].
Tomas

[1] https://weakdh.org/
It works for some sftp connections, but not all. Can you help us? Can you explain to us why some connections work and others not?

Kind regards,
Alessandro Lomonaco

Alessandro Lomonaco
Erptech S.p.A. | External Consultant
DB Consorzio S. Cons. a r. l.
GT Production EMEA
Piazza del Calendario, 3, 20126 Milano, Italy
Tel. +39 02 4024-3742
Email alessandro.lomonaco@xxxxxx
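The moduli pruning Tomas suggests, together with the client-side range check that produces the "DH_GEX group out of range" error quoted above, as an added example (not code from the thread or from OpenSSH itself). The sample moduli lines are constructed with a placeholder modulus column; the layout follows moduli(5), where the size column holds the prime length minus one.

```python
# Added example: prune an OpenSSH moduli file to groups of at least MIN_BITS
# and reproduce the client's DH GEX range check from the thread.
MIN_BITS = 1536  # the client's minimum, taken from the error in the thread

# Constructed sample in moduli(5) layout:
#   time type tests trials size generator modulus
# The size column is the prime length minus one (1023 = 1024-bit group);
# the modulus column is a placeholder, not a real prime.
SAMPLE_MODULI = """\
# comment lines are skipped
20120821044040 2 6 100 1023 5 DEADBEEF
20120821044041 2 6 100 1535 2 DEADBEEF
20120821044042 2 6 100 2047 2 DEADBEEF
20120821044043 2 6 100 4095 5 DEADBEEF
"""


def prime_bits(line):
    """Prime length in bits for one moduli line; None for blank/comment lines."""
    fields = line.split()
    if not fields or fields[0].startswith("#"):
        return None
    if len(fields) != 7:
        raise ValueError(f"malformed moduli line: {line!r}")
    return int(fields[4]) + 1  # file stores size-1; the group is one bit larger


def filter_moduli(text, min_bits=MIN_BITS):
    """Split moduli lines into (kept, dropped) by minimum prime length."""
    kept, dropped = [], []
    for line in text.splitlines():
        bits = prime_bits(line)
        if bits is None:
            continue
        (kept if bits >= min_bits else dropped).append(line)
    return kept, dropped


def gex_client_check(client_min, server_bits, client_max):
    """Return the client's error text if the server's group is outside [min, max]."""
    if not client_min <= server_bits <= client_max:
        return f"DH_GEX group out of range: {client_min} !< {server_bits} !< {client_max}"
    return None


if __name__ == "__main__":
    kept, dropped = filter_moduli(SAMPLE_MODULI)
    print("kept:", [prime_bits(l) for l in kept], "dropped:", [prime_bits(l) for l in dropped])
    print(gex_client_check(1536, 1024, 8192))  # the error quoted in the thread
```

A server whose only remaining groups satisfy the filter can no longer hand the client a 1024-bit group, which is why Tomas's approach removes the failure without dropping the group-exchange methods.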