Re: OpenSSH 6.6 - DH_GEX group out of range: 1536 !< 1024 !< 8192 [I]

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 





On 02/25/16 10:48, Alessandro Lomonaco wrote:
Classification: For internal use only

Hi all,

recently we've moved from OpenSSH 6.2 to OpenSSH 6.6. Since we moved we
have got problems with some sftp connection.

When we connect to some hosts we receive this error:

DH_GEX group out of range: 1536 !< 1024 !< 8192
Couldn't read packet: Connection reset by peer

Our OS is:  SUSE Linux Enterprise Server 11 SP4

We've read that is a known issue:
https://www.novell.com/support/kb/doc.php?id=7016904

We've tried to use this workaround: put in /etc/ssh_config this line:

KexAlgorithms
diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Well, you didn't follow the instructions in the article. It recommends to use diffie-hellman-group14-sha1 only.

This is unnecessarily limiting though. AFAIK you can remove groups with primes < 1536 from your moduli file and continue using diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1.

You really should not be using diffie-hellman-group1-sha1; it is believed attackers with nation state resources can tap ssh connections negotiated with diffie-hellman-group1-sha1 [1].

Tomas

[1] https://weakdh.org/


It works for some sftp connection, but not all.

Can you help us ? Can you explains us why some connection work and other
not ?

Kind regards,
Alessandro Lomonaco

____________________________________________________



Alessandro Lomonaco
Erptech S.p.A. | External Consultant

DB Consorzio S. Cons. a r. l.
GT Production EMEA
Piazza del Calendario, 3, 20126 Milano, Italy
Tel. +39 02 4024-3742
Email alessandro.lomonaco@xxxxxx



_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux