Alessandro Lomonaco
2016-Feb-25 09:48 UTC
OpenSSH 6.6 - DH_GEX group out of range: 1536 !< 1024 !< 8192 [I]
Classification: For internal use only

Hi all,

recently we've moved from OpenSSH 6.2 to OpenSSH 6.6. Since we moved we have got problems with some sftp connections.

When we connect to some hosts we receive this error:

DH_GEX group out of range: 1536 !< 1024 !< 8192
Couldn't read packet: Connection reset by peer

Our OS is: SUSE Linux Enterprise Server 11 SP4

We've read that it is a known issue:
https://www.novell.com/support/kb/doc.php?id=7016904

We've tried to use this workaround: put in /etc/ssh_config this line:

KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

It works for some sftp connections, but not all.

Can you help us? Can you explain to us why some connections work and others not?

Kind regards,
Alessandro Lomonaco

____________________________________________________

Alessandro Lomonaco
Erptech S.p.A. | External Consultant

DB Consorzio S. Cons. a r. l.
GT Production EMEA
Piazza del Calendario, 3, 20126 Milano, Italy
Tel. +39 02 4024-3742
Email alessandro.lomonaco at db.com

--
Information (including mandatory particulars) on the individual companies and branches of the Deutsche Bank group operating within the EU can be found at http://www.deutsche-bank.de/de/content/pflichtangaben.htm. This e-mail contains confidential and/or legally protected information. If you are not the intended recipient or have received this e-mail in error, please inform the sender immediately and destroy this e-mail. Unauthorized copying and unauthorized forwarding of this e-mail are not permitted.

Please refer to http://www.db.com/en/content/eu_disclosures.htm for information (including mandatory corporate particulars) on selected Deutsche Bank branches and group companies registered or incorporated in the European Union. This e-mail may contain confidential and/or privileged information. If you are not the intended recipient (or have received this e-mail in error) please notify the sender immediately and delete this e-mail. Any unauthorized copying, disclosure or distribution of the material in this e-mail is strictly forbidden.
Tomas Kuthan
2016-Feb-25 10:30 UTC
OpenSSH 6.6 - DH_GEX group out of range: 1536 !< 1024 !< 8192 [I]
On 02/25/16 10:48, Alessandro Lomonaco wrote:
> Classification: For internal use only
>
> Hi all,
>
> recently we've moved from OpenSSH 6.2 to OpenSSH 6.6. Since we moved we
> have got problems with some sftp connections.
>
> When we connect to some hosts we receive this error:
>
> DH_GEX group out of range: 1536 !< 1024 !< 8192
> Couldn't read packet: Connection reset by peer
>
> Our OS is: SUSE Linux Enterprise Server 11 SP4
>
> We've read that it is a known issue:
> https://www.novell.com/support/kb/doc.php?id=7016904
>
> We've tried to use this workaround: put in /etc/ssh_config this line:
>
> KexAlgorithms
> diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Well, you didn't follow the instructions in the article. It recommends to use diffie-hellman-group14-sha1 only.

This is unnecessarily limiting though. AFAIK you can remove groups with primes < 1536 from your moduli file and continue using diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1.

You really should not be using diffie-hellman-group1-sha1; it is believed attackers with nation state resources can tap ssh connections negotiated with diffie-hellman-group1-sha1 [1].

Tomas

[1] https://weakdh.org/

> It works for some sftp connections, but not all.
>
> Can you help us? Can you explain to us why some connections work and others
> not?
>
> Kind regards,
> Alessandro Lomonaco
>
> ____________________________________________________
>
> Alessandro Lomonaco
> Erptech S.p.A. | External Consultant
>
> DB Consorzio S. Cons. a r. l.
> GT Production EMEA
> Piazza del Calendario, 3, 20126 Milano, Italy
> Tel. +39 02 4024-3742
> Email alessandro.lomonaco at db.com
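The two numbers that decide the outcome are visible in the quoted error: the client now refuses any group below 1536 bits, and a server whose smallest configured group is 1024 bits hits that limit, while servers offering larger groups keep working. The script below is an added example, not code from either poster or from OpenSSH; it mirrors the shape of the quoted range check and implements the moduli-file pruning Tomas suggests. The moduli lines are constructed placeholders in the seven-field format OpenSSH's moduli(5) uses (the size field is the bit length minus one); the modulus values are not real safe primes, and `gex_check`, `prune_moduli` and `smallest_group_bits` are names chosen here.

```python
"""DH_GEX range check and moduli-file pruning (added example, not OpenSSH code).

The limits 1536 and 8192 are taken from the error quoted in the thread; the
moduli sample is constructed and its moduli are placeholders, not primes.
"""

# Client-side limits as they appear in the quoted error message.
DH_GRP_MIN = 1536
DH_GRP_MAX = 8192


def gex_check(min_bits: int, got_bits: int, max_bits: int):
    """Mirror the client's acceptance test on the group the server sent.

    Returns None when the group is acceptable, otherwise the error text in
    the same shape the thread quotes. A server whose smallest configured
    group is 1024 bits produces exactly the failing case from the thread.
    """
    if min_bits > got_bits or got_bits > max_bits:
        return f"DH_GEX group out of range: {min_bits} !< {got_bits} !< {max_bits}"
    return None


def _placeholder_modulus(bits: int) -> str:
    # Constructed value with the top bit set so bit_length() == bits.
    # It is NOT a prime; only its size matters for this demonstration.
    return format((1 << (bits - 1)) | 1, "x")


# Constructed sample in the moduli(5) layout:
# time type tests tries size generator modulus   (size == bit length - 1)
SAMPLE_MODULI = "\n".join([
    "# Time Type Tests Tries Size Generator Modulus",
    f"20160225000000 2 6 100 1023 2 {_placeholder_modulus(1024)}",
    f"20160225000000 2 6 100 1535 2 {_placeholder_modulus(1536)}",
    f"20160225000000 2 6 100 2047 2 {_placeholder_modulus(2048)}",
]) + "\n"


def prune_moduli(text: str, min_bits: int = DH_GRP_MIN):
    """Return (kept_text, dropped_lines).

    Comments and blank lines pass through. A group line is kept only if its
    modulus really has at least min_bits bits AND the size field agrees with
    the modulus (size == bits - 1); malformed lines are dropped as well, so a
    corrupt or hand-edited file cannot slip a small group past the filter.
    """
    kept, dropped = [], []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            kept.append(line)
            continue
        fields = line.split()
        try:
            if len(fields) != 7:
                raise ValueError("wrong field count")
            size = int(fields[4])
            bits = int(fields[6], 16).bit_length()
        except ValueError:
            dropped.append(line)
            continue
        if bits != size + 1 or bits < min_bits:
            dropped.append(line)
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", dropped


def smallest_group_bits(text: str):
    """Smallest group a server using this moduli file can hand out, or None."""
    sizes = [
        int(line.split()[6], 16).bit_length()
        for line in text.splitlines()
        if line.strip() and not line.lstrip().startswith("#")
    ]
    return min(sizes) if sizes else None


if __name__ == "__main__":
    # The failing case from the thread: a 1024-bit group against a 1536 minimum.
    print(gex_check(DH_GRP_MIN, 1024, DH_GRP_MAX))
    pruned, dropped = prune_moduli(SAMPLE_MODULI)
    print(f"dropped {len(dropped)} group(s); smallest remaining: "
          f"{smallest_group_bits(pruned)} bits")
    # After pruning, the smallest group the server can offer passes the check.
    print(gex_check(DH_GRP_MIN, smallest_group_bits(pruned), DH_GRP_MAX))
```

Run against a real `/etc/ssh/moduli` copy, `prune_moduli` tells a server operator whether the file still contains groups a 1536-minimum client will reject; `smallest_group_bits` on the original and pruned text shows the before/after picture without touching the live file.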