DH Key negotiation in OpenSSH.

Damien Miller djm at mindrot.org
Fri Sep 14 19:48:55 EST 2007

On Thu, 13 Sep 2007, Balaraman, Srinath wrote:

> Hello All,
> I am trying to run an SSH client from an embedded Coldfire platform
> connecting to a Linux machine running OpenSSH v 3.9 p1. The DH Key
> negotiation on this Coldfire platform takes about 10 minutes before
> which the ssh daemon on the Linux box kicks this client out.
> I am trying to find out if there is a way to configure the ssh server
> daemon to "not kick out" any client no matter how long they take to
> respond?

You can adjust LoginGraceTime on the server, but if you have a NAT
between you and the server you might run afoul of expiring NAT states.
{Client,Server}AliveInterval won't help here, as IIRC they kick in after
key exchange.

There is a patch to add a faster, less secure key exchange method at
https://bugzilla.mindrot.org/b/1314 but we are loath to add more KEX
methods - these are direct increases in pre-auth attack surface.
