DH Key negotiation in OpenSSH.
Balaraman, Srinath
srinath_balaraman at mentor.com
Sat Sep 15 15:03:51 EST 2007
Thanks a lot, Damien. Adjusting the LoginGraceTime solved my problem.
Srinath
-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org]
Sent: Friday, September 14, 2007 4:49 AM
To: Balaraman, Srinath
Cc: openssh-unix-dev at mindrot.org
Subject: Re: DH Key negotiation in OpenSSH.
On Thu, 13 Sep 2007, Balaraman, Srinath wrote:
> Hello All,
>
> I am trying to run an SSH client from an embedded Coldfire platform
> connecting to a Linux machine running OpenSSH v 3.9 p1. The DH Key
> negotiation on this Coldfire platform takes about 10 minutes before
> which the ssh daemon on the Linux box kicks this client out.
>
> I am trying to find out if there is a way to configure the ssh server
> daemon to "not kick out" any client no matter how long they take to
> respond?
You can adjust LoginGraceTime on the server, but if you have a NAT
between you and the server you might run afoul of expiring NAT states.
{Client,Server}AliveInterval won't help here, as IIRC they kick in after
key exchange.
There is a patch to add a faster, less secure key exchange method at
https://bugzilla.mindrot.org/b/1314 but we are loath to add more KEX
methods - these are direct increases in pre-auth attack surface.
-d
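As an added example (not part of the thread or of OpenSSH itself), a small POSIX shell helper that reads the effective LoginGraceTime from an sshd_config excerpt and checks whether it covers a client whose key exchange takes a given number of seconds. The config text is constructed; the parser honours sshd's time suffixes, its first-match rule, its 120-second default, and the special value 0 (no limit).

```shell
# Constructed sshd_config excerpt (not a real server's file).
SAMPLE_CONFIG='# sshd_config excerpt (constructed example)
Port 22
#LoginGraceTime 2m
LoginGraceTime 15m'

# Convert an sshd time value (120, 90s, 15m, 1h, 2d, 1w) to seconds.
to_seconds() {
    num=${1%[smhdw]}
    case "$1" in
        *s) echo "$num" ;;
        *m) echo $((num * 60)) ;;
        *h) echo $((num * 3600)) ;;
        *d) echo $((num * 86400)) ;;
        *w) echo $((num * 604800)) ;;
        *)  echo "$1" ;;
    esac
}

# Effective LoginGraceTime, in seconds, for a config read from stdin.
# sshd takes the first match, ignores commented lines, and defaults to 120.
effective_grace_time() {
    val=$(grep -iE '^[[:space:]]*LoginGraceTime[[:space:]]' | head -n1 | awk '{print $2}')
    to_seconds "${val:-120}"
}

# grace_covers_kex KEX_SECONDS CONFIG_TEXT
# Succeeds when the server would still be waiting after a key exchange
# of KEX_SECONDS (a value of 0 in the config disables the timer).
grace_covers_kex() {
    grace=$(printf '%s\n' "$2" | effective_grace_time)
    [ "$grace" -eq 0 ] || [ "$grace" -ge "$1" ]
}

# The poster's case: a ten-minute DH exchange against the sample config.
if grace_covers_kex 600 "$SAMPLE_CONFIG"; then
    echo "LoginGraceTime covers a 600s key exchange"
else
    echo "LoginGraceTime too short for a 600s key exchange"
fi
```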