VPN MTU limit breaks ssh connection to openssh 6.2p2 server
Damien Miller
djm at mindrot.org
Fri Nov 8 13:54:16 EST 2013
On Thu, 7 Nov 2013, Ernst Kratschmer wrote:
> Dear openssh developer,
>
> I want to use a Win7 client with putty to access a Linux host running an
> openssh 6.2p2 through a VPN connection. These connections worked relatively
> flawlessly with all versions of openssh up until openssh 6.1p1. Since the
> openssh 6.2p2 upgrade the ssh connections fail consistently with a message:
> Network error, connection reset by peer. After inspecting the tcp
> transmission between the putty client and openssh server it appears that
> the maximum MTU limit of 1362 of the VPN connection causes the server to
> break the 1460 byte cipher string into two packets. At that point the ssh
> client, putty or openssh, resets the connection.
>
> This was not a problem with openssh 6.1p1 since the cipher string was only
> 1106 bytes and therefore transmitted in one packet. Since I am stuck with
> the VPN MTU limit of 1362, I am hoping that you could help in some form to
> get the ssh connection working again by, e.g., limiting the cipher string to
> less than 1322 bytes?
I don't think this is something we can fix in OpenSSH. You could work
around it by shrinking the list of ciphers/MACs/key exchange algorithms
that are offered using sshd_config's "Ciphers", "MACs" and "KexAlgorithms"
options.
-d
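
The workaround above can be checked before touching a server. This is an added example, not part of the original message and not OpenSSH code: it builds an unencrypted SSH_MSG_KEXINIT packet from algorithm lists and tests it against the thread's limit of MTU 1362 minus 40 bytes of headers. The function names and the sample lists are constructed for illustration, and it assumes IPv4, no TCP options, and KEXINIT sent alone in its segment.

```python
import struct

def name_list(names: str) -> bytes:
    """RFC 4251 name-list: uint32 length, then the comma-separated names."""
    return struct.pack(">I", len(names)) + names.encode("ascii")

def kexinit_packet(kex, hostkey, ciphers, macs, comp="none,zlib@openssh.com"):
    """Unencrypted SSH_MSG_KEXINIT binary packet (RFC 4253, sections 6 and 7.1)."""
    payload = bytes([20]) + bytes(16)  # message number 20, cookie (zeroed here)
    # Ciphers, MACs and compression go out once per direction; languages are empty.
    for nl in (kex, hostkey, ciphers, ciphers, macs, macs, comp, comp, "", ""):
        payload += name_list(nl)
    payload += bytes(5)  # first_kex_packet_follows = false, reserved uint32 = 0
    pad = 8 - (5 + len(payload)) % 8  # whole packet is a multiple of 8 bytes
    if pad < 4:  # and carries at least 4 bytes of padding
        pad += 8
    return struct.pack(">IB", 1 + len(payload) + pad, pad) + payload + bytes(pad)

def fits_one_segment(packet: bytes, mtu: int, headers: int = 40) -> bool:
    """True if packet fits one TCP segment; 40 = IPv4 + TCP headers, no options."""
    return len(packet) <= mtu - headers

# Constructed sample offers, not taken from the thread's capture.
KEX = "ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
HOSTKEY = "ssh-rsa,ecdsa-sha2-nistp256"
WIDE_CIPHERS = (
    "aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-gcm@openssh.com,"
    "aes256-gcm@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,"
    "aes256-cbc,arcfour,rijndael-cbc@lysator.liu.se")
WIDE_MACS = (
    "hmac-md5-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64-etm@openssh.com,"
    "umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,"
    "hmac-sha2-512-etm@openssh.com,hmac-ripemd160-etm@openssh.com,"
    "hmac-sha1-96-etm@openssh.com,hmac-md5-96-etm@openssh.com,hmac-md5,hmac-sha1,"
    "umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,"
    "hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96")
# Shortened values of the kind sshd_config's "Ciphers" and "MACs" options take.
NARROW_CIPHERS = "aes128-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com"
NARROW_MACS = ("hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,"
               "hmac-sha2-256,hmac-sha2-512")

if __name__ == "__main__":
    for label, c, m in (("wide", WIDE_CIPHERS, WIDE_MACS),
                        ("narrow", NARROW_CIPHERS, NARROW_MACS)):
        pkt = kexinit_packet(KEX, HOSTKEY, c, m)
        print(label, len(pkt), "bytes, fits MTU 1362:", fits_one_segment(pkt, 1362))
```

Each cipher and MAC list is sent once per direction, so trimming those two options shrinks the packet by twice the bytes removed.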