FYI HEAD now refuses <1024 bit DH keys in group-exchange

Damien Miller djm at
Sat Oct 17 06:07:44 AEDT 2015


I just committed a change to HEAD that raises the minimum Diffie-Hellman
group size that the client will accept from 1024 to 2048 bits.
Connections to well-behaved servers should not be affected by this
change, but I've identified at least one case where a misconfigured
server can cause connection failure. The errors look like:

> ssh_dispatch_run_fatal: Connection to DH GEX group out of
> range

The problematic software is OpenSSH <3.9 or Sun_SSH (all versions).
It will use a fixed 1024 bit DH group as an implicit fallback if
/etc/ssh/moduli is missing, unreadable or empty.

Hopefully nobody is still using such an ancient OpenSSH (>10 years
old!), so the Sun_SSH case is more likely. If this change prevents you
from connecting to a server, then the workaround is to explicitly use
the weak diffie-hellman-group1-sha1 key exchange method to connect, i.e.

ssh -oKexAlgorithms=diffie-hellman-group1-sha1 user at host

Once you are logged in, restore a good /etc/ssh/moduli (you can copy
one from OpenSSH HEAD[1]), log out and try to log in again without the
KexAlgorithms option. It should work fine.

We always appreaciate reports from people who are able to test HEAD in
their environments and I'm particularly interested in reports of similar



More information about the openssh-unix-dev mailing list