OpenSSH 6.6 - DH_GEX group out of range: 1536 !< 1024 !< 8192 [I]

Tomas Kuthan tomas.kuthan at oracle.com
Thu Feb 25 21:30:52 AEDT 2016



On 02/25/16 10:48, Alessandro Lomonaco wrote:
> Hi all,
>
> recently we've moved from OpenSSH 6.2 to OpenSSH 6.6. Since we moved we
> have had problems with some sftp connections.
>
> When we connect to some hosts we receive this error:
>
> DH_GEX group out of range: 1536 !< 1024 !< 8192
> Couldn't read packet: Connection reset by peer
>
> Our OS is:  SUSE Linux Enterprise Server 11 SP4
>
> We've read that it is a known issue:
> https://www.novell.com/support/kb/doc.php?id=7016904
>
> We've tried to use this workaround: put in /etc/ssh_config this line:
>
> KexAlgorithms
> diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

Well, you didn't follow the instructions in the article. It recommends
using diffie-hellman-group14-sha1 only.

This is unnecessarily limiting though. AFAIK you can remove groups with
primes < 1536 from your moduli file and continue using
diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1.

You really should not be using diffie-hellman-group1-sha1; it is
believed attackers with nation state resources can tap ssh connections
negotiated with diffie-hellman-group1-sha1 [1].

Tomas

[1] https://weakdh.org/

>
> It works for some sftp connection, but not all.
>
> Can you help us? Can you explain to us why some connections work and others
> do not?
>
> Kind regards,
> Alessandro Lomonaco
>
> ____________________________________________________
>
>
>
> Alessandro Lomonaco
> Erptech S.p.A. | External Consultant
>
> DB Consorzio S. Cons. a r. l.
> GT Production EMEA
> Piazza del Calendario, 3, 20126 Milano, Italy
> Tel. +39 02 4024-3742
> Email alessandro.lomonaco at db.com
>
>
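The server-side fix Tomas describes (dropping small groups from the moduli file) and the client-side range check behind the error message, as an added example that is not part of the thread. It assumes the moduli(5) layout (time type tests tries size generator modulus) with the size column being the prime length in bits minus one, and a client check of min <= bits <= max as in OpenSSH's kexgexc.c; the sample lines and primes are constructed placeholders.

```python
from typing import List, Optional

# Constructed sample moduli lines; the "primes" are placeholders, not real groups.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20160101000000 2 6 100 1023 2 DEADBEEF
20160101000000 2 6 100 1535 2 CAFEBABE
20160101000000 2 6 100 2047 2 FEEDFACE
20160101000000 2 6 100 8191 2 BAADF00D
"""


def group_bits(line: str) -> Optional[int]:
    """Return the prime length in bits for a moduli line, None for comments/blank."""
    fields = line.split()
    if not fields or fields[0].startswith("#") or len(fields) < 7:
        return None
    # The size column is one less than the prime length (2047 for a 2048-bit prime).
    return int(fields[4]) + 1


def filter_moduli(text: str, min_bits: int) -> List[str]:
    """Keep comments and every group whose prime is at least min_bits long."""
    kept = []
    for line in text.splitlines():
        bits = group_bits(line)
        if bits is None or bits >= min_bits:
            kept.append(line)
    return kept


def gex_range_error(min_bits: int, bits: int, max_bits: int) -> Optional[str]:
    """Emulate the client check: None if the offered group is acceptable,
    otherwise the OpenSSH-style disconnect message quoted in the thread."""
    if bits < min_bits or bits > max_bits:
        return f"DH_GEX group out of range: {min_bits} !< {bits} !< {max_bits}"
    return None


if __name__ == "__main__":
    # A client with min 1536 rejects the 1024-bit group the server picked.
    print(gex_range_error(1536, 1024, 8192))
    # What the server's moduli file would look like with groups < 1536 removed.
    print("\n".join(filter_moduli(SAMPLE_MODULI, 1536)))
```

The filtered lines are what would be written back to the server's moduli file; the client-side strings only explain which of the three numbers in the message is the offered group.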



More information about the openssh-unix-dev mailing list