Hi Guys:
I have openssh-7.2_p2 installed on my linux box and putty-0.67. Putty works fine so we’ll leave that.
Open ssh throws the following error when I try and connect to a WR41/44:
jserink@jserinki7 ~ $ ssh -p 22222 mskroot@192.168.173.1
Received disconnect from 192.168.173.1 port 22222:3: Protocol error: no matching DH grp found
Disconnected from 192.168.173.1 port 22222
So I tried this:
jserink@jserinki7 ~ $ ssh -p 22222 -o KexAlgorithms=+diffie-hellman-group1-sha1 mskroot@192.168.173.1
Received disconnect from 192.168.173.1 port 22222:3: Protocol error: no matching DH grp found
Disconnected from 192.168.173.1 port 22222
Same error.
So I tried this:
jserink@jserinki7 ~ $ ssh -p 22222 -o KexAlgorithms=curve25519-sha256@libssh.org mskroot@192.168.173.1
Unable to negotiate with 192.168.173.1 port 22222: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
But the error message says to try something that has already failed.
I've enabled all the auth and cyphers in the ssh setup.
I ticked the DEBUG box but have no idea where to find the debug information.
Any help would be appreciated.
Cheers,
john
Hi John
If you have enabled Debug on SSH you can see the output on a serial or telnet session:
DEBUG 0 (from cli)
DEBUG T (From Telnet )
If you are using port 2222, are you using a different instance of the SSH server? How have you got this configured?
If you try to connect to the normal ssh server on port 22, what happens?
Could you send in the bit of the SSH configuration?
regards
James
Ok, will look at the telnet output.
I changed the ssh port to 22222 as port 22 gets continually probed; switching the port to 22222 solves that.
Cheers,
John
Here is the debug:
SSH: state machine state 5
SSH: got SSH2_MSG_KEX_DH_GEX_REQUEST msg
SSH: DH_GEX_REQUEST, bad parameters: their min 2048 > our max
SSH: their max 8192 < our min 1024
From here:
https://www.novell.com/support/kb/doc.php?id=7016904
A change was made to the openssh package, dealing with Diffie-Hellman Group Exchange. Previously, keys of size 1024 - 8192 could be exchanged. The minimum was raised to 1536 for added security and to avoid the “logjam” vulnerability. However, if used with some 3rd party ssh implementations which only support 1024, failure will occur. Ideally, the 3rd party ssh configuration or code should be updated to use larger key sizes.
I will try a FW update and see if that fixes it.
The DH group exchange max of 1024 on the Digi is no longer accepted by the openssh client.
Cheers,
John
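To make the debug lines above concrete, here is an added Python model (not Digi's or OpenSSH's code) of the RFC 4419 group-exchange negotiation the client and router are failing at: the client's window is taken from the debug output, while the preferred size n and the pre-logjam client defaults are assumed values.

```python
from dataclasses import dataclass
from typing import Optional

# Model of RFC 4419 group negotiation (SSH2_MSG_KEX_DH_GEX_REQUEST):
# the client sends (min, n, max) modulus sizes in bits; the server must
# answer with a group whose modulus size lies in [min, max], as close to
# the preferred size n as it can. If nothing fits, the exchange fails.

@dataclass(frozen=True)
class GexRequest:
    min_bits: int   # smallest modulus the client will accept
    n_bits: int     # the client's preferred modulus size
    max_bits: int   # largest modulus the client will accept


def choose_group(req: GexRequest, server_groups: list[int]) -> Optional[int]:
    """Return the modulus size the server would pick, or None when the
    client's [min, max] window and the server's available groups do not
    overlap (the 'no matching DH grp found' case)."""
    if not req.min_bits <= req.n_bits <= req.max_bits:
        raise ValueError("malformed GEX request: need min <= n <= max")
    fitting = [g for g in server_groups if req.min_bits <= g <= req.max_bits]
    if not fitting:
        return None
    # Closest to n; on a tie prefer the larger (stronger) group.
    return min(fitting, key=lambda g: (abs(g - req.n_bits), -g))


def diagnose(req: GexRequest, server_groups: list[int]) -> str:
    """Human-readable verdict in the style of the Digi debug lines."""
    chosen = choose_group(req, server_groups)
    if chosen is not None:
        return f"ok: server picks a {chosen}-bit group"
    lo, hi = min(server_groups), max(server_groups)
    if req.min_bits > hi:
        return f"fail: client min {req.min_bits} > server max {hi}"
    return f"fail: client max {req.max_bits} < server min {lo}"


# Constructed values: the client window matches the debug output
# (min 2048, max 8192); n = 3072 is an assumed preferred size. The Digi is
# modelled as having only a 1024-bit group, per 'our min 1024'.
OPENSSH_72 = GexRequest(min_bits=2048, n_bits=3072, max_bits=8192)
OLD_CLIENT = GexRequest(min_bits=1024, n_bits=1024, max_bits=8192)  # assumed pre-logjam defaults
DIGI_GROUPS = [1024]

if __name__ == "__main__":
    print(diagnose(OPENSSH_72, DIGI_GROUPS))   # fail: client min 2048 > server max 1024
    print(diagnose(OLD_CLIENT, DIGI_GROUPS))   # ok: server picks a 1024-bit group
```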
This works:
ssh -1 -p 22222 mskroot@192.168.173.1
What this does is FORCE using ssh V1 rather than version 2 and the connection goes through.
It should be noted that Digi’s implementation of sshV2 no longer works with openssh.
Also, updating the FW to the latest 5.2.14.5 (Apr 26 2016 11:51:34) BROKE the ssh debug output on the telnet. It's not there anymore.
Cheers,
John
Try to create a new PRIVSSH.pem file with a larger bit size.
From the CLI:
genkey 2048 privssh.pem
and try to connect.
Did you try to build a new certificate?
Yes, built a new one with 2048 bits, no change using sshV2. Still had to use sshV1.
Cheers,
John
Hi John
Could you please create a support case with Tech Support, as this is a BUG and needs to be fixed.
regards
James