
Hi, I am trying to connect to an SFTP server, but it keeps failing with this error: DH GEX group out of range

This is the verbose log. Looking around, I found that the problem has to do with the key size.

```
OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2g  1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to **** [****] port 22.
debug1: Connection established.
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Ubuntu-10
debug1: Remote protocol version 2.0, remote software version XFB.Gateway Windows
debug1: no match: XFB.Gateway Windows
debug1: Authenticating to ****:22 as 'User'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
ssh_dispatch_run_fatal: Connection to **** port 22: DH GEX group out of range
Couldn't read packet: Connection reset by peer
```

The following solution, as suggested here, didn't work:

```
-o KexAlgorithms=diffie-hellman-group-exchange-sha1 -o HostKeyAlgorithms=+ssh-dss
```

I also tried this option, as suggested here:

```
KexDHMin=1024
```

but I get this error:

```
command-line: line 0: Bad configuration option: kexdhmin
```

Any idea what I can do to fix it?

davide bubz

1 Answer


You are connecting with a new OpenSSH that bumped the minimal DH group size to 2048 (which is not standard, but there is no reason why the server should not accept that) to some ancient Windows implementation (XFB.Gateway Windows). That is probably some commercial software, so you should get in touch with your vendor so he will fix it.

There is no configuration option to select this minimum DH group size, so you might have some luck using a different key exchange algorithm, if that server supports one. It will be visible from the debug log with the `-vvv` switches.

Jakuje
  • Do you know if there is any other SSH client for Ubuntu that supports a lower DH group size? – davide bubz May 31 '17 at 07:47
  • [Software recommendations](http://softwarerecs.stackexchange.com/) are off topic here, and also it is not part of the original question. – Jakuje May 31 '17 at 07:50
  • Meh, I asked for a way to fix it; another client is not a solution for you? I already moved the answer; how many times do I have to do this? Don't you think it would be useful to someone with the same problem? These rules just do more damage than anything to this site, in my opinion – davide bubz May 31 '17 at 11:28
  • Another client is obviously a possible solution, but I am not going to tell you which one might work for you, but I don't know which one it is (searching for SSH clients cannot be too hard). I would rather search for a different server, since OpenSSH is quite standard. – Jakuje May 31 '17 at 11:34
  • In a perfect world I could ask to update the server but I do not live in a perfect world – davide bubz May 31 '17 at 11:36
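
As an added example (not part of the original answer and not OpenSSH code), this script reads `ssh -vvv` output and lists the key exchange methods the server offered that do not use group exchange, which is what the answer suggests looking for. The log below is a constructed sample whose server algorithm list is an assumption; the `debug2:` line layout follows OpenSSH 7.x output.

```python
import re

# Constructed sample of `ssh -vvv` output (not from the original post);
# the server's algorithm list here is an assumption for illustration.
SAMPLE_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: host key algorithms: ssh-rsa,ssh-ed25519
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
"""

WEAK = {"diffie-hellman-group1-sha1"}  # fixed 1024-bit group

def kex_proposals(log):
    """Return {'client': [...], 'server': [...]} from debug2 KEXINIT lines."""
    out, side = {}, None
    for line in log.splitlines():
        m = re.match(r"debug2: (local client|peer server) KEXINIT proposal", line)
        if m:
            side = "client" if m.group(1) == "local client" else "server"
            continue
        m = re.match(r"debug2: KEX algorithms: (\S+)", line)
        if m and side:
            out[side] = m.group(1).split(",")
            side = None  # only the first list after each header is the KEX list
    return out

def gex_request(log):
    """Return (min, preferred, max) bits the client asked for, or None."""
    m = re.search(r"KEX_DH_GEX_REQUEST\((\d+)<(\d+)<(\d+)\)", log)
    return tuple(map(int, m.groups())) if m else None

def alternatives(log):
    """Server-offered KEX methods that skip group exchange, weak ones last."""
    server = kex_proposals(log).get("server", [])
    fixed = [a for a in server if "group-exchange" not in a]
    return sorted(fixed, key=lambda a: a in WEAK)  # stable: keeps server order

if __name__ == "__main__":
    print("GEX request (min, preferred, max):", gex_request(SAMPLE_LOG))
    for alg in alternatives(SAMPLE_LOG):
        note = "  (1024-bit group, weak)" if alg in WEAK else ""
        print(f"try: -o KexAlgorithms={alg}{note}")
```

An empty result means the server offered only group exchange, in which case changing `KexAlgorithms` on the client cannot avoid the group size check.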