I'm running Ubuntu 20.04 / OpenSSH_8.2p1 and have a client trying to connect, but it's failing with an error in auth.log like:

Nov 25 02:13:20 sshd[517621]: ssh_dispatch_run_fatal: Connection from 192.0.2.1 port 50127: DH GEX group out of range [preauth]

I did see a few other questions asking about this error:

https://serverfault.com/questions/786587/dh-gex-group-out-of-range/809082
https://serverfault.com/questions/729033/ssh-dh-gex-group-out-of-range
https://serverfault.com/questions/852666/sftp-connection-fails-with-dh-gex-group-out-of-range
https://serverfault.com/questions/920839/ssh-error-ssh-dispatch-run-fatal-connection-to-192-168-x-x-port-22-dh-gex-gro

But all of those questions relate to someone with a newer client trying to connect to an older server and receiving the error on the client end. The best solution in this case is probably to upgrade the client. In my case however, I have no control over the client and since I'm running a very new version, my assumption is that this has to do with the server version being newer than the client.

I'd like our server to accept their connections. Is there a directive I can adjust in /etc/ssh/sshd_config to allow older clients to connect? Or any other solution that doesn't involve asking the client to upgrade their version?

Eaten by a Grue

  • You can't change DH_GRP_MIN without recompiling. _IF_ the client supports other (implemented) KEXes besides DHGEX, set `KexAlgorithms` to omit `diffie-hellman-group-exchange-(sha1,sha256)` but include at least one other algorithm supported by the client -- or if you have other clients as well, include algorithm(s) such that at least one is supported by every client. – dave_thompson_085 Nov 26 '20 at 05:44
  • @dave_thompson_085 - I don't have `KexAlgorithms` set, but it appears the default for my version is: `curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256` Do you know of a way to log what algorithms are supported by the client? Or which algorithm failed? I'm a bit unclear on what "out of range" even means in this context. – Eaten by a Grue Nov 26 '20 at 06:15
  • This indicates that the clients need to be upgraded. OpenSSH deprecated some weak algorithms a while back and they are being removed. If you don't control the clients, then whoever does control them must fix this. – Michael Hampton Nov 26 '20 at 07:52
  • If you run `sshd` with enough `-v` options it will probably log this, although I haven't tested. IINM Ubuntu 20.04 uses systemd and I'm not quite sure how to set options there; the traditional platform-independent debugging advice is to temporarily stop the normal daemon and run from a terminal (as root). Alternatively get a network trace with tcpdump or similar; the first negotiation steps of SSH are sent and received in the clear. The kex-alg that failed was (DH-)group-exchange(-sha256), nicknamed DHGEX, and what is out of range is the size settings sent by the client in that kex-alg. – dave_thompson_085 Nov 26 '20 at 19:38
  • @dave_thompson_085 - thanks. I found just changing LogLevel to DEBUG is getting me Kex Algos in auth.log. – Eaten by a Grue Nov 26 '20 at 22:19
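An added example (not code from this thread or from OpenSSH) that models the two points raised in the comments: the size check sshd applies to a client's DH GEX request, which is what "out of range" refers to, and the KEX negotiation rule used to test a candidate `KexAlgorithms` line against the lists each client advertises in `LogLevel DEBUG` output. The `DH_GRP_MIN`/`DH_GRP_MAX` values and the order of checks are recalled from OpenSSH's `dh.h`/`kexgexs.c` and not taken from the page, and the client proposals are constructed.

```python
# Assumed compile-time limits from OpenSSH's dh.h (not stated in the thread);
# they are why the comments say DH_GRP_MIN cannot be changed by configuration.
DH_GRP_MIN = 2048
DH_GRP_MAX = 8192
# The OpenSSH 8.2 default KexAlgorithms list quoted in the comments above.
DEFAULT_KEX = ("curve25519-sha256,curve25519-sha256@libssh.org,"
               "ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,"
               "diffie-hellman-group-exchange-sha256,"
               "diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,"
               "diffie-hellman-group14-sha256").split(",")

def dh_gex_request_ok(min_bits, nbits, max_bits):
    """Model sshd's checks on the client's DH GEX request (min, n, max bits).
    False means sshd aborts with 'DH GEX group out of range'."""
    if max_bits < min_bits or nbits < min_bits or max_bits < nbits:
        return False  # the client's own (min, n, max) triple is inconsistent
    if max_bits < DH_GRP_MIN or min_bits > DH_GRP_MAX:
        return False  # the client's window never overlaps the server's limits
    return True

def negotiate_kex(client_algos, server_algos):
    """RFC 4253 section 7.1: first entry of the client's list that the server
    also offers wins; None means key exchange fails."""
    server = set(server_algos)
    return next((a for a in client_algos if a in server), None)

def without_dhgex(kex_algos):
    """Candidate KexAlgorithms value: the same list minus every DH GEX variant."""
    return [a for a in kex_algos
            if not a.startswith("diffie-hellman-group-exchange-")]

def check_kex_config(server_kex, clients):
    """Map each client name to the algorithm it negotiates against server_kex
    (None = failure). Client lists come from sshd's LogLevel DEBUG output."""
    return {name: negotiate_kex(algos, server_kex)
            for name, algos in clients.items()}

# Constructed client proposals: a legacy client that prefers DH GEX but also
# knows group14-sha256, and one that only speaks DH GEX.
CLIENTS = {
    "legacy-prefers-gex": ["diffie-hellman-group-exchange-sha256",
                           "diffie-hellman-group14-sha256"],
    "gex-only": ["diffie-hellman-group-exchange-sha1",
                 "diffie-hellman-group-exchange-sha256"],
}

if __name__ == "__main__":
    print(dh_gex_request_ok(1024, 1024, 1024))  # False: client capped at 1024 bits
    print(check_kex_config(DEFAULT_KEX, CLIENTS))  # both pick DH GEX, which then fails
    print(check_kex_config(without_dhgex(DEFAULT_KEX), CLIENTS))  # group14 / None
```

Dropping the DH GEX entries from the server list only helps a client that lists another server-supported algorithm after them; a client whose proposal contains nothing else still fails, which is the case the comments say only a client upgrade can fix.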