Hi, I am trying to connect to an SFTP server but it keeps failing with this error: DH GEX group out of range
This is the verbose log. Looking around, I found that the problem has to do with the key size:
OpenSSH_7.4p1 Ubuntu-10, OpenSSL 1.0.2g 1 Mar 2016
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to **** [****] port 22.
debug1: Connection established.
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4p1 Ubuntu-10
debug1: Remote protocol version 2.0, remote software version XFB.Gateway Windows
debug1: no match: XFB.Gateway Windows
debug1: Authenticating to ****:22 as 'User'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes256-ctr MAC: hmac-sha1 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
ssh_dispatch_run_fatal: Connection to **** port 22: DH GEX group out of range
Couldn't read packet: Connection reset by peer
The following solution, as suggested here, didn't work:
-o KexAlgorithms=diffie-hellman-group-exchange-sha1 -o HostKeyAlgorithms=+ssh-dss
I also tried this option as suggested here:
KexDHMin=1024
but I get this error:
command-line: line 0: Bad configuration option: kexdhmin
Any idea about what I can do to fix it?
Best Answer
You are connecting with a new OpenSSH that bumped the minimal DH group size to 2048 (which is not standard, but there is no reason why the server should not accept that) to some ancient Windows implementation (XFB.Gateway Windows). That is probably some commercial software, so you should get in touch with your vendor so he will fix it. There is no configuration option to select this minimum DH group size, so you might have some luck using a different key exchange algorithm, if that server supports one. It will be visible from the debug log with -vvv switches.
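As an added illustration of the answer's advice (this is example code, not from the question, the answer or OpenSSH itself), the script below reads an `ssh -vvv` transcript, pulls out the client's GEX request range from the `SSH2_MSG_KEX_DH_GEX_REQUEST(min<pref<max)` line, and compares the client's and the server's `KEX algorithms:` proposals from the KEXINIT dumps to find key exchange methods both sides offer that never go through group exchange (fixed DH groups or ECDH), which is exactly what a `-o KexAlgorithms=` override would need. The sample transcript is constructed for this example: the `debug1` lines mirror the question, the `debug2` proposal lines and the server's algorithm list are assumed, and the function names are the example's own.

```python
import re

# Constructed sample of an `ssh -vvv` transcript. The debug1 lines mirror the
# question; the debug2 KEXINIT proposal lines and the server's algorithm list
# are assumed for this example and would come from your own -vvv output.
SAMPLE_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-ed25519,rsa-sha2-512,rsa-sha2-256,ssh-rsa
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
ssh_dispatch_run_fatal: Connection to **** port 22: DH GEX group out of range
"""

GEX_REQUEST = re.compile(r"SSH2_MSG_KEX_DH_GEX_REQUEST\((\d+)<(\d+)<(\d+)\)")


def parse_gex_request(log):
    """Return (min, preferred, max) group size in bits the client asked for, or None."""
    m = GEX_REQUEST.search(log)
    return tuple(int(x) for x in m.groups()) if m else None


def parse_kex_proposals(log):
    """Return {'client': [...], 'server': [...]} from the KEXINIT proposal dumps."""
    proposals, side = {}, None
    for line in log.splitlines():
        if "local client KEXINIT proposal" in line:
            side = "client"
        elif "peer server KEXINIT proposal" in line:
            side = "server"
        elif side and line.startswith("debug2: KEX algorithms:"):
            algs = line.split(":", 2)[2].strip()
            proposals[side] = [a for a in algs.split(",") if a]
            side = None  # only the first KEX line after each header counts
    return proposals


def is_group_exchange(alg):
    """Group-exchange methods send the GEX request and hit the 2048-bit floor."""
    return alg.startswith("diffie-hellman-group-exchange-")


def gex_alternatives(proposals):
    """Methods both sides offer that skip group exchange, in the client's order."""
    server = set(proposals.get("server", []))
    return [a for a in proposals.get("client", [])
            if a in server and not is_group_exchange(a)]


def server_only(proposals):
    """Methods the server offers that the client did not propose at all.

    Typically these are methods OpenSSH removed from its defaults (for example
    1024-bit diffie-hellman-group1-sha1); they are listed so the reader can see
    what the server is limited to, not as something to re-enable.
    """
    client = set(proposals.get("client", []))
    return [a for a in proposals.get("server", []) if a not in client]


def diagnose(log):
    """Summarise why GEX failed and which KexAlgorithms override could avoid it."""
    proposals = parse_kex_proposals(log)
    alts = gex_alternatives(proposals)
    return {
        "gex_request": parse_gex_request(log),
        "out_of_range": "DH GEX group out of range" in log,
        "alternatives": alts,
        "server_only": server_only(proposals),
        "ssh_option": "-o KexAlgorithms=" + ",".join(alts) if alts else None,
    }


if __name__ == "__main__":
    report = diagnose(SAMPLE_LOG)
    lo, pref, hi = report["gex_request"]
    print(f"client asked for a {lo}..{hi} bit group (preferred {pref})")
    print("server's group was rejected:", report["out_of_range"])
    if report["ssh_option"]:
        print("non-GEX methods both sides offer:", report["alternatives"])
        print("try:", report["ssh_option"])
    else:
        print("server offers only group-exchange methods; fix belongs on the server")
    print("server-only methods (not proposed by this client):", report["server_only"])
```

In the constructed transcript the only shared non-GEX method is diffie-hellman-group14-sha1, so the script suggests `-o KexAlgorithms=diffie-hellman-group14-sha1`; if the server proposed nothing but group-exchange methods, `ssh_option` would be `None`, which matches the answer's point that the remaining fix is on the server side.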