
Failing SSH connection from Cisco to Digi - invalid modulus length

Dear Sir or Madam,

We experienced an issue with the Digi Passport 8 Port Integrated Console.
If we try to establish an SSH connection via Ethernet from a Cisco device, which is able to use an RSA key size up to 4096 bits, to the Digi device, we get the following error:

device#ssh -l root xx.xx.xx.xx
[Connection to xx.xx.xx.xx aborted: error status 0]
device#
*Mar 1 01:07:02.819: SSH CLIENT0: protocol version id is - SSH-2.0-OpenSSH_5.6
*Mar 1 01:07:02.827: SSH CLIENT0: sent protocol version id SSH-2.0-Cisco-1.25
*Mar 1 01:07:02.827: SSH2 CLIENT 0: SSH2_MSG_KEXINIT sent
*Mar 1 01:07:02.852: SSH2 CLIENT 0: SSH2_MSG_KEXINIT received
*Mar 1 01:07:02.852: SSH2 CLIENT 0: kex: server->client enc:aes128-cbc mac:hmac-sha1
*Mar 1 01:07:02.852: SSH2 CLIENT 0: kex: client->server enc:aes128-cbc mac:hmac-sha1
*Mar 1 01:07:02.852: SSH2 CLIENT 0: Using kex_a
device#lgo = diffie-hellman-group-exchange-sha1
*Mar 1 01:07:02.861: SSH2 CLIENT 0: SSH2_MSG_KEX_DH_GEX_REQUEST sent
*Mar 1 01:07:02.861: SSH2 CLIENT 0: Range sent- 1024 < 2048 < 4096
*Mar 1 01:07:02.995: SSH2 CLIENT 0: SSH2_MSG_KEX_DH_GEX_GROUP received
*Mar 1 01:07:02.995: SSH2 CLIENT 0: Server has chosen 3192 -bit dh keys
*Mar 1 01:07:02.995: %SSH-3-INV_MOD: Invalid modulus length
*Mar 1 01:07:02.995: SSH CLIENT0: Session disconnected - error 0x00

If we force the Cisco device to use a higher key-size (only 4096 bits) we get the following error:

device#ssh -l root xx.xx.xx.xx
[Connection to xx.xx.xx.xx aborted: error status 0]
device#
*Mar 1 01:08:40.898: SSH CLIENT0: protocol version id is - SSH-2.0-OpenSSH_5.6
*Mar 1 01:08:40.898: SSH CLIENT0: sent protocol version id SSH-2.0-Cisco-1.25
*Mar 1 01:08:40.898: SSH2 CLIENT 0: SSH2_MSG_KEXINIT sent
*Mar 1 01:08:40.924: SSH2 CLIENT 0: SSH2_MSG_KEXINIT received
*Mar 1 01:08:40.932: SSH2 CLIENT 0: kex: server->client enc:aes128-cbc mac:hmac-sha1
*Mar 1 01:08:40.932: SSH2 CLIENT 0: kex: client->server enc:aes128-cbc mac:hmac-sha1
*Mar 1 01:08:40.932: SSH2 CLIENT 0: Using kex_a
device#lgo = diffie-hellman-group-exchange-sha1
*Mar 1 01:08:40.932: SSH2 CLIENT 0: SSH2_MSG_KEX_DH_GEX_REQUEST sent
*Mar 1 01:08:40.932: SSH2 CLIENT 0: Range sent- 4096 < 4096 < 4096
*Mar 1 01:08:41.024: SSH2 CLIENT 0: SSH2_MSG_KEX_DH_GEX_GROUP received
*Mar 1 01:08:41.024: %SSH-3-DH_GEX_RANGE_OUT: Server has chosen DH group size which is not in range 4096 !< 2048 !< 4096 , DH Group Exchange key negotiation failed
*Mar 1 01:08:41.024: SSH CLIENT0: Session disconnected - error 0x00

We found a solution by deleting the key-size 3190 in the ./etc/ssh/moduli file. With this workaround we are able to connect to the Digi Passport.
But after rebooting the Digi Passport, the moduli-file was restored to default.

The current firmware is: v1.4.4.3

I would be grateful for any help with this issue.

Kind regards
asked Feb 16, 2015 in Console Servers by rodichsv New to the Community (0 points)
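
The moduli workaround described in the post, as an added example that is not part of the original post and not Digi or Cisco code: it reads the requested range and the server's chosen size from the debug output, then filters a moduli file by the actual bit length of each prime rather than by its size column. `ALLOWED_BITS` is an assumed set of sizes the client accepts (the page does not list them), and the moduli entries are constructed filler.

```python
import re
from collections import Counter

# Assumption: modulus sizes the client accepts; the page does not list them.
ALLOWED_BITS = {2048, 4096}

# Two debug lines quoted in the post above.
SAMPLE_LOG = """\
*Mar 1 01:07:02.861: SSH2 CLIENT 0: Range sent- 1024 < 2048 < 4096
*Mar 1 01:07:02.995: SSH2 CLIENT 0: Server has chosen 3192 -bit dh keys
"""

# Constructed moduli(5)-style entries (time type tests tries size generator modulus).
# The hex values are filler of the right length, not real safe primes.
SAMPLE_MODULI = "# constructed sample\n" + "".join(
    f"20150216000000 2 6 100 {bits - 1} 2 {'F' * (bits // 4)}\n"
    for bits in (2048, 3192, 3192, 4096))

def parse_gex_debug(log):
    """Pull the requested (min, preferred, max) and the server's choice from the debug log."""
    rng = re.search(r"Range sent- (\d+) < (\d+) < (\d+)", log)
    chosen = re.search(r"Server has chosen (\d+) -bit dh keys", log)
    return {"range": tuple(map(int, rng.groups())) if rng else None,
            "chosen": int(chosen.group(1)) if chosen else None}

def modulus_bits(line):
    """Actual bit length of the prime on one moduli line; None if not a 7-field entry."""
    fields = line.split()
    if line.lstrip().startswith("#") or len(fields) != 7:
        return None
    try:
        return int(fields[6], 16).bit_length()
    except ValueError:
        return None

def filter_moduli(text, allowed=ALLOWED_BITS):
    """Keep comments and entries whose prime size is in `allowed`; count what is dropped."""
    kept, dropped = [], Counter()
    for line in text.splitlines():
        bits = modulus_bits(line)
        if bits in allowed or not line.strip() or line.lstrip().startswith("#"):
            kept.append(line)
        else:
            dropped[bits] += 1
    if not any(modulus_bits(l) for l in kept):
        raise ValueError("filter would leave sshd with no usable DH groups")
    return "\n".join(kept) + "\n", dropped

if __name__ == "__main__":
    print(parse_gex_debug(SAMPLE_LOG))
    print(filter_moduli(SAMPLE_MODULI)[1])
```

Keeping `ALLOWED_BITS` at 2048 bits and above stops the filter from steering the server toward weaker groups. Since the post reports that the moduli file is restored to default on reboot, the filtered file would have to be reapplied after each restart.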
