SSH to WR41 from Linux

Question

Hi Guys:

I have openssh-7.2_p2 installed my my linux box and putty-0.67. Putty works fine so we'll leave that.

Open ssh trhows the following error when I try and connect to a WR41/44:
jserink@jserinki7 ~ $ ssh -p 22222 mskroot@192.168.173.1Received disconnect from 192.168.173.1 port 22222:3: Protocol error: no matching DH grp found
Disconnected from 192.168.173.1 port 22222

So I tried this:
jserink@jserinki7 ~ $ ssh -p 22222 -o KexAlgorithms=+diffie-hellman-group1-sha1 mskroot@192.168.173.1
Received disconnect from 192.168.173.1 port 22222:3: Protocol error: no matching DH grp found
Disconnected from 192.168.173.1 port 22222

Same error.
So I tried this:
jserink@jserinki7 ~ $ ssh -p 22222 -o KexAlgorithms=curve25519-sha256@libssh.org mskroot@192.168.173.1
Unable to negotiate with 192.168.173.1 port 22222: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

But the error message says to try something that has already failed.

I;'ve enabled all the auth and cyphers in teh ssh setup.

I ticked the DEBUG box but have no idea where to find the debug information.

Any help would be appriciated.

Cheers,
john

Answer 1

Hi John

if you have enabled Debug on SSH you can see the output on a serial or telnet session

DEBUG 0 (from cli)
DEBUG T (From Telnet )

If you are using port 2222 are you using a diffrent instance of the SSH server how have you got this configured

if you try to connect to the normal ssh server on port 22 what happens

could you send in the bit of the SSH configuration

regards

James

Answer 2

Ok, will look at the telnet output.
I changed the ssh port to 22222 as port 22 gets continually probes, switch the port to 22222 solves that.

Cheers,
John

Answer 3

Here is the debug:
SSH: state machine state 5
SSH: got SSH2_MSG_KEX_DH_GEX_REQUEST msg
SSH: DH_GEX_REQUEST, bad parameters: their min 2048 > our max
SSH: their max 8192 < our min 1024


From here:
https://www.novell.com/support/kb/doc.php?id=7016904
A change was made to the openssh package, dealing with Diffie-Hellman Group Exchange. Previously, keys of size 1024 - 8192 could be exchanged. The minimum was raised to 1536 for added security and to avoid the "logjam" vulnerability. However, if used with some 3rd party ssh implementations which only support 1024, failure will occur. Ideally, the 3rd party ssh configuration or code should be updated to use larger key sizes.

I will try a FW update and see if that fixes it.
The DH group exchange max of 1024 on teh Digi is not longer accepted by the openssh client.

Cheers,
John

Comments

Try to create a new PRIVSSH.pem file with larger bit size

from cli

genkey 2048 privssh.pem

and try to connect

Answer 4

This works:
ssh -1 -p 22222 mskroot@192.168.173.1

What this does is FORCE using ssh V1 rather than version 2 and the connectin goes thorugh.

It should be noted that Digi's implementation of sshV2 no longer works with openssh.

Also, updating the FW to the latest 5.2.14.5 (Apr 26 2016 11:51:34) BROKE the ssh debug output on teh telnet. Its not there anymore.

Cheers,
John

Comments

Did you try to build a new certificate

---

Yes, built a new one with 2048 bits, no change using sshV2. Still had to use sshV1.

Cheers,
John

---

Hi John

could you please create a support case with Tech support as this is a BUG and needs to be fixed

regards

James