
SSH to WR41 from Linux

0 votes
Hi Guys:

I have openssh-7.2_p2 installed on my Linux box and putty-0.67. Putty works fine so we'll leave that.

OpenSSH throws the following error when I try to connect to a WR41/44:
jserink@jserinki7 ~ $ ssh -p 22222 mskroot@192.168.173.1
Received disconnect from 192.168.173.1 port 22222:3: Protocol error: no matching DH grp found
Disconnected from 192.168.173.1 port 22222

So I tried this:
jserink@jserinki7 ~ $ ssh -p 22222 -o KexAlgorithms=+diffie-hellman-group1-sha1 mskroot@192.168.173.1
Received disconnect from 192.168.173.1 port 22222:3: Protocol error: no matching DH grp found
Disconnected from 192.168.173.1 port 22222

Same error.
So I tried this:
jserink@jserinki7 ~ $ ssh -p 22222 -o KexAlgorithms=curve25519-sha256@libssh.org mskroot@192.168.173.1
Unable to negotiate with 192.168.173.1 port 22222: no matching key exchange method found. Their offer: diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1

But the error message says to try something that has already failed.

I've enabled all the auth and ciphers in the ssh setup.

I ticked the DEBUG box but have no idea where to find the debug information.

Any help would be appreciated.

Cheers,
john
asked May 10, 2016 in Digi TransPort Cellular by jserink New to the Community (45 points)


4 Answers

0 votes
Hi John

If you have enabled Debug on SSH, you can see the output on a serial or telnet session:

DEBUG 0 (from cli)
DEBUG T (From Telnet )

If you are using port 2222, are you using a different instance of the SSH server? How have you got this configured?

If you try to connect to the normal SSH server on port 22, what happens?

Could you send in the bit of the SSH configuration?

regards

James
answered May 11, 2016 by James.Wilson Veteran of the Digi Community (1,225 points)
0 votes
Ok, will look at the telnet output.
I changed the ssh port to 22222 as port 22 gets continually probed; switching the port to 22222 solves that.

Cheers,
John
answered May 11, 2016 by jserink New to the Community (45 points)
0 votes
Here is the debug:
SSH: state machine state 5
SSH: got SSH2_MSG_KEX_DH_GEX_REQUEST msg
SSH: DH_GEX_REQUEST, bad parameters: their min 2048 > our max
SSH: their max 8192 < our min 1024


From here:
https://www.novell.com/support/kb/doc.php?id=7016904
A change was made to the openssh package, dealing with Diffie-Hellman Group Exchange. Previously, keys of size 1024 - 8192 could be exchanged. The minimum was raised to 1536 for added security and to avoid the "logjam" vulnerability. However, if used with some 3rd party ssh implementations which only support 1024, failure will occur. Ideally, the 3rd party ssh configuration or code should be updated to use larger key sizes.

I will try a FW update and see if that fixes it.
The DH group exchange max of 1024 on the Digi is no longer accepted by the openssh client.

Cheers,
John
answered May 11, 2016 by jserink New to the Community (45 points)
Try to create a new PRIVSSH.pem file with larger bit size

from cli

genkey 2048 privssh.pem

and try to connect
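
The range check behind the "their min 2048 > our max" debug line in the answer above, as an added example that is not part of the original thread and not Digi or OpenSSH code. It follows the RFC 4419 group-exchange request (message 34 carrying min, preferred and max modulus sizes); the server size lists, the preferred sizes and the function names are assumptions made for illustration.

```python
import struct

SSH_MSG_KEX_DH_GEX_REQUEST = 34  # message number from RFC 4419


def build_gex_request(min_bits, preferred_bits, max_bits):
    """Client side: one type byte, then uint32 min, n, max (big-endian)."""
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST,
                       min_bits, preferred_bits, max_bits)


def parse_gex_request(payload):
    """Server side: decode the request and reject malformed payloads."""
    if len(payload) != 13:
        raise ValueError("GEX request must be exactly 13 bytes")
    msg_type, lo, n, hi = struct.unpack(">BIII", payload)
    if msg_type != SSH_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError("not an SSH_MSG_KEX_DH_GEX_REQUEST")
    if not lo <= n <= hi:
        raise ValueError("min/n/max are not in ascending order")
    return lo, n, hi


def choose_group_size(payload, server_sizes):
    """Return the modulus size a server would pick, or None if no group fits.

    server_sizes is the list of DH modulus sizes (bits) the server holds.
    None corresponds to the "no matching DH grp found" disconnect.
    """
    lo, n, hi = parse_gex_request(payload)
    usable = [s for s in server_sizes if lo <= s <= hi]
    if not usable:
        return None
    # Closest to the client's preferred size; the larger group wins a tie.
    return min(usable, key=lambda s: (abs(s - n), -s))


if __name__ == "__main__":
    # Constructed requests: min/max 2048/8192 match the debug output above,
    # 1024/8192 is the older range quoted from the Novell article.
    # The preferred sizes (3072, 2048) are assumed.
    new_client = build_gex_request(2048, 3072, 8192)
    old_client = build_gex_request(1024, 2048, 8192)
    legacy_server = [1024]               # assumed: device capped at 1024 bits
    updated_server = [1024, 2048, 3072]  # hypothetical updated firmware

    print("new client vs legacy server :", choose_group_size(new_client, legacy_server))
    print("old client vs legacy server :", choose_group_size(old_client, legacy_server))
    print("new client vs updated server:", choose_group_size(new_client, updated_server))
```
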
0 votes
This works:
ssh -1 -p 22222 mskroot@192.168.173.1

What this does is FORCE using ssh V1 rather than version 2 and the connection goes through.

It should be noted that Digi's implementation of sshV2 no longer works with openssh.

Also, updating the FW to the latest 5.2.14.5 (Apr 26 2016 11:51:34) BROKE the ssh debug output on the telnet. It's not there anymore.

Cheers,
John
answered May 11, 2016 by jserink New to the Community (45 points)
Did you try to build a new certificate?
Yes, built a new one with 2048 bits, no change using sshV2. Still had to use sshV1.

Cheers,
John
Hi John

Could you please create a support case with Tech Support, as this is a BUG and needs to be fixed.

regards

James
...