GS-2210 ssh fails on MacOS openssh "ssh_dispatch_run_fatal: Connection to 10.0.99.250 port 22: DH

warwickt

Greetings Zyxel_tw, ssh (openssh) to a zyxel gs2210 (V4.30) on known port 22 via Apple MacOS (OSX) V10.12,x + causes this error :

macpro:~ warwick$ ssh admin@10.0.99.250

ssh_dispatch_run_fatal: Connection to 10.0.99.250 port 22: DH GEX group out of range

Cause: too few bit settings for  DH (Diffie Hellman) 


Workaround: use -o in cli as: "-oKexAlgorithms=diffie-hellman-group1-sha1"

ssh -oKexAlgorithms=diffie-hellman-group1-sha1 admin@10.0.99.250 

Request:

• maybe you could resolve upstream in the gs2210  in next V4.5x ?

Diagnostics : via ssh -vv

macpro:~ warwick$ ssh -vv admin@10.0.99.250

OpenSSH_7.4p1, LibreSSL 2.5.0

debug1: Reading configuration data /etc/ssh/ssh_config

debug2: resolving "10.0.99.250" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to 10.0.99.250 [10.0.99.250] port 22.

debug1: Connection established.

debug1: key_load_public: No such file or directory

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.4

debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1

debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.* compat 0x01000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to 10.0.99.250:22 as 'admin'

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c

debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com,zlib

debug2: compression stoc: none,zlib@openssh.com,zlib

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: host key algorithms: ssh-rsa,ssh-dss

debug2: ciphers ctos: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

debug2: ciphers stoc: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

debug2: MACs ctos: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: MACs stoc: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: compression ctos: none,zlib

debug2: compression stoc: none,zlib

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: diffie-hellman-group-exchange-sha1

debug1: kex: host key algorithm: ssh-rsa

debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none

debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<7680<8192) sent

debug1: got SSH2_MSG_KEX_DH_GEX_GROUP

ssh_dispatch_run_fatal: Connection to 10.0.99.250 port 22: DH GEX group out of range

macpro:~ warwick$ 

HTH

Warwick
Hong Kong 

JasonTsai

Hi @warwickt,

Openssh starts using "sha2" in the recent version, so you will see the error message and use the workaround to use "sha1" to access the switch.
It will be enhanced in the firmware version V4.50 on GS2210 series.

Note: Because of the security concern, firmware V4.50 will support "sha2" but no longer support "sha1".

Hope it helps.

newtype

@Zyxel_Jason sounds good, when is your V4.50 ?

JasonTsai

Hi @newtype,

The firmware version V4.50 for GS2210 will be released around the end of February.

Hope it helps.

Zyxel_Albert

Hi @warwickt,

We have a good news for you. The firmware version V4.50 for GS2210 release schedule is accelerated to the week of 1/29/2018. Hope you like the Chinese New Year present and happy new year. 

Zyxel Switch Team

warwickt

Hi Zyxel_Albert, thanks mate! thats sounds good. Looking forward to the CNY gift!..

Thanks again Zyxel lads!.

Warwick
Hong Kong