GS-2210 ssh fails on MacOS openssh "ssh_dispatch_run_fatal: Connection to 10.0.99.250 port 22: DH

warwickt
edited August 2022 in Switch
Greetings Zyxel_tw, ssh (OpenSSH) to a Zyxel GS2210 (V4.30) on the well-known port 22 from Apple macOS (OS X) V10.12.x+ causes this error:

macpro:~ warwick$ ssh admin@10.0.99.250
ssh_dispatch_run_fatal: Connection to 10.0.99.250 port 22: DH GEX group out of range


Cause: too few bits configured for DH (Diffie-Hellman)


Workaround: pass -o on the CLI as "-oKexAlgorithms=diffie-hellman-group1-sha1":

ssh -oKexAlgorithms=diffie-hellman-group1-sha1 admin@10.0.99.250


Request:

  • maybe you could resolve this upstream in the GS2210 in the next V4.5x?

Diagnostics: via ssh -vv

macpro:~ warwick$ ssh -vv admin@10.0.99.250
OpenSSH_7.4p1, LibreSSL 2.5.0
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: resolving "10.0.99.250" port 22
debug2: ssh_connect_direct: needpriv 0
debug1: Connecting to 10.0.99.250 [10.0.99.250] port 22.
debug1: Connection established.
debug1: key_load_public: No such file or directory
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_7.4
debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1
debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.* compat 0x01000000
debug2: fd 3 setting O_NONBLOCK
debug1: Authenticating to 10.0.99.250:22 as 'admin'
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c
debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc
debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1
debug2: compression ctos: none,zlib@openssh.com,zlib
debug2: compression stoc: none,zlib@openssh.com,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug2: host key algorithms: ssh-rsa,ssh-dss
debug2: ciphers ctos: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: ciphers stoc: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr
debug2: MACs ctos: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: MACs stoc: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96
debug2: compression ctos: none,zlib
debug2: compression stoc: none,zlib
debug2: languages ctos: 
debug2: languages stoc: 
debug2: first_kex_follows 0 
debug2: reserved 0 
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: kex: host key algorithm: ssh-rsa
debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<7680<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
ssh_dispatch_run_fatal: Connection to 10.0.99.250 port 22: DH GEX group out of range
macpro:~ warwick$ 

HTH

Warwick
Hong Kong 
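An added example, not part of the original post: the transcript above shows the client asking for a group-exchange group of at least 2048 bits (SSH2_MSG_KEX_DH_GEX_REQUEST(2048<7680<8192)) and the OpenSSH 3.9 server answering with one below that floor, which is the "DH GEX group out of range" abort. The server's own KEXINIT also advertises diffie-hellman-group14-sha1, a fixed 2048-bit group that the 7.4 client still accepts and that skips group exchange altogether, so the 1024-bit diffie-hellman-group1-sha1 workaround is not the only option. The POSIX shell helper below reads the server's KEX list out of an `ssh -vv` transcript (sample lines copied from the post), picks the strongest fixed group on offer with group1 as a last resort, and prints both the one-off command and an ssh_config stanza that scopes the relaxed KEX to this one host. The user@host `admin@10.0.99.250` is taken from the "Authenticating to ... as 'admin'" line.

```shell
#!/bin/sh
# Added example, not from the original post: pick a KEX workaround from an
# `ssh -vv` transcript instead of defaulting to diffie-hellman-group1-sha1.

# Constructed sample: the relevant lines of the transcript in the post.
SAMPLE_LOG='debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1
debug1: kex: algorithm: diffie-hellman-group-exchange-sha1
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<7680<8192) sent
ssh_dispatch_run_fatal: Connection to 10.0.99.250 port 22: DH GEX group out of range'

# Print the comma-separated KEX list the *server* advertised: the first
# "KEX algorithms:" line after "peer server KEXINIT proposal". Reads stdin.
server_kex_list() {
    awk '/peer server KEXINIT proposal/ { peer = 1; next }
         peer && /KEX algorithms:/ { sub(/.*KEX algorithms: */, ""); print; exit }'
}

# Read a server KEX list from stdin and print the first acceptable method,
# strongest first. Group exchange (diffie-hellman-group-exchange-*) is skipped
# on purpose: it is the method that failed, because the server's GEX reply was
# below the 2048-bit minimum the client requested. group1 (1024-bit) is only
# the last resort. Returns 1 if the server offers nothing usable.
pick_kex() {
    server=$(cat)
    for cand in curve25519-sha256 curve25519-sha256@libssh.org \
                diffie-hellman-group16-sha512 diffie-hellman-group18-sha512 \
                diffie-hellman-group14-sha256 diffie-hellman-group14-sha1 \
                diffie-hellman-group1-sha1; do
        case ",$server," in
            *",$cand,"*) printf '%s\n' "$cand"; return 0 ;;
        esac
    done
    return 1
}

# Emit an ssh_config stanza that scopes the weakened KEX to one host only,
# so every other connection keeps the client's default (stronger) list.
ssh_config_stanza() {   # $1 = host, $2 = kex
    printf 'Host %s\n    KexAlgorithms %s\n' "$1" "$2"
}

kex=$(printf '%s\n' "$SAMPLE_LOG" | server_kex_list | pick_kex) || {
    echo "server offers no usable KEX" >&2
    exit 1
}
echo "one-off:  ssh -oKexAlgorithms=$kex admin@10.0.99.250"
echo "or add to ~/.ssh/config:"
ssh_config_stanza 10.0.99.250 "$kex"
```

Run it against a real capture with `ssh -vv admin@10.0.99.250 2>&1 | server_kex_list | pick_kex`. The Host stanza is the part worth keeping: a global KexAlgorithms override would weaken key exchange for every server the client talks to, and the stanza can simply be deleted once the switch firmware no longer needs it.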

Comments

  • JasonTsai
    Hi @warwickt,

    OpenSSH started using "sha2" in recent versions, so you will see the error message; use the workaround ("sha1") to access the switch.
    It will be enhanced in firmware version V4.50 on the GS2210 series.

    Note: Because of security concerns, firmware V4.50 will support "sha2" but no longer support "sha1".

    Hope it helps.
    Jason
  • newtype
    @Zyxel_Jason sounds good, when is your V4.50?
  • JasonTsai
    Hi @newtype,

    The firmware version V4.50 for GS2210 will be released around the end of February.

    Hope it helps.
    Jason
  • Zyxel_Albert
     Zyxel Employee
    Hi @warwickt,

    We have good news for you. The release schedule for firmware version V4.50 for the GS2210 has been accelerated to the week of 1/29/2018. Hope you like the Chinese New Year present, and happy new year.

    Zyxel Switch Team
  • warwickt
    Hi Zyxel_Albert, thanks mate! That sounds good. Looking forward to the CNY gift!

    Thanks again, Zyxel lads!

    Warwick
    Hong Kong