GS-2210 ssh fails on MacOS openssh "ssh_dispatch_run_fatal: Connection to 10.0.99.250 port 22: DH

warwickt
warwickt Posts: 111  Ally Member
5 Answers First Comment Friend Collector Third Anniversary
edited August 2022 in Switch
Greetings Zyxel_tw, ssh (openssh) to a zyxel gs2210 (V4.30) on known port 22 via Apple MacOS (OSX) V10.12,x + causes this error :

macpro:~ warwick$ ssh admin@10.0.99.250

ssh_dispatch_run_fatal: Connection to 10.0.99.250 port 22: DH GEX group out of range


Cause
: too few bit settings for  DH (Diffie Hellman) 


Workaround
: use -o in cli as: "-oKexAlgorithms=diffie-hellman-group1-sha1"

ssh -oKexAlgorithms=diffie-hellman-group1-sha1 admin@10.0.99.250 


Request:

  • maybe you could resolve upstream in the gs2210  in next V4.5x ?

Diagnostics : via ssh -vv

macpro:~ warwick$ ssh -vv admin@10.0.99.250

OpenSSH_7.4p1, LibreSSL 2.5.0

debug1: Reading configuration data /etc/ssh/ssh_config

debug2: resolving "10.0.99.250" port 22

debug2: ssh_connect_direct: needpriv 0

debug1: Connecting to 10.0.99.250 [10.0.99.250] port 22.

debug1: Connection established.

debug1: key_load_public: No such file or directory

debug1: Enabling compatibility mode for protocol 2.0

debug1: Local version string SSH-2.0-OpenSSH_7.4

debug1: Remote protocol version 1.99, remote software version OpenSSH_3.9p1

debug1: match: OpenSSH_3.9p1 pat OpenSSH_3.* compat 0x01000000

debug2: fd 3 setting O_NONBLOCK

debug1: Authenticating to 10.0.99.250:22 as 'admin'

debug1: SSH2_MSG_KEXINIT sent

debug1: SSH2_MSG_KEXINIT received

debug2: local client KEXINIT proposal

debug2: KEX algorithms: curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c

debug2: host key algorithms: ssh-rsa-cert-v01@openssh.com,rsa-sha2-512,rsa-sha2-256,ssh-rsa,ecdsa-sha2-nistp256-cert-v01@openssh.com,ecdsa-sha2-nistp384-cert-v01@openssh.com,ecdsa-sha2-nistp521-cert-v01@openssh.com,ssh-ed25519-cert-v01@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-ed25519

debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,aes128-cbc,aes192-cbc,aes256-cbc

debug2: MACs ctos: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: MACs stoc: umac-64-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com,hmac-sha1-etm@openssh.com,umac-64@openssh.com,umac-128@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-sha1

debug2: compression ctos: none,zlib@openssh.com,zlib

debug2: compression stoc: none,zlib@openssh.com,zlib

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug2: peer server KEXINIT proposal

debug2: KEX algorithms: diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1

debug2: host key algorithms: ssh-rsa,ssh-dss

debug2: ciphers ctos: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

debug2: ciphers stoc: aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,arcfour,aes192-cbc,aes256-cbc,rijndael-cbc@lysator.liu.se,aes128-ctr,aes192-ctr,aes256-ctr

debug2: MACs ctos: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: MACs stoc: hmac-md5,hmac-sha1,hmac-ripemd160,hmac-ripemd160@openssh.com,hmac-sha1-96,hmac-md5-96

debug2: compression ctos: none,zlib

debug2: compression stoc: none,zlib

debug2: languages ctos: 

debug2: languages stoc: 

debug2: first_kex_follows 0 

debug2: reserved 0 

debug1: kex: algorithm: diffie-hellman-group-exchange-sha1

debug1: kex: host key algorithm: ssh-rsa

debug1: kex: server->client cipher: aes128-ctr MAC: hmac-sha1 compression: none

debug1: kex: client->server cipher: aes128-ctr MAC: hmac-sha1 compression: none

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<7680<8192) sent

debug1: got SSH2_MSG_KEX_DH_GEX_GROUP

ssh_dispatch_run_fatal: Connection to 10.0.99.250 port 22: DH GEX group out of range

macpro:~ warwick$ 

HTH

Warwick
Hong Kong 

Comments

  • JasonTsai
    JasonTsai Posts: 104  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Nebula
    Hi @warwickt,

    Openssh starts using "sha2" in the recent version, so you will see the error message and use the workaround to use "sha1" to access the switch.
    It will be enhanced in the firmware version V4.50 on GS2210 series.

    Note: Because of the security concern, firmware V4.50 will support "sha2" but no longer support "sha1".

    Hope it helps.
    Jason
  • newtype
    newtype Posts: 29  Freshman Member
    First Comment Friend Collector Sixth Anniversary Nebula Gratitude
    @Zyxel_Jason sounds good, when is your V4.50 ?
  • JasonTsai
    JasonTsai Posts: 104  Zyxel Employee
    Zyxel Certified Network Engineer Level 2 - Switch Zyxel Certified Network Engineer Level 2 - Nebula Zyxel Certified Network Engineer Level 1 - Switch Zyxel Certified Network Administrator - Nebula
    Hi @newtype,

    The firmware version V4.50 for GS2210 will be released around the end of February.

    Hope it helps.
    Jason
  • Zyxel_Albert
    Zyxel_Albert Posts: 36  Zyxel Employee
    First Answer First Comment Friend Collector Third Anniversary
    Hi @warwickt,

    We have a good news for you. The firmware version V4.50 for GS2210 release schedule is accelerated to the week of 1/29/2018. Hope you like the Chinese New Year present and happy new year. 

    Zyxel Switch Team
  • warwickt
    warwickt Posts: 111  Ally Member
    5 Answers First Comment Friend Collector Third Anniversary
    Hi Zyxel_Albert, thanks mate! thats sounds good. Looking forward to the CNY gift!..

    Thanks again Zyxel lads!.

    Warwick
    Hong Kong