[GTALUG] dh key exchange question.

Mike el.fontanero at gmail.com
Wed Oct 3 10:44:23 EDT 2018


Hi Karen,

Ironically, dreamhost.com does still seem to support group1 Diffie-Hellman.
I poked at it with nmap and it listed group1 along with a bunch of old
ciphers, so that doesn't seem likely to be your problem.

Bell doesn't say they block outbound access to port 22 (this would be
quite rude) but the symptoms you describe could be explained by such a
block.  You say you can't connect to anyone on port 22 anymore?

You say you can still connect to a host at - is it Scientific Linux?
Is that port 22?
You also mention that the shellworld host is at a port other than 22...

As technical background, regarding SSH and keys: as others have
mentioned, DH is used to exchange session keys in order to establish a
private connection; only after that is your user public/private
key pair used to authenticate you as a user.


Cheers,
Mike


On 10/2/18, Karen Lewellen <klewellen at shellworld.net> wrote:
> No,
> It is open source now with the author having moved on.
> That means likely my hunting for someone to compile.
> I am told that the djpgg project includes security keys that are more
> current, with the possibility existing I hope for upgrading that way.
> The client has some PuTTY components but PuTTY is not open source I
> understand.
> Checking for an upgrade was my first step some months back.
> Kare
>
>
>
> On Tue, 2 Oct 2018, Mike wrote:
>
>> Hi Karen,
>>
>> SSH has seen a lot of activity in the past couple of years, with
>> vulnerabilities published against various algorithms and standard
>> advice to stop using them.  It's possible that all those servers have
>> also deprecated group 1 (only a 768 bit key).  Group 14 is the minimum
>> considered acceptable these days (2048 bit key).
>>
>> Is it possible that the author of the SSH client you are using has
>> updated the software?
>>
>> On 10/2/18, Karen Lewellen <klewellen at shellworld.net> wrote:
>>> Hi Mike,
>>> Thanks for that information.
>>> I would feel better though if the same problem was not happening
>>> practically everywhere else.
>>> I can check my list, I believe, but imagine it will take someone skilled
>>> in compiling to update anything.
>>> Meaning I will need to either find that skill, or move our office
>>> hosting services somewhere equal to dreamhost but less paranoid.
>>> Thanks again,
>>>
>>>
>>>
>>> On Tue, 2 Oct 2018, Mike wrote:
>>>
>>>> Hi Karen,
>>>>
>>>> I found a reference at Dreamhost wherein a user says that Support told
>>>> him that "diffie-hellman-group1-sha1 was recently removed for security
>>>> concerns".  This is 26 days ago.  The reference URL is:
>>>>
>>>> https://discussion.dreamhost.com/t/ssh-issue-with-key-exchange-algorithms/68804
>>>>
>>>> It may be that your SSH client does not support newer DH modes, for
>>>> example group 14.  Is there a way you can find out what key exchange
>>>> modes and ciphers your SSH client supports?
>>>>
>>>> Regards,
>>>> Mike
>>>>
>>>>
>>>> On 10/2/18, Karen Lewellen via talk <talk at gtalug.org> wrote:
>>>>> Hi folks,
>>>>> The accessible ssh client I use provides a way to send dh keys when I
>>>>> use ssh TELNET to reach a location.
>>>>> I have a bell dsl account, and since the first of July I have not been
>>>>> able to reach dreamhost who hosts my office shell.
>>>>> While I have not ruled out Bell as the problem, it started one day
>>>>> when they claimed to have a service interruption, and refuse to discuss
>>>>> Linux at all, I want to see if something else might have happened.
>>>>> With very few exceptions, every place where I visit involving port 22
>>>>> presents the same dh key exchange failure.
>>>>> Was openssh updated on June 29 2018?
>>>>> Hosting companies who use some different Linux options for their
>>>>> shell services, scientific for example, still work.  Shellworld does too,
>>>>> but we use a different port for ssh and the administrator still allows
>>>>> most public keys.
>>>>> Can anyone provide wisdom here?
>>>>> Thanks,
>>>>> Karen
>>>>>
>>>>>
>>>>> ---
>>>>> Talk Mailing List
>>>>> talk at gtalug.org
>>>>> https://gtalug.org/mailman/listinfo/talk
>>>>>
>>>>
>>>>
>>>
>>
>>
>
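An added example, not code from any post in this thread: it emulates the SSH key-exchange negotiation rule of RFC 4253 section 7.1 (the first algorithm in the client's list that the server also offers wins) against constructed algorithm lists, to show why a client that only offers diffie-hellman-group1-sha1 fails against a host that removed that method while still working against a legacy host. The algorithm lists, the WEAK_KEX set and the `diagnose` helper are assumptions for illustration.

```python
# Added example: emulate SSH key-exchange (KEX) negotiation per RFC 4253
# section 7.1 to show the "dh key exchange failure" discussed in the thread.
# All algorithm lists here are constructed, not captured from any real host.

# KEX methods treated as weak in this example: diffie-hellman-group1-sha1
# uses a 1024-bit MODP group, and all three rely on SHA-1.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}

# Constructed client lists (in the client's preference order).
OLD_CLIENT_KEX = ["diffie-hellman-group1-sha1"]           # only group1
MODERN_CLIENT_KEX = [
    "curve25519-sha256",
    "diffie-hellman-group14-sha256",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]

# Constructed server lists: one that removed group1, one that still has it.
HARDENED_SERVER_KEX = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
LEGACY_SERVER_KEX = ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"]


def negotiate_kex(client_kex, server_kex):
    """RFC 4253 rule: the first method on the client's list that the server
    also supports is chosen. Returns None when there is no common method,
    which is the point at which a real connection aborts."""
    server_set = set(server_kex)
    for alg in client_kex:
        if alg in server_set:
            return alg
    return None


def diagnose(client_kex, server_kex):
    """Turn the negotiation result into a verdict a user can act on."""
    chosen = negotiate_kex(client_kex, server_kex)
    if chosen is None:
        return "FAIL: no common key-exchange method (client needs newer KEX support)"
    if chosen in WEAK_KEX:
        return f"OK but weak: negotiated {chosen}"
    return f"OK: negotiated {chosen}"


if __name__ == "__main__":
    print(diagnose(OLD_CLIENT_KEX, HARDENED_SERVER_KEX))   # FAIL
    print(diagnose(OLD_CLIENT_KEX, LEGACY_SERVER_KEX))     # OK but weak
    print(diagnose(MODERN_CLIENT_KEX, HARDENED_SERVER_KEX))  # OK
```

On a current OpenSSH client, `ssh -Q kex` lists the key-exchange methods the client can use, which is the list to compare against what a server still offers.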

