On Fri, Jun 17, 2016 at 11:09 AM, Todd C. Miller <todd.mil...@courtesan.com> wrote: > On Fri, 17 Jun 2016 19:49:44 +0200, "Dennis Matthiesen" wrote: > >> I'm not sure if this a configuration issue or could this be a general >> problem with the 'Diffie-Hellman Group Exchange Request' not being >> processed properly by OpenBSD. >> >> Problem: OpenBSD SSH server isn't responding to the 'Diffie-Hellman Group >> Exchange Request' with 'Diffie-Hellman Group Exchange Group'. Server is >> sending a FIN ACK instead. > > That sounds like a configuration issue. Newer versions of OpenSSH > don't accept these weak key exchange algorithms by default: > > diffie-hellman-group1-sha1 > diffie-hellman-group-exchange-sha1 > > You can add them back in /etc/ssh/sshd_config using the KexAlgorithms > setting.
...after really thinking HARD about what you're doing with an ssh client which hasn't been updated in reaction all the cryptographical attacks over the last couple years. Before you flip the options to let it work, you should have a plan on how and when you'll be able to turn them back off. Do you connect to this host with a more up to date ssh client too? How are you making sure the new client can't be tricked into using the old, attackable key-exchange methods? Cryptography is always moving forward; software that doesn't get updated is falling behind. Philip Guenther
