Channel: sshnet Issue Tracker Rss Feed

Created Unassigned: WARNING: no suitable primes in /etc/primes [1973]

On some very strict servers, a connection attempt with SSH.NET can lead to a warning from sshd:
"WARNING: no suitable primes in /etc/primes"
This is because SSH.NET requests 1024 bits for group exchange during kex, and in /etc/moduli
(yeah, the file is named differently than in the warning, but this is an OpenSSH issue) there are no 1024-bit entries.
The connection is still established successfully, but this warning may irritate people.

```
this.SendMessage(new KeyExchangeDhGroupExchangeRequest(1024,1024,1024));
```
So SSH.NET requests min 1024, max 1024 and prefers 1024.

I changed in KeyExchangeDiffieHellmanGroupExchangeSha256.cs:
```
this.SendMessage(new KeyExchangeDhGroupExchangeRequest(1024,1024,8192));
```
and
```
MaximumGroupSize = 8192
```

So now 8192 bits are the maximum.
With these changes client/server choose 2048 bits, the warning disappears and the connection is still working fine.
I'm not sure if the strict 1024 bits are intended.

Would be nice to have this in the upstream code, since OpenSSH client does the same.
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/dh.h?rev=1.11;content-type=text%2Fplain
http://tools.ietf.org/html/rfc4419

```
#define DH_GRP_MIN 1024
#define DH_GRP_MAX 8192
```
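
The following is an added example, not part of the original issue report and not SSH.NET or OpenSSH code. It models the RFC 4419 group selection (smallest group at least as large as the preferred size, within min and max) against a constructed moduli-style sample, to show why a 1024/1024/1024 request finds no suitable prime while 1024/1024/8192 yields 2048. The `MODULI` data and the function names are assumptions made for illustration.

```python
# Added example: models group selection for diffie-hellman-group-exchange
# (RFC 4419). Not SSH.NET or OpenSSH code; MODULI is constructed sample data.

# Constructed moduli(5)-style lines:
#   time type tests trials size generator modulus
# The moduli are shortened placeholders; only the size column matters here.
MODULI = """\
# constructed sample, no 1024-bit entries
20240101000000 2 6 100 2047 2 C0FFEE01
20240101000001 2 6 100 2047 5 C0FFEE02
20240101000002 2 6 100 3071 2 C0FFEE03
20240101000003 2 6 100 4095 2 C0FFEE04
malformed line
"""


def available_sizes(text):
    """Return the sorted list of distinct group sizes (bits) in moduli text."""
    sizes = set()
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 7 or not fields[4].isdigit():
            continue  # skip comments, blank lines and malformed lines
        # Assumption: OpenSSH-generated files store bits-1 (2047 means 2048).
        sizes.add(int(fields[4]) + 1)
    return sorted(sizes)


def choose_group(sizes, minimum, preferred, maximum):
    """Pick a size per RFC 4419: the smallest group >= preferred, else the
    largest one, restricted to [minimum, maximum]. None = no suitable prime."""
    if not minimum <= preferred <= maximum:
        raise ValueError("request must satisfy min <= preferred <= max")
    in_range = [s for s in sizes if minimum <= s <= maximum]
    if not in_range:
        return None
    at_least = [s for s in in_range if s >= preferred]
    return min(at_least) if at_least else max(in_range)


if __name__ == "__main__":
    sizes = available_sizes(MODULI)
    # Same argument order as the requests in the post: min, preferred, max.
    for request in [(1024, 1024, 1024), (1024, 1024, 8192)]:
        print(request, "->", choose_group(sizes, *request))
```

Running the same check against a server's real moduli file shows in advance which client requests it can satisfy from that file.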
