expecting SSH2_MSG_KEX_DH_GEX_GROUP

Bug #174168 reported by Adrian on 2007-12-05
This bug affects 5 people
Affects: openssh (Debian); Status: New; Importance: Undecided; Assigned to: Unassigned
Affects: openssh (Ubuntu); Importance: Medium; Assigned to: Unassigned

Bug Description

Server
Connected to xxxxxxxx
Escape character is '^]'.
SSH-2.0-OpenSSH_4.5

Client
Local version string SSH-2.0-OpenSSH_4.6p1 Debian-5build1

=========================
The client can not log into the server - stops @ the last line (see below)
Client / server "speak" ver. 2.0

Connection server to client OK !!!
Connection client to server NOT OK!!

debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_init: found hmac-md5
debug1: kex: server->client aes128-cbc hmac-md5 none
debug2: mac_init: found hmac-md5
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

apulu (vasudha-jrao) wrote :

Have you solved this bug?

Even I am facing the same problem.

tommymcguiver (tommymcguiver) wrote :

The following describes the bug you are having with openssh and says this will be fixed in version 5.2. There are patches attached to these bugs; I have not tried them, though.

https://bugzilla.mindrot.org/show_bug.cgi?id=1363

tommymcguiver (tommymcguiver) wrote :

Oops, I mean version 5.1

This solved it for me:
http://www.snailbook.com/faq/mtu-mismatch.auto.html

"You probably have an MTU/fragmentation problem. For each network interface on both client and server set the MTU to 576, eg ifconfig eth0 mtu 576"

If 576 doesn't work try 1000.

Thanks for taking the time to report this bug. Marking as invalid since, per two different statements, it is either patched or connected to network issues. If you feel at any time that this bug is valid on recent Ubuntu (Jaunty), feel free to reopen this bug again.

Changed in openssh:
status: New → Invalid

Well, I did not install Jaunty, but I recompiled the Jaunty sources on Intrepid and also the latest upstream sources (5.2p1). Both show exactly the same behaviour for me (ssh hangs with the "debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP" message).
The MTU trick did not work for me either. And even if that worked, this is not really an option in a GigE network.

Paolo Stancato (paolodoors) wrote :

Same problem trying to connect to GitHub; the MTU trick did not help. I'm running Jaunty.

paolo@darkstar:~$ uname -a
Linux darkstar 2.6.28-12-generic #43-Ubuntu SMP Fri May 1 19:31:32 UTC 2009 x86_64 GNU/Linux
paolo@darkstar:~$ ssh -v <email address hidden>
OpenSSH_5.1p1 Debian-5ubuntu1, OpenSSL 0.9.8g 19 Oct 2007
debug1: Reading configuration data /home/paolo/.ssh/config
debug1: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Applying options for *
debug1: Connecting to github.com [65.74.177.129] port 22.
debug1: Connection established.
debug1: identity file /home/paolo/.ssh/identity type -1
debug1: identity file /home/paolo/.ssh/id_rsa type -1
debug1: identity file /home/paolo/.ssh/id_dsa type 2
debug1: Checking blacklist file /usr/share/ssh/blacklist.DSA-2048
debug1: Checking blacklist file /etc/ssh/blacklist.DSA-2048
debug1: Remote protocol version 2.0, remote software version OpenSSH_4.7
debug1: match: OpenSSH_4.7 pat OpenSSH_4*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_5.1p1 Debian-5ubuntu1
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by 65.74.177.129

Server might be getting DOS'd.

Tweak MaxStartups in sshd_conf

Ken.

________________________________
From: Paolo Stancato <email address hidden>
To: <email address hidden>
Sent: Monday, 1 June, 2009 10:22:11 AM
Subject: [Bug 174168] Re: expecting SSH2_MSG_KEX_DH_GEX_GROUP


wiz (wiz) wrote :

Got exactly this issue while connecting from Ubuntu 11.04 / ssh 5.8 to FreeBSD / ssh 5.4

Can easily connect from any other ubuntu out there.

mattismyname (mattismyname) wrote :

This issue still exists for me when trying to ssh from 11.04 box to a 10.04 box.

Changed in openssh (Ubuntu):
status: Invalid → New

Clint Byrum (clint-fewbar) wrote :

Matt, did you try ensuring that the MTUs are the same on both machines? Try using tracepath...

tracepath remote.host

Should give some idea.

Changed in openssh (Ubuntu):
importance: Undecided → Medium

Tessa Lau (tlau) wrote :

I have the same problem ssh'ing from a 11.04 box (running openssh 5.8) to a 10.04 box (running openssh 5.3). I've tried with three different clients all on the same network, two of which have 11.04 and one of which has 10.04. All are connecting to the same server. Only the 10.04 box is able to connect. I believe the MTUs are the same on all the boxes.

This seems like an incompatibility between different versions of OpenSSH.

virbal (viraghal) wrote :

I have the same problem. In /etc/ssh/ssh_config comment out the line

  Ciphers aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-cbc,3des-cbc

It worked for me.

mathew (meta23) wrote :

Just to note that virbal's fix worked for me connecting to RHEL and getting the same problem, but by "comment out" he means "make it so that the Ciphers line *isn't* commented out".

Clint Byrum (clint-fewbar) wrote :

Just as another data point, I can ssh fine from Ubuntu 11.10 and Ubuntu 12.04 to ssh servers running on CentOS 5 (OpenSSH 4.3) and CentOS 6 (OpenSSH 5.3).

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in openssh (Ubuntu):
status: New → Confirmed

Nickolay Ihalainen (ihanick) wrote :

Got the same problem:
ihanick@bb:~/ecu$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 12.04.1 LTS
Release: 12.04
Codename: precise
ihanick@bb:~/ecu$ ssh -V
OpenSSH_5.9p1 Debian-5ubuntu1, OpenSSL 1.0.1 14 Mar 2012

trying to ssh from 12.04 host to 10.04:
..
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit:
debug2: kex_parse_kexinit: first_kex_follows 0
debug2: kex_parse_kexinit: reserved 0
debug2: mac_setup: found hmac-md5
debug1: kex: server->client aes128-ctr hmac-md5 none
debug2: mac_setup: found hmac-md5
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP

After disabling hmac-md5, by using MACs hmac-sha1,<email address hidden>,hmac-ripemd160 in /etc/ssh/ssh_config

Marek Petrik (marekpetrik) wrote :

I have the same problem running Linux Mint Debian Edition 201303 connecting to both Ubuntu and Red Hat servers. Editing the ciphers line works for me too.

Michael Ratliff (iammer) wrote :

I ran into the same issue connecting from 13.10 to 12.04. In order to fix it, I had to uncomment both the Ciphers line in virbal's fix and the MACs line.
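
Added example, not part of the thread or of OpenSSH: a Python script that reads an `ssh -v` transcript like the ones posted above and reports which key-exchange message the client was still waiting for, together with the negotiated cipher, MAC and group-exchange sizes. The sample log is constructed, `triage` is a hypothetical helper name, and the 2048-bit threshold used to flag the group-exchange minimum is an assumption taken from RFC 8270.

```python
import re

# Constructed sample modelled on the `ssh -v` output in this thread
# (192.0.2.10 is a documentation address, not a host from the page).
SAMPLE = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
Connection closed by 192.0.2.10
"""

KEX_RE = re.compile(r"kex: (server->client|client->server) (\S+) (\S+) (\S+)")
GEX_RE = re.compile(r"SSH2_MSG_KEX_DH_GEX_REQUEST\((\d+)<(\d+)<(\d+)\) sent")
EXPECT_RE = re.compile(r"expecting (SSH2_MSG_\w+)")


def triage(log):
    """Summarise where an `ssh -v` transcript stopped and what was negotiated."""
    out = {"negotiated": {}, "gex_bits": None, "stalled_at": None, "legacy": []}
    for line in log.splitlines():
        if not line.startswith("debug"):
            continue  # banners and "Connection closed" lines are not progress
        out["stalled_at"] = None  # any later debug line means the wait ended
        if m := KEX_RE.search(line):
            direction, cipher, mac, comp = m.groups()
            out["negotiated"][direction] = {"cipher": cipher, "mac": mac, "comp": comp}
        elif m := GEX_RE.search(line):
            out["gex_bits"] = tuple(int(g) for g in m.groups())  # (min, preferred, max)
        elif m := EXPECT_RE.search(line):
            out["stalled_at"] = m.group(1)
    # Flag legacy parameters worth revisiting while Ciphers/MACs are being edited.
    for direction, algs in sorted(out["negotiated"].items()):
        if algs["mac"].startswith("hmac-md5"):
            out["legacy"].append(f"{direction}: MAC {algs['mac']}")
        if algs["cipher"].endswith("-cbc"):
            out["legacy"].append(f"{direction}: CBC cipher {algs['cipher']}")
    if out["gex_bits"] and out["gex_bits"][0] < 2048:  # assumed threshold (RFC 8270)
        out["legacy"].append(f"DH group-exchange minimum {out['gex_bits'][0]} bits")
    return out


if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Running it on transcripts captured before and after a Ciphers or MACs change in ssh_config shows whether the stall point moved or only the negotiated algorithms did.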
