fatal: DH_GEX_REQUEST, bad parameters: 2048 !< 1024 !< 8192

Recently I ran into an issue where some AIX servers could not ssh into one Linux server:

(I removed the hostname and username).

On the ssh server side, the log gave the detailed reason:

The same error could also be confirmed from the client side:

I found a useful note from Novell:

ssh and sftp client failures after updating openssh package

I knew that OpenSSH had been upgraded on these AIX servers within the last few months, so this had to be a compatibility issue between the newer client and the older server. The numbers in the message are the Diffie-Hellman group exchange parameters (minimum, preferred, maximum group size): the upgraded client now insisted on a DH group of at least 2048 bits, but still asked for a preferred size of 1024 bits, and the older server rejected that request as inconsistent (2048 !< 1024 !< 8192). Note that this is about the size of the DH group used for key exchange, not the size of the host key.
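To make the cause concrete, here is a small shell model of the check behind that message. It is an added example, not from the original post and not OpenSSH's source: the arithmetic follows the logic of sshd's DH_GEX_REQUEST validation and the older client-side dh_estimate() as I know them, while the function names and the three client scenarios are this example's own assumptions.

```sh
#!/bin/sh
# Added example (not from the original post, not OpenSSH's code): a model of the
# server-side sanity check that produces "DH_GEX_REQUEST, bad parameters".
# Function names and scenarios are assumptions for illustration.

DH_GRP_MIN=1024   # smallest DH group the server will negotiate
DH_GRP_MAX=8192   # largest DH group the server will negotiate

# Legacy client-side estimate (OpenSSH 5.x/6.x style): how large a DH group the
# client asks for, given the strongest symmetric key length it negotiated (bits).
dh_estimate_legacy() {
    bits=$1
    if [ "$bits" -le 128 ]; then echo 1024
    elif [ "$bits" -le 192 ]; then echo 2048
    else echo 4096
    fi
}

# Server-side validation of SSH_MSG_KEX_DH_GEX_REQUEST (min, n, max):
# clamp min/max to the server's own range, then require min <= n <= max.
# Prints "ok: ..." or the same fatal text sshd logs, and fails in the latter case.
gex_check() {
    min=$1; nbits=$2; max=$3
    [ "$min" -lt "$DH_GRP_MIN" ] && min=$DH_GRP_MIN
    [ "$max" -gt "$DH_GRP_MAX" ] && max=$DH_GRP_MAX
    if [ "$max" -lt "$min" ] || [ "$nbits" -lt "$min" ] || [ "$max" -lt "$nbits" ]; then
        echo "fatal: DH_GEX_REQUEST, bad parameters: $min !< $nbits !< $max"
        return 1
    fi
    echo "ok: $min <= $nbits <= $max"
}

# Scenario 1 (constructed): an unpatched client with a 128-bit cipher/MAC key
# asks for min=1024, n=1024, max=8192 -> accepted by the old server.
nbits=$(dh_estimate_legacy 128)
gex_check "$DH_GRP_MIN" "$nbits" "$DH_GRP_MAX"

# Scenario 2 (constructed): the same client after the update raised its minimum
# group size to 2048 (the KexDHMin behaviour the Novell note describes) but still
# estimates n=1024 -> exactly the message in this post's title.
gex_check 2048 "$nbits" "$DH_GRP_MAX" || true

# Scenario 3 (constructed): a client whose estimate is also 2048 or more passes
# the check, which is why newer clients talking to newer servers never see this.
gex_check 2048 2048 "$DH_GRP_MAX"
```

The model shows the three ways out: lower the client's minimum again (KexDHMin), keep the client from using group exchange against that server at all (KexAlgorithms), or make the server offer a key exchange method the client prefers over group exchange, such as ECDH, so the DH_GEX_REQUEST is never sent.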

One workaround is to set the client-side parameter KexDHMin or KexAlgorithms in ssh_config. On AIX I had to use the latter, as it is the only one of the two that the AIX build supports.

(I typed 'no' just for testing purposes.)

With many clients, this change would have to be made on every one of them, so it is not a good solution.

After reading a number of documents, I found that the issue could instead be fixed by enabling more key exchange algorithms on the ssh server.

From the man page of ssh_config on the AIX clients:

While on the server:

The ssh server was OpenSSH 5.3 on Red Hat Enterprise Linux 6, whose openssh package has ECDSA and ECDH support backported (upstream 5.3 on its own does not have it), so it should be able to support the ECDH key exchange method. I learned how to enable it from the Red Hat knowledgebase:

How to use ECDSA and ECDH with openssh on Red Hat Enterprise Linux 6?

The steps were not complicated:

Then I made a backup of /etc/ssh/sshd_config and added the line below to it:

The change could be confirmed:

Then I connected from the client:

So it did work. :)
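The two fixes discussed above, the per-client KexAlgorithms workaround and the server-side ECDH change, written out as an added shell example. These are not the post's own commands: the config paths, the algorithm lists, the host name and the demo directory are assumptions for illustration, and the HostKey line reflects what the Red Hat article requires alongside KexAlgorithms as I understand it; check the article for the exact lines for your release.

```sh
#!/bin/sh
# Added example (not the post's own commands): idempotent functions that edit an
# ssh_config / sshd_config given on the command line. Paths, algorithm lists and
# the host name are assumptions; adjust them to your hosts.

# Client side (the workaround that needs touching every client): pin the key
# exchange for one old server to a fixed 2048-bit group, so the client never
# sends a DH_GEX_REQUEST to it. diffie-hellman-group14-sha1 is supported by
# OpenSSH 5.3 as well as by the newer client.
add_client_workaround() {
    cfg=$1 host=$2
    grep -q "^Host $host\$" "$cfg" 2>/dev/null && return 0
    printf '\nHost %s\n    KexAlgorithms diffie-hellman-group14-sha1\n' "$host" >> "$cfg"
}

# Server side (the fix the post settled on): offer ECDH in addition to the DH
# methods the old sshd already had. A modern client prefers ECDH, so the group
# exchange request is never made; keeping the old DH algorithms in the list means
# even older clients keep working.
ECDH_KEX='ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1'

enable_server_ecdh() {
    cfg=$1
    cp "$cfg" "$cfg.bak.$(date +%Y%m%d)"      # back up first, as in the post
    grep -q '^HostKey /etc/ssh/ssh_host_ecdsa_key' "$cfg" ||
        echo 'HostKey /etc/ssh/ssh_host_ecdsa_key' >> "$cfg"
    grep -q '^KexAlgorithms ' "$cfg" ||
        echo "KexAlgorithms $ECDH_KEX" >> "$cfg"
}

# Print the KEX list a sshd_config offers, one algorithm per line, so it can be
# checked by eye or by a test.
offered_kex() {
    sed -n 's/^KexAlgorithms[[:space:]]*//p' "$1" | tr ',' '\n'
}

# Demo on constructed copies of the two config files, so this runs offline and
# touches nothing under /etc.
demo_dir=$(mktemp -d)
cat > "$demo_dir/sshd_config" <<'EOF'
Protocol 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
EOF
: > "$demo_dir/ssh_config"

enable_server_ecdh "$demo_dir/sshd_config"
enable_server_ecdh "$demo_dir/sshd_config"   # a second run must not duplicate lines
add_client_workaround "$demo_dir/ssh_config" oldlinuxhost

offered_kex "$demo_dir/sshd_config"

# On the real server the remaining steps are to generate the key the new HostKey
# line points at, check that the config parses, and restart sshd:
#   ssh-keygen -t ecdsa -f /etc/ssh/ssh_host_ecdsa_key -N ''
#   sshd -t && service sshd restart
# Afterwards "ssh -vv user@server" from an updated client should show the chosen
# kex as ecdh-sha2-nistp256 rather than a DH_GEX_REQUEST followed by a closed connection.
```

Run the functions against the real files only after the demo output looks right; the backup copy lets you roll back with a single cp if sshd -t complains.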
