Print Page | Close Window


Printed From: Rocket Software
Category: AccuTerm Knowledge Base (read only)
Forum Name: Connectivity
Forum Description: Questions about serial, modem, telnet and secure shell connections?
Printed Date: February 02 2023 at 1:21pm
Software Version: Web Wiz Forums 12.03 -

Topic: SSH KEX List
Posted By: TonyG
Subject: SSH KEX List
Date Posted: September 05 2018 at 5:10pm
I commented on a post by" rel="nofollow - Steven about KEx negotiation. Then this got a little weird.

Guided by" rel="nofollow - this other thread by Auctor, I installed the AccuTerm 7.3 Debug build. Then when I connect to this Ubuntu server with Putty, I get this list of Kex algorithms :

Outgoing packet type 20 / 0x14 (SSH2_MSG_KEXINIT)

So group14 is there.

But when I use AT7.3 in Debug mode :

SSH2 server algorithm list:
key exchange:,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256

Yes, this is the same server, same port, same SSHD. No group14

I created a file under /home/myuser/.ssh/config with this line, but it doesn't change the list sent to AccuTerm.

KexAlgorithms +diffie-hellman-group14-sha1

Any idea why a server would cough up a different Kex list? Thanks!

Tony Gravagno Nebula Research & Development
TG@ Nebula-RnD . com

Posted By: TonyG
Date Posted: September 06 2018 at 4:05pm
Follow-up: It looks like I was confusing a couple things. First, when debugging the Putty exchanges, note that I have the "Outgoing packet type". I'm thinking that might be outgoing from Putty, not outgoing from the server. So Putty is reporting that it supports those algorithms, not the server.

I got a note from the server admin that they removed diffie-hellman-group14-sha1 a couple months ago for security reasons. Well, that's like pruning a rotten plant because they are still using an old OpenSSH 6.6.1. But at least I now know that AccuTerm cannot communicate with that server anymore.

At some point soon I'll try to run a secure tunnel from my PC to the server, and then I'll try to run into that from AccuTerm.

I believe I read elsewhere that v8.0 supports newer algorithms. I can deal with that.

Tony Gravagno Nebula Research & Development
TG@ Nebula-RnD . com

Posted By: sdavmor
Date Posted: September 06 2018 at 7:43pm
I also removed diffie-helman-group14-sha1 a few months ago, when Trustwave started failing my customers on the monthly security scan for "weak KEX algorithms".

SDM -- A 21st century schizoid man

Print Page | Close Window

Forum Software by Web Wiz Forums® version 12.03 -
Copyright ©2001-2019 Web Wiz Ltd. -