Hi,
after updating to version 10.0p1.3, I can no longer connect to some (but not all) target servers via SSH/SFTP. The server then closes the connection immediately.
ssh username@example-server
connection closed by username@example-server
With "ssh -v" I see that the disconnect occurs after:
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
The error no longer occurs after downgrading to 9.9p2.
The following ancient thread on serverfault helped me without downgrading: https://serverfault.com/questions/21040 … -gex-reply
by adding the following:
ssh -o KexAlgorithms=ecdh-sha2-nistp521 username@example-server
But, as I said, this seems to be an ancient problem. Why is it only now appearing (again? and only for specific servers?) with the latest OpenSSH version?
Offline
When you write update, you mean only your client?
What about your servers? Are they updated too, latest openssh? Including sshd_config?
Running ssh-audit shows me that "ecdh-sha2-nistp521" is not considered secure anymore:
(kex) ecdh-sha2-nistp521 -- [fail] using elliptic curves that are suspected as being backdoored by the U.S. National Security Agency
`- [info] available since OpenSSH 5.7, Dropbear SSH 2013.62
Maybe your client dropped default support?
Hint: You can put your own defaults in ~/.ssh/config as well, but I suggest fixing your insecure ssh setup first.
Last edited by ua4000 (2025-04-14 10:26:31)
Offline
Unfortunately I can't answer that, as the servers are not self-hosted; it's just rented storage. I will ask the service provider about the current version there.
Offline
I was having a similar issue. Client openssh version: 10.0. Server openssh version: 8.0
I believe there was a bug in older versions of openssh where the list of KEX algorithms including an unrecognized algorithm (even if it was not selected) would cause an error.
Manually specifying KexAlgorithms and HostKeyAlgorithms for the specific host fixed the issue for me.
Offline
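Added example, not part of any post in this thread: a Python script that reads `ssh -vv` output, compares the client and server KEXINIT proposals, and builds the kind of per-host `~/.ssh/config` entry the last post describes. The helper names (`parse_proposals`, `common`, `client_only`, `host_stanza`) and the sample log are constructed for illustration; the script assumes the `debug2:` proposal lines that the OpenSSH client prints at `-vv`.

```python
import re

# Constructed `ssh -vv` excerpt for illustration; not taken from the thread.
SAMPLE = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: mlkem768x25519-sha256,sntrup761x25519-sha512,curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp521,ext-info-c,kex-strict-c-v00@openssh.com
debug2: host key algorithms: ssh-ed25519,ecdsa-sha2-nistp256,rsa-sha2-512
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
debug2: host key algorithms: rsa-sha2-512,ssh-rsa,ecdsa-sha2-nistp256
debug1: expecting SSH2_MSG_KEX_ECDH_REPLY
"""

SECTION = re.compile(r"debug2: (local client|peer server) KEXINIT proposal")
FIELD = re.compile(r"debug2: (KEX algorithms|host key algorithms): (\S+)")
MARKERS = ("ext-info-", "kex-strict-")  # extension signalling, not real algorithms

def parse_proposals(log):
    """Collect the client and server name-lists from `ssh -vv` output."""
    props, side = {"client": {}, "server": {}}, None
    for line in log.splitlines():
        if m := SECTION.search(line):
            side = "client" if m.group(1) == "local client" else "server"
        elif side and (m := FIELD.search(line)):
            names = m.group(2).split(",")
            props[side][m.group(1)] = [n for n in names if not n.startswith(MARKERS)]
    return props

def common(props, field):
    """Mutually supported names in client order (negotiation picks from these)."""
    server = set(props["server"].get(field, []))
    return [n for n in props["client"].get(field, []) if n in server]

def client_only(props, field):
    """Names the client offers that the server never advertised."""
    server = set(props["server"].get(field, []))
    return [n for n in props["client"].get(field, []) if n not in server]

def host_stanza(host, props):
    """Build a per-host ~/.ssh/config block limited to the shared algorithms."""
    kex = common(props, "KEX algorithms")
    keys = common(props, "host key algorithms")
    if not kex or not keys:
        raise ValueError("client and server share no algorithm; nothing to pin")
    return (f"Host {host}\n"
            f"    KexAlgorithms {','.join(kex)}\n"
            f"    HostKeyAlgorithms {','.join(keys)}\n")

if __name__ == "__main__":
    p = parse_proposals(SAMPLE)
    print("client-only KEX:", client_only(p, "KEX algorithms"))
    print(host_stanza("example-server", p))
```

Review the emitted lists (for example with ssh-audit) before adding the entry, and remove it once the server has been updated so the client can return to its own defaults.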