Troubleshooting the "expected key exchange group packet from server" error

Copyright notice: This is an original article by the blogger and may not be reproduced without the blogger's permission. https://blog.csdn.net/sanbingyutuoniao123/article/details/79945304

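Yesterday I installed CentOS 7.4 (the minimal install type) in a virtual machine. After configuring the IP address, I tried to connect with a remote connection tool and ran into the error mentioned in the title of this article.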

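First, my environment: I use a Mac running OS X El Capitan version 10.11.6; the remote connection tool is vSSH 1.7 (note: according to its description, it was also developed with reference to PuTTY); sshd version: OpenSSH_7.4p1, OpenSSL 1.0.2k-fips  26 Jan 2017.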

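After vSSH reported the error, I tried connecting with the ssh command-line client that ships with the Mac, and did not see the problem. Comparing the two, the cause is one of:

1. A problem with my remote connection tool
2. A problem with the sshd version or configuration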

Then I checked the error log:

journalctl --unit sshd --no-pager 

It showed:

error: kex protocol error: type 30 seq 1 [preauth]

After looking up some solutions online, I found that this link, https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/rfc4419.html, already explains the problem.

The variant of Diffie-Hellman key exchange in which the server sends a different prime modulus every time (known in SSH as 'group exchange') was revised by RFC 4419 to change the format of the SSH_MSG_KEX_DH_GEX_REQUEST message, and also its message number. PuTTY didn't get round to supporting the revised message for quite a long time, but as of 0.65 it will now do so.

(The OpenSSH server is removing support for these messages. It has backwards-compatibility code for old versions of PuTTY, but assumes that 0.65 onwards will support the revised message. If for some reason the backwards-compatibility arrangements don't work, the symptom is a message like error: Hm, kex protocol error: type 30 seq 1 [preauth] in the SSH server log.)
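
As an added illustration (not code from the original post, PuTTY or OpenSSH), the Python example below decodes the two request forms defined in RFC 4419 and extracts the message type from an sshd log line like the one shown earlier. The function names and the sample bytes and log line are constructed for this example.

```python
import re
import struct

# Message numbers from RFC 4419 section 5 (group exchange).
GEX_REQUEST_OLD = 30   # pre-RFC 4419 form: uint32 n
GEX_REQUEST = 34       # revised form: uint32 min, uint32 n, uint32 max

# Number 30 is reused by each key exchange family, so its meaning depends
# on the method negotiated in KEXINIT.
TYPE_30_NAMES = (
    "SSH_MSG_KEX_DH_GEX_REQUEST_OLD (RFC 4419)",
    "SSH_MSG_KEXDH_INIT (RFC 4253)",
    "SSH_MSG_KEX_ECDH_INIT (RFC 5656)",
)

KEX_ERROR = re.compile(r"kex protocol error: type (\d+) seq (\d+)")


def parse_gex_request(payload: bytes) -> dict:
    """Decode a group-exchange request payload (message byte + uint32 fields)."""
    if not payload:
        raise ValueError("empty payload")
    msg, body = payload[0], payload[1:]
    if msg == GEX_REQUEST_OLD and len(body) == 4:
        (n,) = struct.unpack(">I", body)
        return {"form": "old", "type": msg, "n": n}
    if msg == GEX_REQUEST and len(body) == 12:
        lo, n, hi = struct.unpack(">III", body)
        if not lo <= n <= hi:
            raise ValueError("preferred size outside min/max")
        return {"form": "revised", "type": msg, "min": lo, "n": n, "max": hi}
    raise ValueError(f"not a well-formed group-exchange request (type {msg})")


def explain_kex_error(log_line: str):
    """Pull type/seq out of an sshd 'kex protocol error' line, or return None."""
    m = KEX_ERROR.search(log_line)
    if m is None:
        return None
    msg_type, seq = int(m.group(1)), int(m.group(2))
    names = TYPE_30_NAMES if msg_type == 30 else ()
    return {"type": msg_type, "seq": seq, "candidates": names}


# Constructed sample inputs (not captured traffic).
OLD_REQ = struct.pack(">BI", 30, 2048)
NEW_REQ = struct.pack(">BIII", 34, 1024, 2048, 8192)
LOG = "sshd[1234]: error: kex protocol error: type 30 seq 1 [preauth]"
```

Because message number 30 is shared by several key exchange families, the log line alone does not identify which message the client sent; the key exchange method negotiated for the session decides that.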

In the end I found the solution at this link, https://my.oschina.net/longquan/blog/1612533, and I have tested it myself and it works.

# Add this to /etc/ssh/sshd_config
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group14-sha1
# systemctl restart sshd

The reason is roughly:
use libssh2, and libssh2 only support diffie-hellman key exchange methods
Also, upgrading libssh2 does not solve it either, so it is probably a bug.
