DrayTek UK Users' Community Forum

Help, Advice and Solutions from DrayTek Users

SSH connection problems from Mac OS to Draytek products

18 Sep 2016 23:44 #86842 by sjltech.uk
Hello all, I've just spent a frustrating couple of hours trying to work out why I couldn't SSH from an iMac to a 2925 router, and have found an interesting problem which I suspect several people are going to encounter sooner rather than later if they use SSH, so wanted to share what I've found, and how to fix it.
The setup is:
iMac running El Capitan, fully patched
2925 running 3.8.2.3 firmware
Raspberry Pi (Raspbian GNU/Linux 7 (wheezy))

The issue:
from a terminal on the iMac, SSH connection to the router would just "hang", never getting as far as a password prompt:
$> ssh admin@router -vv
(lots of information, then stalling at this point)
debug2: kex_parse_kexinit: reserved 0
debug1: kex: server->client 3des-cbc hmac-sha1 none
debug1: kex: client->server 3des-cbc hmac-sha1 none
debug1: sending SSH2_MSG_KEXDH_INIT
debug2: bits set: 1049/2048
debug1: expecting SSH2_MSG_KEXDH_REPLY
^C

Trying the same thing from the Raspberry Pi worked fine, taking me straight to the prompt for the password.
telnet works fine from either the iMac or the Pi
The long and short of the problem is an issue with the SSH client on the iMac, or more specifically the SSL libraries. It seems that some security concerns around DSS mean that DSS support is no longer enabled by default (please have a look at http://www.openssh.com/legacy.html for further information).
The SSH client on the Pi uses older libraries which DO enable DSS support by default, hence why I could connect from there.
The "quick fix" is to add the following
Code:
HostkeyAlgorithms ssh-dss
to the file /etc/ssh/ssh_config (I added it at the end of the file)
It is obviously possible to do it in the "local" ssh config file, but as I use a laptop (MacBook) for a number of different Draytek routers at different sites, the "global" change is more sensible for me.
Once that one line was added to the config file, trying the same SSH again worked fine:
$> ssh admin@router -vv
(lots of information, then a password prompt !)
debug1: Authentications that can continue: password
debug1: Next authentication method: password
admin@router's password:

Type ? for command help

ROUTER>

and we're in :D

Apologies for such a long winded post, and I hope some of you out there might find it useful.
All the best
Simon
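The post puts `HostkeyAlgorithms ssh-dss` at the end of the global ssh_config, which re-enables the deprecated DSS host-key type for every host the Mac connects to and also replaces the client's default host-key list with that single algorithm. The shell script below is an added example, not code from the post or from DrayTek: it emits a per-router `Host` stanza using the `+ssh-dss` form (which appends to the default list instead of replacing it), and it audits an ssh_config read from stdin for `HostKeyAlgorithms` lines that enable ssh-dss globally or that drop the defaults. Host patterns, the 192.0.2.1 address and the `admin` user are placeholders, and the keyword parsing is a simplification of the real ssh_config grammar (no `Include`, no quoted values).

```shell
#!/bin/sh
# Added example; not code from the original forum post or from DrayTek.
#  legacy_hostkey_stanza: emit an ssh_config stanza that re-enables ssh-dss
#      for one router only, using "+ssh-dss" so the default host-key list
#      is extended rather than replaced.
#  audit_ssh_config: read an ssh_config on stdin and report HostKeyAlgorithms
#      lines that enable ssh-dss outside any Host/Match block, or that
#      replace the default list instead of adding to it.
# Host patterns, addresses and user names are placeholders (assumptions).
# Parsing is simplified: comments and "key=value" spelling are handled,
# Include directives and quoted values are not.

legacy_hostkey_stanza() {
    # $1 = Host pattern, $2 = HostName (address), $3 = login user
    printf 'Host %s\n    HostName %s\n    User %s\n    HostKeyAlgorithms +ssh-dss\n' \
        "$1" "$2" "$3"
}

audit_ssh_config() {
    # Prints one finding per offending line; returns 1 if any, else 0.
    awk '
        { sub(/#.*/, ""); gsub(/=/, " ") }        # strip comments, allow key=value
        NF == 0 { next }
        {
            key = tolower($1)
            # Host/Match opens a new scope; everything before the first one is global
            if (key == "host" || key == "match") { scope = $0; next }
            if (key != "hostkeyalgorithms") next
            val = $2
            if (scope == "" && tolower(val) ~ /ssh-dss/) {
                print "ssh-dss enabled for every host (move it into a Host block): " $0
                findings++
            } else if (val !~ /^[+^-]/) {
                # no +/-/^ prefix: the value replaces the default list outright
                print "replaces the default host-key list instead of adding to it: " $0
                findings++
            }
        }
        END { exit (findings > 0) }
    '
}

# Demo on constructed input: audit the post's global one-liner, then print
# the scoped form that only affects the named router.
printf 'HostkeyAlgorithms ssh-dss\n' | audit_ssh_config || true
legacy_hostkey_stanza draytek-site1 192.0.2.1 admin
```

Put the emitted stanza in `~/.ssh/config` (or in `/etc/ssh/ssh_config` if it really must apply to every account on the machine), one `Host` block per router. `ssh -G router | grep -i hostkeyalgorithms` shows the list the client will actually offer to that host after the change, and `ssh -Q key` lists the key types the installed client supports at all, which tells you whether a hang or "no matching host key type" is a configuration problem or a build that has dropped ssh-dss entirely.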
