KB Article #178797
[SFTP] DH_GEX group out of range
Problem
When using an sftp client [OpenSSH_7.x / OpenSSH_6.x] to connect to Gateway server 6.16.x, the session ends with the following error (client-side debug output):
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<4096<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
DH_GEX group out of range: 2048 !< 1024 !< 8192
Solution
Make sure you are running Gateway 6.16.1 SP4 or higher. It contains a fix so that when DH_GROUP_EXCHANGE_SHA256 is negotiated, Gateway answers the client's group-exchange request with a 2048-bit group instead of a 1024-bit one.
Explanation
This is related to the Logjam attack on 1024-bit Diffie-Hellman groups, described at https://jbeekman.nl/blog/2015/05/ssh-logjam/:
Group1 (diffie-hellman-group1-sha1) uses a fixed 1024-bit group, which is currently considered within reach of a nation-state attacker.
In Gateway 6.16.1 SP3 and earlier, DH_GROUP_EXCHANGE_SHA256 answers the client's group-exchange request with a 1024-bit group. The numbers in the request line above (2048<4096<8192) are the minimum, preferred and maximum group sizes the client will accept; OpenSSH raised the minimum to 2048 bits after Logjam. A 1024-bit group is below that minimum, so it is rejected by the client (not by the server) and the client closes the session.
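To make the exchange concrete, the following is an added example, not Gateway or OpenSSH code. It models both sides of the diffie-hellman-group-exchange negotiation: the client's SSH2_MSG_KEX_DH_GEX_REQUEST (min, preferred, max), the server's SSH2_MSG_KEX_DH_GEX_GROUP reply (p, g), and the client-side range check that produces the error on this page. Message numbers and the uint32/mpint encodings are taken from RFC 4419 and RFC 4251. The moduli are constructed placeholders with the right bit length only (not primes, never usable for a real exchange), and the two server behaviours (always answering with 1024 bits for SP3, honouring the requested minimum for SP4) are assumptions that model what the explanation above describes.

```python
"""Added example: SSH DH group exchange (RFC 4419) reduced to the two messages
involved and the client-side range check. Not Gateway or OpenSSH code."""
import struct

SSH2_MSG_KEX_DH_GEX_REQUEST = 34   # client -> server: min, preferred, max (RFC 4419)
SSH2_MSG_KEX_DH_GEX_GROUP = 31     # server -> client: p, g (RFC 4419)


def encode_mpint(n: int) -> bytes:
    """RFC 4251 mpint: uint32 length + big-endian two's complement body."""
    if n == 0:
        return struct.pack(">I", 0)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if body[0] & 0x80:          # pad so a positive value is not read as negative
        body = b"\x00" + body
    return struct.pack(">I", len(body)) + body


def decode_mpint(buf: bytes, off: int):
    (length,) = struct.unpack(">I", buf[off:off + 4])
    value = int.from_bytes(buf[off + 4:off + 4 + length], "big", signed=True)
    return value, off + 4 + length


def build_gex_request(min_bits: int, pref_bits: int, max_bits: int) -> bytes:
    return struct.pack(">BIII", SSH2_MSG_KEX_DH_GEX_REQUEST, min_bits, pref_bits, max_bits)


def parse_gex_request(msg: bytes):
    msg_id, min_bits, pref_bits, max_bits = struct.unpack(">BIII", msg)
    if msg_id != SSH2_MSG_KEX_DH_GEX_REQUEST:
        raise ValueError("unexpected message id %d" % msg_id)
    return min_bits, pref_bits, max_bits


def build_gex_group(p: int, g: int) -> bytes:
    return bytes([SSH2_MSG_KEX_DH_GEX_GROUP]) + encode_mpint(p) + encode_mpint(g)


def parse_gex_group(msg: bytes):
    if msg[0] != SSH2_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("unexpected message id %d" % msg[0])
    p, off = decode_mpint(msg, 1)
    g, _ = decode_mpint(msg, off)
    return p, g


# Constructed placeholder moduli: only the bit length matters for the range check.
# They are NOT primes and must never be used for a real key exchange.
FAKE_P_1024 = (1 << 1023) | 0x12345
FAKE_P_2048 = (1 << 2047) | 0x12345
GROUPS = {1024: FAKE_P_1024, 2048: FAKE_P_2048}


def server_choose_group(req: bytes, fixed_bits=None) -> bytes:
    """Server side (assumed model). fixed_bits=1024 mimics Gateway <= SP3, which
    answered with a 1024-bit group regardless of the request; None mimics SP4,
    which picks a group that satisfies the requested minimum."""
    min_bits, pref_bits, max_bits = parse_gex_request(req)
    if fixed_bits is not None:
        p = GROUPS[fixed_bits]
    else:
        candidates = [b for b in sorted(GROUPS) if min_bits <= b <= max_bits]
        if not candidates:
            raise ValueError("no group satisfies %d <= bits <= %d" % (min_bits, max_bits))
        p = GROUPS[candidates[0]]
    return build_gex_group(p, 2)


def client_check_group(min_bits: int, max_bits: int, reply: bytes) -> int:
    """Client side: the sanity check the OpenSSH client applies to the received
    group, worded like its error. Returns the accepted group size in bits."""
    p, _g = parse_gex_group(reply)
    bits = p.bit_length()
    if bits < min_bits or bits > max_bits:
        raise ValueError("DH_GEX group out of range: %d !< %d !< %d" % (min_bits, bits, max_bits))
    return bits


def negotiate(server_fixed_bits=None, min_bits=2048, pref_bits=4096, max_bits=8192) -> int:
    """One client <-> server exchange; returns the accepted group size in bits."""
    req = build_gex_request(min_bits, pref_bits, max_bits)
    reply = server_choose_group(req, server_fixed_bits)
    return client_check_group(min_bits, max_bits, reply)


def try_negotiate(**kw) -> str:
    """Same as negotiate(), but reports the outcome as the client would log it."""
    try:
        return "accepted %d-bit group" % negotiate(**kw)
    except ValueError as e:
        return str(e)


if __name__ == "__main__":
    print("SP4 gateway, OpenSSH client: ", try_negotiate())
    print("SP3 gateway, OpenSSH client: ", try_negotiate(server_fixed_bits=1024))
    print("SP3 gateway, old client (min 1024):", try_negotiate(server_fixed_bits=1024, min_bits=1024))
```

The third case shows why older clients connected fine: they requested a 1024-bit minimum, so the same reply passed the check. On a real OpenSSH client the request line visible in `sftp -vv` output tells you which minimum it is sending, and the Gateway-side workaround below maps to the OpenSSH algorithm names diffie-hellman-group14-sha1 and ecdh-sha2-nistp256/384/521.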
If you are unable to apply SP4, then uncheck the following options in the SSH profile (all three can end up with a 1024-bit group):
DH_GROUP1_SHA1
DH_GROUP_EXCHANGE_SHA1
DH_GROUP_EXCHANGE_SHA256
and use one of the following key exchange algorithms:
DH_GROUP14_SHA1
ECDH_SHA2_NISTP256
ECDH_SHA2_NISTP384
ECDH_SHA2_NISTP521
DH_GROUP14_SHA1 uses a fixed 2048-bit group (the hash is still SHA-1); the ECDH_SHA2 options avoid the group-size problem entirely and are preferred where the client supports them. After changing the profile, re-run the client with verbose output and confirm that the negotiated kex line no longer mentions group-exchange.