Description
Describe the bug
Starting from rc6 and rc7 (I did not observe this with rc5), I could not connect to remote ssh servers any more. See also #17759.
The ssh client got stuck at expecting SSH2_MSG_KEX_ECDH_REPLY.
I found a post describing my problem, and the workaround as well as the solution described there worked for me:

1. Workaround

Add -o KexAlgorithms=curve25519-sha256:

```sh
ssh -l root <server> -o KexAlgorithms=curve25519-sha256
```

2. Solution

Modify firewall rules.

Add the following message types to the "Allow-ICMPv6-Input" and "Allow-ICMPv6-Forward" rules:

fragmentation-needed
- Delete the "Allow-ICMPv6-Input" and "Allow-ICMPv6-Forward" rules.
- Recreate "Allow-ICMPv6-Input":

```sh
# Append a new anonymous rule section; @rule[-1] then refers to the section just added.
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-ICMPv6-Input'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].limit='1000/sec'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].target='ACCEPT'
# icmp_type is a list option, so each type is added with add_list.
uci add_list firewall.@rule[-1].icmp_type='bad-header'
uci add_list firewall.@rule[-1].icmp_type='destination-unreachable'
uci add_list firewall.@rule[-1].icmp_type='echo-reply'
uci add_list firewall.@rule[-1].icmp_type='echo-request'
uci add_list firewall.@rule[-1].icmp_type='fragmentation-needed'
uci add_list firewall.@rule[-1].icmp_type='neighbour-advertisement'
uci add_list firewall.@rule[-1].icmp_type='neighbour-solicitation'
uci add_list firewall.@rule[-1].icmp_type='packet-too-big'
uci add_list firewall.@rule[-1].icmp_type='router-advertisement'
uci add_list firewall.@rule[-1].icmp_type='router-solicitation'
uci add_list firewall.@rule[-1].icmp_type='time-exceeded'
uci add_list firewall.@rule[-1].icmp_type='unknown-header-type'
```

- Recreate "Allow-ICMPv6-Forward":

```sh
uci add firewall rule
uci set firewall.@rule[-1].name='Allow-ICMPv6-Forward'
uci set firewall.@rule[-1].src='wan'
uci set firewall.@rule[-1].dest='*'
uci set firewall.@rule[-1].proto='icmp'
uci set firewall.@rule[-1].limit='1000/sec'
uci set firewall.@rule[-1].family='ipv6'
uci set firewall.@rule[-1].target='ACCEPT'
uci add_list firewall.@rule[-1].icmp_type='bad-header'
uci add_list firewall.@rule[-1].icmp_type='destination-unreachable'
uci add_list firewall.@rule[-1].icmp_type='echo-reply'
uci add_list firewall.@rule[-1].icmp_type='echo-request'
uci add_list firewall.@rule[-1].icmp_type='fragmentation-needed'
uci add_list firewall.@rule[-1].icmp_type='packet-too-big'
uci add_list firewall.@rule[-1].icmp_type='time-exceeded'
uci add_list firewall.@rule[-1].icmp_type='unknown-header-type'
# The changes are staged only; run `uci commit firewall` and reload the firewall to apply them.
```
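An added audit script (not from the issue or from OpenWrt) that reads a `uci show firewall` dump and reports which Allow-ICMPv6-* rule is missing the ICMPv6 types the fix above adds; the sample dump below is constructed, and the check also handles named sections rather than only anonymous @rule[N] entries.

```sh
#!/bin/sh
# Added example, not from the issue: audit a `uci show firewall` dump for the
# ICMPv6 types the issue's fix adds to both Allow-ICMPv6-* rules.

REQUIRED_TYPES="packet-too-big fragmentation-needed"

# Constructed sample in the format `uci show firewall` prints on a router:
# the Input rule lacks both required types, the Forward rule lacks one.
sample_uci_dump() {
  cat <<'EOF'
firewall.@rule[3]=rule
firewall.@rule[3].name='Allow-ICMPv6-Input'
firewall.@rule[3].family='ipv6'
firewall.@rule[3].icmp_type='echo-request' 'echo-reply' 'destination-unreachable'
firewall.@rule[4]=rule
firewall.@rule[4].name='Allow-ICMPv6-Forward'
firewall.@rule[4].family='ipv6'
firewall.@rule[4].icmp_type='echo-request' 'packet-too-big' 'destination-unreachable'
EOF
}

# Read a uci dump on stdin; print "<rule name>: <missing types>" for every
# Allow-ICMPv6-* rule (anonymous @rule[N] or a named section) that lacks a
# required type. Prints nothing when all rules already carry every type.
missing_icmpv6_types() {
  awk -v required="$REQUIRED_TYPES" -v q="'" '
    BEGIN { n = split(required, req, " ") }
    /^firewall\.[^.]+\.name=/ {
      sec = substr($0, 1, index($0, ".name=") - 1)
      val = substr($0, index($0, "=") + 1); gsub(q, "", val)
      if (!(sec in name)) order[++count] = sec
      name[sec] = val; next
    }
    /^firewall\.[^.]+\.icmp_type=/ {
      sec = substr($0, 1, index($0, ".icmp_type=") - 1)
      types[sec] = substr($0, index($0, "=") + 1)
    }
    END {
      for (i = 1; i <= count; i++) {
        sec = order[i]
        if (name[sec] !~ /^Allow-ICMPv6-/) continue
        missing = ""
        for (j = 1; j <= n; j++)
          if (index(types[sec], q req[j] q) == 0)
            missing = missing (missing == "" ? "" : " ") req[j]
        if (missing != "") print name[sec] ": " missing
      }
    }'
}

# On a router, replace the sample with: uci show firewall | missing_icmpv6_types
sample_uci_dump | missing_icmpv6_types
```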
Question/Suggestion
As ssh is a common use case, the firewall rules should not hinder a reliable connection. Maybe some more ICMP types should be allowed by default?
OpenWrt version
r28417-daef29c75d
OpenWrt release
24.10.0-rc7
OpenWrt target/subtarget
mediatek/filogic
Device
Xiaomi Mi Router AX3000T (OpenWrt U-Boot layout)
Edit
20250405
I installed the packages swconfig and kmod-swconfig and I can ssh <server> without -o KexAlgorithms=curve25519-sha256.
20250429
Upgrading OpenWrt to v24.10.1 solved the problems I had with the Ethernet driver. swconfig is no longer needed for stability. The ssh connection problem described here still persists.