I use lftp in a launchctl script to transfer and delete files from an Axway/Tumbleweed secure server, but after upgrading to macOS Sierra, the connection failed (and looped forever retrying) with a brief flash of a “DH GEX group out of range” message.
Searching for the message reveals that it’s an ssh issue (DH stands for Diffie-Hellman): Apple apparently changed ssh to use shorter keys by default in order to encourage use of TLS. At least I think that’s what happened. Could be that the secure server changed its key negotiation requirements the same day I upgraded to Sierra. The explanation of the error message (and the solution to the problem) showed up in a Linux server forum.
First I mistakenly tried to rebuild lftp, which I could not do because ./configure died saying it couldn’t find the readline headers even though they were there (brew link --force readline). The second dead end was to try to change the fish:connect-program setting for lftp, but that had no effect. Finally, I scrolled through the lftp man page far enough to realize that the proper configuration setting is sftp:connect-program.
So I created ~/.lftprc and put this line in it:
set sftp:connect-program "ssh -a -x -o KexAlgorithms=diffie-hellman-group14-sha1"
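As an added example (not from the original post), here is a small POSIX shell helper that generates the ~/.lftprc line above for a chosen KEX algorithm, after checking that the local ssh client lists it and that it is not a fixed DH group below the 2048-bit floor the OpenSSH 7.x client enforces in the group-exchange check behind the “DH GEX group out of range” error. The function names and the constructed fallback list of supported algorithms are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Helper names are assumed.

# Size of the DH group behind a fixed-group KEX name. The group-exchange
# ("GEX") variants negotiate the size at runtime, which is the check that
# fails with "DH GEX group out of range" when the server offers < 2048 bits.
kex_group_bits() {
    case "$1" in
        diffie-hellman-group1-sha1) echo 1024 ;;
        diffie-hellman-group14-sha1|diffie-hellman-group14-sha256) echo 2048 ;;
        diffie-hellman-group16-sha512) echo 4096 ;;
        diffie-hellman-group18-sha512) echo 8192 ;;
        diffie-hellman-group-exchange-sha1|diffie-hellman-group-exchange-sha256) echo gex ;;
        *) echo unknown ;;
    esac
}

# Print the ~/.lftprc line for KEX algorithm $1. $2 is the space-separated
# list of algorithms the local client supports (from `ssh -Q kex`). Refuses
# unknown-to-client names (rc 1) and fixed groups under 2048 bits (rc 2),
# i.e. the same floor the client applies to group exchange.
lftp_kex_line() {
    alg=$1; supported=$2
    case " $supported " in
        *" $alg "*) ;;
        *) echo "client does not list kex: $alg" >&2; return 1 ;;
    esac
    bits=$(kex_group_bits "$alg")
    if [ "$bits" != gex ] && [ "$bits" != unknown ] && [ "$bits" -lt 2048 ]; then
        echo "weak kex ($bits-bit DH group): $alg" >&2; return 2
    fi
    # -a / -x are the flags used in the post (no agent / X11 forwarding).
    printf 'set sftp:connect-program "ssh -a -x -o KexAlgorithms=%s"\n' "$alg"
}

# Stand-alone use:  sh kexline.sh diffie-hellman-group14-sha1 >> ~/.lftprc
if [ $# -gt 0 ]; then
    if command -v ssh >/dev/null 2>&1; then
        supported=$(ssh -Q kex | tr '\n' ' ')
    else
        # Constructed fallback list for hosts without an ssh client.
        supported="diffie-hellman-group14-sha1 diffie-hellman-group-exchange-sha256"
    fi
    lftp_kex_line "$1" "$supported"
fi
```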
2 responses to “lftp says ‘DH GEX group out of range’”
Thanks – It worked in my case – I mean your options – like this:
ssh -a -x -o KexAlgorithms=diffie-hellman-group1-sha1 -l
Best Regards
Dahasak