[Bug 769] dh-group-exchange should be configurable off in client and server
bugzilla-daemon at mindrot.org
Fri Dec 5 06:12:33 EST 2003
http://bugzilla.mindrot.org/show_bug.cgi?id=769
Summary: dh-group-exchange should be configurable off in client and server
Product: Portable OpenSSH
Version: 3.7p1
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo: openssh-bugs at mindrot.org
ReportedBy: jacobn+mindrot at chiark.greenend.org.uk
I have observed the extra overhead of dh-group-exchange to cause people to
switch from using SSH-2 back to SSH-1, in several contexts. This is
unfortunate, as SSH-2 with the default group is still presumably several miles
more secure than SSH-1.
The OpenSSH client and server should both allow dh-group-exchange to be turned
off (and in general, allow configuration of kex method preferences).
Supporting data:
On slow machines (e.g., 486-class, old SPARCs), dh-gex takes an unreasonably
long time (e.g., 14 seconds for gex followed by kex on a SS20 server).
Disabling gex (at the client end - there's a config option in PuTTY) gives a
much more sensible delay (2 seconds).
Also, from draft-ietf-secsh-architecture-15.txt:
The following policy issues SHOULD be addressed in the configuration
mechanisms of each implementation:
[...]
o Public key algorithms and key exchange method to be used for host
authentication.
(No patch though, sorry. Also, apologies if this has been addressed recently; I
was going off the man pages on openssh.com.)
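Editor's note, added to this archive page and not part of the bug report or of OpenSSH's own code: the configuration knob the reporter asks for exists in later releases as the KexAlgorithms directive, which is accepted by both ssh_config (client) and sshd_config (server) since OpenSSH 5.7, and since OpenSSH 7.5 a list prefixed with "-" removes the named methods (wildcards allowed) from the built-in default instead of replacing it. The script below shows both spellings. It takes the method list as `ssh -Q kex` prints it, strips every diffie-hellman-group-exchange-* entry, and emits the resulting directive; SAMPLE_KEX is a constructed list standing in for that command's output, not output captured from any host, and the function names are this example's own.

```shell
#!/bin/sh
# Added example: build a KexAlgorithms line with group exchange removed.
# Assumption: the list has the shape of `ssh -Q kex` output on a recent
# OpenSSH (one method per line). SAMPLE_KEX is a constructed stand-in for
# that output, not a capture from a real host.

SAMPLE_KEX='diffie-hellman-group14-sha256
diffie-hellman-group16-sha512
diffie-hellman-group-exchange-sha1
diffie-hellman-group-exchange-sha256
ecdh-sha2-nistp256
curve25519-sha256
curve25519-sha256@libssh.org'

# Drop every group-exchange method from a newline-separated list and join
# the survivors with commas, the form the KexAlgorithms directive expects.
kex_without_gex() {
    printf '%s\n' "$1" | grep -v '^diffie-hellman-group-exchange-' | paste -sd, -
}

# Explicit form: a full replacement list. Valid on OpenSSH >= 5.7 and
# identical in ssh_config and sshd_config.
config_line_explicit() {
    printf 'KexAlgorithms %s\n' "$(kex_without_gex "$1")"
}

# Subtractive form: keep the compiled-in default and remove only the
# group-exchange methods. Needs the '-' prefix support of OpenSSH >= 7.5.
config_line_subtractive() {
    printf 'KexAlgorithms -diffie-hellman-group-exchange-*\n'
}

main() {
    echo "# For /etc/ssh/ssh_config (client) or /etc/ssh/sshd_config (server), OpenSSH >= 5.7:"
    config_line_explicit "$SAMPLE_KEX"
    echo "# Same effect on OpenSSH >= 7.5, without pinning the rest of the list:"
    config_line_subtractive
}

main
```

To confirm what was actually negotiated rather than what was configured, `ssh -vv host 2>&1 | grep 'kex: algorithm:'` prints the chosen method, and `sshd -T | grep kexalgorithms` dumps the server's effective list. One caveat for anyone revisiting the timing figures above: the 1024-bit diffie-hellman-group1-sha1 that was the fixed-group fallback in the 3.7 era is disabled by default in current OpenSSH (7.0 and later), so the saving has to come from the larger fixed groups or, far more cheaply on a slow CPU, from curve25519-sha256, not from falling back to group1.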