[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group

aixtools aixtools at gmail.com
Fri Jul 10 20:01:35 AEST 2015


On 2015-06-02 5:31 AM, bugzilla-daemon at mindrot.org wrote:
> https://bugzilla.mindrot.org/show_bug.cgi?id=2302
>
> --- Comment #13 from Darren Tucker <dtucker at zip.com.au> ---
> (In reply to Christoph Anton Mitterer from comment #10)
> [...]
>> Even though an attacker cannot (AFAIU??) for a connection to
>> downgrade to the weaker groups,
> The server's DH-GEX exchange hash includes the DH group sizes it
> received from the client.  If these are modified in transit the
> exchange hash will not match.
>
>> it still doesn't give the server
>> admin a good way to "block out" weak clients.
> Do any such clients actually exist?  RFC4419 says DH-GEX
> implementations SHOULD have a max group size of 8k.
>
Yes, I expect. I have a ssh client from 2002 era that has worked very 
well for me (from ssh.com before they renamed it tectia) - and I would 
buy it again today - but they only do B2B these days.

Putty is functional, but I really prefer the 'tectia'-like UI.

I expect I will have no choice - other than replace it - as servers get 
tighter about key exchange protocols (mine still needs the (please don't 
hit me!) sha1 exchanges).

So, yes - they exist because until openssh-6.7 they were all supported 
by default - so again thank you (openbsd/openssh devs) for opening my 
eyes - and giving me time to adjust!
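
Added example, not part of the original message or of OpenSSH: a sketch of the RFC 4419 exchange hash mentioned in the quoted comment #13, showing that the client's requested min/n/max group sizes are hashed, so a change in transit makes the client's and server's hashes differ. The version strings, KEXINIT payloads, host key blob, toy 127-bit group and exponents are all constructed for illustration.

```python
import hashlib
import struct

def ssh_uint32(n):
    return struct.pack(">I", n)

def ssh_string(b):
    return ssh_uint32(len(b)) + b

def ssh_mpint(n):
    # RFC 4251 mpint for n >= 0: big-endian, extra zero byte if the high bit is set.
    if n == 0:
        return ssh_uint32(0)
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))

# Constructed sample values (assumptions, not captured traffic).
V_C, V_S = b"SSH-2.0-example_client", b"SSH-2.0-example_server"
I_C, I_S = b"\x14client-kexinit", b"\x14server-kexinit"
K_S = b"constructed-host-key-blob"
P, G = 2**127 - 1, 3          # toy group, far too small for real use
X, Y = 0x1234567890ABCDEF, 0x0FEDCBA987654321
E, F = pow(G, X, P), pow(G, Y, P)

def gex_exchange_hash(sizes, k):
    # RFC 4419 section 3:
    # H = hash(V_C || V_S || I_C || I_S || K_S || min || n || max || p || g || e || f || K)
    gmin, n, gmax = sizes
    blob = b"".join([
        ssh_string(V_C), ssh_string(V_S), ssh_string(I_C), ssh_string(I_S),
        ssh_string(K_S),
        ssh_uint32(gmin), ssh_uint32(n), ssh_uint32(gmax),
        ssh_mpint(P), ssh_mpint(G), ssh_mpint(E), ssh_mpint(F), ssh_mpint(k),
    ])
    return hashlib.sha256(blob).digest()

def hashes_match(sent, received):
    # The client hashes the sizes it sent; the server hashes the sizes it received.
    client_h = gex_exchange_hash(sent, pow(F, X, P))
    server_h = gex_exchange_hash(received, pow(E, Y, P))
    return client_h == server_h

if __name__ == "__main__":
    print("untouched:", hashes_match((2048, 3072, 8192), (2048, 3072, 8192)))
    print("modified: ", hashes_match((2048, 3072, 8192), (1024, 1024, 1024)))
```

The server signs its own H with the host key, so when the hashes differ the client's signature check over its H fails and the key exchange is aborted.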

