Weak DH primes and openssh

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat May 23 02:42:37 AEST 2015


On Thu 2015-05-21 20:33:24 -0400, Damien Miller wrote:
> On Thu, 21 May 2015, Matthew Vernon wrote:
>> openssh already prefers ECDH, which must reduce the impact somewhat,
>> although the main Windows client (PuTTY) doesn't support ECDH yet. But
>> openssh does still offer diffie-hellman-group1-sha1 (uses a 1024-bit
>> group) and diffie-hellman-group14-sha1 (uses a 2047-bit group), which
>> must be considered a bit suspect? Of course RFC4253 says implementations
>> MUST offer these...
>
> We'll be violating a few "MUST" clauses in the 7.0 release in the
> interests of security, including turning off group1 by default.

Is it worth trying to update the RFC to change these MUSTs for something
better?

        --dkg
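As an added example (not code from the thread, and not OpenSSH's own code): on an OpenSSH release before 7.0, where diffie-hellman-group1-sha1 is still offered by default, the effect Damien describes can be had on either side by setting KexAlgorithms explicitly. The shell functions below take a key-exchange list in the shape `ssh -Q kex` prints (one algorithm per line) or comma-joined, drop the 1024-bit group, and emit the directive for sshd_config or ssh_config. The algorithm names and the `ssh -Q kex` query are real; the sample list is constructed, not captured, and its ordering is an assumption about what a site wants to prefer.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenSSH: build a KexAlgorithms
# directive that drops diffie-hellman-group1-sha1 (the 1024-bit group) while
# keeping every other algorithm in the order given, since order is preference.

# Constructed sample standing in for `ssh -Q kex` output on a pre-7.0 OpenSSH,
# written in the preference order we want to keep (ECDH first, group1 last).
# Real `ssh -Q kex` output varies by version and is not in preference order.
SAMPLE_KEX='curve25519-sha256@libssh.org
ecdh-sha2-nistp256
ecdh-sha2-nistp384
ecdh-sha2-nistp521
diffie-hellman-group-exchange-sha256
diffie-hellman-group14-sha1
diffie-hellman-group1-sha1'

# harden_kex LIST: LIST is newline- or comma-separated algorithm names.
# Prints the list comma-joined without diffie-hellman-group1-sha1.
# Returns 1 if nothing is left (an empty KexAlgorithms is useless).
harden_kex() {
    out=$(printf '%s\n' "$1" | tr ',' '\n' \
        | grep -v -x -F 'diffie-hellman-group1-sha1' \
        | sed '/^$/d' \
        | paste -s -d ',' -)
    [ -n "$out" ] || return 1
    printf '%s\n' "$out"
}

# kex_config_line LIST: the directive to drop into sshd_config or ssh_config.
kex_config_line() {
    list=$(harden_kex "$1") || return 1
    printf 'KexAlgorithms %s\n' "$list"
}

# offers_group1 LIST: succeed (0) if the 1024-bit group is still in LIST.
# Accepts a bare list or a full "KexAlgorithms ..." directive.
offers_group1() {
    printf '%s\n' "$1" | tr ',' '\n' \
        | sed 's/^KexAlgorithms //' \
        | grep -q -x -F 'diffie-hellman-group1-sha1'
}

# Stand-alone usage: report on the constructed sample and print the fix.
if offers_group1 "$SAMPLE_KEX"; then
    echo "sample still offers diffie-hellman-group1-sha1; hardened directive:"
fi
kex_config_line "$SAMPLE_KEX"
```

On a real host the input would be `ssh -Q kex` output reordered into the preference the site wants, with the ECDH entries ahead of the finite-field groups. The directive has to be set on both ends to matter (sshd_config for the server, ssh_config for the client), and a peer that supports only group1 will then fail to negotiate, which is the intended trade-off.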


More information about the openssh-unix-dev mailing list