Weak DH primes and openssh

Grant emailgrant at gmail.com
Sun May 24 01:14:08 AEST 2015


> Can this be addressed in ssh_config/sshd_config with the KexAlgorithms setting?


weakdh.org/sysadmin.html recommends adding:

KexAlgorithms curve25519-sha256 at libssh.org

But this thread makes it sound as if it's not necessary.  Can anyone
confirm?  Personally I'm on openssh-6.7.

- Grant


> You will be aware of https://weakdh.org/ by now, I presume; the take-home seems to be that 1024-bit DH primes might well be too weak.
> I'm wondering what (if anything!) you propose to do about this issue, and what Debian might do for our users?
>
> openssh already prefers ECDH, which must reduce the impact somewhat, although the main Windows client (PuTTY) doesn't support ECDH yet. But openssh does still offer diffie-hellman-group1-sha1 (uses a 1024-bit
> group) and diffie-hellman-group14-sha1 (uses a 2047-bit group), which must be considered a bit suspect? Of course RFC4253 says implementations MUST offer these...
>
> The moduli file you provide has this distribution of sizes:
>
> size  count
> 1023  36
> 1535  50
> 2047  36
> 3071  31
> 4095  41
> 6143  27
> 8191  39
>
> Would it be sensible to remove the <2047 moduli? Generating the larger ones is quite time-consuming on non-specialist kit, which would seem to argue against re-generating them on users' machines.


More information about the openssh-unix-dev mailing list