Weak DH primes and openssh
Grant
emailgrant at gmail.com
Sun May 24 01:14:08 AEST 2015
> Can this be addressed in ssh_config/sshd_config with the KexAlgorithms setting?
weakdh.org/sysadmin.html recommends adding:
KexAlgorithms curve25519-sha256@libssh.org
But this thread makes it sound as if it's not necessary. Can anyone
confirm? Personally I'm on openssh-6.7.
- Grant
> You will be aware of https://weakdh.org/ by now, I presume; the take-home seems to be that 1024-bit DH primes might well be too weak.
> I'm wondering what (if anything!) you propose to do about this issue, and what Debian might do for our users?
>
> openssh already prefers ECDH, which must reduce the impact somewhat, although the main Windows client (PuTTY) doesn't support ECDH yet. But openssh does still offer diffie-hellman-group1-sha1 (uses a 1024-bit
> group) and diffie-hellman-group14-sha1 (uses a 2047-bit group), which must be considered a bit suspect? Of course RFC4253 says implementations MUST offer these...
>
> The moduli file you provide has this distribution of sizes:
>
> size count
> 1023 36
> 1535 50
> 2047 36
> 3071 31
> 4095 41
> 6143 27
> 8191 39
>
> Would it be sensible to remove the <2047 moduli? Generating the larger ones is quite time-consuming on non-specialist kit, which would seem to argue against re-generating them on users' machines.
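
The size tally and the "<2047" pruning raised in the quoted message can both be done with awk over a moduli file. This is an added example, not part of the original post or of OpenSSH. The function names and the sample entries are constructed, the modulus fields are short placeholder hex strings rather than real primes, and the seven-field layout is the one documented in moduli(5).

```shell
#!/bin/sh
# Entry layout per moduli(5): time type tests trials size generator modulus

# Print "size count" for each modulus size in file $1, smallest first.
moduli_histogram() {
    awk '!/^#/ && NF == 7 { n[$5]++ } END { for (s in n) print s, n[s] }' "$1" |
        sort -n
}

# Print how many entries in file $2 have a size field of at least $1.
moduli_kept() {
    awk -v min="$1" '!/^#/ && NF == 7 && $5 + 0 >= min { c++ } END { print c + 0 }' "$2"
}

# Write comments plus entries of size >= $1 from $2 to $3.
# Refuses (returns 1, writes nothing) if no entry would survive.
moduli_harden() {
    if [ "$(moduli_kept "$1" "$2")" -eq 0 ]; then
        echo "no moduli >= $1 in $2; leaving $3 untouched" >&2
        return 1
    fi
    awk -v min="$1" '/^#/ || (NF == 7 && $5 + 0 >= min)' "$2" > "$3"
}

# Constructed sample input: modulus fields are placeholder hex, not real primes.
make_sample() {
    cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150101000000 2 6 100 1023 2 F00D01
20150101000001 2 6 100 1023 5 F00D02
20150101000002 2 6 100 1535 2 F00D03
20150101000003 2 6 100 2047 2 F00D04
20150101000004 2 6 100 4095 5 F00D05
EOF
}

# Demo: tally the sample, then keep only sizes >= 2047.
src=$(mktemp) && dst=$(mktemp)
make_sample > "$src"
moduli_histogram "$src"
moduli_harden 2047 "$src" "$dst" && cat "$dst"
rm -f "$src" "$dst"
```

On a real host the input would be the system moduli file (commonly /etc/ssh/moduli), with the output written to a new file and reviewed before it replaces the original.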