Weak DH primes and openssh

Darren Tucker dtucker at zip.com.au
Sun May 24 09:24:48 AEST 2015

On Sat, May 23, 2015 at 12:30 AM, David McBride <dwm37 at cam.ac.uk> wrote:

> On Fri, May 22, 2015 at 12:27:01, Darren Tucker <dtucker at zip.com.au>
> wrote:
> > Note that PuTTY does do Diffie-Hellman Group Exchange, but until very
> > recently (ie after their 0.64 release) they didn't do the one that was
> > actually standardized in RFC4419.  OpenSSH recently removed support for
> > that non-standard one and as a result we don't offer DHGEX to PuTTY
> > versions <= 0.64 so they'll fall back to group14 (2k bit fix group).
> I think this is wrong.
> This commit [0] from 2005 appears to show the addition of
> diffie-hellman-group-exchange-sha256 support to PuTTY.

You're right, thanks for pointing this out.  When I looked at it I was
specifically looking at group-exchange-sha1 (because that was the thing
using the deprecated format) and overlooked sha256.

That does mean that there's a stronger case for removing 1kbit and 1.5kbit
groups from the moduli file because that would result in stronger groups
being used for versions of PuTTY from then until 0.64, which is the current
release as I write this.

Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

More information about the openssh-unix-dev mailing list