DH Group Exchange Fallback
Joseph S Testa II
jtesta at positronsecurity.com
Fri Sep 22 08:12:44 AEST 2017
Hi,

I'm interested in requiring a minimum of 3072-bit DH moduli when
using the "diffie-hellman-group-exchange-sha256" kex, so I edited my
/etc/ssh/moduli file such that only 3071+ moduli are left. However,
when clients ask for a max of 2048-bit moduli, they actually get one
(!). I poked around and found that a fallback mechanism exists
(dh.c:185), which returns back the fixed group14 Group in that case
(dh.c:441).

I gotta say... having a fallback mechanism here seems pretty
strange. The entire point of the group exchange is to use a dynamic
group and not a static one. Otherwise, the admin would have chosen to
use "diffie-hellman-group[14,16,18]-sha256". Letting the kex fail when
clients ask for groups that the admin disabled would be the correct
behavior.

To be clear, this would involve removing the fallback mechanism
entirely. I can submit a patch to do this, if others agree. Otherwise,
what would be a better approach?

Thanks,

- Joe
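
An added example (not part of the original post and not OpenSSH code): the moduli filtering described above, plus a check of which client group-exchange ranges are left with no matching modulus, which is the case where the post reports the group14 fallback. The sample file, its placeholder modulus values and the client ranges are constructed; the range check assumes the server compares size + 1 bits against the client's min and max.

```sh
#!/bin/sh
# Added example, not OpenSSH code. moduli(5) fields:
#   time type tests trials size generator modulus
# The size column is one less than the prime's bit length (3071 = 3072-bit).

# Print only entries whose size field is >= $1 (comments and blanks dropped).
filter_moduli() {
    awk -v min="$1" '!/^#/ && NF >= 7 && $5 + 0 >= min' "$2"
}

# Count entries usable for a client group-exchange request of [$1, $2] bits.
eligible_count() {
    awk -v lo="$1" -v hi="$2" '
        !/^#/ && NF >= 7 { bits = $5 + 1; if (bits >= lo && bits <= hi) n++ }
        END { print n + 0 }' "$3"
}

# Constructed sample file: the modulus values are short placeholders, not real primes.
make_sample() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20170101000000 2 6 100 2047 2 C0FFEE01
20170101000001 2 6 100 2047 5 C0FFEE02
20170101000002 2 6 100 3071 2 C0FFEE03
20170101000003 2 6 100 4095 2 C0FFEE04
20170101000004 2 6 100 8191 5 C0FFEE05
EOF
}

main() {
    tmp=$(mktemp -d) || exit 1
    make_sample "$tmp/moduli"
    filter_moduli 3071 "$tmp/moduli" > "$tmp/moduli.safe"
    # Hypothetical client requests as "min max" in bits.
    for req in "1024 2048" "2048 8192" "3072 3072"; do
        set -- $req
        n=$(eligible_count "$1" "$2" "$tmp/moduli.safe")
        if [ "$n" -eq 0 ]; then
            echo "min=$1 max=$2: no modulus in range (the fallback case from the post)"
        else
            echo "min=$1 max=$2: $n eligible moduli"
        fi
    done
    rm -rf "$tmp"
}
main
```

A request range that reports zero eligible moduli against the filtered file is one to look for in server logs or client configurations when auditing for the behaviour the post describes.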
More information about the openssh-unix-dev
mailing list