DH Group Exchange Fallback

Joseph S Testa II jtesta at positronsecurity.com
Fri Sep 22 08:12:44 AEST 2017


    I'm interested in requiring a minimum of 3072-bit DH moduli when 
using the "diffie-hellman-group-exchange-sha256" kex, so I edited my 
/etc/ssh/moduli file such that only 3071+ moduli are left.  However, 
when clients ask for a max of 2048-bit moduli, they actually get one 
(!).  I poked around and found that a fallback mechanism exists 
(dh.c:185), which returns back the fixed group14 Group in that case 

    I gotta say... having a fallback mechanism here seems pretty 
strange.  The entire point of the group exchange is to use a dynamic 
group and not a static one.  Otherwise, the admin would have chosen to 
use "diffie-hellman-group[14,16,18]-sha256".  Letting the kex fail when 
clients ask for groups that the admin disabled would be the correct 

    To be clear, this would involve removing the fallback mechanism 
entirely.  I can submit a patch to do this, if others agree.  Otherwise, 
what would be a better approach?

    - Joe
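As an added example (not OpenSSH's dh.c and not part of the post above), the following Python model shows the group-exchange selection being discussed: it parses an /etc/ssh/moduli-style table, applies a server-side floor (`admin_min_bits`, an assumed parameter), and picks a modulus for a client's (min, n, max) request with no fixed-group fallback, so a request the table cannot satisfy fails the kex instead of quietly getting group14. The selection preference (smallest group of at least n bits, else the largest below n) follows my reading of `choose_dh()` in dh.c. The sample table and the placeholder moduli in it are constructed for the demo and are not real safe primes; only their bit lengths matter here.

```python
"""Choose a DH GEX modulus from an /etc/ssh/moduli-style table, failing closed.

Example code, not OpenSSH's own: it mirrors the selection in dh.c but has no
fixed-group fallback, so an unsatisfiable request raises KexFailure.
"""
import random
from dataclasses import dataclass
from typing import List, Optional


class KexFailure(Exception):
    """No modulus in the table satisfies the client's request."""


@dataclass(frozen=True)
class Modulus:
    size: int        # 'size' column of moduli(5): bit length of p minus one
    generator: int
    p: int

    @property
    def bits(self) -> int:
        return self.size + 1


def parse_moduli(text: str) -> List[Modulus]:
    """Parse moduli(5) lines: time type tests tries size generator modulus(hex).

    Keeps type 2 (safe prime) entries that passed Miller-Rabin (tests & 0x04)
    and rejects lines whose size column disagrees with the modulus itself.
    """
    table = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        _time, mtype, tests, _tries, size, gen, hexp = fields
        if int(mtype) != 2 or not int(tests) & 0x04:
            continue   # not a safe prime, or not (yet) Miller-Rabin tested: skip
        m = Modulus(int(size), int(gen), int(hexp, 16))
        if m.p.bit_length() != m.bits:
            raise ValueError(f"line {lineno}: size {size} but modulus has "
                             f"{m.p.bit_length()} bits")
        table.append(m)
    return table


def choose_group(table: List[Modulus], min_bits: int, n_bits: int, max_bits: int,
                 admin_min_bits: int = 3072,
                 fallback: Optional[Modulus] = None) -> Modulus:
    """Pick a modulus for a client's (min, n, max) group-exchange request.

    admin_min_bits (assumed parameter) is the server-side floor; clients cannot
    negotiate below it.  With fallback=None, the behaviour argued for above,
    an unsatisfiable request raises KexFailure.  Passing a fixed group as
    fallback reproduces the silent downgrade the post objects to.
    """
    lo = max(min_bits, admin_min_bits)
    candidates = [m for m in table if lo <= m.bits <= max_bits]
    if not candidates:
        if fallback is not None:
            return fallback
        raise KexFailure(f"no modulus with {lo}..{max_bits} bits available "
                         f"(client asked min={min_bits} n={n_bits} max={max_bits})")
    at_least_n = [m for m in candidates if m.bits >= n_bits]
    if at_least_n:
        want = min(m.bits for m in at_least_n)   # smallest group that meets n
    else:
        want = max(m.bits for m in candidates)   # otherwise the largest below n
    # choose uniformly among the moduli of the selected size
    return random.choice([m for m in candidates if m.bits == want])


def _placeholder_prime(bits: int, tag: int = 0xB5) -> str:
    """Constructed stand-in with the right bit length; NOT a real safe prime."""
    return format((1 << (bits - 1)) | tag, "X")


# Constructed sample in moduli(5) layout: one 2048-bit entry, two 3072-bit,
# one 4096-bit, and one 8192-bit entry that has only been sieved (tests=2).
SAMPLE_MODULI = "\n".join([
    "# time type tests tries size generator modulus",
    f"20170922081244 2 6 100 2047 2 {_placeholder_prime(2048)}",
    f"20170922081244 2 6 100 3071 2 {_placeholder_prime(3072)}",
    f"20170922081244 2 6 100 3071 5 {_placeholder_prime(3072, 0xC5)}",
    f"20170922081244 2 6 100 4095 2 {_placeholder_prime(4096)}",
    f"20170922081244 2 2 100 8191 2 {_placeholder_prime(8192)}",
])


if __name__ == "__main__":
    table = parse_moduli(SAMPLE_MODULI)
    print("usable moduli:", sorted(m.bits for m in table))
    print("client min=2048 n=3072 max=8192 ->", choose_group(table, 2048, 3072, 8192).bits)
    try:
        choose_group(table, 1024, 2048, 2048)
    except KexFailure as e:
        print("client max=2048 ->", e)
```

With the floor at 3072 and a client capping its request at 2048 bits, `choose_group` raises instead of returning a 2048-bit group; the 8192-bit line is dropped by the parser because its tests field shows it was never Miller-Rabin tested, which is the kind of entry a trimmed moduli file should never silently supply.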

