DH Group Exchange Fallback

Damien Miller djm at mindrot.org
Mon Sep 25 08:01:32 AEST 2017

On Thu, 21 Sep 2017, Joseph S Testa II wrote:

> Hi,
>    I'm interested in requiring a minimum of 3072-bit DH moduli when using the
> "diffie-hellman-group-exchange-sha256" kex, so I edited my /etc/ssh/moduli
> file such that only 3071+ moduli are left.  However, when clients ask for a
> max of 2048-bit moduli, they actually get one (!).  I poked around and found
> that a fallback mechanism exists (dh.c:185), which returns back the fixed
> group14 Group in that case (dh.c:441).

What behaviour would you like for this case? We can't send a group that is
larger than 2048, because the client has said that is the maxiumum that
will accept. Would you prefer the server disconnect at that point?


More information about the openssh-unix-dev mailing list