DH Group Exchange Fallback
Joseph S Testa II
jtesta at positronsecurity.com
Wed Sep 27 01:40:01 AEST 2017
On 09/24/2017 12:32 PM, Mark D. Baushke wrote:
> Please answer this question first:
> Q1: If the moduli file is currently empty as in zero entries (apparently
> the server has not yet populated it, or the administrator has truncated
> the file to zero bytes). The server should do the following:
> a) Do not send the diffie-hellman-group-exchange-sha256 or
> diffie-hellman-group-exchange-sha1 option even if it is
> configured in the sshd_config file, or
> b) Send a DH group that it 'knows about' (be it group14, group16,
> group18, or some other DH group it has on hand)?
Option A. Maybe option C would be to call fatal(), so as to draw the
admin's attention immediately. Or perhaps that's too extreme. I don't
have a strong opinion between A and C.
> In my opinion, if the group exchange is configured in the sshd_config
> file (or the default), I personally believe that if there is no entries
> at all in the moduli file it should send a pre-defined DH MODP group
> when there is no entry at all in the moduli file.
Admins have the option of using pre-defined DH groups already, like
"diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512", etc.
If they want a static group, then they should use those. However,
admins that want dynamic groups have a reasonable expectation that
"diffie-hellman-group-exchange-sha256" actually uses them. To me, this
seems like the entire point of this group.
More information about the openssh-unix-dev