DH Group Exchange Fallback

Joseph S Testa II jtesta at positronsecurity.com
Wed Sep 27 01:40:01 AEST 2017

On 09/24/2017 12:32 PM, Mark D. Baushke wrote:

> Please answer this question first:
> Q1: If the moduli file is currently empty as in zero entries (apparently
> the server has not yet populated it, or the administrator has truncated
> the file to zero bytes). The server should do the following:
>    a) Do not send the diffie-hellman-group-exchange-sha256 or
>       diffie-hellman-group-exchange-sha1 option even if it is
>       configured in the sshd_config file, or
>    b) Send a DH group that it 'knows about' (be it group14, group16,
>       group18, or some other DH group it has on hand)?

Option A.  Maybe option C would be to call fatal(), so as to draw the 
admin's attention immediately.  Or perhaps that's too extreme.  I don't 
have a strong opinion between A and C.

> In my opinion, if the group exchange is configured in the sshd_config
> file (or the default), I personally believe that if there is no entries
> at all in the moduli file it should send a pre-defined DH MODP group
> when there is no entry at all in the moduli file.

Admins have the option of using pre-defined DH groups already, like 
"diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512", etc. 
If they want a static group, then they should use those.  However, 
admins that want dynamic groups have a reasonable expectation that 
"diffie-hellman-group-exchange-sha256" actually uses them.  To me, this 
seems like the entire point of this group.

    - Joe

More information about the openssh-unix-dev mailing list