Can we disable diffie-hellman-group-exchange-sha1 by default?
Mark D. Baushke
mdb at juniper.net
Fri Feb 15 06:07:29 AEDT 2019
Hi John,
The short answer is YES.
Jon DeVree <nuxi at vault24.org> writes:
> I ask because the removal of diffie-hellman-group-exchange-sha1 happened
> accidently in 7.8 due to a mistake in a change to readconf.c. I noticed
> this and filed a bug about it along with a patch to fix readconf.c to use
> KEX_CLIENT_* like it used to:
The diffie-hellman-group-exchange-sha1 is an optional key exchange
method provided by RFC4419 and updated by RFC8270.
Support for it is not required and may (and in my opinion should) be
disabled by default without any impact to the SSHv2 protocol.
The only two Mandatory To Implement (MTI) key exchange methods are those
in RFC3253 (diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1).
Even though they are MTIs, that just means you need to be able configure
them, there is no mandatory requirement that a given installation enable
them by default.
Enjoy!
-- Mark
More information about the openssh-unix-dev
mailing list