Can we disable diffie-hellman-group-exchange-sha1 by default?

Yegor Ievlev koops1997 at
Fri Feb 15 14:12:56 AEDT 2019

The main concern about this method is that such a file is not
independently reproducible. This may be worrying for some more
paranoid folks.

On Fri, Feb 15, 2019 at 6:04 AM Darren Tucker <dtucker at> wrote:
> On Fri, 15 Feb 2019 at 13:21, Yegor Ievlev <koops1997 at> wrote:
> > Also, how are default moduli shipped with OpenSSH for use in
> > diffie-hellman-group-exchange-sha1/sha256 chosen? Are they chosen
> > randomly by developers or are they chosen for security properties?
> A bit of both.  They're generated using ssh-keygen(1) in a 2 step
> process (look for the -G and -T options).  For each group size,
> candidates are picked at random and then screened (see
> > If they are random, why not use moduli from RFC 7919 instead, like
> > Mozilla recommends?
> Quoting RFC4419 (which predates 7919 by more than a decade):
> """
>    we fear that extensive precomputation and more efficient
>    algorithms to compute the discrete logarithm over a fixed group might
>    pose a security threat to the SSH protocol.
>    The ability to propose new groups will reduce the incentive to use
>    precomputation for more efficient calculation of the discrete
>    logarithm.  The server can constantly compute new groups in the
>    background.
> """
> Using a small, fixed set of groups shared with another protocol would
> be counter to this goal (see also: LogJam and the Oakley groups).
> You're welcome to replace your file with the ones from RFC7919,
> though.
> --
> Darren Tucker (dtucker at
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
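The thread above leaves one practical question open for the "paranoid folks": how to check a moduli file independently rather than trust whoever ran ssh-keygen -G/-T. The following is an added example, not code from the thread or from OpenSSH. It parses lines in the /etc/ssh/moduli layout (time, type, tests, tries, size, generator, hex modulus), re-screens each modulus with its own Miller-Rabin test for the safe-prime property, and flags groups below a chosen minimum size. The sample entries are constructed toy values with tiny primes so the check runs instantly; the flag constants (type 2 = safe prime, tests bit 0x04 = Miller-Rabin passed, bit 0x01 = composite) and the convention that the size column holds the bit length minus one are assumptions taken from the moduli(5) format as the author understands it.

```python
"""Independent re-screening of an OpenSSH moduli(5) file.

Added example: parses moduli lines, checks that each modulus is a safe prime
(p and (p-1)/2 both prime), that the recorded size matches the modulus, and
that the group meets a minimum bit length.
"""
import random
from dataclasses import dataclass

# Constructed toy file in the column layout of /etc/ssh/moduli:
#   time type tests tries size generator modulus(hex)
# Real files carry 2048- to 8192-bit primes; these are tiny so the demo is instant.
SAMPLE_MODULI = """\
# toy entries constructed for this example, not taken from a real moduli file
20190215000000 2 6 100 4 2 17
20190215000000 2 6 100 3 2 D
20190215000000 2 6 100 3 2 F
"""

TYPE_SAFE_PRIME = 2        # assumed moduli(5) type value for a safe prime
TEST_COMPOSITE = 0x01      # assumed tests bit: known composite
TEST_MILLER_RABIN = 0x04   # assumed tests bit: Miller-Rabin screening passed

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with trial division; 40 rounds is ample for screening."""
    if n < 2:
        return False
    for q in SMALL_PRIMES:
        if n % q == 0:
            return n == q
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


@dataclass
class ModuliEntry:
    line_no: int
    mtype: int
    tests: int
    tries: int
    size: int
    generator: int
    modulus: int


def parse_moduli(text: str) -> list:
    """Parse moduli lines; blank lines and '#' comments are skipped."""
    entries = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {line_no}: expected 7 fields, got {len(fields)}")
        _time, mtype, tests, tries, size, gen, modulus = fields
        entries.append(ModuliEntry(line_no, int(mtype), int(tests), int(tries),
                                   int(size), int(gen), int(modulus, 16)))
    return entries


def check_entry(e: ModuliEntry, min_bits: int = 2048) -> list:
    """Return a list of problems with one entry; empty list means it passed."""
    problems = []
    p = e.modulus
    bits = p.bit_length()
    if e.mtype != TYPE_SAFE_PRIME:
        problems.append(f"type {e.mtype} is not a safe-prime entry")
    if e.tests & TEST_COMPOSITE or not e.tests & TEST_MILLER_RABIN:
        problems.append(f"tests field 0x{e.tests:02x} does not record a passed primality test")
    # Assumption: the size column stores bit length minus one (2047 for a 2048-bit group).
    if bits != e.size + 1:
        problems.append(f"size field {e.size} does not match modulus bit length {bits}")
    if bits < min_bits:
        problems.append(f"group is {bits} bits, below minimum {min_bits}")
    if not 1 < e.generator < p:
        problems.append(f"generator {e.generator} out of range")
    # Re-screen independently of the tests field.
    if not is_probable_prime(p):
        problems.append("modulus is composite")
    elif not is_probable_prime((p - 1) // 2):
        problems.append("modulus is prime but not a safe prime")
    return problems


def audit_moduli(text: str, min_bits: int = 2048) -> dict:
    """Map each entry's line number to its list of problems."""
    return {e.line_no: check_entry(e, min_bits) for e in parse_moduli(text)}


if __name__ == "__main__":
    # min_bits lowered only because the toy primes are tiny; use 2048 or more on a real file.
    for line_no, problems in audit_moduli(SAMPLE_MODULI, min_bits=5).items():
        print(line_no, "OK" if not problems else "; ".join(problems))
```

Run it against a real file with `audit_moduli(open("/etc/ssh/moduli").read())`; the safe-prime re-check on thousands of 2048- to 8192-bit entries takes a while in pure Python, which is the price of not trusting the tests column.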
