Can we disable diffie-hellman-group14-sha1 by default?

Damien Miller djm at
Sun Jan 20 08:09:24 AEDT 2019

On Sat, 19 Jan 2019, Yegor Ievlev wrote:

> I'm not sure if collision resistance is required for DH key
> derivation, but generally, SHA-1 is on its way out. If it's possible
> (if there's not a very large percentage of servers that do not support
> anything newer), it should be disabled.

No, SHA1 is used as a PRF for key derivation so collision-resistance
is not needed.

Yes, a large number of devices only support this curve - it's the only
remaining MUST curve from the original RFCs that we enable by default.

It's the last preference on the client, and the KEX isn't subject to
MITM downgrade attacks unless the hostkey signature algorithm is broken,
so keeping it there doesn't affect the security of connections to
servers that support better KEX algorithms.

For these reasons we're keeping it. Feel free to adjust your own configs -
it's easy: "KexAlgorithms=-diffie-hellman-group14-sha1"
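As an added illustration of the point above that SHA-1 serves as a PRF in key derivation (this is example code written for this page, not OpenSSH's own code), the following implements the key-expansion step of RFC 4253 section 7.2 used by diffie-hellman-group14-sha1; the values K, H and session_id are constructed samples, not real traffic:

```python
"""RFC 4253 section 7.2 key derivation as used by diffie-hellman-group14-sha1.

Added illustration, not code from OpenSSH or from the thread. The shared
secret K, exchange hash H and session_id below are constructed sample values.
"""
import hashlib


def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    # One extra byte is reserved so a set high bit gets a leading 0x00.
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return len(body).to_bytes(4, "big") + body


def derive_key(k: int, h: bytes, letter: bytes, session_id: bytes,
               length: int, hash_name: str = "sha1") -> bytes:
    """Derive one key (letter b'A'..b'F') of `length` bytes from K and H.

    K1 = HASH(K || H || X || session_id)
    Kn = HASH(K || H || K1 || ... || K(n-1))   until enough bytes exist

    The hash runs over the secret K as a one-way pseudo-random function;
    an attacker never gets to choose colliding inputs, which is why
    collision resistance of SHA-1 is not what this step relies on.
    """
    def hasher(data: bytes) -> bytes:
        return hashlib.new(hash_name, data).digest()

    k_enc = mpint(k)
    out = hasher(k_enc + h + letter + session_id)
    while len(out) < length:
        out += hasher(k_enc + h + out)
    return out[:length]


if __name__ == "__main__":
    # Constructed sample values; a real K is a 2048-bit group14 secret.
    sample_k = 0x1234567890ABCDEF
    sample_h = hashlib.sha1(b"constructed exchange hash input").digest()
    session_id = sample_h  # first exchange hash of a connection
    for name, letter in (("client IV", b"A"), ("client enc key", b"C")):
        key = derive_key(sample_k, sample_h, letter, session_id, 32)
        print(f"{name}: {key.hex()}")
```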