Can we disable diffie-hellman-group14-sha1 by default?

Mark D. Baushke mdb at juniper.net
Mon Jan 21 04:58:40 AEDT 2019


Yegor Ievlev <koops1997 at gmail.com> writes:

> e.g. can we make it throw warnings etc. rsa-sha2-256 and rsa-sha2-512
> are fine, they use PSS.

I suggest you re-read RFC 8332 section 5.3 as they do NOT use PSS, they
use RSASSA-PKCS1-v1_5 signature padding.

| 5.3.  PKCS #1 v1.5 Padding and Signature Verification
| 
|    This document prescribes RSASSA-PKCS1-v1_5 signature padding because:
| 
|    (1)  RSASSA-PSS is not universally available to all implementations;
|    (2)  PKCS #1 v1.5 is widely supported in existing SSH
|         implementations;
|    (3)  PKCS #1 v1.5 is not known to be insecure for use in this scheme.
| 
|    Implementers are advised that a signature with RSASSA-PKCS1-v1_5
|    padding MUST NOT be verified by applying the RSA key to the
|    signature, and then parsing the output to extract the hash.  This may
|    give an attacker opportunities to exploit flaws in the parsing and
|    vary the encoding.  Verifiers MUST instead apply RSASSA-PKCS1-v1_5
|    padding to the expected hash, then compare the encoded bytes with the
|    output of the RSA operation.

	-- Mark
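The verification rule quoted from RFC 8332 section 5.3 above, worked through in code. This is an added example, not part of the original message or of OpenSSH: it re-encodes the expected hash with EMSA-PKCS1-v1_5 (RFC 8017 section 9.2) and compares the whole encoded block against the RSA output, instead of decrypting the signature and parsing out the hash. The key generation, the function names and the sample message are assumptions made for the example; the key is a toy key built from stdlib-only Miller-Rabin primes so the block runs offline, not a real SSH host or user key.

```python
"""RSASSA-PKCS1-v1_5 signature verification as RFC 8332 section 5.3 requires:
encode the expected hash, then compare encodings; never parse the RSA output.

Added example for illustration. Key generation is a toy (stdlib only) and the
function names are assumptions, not OpenSSH's or any library's API.
"""
import hashlib
import hmac
import random

# DigestInfo prefixes for the two hash algorithms RFC 8332 defines
# (rsa-sha2-256 and rsa-sha2-512), taken from RFC 8017 section 9.2, note 1.
DIGEST_INFO = {
    "sha256": bytes.fromhex("3031300d060960864801650304020105000420"),
    "sha512": bytes.fromhex("3051300d060960864801650304020305000440"),
}


def emsa_pkcs1_v1_5_encode(msg: bytes, em_len: int, hash_name: str) -> bytes:
    """EMSA-PKCS1-v1_5-ENCODE (RFC 8017 9.2): 0x00 0x01 PS 0x00 T, where
    T = DigestInfo || Hash(msg) and PS is at least eight 0xFF octets."""
    t = DIGEST_INFO[hash_name] + hashlib.new(hash_name, msg).digest()
    if em_len < len(t) + 11:
        raise ValueError("intended encoded message length too short")
    ps = b"\xff" * (em_len - len(t) - 3)
    return b"\x00\x01" + ps + b"\x00" + t


def verify_pkcs1_v1_5(n: int, e: int, msg: bytes, sig: bytes, hash_name: str) -> bool:
    """Return True only if sig is a valid PKCS#1 v1.5 signature over msg.

    The RSA output is compared byte-for-byte (constant time) with a freshly
    built encoding of the expected hash, so there is no padding parser for
    an attacker to exercise with malformed encodings (RFC 8332 section 5.3)."""
    k = (n.bit_length() + 7) // 8            # modulus length in octets
    if len(sig) != k:                        # RFC 8017 8.2.2 step 1
        return False
    s = int.from_bytes(sig, "big")
    if s >= n:                               # signature representative out of range
        return False
    em = pow(s, e, n).to_bytes(k, "big")     # RSAVP1, left-padded to k octets
    expected = emsa_pkcs1_v1_5_encode(msg, k, hash_name)
    return hmac.compare_digest(em, expected)


def sign_pkcs1_v1_5(n: int, d: int, msg: bytes, hash_name: str) -> bytes:
    """Produce a PKCS#1 v1.5 signature (used here only to exercise verify)."""
    k = (n.bit_length() + 7) // 8
    m = int.from_bytes(emsa_pkcs1_v1_5_encode(msg, k, hash_name), "big")
    return pow(m, d, n).to_bytes(k, "big")


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin with a small trial-division filter; toy key generation only."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_toy_rsa_key(bits: int = 1024, seed=None):
    """Toy RSA key (n, e, d) for the example; NOT suitable for real use."""
    rng = random.Random(seed)
    e = 65537
    while True:
        half = bits // 2
        p = rng.getrandbits(half) | (1 << (half - 1)) | 1
        q = rng.getrandbits(half) | (1 << (half - 1)) | 1
        if p == q or not (_is_probable_prime(p, rng) and _is_probable_prime(q, rng)):
            continue
        phi = (p - 1) * (q - 1)
        if phi % e == 0:                     # e must be invertible modulo phi
            continue
        return p * q, e, pow(e, -1, phi)


if __name__ == "__main__":
    n, e, d = generate_toy_rsa_key(1024, seed=2019)
    msg = b"constructed sample: session id || SSH_MSG_USERAUTH_REQUEST"
    sig = sign_pkcs1_v1_5(n, d, msg, "sha256")
    print("valid signature accepted:", verify_pkcs1_v1_5(n, e, msg, sig, "sha256"))
    print("altered message rejected:", not verify_pkcs1_v1_5(n, e, msg + b"!", sig, "sha256"))
```

The comparison covers the full k-octet block, so a block whose PS is too short, has the wrong DigestInfo, or carries trailing garbage after the hash is rejected without any code path that interprets the padding; that is exactly the difference the RFC draws between "compare the encoded bytes" and "parse the output to extract the hash".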

