SHA-1 practical recommendations?
Damien Miller
djm at mindrot.org
Thu Mar 11 11:43:18 AEDT 2021
On Wed, 10 Mar 2021, James Ralston wrote:
> As others have mentioned, there is guidance about this in
> draft-ietf-curdle-ssh-kex-sha2:
>
> https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
>
> In summary, of these SHA-1 KexAlgorithms:
>
> * diffie-hellman-group1-sha1
> * diffie-hellman-group14-sha1
> * diffie-hellman-group-exchange-sha1
(none of these are enabled by default in OpenSSH)
> and these SHA-1 GSSAPIKexAlgorithms:
>
> * gss-gex-sha1-
> * gss-group1-sha1-
> * gss-group14-sha1-
(these are added by a popular third-party patch to OpenSSH)
> …if it is necessary to enable one of them for backward compatibility
> with clients/servers that support only SHA-1 algorithms, then this is
> the only one that should be enabled:
>
> * diffie-hellman-group14-sha1 (for KexAlgorithms)
> * gss-group14-sha1- (for GSSAPIKexAlgorithms)
Disagree. diffie-hellman-group-exchange-sha1 will use a bigger/better
MODP group than group14. If I had to enable one then that would be it.
As an aside, I don't think there is honestly any concern about using
SHA1 in the key exchange hash - collisions there don't matter as the
hash is used solely as a PRF and the input to hashing is not under
either party's sole control.
-d
More information about the openssh-unix-dev
mailing list