[Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue May 26 22:40:40 AEST 2015


https://bugzilla.mindrot.org/show_bug.cgi?id=2302

--- Comment #5 from Darren Tucker <dtucker at zip.com.au> ---
(In reply to Damien Miller from comment #4)
> Comment on attachment 2630 [details]
> Make the DH-GEX fallback group 4k bit.
> 
> Where did this group come from?

I generated it.  I pulled it off the file being prepared for the next
moduli update.

> IMO it would be best to use one of
> the standard groups if we're picking another fixed one - logjam
> attacks aren't remotely plausible at this length, and doing so
> avoids any questions over the group's provenance.

Presumably someone said something similar about group1 and group14 at
one point?

> You could use the RFC3526 (ISAKMP) 4096-bit group:
> https://tools.ietf.org/html/rfc3526#page-5

Isn't the whole point of the LogJam style attacks is that up-front
precomputation against a fixed group used in many protocols pays
dividends across all of them?  In this case we need a group, but we
don't need that particular group.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.


More information about the openssh-bugs mailing list