[EC]DH KEx and how to restrict ssh/sshd to secure(er) DH parameters

Christoph Anton Mitterer calestyo at scientia.net
Fri Oct 24 13:46:45 EST 2014

On Thu, 2014-10-23 at 11:58 +0200, Daniel Kahn Gillmor wrote: 
> Christoph is pointing out that the client might actually have a way to
> verify that the group is strong.
Well, that's even already one step ahead; my main point was that right
now I have (AFAIU) not really a chance to disallow weak groups (in the
sense of size) at both sides - server and client.

OpenSSH's ssh will accept 1024 (which I personally would feel more
comfortable if I could harden it, and e.g. only selectively allow
smaller groups for older servers I'm speaking to).
And AFAIU Christian, the server will always fall back to the 2048-bit
group from diffie-hellman-group14-sha1, even if I "harden" my sshd's
moduli file by removing all smaller groups.

But really checking the moduli goes already one step further.
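
Added example (not part of the original message and not OpenSSH code): a sketch of the moduli-file hardening the message mentions, dropping every group below a size floor by measuring the modulus itself. The 3072-bit floor, the function names and the sample entries are assumptions made for illustration; the sample moduli are constructed placeholders, not real safe primes. As the message notes, this only prunes the file and does not by itself stop a fallback to the fixed group14.

```python
"""Filter an OpenSSH moduli(5) file by prime size (added example)."""

MIN_BITS = 3072  # assumption: local policy floor, not a value from the thread


def parse_moduli(text):
    """Yield (raw_line, size_field, actual_bits) for each moduli(5) entry."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) != 7:
            raise ValueError(f"malformed moduli line: {stripped[:40]!r}")
        # Fields: timestamp type tests trials size generator modulus(hex)
        size_field = int(fields[4])
        actual_bits = int(fields[6], 16).bit_length()
        yield line, size_field, actual_bits


def filter_moduli(text, min_bits=MIN_BITS):
    """Return (kept_lines, dropped_bit_lengths), judged on the modulus itself."""
    kept, dropped = [], []
    for line, _size_field, actual_bits in parse_moduli(text):
        # The size column commonly reads one less than the bit length
        # (e.g. 2047), so measure the modulus instead of trusting the column.
        if actual_bits >= min_bits:
            kept.append(line)
        else:
            dropped.append(actual_bits)
    return kept, dropped


def _fake_entry(bits):
    """Constructed placeholder entry: right bit length, NOT a real safe prime."""
    modulus = "F" + "0" * (bits // 4 - 1)
    return f"20140101000000 2 6 100 {bits - 1} 2 {modulus}"


# Constructed sample input, not taken from a real /etc/ssh/moduli.
SAMPLE = "# constructed sample\n" + "\n".join(
    _fake_entry(b) for b in (1024, 1536, 2048, 3072, 4096)
)

if __name__ == "__main__":
    kept, dropped = filter_moduli(SAMPLE)
    print(f"kept {len(kept)} groups, dropped bit lengths: {dropped}")
    if not kept:
        raise SystemExit("refusing to emit an empty moduli file")
```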
