On 09/22/2017 06:10 PM, Mark D. Baushke wrote:
> I suppose you want to be more paranoid:
>
> DH *
> dh_new_group_fallback(int max)
> {
> debug3("%s: requested max size %d", __func__, max);
> if (max <= 2048) {
> debug3("using 2k bit group 14");
> return dh_new_group14();
> } else if (max <= 4096) {
> debug3("using 4k bit group 16");
> return dh_new_group16();
> }
> debug3("using 8k bit group 18");
> return dh_new_group18();
> }
This wouldn't fix the underlying issue. I'm interested in having the
code respect the admin's wishes. If the admin edits out entries in
/etc/ssh/moduli, the server should follow that 100%, and not sometimes
make decisions on its own, against what the admin told it point-blank.
Both the existing code, and the above change results in unexpected behavior.
It seems like removing the fallback mechanism entirely is the way to go.
If the server and client can't agree on a group-exchange, then the
attempt should fail. And after all, the client is free to try again
with another kex.
FYI, the OpenSSH client (v6.6) in Linux Mint 17 (which is a couple years
old) requests a range of 1024 - 8192 bits by default. I can look into
what PuTTY does, if anyone is interested. I strongly suspect, though,
that modern clients aren't going to be impacted by removing the fallback.
- Joe