DH Group Exchange Fallback
Joseph S Testa II
jtesta at positronsecurity.com
Sun Sep 24 03:32:11 AEST 2017
On 09/22/2017 06:55 PM, Tim Broberg wrote:
> Do I understand correctly, that you find the security of group 14 unacceptable and yet you left it enabled?
In the end, I'm trying to ensure a minimum equivalent of 128-bits of
security. Group14 is 2048-bits, which roughly translates to 112-bits. [1]
To this end, I disabled the "diffie-hellman-group14-sha1" and
"diffie-hellman-group14-sha256" kex algorithms, but the problem is that
the group exchange "diffie-hellman-group-exchange-sha256" is not
respecting the admin's wishes, and falls back to group14, even when
specifically told not to (by the admin removing 2048-bit groups in
/etc/ssh/moduli).
There's currently no way to ensure 100% that 2048-bit DH is disabled.
- Joe
[1] See NIST Special Publication 800-57, Part 1, Revision 4, p. 53,
<http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-57pt1r4.pdf>.
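The administrative step the message refers to, pruning 2048-bit groups out of /etc/ssh/moduli, can be done with a small filter, and it is worth checking the result before installing it. The script below is an added example for this page, not code from the thread or from OpenSSH. It assumes the moduli(5) line layout "time type tests trials size generator modulus", and that the stock file stores the size field as one less than the nominal group size (2047 for the 2048-bit group, 3071 for 3072), which is why the threshold used here is 3071. The sample lines are constructed, with placeholder hex in the modulus column.

```shell
#!/bin/sh
# Added example (not part of the mailing-list thread): keep only the
# Diffie-Hellman group-exchange moduli of at least a given size, and count
# how many entries fall below it. Assumed moduli(5) format:
#   time type tests trials size generator modulus
# and stock-file convention that size is one less than the nominal bits.

# filter_moduli MIN_SIZE < moduli : print only entries whose size >= MIN_SIZE
filter_moduli() {
    awk -v min="$1" '
        /^#/ || NF < 7 { next }          # skip comment and malformed lines
        $5 + 0 >= min + 0 { print }      # field 5 is the size column
    '
}

# count_small MIN_SIZE < moduli : number of entries whose size < MIN_SIZE
count_small() {
    awk -v min="$1" '
        /^#/ || NF < 7 { next }
        $5 + 0 < min + 0 { n++ }
        END { print n + 0 }
    '
}

# Constructed sample moduli lines (hex values are placeholders, not primes).
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20170901000000 2 6 100 2047 2 DEADBEEF0001
20170901000000 2 6 100 3071 2 DEADBEEF0002
20170901000000 2 6 100 4095 5 DEADBEEF0003
20170901000000 2 6 100 1535 2 DEADBEEF0004'

# Wrappers over the sample so results can be checked without touching /etc/ssh.
sample_kept_count() {
    printf '%s\n' "$SAMPLE_MODULI" | filter_moduli "$1" | wc -l | tr -d ' '
}
sample_small_count() {
    printf '%s\n' "$SAMPLE_MODULI" | count_small "$1"
}

# Typical use on a real host (left as a comment; inspect the output first):
#   filter_moduli 3071 < /etc/ssh/moduli > /etc/ssh/moduli.new
# together with a KexAlgorithms line in sshd_config that omits the two fixed
# group14 methods named in the message. As the message points out, the
# group-exchange method can still fall back to group14 on its own when no
# modulus of the requested size is left in the file, so this filter alone
# does not guarantee that 2048-bit DH is gone.

sample_kept_count 3071
```

Run it against a copy of the real file first and compare the kept count with `wc -l`; an empty result means every group was pruned and the server would be left with only the built-in fallback the message describes.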