SHA-1 practical recommendations?

Damien Miller djm at mindrot.org
Thu Mar 11 11:43:18 AEDT 2021


On Wed, 10 Mar 2021, James Ralston wrote:

> As others have mentioned, there is guidance about this in
> draft-ietf-curdle-ssh-kex-sha2:
> 
> https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
> 
> In summary, of these SHA-1 KexAlgorithms:
> 
> * diffie-hellman-group1-sha1
> * diffie-hellman-group14-sha1
> * diffie-hellman-group-exchange-sha1

(none of these are enabled by default in OpenSSH)

> and these SHA-1 GSSAPIKexAlgorithms:
> 
> * gss-gex-sha1-
> * gss-group1-sha1-
> * gss-group14-sha1-

(these are added by a popular third-party patch to OpenSSH)

> …if it is necessary to enable one of them for backward compatibility
> with clients/servers that support only SHA-1 algorithms, then this is
> the only one that should be enabled:
> 
> * diffie-hellman-group14-sha1 (for KexAlgorithms)
> * gss-group14-sha1- (for GSSAPIKexAlgorithms)

Disagree. diffie-hellman-group-exchange-sha1 will use a bigger/better
MODP group than group14. If I had to enable one then that would be it.

As an aside, I don't think there is honestly any concern about using
SHA1 in the key exchange hash - collisions there don't matter as the
hash is used solely as a PRF and the input to hashing is not under
either party's sole control.

-d


More information about the openssh-unix-dev mailing list