SHA-1 practical recommendations?

James Ralston ralston at pobox.com
Fri Mar 12 06:46:22 AEDT 2021


On Wed, Mar 10, 2021 at 7:43 PM Damien Miller <djm at mindrot.org> wrote:

> On Wed, 10 Mar 2021, James Ralston wrote:
>
> > …if it is necessary to enable one of them for backward
> > compatibility with clients/servers that support only SHA-1
> > algorithms, then this is the only one that should be enabled:
> >
> > * diffie-hellman-group14-sha1 (for KexAlgorithms)
> > * gss-group14-sha1- (for GSSAPIKexAlgorithms)
>
> Disagree. diffie-hellman-group-exchange-sha1 will use a
> bigger/better MODP group than group14. If I had to enable one then
> that would be it.

Is this guaranteed to be true even if /etc/ssh/moduli contains small
primes (e.g. 1023 bits)?

For example, RHEL7 ships OpenSSH 7.4, which contains:

$ head -7 /etc/ssh/moduli | cut -c1-70
#    $OpenBSD: moduli,v 1.18 2016/08/11 01:42:11 dtucker Exp $
# Time Type Tests Tries Size Generator Modulus
20150520233853 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92
20150520233854 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92
20150520233854 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92
20150520233855 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92
20150520233856 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92

If we enable diffie-hellman-group-exchange-sha1, our InfoSec guys tell
us that our RHEL7 hosts all hit on:

https://www.tenable.com/plugins/nessus/86328

In contrast, group14 guarantees that the MODP group won’t be less than
2048.
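As an added illustration of the check being discussed (example code, not part of this thread or of OpenSSH): a small Python audit of /etc/ssh/moduli that parses the file using its own column header and reports every group-exchange group below 2048 bits, plus a filter that drops them, equivalent to the usual awk one-liner. It assumes the OpenSSH convention that the Size column is one less than the modulus bit length (1023 is a 1024-bit group, 2047 a 2048-bit one) and cross-checks that against the hex modulus; its sample file is constructed with placeholder hex of the right length, not real safe primes.

```python
from dataclasses import dataclass
from typing import List

# Columns follow the file's own header: Time Type Tests Tries Size Generator Modulus.
# OpenSSH writes Size as one less than the prime's bit length (1023 -> 1024-bit group,
# 2047 -> 2048-bit), so the parser recomputes the length from the hex modulus as well.

@dataclass
class Group:
    line_no: int
    size_field: int   # Size column exactly as written in the file
    bits: int         # bit length of the modulus itself (Size + 1)
    generator: int

def parse_moduli(text: str) -> List[Group]:
    """Parse moduli-file content, skipping comments and blank lines."""
    groups = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {n}: expected 7 fields, found {len(fields)}")
        size_field, generator, modulus = int(fields[4]), int(fields[5]), fields[6]
        bits = int(modulus, 16).bit_length()
        if bits != size_field + 1:
            raise ValueError(f"line {n}: Size {size_field} but modulus is {bits} bits")
        groups.append(Group(n, size_field, bits, generator))
    return groups

def weak_groups(text: str, floor_bits: int = 2048) -> List[Group]:
    """Groups shorter than floor_bits; any hit is a group that group-exchange can offer."""
    return [g for g in parse_moduli(text) if g.bits < floor_bits]

def filtered_moduli(text: str, floor_bits: int = 2048) -> str:
    """File content with short groups removed (same effect as awk '$5 >= 2047')."""
    lines = text.splitlines()
    return "\n".join(ln for ln in lines if ln.startswith("#") or not ln.strip()
                     or int(ln.split()[4]) + 1 >= floor_bits) + "\n"

def sample_moduli() -> str:
    """Constructed file in the RHEL7 layout: placeholder hex of the right length,
    not real safe primes, so only the size logic is exercised."""
    def entry(stamp: str, size: int, gen: int) -> str:
        return f"{stamp} 2 6 100 {size} {gen} F" + "A" * ((size + 1) // 4 - 1)
    return "\n".join([
        "# Time Type Tests Tries Size Generator Modulus",
        entry("20150520233853", 1023, 5), entry("20150520233854", 1023, 2),
        entry("20150520233855", 2047, 2), entry("20150520233856", 3071, 5),
    ]) + "\n"
```

Running `weak_groups(open("/etc/ssh/moduli").read())` on a host like the one above returns every 1024-bit entry, and writing `filtered_moduli(...)` back out leaves only groups of 2048 bits and up for diffie-hellman-group-exchange to choose from.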


More information about the openssh-unix-dev mailing list