SHA-1 practical recommendations?
Damien Miller
djm at mindrot.org
Fri Mar 12 09:01:00 AEDT 2021
On Thu, 11 Mar 2021, James Ralston wrote:
> On Wed, Mar 10, 2021 at 7:43 PM Damien Miller <djm at mindrot.org> wrote:
>
> > On Wed, 10 Mar 2021, James Ralston wrote:
> >
> > > …if it is necessary to enable one of them for backward
> > > compatibility with clients/servers that support only SHA-1
> > > algorithms, then this is the only one that should be enabled:
> > >
> > > * diffie-hellman-group14-sha1 (for KexAlgorithms)
> > > * gss-group14-sha1- (for GSSAPIKexAlgorithms)
> >
> > Disagree. diffie-hellman-group-exchange-sha1 will use a
> > bigger/better MODP group than group14. If I had to enable one then
> > that would be it.
>
> Is this guaranteed to be true even if /etc/ssh/moduli contains small
> primes (e.g. 1023 bits)?
Yes, see dh_estimate() in dh.c - it will never select a <2048 bit
group and will usually select one considerably larger,
If /etc/moduli is missing then dh_new_group_fallback() will use either a
2k or 4k group.
-d
More information about the openssh-unix-dev
mailing list