diffie-hellman-group-exchange-sha256 group size concerns and request
Kurt Fitzner
kurt_opensshdev at va1der.ca
Sun Sep 29 03:27:58 AEST 2024
On 2024-09-23 05:56, Dmitry Belyavskiy wrote:
> Hello,
>
> On Sun, Sep 22, 2024 at 10:15 AM Kurt Fitzner via openssh-unix-dev
> <openssh-unix-dev at mindrot.org> wrote:
>
>> I would like to advocate for:
>>
>> - Change behaviour of the server to allow server operators to set the
>> minimum modulus group size allowable for a connection using
>> diffie-hellman-group-exchange-sha256
>> Whether this is by having the server refuse to allow smaller moduli to
>> be used than exist in ModuliFile, or another explicit configuration
>> setting is added, it doesn't matter
>
> I strongly support this requirement. We have a similar one for RSA and
> having an explicit setting for DH would be great.
This is almost as significant as logjam was to begin with, and I have to
say I'm dismayed that there is no way to prevent connections at insecure
group sizes with the server using default canned primes that have been
long exposed to pre-calculations.
I'm not convinced that MITM can't force a lower "maximum" group size on
a connection, which basically means this IS logjam.
I have disabled diffie-hellman-group-exchange-sha256 on all servers as
insecure and would like clarification from OpenSSH devs. There needs to
at least be a statement issued somewhere warning people that removing
small primes from /etc/ssh/moduli has no effect on the minimum size the
server will issue, and that this is actually a worse option as this will
cause the server to use canned primes.
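An added example, not part of this thread or of OpenSSH itself, that audits a moduli file for the small groups being discussed. It assumes only the documented moduli(5) line layout (time, type, tests, trials, size, generator, modulus in hex); the sample lines are constructed placeholders whose modulus columns are not real primes, so only their bit lengths are meaningful.

```python
# Added example (not from the mailing-list thread): inventory the
# Diffie-Hellman group sizes in an OpenSSH moduli file and flag small ones.
# Assumed line format, per moduli(5):
#   time type tests trials size generator modulus(hex)
from dataclasses import dataclass


@dataclass
class ModuliEntry:
    size_field: int   # "size" column as written; real files typically hold
                      # one less than the modulus bit length (e.g. 2047)
    generator: int
    bits: int         # actual bit length computed from the hex modulus


def parse_moduli(text: str) -> list:
    """Parse moduli-file text. Blank and '#' lines are skipped;
    a line without exactly 7 fields raises ValueError."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        _time, _type, _tests, _trials, size, gen, modulus = fields
        entries.append(ModuliEntry(
            size_field=int(size),
            generator=int(gen),
            bits=int(modulus, 16).bit_length(),
        ))
    return entries


def weak_entries(entries, min_bits: int = 2048) -> list:
    """Entries whose modulus is shorter than min_bits."""
    return [e for e in entries if e.bits < min_bits]


def size_histogram(entries) -> dict:
    """Map of modulus bit length -> number of entries, sorted by size."""
    hist = {}
    for e in entries:
        hist[e.bits] = hist.get(e.bits, 0) + 1
    return dict(sorted(hist.items()))


# Constructed sample: the modulus columns are all-ones hex of the right
# length, NOT safe primes, so only the bit lengths carry information.
SAMPLE_MODULI = "\n".join([
    "# constructed sample, not a real /etc/ssh/moduli",
    "20240101000000 2 6 100 1023 2 " + "ff" * 128,
    "20240101000000 2 6 100 2047 2 " + "ff" * 256,
    "20240101000000 2 6 100 4095 5 " + "ff" * 512,
])


if __name__ == "__main__":
    entries = parse_moduli(SAMPLE_MODULI)
    print("group sizes present:", size_histogram(entries))
    for e in weak_entries(entries):
        print(f"below 2048 bits: {e.bits}-bit group (size field {e.size_field})")
```

Run it against a real file with `parse_moduli(open("/etc/ssh/moduli").read())`. As the message above points out, this only tells you what the file contains; trimming entries out of it does not by itself make the server refuse a smaller group, so treat the report as an inventory rather than an enforcement control.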