On Sun, 8 Jun 2014, Darren Tucker wrote:

> # Broken curve25519-sha256@xxxxxxxxxx
> Match Implementation OpenSSH-6.6
>     KexAlgorithms diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
>
> Plus you could turn off DH Group exchange to those Cisco implementations
> that fail when asked for a preferred group >4k bit without compromising
> security for every other implementation.

That opens a door for a MITM to degrade the crypto options used by
spoofing one/both banner strings. Of course they would need to be able
to fake the KEX hash later, but if they get to choose the algorithms
used then this becomes more likely.

I've been removing the compat hacks for old SSH implementations that
cause dodgy crypto to be used for this very reason.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
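The downgrade concern raised in the reply above, modelled as an added example (this is constructed simulation code, not OpenSSH source and not part of the thread). It applies the RFC 4253 section 7.1 negotiation rule (first algorithm on the client's list that the server also supports) to a server whose KEX offer is keyed on the client's version banner, standing in for the proposed "Match Implementation" block. The banner strings, the policy table, the algorithm lists and the use of SHA-256 for every method are assumptions chosen for illustration; the real exchange hash uses the hash of the negotiated KEX method and also covers the host key and the DH values.

```python
"""Simulation of banner-keyed KEX policy and what a MITM can do with it.

Constructed example, not OpenSSH code.  Two points are shown:
  1. if the server's KEX offer depends on the client banner, an attacker
     who rewrites that banner in transit chooses which offer the server
     makes, and therefore which algorithm is negotiated;
  2. the RFC 4253 exchange hash H covers both version strings and both
     KEXINIT payloads, so the honest client's H no longer matches the
     server's, which is why the attacker "would need to be able to fake
     the KEX hash later".
"""
import hashlib

# Client preference order (assumed; roughly an OpenSSH 6.x default).
CLIENT_KEX = [
    "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group14-sha1",
]

# Server offer when no banner-specific block matches (assumed).
SERVER_DEFAULT_KEX = list(CLIENT_KEX)

# Hypothetical banner-keyed policy playing the role of
# "Match Implementation OpenSSH-6.6" in the quoted proposal.
BANNER_POLICY = {
    "SSH-2.0-OpenSSH_6.6": [
        "diffie-hellman-group-exchange-sha256",
        "diffie-hellman-group14-sha1",
    ],
}

SERVER_BANNER = "SSH-2.0-OpenSSH_6.7"  # assumed server version string


def server_kex_offer(client_banner_as_seen):
    """Server picks its KEXINIT algorithm list from the banner it received."""
    return BANNER_POLICY.get(client_banner_as_seen, SERVER_DEFAULT_KEX)


def negotiate(client_list, server_list):
    """RFC 4253 7.1: first client-preferred algorithm the server supports."""
    for alg in client_list:
        if alg in server_list:
            return alg
    raise ValueError("no common KEX algorithm")


def exchange_hash_inputs(v_c, v_s, i_c, i_s):
    """Hash over V_C, V_S, I_C, I_S as length-prefixed strings.

    These are the leading fields of H in RFC 4253 section 8 (K_S, e, f, K
    omitted here).  SHA-256 is used for every method as a simplification.
    """
    h = hashlib.sha256()
    for part in (v_c, v_s, i_c, i_s):
        data = part.encode()
        h.update(len(data).to_bytes(4, "big") + data)
    return h.hexdigest()


def run_handshake(real_client_banner, banner_seen_by_server):
    """Return (negotiated KEX, client's H inputs, server's H inputs).

    When the two banners differ, a MITM rewrote the client banner on the
    wire.  Each side hashes the version string it actually sent/received.
    """
    server_list = server_kex_offer(banner_seen_by_server)
    i_c = ",".join(CLIENT_KEX)
    i_s = ",".join(server_list)
    chosen = negotiate(CLIENT_KEX, server_list)
    h_client = exchange_hash_inputs(real_client_banner, SERVER_BANNER, i_c, i_s)
    h_server = exchange_hash_inputs(banner_seen_by_server, SERVER_BANNER, i_c, i_s)
    return chosen, h_client, h_server


if __name__ == "__main__":
    honest = run_handshake("SSH-2.0-OpenSSH_6.7", "SSH-2.0-OpenSSH_6.7")
    print("honest  :", honest[0], "hashes match:", honest[1] == honest[2])
    mitm = run_handshake("SSH-2.0-OpenSSH_6.7", "SSH-2.0-OpenSSH_6.6")
    print("spoofed :", mitm[0], "hashes match:", mitm[1] == mitm[2])
```

In the spoofed run the server is steered off curve25519 onto the DH group exchange, but the client's H is computed over the banner it really sent, so the server's signature over its own H fails to verify unless the attacker can also forge that signature or break the weaker method before the check completes. A compat block that keys on the banner therefore turns "which algorithm do we use" into an attacker-influenced choice; dropping such blocks, as the reply describes, removes that lever.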