On 2014-10-18, Christoph Anton Mitterer <calestyo@xxxxxxxxxxxx> wrote:

> 1) I guess ALL these are ephemeral versions of DH/ECDC, in order to get
> FS/PFS, right?

Yes.

> Just out of curiosity,... what is done to make the DH authenticated?
> I guess it depends on the chosen HostKeyAlgorithm (so either RSA, DSS,
> ECDSA or EdDSA)... but do client/server exchange the DH parameters
> signed or do they exchange a signed version of the agreed key?

https://tools.ietf.org/html/rfc4253#section-8

> AFAIU for diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1
> the parameters are fixed (with 1024 and 2048 bit groups)
>
> The same for the four ECDH versions (ecdh-sha2-nistp* and
> curve25519-sha256@xxxxxxxxxx), they all have fixed values
>
> So if I'd find that to be too weak, then the only thing one could do is
> disable those, right?

Right.

> But for the diffie-hellman-group-exchange-sha1
> diffie-hellman-group-exchange-sha256 the /etc/ssh/moduli file is used to
> find parameters, right?
>
> a) Documentation seems to imply that this is only used by sshd?
> So how does the ssh client come to his accepted parameters? Does he
> simply take anything an SSH server proposes?

The client sends the minimal/preferred/maximal group size, and the
server picks a group and responds with the modulus and generator
for the group.

https://tools.ietf.org/html/rfc4419

> b) How can I restrict what the server accepts as parameters?
> E.g. if I think 1024 bit groups are too weak, can I simply remove those
> entries from the moduli file and such groups will no longer be used?

If the server doesn't find (a suitable group in) /etc/moduli, it
will fall back to the group from diffie-hellman-group14-sha1.

The elliptic curve key exchanges have pretty much obsoleted the
Diffie-Hellman group exchange.

--
Christian "naddy" Weisgerber naddy@xxxxxxxxxxxx
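
An audit-and-filter helper for the moduli file discussed in question (b), as an added example that is not part of the original message or of OpenSSH. The function names and the sample lines are constructed for illustration, and the code assumes the moduli(5) seven-field layout with the size field stored as one less than the modulus length, as in the stock file.

```shell
#!/bin/sh
# Added example: audit and filter an sshd moduli file by group size.
# moduli(5) fields: time type tests trials size generator modulus.
# Assumption: size is stored as bit length minus one (2047 for a
# 2048-bit group), as in the stock file, hence the "+ 1" below.

# Print "<bits> <count>" for every group size present in file $1.
moduli_sizes() {
    awk '!/^#/ && NF == 7 { n[$5 + 1]++ }
         END { for (b in n) print b, n[b] }' "$1" | sort -n
}

# Write to stdout only the groups of at least $1 bits from file $2.
# Returns 1 and prints nothing on stdout when no group would survive:
# per the reply above, a server that finds no suitable group falls
# back to a fixed group, so an empty result should not be installed.
moduli_filter() {
    min_bits=$1
    src=$2
    kept=$(awk -v min="$min_bits" \
        '/^#/ || NF != 7 { next } $5 + 1 >= min + 0' "$src")
    if [ -z "$kept" ]; then
        echo "no groups >= $min_bits bits in $src" >&2
        return 1
    fi
    printf '%s\n' "$kept"
}

# Constructed sample; the hex strings are placeholders, not real primes.
sample_moduli() {
    cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20140101000000 2 6 100 1023 2 C0FFEE01
20140101000001 2 6 100 1023 5 C0FFEE02
20140101000002 2 6 100 2047 2 C0FFEE03
20140101000003 2 6 100 4095 5 C0FFEE04
EOF
}

# Demo on the constructed sample: size histogram, then a 2048-bit floor.
demo=$(mktemp)
sample_moduli > "$demo"
moduli_sizes "$demo"
moduli_filter 2048 "$demo"
rm -f "$demo"
```

Run the filter against a copy of the real file and review the output before replacing anything sshd reads.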