On Thu, 21 May 2015, Matthew Vernon wrote:

> Hi,
>
> You will be aware of https://weakdh.org/ by now, I presume; the
> take-home seems to be that 1024-bit DH primes might well be too weak.
> I'm wondering what (if anything!) you propose to do about this issue,
> and what Debian might do for our users?

I don't think much needs to be done: OpenSSH has preferred ECDH, and before that DH group-exchange with regularly refreshed modp groups for over a decade, so the diffie-hellman-group1-sha1 mode is only ever used for compatibility with legacy implementations. While it is still offered (only by the client), it is offered last in preference and will never be selected if the client and server support better options. SSH's key exchange protocol is AFAIK stronger than SSL/TLS's and forcing a downgrade requires breaking both the DH exchange and the hostkey algorithm in more or less real time.

We do plan on dropping diffie-hellman-group1-sha1 from the default client offer later this year. We dropped it from servers a few releases ago.

As for what Debian (and other distributors) can do: IMO the best thing is to aggressively backport recent releases of OpenSSH to older supported releases of your operating systems. We've been trying to modernise the crypto across the 6.x releases as fast as we can without breaking stuff.

> openssh already prefers ECDH, which must reduce the impact somewhat,
> although the main Windows client (PuTTY) doesn't support ECDH yet. But
> openssh does still offer diffie-hellman-group1-sha1 (uses a 1024-bit
> group) and diffie-hellman-group14-sha1 (uses a 2047-bit group), which
> must be considered a bit suspect? Of course RFC4253 says implementations
> MUST offer these...

We'll be violating a few "MUST" clauses in the 7.0 release in the interests of security, including turning off group1 by default.
> The moduli file you provide has this distribution of sizes:
>
> size count
> 1023 36
> 1535 50
> 2047 36
> 3071 31
> 4095 41
> 6143 27
> 8191 39
>
> Would it be sensible to remove the <2047 moduli? Generating the larger
> ones is quite time-consuming on non-specialist kit, which would seem to
> argue against re-generating them on users' machines.

Darren can chime in here, but I don't think anything <2047 will actually be used since he updated dh.c:dh_estimate() a few years ago.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
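An added illustration of the point made in the reply above (this is editorial example code, not part of the thread and not OpenSSH's own code): it parses moduli-file lines into the size histogram Matthew tabulates, then models why a group-exchange client that asks for at least 2048 bits never ends up on the <2047 entries. The moduli lines are constructed random numbers of the right length (not primes), the `dh_estimate` thresholds are my recollection of the NIST SP 800-57 equivalences used in OpenSSH's dh.c and should be read as an assumption, and `choose_group` is a deliberately simplified model of the server-side selection, not a transcription of sshd's code.

```python
"""Added example: tabulate an OpenSSH-style moduli file and model which
group a diffie-hellman-group-exchange client would actually be given."""
import random
from collections import Counter

# Constructed sample data. Real moduli lines carry seven space-separated
# fields: time type tests tries size generator modulus(hex). The "size"
# field is the prime's bit length minus one (2047 for a 2048-bit prime),
# which is why the quoted table shows 1023/2047/... rather than round numbers.
# The moduli generated here are random odd numbers of the right length,
# NOT primes; they only give the parser something structurally valid.
SIZES = [1023, 1535, 2047, 3071, 4095, 6143, 8191]


def make_sample_moduli(seed=1, per_size=2):
    rng = random.Random(seed)
    lines = []
    for size in SIZES:
        for _ in range(per_size):
            bits = size + 1
            # force the top bit (exact length) and the low bit (odd)
            p = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
            lines.append(f"20150521000000 2 6 100 {size} 2 {p:x}")
    return "\n".join(lines) + "\n"


def parse_moduli(text):
    """Return (size, generator, modulus) for every well-formed safe-prime line.
    A line whose declared size disagrees with the modulus length is dropped:
    a truncated or tampered entry must never be offered to a client."""
    groups = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue
        _time, ptype, _tests, _tries, size, gen, mod = fields
        if ptype != "2":  # type 2 = safe prime, the kind used for DH
            continue
        size, gen, mod = int(size), int(gen), int(mod, 16)
        if mod.bit_length() != size + 1:
            continue
        groups.append((size, gen, mod))
    return groups


def size_histogram(groups):
    """Same shape as the 'size count' table quoted in the thread."""
    return dict(sorted(Counter(size for size, _, _ in groups).items()))


def dh_estimate(sym_key_bits):
    """Client-side request for DH group size, given the symmetric key length.
    ASSUMPTION: these NIST SP 800-57 cut-offs are my recollection of
    OpenSSH's dh.c:dh_estimate(), not a quotation of it."""
    if sym_key_bits <= 112:
        return 2048
    if sym_key_bits <= 128:
        return 3072
    if sym_key_bits <= 192:
        return 7680
    return 8192


def choose_group(groups, want_bits, min_bits=2048, max_bits=8192):
    """Simplified server-side model (not sshd's code): restrict to groups
    within [min_bits, max_bits], prefer the smallest group that is at least
    want_bits, otherwise fall back to the largest available, and pick one of
    the equally sized candidates at random."""
    cands = [g for g in groups if min_bits <= g[0] + 1 <= max_bits]
    if not cands:
        return None
    big_enough = [g for g in cands if g[0] + 1 >= want_bits]
    if big_enough:
        target = min(g[0] for g in big_enough)
    else:
        target = max(g[0] for g in cands)
    return random.choice([g for g in cands if g[0] == target])


if __name__ == "__main__":
    groups = parse_moduli(make_sample_moduli())
    print("size  count")
    for size, count in size_histogram(groups).items():
        print(f"{size:5d} {count:5d}")
    for cipher, kbits in [("3des-cbc", 112), ("aes128-ctr", 128), ("aes256-ctr", 256)]:
        want = dh_estimate(kbits)
        chosen = choose_group(groups, want)
        print(f"{cipher}: client asks for {want} bits -> server picks a {chosen[0] + 1}-bit group")
```

Run it and the 1023- and 1535-bit entries show up in the histogram but are never selected: with a 2048-bit floor on the client's request they are not even candidates, which is the practical sense in which leaving them in the file costs nothing.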