Re: FYI HEAD now refuses <1024 bit DH keys in group-exchange

On 16/10/15 21:07, Damien Miller wrote:
Hi,

I just committed a change to HEAD that raises the minimum Diffie-Hellman
group size that the client will accept from 1024 to 2048 bits.
Connections to well-behaved servers should not be affected by this
change, but I've identified at least one case where a misconfigured
server can cause connection failure. The errors look like:

ssh_dispatch_run_fatal: Connection to 10.1.1.1: DH GEX group out of range

The problematic software is OpenSSH<3.9 or Sun_SSH (all versions).
It will use a fixed 1024 bit DH group as an implicit fallback if
/etc/ssh/moduli is missing, unreadable or empty.

Thanks for the heads-up.
We know that people will find that a bit cryptic. What about showing a message like: "A Diffie-Hellman group of %d bits is too weak. Does the server have a /etc/ssh/moduli file with suitable values?"

Best regards


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
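
The server-side condition described in the quoted message (a missing, unreadable or empty /etc/ssh/moduli causing a fallback to a fixed 1024-bit group) can be audited with a short script. This is an added example, not code from the thread or from OpenSSH; the function name `check_moduli` is hypothetical, it assumes the moduli(5) field layout in which the size field holds bits minus one, and it goes one step further than the thread by also flagging files that contain no group of at least 2048 bits.

```shell
#!/bin/sh
# Added example: audit a moduli(5) file for the failure mode in the thread.
# moduli(5) line format: time type tests tries size generator modulus
# The size field is stored as bits-1 (2047 for a 2048-bit group).
# Assumption: any well-formed 7-field entry is counted; sshd's own
# per-entry validation (type, tests, tries) is not replicated here.

# check_moduli FILE [MIN_BITS]
# Prints one status line. Returns 0 if a group >= MIN_BITS exists,
# 1 if only smaller groups exist, 2 if the file is missing,
# unreadable or has no entries (the implicit-fallback cases).
check_moduli() {
    file=$1
    min_bits=${2:-2048}

    if [ ! -e "$file" ]; then
        echo "MISSING: $file"; return 2
    fi
    if [ ! -r "$file" ]; then
        echo "UNREADABLE: $file"; return 2
    fi

    # Count entries, skipping comments and blank lines.
    counts=$(awk -v min="$min_bits" '
        /^[ \t]*(#|$)/ { next }
        NF >= 7 { total++; if ($5 + 1 >= min) ok++ }
        END { printf "%d %d", total, ok }' "$file")
    total=${counts% *}
    ok=${counts#* }

    if [ "$total" -eq 0 ]; then
        echo "EMPTY: $file has no usable entries"; return 2
    fi
    if [ "$ok" -eq 0 ]; then
        echo "WEAK: $file has $total groups, none >= $min_bits bits"; return 1
    fi
    echo "OK: $file has $ok of $total groups >= $min_bits bits"
    return 0
}

# Run stand-alone as: sh check_moduli.sh /etc/ssh/moduli
if [ $# -gt 0 ]; then
    check_moduli "$@"
fi
```

A return code of 2 corresponds to the three fallback conditions named in the quoted message.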


