Joseph S Testa II <jtesta@xxxxxxxxxxxxxxxxxxxx> writes:

> On 09/22/2017 03:22 PM, Daniel Kahn Gillmor wrote:
> > On Thu 2017-09-21 18:12:44 -0400, Joseph S Testa II wrote:
> >> I gotta say... having a fallback mechanism here seems pretty
> >> strange. The entire point of the group exchange is to use a dynamic
> >> group and not a static one.
> >
> > fwiw, i think dynamic groups for DHE key exchange is intrinsically
> > problematic when there is any computational expense in validating the
> > quality of the group parameters.
>
> While some may agree with this, the fact remains that the current
> implementation isn't working as expected. I'm interested in
> correcting the behavior.

Hmmm... the OpenSSH 7.5 sources use this method for the fallback:

DH *
dh_new_group_fallback(int max)
{
	debug3("%s: requested max size %d", __func__, max);
	if (max < 3072) {
		debug3("using 2k bit group 14");
		return dh_new_group14();
	} else if (max < 6144) {
		debug3("using 4k bit group 16");
		return dh_new_group16();
	}
	debug3("using 8k bit group 18");
	return dh_new_group18();
}

Group 14 == 2048-bit DH group.
(Group 15 == 3072-bit DH group.)
Group 16 == 4096-bit DH group.
(Group 17 == 6144-bit DH group.)
Group 18 == 8192-bit DH group.

I suppose you want to be more paranoid:

DH *
dh_new_group_fallback(int max)
{
	debug3("%s: requested max size %d", __func__, max);
	if (max <= 2048) {
		debug3("using 2k bit group 14");
		return dh_new_group14();
	} else if (max <= 4096) {
		debug3("using 4k bit group 16");
		return dh_new_group16();
	}
	debug3("using 8k bit group 18");
	return dh_new_group18();
}

If so, you should probably open a bug against the
dh.c::dh_new_group_fallback() function.

-- Mark
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
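
Added example, not part of the original message and not OpenSSH code: it models only the modulus size each of the two dh_new_group_fallback() variants quoted above would select, and prints where they diverge for a range of requested max values. The function names, the count_disagreements() helper and the sample max values are constructed for illustration.

```c
#include <stdio.h>

/* Thresholds of the OpenSSH 7.5 variant quoted in the message. */
static int fallback_bits_current(int max)
{
	if (max < 3072)
		return 2048;	/* group 14 */
	else if (max < 6144)
		return 4096;	/* group 16 */
	return 8192;		/* group 18 */
}

/* Thresholds of the alternative variant suggested in the message. */
static int fallback_bits_proposed(int max)
{
	if (max <= 2048)
		return 2048;	/* group 14 */
	else if (max <= 4096)
		return 4096;	/* group 16 */
	return 8192;		/* group 18 */
}

/* Hypothetical helper: number of max values in [lo, hi] for which
 * the two variants select different groups. */
static int count_disagreements(int lo, int hi)
{
	int n = 0;
	for (int max = lo; max <= hi; max++)
		if (fallback_bits_current(max) != fallback_bits_proposed(max))
			n++;
	return n;
}

int main(void)
{
	/* Constructed sample of client "max" values around each threshold. */
	static const int samples[] = { 2048, 2049, 3071, 3072, 4096,
				       4097, 6143, 6144, 8192 };
	printf("%6s %8s %9s  (* = group larger than max)\n",
	    "max", "current", "proposed");
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		int m = samples[i];
		int c = fallback_bits_current(m), p = fallback_bits_proposed(m);
		printf("%6d %7d%s %8d%s\n", m, c, c > m ? "*" : " ",
		    p, p > m ? "*" : " ");
	}
	printf("differing max values in [1024, 8192]: %d\n",
	    count_disagreements(1024, 8192));
	return 0;
}
```
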