Re: DH Group Exchange Fallback

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 09/24/2017 12:32 PM, Mark D. Baushke wrote:

Please answer this question first:

Q1: If the moduli file is currently empty as in zero entries (apparently
the server has not yet populated it, or the administrator has truncated
the file to zero bytes). The server should do the following:

   a) Do not send the diffie-hellman-group-exchange-sha256 or
      diffie-hellman-group-exchange-sha1 option even if it is
      configured in the sshd_config file, or

   b) Send a DH group that it 'knows about' (be it group14, group16,
      group18, or some other DH group it has on hand)?

Option A. Maybe option C would be to call fatal(), so as to draw the admin's attention immediately. Or perhaps that's too extreme. I don't have a strong opinion between A and C.


In my opinion, if the group exchange is configured in the sshd_config
file (or the default), I personally believe that if there is no entries
at all in the moduli file it should send a pre-defined DH MODP group
when there is no entry at all in the moduli file.

Admins have the option of using pre-defined DH groups already, like "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512", etc. If they want a static group, then they should use those. However, admins that want dynamic groups have a reasonable expectation that "diffie-hellman-group-exchange-sha256" actually uses them. To me, this seems like the entire point of this group.

   - Joe
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux