On Sat, 19 Jan 2019, Yegor Ievlev wrote:
> I'm not sure if collision resistance is required for DH key
> derivation, but generally, SHA-1 is on its way out. If it's possible
> (if there's not a very large percentage of servers that do not support
> anything newer), it should be disabled.

No, SHA1 is used as a PRF for key derivation so collision-resistance is
not needed.

Yes, a large number of devices only support this curve - it's the only
remaining MUST curve from the original RFCs that we enable by default.
It's the last preference on the client, and the KEX isn't subject to MITM
downgrade attacks unless the hostkey signature algorithm is broken, so
keeping it there doesn't affect the security of connections to servers
that support better KEX algorithms.

For these reasons we're keeping it. Feel free to adjust your own configs -
it's easy: "KexAlgorithms=-diffie-hellman-group14-sha1"

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
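Added example, not code from the thread or from OpenSSH: the RFC 4253 section 7.2 key derivation in which the "sha1" of diffie-hellman-group14-sha1 is used as the HASH (a PRF over the secret K and exchange hash H, which is why collision resistance is not what matters), plus the KexAlgorithms "-"/"+" list editing the reply points to. The K, H, session_id values and the preference list are constructed, and `apply_kex_spec` matches exact names only.

```python
import hashlib

# Added example, not from the thread or from OpenSSH. (1) RFC 4253 s7.2 key
# derivation with the negotiated HASH (SHA-1 for group14-sha1); (2) the
# client-config KexAlgorithms '-' / '+' list syntax quoted in the reply.

def mpint(n: int) -> bytes:
    """Encode a non-negative integer as an SSH mpint (RFC 4251 section 5)."""
    if n == 0:
        return b"\x00\x00\x00\x00"
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")  # leading 0x00 keeps sign positive
    return len(body).to_bytes(4, "big") + body

def derive_key(hash_name: str, k: int, h: bytes, letter: bytes, session_id: bytes, need: int) -> bytes:
    """K1 = HASH(K || H || X || session_id); Kn = HASH(K || H || K1 || ... || Kn-1)."""
    prefix = mpint(k) + h
    out = hashlib.new(hash_name, prefix + letter + session_id).digest()
    while len(out) < need:  # extend when the cipher/MAC needs more than one digest
        out += hashlib.new(hash_name, prefix + out).digest()
    return out[:need]

# RFC 4253 section 7.2 assigns one letter per key purpose.
KEY_LETTERS = {"iv_c2s": b"A", "iv_s2c": b"B", "enc_c2s": b"C",
               "enc_s2c": b"D", "mac_c2s": b"E", "mac_s2c": b"F"}

def session_keys(hash_name: str, k: int, h: bytes, session_id: bytes, need: int) -> dict:
    return {name: derive_key(hash_name, k, h, x, session_id, need) for name, x in KEY_LETTERS.items()}

def apply_kex_spec(default: list, spec: str) -> list:
    """'-a,b' removes names from the default list, '+a,b' appends missing ones,
    a bare list replaces it. Exact names only; OpenSSH also accepts wildcards."""
    if spec.startswith("-"):
        drop = set(spec[1:].split(","))
        return [a for a in default if a not in drop]
    if spec.startswith("+"):
        return default + [a for a in spec[1:].split(",") if a not in default]
    return spec.split(",")

if __name__ == "__main__":
    # Constructed sample values; a real K is a 2048-bit group14 shared secret.
    demo = session_keys("sha1", 0xC0FFEE, b"H" * 20, b"S" * 20, 32)
    print({k: v.hex()[:16] for k, v in demo.items()})
    # Illustrative preference list ending with group14-sha1, as the reply describes.
    kex = ["curve25519-sha256", "diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"]
    print(apply_kex_spec(kex, "-diffie-hellman-group14-sha1"))
```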