Re: Can we disable diffie-hellman-group-exchange-sha1 by default?

Hi John,

The short answer is YES.

Jon DeVree <nuxi@xxxxxxxxxxx> writes:

> I ask because the removal of diffie-hellman-group-exchange-sha1 happened
> accidentally in 7.8 due to a mistake in a change to readconf.c. I noticed
> this and filed a bug about it along with a patch to fix readconf.c to use
> KEX_CLIENT_* like it used to:

The diffie-hellman-group-exchange-sha1 is an optional key exchange
method provided by RFC4419 and updated by RFC8270.

Support for it is not required and may (and in my opinion should) be
disabled by default without any impact to the SSHv2 protocol.

The only two Mandatory To Implement (MTI) key exchange methods are those
in RFC3253 (diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1).
Even though they are MTIs, that just means you need to be able to configure
them; there is no mandatory requirement that a given installation enable
them by default.

	Enjoy!
	-- Mark
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
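An added example, not part of the thread and not OpenSSH code: a POSIX shell check that reads the effective KEX list in the format `sshd -T` prints and reports whether diffie-hellman-group-exchange-sha1 is still offered. The samples are constructed, not output from any real host, and the `-` subtractive KexAlgorithms syntax in the comment is assumed to be available on the installation being audited.

```shell
#!/bin/sh
# Audit helper: does the effective sshd KEX list still offer
# diffie-hellman-group-exchange-sha1?  Input is text in the `sshd -T`
# format (one lowercase "keyword value" pair per line).
# Returns 0 if the SHA-1 group-exchange method is offered, 1 otherwise.
sha1_gex_offered() {
    # $1: text in `sshd -T` format
    printf '%s\n' "$1" | awk '
        $1 == "kexalgorithms" {
            n = split($2, a, ",")
            for (i = 1; i <= n; i++)
                if (a[i] == "diffie-hellman-group-exchange-sha1") found = 1
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample (abbreviated) of `sshd -T` output for a host whose
# sshd_config does not restrict KexAlgorithms.
SAMPLE_DEFAULT='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1
ciphers aes256-gcm@openssh.com'

# Constructed sample for the same host after adding this line to
# sshd_config, which removes one method from the default set without
# having to spell out the rest:
#   KexAlgorithms -diffie-hellman-group-exchange-sha1
SAMPLE_HARDENED='port 22
kexalgorithms curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
ciphers aes256-gcm@openssh.com'

# On a real host (as root):  sha1_gex_offered "$(sshd -T)" && echo "still offered"
if sha1_gex_offered "$SAMPLE_DEFAULT"; then echo "default: sha1 GEX offered"; fi
if ! sha1_gex_offered "$SAMPLE_HARDENED"; then echo "hardened: sha1 GEX not offered"; fi
```

The check matches whole method names, so a future method whose name merely contains the string is not misreported.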