As others have mentioned, there is guidance about this in draft-ietf-curdle-ssh-kex-sha2:

https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/

In summary, of these SHA-1 KexAlgorithms:

* diffie-hellman-group1-sha1
* diffie-hellman-group14-sha1
* diffie-hellman-group-exchange-sha1

and these SHA-1 GSSAPIKexAlgorithms:

* gss-gex-sha1-
* gss-group1-sha1-
* gss-group14-sha1-

…if it is necessary to enable one of them for backward compatibility with clients/servers that support only SHA-1 algorithms, then this is the only one that should be enabled:

* diffie-hellman-group14-sha1 (for KexAlgorithms)
* gss-group14-sha1- (for GSSAPIKexAlgorithms)

…because of the three, only group14-sha1 is using a 2048-bit MODP group. So if one must be enabled, it is the least-bad one to enable.

This reasoning was explained in a previous version of the kex draft:

https://tools.ietf.org/id/draft-ietf-curdle-ssh-kex-sha2-11.html

Unfortunately, the explanation in the current version of the draft is arguably less clear.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
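The rule in the message above, as an added example that is not part of the original post or of OpenSSH: a small auditor that reads KexAlgorithms and GSSAPIKexAlgorithms lines and reports each SHA-1 key exchange they enable, marking group14-sha1 as tolerated and the others as rejected. The names `classify` and `audit` and the sample configuration are constructed for illustration; the check covers only algorithms listed explicitly, not the compiled-in defaults that a `+` or `^` list extends.

```python
"""Audit KexAlgorithms / GSSAPIKexAlgorithms lines for SHA-1 key exchange."""

# SHA-1 names from the message. The GSSAPI names are prefixes (note the trailing "-").
SHA1_KEX = {
    "diffie-hellman-group1-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
}
SHA1_GSS_PREFIXES = ("gss-gex-sha1-", "gss-group1-sha1-", "gss-group14-sha1-")
KEYWORDS = ("kexalgorithms", "gssapikexalgorithms")

def classify(name):
    """Return 'ok', 'tolerated' (group14-sha1, 2048-bit MODP) or 'reject'."""
    if name not in SHA1_KEX and not name.startswith(SHA1_GSS_PREFIXES):
        return "ok"
    if name == "diffie-hellman-group14-sha1" or name.startswith("gss-group14-sha1-"):
        return "tolerated"
    return "reject"

def audit(config_text):
    """Return (lineno, keyword, algorithm, verdict) for each SHA-1 kex a config enables."""
    findings = []
    for lineno, raw in enumerate(config_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()            # drop comments
        parts = line.replace("=", " ", 1).split(None, 1)  # "key value" or "key=value"
        if len(parts) != 2 or parts[0].lower() not in KEYWORDS:
            continue
        keyword, value = parts[0], parts[1].strip()
        # KexAlgorithms prefixes: "+" appends to and "^" prepends to the defaults,
        # "-" removes the listed names, so a "-" list enables nothing.
        if keyword.lower() == "kexalgorithms" and value[0] in "+-^":
            if value[0] == "-":
                continue
            value = value[1:]
        for name in (n.strip() for n in value.split(",")):
            if name and classify(name) != "ok":
                findings.append((lineno, keyword, name, classify(name)))
    return findings

# Constructed sample lines (not from a real host); each line is audited on its own.
SAMPLE = """\
# legacy interop settings
KexAlgorithms +diffie-hellman-group1-sha1,diffie-hellman-group14-sha1
GSSAPIKexAlgorithms gss-group14-sha1-,gss-gex-sha1-,gss-curve25519-sha256-
KexAlgorithms -diffie-hellman-group-exchange-sha1
"""

if __name__ == "__main__":
    for lineno, keyword, name, verdict in audit(SAMPLE):
        print(f"line {lineno}: {keyword} enables {name}: {verdict}")
```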