On Wed, 10 Mar 2021, James Ralston wrote:

> As others have mentioned, there is guidance about this in
> draft-ietf-curdle-ssh-kex-sha2:
>
> https://datatracker.ietf.org/doc/draft-ietf-curdle-ssh-kex-sha2/
>
> In summary, of these SHA-1 KexAlgorithms:
>
> * diffie-hellman-group1-sha1
> * diffie-hellman-group14-sha1
> * diffie-hellman-group-exchange-sha1
>
> (none of these are enabled by default in OpenSSH)
>
> and these SHA-1 GSSAPIKexAlgorithms:
>
> * gss-gex-sha1-
> * gss-group1-sha1-
> * gss-group14-sha1-
>
> (these are added by a popular third-party patch to OpenSSH)
>
> …if it is necessary to enable one of them for backward compatibility
> with clients/servers that support only SHA-1 algorithms, then this is
> the only one that should be enabled:
>
> * diffie-hellman-group14-sha1 (for KexAlgorithms)
> * gss-group14-sha1- (for GSSAPIKexAlgorithms)

Disagree. diffie-hellman-group-exchange-sha1 will use a bigger/better
MODP group than group14. If I had to enable one then that would be it.

As an aside, I don't think there is honestly any concern about using
SHA1 in the key exchange hash - collisions there don't matter as the
hash is used solely as a PRF and the input to hashing is not under
either party's sole control.

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
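An added audit helper, not code from this thread or from OpenSSH itself: it resolves a `KexAlgorithms` value using OpenSSH's `+` / `^` / `-` list-modifier syntax against a constructed stand-in for the default list and reports which of the SHA-1 methods named in the thread the resulting list would actually offer. The default list, the sample config values and the name `sha1_kex_enabled` are assumptions; on a real host take the defaults from `sshd -T` or `ssh -Q kex`.

```python
"""Resolve an OpenSSH KexAlgorithms value and report which SHA-1 methods it enables."""
from fnmatch import fnmatchcase

# Constructed stand-in for a modern OpenSSH default KexAlgorithms list (assumption:
# on a real host, read the effective defaults from `sshd -T` or `ssh -Q kex`).
DEFAULT_KEX = [
    "curve25519-sha256", "curve25519-sha256@libssh.org",
    "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    "diffie-hellman-group-exchange-sha256", "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512", "diffie-hellman-group14-sha256",
]

# The SHA-1 methods named in the thread (KexAlgorithms plus the GSSAPI patch's
# GSSAPIKexAlgorithms); group1 is the 1024-bit MODP group.
SHA1_KEX = {
    "diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1",
    "diffie-hellman-group-exchange-sha1",
    "gss-gex-sha1-", "gss-group1-sha1-", "gss-group14-sha1-",
}

def _split(value):
    return [a for a in value.split(",") if a]

def effective_kex(directive, defaults=DEFAULT_KEX):
    """Apply OpenSSH's list-modifier syntax: '+' appends to the defaults, '^' prepends
    to them, '-' removes matching entries (wildcards allowed); any other value
    replaces the list outright. Simplification (assumption): names are not checked
    against the binary's supported set, and duplicates are dropped."""
    value = directive.strip()
    if value.startswith("+"):
        extra = [a for a in _split(value[1:]) if a not in defaults]
        return list(defaults) + extra
    if value.startswith("^"):
        extra = _split(value[1:])
        return extra + [a for a in defaults if a not in extra]
    if value.startswith("-"):
        patterns = _split(value[1:])
        return [a for a in defaults if not any(fnmatchcase(a, p) for p in patterns)]
    return _split(value)

def sha1_kex_enabled(directive, defaults=DEFAULT_KEX):
    """Return the SHA-1 key exchange methods the effective list would offer, in order."""
    return [a for a in effective_kex(directive, defaults) if a in SHA1_KEX]

if __name__ == "__main__":
    # Constructed sshd_config values: one appends only the group-exchange method the
    # reply prefers; the other replaces the whole list and drags in group1 as well.
    for value in ("+diffie-hellman-group-exchange-sha1",
                  "curve25519-sha256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1"):
        print(f"KexAlgorithms {value}\n  SHA-1 methods offered: {sha1_kex_enabled(value) or 'none'}")
```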