On 2024-09-23 05:56, Dmitry Belyavskiy wrote:
> Hello,
>
> On Sun, Sep 22, 2024 at 10:15 AM Kurt Fitzner via openssh-unix-dev
> <openssh-unix-dev@xxxxxxxxxxx> wrote:
>> I would like to advocate for:
>> - Change behaviour of the server to allow server operators to set the
>> minimum modulus group size allowable for a connection using
>> diffie-hellman-group-exchange-sha256
>>
>> Whether this is by having the server refuse to allow smaller moduli to
>> be used than exist in ModuliFile, or another explicit configuration
>> setting is added, it doesn't matter
>
> I strongly support this requirement. We have a similar one for RSA and
> having an explicit setting for DH would be great.
This is almost as significant as logjam was to begin with, and I have to
say I'm dismayed that there is no way to prevent connections at insecure
group sizes with the server using default canned primes that have been
long exposed to pre-calculations.
I'm not convinced that MITM can't force a lower "maximum" group size on
a connection, which basically means this IS logjam.
I have disabled diffie-hellman-group-exchange-sha256 on all servers as
insecure and would like clarification from OpenSSH devs. There needs to
at least be a statement issued somewhere warning people that removing
small primes from /etc/ssh/moduli has no effect on the minimum size the
server will issue, and that this is actually a worse option as this will
cause the server to use canned primes.
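The following is an added audit helper, not code from this thread or from OpenSSH. It parses lines in the moduli(5) format (time, type, tests, trials, size, generator, modulus), reports the smallest safe prime a moduli file can supply and which entries sit below an operator's policy threshold, and models group selection for diffie-hellman-group-exchange in simplified form. The selection model (candidates within the client's [min, max], preferring the smallest size at or above the requested bits, otherwise the largest available) and the sample moduli text are assumptions constructed for the example; the sample moduli are filler values of the right bit length, not primes. The model returns None when the file has nothing in range, which is exactly the case the message above describes: trimming the file does not raise the server's minimum, it only moves the server onto its built-in groups.

```python
"""Audit moduli(5)-format entries against a minimum DH group size.

Added example for the openssh-unix-dev thread; not OpenSSH code.
"""
import random
from dataclasses import dataclass

SAFE_PRIME = 2       # moduli(5) "type" field value for a safe prime
MILLER_RABIN = 0x04  # moduli(5) "tests" bit: passed Miller-Rabin


@dataclass(frozen=True)
class Modulus:
    size: int       # bit length of the modulus (file's "size" field is bits - 1)
    type_: int
    tests: int
    generator: int
    modulus: int


def parse_moduli(text):
    """Parse moduli(5) lines: time type tests trials size generator modulus."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"malformed moduli line: {line!r}")
        _time, type_, tests, _trials, size, gen, mod = fields
        mod_int = int(mod, 16)
        if mod_int.bit_length() != int(size) + 1:
            raise ValueError(f"size field {size} does not match modulus length")
        entries.append(Modulus(mod_int.bit_length(), int(type_), int(tests),
                               int(gen, 16), mod_int))
    return entries


def usable(m):
    """Only safe primes that passed Miller-Rabin are candidates for serving."""
    return m.type_ == SAFE_PRIME and bool(m.tests & MILLER_RABIN)


def smallest_group(entries):
    """Smallest group (in bits) the file itself can hand to a client."""
    sizes = [m.size for m in entries if usable(m)]
    return min(sizes) if sizes else None


def below_policy(entries, min_bits):
    """Sizes of usable entries below an operator's minimum, ascending."""
    return sorted(m.size for m in entries if usable(m) and m.size < min_bits)


def choose_group(entries, client_min, client_nbits, client_max, rng=random):
    """Simplified selection model (assumption, not OpenSSH's exact code).

    Candidates are usable entries within [client_min, client_max]; prefer the
    smallest size >= client_nbits, else the largest candidate; ties at random.
    Returns None when the file offers nothing in range, the case where a real
    server falls back to built-in groups rather than refusing the client.
    """
    cands = [m for m in entries
             if usable(m) and client_min <= m.size <= client_max]
    if not cands:
        return None
    at_least = [m.size for m in cands if m.size >= client_nbits]
    best = min(at_least) if at_least else max(m.size for m in cands)
    return rng.choice([m for m in cands if m.size == best])


def _filler_modulus(bits):
    # Constructed filler with the requested bit length; NOT a prime.
    return "F" + "A" * (bits // 4 - 1)


# Constructed sample in moduli(5) format (tests=6 -> sieve + Miller-Rabin).
SAMPLE_MODULI = "\n".join([
    "# constructed sample; moduli are filler values, not primes",
    f"20240101000000 2 6 100 1023 2 {_filler_modulus(1024)}",
    f"20240101000000 2 6 100 1535 2 {_filler_modulus(1536)}",
    f"20240101000000 2 6 100 2047 2 {_filler_modulus(2048)}",
    f"20240101000000 2 6 100 3071 2 {_filler_modulus(3072)}",
    f"20240101000000 2 6 100 4095 5 {_filler_modulus(4096)}",
])


def trimmed(entries, min_bits):
    """The file as it would look after removing entries below min_bits."""
    return [m for m in entries if m.size >= min_bits]


if __name__ == "__main__":
    entries = parse_moduli(SAMPLE_MODULI)
    print("smallest group in file:", smallest_group(entries))
    print("entries below 2048-bit policy:", below_policy(entries, 2048))
    pick = choose_group(trimmed(entries, 2048), 1024, 1024, 1536)
    print("client asking 1024..1536 against trimmed file ->",
          "no entry in range; server would fall back" if pick is None else pick.size)
```

Run stand-alone it reports the file's floor and shows that after trimming the file, a client range that excludes everything left yields no match from the file at all, which is why removing small primes from /etc/ssh/moduli is not a substitute for an explicit minimum-size setting in sshd.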
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev