https://bugzilla.mindrot.org/show_bug.cgi?id=2302
Christoph Anton Mitterer <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|WONTFIX                     |---
             Status|RESOLVED                    |REOPENED

--- Comment #2 from Christoph Anton Mitterer <[email protected]> ---
Hi Damien.

Reopening this for now because (see below):

(In reply to Damien Miller from comment #1)
> It isn't falling back to a deselected KEX method, it's using a
> fallback DH group that is completely compliant with the DHGEX method.

Okay,.. I see,... you're right.
Just checked that and with the server only offering
diffie-hellman-group-exchange-sha256 and /etc/ssh/moduli being empty, a client
can't connect with diffie-hellman-group1-sha1 or diffie-hellman-group14-sha1,
but can connect with an implicit 2048 bit group with
diffie-hellman-group-exchange-sha256.

But this is just something OpenSSH specific, right? Nothing which would come
from the RFC.

> IMO the use of the fallback group is preferable to simply failing.

Why?...
- This "failing" isn't much different from when the admin would simply disable
  all KexMethods... if he empties his /etc/moduli file, he basically
  intentionally disables DH-GEX

Apart from that, only OpenSSH-to-OpenSSH would benefit from this, since AFAICS,
there is no standardised fallback group in DH-GEX.

Further, to get the idea behind such a fallback working (i.e. compatibility and
connections-always working) it means that OpenSSH must keep that group
basically forever (to allow interoperability)... which OTOH prevents replacing
"ageing" groups when their size is no longer considered enough for security.

=> so I still think, not falling back would be better, since this seems to be
the logical effect one would expect from emptying /etc/ssh/moduli

But if you really insist on keeping this behaviour, could you then please do
the following:
- It makes it at least ambiguous in how things work since this behaviour is not
  documented (i.e. people may think empty moduli file means no group can be
  found/used for DH_GEX and therefore disables it).
  => so could this information be added to moduli(5) manpage?
- Replace the 2048b group that is used by something stronger? Looking at the
  ECRYPT II recommendations... 2048 is not really enough for longer terms.
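
An audit check for the situation discussed in this comment, added here as an example; it is not part of the bug report or of OpenSSH. The function name `moduli_status`, its output strings and the default minimum of 2048 bits are assumptions made for the example. It reports `no-groups` when a moduli file holds no entries, which per the test described above is the case where diffie-hellman-group-exchange-sha256 still succeeds with the built-in 2048 bit group.

```shell
#!/bin/sh
# Added example: classify an sshd moduli file for audit purposes.
# Field layout per moduli(5): time type tests tries size generator modulus.
# Simplification (assumption): only the field count and the size field are
# checked here, not the type/tests values that sshd also evaluates.
#
# Usage: moduli_status /etc/ssh/moduli 3072

moduli_status() {
    file=$1
    min_bits=${2:-2048}      # hypothetical default threshold for this example

    if [ ! -r "$file" ]; then
        echo "unreadable"
        return 0
    fi

    awk -v min="$min_bits" '
        /^[ \t]*(#|$)/ { next }        # skip comment and blank lines
        NF != 7 { bad++; next }        # not a seven-field moduli entry
        {
            bits = $5 + 1              # size field is one less than the group size
            total++
            if (bits >= min) ok++
        }
        END {
            if (total == 0)
                # No entries: DH-GEX is not disabled, the fallback group applies.
                print "no-groups"
            else
                printf "groups=%d at-or-above-%d=%d malformed=%d\n", total, min, ok, bad
        }
    ' "$file"
}
```

A `no-groups` result on a host that still offers diffie-hellman-group-exchange-sha256 should be treated as "fallback group in use", not as "DH-GEX off".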
