bugzilla-daemon at mindrot.org
2004-Jan-30 04:39 UTC
[Bug 769] dh-group-exchange should be configurable off in client and server
http://bugzilla.mindrot.org/show_bug.cgi?id=769

dtucker at zip.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Additional Comments From dtucker at zip.com.au 2004-01-29 21:39 -------
The new moduli file has now been added to OpenSSH (+OpenBSD) too, so snapshots and the next release will have it.

Note that if you're upgrading, in most cases moduli will not be replaced by an upgrade, so you'll have to do it yourself.

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2004-Feb-02 12:01 UTC
[Bug 769] dh-group-exchange should be configurable off in client and server
http://bugzilla.mindrot.org/show_bug.cgi?id=769

------- Additional Comments From jacobn+mindrot at chiark.greenend.org.uk 2004-02-02 05:01 -------
Still haven't had a chance to try this patch, sorry...

While the speedups are welcome, and do a lot to address my original beef - thanks for them - no-one has yet discussed the issue as raised ("dh-group-exchange should be configurable off in client and server" as recommended by the IETF documents).

What I'm really after is some sort of statement on the configurability issue - is OpenSSH actively against it (why?), or do you consider it a low-priority wishlist feature, or what?

I can change the title of this bug to cover just the performance improvements, and move this discussion to a new bug, if you want.
bugzilla-daemon at mindrot.org
2004-Feb-02 16:11 UTC
[Bug 769] dh-group-exchange should be configurable off in client and server
http://bugzilla.mindrot.org/show_bug.cgi?id=769

------- Additional Comments From mouring at eviladmin.org 2004-02-02 09:11 -------
[..]
> What I'm really after is some sort of statement on the
> configurability issue - is OpenSSH actively against it (why?),
> or do you consider it a low-priority wishlist feature, or what?

I'm actively against it. The more options you give a user the more of a chance they will decide to use or not use it based on lack of, or bad, information.

Honestly, if you know a machine is underpowered and can't handle this then it is not hard to mv /etc/moduli /etc/moduli.dead, and be done with it. If it is going to be an issue for the sshd server running on the old machine it will be an issue for the ssh client running on the same machine.

- Ben
bugzilla-daemon at mindrot.org
2004-Feb-03 13:03 UTC
[Bug 769] dh-group-exchange should be configurable off in client and server
http://bugzilla.mindrot.org/show_bug.cgi?id=769

------- Additional Comments From jacobn+mindrot at chiark.greenend.org.uk 2004-02-03 06:03 -------
Created an attachment (id=538)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=538&action=view)
Patch to /etc/moduli description in sshd(8)

Added one sentence to make it clearer that removing /etc/moduli will disable DH group exchange.
bugzilla-daemon at mindrot.org
2004-Feb-03 13:04 UTC
[Bug 769] dh-group-exchange should be configurable off in client and server
http://bugzilla.mindrot.org/show_bug.cgi?id=769

------- Additional Comments From jacobn+mindrot at chiark.greenend.org.uk 2004-02-03 06:04 -------
Ben, thanks for replying. I can see that view.

I suggest a one-line change to the sshd(8) man page (attached) which would have made it more obvious to me how to disable this feature. (I still think this is worth doing, as it allows a clueful admin to engineer a better situation on an underpowered server than would arise if users switch back to SSH-1.)
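
An added example, not part of the bug thread or of OpenSSH: a Python check an admin could run after an upgrade, or after renaming the file as described in the thread, to see whether the moduli file is present, when it was last modified, and which modulus bit lengths it offers. It assumes the seven-field moduli(5) line layout; the sample entries are constructed (not real primes) and the function names are hypothetical.

```python
import os
import time
from collections import Counter

# Constructed sample in the assumed moduli(5) layout:
#   time type tests trials size generator(hex) modulus(hex)
# The moduli are short made-up hex strings, not real primes.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20040101000000 2 6 100 15 2 F3B7
20040101000001 2 6 100 15 5 C9A3
20040101000002 2 6 100 23 2 E1D4A7
this line is damaged
"""

def summarize(text):
    """Return ({bit_length: count}, [line numbers that failed to parse])."""
    sizes, bad = Counter(), []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no group
        fields = line.split()
        try:
            if len(fields) != 7:
                raise ValueError("expected 7 fields")
            int(fields[5], 16)              # generator must be valid hex
            modulus = int(fields[6], 16)
        except ValueError:
            bad.append(lineno)
            continue
        # Measure the modulus itself instead of trusting the size column.
        sizes[modulus.bit_length()] += 1
    return dict(sizes), bad

def check_moduli_file(path="/etc/moduli"):
    """Report on a moduli file; the default path is the one named in the thread."""
    if not os.path.exists(path):
        return {"status": "missing"}
    with open(path) as fh:
        sizes, bad = summarize(fh.read())
    stamp = time.strftime("%Y-%m-%d", time.gmtime(os.path.getmtime(path)))
    status = "present" if sizes else "no usable entries"
    return {"status": status, "modified": stamp, "sizes": sizes, "bad_lines": bad}

if __name__ == "__main__":
    print(summarize(SAMPLE_MODULI))
    print(check_moduli_file())
```

A "modified" date that predates the upgrade indicates the old moduli file was left in place.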