On Wed, Mar 10, 2021 at 7:43 PM Damien Miller <djm at mindrot.org> wrote:
> On Wed, 10 Mar 2021, James Ralston wrote:
>
> > …if it is necessary to enable one of them for backward
> > compatibility with clients/servers that support only SHA-1
> > algorithms, then this is the only one that should be enabled:
> >
> > * diffie-hellman-group14-sha1 (for KexAlgorithms)
> > * gss-group14-sha1- (for GSSAPIKexAlgorithms)
>
> Disagree. diffie-hellman-group-exchange-sha1 will use a
> bigger/better MODP group than group14. If I had to enable one then
> that would be it.
Is this guaranteed to be true even if /etc/ssh/moduli contains small
primes (e.g. 1023 bits)?
For example, RHEL7 ships OpenSSH 7.4, which contains:
$ head -7 /etc/ssh/moduli | cut -c1-70
# $OpenBSD: moduli,v 1.18 2016/08/11 01:42:11 dtucker Exp $
# Time Type Tests Tries Size Generator Modulus
20150520233853 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92
20150520233854 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92
20150520233854 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92
20150520233855 2 6 100 1023 5 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92
20150520233856 2 6 100 1023 2 DB662973FB21C0B7BF21AB46AFD3E2002AE70C92
If we enable diffie-hellman-group-exchange-sha1, our InfoSec guys tell
us that our RHEL7 hosts all hit on:
https://www.tenable.com/plugins/nessus/86328
In contrast, group14 guarantees that the MODP group won't be less than
2048.
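A quick way to check the concern raised above (whether a host's /etc/ssh/moduli still offers small groups) is to audit the Size column of that file. The following is an added example, not code from this thread or from OpenSSH; it assumes the stock moduli layout shown in the listing above and uses a constructed sample file with truncated modulus values. Note that the Size column records one bit less than the nominal group size (the listing above shows 1023 for the 1024-bit groups), so "below 2048-bit" means a Size under 2047.

```shell
#!/bin/sh
# Audit helpers for /etc/ssh/moduli (added example, assumed layout:
# Time Type Tests Tries Size Generator Modulus; '#' lines are comments).

# Constructed sample in the same layout; modulus values are truncated
# placeholders, not real primes.
SAMPLE_MODULI=$(cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150520233853 2 6 100 1023 5 DB662973FB21C0B7
20150520233854 2 6 100 2047 2 C0B7BF21AB46AFD3
20150520233855 2 6 100 3071 5 E2002AE70C92DB66
EOF
)

# count_small_moduli FILE MIN_SIZE -> number of entries whose Size column
# is below MIN_SIZE (pass 2047 to flag anything under a 2048-bit group).
count_small_moduli() {
    awk -v min="$2" '!/^#/ && NF >= 7 && $5+0 < min { n++ } END { print n+0 }' "$1"
}

# min_modulus_bits FILE -> smallest Size value present in the file.
min_modulus_bits() {
    awk '!/^#/ && NF >= 7 { if (m == "" || $5+0 < m) m = $5+0 } END { print m }' "$1"
}

# filter_moduli FILE MIN_SIZE -> copy of FILE keeping comments and only
# entries whose Size is at least MIN_SIZE (the usual remediation is to
# write this to a new file and install it as /etc/ssh/moduli).
filter_moduli() {
    awk -v min="$2" '/^#/ || (NF >= 7 && $5+0 >= min)' "$1"
}

# Demonstration on the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_MODULI" > "$tmp"
echo "smallest group size in file: $(min_modulus_bits "$tmp")"
echo "entries below 2048 bits: $(count_small_moduli "$tmp" 2047)"
echo "entries kept at >= 2048 bits: $(filter_moduli "$tmp" 2047 | grep -vc '^#')"
rm -f "$tmp"
```

On a real host, run the same functions against /etc/ssh/moduli; a non-zero count from count_small_moduli is exactly what the group-exchange scanner finding above keys on.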