similar to: primes

In message <Pine.LNX.4.30.0104031615270.8678-100000 at holly.crl.go.jp>, Tom Holro yd writes: >SRP has different requirements from Diffie-Hellman. In particular, >for SRP the generator must be primitive. It turns out that the "primes" >file contains only safe primes with primitive generators, and is thus >ideal for SRP, but so far in OpenSSH it has only been used for

> Can this be addressed in ssh_config/sshd_config with the KexAlgorithms setting? weakdh.org/sysadmin.html recommends adding: KexAlgorithms curve25519-sha256 at libssh.org But this thread makes it sound as if it's not necessary. Can anyone confirm? Personally I'm on openssh-6.7. - Grant > You will be aware of https://weakdh.org/ by now, I presume; the take-home seems to be

On Fri, May 22, 2015 at 12:27:01, Darren Tucker <dtucker at zip.com.au> wrote: > Note that PuTTY does do Diffie-Hellman Group Exchange, but until very > recently (ie after their 0.64 release) they didn't do the one that was > actually standardized in RFC4419. OpenSSH recently removed support for > that non-standard one and as a result we don't offer DHGEX to PuTTY >

I ran into a problem where systems without DNS entries could not connect to the rsync server with the IPV6 patch applied. Here is a fix to the problem. Basically they were checking the list of IP addresses returned by getaddr even if getaddr failed. I just changed it so they only check the list of IP addresses if getaddr succeeds. Any comments on this please email me directly because I do not

Hi, You will be aware of https://weakdh.org/ by now, I presume; the take-home seems to be that 1024-bit DH primes might well be too weak. I'm wondering what (if anything!) you propose to do about this issue, and what Debian might do for our users? openssh already prefers ECDH, which must reduce the impact somewhat, although the main Windows client (PuTTY) doesn't support ECDH yet. But

A few questions regarding the OpenSSH support for the Diffie Hellman key exchange algorithms: (1) Are the diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1" , "diffie-hellman-group14-sha1" "diffie-hellman-group1-sha1" (as defined in RFCs 4253 and RFC 4419) the complete list of key exchange algorithms supported by OpenSSH? (2) Is there a

I'm not nearly knowledgeable enough in crypto to fully understand your answer, but I will try. I wonder why moduli are not automatically generated the first time sshd is started though. That would make much more sense than shipping a default moduli file but also asking everyone to replace it with their own. On Fri, Feb 15, 2019 at 5:50 AM Mark D. Baushke <mdb at juniper.net> wrote: >

On Mon, Oct 19, 2015 at 11:28:04AM +0200, Florent B wrote: > Have you read this article from ars technica ? > > http://arstechnica.com/security/2015/10/how-the-nsa-can-break-trillions-of-encrypted-web-and-vpn-connections/ Yes. > What I understand is that 1024-bits Diffie-Hellman keys are broken by NSA. More precisely, they can spend a lot of effort to break Diffie-Hellman for a

Hello everyone.. I am fairly new to the patching format.. so I just decided to post a basic info about how to remove group1 and group14 diffie key exchange in OpenSSH. I know that they are listed as required in RFC 4253 but I don't want a client to have the choice to use a 1024 bit prime for the key exchange. If someone is getting into my system.. they should upgrade to a new client. I am a

Hello all In a recent spate of paranoia we set our server (SuSE Linux 7.0, kernel 2.2.16) to use SSH version 2 and not SSH1. With openssh 2.3.0p1-5 running as client and server, we find that stdout output is occasionally dropped: ssh server echo "JJJ" usually emits JJJ, but sometimes returns nothing -- although the command is apparently performed. In the happy case the server logs

https://bugzilla.mindrot.org/show_bug.cgi?id=2559 Bug ID: 2559 Summary: Warnings from reading moduli file, refer to primes file Product: Portable OpenSSH Version: 7.2p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: sshd

Currently, dovecot generates two primes for Diffie-Hellman key exchanges: a 512-bit one and a 1024-bit one. In light of recent events, I think it would be wise to add support for 2048-bit primes as well, or even better, add a configuration option that lets the user select a file (or files) containing the DH parameters In recent years, there has been increased interest in DH especially in its

On Wed 2015-05-27 05:23:41 -0400, Hubert Kario wrote: > On Tuesday 26 May 2015 15:10:01 Daniel Kahn Gillmor wrote: >> On Tue 2015-05-26 14:02:07 -0400, Hubert Kario wrote: >> > OEIS A014233 >> >> Hm, this is a sequence, but not an algorithm. It looks to me like it is >> not exhaustive, just a list of those integers which are known to have >> the stated

https://bugzilla.mindrot.org/show_bug.cgi?id=1540 Summary: Incorrect hash in SSH_MSG_KEX_DH_GEX_REPLY Product: Portable OpenSSH Version: 5.1p1 Platform: Other OS/Version: Linux Status: NEW Severity: normal Priority: P2 Component: sshd AssignedTo: unassigned-bugs at mindrot.org ReportedBy:

On Fri, Jan 26, 2024 at 7:24?PM Jochen Bern <Jochen.Bern at binect.de> wrote: > On 25.01.24 14:09, Kaushal Shriyan wrote: > > I am running the below servers on Red Hat Enterprise Linux release 8.7 > > How do I enable strong KexAlgorithms, Ciphers and MACs > > On RHEL 8, you need to be aware that there are "crypto policies" > modifying sshd's behaviour,

This is regarding openssh 2.3.0p1 (the following problem was seen on Linux client / server): I have a problem with openssh when i don't "login": ie. i do the following: ssh -2 10.1.6.13 echo 0 It doesn't print the "0". However, i can get it to print the "0" by doing the following: ssh -2 10.1.6.13 echo 0 \; sleep 1 using "ssh -2 10.1.6.13"

Hi. So I have been having problems using scp to copy files between two of my machines, both of which are running OpenSSH 2.30p1 (though I've had the same problem with previous versions). It is basically as simple as the file not being transferred after authentication occurs. I can however use scp to copy files back and forth from another machine using a SSH Communications version

On Fri, Apr 13, 2018 at 11:53:31AM -0700, Jonathan Helman wrote: > > > On 04/13/2018 06:44 AM, Michael S. Tsirkin wrote: > > Jason Wang points out that it's vary hard for users to build an array of > > s/vary/very > > > stat names. The naive thing is to use VIRTIO_BALLOON_S_NR but that > > breaks if we add more stats. > > > > Let's add

On 2018?04?12? 08:24, Jonathan Helman wrote: > > > On 04/10/2018 08:12 PM, Jason Wang wrote: >> >> >> On 2018?04?10? 05:11, Jonathan Helman wrote: >>> >>> >>> On 03/22/2018 07:38 PM, Jason Wang wrote: >>>> >>>> >>>> On 2018?03?22? 11:10, Michael S. Tsirkin wrote: >>>>> On Thu, Mar 22, 2018 at

On Fri, Apr 13, 2018 at 10:10:57AM -0700, Jonathan Helman wrote: > > > On 04/13/2018 06:44 AM, Michael S. Tsirkin wrote: > > On Fri, Apr 13, 2018 at 03:01:11PM +0800, Jason Wang wrote: > > > > > > > > > On 2018?04?12? 08:24, Jonathan Helman wrote: > > > > > > > > > > > > On 04/10/2018 08:12 PM, Jason Wang wrote: