Bug#774711: openssh: OpenSSH should have stronger ciphers selected at least on the server side.
Jens Thiele <karme@karme.de> writes:
> see also:
> https://www.weakdh.org/
A few thoughts (my colleague David McBride was helpful here):
i) plausibly-new openssh (>=5.7) support and prefer ECDH, which I
believe to be unaffected by this issue. The commonest Windows client
(PuTTY), however, doesn't support this yet.
ii) I think it would be sensible to remove weaker moduli from
/etc/ssh/moduli. The current size distribution:

  bits  count
  1023     36
  1535     32
  2047     28
  3071     26
  4095     31
  6143     20
  8191      6

A colleague reports that generating new 2047-bit moduli takes a few
minutes, and that the time taken scales non-linearly with length (~90
minutes for 4095, ~40 hours for 8191). So I'm not sure if we should
make some newer larger moduli and start shipping them, and/or start
generating some at install time; the latter feels too invasive to me.
iii) it's less clear what to do about the weaker KexAlgorithms -
diffie-hellman-group1-sha1 uses Oakley Group 2 (1024 bits) and
diffie-hellman-group14-sha1 uses Oakley Group 14 (2048 bits); RFC4253
says that implementations MUST support these, and I don't know what
clients might break if we were to stop doing so.
I'd be interested to hear the opinions of the other openssh
maintainers, and perhaps we should ask upstream for their views (I've
not seen anything on the upstream dev list as yet).
Regards,
Matthew
--
"At least you know where you are with Microsoft."
"True. I just wish I'd brought a paddle."
http://www.debian.org
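
The moduli audit and pruning from item ii) above, as an added example that is not part of the original message or of the openssh package. It assumes the moduli(5) column layout, in which the fifth field is the size value tabulated in the message (1023, 2047, ...); the function names and the sample file are constructed for illustration.

```shell
#!/bin/sh
# Audit and filter an OpenSSH moduli file by modulus size.
# moduli(5) columns: time type tests trials size generator modulus

# Print "size count" for every modulus size present in the file.
moduli_distribution() {
    awk '!/^#/ && NF >= 7 { n[$5]++ } END { for (s in n) print s, n[s] }' "$1" |
        sort -n
}

# Print only entries whose size field is >= the given minimum.
# Comment lines are kept so the header survives the filter.
moduli_filter() {
    awk -v min="$2" '/^#/ || (NF >= 7 && $5 + 0 >= min + 0)' "$1"
}

# Constructed sample: the modulus column holds short placeholders,
# not real primes, so this file is only good for testing the filter.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150101000000 2 6 100 1023 2 AAAA
20150101000001 2 6 100 1023 5 BBBB
20150101000002 2 6 100 1535 2 CCCC
20150101000003 2 6 100 2047 2 DDDD
20150101000004 2 6 100 4095 5 EEEE
EOF

echo "before:"
moduli_distribution "$sample"

# Keep 2047 and larger, dropping the 1023 and 1535 entries.
filtered=$(mktemp)
moduli_filter "$sample" 2047 > "$filtered"

echo "after (size >= 2047):"
moduli_distribution "$filtered"
```

On a real system, run the two functions against a copy of /etc/ssh/moduli and check that the filtered file still contains entries before installing it.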