--- Begin Message ---
- To: Grant <emailgrant@gmail.com>
- Cc: Scott Neugroschl <scott_n@xypro.com>, "openssh-unix-dev\@mindrot.org" <openssh-unix-dev@mindrot.org>, Matthew Vernon <matthew@debian.org>
- Subject: Re: Weak DH primes and openssh
- From: Darren Tucker <dtucker@zip.com.au>
- Date: Thu, 28 May 2015 10:14:07 +1000
- Message-id: <CALDDTe1aXCghjDpReQG56tHig50ebHt+JaJ__=CKHnF+ajFF2g@mail.gmail.com>
- In-reply-to: <CALDDTe0EvB7nJy62882KKgw1XbwC8e=T4v4vXS50C3Lu7P-1Gg@mail.gmail.com>
- References: <555DDD09.3090606@debian.org> <D358E5B1511A314F8160ADC6F375498706A0D0CE@XYSVEX02.XYPRO-23.LOCAL> <CAN0CFw2tz=DH9PLOxT_GNu3v9-d-bZgx9FPx0bS5Ksm9UC86pg@mail.gmail.com> <CALDDTe0EvB7nJy62882KKgw1XbwC8e=T4v4vXS50C3Lu7P-1Gg@mail.gmail.com>
On Sun, May 24, 2015 at 9:20 AM, Darren Tucker <dtucker@zip.com.au> wrote:
> [...]
> The other possible action that IMO would be reasonable but is not listed:
> remove all of the 1kbit and 1.5kbit groups
>
After some consideration we have decided to remove[1] the 1k bit groups
from the moduli file. Vendors may want to consider doing this even for
older versions of OpenSSH (either by importing the new file, or by removing
them from the existing file) as it will result in stronger groups being
used for diffie-hellman-group-exchange-sha{1,256} transparently even if the
client prefers 1k bit groups (eg PuTTY and derivatives when using 128bit
ciphers).
[1]
https://anongit.mindrot.org/openssh.git/commit/?id=5ab7d5fa03ad55bc438fab45dfb3aeb30a3c237a
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
--- End Message ---