
Bug#787037: openssh-client: remove 1Kbit DH groups from /etc/ssh/moduli



Hi Matthew--

On Thu 2015-05-28 08:30:30 -0400, Matthew Vernon wrote:
> Daniel Kahn Gillmor <dkg@fifthhorseman.net> writes:
>
>> Upstream is removing 1Kbit DH groups from /etc/ssh/moduli (see attached
>> message).  Debian should do the same (possibly backporting the fix to
>> earlier releases as well), to reduce the likelihood that clients of
>> debian ssh servers get stuck using a widely-used group that is weaker
>> than we'd like.
>
> I've been following the discussion upstream; but we did already have a
> bug where weak-DH was being discussed - #774711. Do we need this one
> too? 

Sorry, I was unaware of 774711.  That bug seems to cover several
different changes, while 787037 just asks for one specific change.

774711 also asks for significantly more radical changes to
/etc/ssh/moduli than I was asking for here.  Certainly, if you resolve
774711 by adopting all the changes asked for there, you can close
787037.

So if you want to merge them together, I have no objection.

But if you'd rather separate out the changes (handling the weakdh here,
and just the cipher configuration and default secret key size changes on
787037), that's fine with me too.

Regards,

          --dkg
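
An added example, not part of this thread and not code from OpenSSH or Debian: a shell audit that counts and filters out groups below a minimum size in a moduli file. It assumes the moduli(5) layout (field 5 is the size, which ssh-keygen-generated files record as 1023 for a 1Kbit group); the function names and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in moduli(5) layout:
#   time type tests trials size generator modulus
# The modulus fields are shortened placeholders, not real primes.
sample_moduli() {
cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20150520233853 2 6 100 1023 5 DEADBEEF01
20150520233854 2 6 100 1023 2 DEADBEEF02
20150520235004 2 6 100 1535 2 DEADBEEF03
20150521000912 2 6 100 2047 5 DEADBEEF04
20150521003307 2 6 100 3071 2 DEADBEEF05
EOF
}

# count_below MIN: number of group entries whose size field is below MIN.
count_below() {
    awk -v min="$1" '!/^#/ && NF >= 7 && $5 + 0 < min { n++ } END { print n + 0 }'
}

# drop_below MIN: pass through comments and groups of at least MIN bits.
# Malformed lines (fewer than 7 fields) are dropped as well.
drop_below() {
    awk -v min="$1" '/^#/ || (NF >= 7 && $5 + 0 >= min)'
}

# size_histogram: one "size count" line per distinct size, ascending.
size_histogram() {
    awk '!/^#/ && NF >= 7 { c[$5]++ } END { for (s in c) print s, c[s] }' | sort -n
}

# Audit the file named in $MODULI if readable, else the constructed sample.
if [ -r "${MODULI:-}" ]; then
    input=$(cat "$MODULI")
else
    input=$(sample_moduli)
fi
echo "groups below 1024 bits: $(printf '%s\n' "$input" | count_below 1024)"
echo "size histogram:"
printf '%s\n' "$input" | size_histogram
```

To produce a filtered copy for review, pipe the file through `drop_below 1024` into a new file and compare it against the original before replacing anything.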

