
disabling diffie-hellman-group1-sha1


JustRep...@spambucket.net

Sep 26, 2005, 2:06:57 PM
My company uses Foundstone to scan for security vulnerabilities and it is
telling me that I should disable the diffie-hellman-group1-sha1 key
exchange algorithm.

"The SSH2 protocol specification requires that a SSH2 server support the
diffie-hellman-group1-sha1 key exchange algorithm. This key exchange
algorithm is considered strong, but faces a potential weakness in that the
same prime number is used for all key exchanges.

An alternative key exchange algorithm, diffie-hellman-exchange-group-sha1,
provides enhanced security by allowing for the prime number to be
specified during key exchange."

Fine and dandy. Is there even a way to do this in the sshd_conf? I am
using a mix of openssh and solaris ssh.

--
Mark Keisler

"Blessed is he who finds happiness in his own foolishness, for he will
always be happy".

Darren Tucker

Sep 26, 2005, 8:57:00 PM
On 2005-09-26, JustRep...@spambucket.net <JustRep...@spambucket.net> wrote:
> My company uses Foundstone to scan for security vulnerabilities and it is
> telling me that I should disable the diffie-hellman-group1-sha1 key
> exchange algorithm.
[...]

> Fine and dandy. Is there even a way to do this in the sshd_conf? I am
> using a mix of openssh and solaris ssh.

In OpenSSH: no, you would have to modify the source. In SunSSH: don't know.

I'm not sure it's a good idea, though. diffie-hellman-group1-sha1 is
mandatory in the spec.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

JustRep...@spambucket.net

Sep 27, 2005, 1:53:27 PM
On Mon, 27 Sep 2005, Darren Tucker wrote:

>
>
> On 2005-09-26, JustRep...@spambucket.net
> <JustRep...@spambucket.net> wrote:
>> My company uses Foundstone to scan for security vulnerabilities and it is
>> telling me that I should disable the diffie-hellman-group1-sha1 key
>> exchange algorithm.
> [...]
>> Fine and dandy. Is there even a way to do this in the sshd_conf? I am
>> using a mix of openssh and solaris ssh.
>
> In OpenSSH: no, you would have to modify the source. In SunSSH: don't know.
>
> I'm not sure it's a good idea, though. diffie-hellman-group1-sha1 is
> mandatory in the spec.
>

That's what I thought. Now I have to convince my management of that.
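
How a scanner can tell that a server offers diffie-hellman-group1-sha1, as an added example that is not part of the original thread: the code parses the kex_algorithms name-list of an SSH_MSG_KEXINIT payload (layout per RFC 4253, section 7.1) and reports whether the fixed-prime method and the group-exchange method are offered. The sample payload is constructed, the function names are hypothetical, and the group-exchange method is spelled as in RFC 4419.

```python
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, section 7.1).
FIELDS = ("kex_algorithms", "server_host_key_algorithms",
          "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
          "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")
FIXED_PRIME = "diffie-hellman-group1-sha1"              # same prime for every exchange
GROUP_EXCHANGE = "diffie-hellman-group-exchange-sha1"   # RFC 4419 name


def parse_kexinit(payload: bytes) -> dict:
    """Parse an SSH_MSG_KEXINIT payload into {field: [names]}."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, out = 17, {}                      # skip message type + 16-byte cookie
    for field in FIELDS:
        if pos + 4 > len(payload):
            raise ValueError(f"truncated before {field}")
        (n,) = struct.unpack_from(">I", payload, pos)
        pos += 4
        if pos + n > len(payload):
            raise ValueError(f"name-list {field} overruns payload")
        raw = payload[pos:pos + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        pos += n
    return out


def audit_kex(payload: bytes) -> dict:
    """Report what a scanner would see in the server's key exchange offer."""
    kex = parse_kexinit(payload)["kex_algorithms"]
    return {"offers_group1": FIXED_PRIME in kex,
            "offers_group_exchange": GROUP_EXCHANGE in kex,
            "kex_algorithms": kex}


def build_kexinit(lists: dict) -> bytes:
    """Build a constructed sample payload (cookie zeroed) for offline use."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        names = ",".join(lists.get(field, [])).encode("ascii")
        body += struct.pack(">I", len(names)) + names
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved


# Constructed sample: a server offering both methods discussed in the thread.
SAMPLE = build_kexinit({"kex_algorithms": [GROUP_EXCHANGE, FIXED_PRIME],
                        "server_host_key_algorithms": ["ssh-rsa", "ssh-dss"]})

if __name__ == "__main__":
    print(audit_kex(SAMPLE))
```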
