[Bug 769] dh-group-exchange should be configurable off in client and server
http://bugzilla.mindrot.org/show_bug.cgi?id=769

dtucker@zip.com.au changed:

What       | Removed | Added
-----------+---------+----------
Status     | NEW     | RESOLVED
Resolution |         | FIXED



------- Additional Comments From dtucker@zip.com.au 2004-01-29 21:39 -------
The new moduli file has now been added to OpenSSH (+OpenBSD) too, so snapshots
and the next release will have it.

Note that if you're upgrading, in most cases moduli will not be replaced by an
upgrade, so you'll have to do it yourself.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
[Bug 769] dh-group-exchange should be configurable off in client and server

------- Additional Comments From jacobn+mindrot@chiark.greenend.org.uk 2004-02-02 05:01 -------
Still haven't had a chance to try this patch, sorry...

While the speedups are welcome, and do a lot to address my original beef -
thanks for them - no-one has yet discussed the issue as raised ("dh-group-
exchange should be configurable off in client and server" as recommended by the
IETF documents).

What I'm really after is some sort of statement on the configurability issue -
is OpenSSH actively against it (why?), or do you consider it a low-priority
wishlist feature, or what?

I can change the title of this bug to cover just the performance improvements,
and move this discussion to a new bug, if you want.



[Bug 769] dh-group-exchange should be configurable off in client and server

------- Additional Comments From mouring@eviladmin.org 2004-02-02 09:11 -------
[..]
> What I'm really after is some sort of statement on the
> configurability issue - is OpenSSH actively against it (why?),
> or do you consider it a low-priority wishlist feature, or what?

I'm actively against it. The more options you give a user the more of a
chance they will decide to use or not use it based on lack of, or bad,
information.

Honestly, if you know a machine is underpowered and can't handle this,
then it is not hard to mv /etc/moduli /etc/moduli.dead, and be done with
it. If it is going to be an issue for the sshd server running on the old
machine it will be an issue for the ssh client running on the same
machine.

- Ben



[Bug 769] dh-group-exchange should be configurable off in client and server

------- Additional Comments From jacobn+mindrot@chiark.greenend.org.uk 2004-02-03 06:03 -------
Created an attachment (id=538)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=538&action=view)
Patch to /etc/moduli description in sshd(8)

Added one sentence to make it clearer that removing /etc/moduli will disable DH
group exchange.



[Bug 769] dh-group-exchange should be configurable off in client and server

------- Additional Comments From jacobn+mindrot@chiark.greenend.org.uk 2004-02-03 06:04 -------
Ben, thanks for replying. I can see that view.

I suggest a one-line change to the sshd(8) man page (attached) which would have
made it more obvious to me how to disable this feature. (I still think this is
worth doing, as it allows a clueful admin to engineer a better situation on an
underpowered server than would arise if users switch back to SSH-1.)


