ssh: drop dh-group1-sha1 from default key exchanges
This removes diffie-hellman-group1-sha1 from the list of default
key exchange algorithms. This kex is considered weak and potentially
vulnerable to the Logjam attack.
Note: This is a backwards incompatible change: if you connect to ssh
servers that do not support any key exchanges except for dh-group1-sha1,
you must now specify config.KeyExchanges explicity.
See also:
https://www.openssh.com/legacy.html
https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html
Fixes golang/go#12955
Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
diff --git a/ssh/common.go b/ssh/common.go
index e55fe0a..290382d 100644
--- a/ssh/common.go
+++ b/ssh/common.go
@@ -58,6 +58,14 @@
kexAlgoDHGEXSHA256: {}, // server half implementation is only minimal to satisfy the automated tests
}
+// preferredKexAlgos specifies the default preference for key-exchange algorithms
+// in preference order.
+var preferredKexAlgos = []string{
+ kexAlgoCurve25519SHA256,
+ kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
+ kexAlgoDH14SHA1,
+}
+
// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
// of authenticating servers) in preference order.
var supportedHostKeyAlgos = []string{
@@ -246,7 +254,7 @@
c.Ciphers = ciphers
if c.KeyExchanges == nil {
- c.KeyExchanges = supportedKexAlgos
+ c.KeyExchanges = preferredKexAlgos
}
if c.MACs == nil {
