upstream: Turn off finite field (a.k.a modp) Diffie-Hellman key
authordjm@openbsd.org <djm@openbsd.org>
Sun, 6 Oct 2024 23:37:17 +0000 (23:37 +0000)
committerDamien Miller <djm@mindrot.org>
Sun, 13 Oct 2024 22:21:07 +0000 (09:21 +1100)
exchange in sshd by default. Specifically, this removes the
diffie-hellman-group* and diffie-hellman-group-exchange-* methods. The client
is unchanged and continues to support these methods by default.

Finite field Diffie Hellman is slow and computationally expensive for
the same security level as Elliptic Curve DH or PQ key agreement while
offering no redeeming advantages.

ECDH has been specified for the SSH protocol for 15 years and some
form of ECDH has been the default key exchange in OpenSSH for the last
14 years.

ok markus@

OpenBSD-Commit-ID: 4e238ad480a33312667cc10ae0eb6393abaec8da

myproposal.h
sshd_config.5

index 3bdc2e955535113d75d9fe679d50c81a53f0ee40..c1459054a509a0966e656d3a044e76e7a79981f9 100644 (file)
@@ -1,4 +1,4 @@
-/* $OpenBSD: myproposal.h,v 1.73 2024/09/09 02:39:57 djm Exp $ */
+/* $OpenBSD: myproposal.h,v 1.74 2024/10/06 23:37:17 djm Exp $ */
 
 /*
  * Copyright (c) 2000 Markus Friedl.  All rights reserved.
        "curve25519-sha256@libssh.org," \
        "ecdh-sha2-nistp256," \
        "ecdh-sha2-nistp384," \
-       "ecdh-sha2-nistp521," \
+       "ecdh-sha2-nistp521" \
+
+#define KEX_CLIENT_KEX KEX_SERVER_KEX "," \
        "diffie-hellman-group-exchange-sha256," \
        "diffie-hellman-group16-sha512," \
        "diffie-hellman-group18-sha512," \
        "diffie-hellman-group14-sha256"
 
-#define KEX_CLIENT_KEX KEX_SERVER_KEX
-
 #define        KEX_DEFAULT_PK_ALG      \
        "ssh-ed25519-cert-v01@openssh.com," \
        "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
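Review bot: The new final entry of the server list, `"ecdh-sha2-nistp521" \`, keeps its trailing backslash, so that macro is now terminated only by the added blank line before `#define KEX_CLIENT_KEX`. If that blank line is later removed or reflowed, the KEX_CLIENT_KEX directive is spliced into the preceding definition and the server default is no longer what the list shows; ending the line as `"ecdh-sha2-nistp521"` avoids depending on whitespace. Since the split between the two lists is now the policy boundary (modp DH offered by the client only), a short comment above KEX_CLIENT_KEX such as `/* modp DH is client-only; sshd offers it only if KexAlgorithms adds it */` would keep a later edit from moving those methods back into the server default. The macro these lines belong to starts above the hunk, presumably `KEX_SERVER_KEX`.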
index dbed44f2a02d9a02bf8178927a4467ffda3c674f..6e12fbe254facb61c62eb0fd8bdd3b219c30d721 100644 (file)
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.374 2024/09/15 08:27:38 jmc Exp $
-.Dd $Mdocdate: September 15 2024 $
+.\" $OpenBSD: sshd_config.5,v 1.375 2024/10/06 23:37:17 djm Exp $
+.Dd $Mdocdate: October 6 2024 $
 .Dt SSHD_CONFIG 5
 .Os
 .Sh NAME
@@ -1062,10 +1062,7 @@ The default is:
 sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,
 mlkem768x25519-sha256,
 curve25519-sha256,curve25519-sha256@libssh.org,
-ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
-diffie-hellman-group-exchange-sha256,
-diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,
-diffie-hellman-group14-sha256
+ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
 .Ed
 .Pp
 The list of supported key exchange algorithms may also be obtained using