How do you plan to change sshd to use this class?

2014-10-13 17:07 GMT+02:00 Pawel Sm7 <pawel....@gmail.com>:

> Hello,
>
> Please find attached a proposal for moduli fingerprint functionality.
>
> Please let me know if you have any comments and if you plan to add this
> functionality to Apache Mina SSHD.
>
> Regards,
>
> Pawel
>
>
> 2014-04-30 16:36 GMT+02:00 Pawel Sm7 <pawel....@gmail.com>:
> > Hello,
> >
> > I have 3 issues I would like to discuss.
> >
> > 1. Handling error scenarios if Prime cannot be found.
> > Mina does not support fallback to weaker Diffie-Hellman algorithm if Prime
> > cannot be found.
> >
> > The failure approach of fall-thru to weaker Diffie-Hellman algorithm, e.g.
> > Group14 (embedded within the Code) if Prime cannot be found, either due to
> > MODULI File Access Errors or Prime Not Found in the File, is the typical
> > approach of most SSH Server Implementations.
> > OpenSSH follows this paradigm. Also it would help in communications
> > robustness.
> > It would be also nice to have a log event when the fallback happens.
> > Do you agree that this is an issue? When could it be implemented?
> >
> > 2. Moduli file integrity handling.
> > Could you create e.g. a SHA-256 hash fingerprint of the moduli file
> > contents, store it somewhere and add validation of moduli file using the
> > fingerprint.
> > This way we can deal with unauthorized tampering of the moduli file. It is
> > a potential security issue.
> >
> > 3. Moduli file generator
> > Is there a roadmap to add a moduli generator so that there’s full support
> > for group exchange generation and usage within Mina?
> > e.g. Primes could be regenerated also when moduli file is corrupted.
> >
> >
> > Regards,
> >
> > Pawel
>
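
A sketch of the moduli fingerprint check and logged group14 fallback discussed in this thread, as an added example that is not the attached proposal and not Apache Mina SSHD code. The class, enum and method names are hypothetical, the sample file content is constructed, and treating a fingerprint mismatch the same way as a file access error (fall back and log) is an assumption of this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.HexFormat;
import java.util.logging.Logger;

// Hypothetical helper, not part of Apache Mina SSHD. Requires Java 17+ (HexFormat).
public class ModuliFingerprintCheck {
    private static final Logger LOG = Logger.getLogger("ModuliFingerprintCheck");

    enum KexChoice { GROUP_EXCHANGE, FALLBACK_GROUP14 }

    static byte[] sha256(Path file) throws IOException, NoSuchAlgorithmException {
        return MessageDigest.getInstance("SHA-256").digest(Files.readAllBytes(file));
    }

    // Use the moduli file only when its digest matches the pinned value.
    // Any read error or mismatch is logged and selects the built-in group14.
    static KexChoice choose(Path moduli, String pinnedHex) {
        try {
            byte[] expected = HexFormat.of().parseHex(pinnedHex);
            if (MessageDigest.isEqual(expected, sha256(moduli))) { // constant-time compare
                return KexChoice.GROUP_EXCHANGE;
            }
            LOG.warning("moduli fingerprint mismatch for " + moduli + ", falling back to group14");
        } catch (IOException | NoSuchAlgorithmException | IllegalArgumentException e) {
            LOG.warning("moduli file unusable (" + e + "), falling back to group14");
        }
        return KexChoice.FALLBACK_GROUP14;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample content standing in for a real moduli file.
        Path moduli = Files.createTempFile("moduli", ".txt");
        Files.write(moduli, "# constructed sample moduli line\n".getBytes(StandardCharsets.UTF_8));
        String pinned = HexFormat.of().formatHex(sha256(moduli)); // recorded at deployment time

        System.out.println(choose(moduli, pinned));               // untouched file
        Files.write(moduli, "# tampered\n".getBytes(StandardCharsets.UTF_8));
        System.out.println(choose(moduli, pinned));               // modified file
        Files.delete(moduli);
        System.out.println(choose(moduli, pinned));               // missing file
    }
}
```

The check only detects tampering if the pinned fingerprint is stored somewhere a writer of the moduli file cannot also modify, for example in the server's own configuration or code.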
