weakdh.org: Doesn't work with "KexAlgorithms email@example.com" #532
As suggested here: https://weakdh.org/sysadmin.html on the new weakdh.org attack site, one solution is to use:
On the sshd_config of the server. So that lines restricts the KexAlgorithms to just that one. But that makes paramiko unable to connect.
It throws this error:
I'm using paramiko==1.15.2 (the last release). Can you please consider fixing this ?
The text was updated successfully, but these errors were encountered:
The weakdh.org recommendations ultimately brought me here.
There is a temporary fix that permits Paramiko to function without curve 25519. This is essentially described at https://weakdh.org/sysadmin.html#openssh although it is not obvious how to apply it to the Paramiko situation. I have clarified the instructions for Paramiko users:
Generate fresh 2048-bit modulii
Assuming your sshd configuration is in /etc/ssh, the following would overwrite the weak moduli that ship with openssh by default.
Set the available sshd key exchange algorithms:
In /etc/ssh/sshd_config, specify the available algorithms to include a non-elliptic-curve algorithm.
This provides a fallback algorithm that Paramiko can use that will at least make use of the fresh 2048-bit modulii we generated, thereby mitigating weakdh (according to weakdh.org recommendations).
Of course, the solution for Paramiko is still to merge code that supports curve 25519... I have to confess I haven't tried to solve this, so I know I've got no standing to complain. I hope this temporary fix helps in the meanwhile.