| field | value | date |
|---|---|---|
| author | Damien Miller <djm@cvs.openbsd.org> | 2024-10-06 23:37:18 +0000 |
| committer | Damien Miller <djm@cvs.openbsd.org> | 2024-10-06 23:37:18 +0000 |
| commit | bb45bb3cde4e4be08f529fc7ace09e6f2d0ca731 (patch) | |
| tree | ad9a9d5d3af95a1dbc9ee46de17d4609359f9cdd /usr.bin/ssh/sshd_config.5 | |
| parent | 560f7e5a8e26cca28ded166d1b2011f1b09a406a (diff) | |
Turn off finite field (a.k.a. modp) Diffie-Hellman key exchange in sshd
by default. Specifically, this removes the diffie-hellman-group* and
diffie-hellman-group-exchange-* methods. The client is unchanged and
continues to support these methods by default.
Finite-field Diffie-Hellman is slow and computationally expensive for
the same security level as Elliptic Curve DH or PQ key agreement while
offering no redeeming advantages.
ECDH has been specified for the SSH protocol for 15 years and some
form of ECDH has been the default key exchange in OpenSSH for the last
14 years.
ok markus@
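As an added check that is not part of OpenSSH or of this commit: a POSIX sh helper that audits which key-exchange methods an sshd actually offers, read from the effective-configuration dump that `sshd -T` prints, so an operator can tell whether a server still negotiates finite-field DH after upgrading, or after a local `KexAlgorithms` override put it back. The function name `ffdh_in_kex` and the two sample dumps are constructed for illustration; the sample `kexalgorithms` values mirror the pre- and post-change default lists shown in the man page diff on this page, and the other lines are only there to look like real `sshd -T` output.

```shell
#!/bin/sh
# Added audit helper (not part of OpenSSH): given the effective-configuration
# dump that `sshd -T` prints, list any finite-field (modp) Diffie-Hellman
# key-exchange methods the server still offers. `sshd -T` emits one lower-case
# keyword per line, e.g. "kexalgorithms a,b,c".

# ffdh_in_kex DUMP
#   Prints the finite-field DH methods found in the kexalgorithms line
#   (comma-separated, in server preference order) and returns 0; prints
#   nothing and returns 1 when only ECDH / PQ-hybrid methods are offered.
ffdh_in_kex() {
    dump=$1
    found=""
    # Extract the value of the kexalgorithms keyword (first match wins).
    kex=$(printf '%s\n' "$dump" | while read -r key val; do
        if [ "$key" = "kexalgorithms" ]; then
            printf '%s' "$val"
            break
        fi
    done)
    old_ifs=$IFS
    IFS=,
    for alg in $kex; do
        case $alg in
            # Matches diffie-hellman-group{1,14,16,18}-* and
            # diffie-hellman-group-exchange-*; ECDH methods are ecdh-sha2-*.
            diffie-hellman-group*) found="${found:+$found,}$alg" ;;
        esac
    done
    IFS=$old_ifs
    [ -n "$found" ] && printf '%s\n' "$found"
}

# Constructed sample dumps (not captured from a real host). The first mirrors
# the sshd default list before this commit, the second the list after it.
OLD_DEFAULT_DUMP='port 22
kexalgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256
ciphers chacha20-poly1305@openssh.com,aes128-ctr'
NEW_DEFAULT_DUMP='port 22
kexalgorithms sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com,mlkem768x25519-sha256,curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521
ciphers chacha20-poly1305@openssh.com,aes128-ctr'

# Stand-alone demo; on a real host use "$(sshd -T)" (run as root) instead.
for dump in "$OLD_DEFAULT_DUMP" "$NEW_DEFAULT_DUMP"; do
    if ffdh_in_kex "$dump"; then
        echo "  ^ finite-field DH still offered by this server"
    else
        echo "only ECDH / PQ-hybrid key exchange offered"
    fi
done
```

Run it against a live host with `ffdh_in_kex "$(sshd -T)"`; `sshd -T` resolves `Match` blocks and `Include`s, so it reflects what the daemon will really negotiate rather than what the file looks like. A fleet that must keep serving a client population limited to finite-field DH can opt back in explicitly rather than inherit the old default, using the `+` prefix that the `KexAlgorithms` keyword documents for appending to the default set, for example `KexAlgorithms +diffie-hellman-group14-sha256`; the audit above will then report exactly that method, which is the point of leaving the choice visible in the configuration.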
Diffstat (limited to 'usr.bin/ssh/sshd_config.5')
| mode | file | changes |
|---|---|---|
| -rw-r--r-- | usr.bin/ssh/sshd_config.5 | 9 |

1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/usr.bin/ssh/sshd_config.5 b/usr.bin/ssh/sshd_config.5 index eaf639fb03c..786dd08f204 100644 --- a/usr.bin/ssh/sshd_config.5 +++ b/usr.bin/ssh/sshd_config.5 @@ -33,8 +33,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: sshd_config.5,v 1.374 2024/09/15 08:27:38 jmc Exp $ -.Dd $Mdocdate: September 15 2024 $ +.\" $OpenBSD: sshd_config.5,v 1.375 2024/10/06 23:37:17 djm Exp $ +.Dd $Mdocdate: October 6 2024 $ .Dt SSHD_CONFIG 5 .Os .Sh NAME @@ -1063,10 +1063,7 @@ The default is: sntrup761x25519-sha512,sntrup761x25519-sha512@openssh.com, mlkem768x25519-sha256, curve25519-sha256,curve25519-sha256@libssh.org, -ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521, -diffie-hellman-group-exchange-sha256, -diffie-hellman-group16-sha512,diffie-hellman-group18-sha512, -diffie-hellman-group14-sha256 +ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521 .Ed .Pp The list of supported key exchange algorithms may also be obtained using |
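Review bot: the second hunk drops every diffie-hellman-group* entry from the documented default, but the text next to the list does not tell administrators that these methods remain compiled in and can be re-enabled with the `+` prefix already documented for this keyword (for example `KexAlgorithms +diffie-hellman-group14-sha256`); since a client that only implements finite-field DH will now fail key exchange against a default sshd, add a sentence to that effect beside the default list, and consider pointing at `ssh -Q kex` (the sentence that follows the list) as the way to see the full supported set, which still differs from the default. The trailing comma was correctly removed from the last retained line (`ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521`), so the `.Bd` block still renders as one list. Note also that this diffstat is limited to sshd_config.5, so the matching change to the server's built-in default is not visible here; the documented list should be checked against it in the same commit.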