
ssh: drop dh-group1-sha1 from default key exchanges

This removes diffie-hellman-group1-sha1 from the list of default
key exchange algorithms. This kex is considered weak and potentially
vulnerable to the Logjam attack.

Note: This is a backwards incompatible change: if you connect to ssh
servers that do not support any key exchanges except for dh-group1-sha1,
you must now specify config.KeyExchanges explicitly.

See also:
https://www.openssh.com/legacy.html
https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html

Fixes golang/go#12955

Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
Eric Brown 7 tahun lalu
induk
melakukan
094676da4a
1 mengubah file dengan 9 tambahan dan 1 penghapusan
  1. 9 1
      ssh/common.go

+ 9 - 1
ssh/common.go

@@ -58,6 +58,14 @@ var serverForbiddenKexAlgos = map[string]struct{}{
 	kexAlgoDHGEXSHA256: {}, // server half implementation is only minimal to satisfy the automated tests
 }
 
+// preferredKexAlgos specifies the default preference for key-exchange algorithms
+// in preference order.
+var preferredKexAlgos = []string{
+	kexAlgoCurve25519SHA256,
+	kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
+	kexAlgoDH14SHA1,
+}
+
 // supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods
 // of authenticating servers) in preference order.
 var supportedHostKeyAlgos = []string{
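Review bot: The doc comment on `preferredKexAlgos` does not say how this list differs from the full supported set or why, so a later maintainer could re-add the weak algorithm without noticing it was left out on purpose. I would spell out the security decision, for example `// preferredKexAlgos lists the key exchanges used when Config.KeyExchanges is nil, in preference order.` followed by `// diffie-hellman-group1-sha1 is deliberately omitted as weak (Logjam); it stays available only via an explicit Config.KeyExchanges.` The list still ends with `kexAlgoDH14SHA1`, so a short remark that this SHA-1 based exchange is kept for compatibility would also help anyone auditing the defaults.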
@@ -246,7 +254,7 @@ func (c *Config) SetDefaults() {
 	c.Ciphers = ciphers
 
 	if c.KeyExchanges == nil {
-		c.KeyExchanges = supportedKexAlgos
+		c.KeyExchanges = preferredKexAlgos
 	}
 
 	if c.MACs == nil {
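Review bot: `c.KeyExchanges = preferredKexAlgos` hands the package-level slice itself to the caller, so code that edits `c.KeyExchanges` in place after `SetDefaults` would change the default list for every later Config in the process. For a security default that is worth isolating with a copy: `c.KeyExchanges = append([]string(nil), preferredKexAlgos...)`. The removed line shared its slice in the same way, so this is not new behaviour, but the defaults now carry a hardening decision. `SetDefaults` starts and ends outside this hunk, and it appears to sit on a Config shared by client and server code, so servers with a nil `KeyExchanges` presumably stop offering group1 to legacy clients as well. The commit message mentions only the client case; confirm and note that.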