- default_kexes = "dh-gex-sha1,dh-group14-sha1,dh-group1-sha1,rsa,WARN";
- gprefs(sesskey, "KEX", default_kexes,
- kexnames, KEX_MAX, conf, CONF_ssh_kexlist);
+ default_kexes = normal_default;
+ /* Migration: after 0.67 we decided we didn't like
+ * dh-group1-sha1. If it looks like the user never changed
+ * the defaults, quietly upgrade their settings to demote it.
+ * (If they did, they're on their own.) */
+ raw = gpps_raw(sesskey, "KEX", default_kexes);
+ assert(raw != NULL);
+ /* Lack of 'ecdh' tells us this was saved by 0.58-0.67
+ * inclusive. If it was saved by a later version, we need
+ * to leave it alone. */
+ if (strcmp(raw, "dh-group14-sha1,dh-group1-sha1,rsa,"
+ "WARN,dh-gex-sha1") == 0) {
+ /* Previously migrated from BugDHGEx2. */
+ sfree(raw);
+ raw = dupstr(bugdhgex2_default);
+ } else if (strcmp(raw, "dh-gex-sha1,dh-group14-sha1,"
+ "dh-group1-sha1,rsa,WARN") == 0) {
+ /* Untouched old default setting. */
+ sfree(raw);
+ raw = dupstr(normal_default);
+ }
+ gprefs_from_str(raw, kexnames, KEX_MAX, conf, CONF_ssh_kexlist);
+ sfree(raw);
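Review bot: The comment above the first `strcmp` says the absence of 'ecdh' identifies a 0.58-0.67 save, but the code never looks for 'ecdh'; it migrates only on a byte-exact match with two historic default strings. Any other stored value, including one that merely reorders entries and still ranks dh-group1-sha1 above WARN, is passed to `gprefs_from_str` unchanged, so the demotion silently does not apply to it. That looks intended ("they're on their own"), but the comment should describe what is actually tested, e.g. `/* Only these two exact default strings written by 0.58-0.67 (neither contains 'ecdh') are rewritten; any other value is kept verbatim. */`. The enclosing block and the definitions of `normal_default` and `bugdhgex2_default` lie outside the hunk, so the resulting preference order cannot be checked from here.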