Hi, this port brings along a dhparams file that was last re-generated in 2013; it should be re-generated and not include any <3072 params. Per size it also only has a single param which, as far as I remember, isn't ideal either. It's also doubtful why it has its own in general; /etc/ssh/moduli *might* be compatible (but probably not accessible if running non-root). At least maybe using the same source file for that could help.
Another thing that worries me here but totally doesn't relate to this port: Did no one ever audit the ports tree as a whole for high-entropy things like this after all the NSA shit came down? No idea who to ask about that, but I see a corpse right here and it's rotten.
Maintainer feedback?
I didn't hear anything, and had long forgotten about the issue. If you know how to get a security person to look into it, please go ahead. Somehow it seems I just can't "find" the proper channel in cases like this. I just checked and I really did replace it everywhere in the env I helped run back then (ansible snippet that should work everywhere follows):

    - name: do not use upstream dhparams file
      shell: rsync -ci /etc/ssh/moduli /usr/local/etc/proftpd/dhparams.pem
      register: rsync_result
      changed_when: 'rsync_result.stdout != ""'
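An audit helper, added here as an example and not part of this bug report, the port, or the maintainer's setup, that performs the check the report asks for: it reads every DH PARAMETERS block in a PEM file (PKCS#3 encoding, a SEQUENCE of the prime and the generator) and every entry in an OpenSSH-style moduli file, then reports which primes fall below a 3072-bit floor and how many primes exist per size. The PEM layout, the seven-field moduli line format and the helper names are assumptions of this example; the sample inputs are constructed from small Mersenne primes only to exercise the parser and are not usable DH groups.

```python
import base64
import re

MIN_BITS = 3072  # size floor suggested in the report (assumption: bits of the prime p)


def _der_len(n: int) -> bytes:
    """DER length encoding (short form under 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_int(v: int) -> bytes:
    """DER INTEGER; the extra byte of headroom keeps the sign bit clear."""
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")
    return b"\x02" + _der_len(len(body)) + body


def encode_dh_params_pem(p: int, g: int) -> str:
    """Constructed test helper: PKCS#3 DHParameter ::= SEQUENCE { prime, base }."""
    seq = _der_int(p) + _der_int(g)
    der = b"\x30" + _der_len(len(seq)) + seq
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN DH PARAMETERS-----\n" + "\n".join(lines)
            + "\n-----END DH PARAMETERS-----\n")


def _read_tlv(buf: bytes, pos: int):
    """Read one DER tag/length/value at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    ln = buf[pos + 1]
    pos += 2
    if ln & 0x80:
        nbytes = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + ln], pos + ln


def parse_dh_params_pem(pem: str):
    """Return [(prime_bits, generator), ...] for every DH PARAMETERS block."""
    pat = re.compile(r"-----BEGIN DH PARAMETERS-----(.*?)-----END DH PARAMETERS-----", re.S)
    results = []
    for m in pat.finditer(pem):
        der = base64.b64decode("".join(m.group(1).split()))
        tag, body, _ = _read_tlv(der, 0)
        if tag != 0x30:
            raise ValueError("expected SEQUENCE")
        tag_p, p_bytes, pos = _read_tlv(body, 0)
        tag_g, g_bytes, _ = _read_tlv(body, pos)
        if tag_p != 0x02 or tag_g != 0x02:
            raise ValueError("expected INTEGER prime and generator")
        p = int.from_bytes(p_bytes, "big")
        g = int.from_bytes(g_bytes, "big")
        results.append((p.bit_length(), g))
    return results


def parse_ssh_moduli(text: str):
    """Return [(prime_bits, generator), ...] from OpenSSH moduli lines.

    Assumed line format: time type tests trials size generator modulus(hex).
    The size is taken from the modulus itself rather than the 'size' field.
    """
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:  # assumption: silently skip malformed lines
            continue
        modulus = int(fields[6], 16)
        results.append((modulus.bit_length(), int(fields[5])))
    return results


def audit(entries, min_bits: int = MIN_BITS):
    """Return (entries below the floor, {prime_bits: count}) for a parsed file."""
    too_small = [(bits, g) for bits, g in entries if bits < min_bits]
    counts = {}
    for bits, _ in entries:
        counts[bits] = counts.get(bits, 0) + 1
    return too_small, counts


# Constructed sample inputs: Mersenne primes 2^127-1 and 2^521-1 (too small to be
# real DH groups, used only so the parsers have something to read).
SAMPLE_PEM = encode_dh_params_pem(2 ** 127 - 1, 2) + encode_dh_params_pem(2 ** 521 - 1, 2)
SAMPLE_MODULI = "# Time Type Tests Tries Size Generator Modulus\n" \
    "20130101000000 2 6 100 88 2 " + format(2 ** 89 - 1, "X") + "\n"

if __name__ == "__main__":
    for name, entries in (("dhparams.pem", parse_dh_params_pem(SAMPLE_PEM)),
                          ("moduli", parse_ssh_moduli(SAMPLE_MODULI))):
        small, counts = audit(entries)
        print(name, "sizes:", counts, "below floor:", small)
```

Run it against a real file with `audit(parse_dh_params_pem(open(path).read()))`; an empty `too_small` list and more than one entry per size is the state the report asks the port to reach.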