Confusing diffie-hellman-group-exchange-sha256 recommendation/output

[scop]

I see this in current (git master, 5ddd8cc) ssh-audit output

[...]
# key exchange algorithms
[...]
(kex) diffie-hellman-group-exchange-sha256 (3072-bit) -- [warn] does not provide protection against post-quantum attacks
                                                      `- [info] available since OpenSSH 4.4
                                                      `- [info] OpenSSH's GEX fallback mechanism was triggered during testing. Very old SSH clients will still be able to create connections using a 2048-bit modulus, though modern clients will use 3072. This can only be disabled by recompiling the code (see https://github.com/openssh/openssh-portable/blob/V_9_4/dh.c#L477).
[...]
# algorithm recommendations (for OpenSSH 9.9)
(rec) !diffie-hellman-group-exchange-sha256 -- kex algorithm to change (increase modulus size to 3072 bits or larger) 

This is in a setup that has the moduli hardenings from https://www.sshaudit.com/hardening_guides.html already made ($5 >= 3071...).

What I find curious is that it first seems to say a 3072-bit diffie-hellman-group-exchange-sha256 is already in use, and then recommends to increase its modulus size to >= 3072.

Removing diffie-hellman-group-exchange-sha256 altogether gets rid of the warning, but it doesn't seem that's what's being recommended.

Could this be clarified somehow?

[jtesta]

The recommendation system is notoriously difficult to maintain. Historically, it has had many such bugs where it makes incorrect suggestions.

In this case, it got confused because of the attached warning about lack of post-quantum protections. A better recommendation would be to consider disabling it entirely if PQ safety is a goal.

Thanks for reporting! I'll see about getting this fixed before the next release.