openssh bugs - May 2008 - [Bug 1469] New: Should sshd detect and reject vulnerable SSH keys (re: Debian DSA-1571 and DSA-1576)

https://bugzilla.mindrot.org/show_bug.cgi?id=1469

           Summary: Should sshd detect and reject vulnerable SSH keys (re:
                    Debian DSA-1571 and DSA-1576)
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.0p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: davee at ceu.ox.ac.uk


Debian/Ubuntu have added additional components to their openssh-*
packages which detect (and, on the server side, reject) vulnerable SSH
keys as a result of the broken random number generatation.

http://www.debian.org/security/2008/dsa-1571
http://www.debian.org/security/2008/dsa-1576

Given that such vulnerable keys might have been uploaded to *any*
ssh-running OS, should similar detection be built into openssh
directly?  It would seem odd that as a result of this vulnerability
becoming public that Debian and Ubuntu sshd servers are (once updated)
*more* secure than those running on other OSes, because the Debian and
Ubuntu servers now reject attempts to connect with those vulnerable
keys.

I've done some searching around this bugtracker and mailing list
archives, but can't even find *discussion* of this issue.

Alternatively, please tell me why such a modification to openssh would
be a really bad idea - I can then refer to this bug in other contexts
explaining why it isn't going to be done :-)

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1469


Alex Howells <alex.howells at 0wn3d.us> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |alex.howells at 0wn3d.us




--- Comment #1 from Alex Howells <alex.howells at 0wn3d.us>  2008-05-25
06:35:22 ---
I think there is a considerable disadvantage to the implementation of
this feature: users are liable assume any vulnerable key will be
detected and rejected, which is likely a false assumption :(

What certain distributions are including is not a complete list, their
utilities/patches seem to analyze the first 80-84 bits of a fingerprint
-- this is liable to give false positives, and the inclusive blacklists
only cover the most basic permutations of key, a la;

    1024-bit DSA
    768-bit RSA
    1024-bit RSA
    2048-bit RSA

As far as I am aware they don't cover 4096-bit RSA, and any user who
had generated with `ssh-keygen -b 8150 -t rsa` would not be blocked.

I think this might be a feature which needs to be maintained
externally. That way there can be good documentation showing what
permutations would be detected and users are less liable to make nasty
assumptions... Perhaps another good reason to not include this is the
'bloat factor'? It'd probably make releases considerably larger?

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1469





--- Comment #2 from Alex Howells <alex.howells at 0wn3d.us>  2008-05-25
06:38:59 ---
> As far as I am aware they don't cover 4096-bit RSA, and any user who
> had generated with `ssh-keygen -b 8150 -t rsa` would not be blocked.
Sorry, perhaps I should clarify -- any user who has generated with a
non-standard key length would not be covered and it would be
computationally impossible to generate all 32767 permutations per
architecture / word length vs. all possible key length possibilities.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1469





--- Comment #3 from Colin Watson <cjwatson at debian.org>  2008-05-26
23:44:30 ---
Created an attachment (id=1508)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1508)
blacklisting and ssh-vulnkey

Here's the current patch we're using for this in Debian. I've tried
to
ensure that it can at least theoretically be acceptable on all systems,
but am more than happy to work on this as necessary; I think it's
important to deploy this as widely as possible.

I believe that the blacklisting feature itself is separate from the
distribution of the blacklist files. Those are, as observed, large,
unwieldy from the point of view of distribution with OpenSSH, and not
necessarily complete (although the published blacklists for each key
type and size are complete with respect to this particular
vulnerability). However, I can imagine other uses for the blacklisting
code itself. For instance, a sysadmin responding to a compromised
machine might want to use it as a quick way to lock out use of
particular keys.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1469


Colin Watson <cjwatson at debian.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |cjwatson at debian.org




-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1469


Colin Watson <cjwatson at debian.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1508|0                           |1
        is obsolete|                            |




--- Comment #4 from Colin Watson <cjwatson at debian.org>  2008-05-31
08:10:09 ---
Created an attachment (id=1510)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1510)
blacklist patch from Debian 1:4.7p1-12

Here's an updated version to align with the most recent Debian upload.
Changes from the previous attachment:

  * Refactor rejection of blacklisted user keys into a single
    reject_blacklisted_key function in auth.c (thanks, Dmitry V.
Levin).
  * Fix memory leak of blacklisted host keys (thanks, Dmitry V. Levin).

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1469





--- Comment #5 from Solar Designer <solar at openwall.com>  2008-06-16
16:16:00 ---
Created an attachment (id=1529)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1529)
Support for key blacklisting based on compact binary encoding of
partial fingerprints (e.g., under 4.5 bytes per 48-bit fingerprint);
patch against 3.6.1p2, but is trivial to forward-port.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1469





--- Comment #6 from Solar Designer <solar at openwall.com>  2008-06-16
16:19:17 ---
Created an attachment (id=1530)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1530)
The blacklist encoder program - takes Debian's 32-hex-char one-per-line
fingerprint lists as input

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1469





--- Comment #7 from Solar Designer <solar at openwall.com>  2008-06-16
16:21:05 ---
Created an attachment (id=1531)
 --> (http://bugzilla.mindrot.org/attachment.cgi?id=1531)
The blacklist checker program - can be used to test correctness of the
encoding, etc.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1469


Solar Designer <solar at openwall.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |solar at openwall.com




--- Comment #8 from Solar Designer <solar at openwall.com>  2008-06-16
16:32:07 ---
I have attached the key blacklisting code from Openwall GNU/*/Linux
(also used at least by ALT Linux).  We've been using this "in
production" on many systems for 2+ weeks with no issues (and have
detected some weak keys "in the wild").  I am posting this primarily
to
have everything in one place.  Also relevant are these URLs:

http://www.openwall.com/lists/oss-security/2008/05/27/3 - the original
announcement
http://www.openwall.com/lists/oss-security/2008/05/27/4 - on
forward-port to openssh-5.0p1
http://cvsweb.openwall.com/cgi/cvsweb.cgi/Owl/packages/openssh/
http://git.altlinux.org/people/ldv/packages/?p=openssh.git -
repositories with these patches (and more)

Compared to the Debian patch, this uses much smaller files (less than
4.5 bytes per key for 48-bit partial fingerprints), it's very fast
(will work just fine on a VAX), it can be configured to be fail-close
(in case of errors), and the size of partial fingerprints is not
hardcoded anywhere (it's specified on "blacklist-encode"
command-line,
with no need to recompile anything, so an existing build of sshd that
works with 48-bit fingerprints now will also work with, say, 64-bit
just fine).

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.