A few questions regarding the OpenSSH support for the Diffie Hellman key exchange algorithms: (1) Are the diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1" , "diffie-hellman-group14-sha1" "diffie-hellman-group1-sha1" (as defined in RFCs 4253 and RFC 4419) the complete list of key exchange algorithms supported by OpenSSH? (2) Is there a way to configure the DH key exchange algorithms to be supported? For e.g. if we want to support only "diffie-hellman-group14-sha1", is it possible to configure it? It looks like it is possible to configure the data encryption algorithms (like AES) using the Ciphers keyword and the data integrity algorithms (like HMAC-SHA-1) using the MACs keyword in the sshd_config file. However there doesn't seem to be a keyword to configure key exchange algorithms. (3) The /etc/primes file is used for the "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1" algorithms. However if the primes file does not exist does the SSH connection simply fail if one of these two algorithms is chosen during the initial part of the setup. That is, based on RFC 4419, since the server cannot choose a suitable prime group (p,g) from the primes file (since it does not exist) will it simply reject the SSH connection? Thanks, Vik _________________________________________________________________ Gear up for Halo? 3 with free downloads and an exclusive offer. It?s our way of saying thanks for using Windows Live?. http://gethalo3gear.com?ocid=SeptemberWLHalo3_WLHMTxt_2
On Thu, 20 Sep 2007, Vikram Mhetre wrote:> A few questions regarding the OpenSSH support for the Diffie Hellman key exchange algorithms: > > (1) Are the diffie-hellman-group-exchange-sha256", > "diffie-hellman-group-exchange-sha1" , "diffie-hellman-group14-sha1" > "diffie-hellman-group1-sha1" (as defined in RFCs 4253 and RFC 4419) > the complete list of key exchange algorithms supported by OpenSSH?Yes> (2) Is there a way to configure the DH key exchange algorithms to be > supported?No> (3) The /etc/primes file is used for the > "diffie-hellman-group-exchange-sha256", > "diffie-hellman-group-exchange-sha1" algorithms. However if the primes > file does not exist does the SSH connection simply fail if one of > these two algorithms is chosen during the initial part of the setup. > That is, based on RFC 4419, since the server cannot choose a suitable > prime group (p,g) from the primes file (since it does not exist) will > it simply reject the SSH connection?That is incorrect. The group exchange methods will fall back to a fixed modulus (the same used in diffie-hellman-group14-sha1) if they cannot open /etc/moduli. -d
Hello All, To add to this question, I also am interested in knowing if the size of the DH key to be negotiated both from the Server and the Client can be configured? If yes, how? Thanks, Srinath -----Original Message----- From: openssh-unix-dev-bounces+srinath_balaraman=mentor.com at mindrot.org [mailto:openssh-unix-dev-bounces+srinath_balaraman=mentor.com at mindrot.or g] On Behalf Of Damien Miller Sent: Friday, September 21, 2007 10:06 PM To: Vikram Mhetre Cc: openssh-unix-dev at mindrot.org Subject: Re: Diffie Hellman key exchange algorithms On Thu, 20 Sep 2007, Vikram Mhetre wrote:> A few questions regarding the OpenSSH support for the Diffie Hellmankey exchange algorithms:> > (1) Are the diffie-hellman-group-exchange-sha256", > "diffie-hellman-group-exchange-sha1" , "diffie-hellman-group14-sha1" > "diffie-hellman-group1-sha1" (as defined in RFCs 4253 and RFC 4419) > the complete list of key exchange algorithms supported by OpenSSH?Yes> (2) Is there a way to configure the DH key exchange algorithms to be > supported?No> (3) The /etc/primes file is used for the > "diffie-hellman-group-exchange-sha256", > "diffie-hellman-group-exchange-sha1" algorithms. However if the primes > file does not exist does the SSH connection simply fail if one of > these two algorithms is chosen during the initial part of the setup. > That is, based on RFC 4419, since the server cannot choose a suitable > prime group (p,g) from the primes file (since it does not exist) will > it simply reject the SSH connection?That is incorrect. The group exchange methods will fall back to a fixed modulus (the same used in diffie-hellman-group14-sha1) if they cannot open /etc/moduli. -d _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev at mindrot.org https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
In response to being able to configure the DH key algorithms to be used... the changes to the code are failrly small and seem safe to me. If someone is interested in what needs to change I had posted the changes needed to openbsd-misc back in January of this year. I did not make a patch file.. I only described it in text. I would appreciate comments if anyone sees something that is not safe. I did not add any logic or algorithms... I just made changes to the existing code. The subject of the thread was "How to remove group1 and group14 from OpenSSH.." In retrospect.. it never belonged on that board and perhaps would have been better here. I kinda wish that sshd would let you configure this as it seems like an important security decision for an admin. I made the changes to the code on my machine because I spent a good amount of time making very large primes. The only way to use them is to use the KEX method. If the user that logs in does not have the KEX method enabled.. I believe that it will use the group 1 or group 14. It has been a while since I looked at this code so perhaps my logic here is not so clear.. but I know at the time I had researched it I had definite reason for doing it. One of the RFCs states that you have to include the ability to use group 1 and 14. To me.. this is nice for everyone in the world to happily be able to negotiate with any server... but that is not my desire. To me.. if someone is using an old client that does not allow KEX.. then I don't want them on my system.. and I think I have a right to decide that. In all likelihood, no one is going to break your data being sent with group 1. But that doesn't mean I don't want to force a higher level of security. You could also force KEX_DH_GEX_SHA256 and not allow KEX_DH_GEX_SHA1 but I have found that a number of clients don't support this and at this time I have left KEX_DH_GEX_SHA1 as usable. Also if anyone is new to playing around in the code for OpenSSH... I found the following page pretty useful for getting an overview of the protocol: http://cs.wellesley.edu/~cs342/SSH2Protocol.html Then of course the RFCs I believe generally in the rfc425X range. And then getting a good packet sniffer so you can see what a particular ssh client is allowing.
On Mon, 24 Sep 2007, Balaraman, Srinath wrote:> Hello All, > > To add to this question, I also am interested in knowing if the size of > the DH key to be negotiated both from the Server and the Client can be > configured? If yes, how?Do you mean the size of the key generated by DH or the size of the group used in diffie-hellman-group-exchange-*? If you mean the former, then the key length is that of the symmetric cipher that has been negotiated. If you mean the latter, then the size of the group is chosen to yield a similar attack complexity as the negotiated symmetric cipher. See dh.c:dh_estimate() and the comment that preceeds it. Either way, there is are no configuration knobs. -d
Maybe Matching Threads
- Can we disable diffie-hellman-group-exchange-sha1 by default?
- Can we disable diffie-hellman-group-exchange-sha1 by default?
- Can we disable diffie-hellman-group-exchange-sha1 by default?
- Can we disable diffie-hellman-group14-sha1 by default?
- [Bug 2515] New: Implement diffie-hellman-group{14,15,16)-sha256