On Fri, May 22, 2015 at 12:27:01, Darren Tucker <dtucker at zip.com.au> wrote:> Note that PuTTY does do Diffie-Hellman Group Exchange, but until very > recently (ie after their 0.64 release) they didn't do the one that was > actually standardized in RFC4419. OpenSSH recently removed support for > that non-standard one and as a result we don't offer DHGEX to PuTTY > versions <= 0.64 so they'll fall back to group14 (2k bit fix group).I think this is wrong. This commit [0] from 2005 appears to show the addition of diffie-hellman-group-exchange-sha256 support to PuTTY. I've also just successfully connected to a local test OpenSSH server (v6.7p1, as packaged by Debian) with only diffie-hellman-group-exchange-sha256 enabled with an older release of PuTTY (0.63) without any issue. Indeed, PuTTY explicitly reported in its event log that it performed key-exchange using Diffie-Hellman group exchange and SHA-256, so I'm quite sure this is working! Unless there's more than one key-exchange mechanism going by the name diffie-hellman-group-exchange-sha256? Kind regards, David [0] http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=commit;h=91319142781a69cb16053c180870878749477012 -- David McBride <dwm37 at cam.ac.uk> Unix Specialist, University Information Services
On Sat, May 23, 2015 at 12:30 AM, David McBride <dwm37 at cam.ac.uk> wrote:> On Fri, May 22, 2015 at 12:27:01, Darren Tucker <dtucker at zip.com.au> > wrote: > > > Note that PuTTY does do Diffie-Hellman Group Exchange, but until very > > recently (ie after their 0.64 release) they didn't do the one that was > > actually standardized in RFC4419. OpenSSH recently removed support for > > that non-standard one and as a result we don't offer DHGEX to PuTTY > > versions <= 0.64 so they'll fall back to group14 (2k bit fix group). > > I think this is wrong. > > This commit [0] from 2005 appears to show the addition of > diffie-hellman-group-exchange-sha256 support to PuTTY. >You're right, thanks for pointing this out. When I looked at it I was specifically looking at group-exchange-sha1 (because that was the thing using the deprecated format) and overlooked sha256. That does mean that there's a stronger case for removing 1kbit and 1.5kbit groups from the moduli file because that would result in stronger groups being used for versions of PuTTY from then until 0.64, which is the current release as I write this. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On Sat, May 23, 2015 at 12:30 AM, David McBride <dwm37 at cam.ac.uk> wrote:> On Fri, May 22, 2015 at 12:27:01, Darren Tucker <dtucker at zip.com.au> > wrote: > > > Note that PuTTY does do Diffie-Hellman Group Exchange, but until very > > recently (ie after their 0.64 release) they didn't do the one that was > > actually standardized in RFC4419. OpenSSH recently removed support for > > that non-standard one and as a result we don't offer DHGEX to PuTTY > > versions <= 0.64 so they'll fall back to group14 (2k bit fix group). > > I think this is wrong. >I've looked into it some more and unfortunately it's not wrong.> This commit [0] from 2005 appears to show the addition of > diffie-hellman-group-exchange-sha256 support to PuTTY. >diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1 use the same message type defined in RFC4419 to request a group, and PuTTY up to 0.64 uses the same deprecated message type (30) for both. See> https://anongit.mindrot.org/openssh.git/commit/?id=318be28cda1fd9108f2e6f2f86b0b7589ba2aed0 > > + if ((datafellows & SSH_OLD_DHGEX) != 0) { > + p = filter_proposal(p, "diffie-hellman-group-exchange-sha256"); > + p = filter_proposal(p, "diffie-hellman-group-exchange-sha1"); > + } > > > > > I've also just successfully connected to a local test OpenSSH server > (v6.7p1, as packaged by Debian) with only > diffie-hellman-group-exchange-sha256 enabled with an older release of > PuTTY (0.63) without any issue. >The removal of the pre-RFC4419 message type in OpenSSH was made after the last release. Please retry your test with a current development snapshot. -- Darren Tucker (dtucker at zip.com.au) GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69 Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement.
On 27/05/15 10:58, Darren Tucker wrote:> diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1 > use the same message type defined in RFC4419 to request a group, and PuTTY > up to 0.64 uses the same deprecated message type (30) for both. > > See >> https://anongit.mindrot.org/openssh.git/commit/?id=318be28cda1fd9108f2e6f2f86b0b7589ba2aed0 >> >> + if ((datafellows & SSH_OLD_DHGEX) != 0) { >> + p = filter_proposal(p, "diffie-hellman-group-exchange-sha256"); >> + p = filter_proposal(p, "diffie-hellman-group-exchange-sha1"); >> + } >> > The removal of the pre-RFC4419 message type in OpenSSH was made after the > last release. Please retry your test with a current development snapshot.Ouch. Thank you very much for chasing this down; while I haven't compiled up a current development OpenSSH snapshot and re-run my previous experiment, I assume you're correct. Digging through the PuTTY git repository, the corresponding update that adds SSH_MSG_KEX_DH_GEX_REQUEST (as opposed to _REQUEST_OLD) support is here: http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=commit;h=62a1bce7cb3ecb98feb57c7f1fd5d55845ce1533 ... and so should become available in the next PuTTY release, along with elliptic-curve key-exchange and host key support. The pragmatic consequence is that I should not disable both -group1-sha1 and -group14-sha1 key-exchange support on my servers, nor suggest others to do the same, as this configuration will break compatibility with current versions of PuTTY when the configuration is inherited by future versions of OpenSSH. (As you might expect, PuTTY is quite widely used within Cambridge. Also, judging from some of the screenshots of other Windows SSH/SFTP software, it appears that a fair amount of the PuTTY codebase can be found in other tools as well.) Pragmatically, the conclusion I've reached is that, while it would involve violating an RFC MUST, disabling -group1-sha1 while leaving -group14-sha1 support enabled should not significantly affect interoperability, and would address concerns that users with antiquated or misconfigured SSH clients would reveal sensitive data to state-level passive observers. I am conscious that I am not an expert, so please do correct me if any of this appears to be wrong or foolish. Would it be virtuous to postpone the application of the SSH_OLD_DHGEX commit you reference above until after the new version of PuTTY has been released and has time to enter circulation? Kind regards, David -- David McBride <dwm37 at cam.ac.uk> Unix Specialist, University Information Services
Apparently Analagous Threads
- Weak DH primes and openssh
- Weak DH primes and openssh
- [Bug 2302] with DH-GEX, ssh (and sshd) should not fall back to unconfigured DH groups or at least document this behaviour and use a stronger group
- Can we disable diffie-hellman-group-exchange-sha1 by default?
- Can we disable diffie-hellman-group-exchange-sha1 by default?