openssh bugs - Oct 2017 - [Bug 2793] New: DH Group Exchange Incorrect Fallback

https://bugzilla.mindrot.org/show_bug.cgi?id=2793

            Bug ID: 2793
           Summary: DH Group Exchange Incorrect Fallback
           Product: Portable OpenSSH
           Version: -current
          Hardware: All
                OS: All
            Status: NEW
          Severity: major
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jtesta at positronsecurity.com

Created attachment 3066
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3066&action=edit
Patch to remove the fallback mechanism.

(This issue was discussed in-depth on the openssh-unix-dev mailing list
here:
https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-September/036217.html)

The Diffie-Hellman group exchange code has a fallback mechanism in case
a sufficient entry in /etc/ssh/moduli is not found.  Unfortunately,
this mechanism directly disobeys what a sysadmin wants.

For example, if the sysadmin deletes all DH groups with moduli smaller
than 3072-bit, code will nevertheless return 2048-bit group14 (see
dh.c:441).  The correct behavior would be to disconnect with the
client.

In fact, ALL cases where a sufficient group cannot be found in
/etc/ssh/moduli should result in a disconnect, as the admin has
indicated that *only* those listed in that file should be used.  Hence,
the attached patch fully removes this fallback mechanism in order to
respect the admin's wishes.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2793

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
Comment on attachment 3066
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3066
Patch to remove the fallback mechanism.

I'm not sure I agree with removing the fallback and I don't think
making people edit the moduli file is a great way to control which
groups are negotiated. IMO a general MinimumDHSize option would
probably be a better way to achieve this.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2793

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
             Blocks|                            |3740


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3740
[Bug 3740] Tracking bug for OpenSSH 10.0
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2793

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
I just committed part of this change:

Remove fallback to compiled-in gropup for dhgex when the moduli file
exists, but does not contain moduli within the client-requested range.
The fallback behaviour remains for the case where the moduli file does
not exist (typically, running tests prior to
installing).
>From bz#2793, based in part on patch from Joe Testa, ok djm@
Thanks for the report and patch.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.