A few questions regarding the OpenSSH support for the Diffie Hellman key exchange algorithms:

(1) Are the "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1" (as defined in RFCs 4253 and RFC 4419) the complete list of key exchange algorithms supported by OpenSSH?

(2) Is there a way to configure the DH key exchange algorithms to be supported? For e.g. if we want to support only "diffie-hellman-group14-sha1", is it possible to configure it? It looks like it is possible to configure the data encryption algorithms (like AES) using the Ciphers keyword and the data integrity algorithms (like HMAC-SHA-1) using the MACs keyword in the sshd_config file. However there doesn't seem to be a keyword to configure key exchange algorithms.

(3) The /etc/primes file is used for the "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1" algorithms. However if the primes file does not exist does the SSH connection simply fail if one of these two algorithms is chosen during the initial part of the setup? That is, based on RFC 4419, since the server cannot choose a suitable prime group (p,g) from the primes file (since it does not exist) will it simply reject the SSH connection?

Thanks,
Vik

On Thu, 20 Sep 2007, Vikram Mhetre wrote:

> A few questions regarding the OpenSSH support for the Diffie Hellman key exchange algorithms:
>
> (1) Are the diffie-hellman-group-exchange-sha256",
> "diffie-hellman-group-exchange-sha1" , "diffie-hellman-group14-sha1"
> "diffie-hellman-group1-sha1" (as defined in RFCs 4253 and RFC 4419)
> the complete list of key exchange algorithms supported by OpenSSH?

Yes

> (2) Is there a way to configure the DH key exchange algorithms to be
> supported?

No

> (3) The /etc/primes file is used for the
> "diffie-hellman-group-exchange-sha256",
> "diffie-hellman-group-exchange-sha1" algorithms. However if the primes
> file does not exist does the SSH connection simply fail if one of
> these two algorithms is chosen during the initial part of the setup.
> That is, based on RFC 4419, since the server cannot choose a suitable
> prime group (p,g) from the primes file (since it does not exist) will
> it simply reject the SSH connection?

That is incorrect. The group exchange methods will fall back to a fixed modulus (the same used in diffie-hellman-group14-sha1) if they cannot open /etc/moduli.

-d

Hello All,

To add to this question, I also am interested in knowing if the size of the DH key to be negotiated both from the Server and the Client can be configured? If yes, how?

Thanks,
Srinath

-----Original Message-----
From: openssh-unix-dev-bounces+srinath_balaraman=mentor.com at mindrot.org [mailto:openssh-unix-dev-bounces+srinath_balaraman=mentor.com at mindrot.org] On Behalf Of Damien Miller
Sent: Friday, September 21, 2007 10:06 PM
To: Vikram Mhetre
Cc: openssh-unix-dev at mindrot.org
Subject: Re: Diffie Hellman key exchange algorithms

In response to being able to configure the DH key algorithms to be used... the changes to the code are fairly small and seem safe to me. If someone is interested in what needs to change I had posted the changes needed to openbsd-misc back in January of this year. I did not make a patch file.. I only described it in text. I would appreciate comments if anyone sees something that is not safe. I did not add any logic or algorithms... I just made changes to the existing code. The subject of the thread was "How to remove group1 and group14 from OpenSSH.." In retrospect.. it never belonged on that board and perhaps would have been better here.

I kinda wish that sshd would let you configure this as it seems like an important security decision for an admin. I made the changes to the code on my machine because I spent a good amount of time making very large primes. The only way to use them is to use the KEX method. If the user that logs in does not have the KEX method enabled.. I believe that it will use the group 1 or group 14. It has been a while since I looked at this code so perhaps my logic here is not so clear.. but I know at the time I had researched it I had definite reason for doing it.

One of the RFCs states that you have to include the ability to use group 1 and 14. To me.. this is nice for everyone in the world to happily be able to negotiate with any server... but that is not my desire. To me.. if someone is using an old client that does not allow KEX.. then I don't want them on my system.. and I think I have a right to decide that. In all likelihood, no one is going to break your data being sent with group 1. But that doesn't mean I don't want to force a higher level of security. You could also force KEX_DH_GEX_SHA256 and not allow KEX_DH_GEX_SHA1 but I have found that a number of clients don't support this and at this time I have left KEX_DH_GEX_SHA1 as usable.

Also if anyone is new to playing around in the code for OpenSSH... I found the following page pretty useful for getting an overview of the protocol: http://cs.wellesley.edu/~cs342/SSH2Protocol.html Then of course the RFCs I believe generally in the rfc425X range. And then getting a good packet sniffer so you can see what a particular ssh client is allowing.

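The check suggested in the message above (seeing which key exchange methods a client offers), as an added example that is not part of the original thread or of OpenSSH: it parses an SSH_MSG_KEXINIT payload as laid out in RFC 4253 and reports the fixed-group methods offered and what a server would select. The function names, the constructed sample payloads and the group-exchange-only server list are assumptions, and the selection rule is simplified.

```python
import struct

SSH_MSG_KEXINIT = 20  # message number from RFC 4253
FIELDS = ("kex_algorithms", "server_host_key_algorithms", "encryption_c2s",
          "encryption_s2c", "mac_c2s", "mac_s2c", "compression_c2s",
          "compression_s2c", "languages_c2s", "languages_s2c")
GEX256, GEX1 = ("diffie-hellman-group-exchange-sha256",
                "diffie-hellman-group-exchange-sha1")
G14, G1 = "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"

def build_kexinit(kex_names):
    """Build a constructed KEXINIT payload (zero cookie, other lists empty)."""
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for field in FIELDS:
        raw = ",".join(kex_names).encode("ascii") if field == FIELDS[0] else b""
        body += struct.pack(">I", len(raw)) + raw
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows, reserved

def parse_kexinit(payload):
    """Parse a KEXINIT payload into {field: [names]}, rejecting bad lengths."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off, out = 17, {}  # skip message byte and 16-byte cookie
    for field in FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated name-list length")
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        if n > len(payload) - off:
            raise ValueError("name-list overruns payload")
        raw = payload[off:off + n].decode("ascii")
        out[field] = raw.split(",") if raw else []
        off += n
    if len(payload) - off != 5:  # boolean + uint32 reserved must remain
        raise ValueError("bad trailer")
    return out

def audit_kex(client_payload, server_kex):
    """Return (fixed-group methods the client offers, method that would be chosen).

    Simplified rule: first name on the client's list that the server also
    supports; the host-key compatibility conditions of RFC 4253 are ignored.
    """
    offered = parse_kexinit(client_payload)["kex_algorithms"]
    fixed = [k for k in offered if k in (G14, G1)]
    chosen = next((k for k in offered if k in server_kex), None)
    return fixed, chosen

# Constructed samples: a client without group exchange, and one with it.
OLD_CLIENT = build_kexinit([G14, G1])
NEW_CLIENT = build_kexinit([GEX256, GEX1, G14, G1])
GEX_ONLY = {GEX256, GEX1}  # hypothetical server restricted to group exchange
```

With the group-exchange-only list, `audit_kex(OLD_CLIENT, GEX_ONLY)` returns no chosen method, which is the outcome the poster wants for clients that lack group exchange.
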
On Mon, 24 Sep 2007, Balaraman, Srinath wrote:

> Hello All,
>
> To add to this question, I also am interested in knowing if the size of
> the DH key to be negotiated both from the Server and the Client can be
> configured? If yes, how?

Do you mean the size of the key generated by DH or the size of the group used in diffie-hellman-group-exchange-*?

If you mean the former, then the key length is that of the symmetric cipher that has been negotiated. If you mean the latter, then the size of the group is chosen to yield a similar attack complexity as the negotiated symmetric cipher. See dh.c:dh_estimate() and the comment that precedes it.

Either way, there are no configuration knobs.

-d