openssh unix dev - May 2015 - Weak DH primes and openssh

On Fri, May 22, 2015 at 12:27:01, Darren Tucker <dtucker at zip.com.au>
wrote:
> Note that PuTTY does do Diffie-Hellman Group Exchange, but until very
> recently (ie after their 0.64 release) they didn't do the one that was
> actually standardized in RFC4419.  OpenSSH recently removed support for
> that non-standard one and as a result we don't offer DHGEX to PuTTY
> versions <= 0.64 so they'll fall back to group14 (2k bit fix group).
I think this is wrong.

This commit [0] from 2005 appears to show the addition of
diffie-hellman-group-exchange-sha256 support to PuTTY.

I've also just successfully connected to a local test OpenSSH server
(v6.7p1, as packaged by Debian) with only
diffie-hellman-group-exchange-sha256 enabled with an older release of
PuTTY (0.63) without any issue.

Indeed, PuTTY explicitly reported in its event log that it performed
key-exchange using Diffie-Hellman group exchange and SHA-256, so I'm
quite sure this is working!

Unless there's more than one key-exchange mechanism going by the name
diffie-hellman-group-exchange-sha256?

Kind regards,
David

[0]
http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=commit;h=91319142781a69cb16053c180870878749477012

-- 
David McBride <dwm37 at cam.ac.uk>
Unix Specialist, University Information Services

On Sat, May 23, 2015 at 12:30 AM, David McBride <dwm37 at cam.ac.uk>
wrote:
> On Fri, May 22, 2015 at 12:27:01, Darren Tucker <dtucker at
zip.com.au>
> wrote:
>
> > Note that PuTTY does do Diffie-Hellman Group Exchange, but until very
> > recently (ie after their 0.64 release) they didn't do the one that
was
> > actually standardized in RFC4419.  OpenSSH recently removed support
for
> > that non-standard one and as a result we don't offer DHGEX to
PuTTY
> > versions <= 0.64 so they'll fall back to group14 (2k bit fix
group).
>
> I think this is wrong.
>
> This commit [0] from 2005 appears to show the addition of
> diffie-hellman-group-exchange-sha256 support to PuTTY.
>
You're right, thanks for pointing this out.  When I looked at it I was
specifically looking at group-exchange-sha1 (because that was the thing
using the deprecated format) and overlooked sha256.

That does mean that there's a stronger case for removing 1kbit and 1.5kbit
groups from the moduli file because that would result in stronger groups
being used for versions of PuTTY from then until 0.64, which is the current
release as I write this.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

On Sat, May 23, 2015 at 12:30 AM, David McBride <dwm37 at cam.ac.uk>
wrote:
> On Fri, May 22, 2015 at 12:27:01, Darren Tucker <dtucker at
zip.com.au>
> wrote:
>
> > Note that PuTTY does do Diffie-Hellman Group Exchange, but until very
> > recently (ie after their 0.64 release) they didn't do the one that
was
> > actually standardized in RFC4419.  OpenSSH recently removed support
for
> > that non-standard one and as a result we don't offer DHGEX to
PuTTY
> > versions <= 0.64 so they'll fall back to group14 (2k bit fix
group).
>
> I think this is wrong.
>
I've looked into it some more and unfortunately it's not wrong.

> This commit [0] from 2005 appears to show the addition of
> diffie-hellman-group-exchange-sha256 support to PuTTY.
>
diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1
use the same message type defined in RFC4419 to request a group, and PuTTY
up to 0.64 uses the same deprecated message type (30) for both.

See
>
https://anongit.mindrot.org/openssh.git/commit/?id=318be28cda1fd9108f2e6f2f86b0b7589ba2aed0
>
> + if ((datafellows & SSH_OLD_DHGEX) != 0) {
> +         p = filter_proposal(p,
"diffie-hellman-group-exchange-sha256");
> +         p = filter_proposal(p,
"diffie-hellman-group-exchange-sha1");
> + }
>
> >
> > I've also just successfully connected to a local test OpenSSH
server
> (v6.7p1, as packaged by Debian) with only
> diffie-hellman-group-exchange-sha256 enabled with an older release of
> PuTTY (0.63) without any issue.
>
The removal of the pre-RFC4419 message type in OpenSSH was made after the
last release.   Please retry your test with a current development snapshot.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

On 27/05/15 10:58, Darren Tucker wrote:
> diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1
> use the same message type defined in RFC4419 to request a group, and PuTTY
> up to 0.64 uses the same deprecated message type (30) for both.
> 
> See
>>
https://anongit.mindrot.org/openssh.git/commit/?id=318be28cda1fd9108f2e6f2f86b0b7589ba2aed0
>>
>> + if ((datafellows & SSH_OLD_DHGEX) != 0) {
>> +         p = filter_proposal(p,
"diffie-hellman-group-exchange-sha256");
>> +         p = filter_proposal(p,
"diffie-hellman-group-exchange-sha1");
>> + }
>>
> The removal of the pre-RFC4419 message type in OpenSSH was made after the
> last release.   Please retry your test with a current development snapshot.
Ouch.  Thank you very much for chasing this down; while I haven't
compiled up a current development OpenSSH snapshot and re-run my
previous experiment, I assume you're correct.

Digging through the PuTTY git repository, the corresponding update that
adds SSH_MSG_KEX_DH_GEX_REQUEST (as opposed to _REQUEST_OLD) support is
here:

http://tartarus.org/~simon-git/gitweb/?p=putty.git;a=commit;h=62a1bce7cb3ecb98feb57c7f1fd5d55845ce1533

... and so should become available in the next PuTTY release, along with
elliptic-curve key-exchange and host key support.

The pragmatic consequence is that I should not disable both -group1-sha1
and -group14-sha1 key-exchange support on my servers, nor suggest others
to do the same, as this configuration will break compatibility with
current versions of PuTTY when the configuration is inherited by future
versions of OpenSSH.

(As you might expect, PuTTY is quite widely used within Cambridge.
Also, judging from some of the screenshots of other Windows SSH/SFTP
software, it appears that a fair amount of the PuTTY codebase can be
found in other tools as well.)

Pragmatically, the conclusion I've reached is that, while it would
involve violating an RFC MUST, disabling -group1-sha1 while leaving
-group14-sha1 support enabled should not significantly affect
interoperability, and would address concerns that users with antiquated
or misconfigured SSH clients would reveal sensitive data to state-level
passive observers.

I am conscious that I am not an expert, so please do correct me if any
of this appears to be wrong or foolish.

Would it be virtuous to postpone the application of the SSH_OLD_DHGEX
commit you reference above until after the new version of PuTTY has been
released and has time to enter circulation?

Kind regards,
David
-- 
David McBride <dwm37 at cam.ac.uk>
Unix Specialist, University Information Services