> Can this be addressed in ssh_config/sshd_config with the KexAlgorithms setting?
>
> weakdh.org/sysadmin.html recommends adding:
>
> KexAlgorithms curve25519-sha256@libssh.org
>
> But this thread makes it sound as if it's not necessary. Can anyone confirm? Personally I'm on openssh-6.7.
>
> - Grant
>
> > You will be aware of https://weakdh.org/ by now, I presume; the take-home seems to be that 1024-bit DH primes might well be too weak.
> >
> > I'm wondering what (if anything!) you propose to do about this issue, and what Debian might do for our users?
> >
> > openssh already prefers ECDH, which must reduce the impact somewhat, although the main Windows client (PuTTY) doesn't support ECDH yet. But openssh does still offer diffie-hellman-group1-sha1 (uses a 1024-bit group) and diffie-hellman-group14-sha1 (uses a 2047-bit group), which must be considered a bit suspect? Of course RFC4253 says implementations MUST offer these...
> >
> > The moduli file you provide has this distribution of sizes:
> >
> > size count
> > 1023 36
> > 1535 50
> > 2047 36
> > 3071 31
> > 4095 41
> > 6143 27
> > 8191 39
> >
> > Would it be sensible to remove the <2047 moduli? Generating the larger ones is quite time-consuming on non-specialist kit, which would seem to argue against re-generating them on users' machines.
On Sun, May 24, 2015 at 1:14 AM, Grant <emailgrant at gmail.com> wrote:
> Can this be addressed in ssh_config/sshd_config with the KexAlgorithms
> setting?
>
> weakdh.org/sysadmin.html recommends adding:
>
> KexAlgorithms curve25519-sha256@libssh.org
>
> But this thread makes it sound as if it's not necessary. Can anyone
> confirm? Personally I'm on openssh-6.7.

There are 3 pieces of advice for OpenSSH there, and IMO two of them are bad, including that one.

Firstly the somewhat reasonable one: remove diffie-hellman-group1-sha1 from KexAlgorithms, i.e.

KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

That still means it'll break any implementation that doesn't do at least group14. I don't know of one, but it's possible.

Of the other two suggestions:

- having just curve25519-sha256@libssh.org will break interop with anything that doesn't support it (and many don't) and doesn't buy you much, since on the client side the stronger methods will get used by preference.

- regenerating the moduli file is in itself not a bad idea, but the instructions given will result in a file that has only 2kbit groups, which will result in significantly *weaker* groups being used in many cases (eg OpenSSH will typically ask for 3kbit to 8kbit groups).

The other possible action that IMO would be reasonable but is not listed: remove all of the 1kbit and 1.5kbit groups from the moduli file (or omit them when regenerating).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
On Sun, May 24, 2015 at 9:20 AM, Darren Tucker <dtucker at zip.com.au> wrote:
> [...]
> The other possible action that IMO would be reasonable but is not listed:
> remove all of the 1kbit and 1.5kbit groups

After some consideration we have decided to remove[1] the 1k bit groups from the moduli file. Vendors may want to consider doing this even for older versions of OpenSSH (either by importing the new file, or by removing them from the existing file) as it will result in stronger groups being used for diffie-hellman-group-exchange-sha{1,256} transparently even if the client prefers 1k bit groups (eg PuTTY and derivatives when using 128bit ciphers).

[1] https://anongit.mindrot.org/openssh.git/commit/?id=5ab7d5fa03ad55bc438fab45dfb3aeb30a3c237a

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
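To check the size distribution of an existing moduli file (the table quoted at the top of the thread) and drop the 1k and 1.5k groups as the thread settles on, here is an added Python example; it is my code, not OpenSSH's and not from any participant. It assumes the seven-column moduli(5) layout (time, type, tests, tries, size, generator, modulus) and that the size column is the bit length minus one, and it uses constructed placeholder entries rather than real safe primes.

```python
import collections

# Constructed sample in the moduli(5) layout: time type tests tries size generator modulus.
# The modulus column holds placeholder hex strings of the right bit length, not real safe primes.
SAMPLE_MODULI = "\n".join([
    "# constructed sample, not a real /etc/ssh/moduli",
    "20150524000000 2 6 100 1023 2 " + "F" * 256,
    "20150524000001 2 6 100 1535 2 " + "F" * 384,
    "20150524000002 2 6 100 2047 2 " + "F" * 512,
    "20150524000003 2 6 100 4095 5 " + "F" * 1024,
    "20150524000004 2 6 100 2047 2 " + "F" * 256,  # declared size disagrees with the modulus
])


def parse_moduli(text):
    """Return (entries, rejected): entries is a list of (size, line) for each valid
    group, rejected a list of (lineno, reason). As OpenSSH's dh.c does, an entry whose
    declared size does not match the modulus bit length is refused."""
    entries, rejected = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank or comment line
        if len(fields) != 7:
            rejected.append((lineno, "expected 7 fields, got %d" % len(fields)))
            continue
        size, bits = int(fields[4]), int(fields[6], 16).bit_length()
        # ssh-keygen -G records the bit length minus one, so 2047 means a 2048-bit group.
        if bits != size + 1:
            rejected.append((lineno, "bit mismatch: size %d but %d-bit modulus" % (size, bits)))
            continue
        entries.append((size, line))
    return entries, rejected


def size_distribution(entries):
    """Map each size to its count, the same table the thread quotes."""
    return dict(sorted(collections.Counter(size for size, _ in entries).items()))


def filter_moduli(text, min_size=2047):
    """Return the moduli text with every group below min_size (and every malformed
    line) dropped; comment lines are kept. The default keeps 2048-bit and larger
    groups, i.e. removes the 1k and 1.5k entries."""
    entries, _ = parse_moduli(text)
    keep = {line for size, line in entries if size >= min_size}
    kept = [l for l in text.splitlines() if l in keep or l.lstrip().startswith("#")]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    entries, rejected = parse_moduli(SAMPLE_MODULI)
    for size, count in size_distribution(entries).items():
        print("%5d %d" % (size, count))
    for lineno, reason in rejected:
        print("line %d rejected: %s" % (lineno, reason))
    print(filter_moduli(SAMPLE_MODULI), end="")
```

To run it against a real file, pass the contents of /etc/ssh/moduli to parse_moduli and filter_moduli and review the rejected list before installing the filtered output.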