On 09/22/2017 06:10 PM, Mark D. Baushke wrote:
> I suppose you want to be more paranoid:
>
> DH *
> dh_new_group_fallback(int max)
> {
>     debug3("%s: requested max size %d", __func__, max);
>     if (max <= 2048) {
>         debug3("using 2k bit group 14");
>         return dh_new_group14();
>     } else if (max <= 4096) {
>         debug3("using 4k bit group 16");
>         return dh_new_group16();
>     }
>     debug3("using 8k bit group 18");
>     return dh_new_group18();
> }

This wouldn't fix the underlying issue. I'm interested in having the
code respect the admin's wishes. If the admin edits out entries in
/etc/ssh/moduli, the server should follow that 100%, and not sometimes
make decisions on its own, against what the admin told it point-blank.
Both the existing code and the above change result in unexpected behavior.

It seems like removing the fallback mechanism entirely is the way to go.
If the server and client can't agree on a group-exchange, then the
attempt should fail. And after all, the client is free to try again
with another kex.

FYI, the OpenSSH client (v6.6) in Linux Mint 17 (which is a couple years
old) requests a range of 1024 - 8192 bits by default. I can look into
what PuTTY does, if anyone is interested. I strongly suspect, though,
that modern clients aren't going to be impacted by removing the fallback.

- Joe

Hi Joe,

I suggest you upgrade to a more recent edition of the OpenSSH software.
The most recent release is OpenSSH 7.5 and OpenSSH 7.6 will be released
very soon.

OpenSSH 6.6 was first released on October 6, 2014. There have been a
number of bug fixes and enhancements to the OpenSSH software base in the
past three years.

You should also take a closer look at RFC 4419. I believe you will find
that returning the biggest prime the SSH daemon knows which is larger
than the requested prime is correct. Even if it is not necessarily in
the moduli file.

-- Mark

On 09/24/2017 12:21 AM, Mark D. Baushke wrote:
> I suggest you upgrade to a more recent edition of the OpenSSH software.
> The most recent release is OpenSSH 7.5 and OpenSSH 7.6 will be released
> very soon.

This problem is in v7.5 and v7.6. See dh.c:436.

> OpenSSH 6.6 was first released on October 6, 2014.

I brought up v6.6 to give an example that older clients wouldn't be
impacted by the removal of the fallback mechanism.

> You should also take a closer look at RFC 4419. I believe you will find
> that returning the biggest prime the SSH daemon knows which is larger
> than the requested prime is correct. Even if it is not necessarily in
> the moduli file.

Section 3 says: "The server should return the smallest group it knows
that is larger than the size the client requested."

Even though my system has values in /etc/ssh/moduli that are 3072-bits
all the way up to 8192-bits, it's still returning group14. I suppose
with a loose interpretation, you could say OpenSSH is still adhering to
the spec, since, technically, it does know about group14...

However, my main point still stands. The admin is unambiguously saying
"ONLY use these groups", yet in some cases, the present code disregards
this and unexpectedly does something else.

Written in March 2006, RFC 4419 also says "Servers and clients SHOULD
support groups with a modulus length of k bits, where 1024 <= k <= 8192."
Hence, removing this fallback mechanism "SHOULDN'T" be a problem, as
clients have been encouraged for 11+ years to support groups up to
8192-bit.

It strongly appears that the code can be reasonably changed to return
the smallest group it knows (i.e.: the smallest value in
/etc/ssh/moduli), without causing significant interoperability problems.

Motion to remove the group-exchange fallback mechanism entirely.

- Joe

P.S. I volunteer to write the patch if this change would be accepted.
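
The two behaviours debated in this thread, as an added example that is not part of any message above and is not OpenSSH's code: a simplified model contrasting the fallback quoted from Mark with the strict failure Joe proposes. The `select_group()` function, its selection rule, the `strict` flag, the moduli sizes and the client requests are all assumptions constructed for illustration.

```c
#include <stdio.h>
#include <stddef.h>

/* Simplified model for illustration; not OpenSSH's dh.c. Sizes are in bits. */

/* Constructed sample: an admin has removed every group below 3072 bits. */
static const int SAMPLE_MODULI[] = { 3072, 4096, 6144, 8192 };
#define SAMPLE_COUNT (sizeof(SAMPLE_MODULI) / sizeof(SAMPLE_MODULI[0]))

/* Built-in group size picked by the dh_new_group_fallback() quoted above. */
static int fallback_size(int max)
{
	if (max <= 2048)
		return 2048;	/* group 14 */
	if (max <= 4096)
		return 4096;	/* group 16 */
	return 8192;		/* group 18 */
}

/*
 * Smallest listed size >= want within [min, max], else the largest listed
 * size in range (assumed selection rule). With nothing in range, return the
 * built-in fallback size, or -1 (exchange fails) when strict is set.
 */
int select_group(const int *moduli, size_t n, int min, int want, int max, int strict)
{
	int best = 0;

	for (size_t i = 0; i < n; i++) {
		int s = moduli[i];
		if (s < min || s > max)
			continue;
		if ((s >= want && (best < want || s < best)) || (s > best && best < want))
			best = s;
	}
	if (best != 0)
		return best;
	return strict ? -1 : fallback_size(max);
}

int main(void)
{
	/* Constructed client request: min 1024, preferred 2048, max 2048. */
	printf("fallback: %d\n", select_group(SAMPLE_MODULI, SAMPLE_COUNT, 1024, 2048, 2048, 0));
	printf("strict:   %d\n", select_group(SAMPLE_MODULI, SAMPLE_COUNT, 1024, 2048, 2048, 1));
	/* Range 1024-8192 as in the thread; the preferred size is assumed. */
	printf("wide:     %d\n", select_group(SAMPLE_MODULI, SAMPLE_COUNT, 1024, 2048, 8192, 1));
	return 0;
}
```

With the fallback, the first request is answered with a 2048-bit group that the sample moduli list does not contain; in strict mode the same request fails, while a client offering the 1024 - 8192 range gets the smallest listed group either way.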