On Thu, Mar 11, 2021 at 5:01 PM Damien Miller <djm at mindrot.org> wrote:
> On Thu, 11 Mar 2021, James Ralston wrote:
>
> > On Wed, Mar 10, 2021 at 7:43 PM Damien Miller <djm at mindrot.org> wrote:
> >
> > > diffie-hellman-group-exchange-sha1 will use a bigger/better MODP
> > > group than group14. If I had to enable one then that would be
> > > it.
> >
> > Is this guaranteed to be true even if /etc/ssh/moduli contains
> > small primes (e.g. 1023 bits)?
>
> Yes, see dh_estimate() in dh.c - it will never select a <2048 bit
> group and will usually select one considerably larger,
>
> If /etc/moduli is missing then dh_new_group_fallback() will use
> either a 2k or 4k group.
Who is determining this, though? The client or the server?
This exchange:
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug3: receive packet: type 31
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 4092/8192
debug3: send packet: type 32
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug3: receive packet: type 33
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY
...suggests that the client tells the server its minimum, desired, and
maximum group size, and the server picks a group accordingly.
But what happens if a random ssh client (not OpenSSH) sends this?
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<1024) sent
Will OpenSSH server honor this and pick a 1024-bit group?
The Nessus hits against our RHEL7 hosts that have group-exchange
enabled suggest that OpenSSH server will honor this request.
The documentation for the Nessus plugin that tests this points to this
page:
https://stribika.github.io/2015/01/04/secure-secure-shell.html
...which suggests that removing all groups with size <2047 from
/etc/ssh/moduli will prevent OpenSSH server from picking any group
with less than 2048 bits. (Which, at that point, will break the
client?)
In summary, I think what this boils down to is that for OpenSSH
client, if SHA-1 key exchange algorithms must be enabled for backward
compatibility, then the preferred list/ordering should be:
* diffie-hellman-group-exchange-sha1
* diffie-hellman-group14-sha1
This is true because OpenSSH client is well-behaved when it comes to
picking the size of the group for group-exchange, such that it will
never be smaller than group14 (2048), and will almost always be
larger.
But: for OpenSSH server, it is not safe to enable either of:
* diffie-hellman-group-exchange-sha1
* diffie-hellman-group-exchange-sha256
...because OpenSSH server cannot prevent a random (potentially insane)
ssh client from picking a small group (at least not without removing
them from /etc/ssh/moduli, if the distribution is shipping an older
OpenSSH that still has them).
Or have I misunderstood?
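The group-exchange negotiation discussed in this thread (the client's min/n/max request, the server's clamping of it and its scan of /etc/ssh/moduli, and the effect of trimming the moduli file) can be tried offline with the following model. This is an added example, not code from OpenSSH or from either participant in the thread. The constants and thresholds follow my reading of OpenSSH's dh.h, dh.c (dh_estimate, choose_dh) and kexgexs.c; in particular DH_GRP_MIN is 2048 in current releases but was 1024 in older ones, and the fallback split point below is a guess. The moduli lines are constructed and carry truncated hex moduli. Verify every constant against the sshd you actually run.

```python
"""Model of RFC 4419 DH group-exchange group selection (added example,
not OpenSSH code).  It reproduces the client-side size estimate, the
server-side clamping of the client's (min, n, max) request and the
moduli-file scan, so the effect of an odd client request or of a
trimmed /etc/ssh/moduli can be observed without a live sshd.
Constants follow my reading of dh.h/dh.c/kexgexs.c; check your version.
"""
import random

DH_GRP_MIN = 2048   # dh.h in current OpenSSH; older releases used 1024
DH_GRP_MAX = 8192

# Constructed /etc/ssh/moduli lines (time type tests tries size generator
# modulus).  Size is one less than the prime's bit length; the modulus
# column is truncated here, a real file carries the full hex prime.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20210310120000 2 6 100 1023 2 d1ab0f...
20210310120000 2 6 100 1023 5 e7c2a9...
20210310120000 2 6 100 2047 2 f30b11...
20210310120000 2 6 100 3071 2 a9d4c2...
20210310120000 2 6 100 4095 2 b8e103...
20210310120000 2 6 100 6143 2 c57f8e...
20210310120000 2 6 100 7679 2 d6a019...
20210310120000 2 6 100 8191 2 e1f2a3...
"""


def dh_estimate(bits):
    """Client side: group size wanted for `bits` of symmetric security
    (dh_need bytes * 8).  Never below 2048, as Damien says."""
    if bits <= 112:
        return 2048
    if bits <= 128:
        return 3072
    if bits <= 192:
        return 7680
    return 8192


def client_request(dh_need_bytes):
    """(min, n, max) an OpenSSH client puts in SSH2_MSG_KEX_DH_GEX_REQUEST."""
    return DH_GRP_MIN, dh_estimate(dh_need_bytes * 8), DH_GRP_MAX


def parse_moduli(text):
    """Yield the bit length of each group line in a moduli file."""
    for line in text.splitlines():
        fields = line.split()
        if line.startswith("#") or len(fields) != 7:
            continue
        yield int(fields[4]) + 1   # the whole group is one bit larger than Size


def filter_moduli(text, min_size=2047):
    """The trim the stribika page recommends: drop lines whose Size field
    is below min_size (2047 keeps 2048-bit and larger groups)."""
    keep = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 7 and not line.startswith("#") and int(fields[4]) < min_size:
            continue
        keep.append(line)
    return "\n".join(keep) + "\n"


def choose_dh(min_bits, want_bits, max_bits, moduli_text):
    """Server-side moduli scan: inside [min, max], climb to the smallest
    size not below want (the file is normally sorted ascending), else keep
    the largest seen; pick at random among lines of that size.
    Returns None when no line qualifies."""
    best, candidates = 0, []
    for size in parse_moduli(moduli_text):
        if size > max_bits or size < min_bits:
            continue
        if (size > want_bits and size < best) or (size > best and best < want_bits):
            best, candidates = size, []
        if size == best:
            candidates.append(size)
    return random.choice(candidates) if candidates else None


def server_choose_group(request, moduli_text, grp_min=DH_GRP_MIN, grp_max=DH_GRP_MAX):
    """Server side: clamp the client's (min, n, max) to the compiled-in
    limits, reject an inconsistent range, scan the moduli file, and fall
    back to a built-in group when the file yields nothing."""
    cmin, n, cmax = request
    cmin = max(grp_min, cmin)
    cmax = min(grp_max, cmax)
    n = min(max(grp_min, n), grp_max)
    if cmax < cmin or n < cmin or cmax < n:
        raise ValueError("DH GEX group out of range: %d < %d < %d" % (cmin, n, cmax))
    chosen = choose_dh(cmin, n, cmax, moduli_text)
    if chosen is None:
        # Assumption: the thread says the fallback is a 2k or 4k group; the
        # split point here is a guess, not taken from dh_new_group_fallback().
        chosen = 2048 if cmax < 3072 else 4096
    return chosen


if __name__ == "__main__":
    req = client_request(32)                     # the need=32 case from the log
    print("OpenSSH client asks", req, "-> server picks", server_choose_group(req, SAMPLE_MODULI))
    bogus = (1024, 1024, 1024)
    print("old build, 1023-bit lines present ->", server_choose_group(bogus, SAMPLE_MODULI, grp_min=1024))
    print("old build, moduli trimmed ->", server_choose_group(bogus, filter_moduli(SAMPLE_MODULI), grp_min=1024))
    try:
        server_choose_group(bogus, SAMPLE_MODULI)
    except ValueError as e:
        print("current build ->", e)
```

With a current DH_GRP_MIN the (1024<1024<1024) request is rejected outright because the clamped minimum exceeds the client's maximum; with the old 1024 minimum the server does hand out a 1024-bit group when the moduli file still contains Size 1023 lines, and trimming those lines makes it fall back to a larger built-in group instead. The model covers the server only: a client that enforces its own maximum would then refuse that larger group, which is the breakage the post anticipates.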