Displaying 20 results from an estimated 163 matches for "group14".

2019 Jan 19
4
Can we disable diffie-hellman-group14-sha1 by default?
I'm not sure if collision resistance is required for DH key derivation, but generally, SHA-1 is on its way out. If it's possible (if there's not a very large percentage of servers that do not support anything newer), it should be disabled.
2017 Sep 23
2
DH Group Exchange Fallback
On 09/22/2017 06:55 PM, Tim Broberg wrote: > Do I understand correctly, that you find the security of group 14 unacceptable and yet you left it enabled? In the end, I'm trying to ensure a minimum equivalent of 128-bits of security. Group14 is 2048-bits, which roughly translates to 112-bits. [1] To this end, I disabled the "diffie-hellman-group14-sha1" and "diffie-hellman-group14-sha256" kex algorithms, but the problem is that the group exchange "diffie-hellman-group-exchange-sha256" is not respecting...
2007 Jan 08
0
How to remove group1 and group14 from OpenSSH..
Hello everyone.. I am fairly new to the patching format.. so I just decided to post a basic info about how to remove group1 and group14 diffie key exchange in OpenSSH. I know that they are listed as required in RFC 4253 but I don't want a client to have the choice to use a 1024 bit prime for the key exchange. If someone is getting into my system.. they should upgrade to a new client. I am a fan of 8192 bit primes : ) I also g...
2019 Feb 14
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
Can we disable diffie-hellman-group14-sha1 too? On Thu, Feb 14, 2019 at 10:23 PM Mark D. Baushke <mdb at juniper.net> wrote: > > Hi John, > > The short answer is YES. > > Jon DeVree <nuxi at vault24.org> writes: > > > I ask because the removal of diffie-hellman-group-exchange-sha1 happened > &...
2019 Jan 19
3
Can we disable diffie-hellman-group14-sha1 by default?
e.g. can we make it throw warnings etc. rsa-sha2-256 and rsa-sha2-512 are fine, they use PSS. On Sun, Jan 20, 2019 at 1:55 AM Yegor Ievlev <koops1997 at gmail.com> wrote: > > Also can we do anything with ssh-rsa? It uses both SHA-1 and > deprecated PKCS#1 padding. If it's used to sign certificates, there's > no additional protection of SHA-2 hashing before SHA-1
2007 Sep 21
4
Diffie Hellman key exchange algorithms
A few questions regarding the OpenSSH support for the Diffie Hellman key exchange algorithms: (1) Are the "diffie-hellman-group-exchange-sha256", "diffie-hellman-group-exchange-sha1", "diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1" (as defined in RFCs 4253 and RFC 4419) the complete list of key exchange algorithms supported by OpenSSH? (2) Is there a way to configure the DH key exchange algorithms to be supported? For e.g. if we want to support only "diffie-hellman-group...
2018 Mar 06
2
Failed connections 7.6 to 5.2
...iguration data /etc/ssh/ssh_config.d/05-redhat.conf debug3: /etc/ssh/ssh_config.d/05-redhat.conf line 2: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config debug3: gss kex names ok: [gss-gex-sha1-,gss-group14-sha1-] debug3: kex names ok: [curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1] debug1: /etc/ssh/ssh_config.d/05-redhat.conf line 8: Applying options for * deb...
2017 Sep 21
5
DH Group Exchange Fallback
...lman-group-exchange-sha256" kex, so I edited my /etc/ssh/moduli file such that only 3071+ moduli are left. However, when clients ask for a max of 2048-bit moduli, they actually get one (!). I poked around and found that a fallback mechanism exists (dh.c:185), which returns back the fixed group14 Group in that case (dh.c:441). I gotta say... having a fallback mechanism here seems pretty strange. The entire point of the group exchange is to use a dynamic group and not a static one. Otherwise, the admin would have chosen to use "diffie-hellman-group[14,16,18]-sha256". Le...
2017 Sep 22
6
DH Group Exchange Fallback
On 09/22/2017 03:22 PM, Daniel Kahn Gillmor wrote: > On Thu 2017-09-21 18:12:44 -0400, Joseph S Testa II wrote: >> I gotta say... having a fallback mechanism here seems pretty >> strange. The entire point of the group exchange is to use a dynamic >> group and not a static one. > > fwiw, i think dynamic groups for DHE key exchange is intrinsically > problematic
2016 Nov 08
4
one host only: ssh_dispatch_run_fatal
Darren Tucker <dtucker at zip.com.au> writes: > On Tue, Nov 8, 2016 at 1:02 PM, Harry Putnam <reader at newsguy.com> wrote: > [...] >> gv harry> ssh -vv 2x >> >> OpenSSH_7.3p1-hpn14v11, OpenSSL 1.0.2j 26 Sep 2016 > > this is a third-party modified version of OpenSSH. Can you reproduce > the problem with a stock OpenSSH from the source from
2019 Oct 17
2
DSA key not accepted on CentOS even after enabling
...56-ctr,aes256-cbc,aes128-gcm at openssh.com,aes128-ctr,aes128-cbc -oMACs=hmac-sha2-256-etm at openssh.com,hmac-sha1-etm at openssh.com, umac-128-etm at openssh.com,hmac-sha2-512-etm at openssh.com ,hmac-sha2-256,hmac-sha1,umac-128 at openssh.com,hmac-sha2-512 -oGSSAPIKexAlgorithms=gss-gex-sha1-,gss-group14-sha1- -oKexAlgorithms= curve25519-sha256 at libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sh...
2016 Nov 08
4
one host only: ssh_dispatch_run_fatal
...etting O_NONBLOCK debug1: Authenticating to 2x:22 as 'harry' debug2: compat_kex_proposal: original KEX proposal: curve25519-sha256 at libssh.org,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1,ext-info-c debug2: Compat: skipping algorithm "curve25519-sha256 at libssh.org" debug2: compat_kex_proposal: compat KEX proposal: diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchan...
2015 May 22
3
Weak DH primes and openssh
...t until very > recently (ie after their 0.64 release) they didn't do the one that was > actually standardized in RFC4419. OpenSSH recently removed support for > that non-standard one and as a result we don't offer DHGEX to PuTTY > versions <= 0.64 so they'll fall back to group14 (2k bit fix group). I think this is wrong. This commit [0] from 2005 appears to show the addition of diffie-hellman-group-exchange-sha256 support to PuTTY. I've also just successfully connected to a local test OpenSSH server (v6.7p1, as packaged by Debian) with only diffie-hellman-group-exch...
2017 Sep 24
3
DH Group Exchange Fallback
...s not necessarily in > the moduli file. Section 3 says: "The server should return the smallest group it knows that is larger than the size the client requested." Even though my system has values in /etc/ssh/moduli that are 3072-bits all the way up to 8192-bits, it's still returning group14. I suppose with a loose interpretation, you could say OpenSSH is still adhering to the spec, since, technically, it does know about group14... However, my main point still stands. The admin is unambiguously saying "ONLY use these groups", yet in some cases, the present code disregar...
2014 Oct 28
22
[Bug 2302] New: ssh (and sshd) should not fall back to deselected KEX algos
...tus: NEW Severity: security Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: calestyo at scientia.net Hi. In a recent discussion[0], Christian Weisgerber pointed me to the fact that ssh/sshd fall back to diffie-hellman-group14-sha1 if client and server couldn't agree on parameters for DH GEX,... even when client and/or server intentionally removed diffie-hellman-group14-sha1 from their KEX preference list (which is like explicitly/intentionally disabling it). It seems that this is not exactly correct - I made some t...
2016 Feb 09
2
Test Failure OpenSSH 7.1 P2 on HPE NSE for integrity
...oad_hostkeys: loaded 2 keys from localhost-with-alias debug3: order_hostkeyalgs: prefer hostkeyalgs: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa debug1: SSH2_MSG_KEXINIT sent debug1: SSH2_MSG_KEXINIT received debug2: kex_parse_kexinit: diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 debug2: kex_parse_kexinit: ssh-ed25519-cert-v01 at openssh.com,ssh-rsa-cert-v01 at openssh.com,ssh-ed25519,ss h-rsa,ecdsa-sha2-nistp256-cert-v01 at openssh.com,ecdsa-sha2-nistp384-cert-v01@ openssh.com,ecdsa-sha2-nistp521-cert-v01 at openssh.com,ecdsa-sha2-nistp256,...
2015 Dec 11
16
[Bug 2515] New: Implement diffie-hellman-group{14,15,16)-sha256
...tus: ASSIGNED Severity: enhancement Priority: P3 Component: ssh Assignee: dtucker at zip.com.au Reporter: dtucker at zip.com.au Blocks: 2451 The IETF ssh working group has proposed adding MODP groups 15 and 16 with SHA256 and deprecating group14-sha1 (we're already doing the latter). https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2/ Referenced Bugs: https://bugzilla.mindrot.org/show_bug.cgi?id=2451 [Bug 2451] Bugs intended to be fixed in 7.2 -- You are receiving this mail because: You are watching the reporter of t...
2015 May 21
8
Weak DH primes and openssh
...o about this issue, and what Debian might do for our users? openssh already prefers ECDH, which must reduce the impact somewhat, although the main Windows client (PuTTY) doesn't support ECDH yet. But openssh does still offer diffie-hellman-group1-sha1 (uses a 1024-bit group) and diffie-hellman-group14-sha1 (uses a 2047-bit group), which must be considered a bit suspect? Of course RFC4253 says implementations MUST offer these... The moduli file you provide has this distribution of sizes: size count 1023 36 1535 50 2047 36 3071 31 4095 41 6143 27 8191 39 Would it be sensible to remove t...
2019 Feb 14
2
Can we disable diffie-hellman-group-exchange-sha1 by default?
I ask because the removal of diffie-hellman-group-exchange-sha1 happened accidentally in 7.8 due to a mistake in a change to readconf.c. I noticed this and filed a bug about it along with a patch to fix readconf.c to use KEX_CLIENT_* like it used to: https://github.com/openssh/openssh-portable/commit/1b9dd4aa https://bugzilla.mindrot.org/show_bug.cgi?id=2967 It's clear the removal was unintentional