Re: [EC]DH KEx and how to restrict ssh/sshd to secure(er) DH parameters

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Sun, 2014-10-19 at 17:07 +0000, Christian Weisgerber wrote: 
> > Just out of curiosity,... what is done to make the the DH authenticated?
> > I guess it depends on the chosen HostKeyAlogrithm (so either RSA, DSS,
> > ECDSA or EdDSA)... but do client/server exchange the DH parameters
> > signed or doe they exchange a signed version of the agreed key?
> https://tools.ietf.org/html/rfc4253#section-8
So it's basically the signature s over H, which includes amongst others
K from the server.
Why is there never a step, in which the server S somehow verifies that e
actually comes from C (i.e. authenticating C)?


> > a) Documentations seems to imply that this is only used by sshd?
> > So how does the ssh client come to his accepted parameters? Does he
> > simply take anything a SSH server proposes?
> 
> The client sends the minimal/preferred/maximal group size, and the
> server picks a group and responds with the modulus and generator
> for the group.
> https://tools.ietf.org/html/rfc4419

So with DH group exchange, I have no way to tell the client to only
accept larger groups, or is there any configuration option where I can
say, e.g. minimal=4096 or whatever?

Wouldn't it be nice to have an option to set min/pref/max?


And it basically also means, the client checks just for the group
size,... and has no way to accept/reject certain moduli?
Now for ECDH, we know that some curves may be insecure,... is the same
known for DH? I.e. could a server accidentally propose the client an
insecure moduli (which the client takes without any check except for the
group size)?


> > b) How can I restrict what the server accepts as parameters?
> > E.g. if I think 1024 bit groups are to weak, can I simply remove those
> > entries from the moduli file and such groups will no longer be used?
> 
> If the server doesn't find (a suitable group in) /etc/moduli, it
> will fall back to the group from diffie-hellman-group14-sha1.
So that means, that even when I have diffie-hellman-group1-sha1
and diffie-hellman-group14-sha1 disabled... and when I only have e.g.
8129 bit groups in /etc/ssh/moduli...
It will still fall back to using the "weak" groups from
diffie-hellman-group14-sha1?

Wouldn't it be good to have an option to disable this fallback?


So in other words, as soon as I have normal DH kex algos enabled, I can
neither force the client (who will anyway accept what the server gives
him in the min/max range) nor the server to use "stronger" groups, and
they'll always fall back to at least the - what was it? - 2048bit group
from diffie-hellman-group14-sha1.



Thanks,
Chris.

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux