On Sun, 2014-10-19 at 17:07 +0000, Christian Weisgerber wrote:

> > Just out of curiosity,... what is done to make the DH authenticated?
> > I guess it depends on the chosen HostKeyAlgorithm (so either RSA, DSS,
> > ECDSA or EdDSA)... but do client/server exchange the DH parameters
> > signed or do they exchange a signed version of the agreed key?
>
> https://tools.ietf.org/html/rfc4253#section-8

So it's basically the signature s over H, which includes amongst others K from the server.

Why is there never a step, in which the server S somehow verifies that e actually comes from C (i.e. authenticating C)?

> > a) Documentation seems to imply that this is only used by sshd?
> > So how does the ssh client come to his accepted parameters? Does he
> > simply take anything a SSH server proposes?
>
> The client sends the minimal/preferred/maximal group size, and the
> server picks a group and responds with the modulus and generator
> for the group.
> https://tools.ietf.org/html/rfc4419

So with DH group exchange, I have no way to tell the client to only accept larger groups, or is there any configuration option where I can say, e.g. minimal=4096 or whatever?
Wouldn't it be nice to have an option to set min/pref/max?

And it basically also means, the client checks just for the group size,... and has no way to accept/reject certain moduli?

Now for ECDH, we know that some curves may be insecure,... is the same known for DH? I.e. could a server accidentally propose an insecure modulus to the client (which the client takes without any check except for the group size)?

> > b) How can I restrict what the server accepts as parameters?
> > E.g. if I think 1024 bit groups are too weak, can I simply remove those
> > entries from the moduli file and such groups will no longer be used?
>
> If the server doesn't find (a suitable group in) /etc/moduli, it
> will fall back to the group from diffie-hellman-group14-sha1.

So that means, that even when I have diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1 disabled... and when I only have e.g. 8129 bit groups in /etc/ssh/moduli... it will still fall back to using the "weak" groups from diffie-hellman-group14-sha1?

Wouldn't it be good to have an option to disable this fallback?

So in other words, as soon as I have normal DH kex algos enabled, I can neither force the client (who will anyway accept what the server gives him in the min/max range) nor the server to use "stronger" groups, and they'll always fall back to at least the - what was it? - 2048 bit group from diffie-hellman-group14-sha1.

Thanks,
Chris.
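The question above of culling weak entries from /etc/ssh/moduli and what a server is left to offer for a client's min/pref/max request, as an added example that is not part of the thread. It assumes the moduli(5) size column records the bit length minus one (2047 for a 2048-bit group), uses constructed sample lines with placeholder hex moduli, and simplifies sshd's group selection to "closest size to the preferred size"; the real choose_dh logic differs in detail.

```python
from dataclasses import dataclass

GROUP14_BITS = 2048  # size of sshd's built-in fallback group (diffie-hellman-group14)

@dataclass
class Modulus:
    bits: int       # full group size in bits
    generator: int
    modulus: str    # hex modulus, kept verbatim so the line can be rewritten
    line: str

def parse_moduli(text):
    """Parse lines of the form: time type tests tries size generator modulus."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) != 7:
            raise ValueError("malformed moduli line: %r" % line)
        # Assumption: the size column stores the bit length minus one (2047 => 2048-bit)
        entries.append(Modulus(int(f[4]) + 1, int(f[5]), f[6], line))
    return entries

def filter_moduli(entries, min_bits):
    """Keep only groups of at least min_bits; writing these lines back culls weak groups."""
    return [m for m in entries if m.bits >= min_bits]

def server_choice(entries, client_min, client_pref, client_max):
    """Group a server could offer for a gex request, or None when nothing fits
    (the case in which, as the thread says, sshd falls back to group14).
    Simplified rule (constructed): pick the size closest to client_pref."""
    fits = [m for m in entries if client_min <= m.bits <= client_max]
    if not fits:
        return None
    return min(fits, key=lambda m: abs(m.bits - client_pref))

# Constructed sample file: the hex moduli are placeholders, not real safe primes.
SAMPLE_MODULI = """\
# constructed for this example
20141019000000 2 6 100 1023 2 c0ffee01
20141019000000 2 6 100 2047 2 c0ffee02
20141019000000 2 6 100 4095 5 c0ffee03
"""

if __name__ == "__main__":
    strong = filter_moduli(parse_moduli(SAMPLE_MODULI), 3072)
    for req in ((2048, 4096, 8192), (1024, 2048, 2048)):
        pick = server_choice(strong, *req)
        print(req, pick.bits if pick else "no group: fallback to group14 (%d bits)" % GROUP14_BITS)
```

The second request shows the situation the thread describes: once every remaining modulus lies outside the client's range, nothing in the file is usable and the built-in group14 is what gets used.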
_______________________________________________
openssh-unix-dev mailing list
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev