Re: DH Group Exchange Fallback

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On 09/22/2017 06:10 PM, Mark D. Baushke wrote:
> I suppose you want to be more paranoid:
>
> DH *
> dh_new_group_fallback(int max)
> {
>          debug3("%s: requested max size %d", __func__, max);
>          if (max <= 2048) {
>                  debug3("using 2k bit group 14");
>                  return dh_new_group14();
>          } else if (max <= 4096) {
>                  debug3("using 4k bit group 16");
>                  return dh_new_group16();
>          }
>          debug3("using 8k bit group 18");
>          return dh_new_group18();
> }

This wouldn't fix the underlying issue. I'm interested in having the code respect the admin's wishes. If the admin edits out entries in /etc/ssh/moduli, the server should follow that 100%, and not sometimes make decisions on its own, against what the admin told it point-blank. Both the existing code, and the above change results in unexpected behavior.

It seems like removing the fallback mechanism entirely is the way to go. If the server and client can't agree on a group-exchange, then the attempt should fail. And after all, the client is free to try again with another kex.

FYI, the OpenSSH client (v6.6) in Linux Mint 17 (which is a couple years old) requests a range of 1024 - 8192 bits by default. I can look into what PuTTY does, if anyone is interested. I strongly suspect, though, that modern clients aren't going to be impacted by removing the fallback.

   - Joe
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux