On 09/24/2017 12:21 AM, Mark D. Baushke wrote:
> I suggest you upgrade to a more recent edition of the OpenSSH software. The most recent release is OpenSSH 7.5 and OpenSSH 7.6 will be released very soon.
This problem is in v7.5 and v7.6. See dh.c:436.
> OpenSSH 6.6 was first released on October 6, 2014.
I brought up v6.6 to give an example that older clients wouldn't be impacted by the removal of the fallback mechanism.
> You should also take a closer look at RFC 4419. I believe you will find that returning the biggest prime the SSH daemon knows which is larger than the requested prime is correct. Even if it is not necessarily in the moduli file.
Section 3 says: "The server should return the smallest group it knows that is larger than the size the client requested." Even though my system has values in /etc/ssh/moduli that are 3072-bits all the way up to 8192-bits, it's still returning group14. I suppose with a loose interpretation, you could say OpenSSH is still adhering to the spec, since, technically, it does know about group14...
However, my main point still stands. The admin is unambiguously saying "ONLY use these groups", yet in some cases, the present code disregards this and unexpectedly does something else.
Written in March 2006, RFC 4419 also says "Servers and clients SHOULD support groups with a modulus length of k bits, where 1024 <= k <= 8192." Hence, removing this fallback mechanism "SHOULDN'T" be a problem, as clients have been encouraged for 11+ years to support groups up to 8192-bit. It strongly appears that the code can be reasonably changed to return the smallest group it knows (i.e.: the smallest value in /etc/ssh/moduli), without causing significant interoperability problems.
Motion to remove the group-exchange fallback mechanism entirely.

- Joe

P.S. I volunteer to write the patch if this change would be accepted.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
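As an added illustration of the selection rule under discussion (this is example code written for this page, not OpenSSH's dh.c and not anything posted in the thread), the following Python applies RFC 4419 section 3 to a constructed stand-in for an administrator-pruned /etc/ssh/moduli. The `Candidate` records, the `ADMIN_MODULI` list and the `fallback_to_group14` flag are assumptions: the flag models the behaviour the message objects to (handing out the built-in group14 when nothing in the moduli file fits), and the code does not claim to reproduce the exact condition under which OpenSSH's fallback triggers.

```python
"""RFC 4419 section 3 group selection for diffie-hellman-group-exchange.

Added example for the discussion above; not OpenSSH code. The candidate
list is a constructed stand-in for an admin-pruned /etc/ssh/moduli in
which only the modulus bit length matters for the selection decision.
"""
from dataclasses import dataclass
from typing import Optional, Sequence

GROUP14_BITS = 2048  # RFC 3526 group14, the built-in group the thread says gets returned


@dataclass(frozen=True)
class Candidate:
    bits: int     # modulus length in bits
    source: str   # constructed label saying where the group came from


# Constructed: the admin kept only 3072-bit and larger groups in the moduli file.
ADMIN_MODULI = tuple(
    Candidate(b, f"/etc/ssh/moduli:{b}") for b in (3072, 4096, 6144, 7680, 8192)
)

GROUP14 = Candidate(GROUP14_BITS, "builtin:group14")


def choose_group(candidates: Sequence[Candidate], min_bits: int, n_bits: int,
                 max_bits: int, fallback_to_group14: bool = False) -> Optional[Candidate]:
    """Pick a group for a KEX_DH_GEX_REQUEST carrying (min, n, max).

    RFC 4419 s.3: return the smallest known group that is at least the
    requested size n; if no known group is that large, return the largest
    known group. Only groups inside the client's [min, max] window count.

    fallback_to_group14 is an assumption modelling the behaviour the thread
    objects to: when nothing in the moduli file fits the window, hand out
    the built-in group14 instead of refusing. With the flag off, the admin's
    list is authoritative and None means "no acceptable group".
    """
    if not (0 < min_bits <= n_bits <= max_bits):
        raise ValueError("client window must satisfy min <= n <= max")

    in_window = [c for c in candidates if min_bits <= c.bits <= max_bits]
    if in_window:
        at_least_n = [c for c in in_window if c.bits >= n_bits]
        if at_least_n:
            return min(at_least_n, key=lambda c: c.bits)
        # Nothing as large as requested: RFC 4419 says use the largest known.
        return max(in_window, key=lambda c: c.bits)

    # Moduli file has nothing inside the client's window.
    if fallback_to_group14 and min_bits <= GROUP14_BITS <= max_bits:
        return GROUP14
    return None


if __name__ == "__main__":
    # Constructed client requests (min, n, max) as carried in KEX_DH_GEX_REQUEST.
    requests = [(2048, 3072, 8192), (1024, 2048, 8192), (1024, 5000, 8192),
                (2048, 16384, 16384), (1024, 2048, 2048)]
    for window in requests:
        strict = choose_group(ADMIN_MODULI, *window)
        lenient = choose_group(ADMIN_MODULI, *window, fallback_to_group14=True)
        print(f"request {window}: admin-list-only -> "
              f"{strict.source if strict else 'no acceptable group'}; "
              f"with group14 fallback -> {lenient.source if lenient else 'none'}")
```

The second request in the demo is the case from the message: a client asking for n=2048 against a moduli file that starts at 3072 bits gets the 3072-bit group under the RFC rule, not group14. The fallback only changes the outcome for the last request, where the client's upper bound excludes everything the admin allowed; with the flag off the server has no group to offer and the exchange cannot proceed with that method, which is the "ONLY use these groups" outcome the message argues for.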