On Thu, Mar 11, 2021 at 5:01 PM Damien Miller <djm@xxxxxxxxxxx> wrote:

> On Thu, 11 Mar 2021, James Ralston wrote:
>
> > On Wed, Mar 10, 2021 at 7:43 PM Damien Miller <djm@xxxxxxxxxxx> wrote:
> >
> > > diffie-hellman-group-exchange-sha1 will use a bigger/better MODP
> > > group than group14. If I had to enable one then that would be
> > > it.
> >
> > Is this guaranteed to be true even if /etc/ssh/moduli contains
> > small primes (e.g. 1023 bits)?
>
> Yes, see dh_estimate() in dh.c - it will never select a <2048 bit
> group and will usually select one considerably larger,
>
> If /etc/moduli is missing then dh_new_group_fallback() will use
> either a 2k or 4k group.

Who is determining this, though? The client or the server?

This exchange:

debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug3: receive packet: type 31
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 4092/8192
debug3: send packet: type 32
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug3: receive packet: type 33
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY

…suggests that the client tells the server its minimum, desired, and
maximum group size, and the server picks a group accordingly.

But what happens if a random ssh client (not OpenSSH) sends this?

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<1024) sent

Will OpenSSH server honor this and pick a 1024-bit group? The Nessus
hits against our RHEL7 hosts that have group-exchange enabled suggest
that OpenSSH server will honor this request.

The documentation for the Nessus plugin that tests this points to this
page:

https://stribika.github.io/2015/01/04/secure-secure-shell.html

…which suggests that removing all groups with size <2047 from
/etc/ssh/moduli will prevent OpenSSH server from picking any group with
less than 2048 bits. (Which, at that point, will break the client?)
In summary, I think what this boils down to is that for OpenSSH client,
if SHA-1 key exchange algorithms must be enabled for backward
compatibility, then the preferred list/ordering should be:

* diffie-hellman-group-exchange-sha1
* diffie-hellman-group14-sha1

This is true because OpenSSH client is well-behaved when it comes to
picking the size of the group for group-exchange, such that it will
never be smaller than group14 (2048), and will almost always be larger.

But: for OpenSSH server, it is not safe to enable either of:

* diffie-hellman-group-exchange-sha1
* diffie-hellman-group-exchange-sha256

…because OpenSSH server cannot prevent a random (potentially insane)
ssh client from picking a small group (at least not without removing
them from /etc/ssh/moduli, if the distribution is shipping an older
OpenSSH that still has them).

Or have I misunderstood?

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
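The two checks a defender would want after reading this thread are (a) spotting a peer that asks for a small group in the GEX_REQUEST debug output quoted above, and (b) auditing /etc/ssh/moduli for groups below 2048 bits, which is the mitigation the linked page describes. The script below is an added illustration written for this page; it is not code from the thread, from OpenSSH, or from the stribika page. The debug lines and moduli entries it contains are constructed samples laid out like the real thing (the moduli modulus fields are all-ones hex placeholders, not real safe primes), and the 2048-bit floor is the threshold the thread itself uses. Group size is taken from the bit length of the hex modulus rather than from the size field, so the check does not depend on the size field being one less than the bit length, as it is in real moduli files.

```python
#!/usr/bin/env python3
"""Audit helpers for SSH DH group exchange (added example, not OpenSSH code)."""
import re
import sys

# --- (a) GEX_REQUEST detection over client debug output -------------------

# Constructed sample, modelled on the debug lines quoted in the thread.
SAMPLE_DEBUG_LOG = """\
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 4092/8192
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<1024) sent
"""

# The debug line carries the request as min<preferred<max.
GEX_REQUEST_RE = re.compile(r"SSH2_MSG_KEX_DH_GEX_REQUEST\((\d+)<(\d+)<(\d+)\)")


def parse_gex_requests(log_text):
    """Return (min, preferred, max) tuples for every GEX_REQUEST line."""
    return [tuple(int(x) for x in m.groups())
            for m in GEX_REQUEST_RE.finditer(log_text)]


def weak_gex_requests(log_text, floor_bits=2048):
    """Requests whose maximum is below the floor: the peer refuses any
    group of at least floor_bits, so only a small group could be agreed."""
    return [r for r in parse_gex_requests(log_text) if r[2] < floor_bits]


# --- (b) moduli(5) audit ---------------------------------------------------

def _placeholder_modulus(bits):
    # Constructed placeholder: all-ones hex of the requested width.
    # Not a prime; only its bit length matters for this example.
    return "F" * (bits // 4)


# Constructed sample in moduli(5) layout:
#   time type tests tries size generator modulus
SAMPLE_MODULI = "\n".join([
    "# constructed sample moduli file",
    f"20210311000000 2 6 100 1023 2 {_placeholder_modulus(1024)}",
    f"20210311000000 2 6 100 2047 2 {_placeholder_modulus(2048)}",
    f"20210311000000 2 6 100 4095 5 {_placeholder_modulus(4096)}",
]) + "\n"


def parse_moduli(text):
    """Parse moduli lines into dicts; bit length comes from the modulus."""
    groups = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        fields = stripped.split()
        if len(fields) != 7:
            continue  # malformed line: skip rather than guess
        modulus = int(fields[6], 16)
        groups.append({
            "size_field": int(fields[4]),
            "bits": modulus.bit_length(),
            "line": stripped,
        })
    return groups


def small_groups(text, floor_bits=2048):
    """Groups the server could hand out that are below the floor."""
    return [g for g in parse_moduli(text) if g["bits"] < floor_bits]


def filter_moduli(text, floor_bits=2048):
    """Return the moduli text with sub-floor groups dropped; comments and
    blank lines are preserved so the file stays readable."""
    kept = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            kept.append(line)
            continue
        fields = stripped.split()
        if len(fields) == 7 and int(fields[6], 16).bit_length() >= floor_bits:
            kept.append(line)
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    # Usage: audit_gex.py [moduli-file]; without an argument the samples run.
    moduli_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MODULI
    for req in weak_gex_requests(SAMPLE_DEBUG_LOG):
        print(f"GEX_REQUEST with max {req[2]} bits: would force a small group")
    for g in small_groups(moduli_text):
        print(f"moduli entry of {g['bits']} bits (size field {g['size_field']})")
```

Run against a real file, `small_groups` reports exactly the entries the linked page tells you to remove, and `filter_moduli` produces the trimmed content; the GEX parser can be pointed at `ssh -vvv` output to confirm what a given client actually requests.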