[Bug 2302] New: ssh (and sshd) should not fall back to deselected KEX algos
bugzilla-daemon at mindrot.org
Wed Oct 29 07:21:15 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2302
Bug ID: 2302
Summary: ssh (and sshd) should not fall back to deselected KEX algos
Product: Portable OpenSSH
Version: 6.7p1
Hardware: All
OS: All
Status: NEW
Severity: security
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: calestyo at scientia.net
Hi.
In a recent discussion[0], Christian Weisgerber pointed me to the fact
that ssh/sshd fall back to diffie-hellman-group14-sha1 if client and
server couldn't agree on parameters for DH GEX,... even when client
and/or server intentionally removed diffie-hellman-group14-sha1 from
their KEX preference list (which is like explicitly/intentionally
disabling it).
It seems that this is not exactly correct - I made some tests and it
seems that this fallback only happens if /etc/ssh/moduli is completely
empty... as long as a single entry is in the moduli file, then no
fallback seems to be performed, even if client and server couldn't
agree.
But this puts all control in the hands of the server, and while one can't
protect against "evil" servers one may want to protect against servers
that are just weakly configured (without any malicious intent).
Even with the ECDH algos in place now mostly replacing the plain DH
algos, it would be nice if this fallback would no longer happen or if
it could at least be disabled (e.g. if the RFC would mandate it for a
conforming implementation).
If a user/admin removes it from his KEX algo preference list, then he
probably does so by intention and thus this shouldn't be silently
reverted again by ssh/sshd.
Further, according to e.g. the ECRYPT II recommendations,... a 2048-bit
group as in group14 is only suggested for something between "legacy
standard level" and "Medium term protection",... which may not be
enough for some people.
Since it's typically those people who try to disable the algo by
removing it from their preference lists, that fallback behaviour is
even more of a problem.
Of course, any such fallback mechanisms should be disabled on both
sides, ssh and sshd,... and if it happens with other algos than
diffie-hellman-group14-sha1, then that should be stopped as well.
Cheers,
Chris.
[0]
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-October/033056.html
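As an added check, not part of this bug report or of OpenSSH itself, the script below parses a moduli file in the moduli(5) line format and reports the conditions the report describes: whether the file is empty (the state in which the reporter observed the group14 fallback) and which DH GEX group sizes it actually offers. The sample moduli lines are constructed and are not real primes; the size column is not trusted, the bit length is taken from the modulus value itself.

```python
"""Audit an OpenSSH moduli file for the DH GEX fallback condition."""
from typing import Dict, List, NamedTuple


class ModuliEntry(NamedTuple):
    bits: int         # real size of the modulus, computed from the hex value
    generator: int
    safe_prime: bool  # type column "2" = Sophie Germain (safe) prime


def parse_moduli(text: str) -> List[ModuliEntry]:
    """Parse moduli(5) lines: time type tests tries size generator modulus."""
    entries: List[ModuliEntry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue  # not a well-formed moduli line; skip it
        _time, typ, _tests, _tries, _size, gen, modulus = fields
        bits = int(modulus, 16).bit_length()  # ignore the size column
        entries.append(ModuliEntry(bits, int(gen), typ == "2"))
    return entries


def audit(text: str, min_bits: int = 3072) -> Dict[str, object]:
    """Summarise what DH GEX can negotiate from this moduli content."""
    entries = parse_moduli(text)
    by_size: Dict[int, int] = {}
    for e in entries:
        by_size[e.bits] = by_size.get(e.bits, 0) + 1
    return {
        # empty moduli is the state in which the reporter saw the fallback
        "empty": not entries,
        "sizes": by_size,
        # sizes below the chosen floor (3072 by default, above group14)
        "weak": sorted({e.bits for e in entries if e.bits < min_bits}),
        "not_safe_prime": sum(1 for e in entries if not e.safe_prime),
    }


# Constructed sample: the moduli are all-ones values, NOT real safe primes.
SAMPLE = (
    "# constructed sample moduli file\n"
    f"20141029000000 2 6 100 2047 2 {'F' * 512}\n"
    f"20141029000000 2 6 100 3071 5 {'F' * 768}\n"
    f"20141029000000 2 6 100 1023 2 {'F' * 256}\n"
)

if __name__ == "__main__":
    print(audit(SAMPLE))
```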