ECDSA and first connection; bug?
Dan Kaminsky
dan at doxpara.com
Fri Jan 28 10:36:29 EST 2011
On Thu, Jan 27, 2011 at 3:34 PM, Damien Miller <djm at mindrot.org> wrote:
> On Thu, 27 Jan 2011, Dan Kaminsky wrote:
>
>> On Thu, Jan 27, 2011 at 3:20 PM, Damien Miller <djm at mindrot.org> wrote:
>> > On Thu, 27 Jan 2011, Dan Kaminsky wrote:
>> >
>> >> Would this add a RTT? SSH is a little slow as is.
>> >
>> > No, it would just be an informational message sent from the server to the
>> > client probably right after the first SSH_MSG_NEWKEYS.
>>
>> A message that said "BTW, here's my other host keys" would be
>> excellent. Question: If we know the ECC key for something, should we
>> no longer respect the RSA/DSA key? My understanding is the ECC key is
>> stronger.
>
> In OpenSSH 5.7, the preference order is:
>
> #define KEX_DEFAULT_PK_ALG \
> "ecdsa-sha2-nistp256-cert-v01@openssh.com," \
> "ecdsa-sha2-nistp384-cert-v01@openssh.com," \
> "ecdsa-sha2-nistp521-cert-v01@openssh.com," \
> "ssh-rsa-cert-v01@openssh.com," \
> "ssh-dss-cert-v01@openssh.com," \
> "ssh-rsa-cert-v00@openssh.com," \
> "ssh-dss-cert-v00@openssh.com," \
> "ecdsa-sha2-nistp256," \
> "ecdsa-sha2-nistp384," \
> "ecdsa-sha2-nistp521," \
> "ssh-rsa," \
> "ssh-dss"
>
> -d
>
>
True, but suppose I'm a malicious server w/ the valid DSA key, but not
the ECC key. I could advertise DSA exclusively, and the question is:
Should the client accept the downgrade?
Also, shouldn't we prefer *more* secure keys to less secure keys, client side?
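
Added example, not part of the original message and not OpenSSH code: one way to express the client-side check the downgrade question above implies, flagging a server that withholds a host key type the client has already recorded for it. The `negotiate` and `assess_offer` helpers, the verdict names, the use of the quoted preference order as the ranking, and the sample inputs are assumptions.

```python
# Added illustration, not OpenSSH code: a hypothetical client-side policy check.
# Order is the KEX_DEFAULT_PK_ALG list quoted in the thread, most preferred first.
CLIENT_PREFERENCE = [
    "ecdsa-sha2-nistp256-cert-v01@openssh.com",
    "ecdsa-sha2-nistp384-cert-v01@openssh.com",
    "ecdsa-sha2-nistp521-cert-v01@openssh.com",
    "ssh-rsa-cert-v01@openssh.com",
    "ssh-dss-cert-v01@openssh.com",
    "ssh-rsa-cert-v00@openssh.com",
    "ssh-dss-cert-v00@openssh.com",
    "ecdsa-sha2-nistp256",
    "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521",
    "ssh-rsa",
    "ssh-dss",
]


def negotiate(server_offer, preference=CLIENT_PREFERENCE):
    """Simplified negotiation: first client-preferred algorithm the server lists."""
    offered = set(server_offer)
    return next((alg for alg in preference if alg in offered), None)


def assess_offer(known_types, server_offer, preference=CLIENT_PREFERENCE):
    """Classify a server's offer against key types already recorded for the host.

    known_types stands in for a known_hosts lookup (assumed, constructed input).
    Returns (verdict, negotiated_algorithm).
    """
    rank = {alg: i for i, alg in enumerate(preference)}
    chosen = negotiate(server_offer, preference)
    if chosen is None:
        return ("no-common-algorithm", None)
    if not known_types:
        return ("first-contact", chosen)
    # chosen is the best-ranked offered type, so any recorded type that
    # outranks it is one the server did not advertise this time.
    withheld = [t for t in known_types if t in rank and rank[t] < rank[chosen]]
    if withheld:
        return ("downgrade", chosen)
    if chosen in known_types:
        return ("verify-pinned-key", chosen)
    return ("unpinned-preferred-type", chosen)


if __name__ == "__main__":
    # Constructed case from the message: ECDSA and DSA recorded, only DSA offered.
    print(assess_offer(["ecdsa-sha2-nistp256", "ssh-dss"], ["ssh-dss"]))
```

The `unpinned-preferred-type` verdict covers the opposite situation, where the server offers a type the client prefers but has no recorded key for, so the client would be verifying against nothing.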