[EC]DH KEx and how to restrict ssh/sshd to secure(er) DH parameters
Christoph Anton Mitterer
calestyo at scientia.net
Mon Oct 20 07:15:25 EST 2014
On Sun, 2014-10-19 at 17:07 +0000, Christian Weisgerber wrote:
> > Just out of curiosity,... what is done to make the the DH authenticated?
> > I guess it depends on the chosen HostKeyAlogrithm (so either RSA, DSS,
> > ECDSA or EdDSA)... but do client/server exchange the DH parameters
> > signed or doe they exchange a signed version of the agreed key?
> https://tools.ietf.org/html/rfc4253#section-8
So it's basically the signature s over H, which includes amongst others
K from the server.
Why is there never a step, in which the server S somehow verifies that e
actually comes from C (i.e. authenticating C)?
> > a) Documentations seems to imply that this is only used by sshd?
> > So how does the ssh client come to his accepted parameters? Does he
> > simply take anything a SSH server proposes?
>
> The client sends the minimal/preferred/maximal group size, and the
> server picks a group and responds with the modulus and generator
> for the group.
> https://tools.ietf.org/html/rfc4419
So with DH group exchange, I have no way to tell the client to only
accept larger groups, or is there any configuration option where I can
say, e.g. minimal=4096 or whatever?
Wouldn't it be nice to have an option to set min/pref/max?
And it basically also means, the client checks just for the group
size,... and has no way to accept/reject certain moduli?
Now for ECDH, we know that some curves may be insecure,... is the same
known for DH? I.e. could a server accidentally propose the client an
insecure moduli (which the client takes without any check except for the
group size)?
> > b) How can I restrict what the server accepts as parameters?
> > E.g. if I think 1024 bit groups are to weak, can I simply remove those
> > entries from the moduli file and such groups will no longer be used?
>
> If the server doesn't find (a suitable group in) /etc/moduli, it
> will fall back to the group from diffie-hellman-group14-sha1.
So that means, that even when I have diffie-hellman-group1-sha1
and diffie-hellman-group14-sha1 disabled... and when I only have e.g.
8129 bit groups in /etc/ssh/moduli...
It will still fall back to using the "weak" groups from
diffie-hellman-group14-sha1?
Wouldn't it be good to have an option to disable this fallback?
So in other words, as soon as I have normal DH kex algos enabled, I can
neither force the client (who will anyway accept what the server gives
him in the min/max range) nor the server to use "stronger" groups, and
they'll always fall back to at least the - what was it? - 2048bit group
from diffie-hellman-group14-sha1.
Thanks,
Chris.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/x-pkcs7-signature
Size: 5313 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20141019/e1e135eb/attachment.bin>
More information about the openssh-unix-dev
mailing list