questions regarding session establishment in SSH

Daniel Dent
Mon Jan 12 20:05:53 AEDT 2015


I spent some time today with RFC4253, RFC5056 and the OpenSSH source code and I have a few questions.

1) For authentication methods such as "publickey" that work by providing a signature over a session identifier, is it fair to say that a MITM attacker is unable to use a MITM attack to log in to the server the client meant to log into? The reason I believe that to be the case is that the SSH protocol appears to have both endpoint and unique channel bindings through its session identifier mechanisms.

If that holds true, then if:
* publickey authentication is used on a connection, and
* a shared secret is available on both the SSH server and the SSH client, which the server will only provide after a user authenticates, and
* the SSH server is able to provide the SSH client with the secret, then
an SSH client can safely conclude that no MITM attack has occurred.

Per my blog post at, I am looking for an easy way to bring new hosts online and know that the initial connection to them has not been subject to a MITM. I proposed a more complicated approach that could work for any authentication method, but with further analysis I believe that if the authentication method is restricted to ones which leverage channel bindings, then all that is needed is to have a way to load a shared secret onto servers.

2) How was the 16-byte/128-bit size of the cookie in SSH_MSG_KEXINIT chosen?

In earlier versions of the protocol, a 16-byte cookie would have had both the client and the server contributing at least as much entropy as the output of the hash function it contributed entropy towards (MD5). But that no longer holds true. Has there been any analysis done on the adequacy of a 16-byte cookie?

3) Regarding section 7.2 of RFC4253:

An explanation of how keys are chosen is given, ending with "This process will lose entropy if the amount of entropy in K is larger than the internal state size of HASH."

The keys described in 7.2 are chosen using the output of hash functions; there is only so much entropy available in the output of those hash functions. If the amount of entropy is less than the key size of the encryption functions, does that not mean that the higher key size is only a dangerous illusion?



Daniel Dent
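The following is an added worked example, not part of Daniel's post and not OpenSSH's code. It implements the exchange hash of RFC 4253 section 8, the key derivation of section 7.2 that question 3 refers to, and the publickey signature input of RFC 4252 section 7, and runs them through the direct and man-in-the-middle cases behind question 1. Every version string, KEXINIT payload, host-key blob, DH value and shared secret in it is a constructed placeholder rather than captured protocol data, and the Diffie-Hellman values are given rather than computed.

```python
"""RFC 4253 exchange hash (section 8) and key derivation (section 7.2), with the
RFC 4252 section 7 publickey signature input, run through a direct exchange and
a man-in-the-middle exchange.  Constructed example: every version string,
KEXINIT payload, host-key blob, DH value and shared secret below is a
placeholder, not captured protocol data."""
import hashlib

USERAUTH_REQUEST = 50  # SSH_MSG_USERAUTH_REQUEST, RFC 4252


def ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for n >= 0: minimal two's-complement big-endian value
    (a leading 0x00 when the top bit is set), encoded as a string."""
    if n == 0:
        return ssh_string(b"")
    return ssh_string(n.to_bytes(n.bit_length() // 8 + 1, "big"))


def exchange_hash(hash_name, V_C, V_S, I_C, I_S, K_S, e, f, K):
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K), RFC 4253 section 8.
    Each field is length-prefixed as a string or mpint.  H of the first key
    exchange is the session identifier."""
    h = hashlib.new(hash_name)
    for field in (V_C, V_S, I_C, I_S, K_S):
        h.update(ssh_string(field))
    for n in (e, f, K):
        h.update(ssh_mpint(n))
    return h.digest()


def derive_key(hash_name, K, H, letter, session_id, need):
    """RFC 4253 section 7.2: K1 = HASH(K || H || X || session_id) and, when more
    bytes are needed, K(n+1) = HASH(K || H || K1 || ... || Kn).  Every block is
    a hash output over the same K and H."""
    prefix = ssh_mpint(K) + H
    key = hashlib.new(hash_name, prefix + letter + session_id).digest()
    while len(key) < need:
        key += hashlib.new(hash_name, prefix + key).digest()
    return key[:need]


def userauth_signed_data(session_id, user, service, pk_alg, pubkey_blob):
    """Bytes the client signs for 'publickey' authentication, RFC 4252 section 7.
    The session identifier is the first field: this is the channel binding."""
    return (ssh_string(session_id) + bytes([USERAUTH_REQUEST]) + ssh_string(user)
            + ssh_string(service) + ssh_string(b"publickey") + b"\x01"
            + ssh_string(pk_alg) + ssh_string(pubkey_blob))


# Constructed fixtures shared by both scenarios (placeholders, not real data).
V_C, V_S = b"SSH-2.0-ExampleClient", b"SSH-2.0-ExampleServer"
I_C, I_S = b"\x14client-kexinit-placeholder", b"\x14server-kexinit-placeholder"
K_S_REAL = b"hostkey-blob-of-real-server"
K_S_MITM = b"hostkey-blob-of-attacker"
E_CLIENT, F_SERVER, K_DIRECT = 0x1F3A5C7E9B, 0x2D4F6A8C0E, 0x7B9D1F3A5C7E9B1D
E_MITM, F_MITM = 0x3C5E7A9C1E, 0x4B6D8F0A2C
K_CLIENT_MITM, K_MITM_SERVER = 0x1122334455, 0x6677889900
USER, PK_ALG, PUBKEY = b"daniel", b"ssh-ed25519", b"user-public-key-blob"


def direct_exchange(hash_name="sha256"):
    """No interposition: both ends hash identical inputs."""
    H_client = exchange_hash(hash_name, V_C, V_S, I_C, I_S, K_S_REAL, E_CLIENT, F_SERVER, K_DIRECT)
    H_server = exchange_hash(hash_name, V_C, V_S, I_C, I_S, K_S_REAL, E_CLIENT, F_SERVER, K_DIRECT)
    return H_client, H_server


def mitm_exchange(hash_name="sha256"):
    """An attacker runs one key exchange with the client (presenting its own host
    key and f) and a separate one with the server (sending its own e).  The two
    legs have different K_S, e, f and K, so the session identifiers differ."""
    H_client = exchange_hash(hash_name, V_C, V_S, I_C, I_S, K_S_MITM, E_CLIENT, F_MITM, K_CLIENT_MITM)
    H_server = exchange_hash(hash_name, V_C, V_S, I_C, I_S, K_S_REAL, E_MITM, F_SERVER, K_MITM_SERVER)
    return H_client, H_server


def signed_data_matches(H_client, H_server):
    """True when the bytes the client signs equal the bytes the server verifies
    against, i.e. when a relayed publickey signature would be accepted."""
    client_side = userauth_signed_data(H_client, USER, b"ssh-connection", PK_ALG, PUBKEY)
    server_side = userauth_signed_data(H_server, USER, b"ssh-connection", PK_ALG, PUBKEY)
    return client_side == server_side


if __name__ == "__main__":
    for name, (Hc, Hs) in (("direct", direct_exchange()), ("mitm", mitm_exchange())):
        print(f"{name}: session ids equal={Hc == Hs}, "
              f"publickey signature relayable={signed_data_matches(Hc, Hs)}")
    Hc, _ = direct_exchange("sha1")
    key = derive_key("sha1", K_DIRECT, Hc, b"C", Hc, 32)
    print("32-byte client-to-server key from a 20-byte hash:", key.hex())
```

In the MITM case the client signs over its own session identifier (computed from the attacker's host key, f and K), while the server checks the signature against a session identifier computed from the other leg, so the two signed byte strings differ. The `derive_key` call at the end shows the section 7.2 extension step for a key longer than the hash output: the extra bytes are a further hash over the same K and H plus the earlier blocks.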

More information about the openssh-unix-dev mailing list