Weak DH primes and openssh

Darren Tucker dtucker at zip.com.au
Sun May 24 09:20:27 AEST 2015


On Sun, May 24, 2015 at 1:14 AM, Grant <emailgrant at gmail.com> wrote:

> > Can this be addressed in ssh_config/sshd_config with the KexAlgorithms
> setting?
>
> weakdh.org/sysadmin.html recommends adding:
>
> KexAlgorithms curve25519-sha256 at libssh.org
>
> But this thread makes it sound as if it's not necessary.  Can anyone
> confirm?  Personally I'm on openssh-6.7.
>

There's 3 pieces of advice for OpenSSH there, and IMO two of them are bad
including that one.

Firstly the somewhat reasonable one: remove diffie-hellman-group1-sha1 from
KexAlgorithms, ie

KexAlgorithms curve25519-sha256 at libssh.org
,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1

That still means it'll break any implementation that doesn't do at least
group14.  I don't know of one, but it's possible.

Of the other two suggestions:
 - having just curve25519-sha256 at libssh.org will break interop with
anything that doesn't support it (and many don't) and doesn't buy you much
since on the client side the stronger methods will get used by preference.
 - regenerating the moduli file is in itself not a bad idea, but the
instructions given will result in a file that has only 2kbit groups, which
will result in significantly *weaker* groups being used in many cases (eg
OpenSSH will typically ask for 3kbit to 8kbit groups.

The other possible action that IMO would be reasonable but is not listed:
remove all of the 1kbit and 1.5kbit groups from the moduli file (or
omitting them when regenerating).

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list