Weak DH primes and openssh

Darren Tucker dtucker at zip.com.au
Wed May 27 19:58:01 AEST 2015


On Sat, May 23, 2015 at 12:30 AM, David McBride <dwm37 at cam.ac.uk> wrote:

> On Fri, May 22, 2015 at 12:27:01, Darren Tucker <dtucker at zip.com.au>
> wrote:
>
> > Note that PuTTY does do Diffie-Hellman Group Exchange, but until very
> > recently (ie after their 0.64 release) they didn't do the one that was
> > actually standardized in RFC4419.  OpenSSH recently removed support for
> > that non-standard one and as a result we don't offer DHGEX to PuTTY
> > versions <= 0.64 so they'll fall back to group14 (2k bit fixed group).
>
> I think this is wrong.
>

I've looked into it some more and unfortunately it's not wrong.


> This commit [0] from 2005 appears to show the addition of
> diffie-hellman-group-exchange-sha256 support to PuTTY.
>

diffie-hellman-group-exchange-sha256 and diffie-hellman-group-exchange-sha1
use the same message type defined in RFC4419 to request a group, and PuTTY
up to 0.64 uses the same deprecated message type (30) for both.

See
> https://anongit.mindrot.org/openssh.git/commit/?id=318be28cda1fd9108f2e6f2f86b0b7589ba2aed0
>
> + if ((datafellows & SSH_OLD_DHGEX) != 0) {
> +         p = filter_proposal(p, "diffie-hellman-group-exchange-sha256");
> +         p = filter_proposal(p, "diffie-hellman-group-exchange-sha1");
> + }
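Review bot: with both group-exchange names filtered out of the proposal in this branch, a peer flagged SSH_OLD_DHGEX can only negotiate a fixed group, so the change relies on at least one fixed-group method (group14, as mentioned earlier in the thread) remaining in the proposal after the two filter_proposal() calls; the fragment would be easier to follow if it also showed where SSH_OLD_DHGEX is set from the peer's version string, since only the filtering step is visible here.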
>
>
> I've also just successfully connected to a local test OpenSSH server
> (v6.7p1, as packaged by Debian) with only
> diffie-hellman-group-exchange-sha256 enabled with an older release of
> PuTTY (0.63) without any issue.
>

The removal of the pre-RFC4419 message type in OpenSSH was made after the
last release. Please retry your test with a current development snapshot.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
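As an added illustration (not code from OpenSSH, PuTTY or this thread), the following Python model shows the negotiation effect the reply describes: the server's kex proposal is built, the two group-exchange names are filtered out for a peer that is known to use the pre-RFC4419 request message, and the RFC 4253 rule (first client algorithm that the server also supports) then selects group14 or fails if the client offered nothing else. The version-string check `uses_old_dhgex()` and the `PuTTY_Release_x.y` format it parses are assumptions standing in for however the real SSH_OLD_DHGEX flag is set; the proposal lists and version strings are constructed sample data.

```python
"""Constructed model of kex negotiation with the old-DHGEX peer filter."""
import re

# Message numbers from RFC 4419 section 5. Old PuTTY sends the first one
# (30) for both group-exchange methods, which is the message OpenSSH dropped.
SSH_MSG_KEX_DH_GEX_REQUEST_OLD = 30
SSH_MSG_KEX_DH_GEX_REQUEST = 34

DHGEX_METHODS = (
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
)

# Constructed server proposal: group exchange preferred, fixed groups after it.
SERVER_KEX_PROPOSAL = [
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group-exchange-sha1",
    "diffie-hellman-group14-sha1",
    "diffie-hellman-group1-sha1",
]


def uses_old_dhgex(peer_version):
    """Assumed check: PuTTY releases up to 0.64 use message 30 for DHGEX.

    Stands in for the real SSH_OLD_DHGEX detection; only the
    'SSH-2.0-PuTTY_Release_<major>.<minor>' form is recognised here.
    """
    m = re.match(r"SSH-2\.0-PuTTY_Release_(\d+)\.(\d+)$", peer_version)
    if not m:
        return False
    major, minor = int(m.group(1)), int(m.group(2))
    return (major, minor) <= (0, 64)


def filter_proposal(proposal, name):
    """Drop one algorithm name from a proposal list (same role as the
    filter_proposal() calls in the quoted commit)."""
    return [alg for alg in proposal if alg != name]


def effective_server_proposal(peer_version):
    """Server proposal actually offered to this peer."""
    proposal = list(SERVER_KEX_PROPOSAL)
    if uses_old_dhgex(peer_version):
        for name in DHGEX_METHODS:
            proposal = filter_proposal(proposal, name)
    return proposal


def negotiate_kex(client_proposal, server_proposal):
    """RFC 4253 section 7.1: the chosen method is the first one in the
    client's list that the server also lists; None means negotiation fails."""
    for alg in client_proposal:
        if alg in server_proposal:
            return alg
    return None


if __name__ == "__main__":
    old_putty = "SSH-2.0-PuTTY_Release_0.63"
    # Default-ish client list: group exchange first, group14 as fallback.
    print(negotiate_kex(["diffie-hellman-group-exchange-sha256",
                         "diffie-hellman-group14-sha1"],
                        effective_server_proposal(old_putty)))
    # Client configured with only group exchange: nothing left to agree on.
    print(negotiate_kex(["diffie-hellman-group-exchange-sha256"],
                        effective_server_proposal(old_putty)))
```

Running the block prints `diffie-hellman-group14-sha1` for a client that still lists group14 and `None` for the test in the thread where only diffie-hellman-group-exchange-sha256 is enabled, which is the failure mode the reply predicts once the pre-RFC4419 message type is gone.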

