DH Group Exchange Fallback
Joseph S Testa II
jtesta at positronsecurity.com
Mon Sep 25 01:19:23 AEST 2017
On 09/24/2017 12:21 AM, Mark D. Baushke wrote:
> I suggest you upgrade to a more recent edition of the OpenSSH software.
> The most recent release is OpenSSH 7.5 and OpenSSH 7.6 will be released
> very soon.
This problem is in v7.5 and v7.6. See dh.c:436.
> OpenSSH 6.6 was first released on October 6, 2014.
I brought up v6.6 to give an example that older clients wouldn't be
impacted by the removal of the fallback mechanism.
> You should also take a closer look at RFC 4419. I believe you will find
> that returning the biggest prime the SSH daemon knows which is larger
> than the requested prime is correct. Even if it is not necessarily in
> the moduli file.
Section 3 says: "The server should return the smallest group it knows
that is larger than the size the client requested." Even though my
system has values in /etc/ssh/moduli that are 3072-bits all the way up
to 8192-bits, it's still returning group14. I suppose with a loose
interpretation, you could say OpenSSH is still adhering to the spec,
since, technically, it does know about group14...
However, my main point still stands. The admin is unambiguously saying
"ONLY use these groups", yet in some cases, the present code disregards
this and unexpectedly does something else.
Written in March 2006, RFC 4419 also says "Servers and clients SHOULD
support groups with a modulus length of k bits, where 1024 <= k <=
8192." Hence, removing this fallback mechanism "SHOULDN'T" be a
problem, as clients have been encouraged for 11+ years to support groups
up to 8192-bit. It strongly appears that the code can be reasonably
changed to return the smallest group it knows (i.e.: the smallest value
in /etc/ssh/moduli), without causing significant interoperability problems.
Motion to remove the group-exchange fallback mechanism entirely.
P.S. I volunteer to write the patch if this change would be accepted.
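To make the RFC 4419 Section 3 rule concrete, here is a small selector over moduli(5)-format lines, written for this post as an added example (it is not OpenSSH's dh.c code). It assumes the file's size field records the modulus length minus one, as installed moduli files do (1023 for a 1024-bit prime); the sample lines and modulus values are constructed, not real safe primes. `fallback=None` models the proposed behaviour (refuse rather than substitute group14); passing `GROUP14` models the current fallback.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in moduli(5) layout:
#   time type tests trials size generator modulus
# Modulus values are placeholders, NOT real safe primes.
SAMPLE_MODULI = """\
# constructed test data
20170924000000 2 6 100 3071 2 PLACEHOLDER3071
20170924000000 2 6 100 4095 5 PLACEHOLDER4095
20170924000000 2 6 100 8191 2 PLACEHOLDER8191
"""

@dataclass(frozen=True)
class Group:
    bits: int          # modulus length in bits
    generator: int
    modulus_hex: str

def parse_moduli(text: str) -> List[Group]:
    """Parse moduli(5) lines, skipping comments, blanks and malformed rows."""
    groups = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            continue  # malformed row: ignore it rather than guess
        size, gen, mod = int(fields[4]), int(fields[5]), fields[6]
        # Assumption: size field is bits - 1 (e.g. 1023 => 1024-bit prime).
        groups.append(Group(bits=size + 1, generator=gen, modulus_hex=mod))
    return groups

# Fixed RFC 4419 group14 is 2048-bit; only its size matters here, so the
# modulus is a labelled placeholder.
GROUP14 = Group(bits=2048, generator=2, modulus_hex="<group14 placeholder>")

def choose_group(groups: List[Group], min_bits: int, want_bits: int,
                 max_bits: int, fallback: Optional[Group] = None) -> Optional[Group]:
    """Return the smallest configured group with at least want_bits that
    also lies within the client's [min_bits, max_bits] window.
    If no configured group fits, return `fallback`: None means refuse the
    exchange, GROUP14 reproduces the fixed-group substitution."""
    candidates = [g for g in groups
                  if min_bits <= g.bits <= max_bits and g.bits >= want_bits]
    if not candidates:
        return fallback
    return min(candidates, key=lambda g: g.bits)
```

With a client window capped at 2048 bits and only 3072-bit and larger groups configured, the fallback variant hands out a group the administrator never listed, while the strict variant returns None so the server can fail the exchange instead.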