DH Group Exchange Fallback

Joseph S Testa II jtesta at positronsecurity.com
Mon Sep 25 01:19:23 AEST 2017

On 09/24/2017 12:21 AM, Mark D. Baushke wrote:
> I suggest you upgrade to a more recent edition of the OpenSSH software.
> The most recent release is OpenSSH 7.5 and OpenSSH 7.6 will be released
> very soon.

This problem is in v7.5 and v7.6.  See dh.c:436.

> OpenSSH 6.6 was first released on October 6, 2014.

I brought up v6.6 to give an example that older clients wouldn't be 
impacted by the removal of the fallback mechanism.

> You should also take a closer look at RFC 4419. I believe you will find
> that returning the biggest prime the SSH daemon knows which is larger
> than the requested prime is correct. Even if it is not necessarily in
> the moduli file.

Section 3 says: "The server should return the smallest group it knows 
that is larger than the size the client requested."  Even though my 
system has values in /etc/ssh/moduli that are 3072 bits all the way up 
to 8192 bits, it's still returning group14.  I suppose with a loose 
interpretation, you could say OpenSSH is still adhering to the spec, 
since, technically, it does know about group14...

However, my main point still stands.  The admin is unambiguously saying 
"ONLY use these groups", yet in some cases, the present code disregards 
this and unexpectedly does something else.

Written in March 2006, RFC 4419 also says "Servers and clients SHOULD 
support groups with a modulus length of k bits, where 1024 <= k <= 
8192."  Hence, removing this fallback mechanism "SHOULDN'T" be a 
problem, as clients have been encouraged for 11+ years to support groups 
up to 8192-bit.  It strongly appears that the code can be reasonably 
changed to return the smallest group it knows (i.e.: the smallest value 
in /etc/ssh/moduli), without causing significant interoperability problems.

Motion to remove the group-exchange fallback mechanism entirely.

    - Joe

P.S.  I volunteer to write the patch if this change would be accepted.
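The selection rule discussed in this thread, as an added illustration that is not OpenSSH's code (dh.c is not reproduced here): it parses a constructed /etc/ssh/moduli file containing only 3072- to 8192-bit groups, applies the RFC 4419 section 3 rule ("smallest group it knows that is larger than the size the client requested") within the client's (min, n, max) bounds, and contrasts the two behaviours the message compares, namely falling back to a built-in group14 when nothing in the file fits versus returning the smallest group the file contains. Assumptions: the standard seven-field moduli line format, OpenSSH's convention that the `size` field stores the modulus length minus one, and a placeholder record standing in for group14; the hex moduli are constructed placeholders, not real safe primes.

```python
"""Model of RFC 4419 DH group selection from an /etc/ssh/moduli file.

Added example, not OpenSSH's own implementation. Assumptions: standard
seven-field moduli lines; the 'size' field is (modulus bits - 1), as in
OpenSSH-generated moduli files; clients send (min, n, max) per RFC 4419.
"""
from dataclasses import dataclass
from typing import List

# Constructed sample file mirroring the policy in the message: only groups of
# 3072 bits and above.  Modulus values are placeholders, NOT real safe primes.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus
20170101000000 2 6 100 3071 2 C0FFEE01
20170101000000 2 6 100 4095 2 C0FFEE02
20170101000000 2 6 100 4095 5 C0FFEE03
20170101000000 2 6 100 6143 2 C0FFEE04
20170101000000 2 6 100 8191 2 C0FFEE05
"""


@dataclass(frozen=True)
class Group:
    bits: int          # full modulus length in bits
    generator: int
    modulus_hex: str   # placeholder hex string in this example
    source: str        # "moduli" (from the file) or "builtin" (fixed RFC 3526 group)


# Placeholder for RFC 3526 group14 (2048-bit); the real modulus is omitted.
BUILTIN_GROUP14 = Group(bits=2048, generator=2, modulus_hex="<group14>", source="builtin")


def parse_moduli(text: str) -> List[Group]:
    """Parse moduli lines; skip comments/blank lines; keep only type-2 (safe prime) entries."""
    groups: List[Group] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        _time, mtype, _tests, _trials, size, gen, mod = fields
        if mtype != "2":  # only safe primes are usable for group exchange
            continue
        # The file records size as bits - 1; the whole group is one bit larger.
        groups.append(Group(bits=int(size) + 1, generator=int(gen),
                            modulus_hex=mod, source="moduli"))
    return groups


def choose_group(groups: List[Group], min_bits: int, want_bits: int, max_bits: int,
                 *, fallback_to_builtin: bool) -> Group:
    """Pick a group for a client request (min, n=want, max).

    Rule modelled on RFC 4419 s.3: the smallest known group >= want, restricted
    to [min, max]; if nothing meets want, the largest group still inside the
    range.  When the file has nothing in range at all:
      fallback_to_builtin=True  -> return the fixed group14 placeholder
                                   (the behaviour the message objects to)
      fallback_to_builtin=False -> return the smallest group in the file
                                   (the behaviour the message proposes)
    Ties on size take the first entry; a real server would pick one at random.
    """
    if not groups:
        raise ValueError("moduli file contains no usable groups")
    in_range = [g for g in groups if min_bits <= g.bits <= max_bits]
    at_least_want = [g for g in in_range if g.bits >= want_bits]
    if at_least_want:
        return min(at_least_want, key=lambda g: g.bits)
    if in_range:
        return max(in_range, key=lambda g: g.bits)
    if fallback_to_builtin:
        return BUILTIN_GROUP14
    return min(groups, key=lambda g: g.bits)


def smallest_known_bits(groups: List[Group]) -> int:
    """Admin check: the weakest group the file can ever hand out."""
    return min(g.bits for g in groups)


if __name__ == "__main__":
    gs = parse_moduli(SAMPLE_MODULI)
    print("weakest group in file:", smallest_known_bits(gs), "bits")
    for req in [(1024, 2048, 8192), (1024, 2048, 2048), (1024, 5000, 8192)]:
        a = choose_group(gs, *req, fallback_to_builtin=True)
        b = choose_group(gs, *req, fallback_to_builtin=False)
        print(f"request {req}: fallback -> {a.bits} ({a.source}); "
              f"proposed -> {b.bits} ({b.source})")
```

Running the script shows the case at issue: a client whose `max` is 2048 gets group14 under the fallback behaviour even though the administrator's file starts at 3072 bits, while the proposed behaviour hands out the 3072-bit group. The `smallest_known_bits` check is the quick way to confirm that a moduli file actually enforces the minimum an administrator intends.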

More information about the openssh-unix-dev mailing list