SHA-1 practical recommendations?

James Ralston ralston at pobox.com
Fri Mar 12 10:33:09 AEDT 2021


On Thu, Mar 11, 2021 at 5:01 PM Damien Miller <djm at mindrot.org> wrote:

> On Thu, 11 Mar 2021, James Ralston wrote:
>
> > On Wed, Mar 10, 2021 at 7:43 PM Damien Miller <djm at mindrot.org> wrote:
> >
> > > diffie-hellman-group-exchange-sha1 will use a bigger/better MODP
> > > group than group14. If I had to enable one then that would be
> > > it.
> >
> > Is this guaranteed to be true even if /etc/ssh/moduli contains
> > small primes (e.g. 1023 bits)?
>
> Yes, see dh_estimate() in dh.c - it will never select a <2048 bit
> group and will usually select one considerably larger.
>
> If /etc/moduli is missing then dh_new_group_fallback() will use
> either a 2k or 4k group.

Who is determining this, though?  The client or the server?

This exchange:

debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug1: kex: diffie-hellman-group-exchange-sha256 need=32 dh_need=32
debug3: send packet: type 34
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(2048<8192<8192) sent
debug3: receive packet: type 31
debug1: got SSH2_MSG_KEX_DH_GEX_GROUP
debug2: bits set: 4092/8192
debug3: send packet: type 32
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug3: receive packet: type 33
debug1: got SSH2_MSG_KEX_DH_GEX_REPLY

…suggests that the client tells the server its minimum, desired, and
maximum group size, and the server picks a group accordingly.

But what happens if a random ssh client (not OpenSSH) sends this?

debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<1024) sent

Will OpenSSH server honor this and pick a 1024-bit group?

The Nessus hits against our RHEL7 hosts that have group-exchange
enabled suggest that OpenSSH server will honor this request.

The documentation for the Nessus plugin that tests this points to this
page:

https://stribika.github.io/2015/01/04/secure-secure-shell.html

…which suggests that removing all groups with size <2047 from
/etc/ssh/moduli will prevent OpenSSH server from picking any group
with less than 2048 bits.  (Which, at that point, will break the
client?)

In summary, I think what this boils down to is that for OpenSSH
client, if SHA-1 key exchange algorithms must be enabled for backward
compatibility, then the preferred list/ordering should be:

* diffie-hellman-group-exchange-sha1
* diffie-hellman-group14-sha1

This is true because OpenSSH client is well-behaved when it comes to
picking the size of the group for group-exchange, such that it will
never be smaller than group14 (2048), and will almost always be
larger.

But: for OpenSSH server, it is not safe to enable either of:

* diffie-hellman-group-exchange-sha1
* diffie-hellman-group-exchange-sha256

…because OpenSSH server cannot prevent a random (potentially insane)
ssh client from picking a small group (at least not without removing
them from /etc/ssh/moduli, if the distribution is shipping an older
OpenSSH that still has them).

Or have I misunderstood?
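
The moduli filtering mentioned in the message above (dropping groups with size <2047 from /etc/ssh/moduli), sketched as an added example that is not part of the original message and is not OpenSSH code. The function names and the sample entries are constructed for illustration; the size field is stored as bits minus one, so a 2048-bit group is listed as 2047.

```shell
#!/bin/sh
# Audit and filter an OpenSSH moduli file by group size.
# moduli(5) line format: time type tests trials size generator modulus
# The size field is stored as bits-1, so a 2048-bit group appears as 2047.
MIN_SIZE=${MIN_SIZE:-2047}

# Constructed sample data (shortened fake moduli, not usable primes).
write_sample_moduli() {
    cat > "$1" <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20210101000000 2 6 100 1023 2 F1A2B3C4D5
20210101000001 2 6 100 1535 5 E1A2B3C4D5
20210101000002 2 6 100 2047 2 D1A2B3C4D5
20210101000003 2 6 100 3071 2 C1A2B3C4D5
20210101000004 2 6 100 4095 5 B1A2B3C4D5
EOF
}

# Print the number of groups whose size field is below MIN_SIZE.
count_small_groups() {
    awk -v min="$MIN_SIZE" \
        '!/^#/ && NF >= 7 && $5 + 0 < min { c++ } END { print c + 0 }' "$1"
}

# Write a copy of $1 to $2, keeping comments and groups >= MIN_SIZE.
# Prints the number of groups kept; returns 1 (and removes $2) if none remain,
# so an empty moduli file is never left behind for installation.
filter_moduli() {
    awk -v min="$MIN_SIZE" '/^#/ || (NF >= 7 && $5 + 0 >= min)' "$1" > "$2"
    kept=$(awk '!/^#/ && NF >= 7 { c++ } END { print c + 0 }' "$2")
    if [ "$kept" -eq 0 ]; then
        rm -f "$2"
        return 1
    fi
    echo "$kept"
}

# Demo on the constructed sample; run the functions on a copy of the real file to audit it.
tmp=$(mktemp -d)
write_sample_moduli "$tmp/moduli"
echo "groups below $MIN_SIZE: $(count_small_groups "$tmp/moduli")"
echo "groups kept: $(filter_moduli "$tmp/moduli" "$tmp/moduli.safe")"
rm -rf "$tmp"
```

Review the filtered copy before replacing the installed file, and keep the original as a backup.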

