OpenSSH with OpenSSL 3.0: preventing loss of remote access

Jochen Bern Jochen.Bern at binect.de
Tue Oct 5 21:41:54 AEDT 2021 

On 04.10.21 10:57, Dmitry Belyavskiy wrote:
> OpenSSL 3.0 doesn't provide any crypto primitives itself. It is done via
> the providers' mechanism. The provider should be loaded and activated to
> make some algorithms and RNG available.
> 
> The default provider is a bit special. If no providers are activated
> explicitly, the default one is activated implicitly. (See details in
> https://github.com/openssl/openssl/issues/16249). Its activation is
> commented out in the config file. If anybody tries to activate a legacy
> provider and doesn't uncomment the default provider activation, the system
> becomes almost unsuitable for work and not remotely accessible anymore.
> 
> I am pretty sure that there will be enough people who because either not
> reading the documentation or just being in a hurry will turn the remote
> accessibility off.
> 
> To prevent it, the viable option is explicitly load the default provider in
> openssh if necessary.
> We can check if it is necessary in several ways. First, we can check if the
> default or FIPS provider is already loaded. Second, we could check that any
> algorithm (I'd prefer some of the AES-CTR family) is available, and load
> the default provider if not, implying that it the selected algorithm is
> implemented in the provider carrying also some sort of key exchange
> algorithm, RNG, etc. I have a tentative patch for this purpose.
> 
> There also may be an option to add an explicit switch
> 'FallbackToDefaultProvider yes' to the openssh configuration.
> 
> Please, any feedback is welcome.

My .02: There is a *lot* of ways to hose one's SSH access, from various 
statements in the /etc/ssh/ config files, to peripheral config files 
(oops, chmod -R 660 got ~/.ssh/authorized_keys, too), to the local OS 
(iptables) and beyond. For a great many environments, the last resort is 
access to a login prompt (where you can use a password) through some OOB 
management solution (physical access, iLO, dialin modem, your cloud 
provider's admin WebUI, whatever). OpenSSH *cannot* cover as many 
scenarios, much less all, and I doubt that it should insinuate that it 
wants to.

Apart from that, any algorithm nominated as a trigger for such an 
autocompletion would gain implicit tenure, making it difficult to phase 
it out when necessary (cryptographically broken). Note how little 
overlap current-day OpenSSH setups have with the set of algos listed in 
the original RFCs it *otherwise* still adheres to ...

More generally speaking, a rule along the lines of "unless you have 
available at least a) one symmetric cipher of >= 256 bit, b) one 
asymmetric cipher as strong as 4 kbit RSA, c) a hash function of >= 256 
bit, ..., the default provider will be loaded as well" seems sensible, 
but it would need to replace the "unless you have ANYTHING" rule within 
OpenSSL 3, rather than being a fix by the application on top.

Regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 3449 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20211005/895f910f/attachment.p7s>

More information about the openssh-unix-dev mailing list