[Bug 2302] ssh (and sshd) should not fall back to deselected KEX algos

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Dec 20 14:39:29 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2302

Christoph Anton Mitterer <calestyo at scientia.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|WONTFIX                     |---
             Status|RESOLVED                    |REOPENED

--- Comment #2 from Christoph Anton Mitterer <calestyo at scientia.net> ---
Hi Damien.

Reopening this for now because (see below):


(In reply to Damien Miller from comment #1)
> It isn't falling back to a deselected KEX method, it's using a
> fallback DH group that is completely compliant with the DHGEX method.
Okay,.. I see,... you're right.
Just checked that and with the server only offering
diffie-hellman-group-exchange-sha256 and /etc/ssh/moduli being empty, a
client can't connect with diffie-hellman-group1-sha1 or
diffie-hellman-group14-sha1, but can connect with an implicit 2048 bit
group with diffie-hellman-group-exchange-sha256.

But this is just something OpenSSH specific, right? Nothing which would
come from the RFC.


> IMO the use of the fallback group is preferable to simply failing.
Why?...


- This "failing" isn't much different from when the admin would simply
disable all KexMethods... if he empties his /etc/moduli file, he
basically intentionally disables DH-GEX

Apart from that, only OpenSSH-to-OpenSSH would benefit from this, since
AFAICS, there is no standardised fallback group in DH-GEX.

Further, to get the idea behind such a fallback working (i.e.
compatibility and connections-always working) it means that OpenSSH
must keep that group basically forever (to allow interoperability)...
which OTOH prevents replacing "ageing" groups when their size is no
longer considered enough for security.

=> so I still think, not falling back would be better, since this seems
to be the logical effect one would expect from emptying /etc/ssh/moduli


But if you really insist on keeping this behaviour, could you then
please do the following:


- It makes it at least ambiguous in how things work since this
behaviour is not documented (i.e. people may think empty moduli file
means no group can be found/used for DH_GEX and therefore disables it).
=> so could this information be added to moduli(5) manpage?

- Replace the 2048b group that is used by something stronger? Looking
at the ECRYPT II recommendations... 2048 is not really enough for
longer terms.

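An added example, not part of the original comment and not OpenSSH code: a small audit function for the situation discussed above, where an empty moduli file does not disable DH-GEX but leaves sshd on its built-in fallback group. The function name, the 2048-bit default threshold and the sample lines are assumptions made for illustration; the size column is assumed to hold bits minus one (e.g. 2047), as in the moduli files OpenSSH ships.

```shell
#!/bin/sh
# Added example: report whether a moduli file would actually supply DH-GEX
# groups, or whether sshd would be left with its built-in fallback group.
# Assumed moduli(5) line layout:
#   time type tests trials size generator modulus
# Assumption: "size" is stored as bits-1 (2047 means a 2048-bit prime).

moduli_status() {
    file=$1
    min_bits=${2:-2048}          # hypothetical policy threshold, not an sshd option
    if [ ! -r "$file" ]; then
        echo "fallback: $file unreadable"
        return 0
    fi
    awk -v min="$min_bits" '
        /^[ \t]*(#|$)/ { next }              # skip comments and blank lines
        NF != 7        { next }              # skip malformed entries
        { total++; if ($5 + 1 >= min) ok++ }
        END {
            if (total == 0)
                print "fallback: no groups in file"
            else if (ok == 0)
                printf "weak: %d groups, none >= %d bits\n", total, min
            else
                printf "file: %d of %d groups >= %d bits\n", ok, total, min
        }' "$file"
}

# Demo on constructed input (moduli are placeholders, not real primes).
demo() {
    tmp=$(mktemp)
    : > "$tmp"                               # empty file, as in the bug report
    moduli_status "$tmp"
    printf '%s\n' '# constructed sample' \
        '20140101000000 2 6 100 1023 2 DEADBEEF' \
        '20140101000000 2 6 100 2047 2 DEADBEEF' > "$tmp"
    moduli_status "$tmp" 2048
    rm -f "$tmp"
}
demo
```

A "fallback" result means DH-GEX is still offered if it is enabled in KexAlgorithms; removing it from that list is what actually disables it.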