[EC]DH KEx and how to restrict ssh/sshd to secure(er) DH parameters

Christoph Anton Mitterer calestyo at scientia.net
Sun Oct 19 03:58:17 EST 2014


Hey.

AFAIU, all the key exchange algorithms in SSH (or perhaps better said
OpenSSH, since the RFCs would allow for MQV) are basically
Diffie-Hellman based[0]. Or the ECC versions (the ECDH versions with
NIST curves or curve25519).


1) I guess ALL these are ephemeral versions of DH/ECDH, in order to get
FS/PFS, right?

Just out of curiosity,... what is done to make the DH authenticated?
I guess it depends on the chosen HostKeyAlgorithm (so either RSA, DSS,
ECDSA or EdDSA)... but do client/server exchange the DH parameters
signed or do they exchange a signed version of the agreed key?




2) Now the security of DH/ECDH obviously depends on the parameters, e.g.
having a 16 bit DH group makes it useless....

AFAIU for diffie-hellman-group1-sha1 and diffie-hellman-group14-sha1
the parameters are fixed (with 1024 and 2048 bit groups).

The same for the four ECDH versions (ecdh-sha2-nistp* and
curve25519-sha256 at libssh.org), they all have fixed values.

So if I'd find that to be too weak, then the only thing one could do is
disable those, right?


But for diffie-hellman-group-exchange-sha1 and
diffie-hellman-group-exchange-sha256 the /etc/ssh/moduli file is used to
find parameters, right?

a) Documentation seems to imply that this is only used by sshd?
So how does the ssh client come to his accepted parameters? Does he
simply take anything a SSH server proposes?

b) How can I restrict what the server accepts as parameters?
E.g. if I think 1024 bit groups are too weak, can I simply remove those
entries from the moduli file and such groups will no longer be used?

c) How can I do the same for the client?



Thanks,
Chris.


[0] diffie-hellman-group1-sha1,diffie-hellman-group14-sha1,
diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,
ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,
curve25519-sha256 at libssh.org
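The question in 2b) above is about pruning /etc/ssh/moduli so that only groups of an acceptable size remain. The script below is an added example, not code from the original post or from OpenSSH; it parses the seven-column moduli(5) layout (time, type, tests, tries, size, generator, modulus in hex), sanity-checks each line, and keeps only groups whose modulus is at least a chosen number of bits. It assumes the convention seen in the moduli files OpenSSH ships, where the "size" column is one less than the bit length of the prime (2047 for a 2048-bit group), and it tolerates both that and the literal bit length. The sample file embedded in the block is constructed for the example: its moduli are placeholders with the right bit lengths, not real safe primes, so it only exercises the parser and the filter.

```python
"""Prune an OpenSSH moduli(5) file to DH groups of at least N bits.

Added example (not from the original post or OpenSSH). Assumption: each
non-comment line has the documented seven fields
    time type tests tries size generator modulus(hex)
and, as in the files OpenSSH ships, "size" is written as bits-1.
"""
import sys
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Modulus:
    time: str
    type_: int
    tests: int
    tries: int
    size: int        # "size" column exactly as written in the file
    generator: int
    modulus: int     # the prime p, parsed from the hex column

    @property
    def bits(self) -> int:
        """Real bit length of p; this is what the filter decides on."""
        return self.modulus.bit_length()


def parse_moduli(lines: Iterable[str]) -> List[Modulus]:
    """Parse moduli(5) lines, skipping blanks/comments, rejecting malformed rows."""
    entries: List[Modulus] = []
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        m = Modulus(fields[0], int(fields[1]), int(fields[2]), int(fields[3]),
                    int(fields[4]), int(fields[5]), int(fields[6], 16))
        # Cheap structural checks: a DH prime is odd and the generator is > 1.
        if m.modulus % 2 == 0:
            raise ValueError(f"line {lineno}: modulus is even")
        if m.generator < 2:
            raise ValueError(f"line {lineno}: bad generator {m.generator}")
        # Assumption (see docstring): size column is bits-1 in shipped files;
        # accept the literal bit length too so either convention parses.
        if m.size not in (m.bits - 1, m.bits):
            raise ValueError(
                f"line {lineno}: size column {m.size} does not match "
                f"{m.bits}-bit modulus")
        entries.append(m)
    return entries


def filter_min_bits(entries: Iterable[Modulus], min_bits: int) -> List[Modulus]:
    """Keep only groups whose prime has at least min_bits bits."""
    return [m for m in entries if m.bits >= min_bits]


def format_line(m: Modulus) -> str:
    """Re-emit an entry in the same seven-column layout."""
    return (f"{m.time} {m.type_} {m.tests} {m.tries} {m.size} "
            f"{m.generator} {format(m.modulus, 'X')}")


def harden_moduli_text(text: str, min_bits: int) -> str:
    """Return a new moduli file body: comments preserved, small groups dropped."""
    kept = {m.modulus for m in filter_min_bits(parse_moduli(text.splitlines()), min_bits)}
    out = []
    for line in text.splitlines():
        s = line.strip()
        if not s or s.startswith("#"):
            out.append(line)
            continue
        if int(s.split()[6], 16) in kept:
            out.append(line)
    return "\n".join(out) + "\n"


def _placeholder_prime(bits: int) -> str:
    """Constructed placeholder: an odd number with exactly `bits` bits.
    NOT a real safe prime; it only exercises the parser and the filter."""
    return format((1 << (bits - 1)) | 1, "X")


# Constructed sample in moduli(5) layout (sizes as bits-1, as in shipped files).
SAMPLE_MODULI = "\n".join([
    "# constructed sample; moduli are placeholders, not real primes",
    f"20141019000000 2 6 100 1023 2 {_placeholder_prime(1024)}",
    f"20141019000000 2 6 100 1535 5 {_placeholder_prime(1536)}",
    f"20141019000000 2 6 100 2047 2 {_placeholder_prime(2048)}",
    f"20141019000000 2 6 100 3071 2 {_placeholder_prime(3072)}",
    f"20141019000000 2 6 100 4095 5 {_placeholder_prime(4096)}",
])


if __name__ == "__main__":
    # Usage: python3 prune_moduli.py MIN_BITS [/etc/ssh/moduli] > moduli.new
    min_bits = int(sys.argv[1]) if len(sys.argv) > 1 else 2048
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_MODULI
    sys.stdout.write(harden_moduli_text(text, min_bits))
```

Write the output to a new file, inspect it, keep a backup of the original, and only then install it as /etc/ssh/moduli. For a shipped file the same size filter is commonly done as a one-liner on the fifth column, e.g. `awk '$5 >= 2047' /etc/ssh/moduli`; the script above additionally checks that the column agrees with the actual modulus, which catches a hand-edited or truncated line before sshd ever sees it.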