Bug 2793

Summary: DH Group Exchange Incorrect Fallback
Product: Portable OpenSSH
Reporter: Joe Testa <jtesta>
Component: sshd
Assignee: Assigned to nobody <unassigned-bugs>
Status: NEW
Severity: major
CC: djm
Priority: P5
Version: -current
Hardware: All
OS: All
Attachments: Patch to remove the fallback mechanism. (flags: none)

Description Joe Testa 2017-10-10 05:41:59 AEDT
Created attachment 3066
Patch to remove the fallback mechanism.

(This issue was discussed in depth on the openssh-unix-dev mailing list here: https://lists.mindrot.org/pipermail/openssh-unix-dev/2017-September/036217.html)

The Diffie-Hellman group exchange code has a fallback mechanism in case a sufficient entry in /etc/ssh/moduli is not found.  Unfortunately, this mechanism directly disobeys what a sysadmin wants.

For example, if the sysadmin deletes all DH groups with moduli smaller than 3072-bit, the code will nevertheless return 2048-bit group14 (see dh.c:441).  The correct behavior would be to disconnect the client.

In fact, ALL cases where a sufficient group cannot be found in /etc/ssh/moduli should result in a disconnect, as the admin has indicated that *only* those listed in that file should be used.  Hence, the attached patch fully removes this fallback mechanism in order to respect the admin's wishes.
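
Added example, not part of the original report and not OpenSSH's code: a simplified C model of the selection described above, run over constructed moduli(5)-style lines from which every group below 3072 bits has been removed. The function names, the sample lines, and the rule that the fallback always yields group14 are assumptions for illustration; the `size` field in a moduli file is one less than the modulus bit length.

```c
/* Simplified model of choosing a group from moduli lines; not OpenSSH's dh.c. */
#include <stdio.h>

#define GROUP14_BITS 2048   /* fixed group named in the report */

/* Constructed lines: time type tests trials size generator modulus(shortened). */
static const char *SAMPLE[] = {
    "# constructed sample, not real primes",
    "20170101000000 2 6 100 3071 2 C0FFEE01",
    "20170101000001 2 6 100 4095 5 C0FFEE02",
    "20170101000002 2 6 100 8191 2 C0FFEE03",
};
#define NSAMPLE (sizeof(SAMPLE) / sizeof(SAMPLE[0]))

/* Behaviour the report asks for: return the listed size in [min, max] closest
 * to `want` (preferring >= want), or 0 so the caller disconnects. */
static int choose_strict(int min, int want, int max)
{
    int best = 0;
    for (size_t i = 0; i < NSAMPLE; i++) {
        int size;
        if (sscanf(SAMPLE[i], "%*s %*d %*d %*d %d", &size) != 1)
            continue;               /* comment or malformed line */
        size++;                     /* size field is bit length minus one */
        if (size < min || size > max)
            continue;               /* outside the client's requested range */
        if ((size >= want && (best < want || size < best)) ||
            (size < want && size > best && best < want))
            best = size;
    }
    return best;
}

/* Behaviour described in the report: no suitable entry -> fixed group14. */
static int choose_with_fallback(int min, int want, int max)
{
    int bits = choose_strict(min, want, max);
    return bits ? bits : GROUP14_BITS;
}

int main(void)
{
    /* Client request (min, preferred, max) capped at 2048 bits. */
    printf("fallback=%d strict=%d (0 = disconnect)\n",
           choose_with_fallback(1024, 2048, 2048), choose_strict(1024, 2048, 2048));
    return 0;
}
```

With the constructed file, the capped request gets a 2048-bit group from the fallback path even though no such group is listed, while the strict path returns 0.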

Comment 1 Damien Miller 2017-10-10 07:28:44 AEDT
Comment on attachment 3066
Patch to remove the fallback mechanism.

I'm not sure I agree with removing the fallback and I don't think making people edit the moduli file is a great way to control which groups are negotiated. IMO a general MinimumDHSize option would probably be a better way to achieve this.