Bug 3387

Summary: Will future versions of openssh not support DHE because of "dheater" vulnerability :CVE-2002-20001?
Product: Portable OpenSSH Reporter: renmingshuai <rmsh1216>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: enhancement CC: djm
Priority: P5    
Version: 8.8p1   
Hardware: Other   
OS: All   

Description renmingshuai 2022-02-11 14:57:39 AEDT 
The Diffie-Hellman Key Agreement Protocol allows remote attackers (from the client side) to send arbitrary numbers that are actually not public keys, and trigger expensive server-side DHE modular-exponentiation calculations, aka a D(HE)ater attack. We have repeated the attack when establish ssh connections. What will openssh do to avoid dheater?
Comment 1 Damien Miller 2022-02-11 15:04:23 AEDT 
Not based on that attack, it's AFAIK a denial of service only that is already mitigated by existing measures in sshd including LoginGraceTime and MaxStartups.
Comment 2 renmingshuai 2022-02-11 17:16:15 AEDT 
Is it a vulnerability in DHE algorithm protocol, not in openssh?
Comment 3 Damien Miller 2022-02-14 16:33:27 AEDT 
It's probably an intrinsic issue to any cryptographic key agreement protocol that an attacker can cause the server to do useless work. I don't think ECDSA or any of the PQ KEM algorithms will be any less susceptible, though they are faster so the impact is less.
Comment 4 Damien Miller 2023-03-17 13:41:34 AEDT 
OpenSSH 9.3 has been released. Close resolved bugs