Bug 2322 - please let the server enable/disable delayed compression on a per user basis
Summary: please let the server enable/disable delayed compression on a per user basis
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: 3.7p1
Hardware: All All
: P5 enhancement
Assignee: Damien Miller
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-12-01 14:23 AEDT by philcerf
Modified: 2021-04-23 15:03 AEST (History)
1 user (show)

See Also:

Attachments
Require multiple publickey entries in AuthenticationMethods use different keys (8.37 KB, patch)
2014-12-11 14:31 AEDT, Damien Miller 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description philcerf 2014-12-01 14:23:52 AEDT 
Hi.

This is basically from https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-November/033176.html .


1) In encryption, compression may generally be abused as an oracle for side-channel attack, when the attacker can inject chosen-plaintext (e.g. as in CRIME and BREACH attacks).

While this is far less likely for SSH as in CRIME and BREACH it's not really impossible to happen (see the above mail thread for example scenarios like log files that are transferred via SSH).

The SSH client side can protect against this, simply by disabling encryption.
The SSH server side may want to only allow certain users to use SSH-protocol-level compression. E.g. users which are only used for automated systems where it's known that no chosen plain text can be injected,... or human users which have been educated about that principal problem.
Of course, even when SSH-level compression is disallowed, users could still do any other manual compression, which would be vulnerable to the same problem - but better protect against something than nothing.


2) Even though gzip is a rather fast compression algorithm (at least compared to some others), it may be desirable for a sysadmin to allow only certain users to enable encryption (especially since the user could choose high compression levels) in order to prevent overloading the system.



For these two motivations, it would be nice if one could control on the SSH server side, whether a user is allowed to use compression or not, ideally via the Match block, e.g.

#global setting:
Compression no

#per user settings:
Match User foo bar
     Compression delayed

As Damien suggested in the thread above - a clean solution would be, that if such configuration is given, the server enforces a key-renegotiation immediately after the handshake with the "new" compression algos.


Regards,
Philippe
Comment 1 Damien Miller 2014-12-11 14:31:44 AEDT 
Created attachment 2515 [details]
Require multiple publickey entries in AuthenticationMethods use different keys

Thanks for reminding me to do this - I've been planning it for a while. Here's a patch that implements it for -current.
Comment 2 Damien Miller 2014-12-11 14:50:12 AEDT 
Comment on attachment 2515 [details]
Require multiple publickey entries in AuthenticationMethods use different keys

oops, wrong bug - please disregard
Comment 3 Damien Miller 2020-01-26 00:43:27 AEDT 
Unfortunately this isn't trivially possible - in the SSH protocol, compression is negotiated before the authentication, and it is only at the authentication stage that the server learns the name of the user who is connecting.

It is theoretically possible to force a rekeying operation after authentication to renegotiate the encryption/compression options but this is expensive and IMO not worth the complexity needed to implement it.
Comment 4 Damien Miller 2021-04-23 15:03:34 AEST 
closing resolved bugs as of 8.6p1 release