Bug 2515 - Implement diffie-hellman-group{14,15,16}-sha256
Summary: Implement diffie-hellman-group{14,15,16}-sha256
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: -current
Hardware: All All
Importance: P3 enhancement
Assignee: Darren Tucker
URL:
Keywords:
Depends on:
Blocks: V_7_3
Reported: 2015-12-11 15:23 AEDT by Darren Tucker
Modified: 2023-01-13 13:40 AEDT (History)

See Also:


Attachments
add diffie-hellman-group{14,15,16}-sha256 (8.31 KB, patch)
2015-12-11 15:29 AEDT, Darren Tucker
add diffie-hellman-group{14,15,16}-sha256 (8.81 KB, patch)
2015-12-11 17:24 AEDT, Darren Tucker
add diffie-hellman-group{14,15,16}-sha256 (10.69 KB, patch)
2015-12-12 19:14 AEDT, Darren Tucker
Fix first_kex_follows (389 bytes, patch)
2015-12-13 00:55 AEDT, Matt Johnston
update to draft-ietf-curdle-ssh-kex-sha2-03 prefer groups 14, 16, 18 (14.01 KB, patch)
2016-04-22 16:47 AEST, Damien Miller

Description Darren Tucker 2015-12-11 15:23:11 AEDT
The IETF ssh working group has proposed adding MODP groups 15 and 16 with SHA256 and deprecating group14-sha1 (we're already doing the latter).

https://datatracker.ietf.org/doc/draft-baushke-ssh-dh-group-sha2/
Comment 1 Darren Tucker 2015-12-11 15:29:06 AEDT
Created attachment 2766
add diffie-hellman-group{14,15,16}-sha256
Comment 2 Darren Tucker 2015-12-11 17:24:49 AEDT
Created attachment 2767
add diffie-hellman-group{14,15,16}-sha256

Add missing change to ssh_api.c, from Mark D. Baushke.
Comment 3 Matt Johnston 2015-12-12 01:18:30 AEDT
This is still hashing with sha1, see kex_dh_hash() - it doesn't use hash_alg.

I've patched Dropbear for group14-sha256, https://secure.ucc.asn.au/hg/dropbear/rev/d2f9ef67af15
Comment 4 Darren Tucker 2015-12-12 19:14:05 AEDT
Created attachment 2768
add diffie-hellman-group{14,15,16}-sha256

> This is still hashing with sha1, see kex_dh_hash() - it doesn't use hash_alg.

Well, that's not cool :-)

djm implemented the code to fix this which is included in the updated patch.

With this change, openssh client interops with the dropbear server.  dbclient doesn't work (the openssh server kills the connection claiming a negative bignum) but it also worked with an unmodified openssh-current with group14-sha1 (dbclient claims "Bad hostkey signature").  I don't know where the problem is though.
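The defect Matt points out in Comment 3 is that the exchange hash was still computed with SHA-1 regardless of the negotiated method name. The following is an added example, not OpenSSH's kex_dh_hash() or any code from this bug's patches: it builds the RFC 4253 section 8 exchange hash H with the digest looked up from the negotiated KEX method, using the method names this bug ends up with. The KEX_HASH table, the sample inputs and the function names are constructed for illustration.

```python
"""SSH exchange hash H for the fixed-group DH KEX methods, with the digest chosen
from the negotiated method name instead of being hard-wired to SHA-1.
Constructed example; not OpenSSH's kex_dh_hash()."""
import hashlib
import struct

# Digest implied by each method name (group14-sha1 from RFC 4253; the others from
# draft-ietf-curdle-ssh-kex-sha2). The key-exchange code must select the digest
# from the negotiated name: a hard-wired SHA-1 yields a wrong H for every
# *-sha256 / *-sha512 method, which is the defect reported in Comment 3.
KEX_HASH = {
    "diffie-hellman-group14-sha1": hashlib.sha1,
    "diffie-hellman-group14-sha256": hashlib.sha256,
    "diffie-hellman-group16-sha512": hashlib.sha512,
    "diffie-hellman-group18-sha512": hashlib.sha512,
}


def ssh_string(b: bytes) -> bytes:
    """RFC 4251 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def ssh_mpint(n: int) -> bytes:
    """RFC 4251 'mpint' for a non-negative integer: minimal big-endian
    two's-complement, so a leading 0x00 is added when the top bit is set
    and zero encodes as the empty string. DH values are never negative,
    so a negative n is rejected rather than encoded."""
    if n < 0:
        raise ValueError("negative mpint not expected in DH key exchange")
    if n == 0:
        return ssh_string(b"")
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return ssh_string(raw)


def kex_dh_hash(method: str, V_C: bytes, V_S: bytes, I_C: bytes, I_S: bytes,
                K_S: bytes, e: int, f: int, K: int) -> bytes:
    """H = HASH(V_C || V_S || I_C || I_S || K_S || e || f || K), RFC 4253 section 8,
    where HASH is selected by `method`. Unknown method names are refused."""
    try:
        h = KEX_HASH[method]()
    except KeyError:
        raise ValueError(f"unsupported KEX method {method!r}") from None
    for s in (V_C, V_S, I_C, I_S, K_S):
        h.update(ssh_string(s))
    for n in (e, f, K):
        h.update(ssh_mpint(n))
    return h.digest()


# Constructed sample inputs: toy-sized numbers, not real 2048-bit DH values.
SAMPLE = dict(
    V_C=b"SSH-2.0-client_example",
    V_S=b"SSH-2.0-server_example",
    I_C=b"\x14client-kexinit-payload",
    I_S=b"\x14server-kexinit-payload",
    K_S=b"constructed-hostkey-blob",
    e=0x1234567890ABCDEF,
    f=0xFEDCBA0987654321,
    K=0x0123456789ABCDEF0123456789ABCDEF,
)


def digest_lengths() -> dict:
    """Length of H per supported method on the sample inputs:
    20 bytes for SHA-1, 32 for SHA-256, 64 for SHA-512."""
    return {m: len(kex_dh_hash(m, **SAMPLE)) for m in KEX_HASH}


if __name__ == "__main__":
    for method, n in digest_lengths().items():
        print(f"{method:32s} H is {n} bytes")
```

Because group16 and group18 both name SHA-512, the same inputs give the same H under either method; the method name only chooses the digest, while the group choice changes the actual e, f and K.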
Comment 5 Matt Johnston 2015-12-13 00:55:38 AEDT
Created attachment 2769
Fix first_kex_follows
Comment 6 Matt Johnston 2015-12-13 00:58:00 AEDT
The Dropbear client failure was because it's sending first_kex_follows so OpenSSH parsed the first (should be discarded) kexdhinit packet.

It looks like that broke in https://github.com/openssh/openssh-portable/commit/57d10cbe861a235dd269c74fb2fe248469ecee9d in January :-\ 

Patch attached.
Comment 7 Damien Miller 2015-12-14 09:42:53 AEDT
Bah, breaking first-kex-follows was my fault. Fix committed and will be in OpenSSH 7.2
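The Dropbear client failure in Comments 6 and 7 comes from the guess rule of RFC 4253 section 7.1: a peer that sets first_kex_packet_follows sends a key-exchange packet before it knows the outcome of negotiation, and if its guess turns out to be wrong the receiver must ignore that packet rather than parse it. The following is an added example of that rule, not OpenSSH or Dropbear code and not the attached patch; the KexInit class, the algorithm lists and the scenario are constructed, and the encryption-/signature-capability constraints on the host key, plus the cipher/MAC/compression lists, are left out.

```python
"""Guess handling for SSH_MSG_KEXINIT (RFC 4253 section 7.1): when a peer sets
first_kex_packet_follows and its guess is wrong, the packet it sent right after
KEXINIT must be discarded, not parsed as the real KEXDH_INIT.
Constructed example; not OpenSSH or Dropbear code."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class KexInit:
    """The subset of KEXINIT this example needs. Lists are in preference order;
    the first entry is the guess the sender would act on."""
    kex_algorithms: List[str]
    host_key_algorithms: List[str]
    first_kex_packet_follows: bool = False


def first_common(client_prefs: List[str], server_prefs: List[str]) -> Optional[str]:
    """First algorithm in the client's order that the server also offers."""
    for alg in client_prefs:
        if alg in server_prefs:
            return alg
    return None


def guess_was_right(a: KexInit, b: KexInit) -> bool:
    """RFC 4253 7.1: the guess is right only if both sides' preferred KEX and
    host-key algorithms coincide. The RFC also counts failure to agree on any
    other algorithm as a wrong guess; those lists are omitted here."""
    return (a.kex_algorithms[0] == b.kex_algorithms[0]
            and a.host_key_algorithms[0] == b.host_key_algorithms[0])


def negotiate(client: KexInit, server: KexInit) -> Tuple[str, str]:
    """Choose (kex, hostkey): the shared guess if there is one, otherwise the
    client's first preference that the server supports."""
    if client.kex_algorithms[0] == server.kex_algorithms[0]:
        kex = client.kex_algorithms[0]
    else:
        kex = first_common(client.kex_algorithms, server.kex_algorithms)
    hostkey = first_common(client.host_key_algorithms, server.host_key_algorithms)
    if kex is None or hostkey is None:
        raise ValueError("no common KEX or host-key algorithm")
    return kex, hostkey


def must_discard_next(peer: KexInit, ours: KexInit) -> bool:
    """True when the peer announced a guessed packet and guessed wrong."""
    return peer.first_kex_packet_follows and not guess_was_right(peer, ours)


def packets_to_process(peer: KexInit, ours: KexInit, after_kexinit: List[str]) -> List[str]:
    """Apply the rule to the packets the peer sent after its KEXINIT. Skipping
    a wrong guess is what the fix restores; parsing it instead treats a
    KEXDH_INIT meant for a different method as the real one."""
    if must_discard_next(peer, ours) and after_kexinit:
        return after_kexinit[1:]
    return list(after_kexinit)


# Constructed scenario modelled on the report: a client that guesses and sends
# KEXDH_INIT immediately, against a server whose first preference differs.
GUESSING_CLIENT = KexInit(
    kex_algorithms=["diffie-hellman-group14-sha256", "diffie-hellman-group14-sha1"],
    host_key_algorithms=["ssh-rsa"],
    first_kex_packet_follows=True,
)
SERVER = KexInit(
    kex_algorithms=["curve25519-sha256@libssh.org", "diffie-hellman-group14-sha256",
                    "diffie-hellman-group14-sha1"],
    host_key_algorithms=["ssh-ed25519", "ssh-rsa"],
)


def server_view() -> Tuple[Tuple[str, str], bool, List[str]]:
    """What the server negotiates, whether it must skip a packet, and which
    packets it actually parses."""
    chosen = negotiate(GUESSING_CLIENT, SERVER)
    skip = must_discard_next(GUESSING_CLIENT, SERVER)
    seen = packets_to_process(GUESSING_CLIENT, SERVER,
                              ["KEXDH_INIT(guessed)", "KEXDH_INIT"])
    return chosen, skip, seen


if __name__ == "__main__":
    chosen, skip, seen = server_view()
    print("negotiated:", chosen)
    print("discard guessed packet:", skip)
    print("packets parsed:", seen)
```

A client that does not guess (first_kex_packet_follows false) never has a packet discarded, and a guess is kept only when both preferred KEX and host-key algorithms match exactly; a server that ignores the flag parses the guessed KEXDH_INIT and fails later with an unrelated-looking error, as the "negative bignum" and "Bad hostkey signature" messages in Comment 4 illustrate.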
Comment 8 Damien Miller 2016-02-26 14:44:26 AEDT
Retarget to openssh-7.3
Comment 9 Damien Miller 2016-02-26 14:47:17 AEDT
Retarget to openssh-7.3
Comment 10 Damien Miller 2016-04-22 16:47:32 AEST
Created attachment 2808
update to draft-ietf-curdle-ssh-kex-sha2-03 prefer groups 14, 16, 18

This updates Darren's diff to draft-ietf-curdle-ssh-kex-sha2-03, specifically changing the hash for the group16 KEX to SHA512. This diff also removes group 15 instead of group 18, so the groups supported are:

diffie-hellman-group14-sha256 - 2048 bit
diffie-hellman-group16-sha512 - 4096 bit
diffie-hellman-group18-sha512 - 8192 bit

IMO the powers of two are a bit cleaner than the intermediate ones. 

Finally, this tweaks the fallback group logic to choose the next larger group a bit sooner and to consider the 8192 bit fixed group.
Comment 11 Damien Miller 2016-05-02 21:01:48 AEST
Thanks Mark and Darren - patch applied. This will be in OpenSSH 7.3. 

commit 0e8eeec8e75f6d0eaf33317376f773160018a9c7
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon May 2 10:26:04 2016 +0000

    upstream commit
    
    add support for additional fixed DH groups from
     draft-ietf-curdle-ssh-kex-sha2-03
    
    diffie-hellman-group14-sha256 (2K group)
    diffie-hellman-group16-sha512 (4K group)
    diffie-hellman-group18-sha512 (8K group)
    
    based on patch from Mark D. Baushke and Darren Tucker
    ok markus@
    
    Upstream-ID: ac00406ada4f0dfec41585ca0839f039545bc46f

commit 67f1459efd2e85bf03d032539283fa8107218936
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Mon May 2 09:52:00 2016 +0000

    upstream commit
    
    unit and regress tests for SHA256/512; ok markus
    
    Upstream-Regress-ID: a0cd1a92dc824067076a5fcef83c18df9b0bf2c6
Comment 12 Damien Miller 2016-08-02 10:40:37 AEST
Close all resolved bugs after 7.3p1 release