Date: Sat, 25 Nov 2000 16:28:03 -0400
From: "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
To: "Brian F. Feldman" <green@FreeBSD.org>
Cc: audit@FreeBSD.org
Subject: Re: OpenSSH 2.3.0 pre-upgrade
Message-ID: <3A2020D3.A3BFDC2A@vangelderen.org>
References: <200011242344.eAONiG560473@green.dyndns.org>
[current@freebsd.org trimmed from CC]

"Brian F. Feldman" wrote:
> It's time again for an upgrade to our FreeBSD OpenSSH. Version 2.3.0 was
> released a few weeks back, and working off that I've produced a set of diffs
> from either what's in the tree now or the original OpenBSD, 2.3.0 sources.

Good work!

> What's new in this release? Mostly the adding of the AES (Rijndael) to the
> SSH2 algorithms. Is anything now broken? Well, nothing new broken that I
> know of; there was an issue of the canonical host name not being used, which
> I could have sworn it was before: in either case, it is used now. The auth
> loops previously did not take NULL struct passwd * arguments, but now they
> do (to inform them to fake authorization). This deprecated our fake auth
> loop, but gave me a lot of work to correct the logic in the code that
> expects non-NULL pw's. I think I did it all, but wouldn't be surprised if
> there's still a mistake, so I'd really appreciate others looking at it.
>
> There's some weird issue where for the Diffie-Hellman exchange, OpenSSH
> wants primes but doesn't seem to want to generate them... it expects an
> /etc/ssh/primes (which should become /var/run/ssh_primes, if anything)

Not necessarily: these primes are in the same league as the various
host keys which are stored in /etc/ssh already.

> and I
> have no clue where the program is that supposedly generates them.

Something like ssh-keygen or OpenSSL I'd presume. You don't want to
generate them on-the-fly in sshd as that's way too time-consuming.

> So, for
> SSH2, the authentication stage generates a large warning and uses a
> hardcoded prime. This should not actually have an effect on security,
> though, according to my understanding of the Diffie-Hellman protocol.

The warning seems to be generated when a key-exchange of type
DH_GEX_SHA1 is performed. DH_GEX_SHA1 appears to be a non-standard
(not documented in any RFC/I-D I could find) extension implemented
by OpenSSH only.

This kex-type doesn't add much to the security but makes the protocol
computationally less efficient (iff implemented properly). It certainly
isn't something you want enabled by default.

Anyway, this key exchange type should *only* be accepted when the
server actually supports it. The warning will only be generated when
the server claims to support DH_GEX_SHA1 *and* /etc/ssh/primes cannot
be found. However, if /etc/ssh/primes doesn't exist, DH_GEX_SHA1 should
not be accepted as a supported kex-type which would eliminate the
warning.

The warning certainly isn't harmless as it will condition people to
ignore warnings, including serious ones.

I would argue that we disable support for this non-standard kex-type
(at least in the sshd but preferably in the ssh client as well) until
it is properly documented. I can smell embrace-and-extend :-(

switch (kex->kex_type) { + case DH_GRP1_SHA1: + ssh_dh1_server(kex, client_kexinit, server_kexinit); + break; + case DH_GEX_SHA1: /* non-standard? */ + ssh_dhgex_server(kex, client_kexinit, server_kexinit); + break; + default: + fatal("Unsupported key exchange %d", kex->kex_type); + }

Cheers,
Jeroen
-- 
Jeroen C. van Gelderen
jeroen@vangelderen.org

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-audit" in the body of the message
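
Review bot: the DH_GEX_SHA1 case in the quoted switch calls ssh_dhgex_server() unconditionally, so nothing in these lines stops a group-exchange run on a server that has no /etc/ssh/primes to draw from. Either keep DH_GEX_SHA1 out of the set the server offers when that file is missing, so this case is never reached, or test for it here and fatal() the way the default case does. The "/* non-standard? */" comment should also be replaced with a pointer to whatever document defines the exchange, or a plain statement that none exists.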
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3A2020D3.A3BFDC2A>
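
An added example, not part of the original message and not OpenSSH's own code: one way to do what the reply asks, offering group exchange only when the primes file is usable, so a client that prefers it falls back to group1 and no warning is ever printed. The function names and the "readable, non-empty regular file" test are assumptions; the two strings are the SSH2 wire names behind DH_GRP1_SHA1 and DH_GEX_SHA1.

```c
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

#define KEX_DH1   "diffie-hellman-group1-sha1"
#define KEX_DHGEX "diffie-hellman-group-exchange-sha1"

/* Assumption: "usable" means a readable, non-empty regular file. */
static int primes_usable(const char *path)
{
    struct stat st;
    return access(path, R_OK) == 0 && stat(path, &st) == 0 &&
        S_ISREG(st.st_mode) && st.st_size > 0;
}

/* Server's kex list: group exchange is advertised only if it is backed. */
const char *server_kex_list(const char *primes_path)
{
    return primes_usable(primes_path) ? KEX_DHGEX "," KEX_DH1 : KEX_DH1;
}

/* First name on the client's list that the server also lists; 0 if none. */
int choose_kex(const char *client, const char *server, char *out, size_t n)
{
    while (*client) {
        size_t len = strcspn(client, ",");
        const char *s = server;
        while (*s) {
            size_t slen = strcspn(s, ",");
            if (slen == len && len < n && memcmp(s, client, len) == 0) {
                memcpy(out, client, len);
                out[len] = '\0';
                return 1;
            }
            s += slen + (s[slen] == ',');
        }
        client += len + (client[len] == ',');
    }
    return 0;
}

int main(void)
{
    char k[64];
    const char *srv = server_kex_list("/etc/ssh/primes");
    if (choose_kex(KEX_DHGEX "," KEX_DH1, srv, k, sizeof k))
        printf("server offers %s, negotiated %s\n", srv, k);
    return 0;
}
```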