Date:      Sat, 25 Nov 2000 16:28:03 -0400
From:      "Jeroen C. van Gelderen" <jeroen@vangelderen.org>
To:        "Brian F. Feldman" <green@FreeBSD.org>
Cc:        audit@FreeBSD.org
Subject:   Re: OpenSSH 2.3.0 pre-upgrade
Message-ID:  <3A2020D3.A3BFDC2A@vangelderen.org>
References:  <200011242344.eAONiG560473@green.dyndns.org>

[current@freebsd.org trimmed from CC]

"Brian F. Feldman" wrote:
> It's time again for an upgrade to our FreeBSD OpenSSH.  Version 2.3.0 was
> released a few weeks back, and working off that I've produced a set of diffs
> from either what's in the tree now or the original OpenBSD, 2.3.0 sources.

Good work!

> What's new in this release?  Mostly the adding of the AES (Rijndael) to the
> SSH2 algorithms.  Is anything now broken?  Well, nothing new broken that I
> know of; there was an issue of the canonical host name not being used, which
> I could have sworn it was before: in either case, it is used now.  The auth
> loops previously did not take NULL struct passwd * arguments, but now they
> do (to inform them to fake authorization).  This deprecated our fake auth
> loop, but gave me a lot of work to correct the logic in the code that
> expects non-NULL pw's.  I think I did it all, but wouldn't be surprised if
> there's still a mistake, so I'd really appreciate others looking at it.
> 
> There's some weird issue where for the Diffie-Hellman exchange, OpenSSH
> wants primes but doesn't seem to want to generate them... it expects an
> /etc/ssh/primes (which should become /var/run/ssh_primes, if anything) 

Not necessarily: these primes are in the same league as the
various host keys which are stored in /etc/ssh already.

> and I
> have no clue where the program is that supposedly generates them.  

Something like ssh-keygen or OpenSSL I'd presume. You don't want 
to generate them on-the-fly in sshd as that's way too time-consuming.

> So, for
> SSH2, the authentication stage generates a large warning and uses a
> hardcoded prime.  This should not actually have an effect on security,
> though, according to my understanding of the Diffie-Hellman protocol.

The warning seems to be generated when a key-exchange of type
DH_GEX_SHA1 is performed. DH_GEX_SHA1 appears to be a non-standard
(not documented in any RFC/I-D I could find) extension implemented 
by OpenSSH only. This kex-type doesn't add much to the security but 
makes the protocol computationally less efficient (iff implemented 
properly). It certainly isn't something you want enabled by default.

Anyway, this key exchange type should *only* be accepted when the 
server actually supports it. The warning will only be generated
when the server claims to support DH_GEX_SHA1 *and* /etc/ssh/primes
cannot be found. However, if /etc/ssh/primes doesn't exist, 
DH_GEX_SHA1 should not be accepted as a supported kex-type which
would eliminate the warning.

The warning certainly isn't harmless as it will condition people 
to ignore warnings, including serious ones.

I would argue that we disable support for this non-standard kex-type
(at least in the sshd but preferably in the ssh client as well) until 
it is properly documented. I can smell embrace-and-extend :-(

switch (kex->kex_type) {
+       case DH_GRP1_SHA1:
+               ssh_dh1_server(kex, client_kexinit, server_kexinit);
+               break;
+       case DH_GEX_SHA1: /* non-standard? */
+               ssh_dhgex_server(kex, client_kexinit, server_kexinit);
+               break;
+       default:
+               fatal("Unsupported key exchange %d", kex->kex_type);
+       }
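
Review bot: The DH_GEX_SHA1 case dispatches straight to ssh_dhgex_server() with nothing visible here that checks the server can supply a group, so a missing /etc/ssh/primes is only dealt with (by the warning and hardcoded-prime fallback described in this thread) after the type has already been negotiated. Either leave DH_GEX_SHA1 out of the server's proposal when the primes file is absent, so this case is never reached in that configuration, or fail here rather than fall back. The "/* non-standard? */" comment should also be replaced with one that names the document specifying this kex type, or states outright that it is an OpenSSH-only extension, once that is settled.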

Cheers,
Jeroen
-- 
Jeroen C. van Gelderen          o      _     _         _
jeroen@vangelderen.org  _o     /\_   _ \\o  (_)\__/o  (_)
                      _< \_   _>(_) (_)/<_    \_| \   _|/' \/
                     (_)>(_) (_)        (_)   (_)    (_)'  _\o_
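
The condition argued for in the message above (offer DH_GEX_SHA1 only when the primes file is usable), as an added example that is not part of the original message and not OpenSSH's code. The function names and the file check are hypothetical; the strings are the SSH wire names for the two kex types in the switch above.

```c
#include <stdio.h>
#include <string.h>

/* SSH wire name for the kex type the message calls DH_GEX_SHA1 */
#define KEX_DH_GEX "diffie-hellman-group-exchange-sha1"

/* 1 if the file has a non-blank, non-comment line. Assumption of this
 * example: entries are not parsed and lines fit in the buffer. */
static int primes_available(const char *path)
{
    char line[8192];
    int ok = 0;
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return 0;
    while (!ok && fgets(line, sizeof(line), f) != NULL) {
        const char *p = line + strspn(line, " \t\r\n");
        ok = (*p != '\0' && *p != '#');
    }
    fclose(f);
    return ok;
}

/* Copy the comma-separated kex proposal into out, dropping group exchange
 * when no primes are available. Returns methods kept, or -1 if out is too small. */
int filter_kex_proposal(const char *proposal, const char *primes_path,
                        char *out, size_t outlen)
{
    int have_primes = primes_available(primes_path);
    int kept = 0;
    size_t used = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    while (*proposal != '\0') {
        size_t n = strcspn(proposal, ",");
        int is_gex = (n == sizeof(KEX_DH_GEX) - 1 && !memcmp(proposal, KEX_DH_GEX, n));
        if (n > 0 && (have_primes || !is_gex)) {
            if (used + n + 2 > outlen)   /* optional comma + name + NUL */
                return -1;
            if (kept++ > 0)
                out[used++] = ',';
            memcpy(out + used, proposal, n);
            used += n;
            out[used] = '\0';
        }
        proposal += n + (proposal[n] == ',');
    }
    return kept;
}
```

A return value of 0 means no key exchange method is left to offer, which the caller should treat as a configuration error rather than send an empty proposal.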

