https://jbeekman.nl/ 2015-05-20T12:00:00Z Jethro Beekman https://jbeekman.nl/blog https://jbeekman.nl/favicon.ico tag:jbeekman.nl,2015-05-20:/blog/2015/05/ssh-logjam/ 2015-05-20T12:00:00Z 2015-05-20T12:00:00Z <p><a href="https://weakdh.org/">Recent work</a> showing the feasibility of calculating discrete logarithms on large integers has put the Diffie-Hellman key exchange parameters we use every day in the spotlight. I have looked at what this means for SSH key exchange. In short, on your <strong>SSH server</strong>, do the following:</p> <pre><code>awk '{ if ($5 &lt;= 2000) printf "#"; print }' /etc/ssh/moduli &gt; /tmp/large_moduli mv /tmp/large_moduli /etc/ssh/moduli </code></pre> <p>And put the following in your <code>sshd_config</code>:</p> <pre><code>KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256, ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1, diffie-hellman-group-exchange-sha256 </code></pre> <p>Note that <code>curve25519-sha256@libssh.org</code> is only supported in <a href="http://www.openssh.com/txt/release-6.5">OpenSSH 6.5</a> and up, and only works reliably in <a href="http://www.openssh.com/txt/release-6.7">OpenSSH 6.7</a> and up. On your <strong>SSH client</strong>, put the following in your <code>ssh_config</code>:</p> <pre><code>KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256, ecdh-sha2-nistp384,ecdh-sha2-nistp521, diffie-hellman-group14-sha1 </code></pre> <p>If with this configuration you are unable to connect to some SSH servers, and you need to add <code>diffie-hellman-group-exchange-sha1</code> or <code>diffie-hellman-group-exchange-sha256</code> to the supported list of algorithms, you should recompile your SSH client with a <code>DH_GRP_MIN</code> of 2048, so that a server can’t force your client to use a weak group.</p> <h3 id="technical-details">Technical details</h3> <p>Now follows a detailed explanation of these recommendations. The following key exchange mechanisms are supported in the current version (6.8) of OpenSSH:</p> <ul> <li><code>curve25519-sha256@libssh.org</code></li> <li><code>ecdh-sha2-nistp256</code></li> <li><code>ecdh-sha2-nistp384</code></li> <li><code>ecdh-sha2-nistp521</code></li> <li><code>diffie-hellman-group1-sha1</code></li> <li><code>diffie-hellman-group14-sha1</code></li> <li><code>diffie-hellman-group-exchange-sha1</code></li> <li><code>diffie-hellman-group-exchange-sha256</code></li> </ul> <p>The first four mechanisms, <code>curve25519-sha256@libssh.org</code>, <code>ecdh-sha2-nistp256</code>, <code>ecdh-sha2-nistp384</code>, <code>ecdh-sha2-nistp521</code>, do not use prime-field Diffie-Hellman and are not affected. <a href="http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html">Previous work</a> shows that these mechanisms are much faster when used at the same security level, so you should use them!</p> <p>The <code>diffie-hellman-group1-sha1</code> mechanism uses the fixed 1024-bit <a href="https://www.ietf.org/rfc/rfc2409.txt">Oakley Group 2</a> (not the 768-bit group 1, as the name of the mechanism might suggest). This group is within the range of being a viable target for nation-state attackers, and should not be used.</p> <p>The <code>diffie-hellman-group14-sha1</code> mechanism uses the fixed 2048-bit <a href="https://www.ietf.org/rfc/rfc3526.txt">Oakley Group 14</a>, which should be secure enough for now.</p> <p>The <code>diffie-hellman-group-exchange-sha1</code> and <code>diffie-hellman-group-exchange-sha256</code> mechanisms let the client and server negotiate a custom DH group. The client sends a tuple «min, n, max» to the server, indicating the client’s minimum, preferred and maximum group size. <a href="https://www.ietf.org/rfc/rfc4419.txt">According to the RFC</a>,</p> <blockquote> <p>Servers and clients SHOULD support groups with a modulus length of k bits, where 1024 &lt;= k &lt;= 8192. The recommended values for min and max are 1024 and 8192, respectively.</p> </blockquote> <p>The OpenSSH server selects a suitable group from a pre-generated set of groups, installed system-wide in <code>/etc/ssh/moduli</code> (falling back to <code>/etc/ssh/primes</code>), using the <code>choose_dh</code> function in <a href="https://github.com/openssh/openssh-portable/blob/master/dh.c"><code>dh.c</code></a>. In case no suitable group is found, the code defaults to Oakley Group 14, which is safe. A pre-generated set is <a href="https://github.com/openssh/openssh-portable/blob/master/moduli">distributed with the OpenSSH source</a> and many binary distributions and is infrequently changed. The group sizes distributed with OpenSSH are 1024, 1536, 2048, 3072, 4096, 6144, and 8192 bits, with about 30 groups per size. The OpenSSH-distributed 1024-bit groups are well-known and within the range of being a viable target for nation-state attackers, and as such should not be used.</p> <p>It is possible to generate your own set of groups, in which case it would be safer to use a 1024-bit group, but you might as well go for larger groups. The <code>ssh-keygen</code> man page mentions that “It is important that … both ends of a connection share common moduli.” That statement should not be interpreted as “both server and client need to have the same moduli configured”, as the server sends the chosen modulus to the client. As a case-in-point, the OpenSSH client does not access the system-wide moduli file at all during connection setup.</p> <p>Speaking about the client, it usually offers the RFC-specified minimum of 1024 bits. There is nothing preventing a server from using that value and offering a well-known (and thus weak) group. So, a standard client shouldn’t use the custom group key exchange mechanisms, unless there is a way to change the minimum group size.</p>

<p><a href="https://weakdh.org/">Recent work</a> showing the feasibility of calculating discrete logarithms on large integers has put the Diffie-Hellman key exchange parameters we use every day in the spotlight. I have looked at what this means for SSH key exchange. In short, on your <strong>SSH server</strong>, do the following:</p>