<p><strong>On OpenSSH and Logjam</strong>. Jethro Beekman, Technology &amp; Policy (<a href="https://jbeekman.nl/blog">https://jbeekman.nl/blog</a>), 2015-05-20.</p>
<p><a href="https://weakdh.org/">Recent work</a> showing the feasibility of calculating
discrete logarithms on large integers has put the Diffie-Hellman key exchange
parameters we use every day in the spotlight. I have looked at what this means
for SSH key exchange. In short, on your <strong>SSH server</strong>, do the following
(the fifth column of <code>/etc/ssh/moduli</code> is the group size, recorded as one less
than the bit length, so a threshold of 2000 keeps the 2048-bit and larger groups
and comments out the 1024- and 1536-bit ones):</p>
<pre><code>awk '{ if ($5 <= 2000) printf "#"; print }' /etc/ssh/moduli > /tmp/large_moduli
mv /tmp/large_moduli /etc/ssh/moduli
</code></pre>
<p>And put the following in your <code>sshd_config</code> (as a single line with no
whitespace around the commas; it is wrapped here only for display):</p>
<pre><code>KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,
ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group14-sha1,
diffie-hellman-group-exchange-sha1,
diffie-hellman-group-exchange-sha256
</code></pre>
<p>Note that <code>curve25519-sha256@libssh.org</code> is only supported in <a href="http://www.openssh.com/txt/release-6.5">OpenSSH
6.5</a> and up, and only works reliably in
<a href="http://www.openssh.com/txt/release-6.7">OpenSSH 6.7</a> and up. On your <strong>SSH
client</strong>, put the following (again on one line) in your <code>ssh_config</code>:</p>
<pre><code>KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,
ecdh-sha2-nistp384,ecdh-sha2-nistp521,
diffie-hellman-group14-sha1
</code></pre>
<p>If with this configuration you are unable to connect to some SSH servers, and
you need to add <code>diffie-hellman-group-exchange-sha1</code> or
<code>diffie-hellman-group-exchange-sha256</code> to the supported list of algorithms, you
should recompile your SSH client with <code>DH_GRP_MIN</code> (defined in <code>dh.h</code>) set to
2048, so that a server can’t force your client to use a weak group.</p>
<h3 id="technical-details">Technical details</h3>
<p>Now follows a detailed explanation of these recommendations. The following key
exchange mechanisms are supported in the current version of OpenSSH (6.8 at the
time of writing):</p>
<ul>
<li><code>curve25519-sha256@libssh.org</code></li>
<li><code>ecdh-sha2-nistp256</code></li>
<li><code>ecdh-sha2-nistp384</code></li>
<li><code>ecdh-sha2-nistp521</code></li>
<li><code>diffie-hellman-group1-sha1</code></li>
<li><code>diffie-hellman-group14-sha1</code></li>
<li><code>diffie-hellman-group-exchange-sha1</code></li>
<li><code>diffie-hellman-group-exchange-sha256</code></li>
</ul>
<p>The first four mechanisms, <code>curve25519-sha256@libssh.org</code>,
<code>ecdh-sha2-nistp256</code>, <code>ecdh-sha2-nistp384</code>, <code>ecdh-sha2-nistp521</code>, do not use
prime-field Diffie-Hellman and are not affected. <a href="http://nmav.gnutls.org/2011/12/price-to-pay-for-perfect-forward.html">Previous
work</a>
shows that these mechanisms are much faster when used at the same security
level, so you should use them!</p>
<p>The <code>diffie-hellman-group1-sha1</code> mechanism uses the fixed 1024-bit <a href="https://www.ietf.org/rfc/rfc2409.txt">Oakley
Group 2</a> (not the 768-bit group 1, as the
name of the mechanism might suggest). This group is within the range of being a
viable target for nation-state attackers, and should not be used.</p>
<p>The <code>diffie-hellman-group14-sha1</code> mechanism uses the fixed 2048-bit <a href="https://www.ietf.org/rfc/rfc3526.txt">Oakley
Group 14</a>, which should be secure enough
for now.</p>
<p>The <code>diffie-hellman-group-exchange-sha1</code> and
<code>diffie-hellman-group-exchange-sha256</code> mechanisms let the client and server
negotiate a custom DH group. The client sends a tuple «min, n, max» to the
server, indicating the client’s minimum, preferred and maximum group size.
<a href="https://www.ietf.org/rfc/rfc4419.txt">According to the RFC</a>,</p>
<blockquote>
<p>Servers and clients SHOULD support groups with a modulus length of k
bits, where 1024 <= k <= 8192. The recommended values for min and
max are 1024 and 8192, respectively.</p>
</blockquote>
<p>The OpenSSH server selects a suitable group from a pre-generated set of groups,
installed system-wide in <code>/etc/ssh/moduli</code> (falling back to <code>/etc/ssh/primes</code>),
using the <code>choose_dh</code> function in
<a href="https://github.com/openssh/openssh-portable/blob/master/dh.c"><code>dh.c</code></a>. In case
no suitable group is found, the code falls back to the fixed 2048-bit Oakley Group 14,
which is safe. A pre-generated set is <a href="https://github.com/openssh/openssh-portable/blob/master/moduli">distributed with the OpenSSH
source</a> and
many binary distributions and is infrequently changed. The group sizes
distributed with OpenSSH are 1024, 1536, 2048, 3072, 4096, 6144, and 8192 bits,
with about 30 groups per size. The OpenSSH-distributed 1024-bit groups are
well-known, so the one-time precomputation that Logjam relies on pays off against
every server that uses them; they are within the range of being a viable target
for nation-state attackers, and as such should not be used.</p>
<p>It is possible to generate your own set of groups (<code>ssh-keygen -G</code> produces
candidate primes and <code>ssh-keygen -T</code> screens them). In that case even a 1024-bit
group is less exposed than the well-known ones, because an attacker would have to
repeat the precomputation for your group specifically, but you might as well go
for larger groups. The <code>ssh-keygen</code> man page mentions that “It is important that … both ends of a
connection share common moduli.” That statement should not be interpreted as
“both server and client need to have the same moduli configured”, as the server
sends the chosen modulus to the client. As a case-in-point, the OpenSSH client
does not access the system-wide moduli file at all during connection setup.</p>
<p>Speaking about the client, it usually offers the RFC-specified minimum of 1024
bits. There is nothing preventing a server from picking exactly that value and
offering a well-known (and thus weak) group, and the client will accept it because
it lies within the range the client itself advertised. So a standard client
shouldn’t offer the custom group key exchange mechanisms at all, unless there is a
way to raise its minimum group size.</p>
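<p>The negotiation described in the last few paragraphs, as an added model written
for this post (it is not OpenSSH code): the server draws from a pool in
<code>/etc/ssh/moduli</code> format, the client sends «min, n, max», the server picks a
group, and the client rejects any modulus outside its own [min, max]. The server
selection is a simplification of <code>choose_dh</code> (closest size to n, or, for the
adversarial case, the smallest size the client tolerates); the sample moduli are
constructed placeholders with the right bit lengths, not primes, and the size
column records the bit length minus one as in the real file. The same pass that
parses the file also implements the filtering the awk one-liner at the top does.</p>

```python
"""Model of the RFC 4419 group-exchange negotiation (added illustration,
not OpenSSH code).  Shows why the client's advertised minimum, not the
server's pool, is what protects the client against a weak group."""


def placeholder_modulus(bits):
    """Constructed stand-in for a modulus: an odd number of exactly `bits`
    bits.  It is NOT prime; it only gives the sample the right length."""
    return (1 << (bits - 1)) | 1


# Constructed sample in moduli(5) column order:
# time type tests tries size generator modulus.  As in the real file, the
# size column holds the bit length minus one (1023 for a 1024-bit group).
SAMPLE_MODULI = "# Time Type Tests Tries Size Generator Modulus\n" + "".join(
    "20150520000000 2 6 100 %d 2 %x\n" % (bits - 1, placeholder_modulus(bits))
    for bits in (1024, 1536, 2048, 4096)
)


def parse_moduli(text):
    """Return [(bits, generator, modulus)] for every non-comment line."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        _time, _type, _tests, _tries, size, gen, mod = line.split()
        p = int(mod, 16)
        bits = int(size) + 1            # file stores length - 1
        assert p.bit_length() == bits, "size column disagrees with modulus"
        groups.append((bits, int(gen), p))
    return groups


def filter_moduli(text, min_bits):
    """Comment out groups shorter than min_bits (what the awk one-liner does)."""
    out = []
    for line in text.splitlines():
        fields = line.split()
        if fields and not line.lstrip().startswith("#") and int(fields[4]) + 1 < min_bits:
            line = "#" + line
        out.append(line)
    return "\n".join(out) + "\n"


def server_choose(groups, cmin, n, cmax, adversarial=False):
    """Pick a group inside the client's [cmin, cmax]; None if there is none."""
    candidates = [g for g in groups if cmin <= g[0] <= cmax]
    if not candidates:
        return None
    if adversarial:
        # A hostile server offers the weakest group the client said it accepts.
        return min(candidates, key=lambda g: g[0])
    # Honest server (simplified choose_dh): smallest size >= n, else the largest.
    at_least_n = [g for g in candidates if g[0] >= n]
    if at_least_n:
        return min(at_least_n, key=lambda g: g[0])
    return max(candidates, key=lambda g: g[0])


def client_accepts(p, cmin, cmax):
    """The client-side range check on the modulus it received."""
    return cmin <= p.bit_length() <= cmax


def negotiate(groups, cmin, n, cmax, adversarial=False):
    """Run one exchange; return the bit length used, or raise ValueError."""
    g = server_choose(groups, cmin, n, cmax, adversarial)
    if g is None:
        raise ValueError("server has no group in the client's range")
    bits, _gen, p = g
    if not client_accepts(p, cmin, cmax):
        raise ValueError("client rejected %d-bit group" % bits)
    return bits


if __name__ == "__main__":
    pool = parse_moduli(SAMPLE_MODULI)
    print("default client (min 1024) vs hostile server:",
          negotiate(pool, 1024, 2048, 8192, adversarial=True))   # 1024
    print("client rebuilt with min 2048 vs hostile server:",
          negotiate(pool, 2048, 2048, 8192, adversarial=True))   # 2048
    hardened = parse_moduli(filter_moduli(SAMPLE_MODULI, 2048))
    print("default client vs server with filtered moduli:",
          negotiate(hardened, 1024, 2048, 8192, adversarial=True))  # 2048
```

<p>The two runs with the hostile server make the point of the post: with the stock
minimum of 1024 the client happily uses the 1024-bit group, while a client whose
minimum is 2048 never lets the server go below that, whatever the server's pool
contains. Filtering the server's moduli file only protects clients of servers you
control; raising the client's minimum protects the client everywhere.</p>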
<p><a href="https://weakdh.org/">Recent work</a> showing the feasibility of calculating
discrete logarithms on large integers has put the Diffie-Hellman key exchange
parameters we use every day in the spotlight. I have looked at what this means
for SSH key exchange. In short, on your <strong>SSH server</strong>, do the following:</p>