Are these configurations still valid after The 1024-bit DH attacks ?

[iemejia]

Hi, I just read this article in the EFF website and wondered if maybe the different configurations here must be updated. https://www.eff.org/deeplinks/2015/10/how-to-protect-yourself-from-nsa-attacks-1024-bit-DH https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/

[GigabyteProductions]

Most of the configurations currently in the repository only allow for ECDHE, which doesn't have an export like DHE does, but a server administrator should also be generating DH parameters that are at least 2048-bit and configuring their servers to use them. These configuration files don't include an example of this, so servers using these configurations will use the server defaults in DH params, which are usually decent 2048-bit DH params.

So, I think the answer is yes, but I'd have to research the default behavior of each of the servers to give a definite answer. If you have a publicly accessible web server that you're concerned about, you can test it's SSL configuration with https://www.ssllabs.com/ssltest/.

[guidoiaquinti]

If I understood properly the goal of this repository I'm for updating the configurations. By default it should provide a hardened configuration. I don't like too much add the condition "DH kex method is ok only if len(params) >= 2048-bit".

[iemejia]

@GigabyteProductions thanks for your answer, those DH parameters you refer to are the ones commonly found in /etc/ssh/moduli ? Is there a way to enforce those ?

[guidoiaquinti]

@GigabyteProductions please correct me if I'm wrong

@iemejia the /etc/ssh/moduli contains pre-generated group parameters for Diffie-Hellman. You can generate new parameters with openssl (example: 'openssl dhparam -out dhparams.pem 2048')

You can find more info about the generation and '/etc/ssh/moduli' usage in: https://wiki.openssl.org/index.php/Diffie_Hellman https://wiki.openssl.org/index.php/Diffie-Hellman_parameters http://security.stackexchange.com/questions/41941/consequences-of-tampered-etc-ssh-moduli http://security.stackexchange.com/questions/54359/what-is-the-difference-between-diffie-hellman-generator-2-and-5

[iemejia]

@ilmerovingio thanks, do you know if there is a way to restrict in the sshd_config that those DH moduli parameters are >= 2048-bit ?

I suppose that the correct hardened config would be to disable non-EC DHE too, no ?, leaving just:

KexAlgorithms curve25519-sha256@libssh.org

[mrc0mmand]

@iemejia As far as I know, there's no way to explicitly specify DH moduli size in ssh* conf. files. You can either remove unsafe moduli from your /etc/ssh/moduli file or you can regenerate it, eg.:

ssh-keygen -G /etc/ssh/moduli.all -b 2048
ssh-keygen -T /etc/ssh/moduli.safe -f /etc/ssh/moduli.all
mv /etc/ssh/moduli.safe /etc/ssh/moduli
rm /etc/ssh/moduli.all

But keep in mind this can take a really long time on slow devices. (Source: https://stribika.github.io/2015/01/04/secure-secure-shell.html)

[GigabyteProductions]

@ilmerovingio Hmmm. I actually didn't realize that's what /etc/ssh/moduli was. Now that I'm looking at it's manual page, it, indeed, appears to be a kind of DH-parameters, but you can't generate them with openssl like one would in most cases. As @mrc0mmand has pointed out, it also cannot be stated in the configuration files which size to use (though, it looks like each KexAlgorithm has it's own minimum), so it's better to re-generate the moduli file with only the sizes you approve of. @mrc0mmand gives a good demonstration of this.

@iemejia While disabling non-EC DHE would suffice, you can safely use DHE as long as you've generated at least 2048-bit moduli and aren't supporting the weak versions of SSH's DHE (see https://weakdh.org/sysadmin.html#openssh). The safe Kex config would be:

KexAlgorithms curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256

A lot of what was discussed here has been done in the ssh configuration files in my fork of duraconf, so maybe I'll try to re-arrange the commits to make them merge-friendly (just merging my ssh files rather than merging ssh, gpg , and whatever else I worked on), unless @ioerror just wants to merge my master or something.

[ecki]

I don’t see this fixed in the current master for sshd/sshclient (absent) (unless you consider recent OpenSSH defaults beeing secure). Would be good to have at least a close comment (or close the Repo)

[iemejia]

Well this repo has not been updated in 4 years so I consider it invalid now that's why I closed this issue (question). Anyone knows if there is a more recent equivalent?

[nodiscc]

@iemejia You can find interesting hardened configurations for various services (apache, nginx, openssh, ...) in the repos at https://github.com/dev-sec

[iemejia]

Thanks for the pointer @nodiscc