Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

x/crypto/ssh: Make SetDefaults disable diffie-hellman-group1-sha1 #12955

Closed
jeffallen opened this issue Oct 16, 2015 · 3 comments
Closed

x/crypto/ssh: Make SetDefaults disable diffie-hellman-group1-sha1 #12955

jeffallen opened this issue Oct 16, 2015 · 3 comments
Milestone

Comments

@jeffallen
Copy link
Contributor

@jeffallen jeffallen commented Oct 16, 2015

https://weakdh.org/sysadmin.html recommends that users of OpenSSH who want to continue to support non-elliptic-curve Diffie-Hellman should disable Group 1 support, by removing the diffie-hellman-group1-sha1 Key Exchange.

I think it would be in keeping with Go's normal forward looking and strong security posture that SetDefault does not include kexAlgoDH1SHA1 in Config.KeyExchanges. The docs could be updated to indicate that users wishing to enable this deprecated key exchange algorithm should add it at the end of Config.KeyExchanges themselves after calling SetDefaults.

@hanwen
Copy link
Contributor

@hanwen hanwen commented Oct 18, 2015

Would this really fix anything, practically speaking? Group1 is already the least preferred kex anyway.

Do you have any data on which implementations don't support anything but group1? Are there any clients which prefer group1 over the stronger kexes?

@jeffallen
Copy link
Contributor Author

@jeffallen jeffallen commented Oct 19, 2015

It's a question of defensive security posture. In a perfect world, clients would protect themselves by insisting on something other than group1, but we don't live in a perfect world.

In my opinion, Go's defaults should be defensive, and we now suspect that group1 is unusable for secure communication, so it has to be removed from the defaults.

@rsc rsc added this to the Unreleased milestone Oct 23, 2015
@gopherbot
Copy link

@gopherbot gopherbot commented Jul 12, 2018

Change https://golang.org/cl/123595 mentions this issue: ssh: drop dh-group1-sha1 from default key exchanges

bored-engineer pushed a commit to bored-engineer/ssh that referenced this issue Oct 13, 2019
This removes diffie-hellman-group1-sha1 from the list of default
key exchange algorithms. This kex is considered weak and potentially
vulnerable to the Logjam attack.

Note: This is a backwards incompatible change: if you connect to ssh
servers that do not support any key exchanges except for dh-group1-sha1,
you must now specify config.KeyExchanges explicity.

See also:
https://www.openssh.com/legacy.html
https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html

Fixes golang/go#12955

Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
bored-engineer pushed a commit to bored-engineer/ssh that referenced this issue Oct 13, 2019
This removes diffie-hellman-group1-sha1 from the list of default
key exchange algorithms. This kex is considered weak and potentially
vulnerable to the Logjam attack.

Note: This is a backwards incompatible change: if you connect to ssh
servers that do not support any key exchanges except for dh-group1-sha1,
you must now specify config.KeyExchanges explicity.

See also:
https://www.openssh.com/legacy.html
https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html

Fixes golang/go#12955

Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
bored-engineer pushed a commit to bored-engineer/ssh that referenced this issue Oct 13, 2019
This removes diffie-hellman-group1-sha1 from the list of default
key exchange algorithms. This kex is considered weak and potentially
vulnerable to the Logjam attack.

Note: This is a backwards incompatible change: if you connect to ssh
servers that do not support any key exchanges except for dh-group1-sha1,
you must now specify config.KeyExchanges explicity.

See also:
https://www.openssh.com/legacy.html
https://blog.gdssecurity.com/labs/2015/8/3/ssh-weak-diffie-hellman-group-identification-tool.html

Fixes golang/go#12955

Change-Id: I032d5175d63ab5d1912de72957a80200eb396bc9
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/123595
Reviewed-by: Han-Wen Nienhuys <hanwen@google.com>
@golang golang locked and limited conversation to collaborators Sep 8, 2020
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Projects
None yet
Linked pull requests

Successfully merging a pull request may close this issue.

None yet
4 participants
You can’t perform that action at this time.