On Thu, Nov 3, 2016 at 8:14 AM, Jonathan Paquet <[email protected]>
wrote:
> Ok, so for protocol 2, what is used by default?
There is no exact equivalent of ServerKeyBits in ssh Protocol 2.
In Protocol 1 the server generates an ephemeral RSA key that is
ServerKeyBits in size when it starts up, and regenerates it every ~1h if it
has been used. That key is used to encrypt the SSH session key sent to the
client.
In Protocol 2 the session key is derived from a Diffie-Hellman[1] exchange
at the beginning of each connection, which produces a shared secret that
both sides contribute to but neither controls.
> > The minimum key encryption that we want to allow is 1024, and the version
> > of openssh on esxi 6 is 7.1p1. Openssl 1.0.1p.
>
Short answer: OpenSSH's Protocol 2 doesn't support anything weaker than
1024 bits.
Long answer:
The absolute minimum strength key exchange in the SSHv2 spec is
diffie-hellman-group1-sha1, which is specified as 1024 bits. It is
considered weak and has been disabled by default since OpenSSH 7.0. There
is another set of Diffie-Hellman algorithms where the server picks the
group (diffie-hellman-group-exchange-sha{1,256}) and in OpenSSH those are
picked from the moduli file. OpenSSH hasn't ever shipped a moduli file
with groups <1k bits, 1k bit groups were removed around 7.0 as well, then
1.5kbit groups some time later.
[1] Actually there are several supported key exchange algorithms (see
KexAlgorithms in sshd_config(8)), and exactly which one gets used will
depend on what the client and server support and/or have enabled. They all
have the same security properties, though.
--
Darren Tucker (dtucker at zip.com.au)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
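
The reply above names the two places a minimum Diffie-Hellman size comes from in Protocol 2: the fixed groups listed in KexAlgorithms and the groups in the moduli file. The following is an added example, not part of the original message or of OpenSSH: a small audit of both against a site minimum. The function names, the sample KexAlgorithms string and the sample moduli lines are constructed for illustration, and the sample moduli are not real primes.

```python
"""Added example: audit DH group sizes used by SSH protocol 2 key exchange."""

# Fixed-group key exchanges and their group size in bits (RFC 4253).
# Group-exchange methods are absent here: their size comes from the moduli file.
FIXED_GROUP_BITS = {
    "diffie-hellman-group1-sha1": 1024,
    "diffie-hellman-group14-sha1": 2048,
}


def weak_moduli(text, min_bits):
    """Return (line_number, bits) for every moduli(5) entry below min_bits."""
    weak = []
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no group
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {n}: expected 7 fields, got {len(fields)}")
        # Measure the modulus itself instead of trusting the size column.
        bits = int(fields[6], 16).bit_length()
        if bits < min_bits:
            weak.append((n, bits))
    return weak


def weak_kex(kex_algorithms, min_bits):
    """Return fixed-group DH methods in a KexAlgorithms list below min_bits."""
    names = [k.strip() for k in kex_algorithms.split(",") if k.strip()]
    return [k for k in names if FIXED_GROUP_BITS.get(k, min_bits) < min_bits]


def _fake_modulus(bits):
    # Constructed value with the requested bit length; NOT a safe prime.
    return "8" + "0" * (bits // 4 - 2) + "1"


# Constructed sample input in moduli(5) layout:
# time, type, tests, tries, size, generator, modulus
SAMPLE_MODULI = "\n".join(
    ["# constructed sample, not a usable moduli file"]
    + [f"20160101000000 2 6 100 {b - 1} 2 {_fake_modulus(b)}"
       for b in (1024, 1536, 2048)]
)
SAMPLE_KEX = ("curve25519-sha256@libssh.org,diffie-hellman-group-exchange-sha256,"
              "diffie-hellman-group14-sha1,diffie-hellman-group1-sha1")

if __name__ == "__main__":
    print("moduli below 2048 bits:", weak_moduli(SAMPLE_MODULI, 2048))
    print("kex below 2048 bits:", weak_kex(SAMPLE_KEX, 2048))
```

With a minimum of 1024 both functions return empty lists for this sample, which matches the short answer in the reply.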