Bug#1082728: openssh: Passive SSH Key Compromise via Lattices (RSA host keys)
On 9/24/24 22:01, Colin Watson wrote:
> On Tue, Sep 24, 2024 at 08:55:29PM -0700, Matt Taggart wrote:
>> Passive SSH Key Compromise via Lattices
>> Keegan Ryan, Kaiwen He, George Arnold Sullivan, and Nadia Heninger
>> https://eprint.iacr.org/2023/1711.pdf
>> details an attack that allows a passive observer to potentially compromise
>> RSA host keys. They also include details on internet-wide scans to measure
>> the prevalence of vulnerable signatures in the wild.
>
> This paper has been public since November 2023, and it also says in
> section 5 that OpenSSH implements countermeasures against it. Is there
> something new that's come to light more recently?
>
> (I haven't yet had time to read the paper in depth.)
Sorry, I should have read the whole thing before filing the bug...
Section 5.1 says: not an issue on openssh because it uses openssl to
generate signatures and openssl has had countermeasures for this since
2001. So hopefully that is enough....
Section 5.2 says: openssh 8.8 deprecated "ssh-rsa" (sha1), but
"rsa-sha2-256" and "rsa-sha2-512" remain.
I am a bit confused as to what controls this in sshd_config. I see:
HostbasedAcceptedAlgorithms: signature algorithms that will be accepted
for host based authentication
HostKeyAlgorithms: host key signature algorithms that the server offers
and the manpage entry for those has lists that do NOT contain ssh-rsa.
However, running `ssh -Q` for each of these on my bookworm
(1:9.2p1-2+deb12u3) system still lists `ssh-rsa` and
`ssh-rsa-cert-v01@openssh.com`. Are they really still available?
As for RSA keys, existing RSA host keys still function and I don't think
there has been any call to deprecate RSA as a key type, or even stop
generating and using it by default on new installs. I'm not sure what
those HardenedBSD folks are thinking...
So I think this is not severity grave and also I'm not sure if there is
anything to do here. The authors make the point that there is a huge
installed base still using ssh-rsa, but for Debian hosts they A) are
likely not vulnerable due to 5.1 above and B) if they were, the way to
fix them would probably be upgrading to 8.8+?
But is there anything about mixed interactions that Debian should be
doing? What is the current (and also expected) behavior of:
* newer Debian client connecting to older rsa-sha server
* older rsa-sha client connecting to newer Debian server
In negotiating, it would have to be a pretty old version to only have
ssh-rsa and not also one of the newer options, right?
Hopefully in any case where only ssh-rsa is available, these complain
loudly and refuse to connect. Also currently the NEWS.Debian entry for
1:8.8p1-1 explains the issue well.
So sorry for the fire drill, although I am curious about the `ssh -Q`
weirdness I saw, hopefully someone can explain that.
--
Matt Taggart
matt@lackof.org
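Added example, not part of the bug report or of OpenSSH: `ssh -Q` lists every algorithm the binary was compiled with, while `sshd -T` (server) and `ssh -G host` (client) print the effective configured values, so an algorithm can appear in `ssh -Q` output without ever being offered. The script below parses an `sshd -T` style dump and flags the SHA-1 RSA signature algorithm names; the sample dump is constructed and shortened, not taken from a real host.

```python
"""Audit an `sshd -T` dump for SHA-1 RSA signature algorithms."""

# Signature algorithm names that use RSA with SHA-1 (disabled by default
# since OpenSSH 8.8); the rsa-sha2-* names are RSA with SHA-2 and remain.
SHA1_RSA = {"ssh-rsa", "ssh-rsa-cert-v01@openssh.com"}

# sshd_config keywords whose values are comma-separated signature algorithms.
ALGO_KEYWORDS = {
    "hostkeyalgorithms",
    "hostbasedacceptedalgorithms",
    "pubkeyacceptedalgorithms",
    "casignaturealgorithms",
}

# Constructed, shortened `sshd -T` style output (not copied from a real host).
SAMPLE_DUMP = """\
port 22
hostkeyalgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
pubkeyacceptedalgorithms ssh-ed25519,ssh-rsa,rsa-sha2-512,rsa-sha2-256
hostbasedacceptedalgorithms ssh-ed25519,rsa-sha2-512
casignaturealgorithms ssh-ed25519,rsa-sha2-512,rsa-sha2-256
"""


def parse_dump(text):
    """Return {keyword: [algorithm, ...]} for the algorithm-list keywords."""
    result = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].lower() in ALGO_KEYWORDS:
            result[parts[0].lower()] = parts[1].strip().split(",")
    return result


def sha1_rsa_findings(text):
    """Return {keyword: [names]} for every list that still offers SHA-1 RSA."""
    findings = {}
    for keyword, algos in parse_dump(text).items():
        hits = [a for a in algos if a in SHA1_RSA]
        if hits:
            findings[keyword] = hits
    return findings


if __name__ == "__main__":
    # Feed real output with: sshd -T | python3 this_script.py
    for keyword, hits in sha1_rsa_findings(SAMPLE_DUMP).items():
        print(f"{keyword}: still offers SHA-1 RSA names {hits}")
```

Pipe live `sshd -T` output into `sha1_rsa_findings` to see which configured lists, if any, still carry `ssh-rsa`; an empty result with `ssh-rsa` present in `ssh -Q` output is the expected state on a default configuration.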