2

I'm seeking to mitigate CVE-2002-20001 by disabling DHE key exchange through OpenSSH on an Ubuntu instance.

I understand this can be achieved through editing the /etc/ssh/sshd_config at line

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256

How might I edit this line to disable DHE key exchange? Will this be sufficient to mitigate the vulnerability? How can I make sure the threat is mitigated?

kenlukas
user281564

2 Answers

4

The KexAlgorithms configuration option is correct, but you want to use a - at the beginning of the line like:

KexAlgorithms -diffie-hellman-group1-sha1,diffie-hellman-group1-sha256,diffie-hellman-group14-sha1,diffie-hellman-group14-sha256,diffie-hellman-group15-sha256,diffie-hellman-group15-sha512,diffie-hellman-group16-sha256,diffie-hellman-group16-sha512,diffie-hellman-group17-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha512

Because:

If the specified list begins with a ‘-’ character, then the specified algorithms (including wildcards) will be removed from the default set instead of replacing them.

Note: you can wildcard this e.g. KexAlgorithms -diffie-hellman-group*

NOTE2: This doesn't work for older versions of OpenSSH; on CentOS 7, for example, the - doesn't work and you have to explicitly state what algorithms you want to use:
KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

You also want to control the number of unauthenticated connections with the following settings:

MaxStartups 10:30:100
PerSourceMaxStartups 1
PerSourceNetBlockSize 32:128

You can find a list of available KexAlgorithms using this command:
sudo sshd -T |grep kexalgorithms

Output before blocking Diffie-Hellman:

kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256

and after:

kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521

or you could use nmap:

nmap --script ssh2-enum-algos -sV -p 22 localhost

References
dheater git repo
sshd_config KexAlgorithms

kenlukas
  • The output of ssh -Q kex is the same before and after adding the KexAlgorithms configuration option and restarting the SSH service. Any idea why this may be the case? – user281564 Aug 12 '22 at 15:33
  • @user281564 I've updated the post. Using the sshd or nmap test provides an accurate output. I don't have time to look but I'm guessing the ssh -Q kex command is what's available for ssh to use. Not what's allowed by the sshd daemon. – kenlukas Aug 12 '22 at 16:43
  • I'm now able to verify that the configurations have taken effect. Thank you! – user281564 Aug 12 '22 at 17:38
  • 1
    It's not the version of Linux that matters for the "algs minus" syntax, but the version of OpenSSH, see https://www.openssh.com/txt/release-7.5 -- and CentOS/RHEL7 packages OpenSSH 7.4, though with enough effort you could replace it – dave_thompson_085 Aug 13 '22 at 01:12
  • Thanks @dave_thompson_085! I updated the answer to reflect your feedback – kenlukas Aug 13 '22 at 18:00
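
The `sshd -T` check from the answer above, as an added example that is not part of the original post or of OpenSSH: it reads the effective server configuration on stdin and fails if any `diffie-hellman-*` key exchange is still offered, or if no `kexalgorithms` line is present at all. The function names are made up for this example, and the two sample lines are the before/after outputs quoted in the answer.

```sh
#!/bin/sh
# Added example: audit `sshd -T` output for remaining finite-field DH key exchange.

# Print each diffie-hellman-* algorithm in the effective kexalgorithms list.
# Exits 2 if the input has no kexalgorithms line (e.g. sshd -T failed).
remaining_dhe_kex() {
    awk '$1 == "kexalgorithms" {
             found = 1
             n = split($2, algs, ",")
             for (i = 1; i <= n; i++)
                 if (algs[i] ~ /^diffie-hellman-/) print algs[i]
         }
         END { if (!found) exit 2 }'
}

# Return 0 when no DHE kex is offered, 1 when some remain, 2 on unusable input.
check_dhe_disabled() {
    dhe_rc=0
    dhe_left=$(remaining_dhe_kex) || dhe_rc=$?
    if [ "$dhe_rc" -ne 0 ]; then
        echo "no kexalgorithms line in input; is this sshd -T output?" >&2
        return 2
    fi
    if [ -n "$dhe_left" ]; then
        printf 'DHE key exchange still offered:\n%s\n' "$dhe_left" >&2
        return 1
    fi
    echo "no diffie-hellman-* key exchange offered"
}

# Sample input: the "before" and "after" lines quoted in the answer above.
BEFORE='kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group14-sha256'
AFTER='kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521'

printf '%s\n' "$BEFORE" | check_dhe_disabled || true   # reports four algorithms
printf '%s\n' "$AFTER"  | check_dhe_disabled           # passes

# Live use, after restarting sshd: sudo sshd -T | check_dhe_disabled
```

Treating a missing `kexalgorithms` line as a failure keeps a broken or empty `sshd -T` run from being read as a clean result.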
2

On Ubuntu 20.04 you can limit the key exchange algorithms by setting the config item KexAlgorithms in /etc/ssh/sshd_config.d/ssh-audit_hardening.conf. To avoid all Diffie-Hellman groups you could set:

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org

There is an (updated) Python tool ssh-audit that checks sshd on a TCP socket. Its hardening guide advises including a specific subset of the Diffie-Hellman groups:

KexAlgorithms curve25519-sha256,curve25519-sha256@libssh.org,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512,diffie-hellman-group-exchange-sha256

To validate:

pip install ssh-audit
ssh-audit -l warn -p <port> <hostname>
bbaassssiiee