diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2023-12-18 15:45:17 +0100 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2023-12-18 15:51:11 +0100 |
| commit | 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 (patch) | |
| tree | d1e2e3a301cdfb9fe828e290710faf1a5f273bdd /PROTOCOL | |
| parent | better detection of broken -fzero-call-used-regs (diff) | |
| download | openssh-1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5.tar.xz openssh-1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5.zip | |
upstream: implement "strict key exchange" in ssh and sshd
This adds a protocol extension to improve the integrity of the SSH
transport protocol, particular in and around the initial key exchange
(KEX) phase.
Full details of the extension are in the PROTOCOL file.
with markus@
OpenBSD-Commit-ID: 2a66ac962f0a630d7945fee54004ed9e9c439f14
Diffstat (limited to 'PROTOCOL')
| -rw-r--r-- | PROTOCOL | 28 |
1 files changed, 27 insertions, 1 deletions
@@ -137,6 +137,32 @@ than as a named global or channel request to allow pings with very short packet lengths, which would not be possible with other approaches. +1.9 transport: strict key exchange extension + +OpenSSH supports a number of transport-layer hardening measures under +a "strict KEX" feature. This feature is signalled similarly to the +RFC8308 ext-info feature: by including a additional algorithm in the +initiial SSH2_MSG_KEXINIT kex_algorithms field. The client may append +"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server +may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms +are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored +if they are present in subsequent SSH2_MSG_KEXINIT packets. + +When an endpoint that supports this extension observes this algorithm +name in a peer's KEXINIT packet, it MUST make the following changes to +the the protocol: + +a) During initial KEX, terminate the connection if any unexpected or + out-of-sequence packet is received. This includes terminating the + connection if the first packet received is not SSH2_MSG_KEXINIT. + Unexpected packets for the purpose of strict KEX include messages + that are otherwise valid at any time during the connection such as + SSH2_MSG_DEBUG and SSH2_MSG_IGNORE. +b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the + packet sequence number to zero. This behaviour persists for the + duration of the connection (i.e. not just the first + SSH2_MSG_NEWKEYS). + 2. Connection protocol changes 2.1. connection: Channel write close extension "eow@openssh.com" @@ -745,4 +771,4 @@ master instance and later clients. OpenSSH extends the usual agent protocol. These changes are documented in the PROTOCOL.agent file. -$OpenBSD: PROTOCOL,v 1.49 2023/08/28 03:28:43 djm Exp $ +$OpenBSD: PROTOCOL,v 1.50 2023/12/18 14:45:17 djm Exp $ |