Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add the strict key exchange extension #103

Open
darses opened this issue Feb 15, 2024 · 2 comments
Open

Add the strict key exchange extension #103

darses opened this issue Feb 15, 2024 · 2 comments

Comments

@darses
Copy link

darses commented Feb 15, 2024

After the Terrapin attack a two new SSH Extensions were introduced: kex-strict-c-v00@openssh.com (Client) and kex-strict-s-v00@openssh.com (Server).

This is a feature request to add these extensions to the comparison.

I will quote the OpenSSH PROTOCOL page for more information:

1.10 transport: strict key exchange extension

OpenSSH supports a number of transport-layer hardening measures under
a "strict KEX" feature. This feature is signalled similarly to the
RFC8308 ext-info feature: by including a additional algorithm in the
initial SSH2_MSG_KEXINIT kex_algorithms field. The client may append
"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server
may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms
are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored
if they are present in subsequent SSH2_MSG_KEXINIT packets.

@fingolfin
Copy link
Owner

fingolfin commented Feb 19, 2024

I'd be happy to merge a PR adding this.

Anyone who would like to work on this should probably start by editing https://github.com/fingolfin/ssh-comparison/blob/gh-pages/_data/specs.yml

But then of course the entries for clients supporting it (presumably at least OpenSSH) should be updated to reflect that, by editing their entries in https://github.com/fingolfin/ssh-comparison/tree/gh-pages/_impls

@darses
Copy link
Author

darses commented Feb 21, 2024

I am working on a PR, primarily based on the patches page on the Terrapin website.

At this moment my proposal is to add both client and server extensions, despite all implementations implementing either both or none.

Furthermore, I do not intend to list support for unreleased versions such as the support in Dropbear.

Please let me know if these are points that I need to reconsider while I draft a PR.

@darses darses mentioned this issue Feb 21, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants