[GTALUG] dh key exchange question.

Karen Lewellen klewellen at shellworld.net
Tue Oct 2 17:52:39 EDT 2018


Hi,
  Your tag line gave me the giggles!
Here at shellworld, while using the latest Ubuntu, they addressed the
problem security-wise by moving our
port, in addition to allowing this key to remain.
Still, indeed, when asked, Dreamhost said no; I am not their only customer,
to be sure.
When seeking an alternative I came across a service called Eskimo.
They incorporate more than one Linux distribution; I could, say, use CentOS 6
but not CentOS 7, or Scientific 6 but not, say, Mint.
That gave me hope that if I kept hunting I would find a company who either
allowed for a different ssh port, since that works here at shellworld and
one other test, or that I might find a back door in.
The Dreamhost door being closed means no sftp of files and things either.
Thanks for the great wisdom though. Bell just started screaming at the
word Linux so I did not get far. Add that I got some W3C information
indicating Bell had blocked port 22, and I stayed hopeful.
Thanks again,
Karen


On Tue, 2 Oct 2018, Christopher Browne wrote:

> On Tue, 2 Oct 2018 at 16:30, Karen Lewellen via talk <talk at gtalug.org> wrote:
>> Hi Mike,
>> Thanks for that information.
>> I would feel better though if the same problem was not happening
>> practically everywhere else.
>> I can check my list, I believe, but imagine it will take someone skilled
>> in compiling to update anything.
>> Meaning I will need to either find that skill, or move our office hosting
>> services somewhere equal to dreamhost but less paranoid.
>> Thanks again,
>
> Unfortunately, I suspect that "less paranoid" isn't the right answer.
>
> Older algorithms (and variants) are being deprecated because weaknesses
> have been found in them.
>
> In this particular case, the "group 1" Diffie-Hellman algorithm was discovered
> to have a vulnerability to a particular class of attacks called "Logjam".
> https://weakdh.org/
> That web site points to some of the research work from 2015.
>
> OpenSSH documentation references this:
> https://www.openssh.com/legacy.html
>
> They describe the opposite scenario to what you are experiencing; they
> indicate the situation where a server is willing to accept
> diffie-hellman-group1-sha1, where the client, being on a newer version
> of OpenSSH, refuses to offer that.  If that was the situation you were
> experiencing, you could change the configuration of your SSH client to
> accept lower-grade forms of encryption.
>
> Unfortunately, for your purposes, it appears likely that what has
> happened is that dreamhost has upgraded to a more recent version of
> OpenSSH, and has taken the recommendation by the developers that
> deprecated algorithms should not be accepted.  In principle, dreamhost
> could change their OpenSSH configuration to accept use of
> diffie-hellman-group1-sha1, but I expect that they would be reluctant
> to do this.
>
> I work in an area where we have a lot of Java-based applications; we
> wind up having regular efforts to ensure that applications are ported
> to newer versions of Java for much the same reason, because the older
> crypto algorithms supported by SSL libraries are being deprecated
> because weaknesses have been found.  It's not good enough to suppress
> paranoia; organizations that ignore the weaknesses wind up getting
> bitten by attackers that use these weaknesses to steal data, often
> including users' passwords.  It's really no fun to need to announce
> that all the customers need to change their passwords because they
> have gotten stolen.
>
> I appreciate that it may be challenging to keep up with the
> cryptographic "arms race"; unfortunately, the world is a sufficiently
> hostile place that there seems to be no way around this.  You need to
> be prepared to update your ssh keys often enough to keep up with
> changes in SSH.
>
> Feel sorry for those using SSL for web server applications; Giles Orr
> did a talk a few months back that made it clear that keeping up with
> crypto changes is a messy and thankless task.
> -- 
> When confronted by a difficult problem, solve it by reducing it to the
> question, "How would the Lone Ranger handle this?"
>
>
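
The two mismatch scenarios described in the quoted reply, modelled as an added example that is not part of the original messages. It follows the key-exchange selection rule of RFC 4253 section 7.1 in simplified form; the function names, outcome labels and algorithm lists are constructed for illustration and do not come from any host mentioned in the thread.

```python
# Added example: simplified SSH key-exchange (KEX) selection per RFC 4253, 7.1.
# It ignores the host-key compatibility requirements that the RFC also imposes.

WEAK_KEX = {"diffie-hellman-group1-sha1"}  # the algorithm named in the thread

# Constructed sample lists (assumptions, not captured from real hosts).
OLD_CLIENT = ["diffie-hellman-group1-sha1"]
LEGACY_SERVER = ["diffie-hellman-group1-sha1"]
MODERN_CLIENT = ["curve25519-sha256", "diffie-hellman-group14-sha256"]
MODERN_SERVER = ["curve25519-sha256", "diffie-hellman-group14-sha256"]


def negotiate_kex(client_algs, server_algs):
    """Return the first algorithm on the client's list that the server
    also supports, or None when the two lists share nothing."""
    server = set(server_algs)
    for alg in client_algs:
        if alg in server:
            return alg
    return None


def diagnose(client_algs, server_algs):
    """Classify a negotiation as (outcome, chosen_algorithm)."""
    chosen = negotiate_kex(client_algs, server_algs)
    if chosen is not None:
        # A connection is possible; flag it if it rests on a deprecated group.
        return ("weak" if chosen in WEAK_KEX else "ok", chosen)
    client_only_weak = set(client_algs) <= WEAK_KEX
    server_only_weak = set(server_algs) <= WEAK_KEX
    if client_only_weak and not server_only_weak:
        # Server has dropped the deprecated algorithm; the client must be updated.
        return ("client-too-old", None)
    if server_only_weak and not client_only_weak:
        # The case the OpenSSH legacy page covers: a newer client refuses group1.
        return ("server-too-old", None)
    return ("no-common-algorithm", None)


if __name__ == "__main__":
    for name, c, s in [("old client, modern server", OLD_CLIENT, MODERN_SERVER),
                       ("modern client, legacy server", MODERN_CLIENT, LEGACY_SERVER),
                       ("both modern", MODERN_CLIENT, MODERN_SERVER),
                       ("both legacy", OLD_CLIENT, LEGACY_SERVER)]:
        print(f"{name}: {diagnose(c, s)}")
```
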

