IETF-SSH archive


Re: diffie-hellman-group14-sha256 vs ssh-rsa and SHA-1



Mouse <mouse%Rodents-Montreal.ORG@localhost> writes:

>Well, if all you want is one that ignores the REQUIREDs, github.com will do;

Either OpenSSH in general, or some widely-used configuration of OpenSSH, does
this out of the box; the version check I've got is >= 7.1, so there are already
plenty of sites to test that with.  The code comment I've got for the version
check is:

  Doesn't support MTI encryption algorithms as of 7.4 or 7.6 (the release
  notes are vague on when they were removed from client vs. server, in some
  cases it's been seen as early as 7.1).

>(I'm told it's "a vanilla Ubuntu 20.04 server instance".  I find it
>depressing that Ubuntu apparently ships with sshd ignoring those REQUIREDs -
>and also depressing that it only barely surprises me.)

Looking at the handshake, there's a solid 1kB pile of non-MTI algorithmic
fashion statements, and indeed no way to connect via the MTI algorithms.
However:

  Enabling workaround for OpenSSH no-MTI cipher bug.

So with a bug workaround for nonstandard implementations you can connect OK; I
get:

Final accepted suite: diffie-hellman-group-exchange-sha256.
Final accepted suite: rsa-sha2-256.
Final accepted suite: aes128-ctr.
Final accepted suite: hmac-sha2-256.

>The signature check is failing with a disagreement in the low 160 bits of the
>result.  This strikes me as suspicious, because that's the size of a SHA-1
>result.  On code examination, it turns out this is because the host key in
>question is an ssh-rsa key and ssh-rsa is defined to use SHA-1.  I don't
>offhand see anything that calls for changing this, but I could easily have
>missed something; is it correct to continue to use SHA-1 there even when
>using a -sha256 or -sha512 kex method?

I'm getting SHA2 everywhere (see above); how are you getting SHA1?

Peter.
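The negotiation the thread is circling, as an added example that is not part of the post: RFC 4253 picks, per category, the first name on the client's list that the server also offers, and the hash used to verify the host-key signature follows from the negotiated host-key algorithm (ssh-rsa means SHA-1, rsa-sha2-256 means SHA-256), not from the kex method. The server name-lists below are constructed for illustration, not captured from any real host.

```python
from typing import Dict, List, Optional

# Hash the host-key signature uses is fixed by the signature algorithm name:
# RFC 4253 s6.6 ties ssh-rsa to SHA-1, RFC 8332 defines rsa-sha2-256/-512.
# The kex method's hash (the -sha256 in diffie-hellman-group-exchange-sha256)
# plays no part in it.
SIG_HASH = {"ssh-rsa": "sha1", "rsa-sha2-256": "sha256", "rsa-sha2-512": "sha512"}

# Algorithms RFC 4253 marks REQUIRED (mandatory to implement), per category.
MTI = {"kex": "diffie-hellman-group1-sha1", "hostkey": "ssh-dss",
       "cipher": "3des-cbc", "mac": "hmac-sha1"}

# Constructed server KEXINIT name-lists (not a capture): no REQUIRED algorithm
# is offered, the situation the thread describes.
SERVER = {
    "kex": "curve25519-sha256,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256",
    "hostkey": "rsa-sha2-512,rsa-sha2-256,ssh-rsa,ssh-ed25519",
    "cipher": "chacha20-poly1305@openssh.com,aes128-ctr,aes256-gcm@openssh.com",
    "mac": "hmac-sha2-256,hmac-sha2-512",
}

def name_list(s: str) -> List[str]:
    """Split an SSH name-list (RFC 4251 s5); an empty string yields []."""
    return [n for n in s.split(",") if n]

def negotiate(client: str, server: str) -> Optional[str]:
    """RFC 4253 s7.1: the first name on the client's list that the server also
    offers wins (the kex/host-key capability cross-checks are omitted here)."""
    offered = set(name_list(server))
    return next((n for n in name_list(client) if n in offered), None)

def signature_hash(hostkey_alg: Optional[str]) -> str:
    """Hash the client must use when checking the host-key signature."""
    return SIG_HASH.get(hostkey_alg or "", "unknown")

def missing_mti(server: Dict[str, str]) -> List[str]:
    """REQUIRED algorithms the server does not offer at all."""
    return [alg for cat, alg in MTI.items() if alg not in name_list(server[cat])]

if __name__ == "__main__":
    # Same server, two client preference orders: only the host-key order differs.
    for label, hostkeys in (("client preferring ssh-rsa", "ssh-rsa,rsa-sha2-256"),
                            ("client preferring rsa-sha2-256", "rsa-sha2-256,ssh-rsa")):
        client = {"kex": "diffie-hellman-group-exchange-sha256", "hostkey": hostkeys,
                  "cipher": "aes128-ctr", "mac": "hmac-sha2-256"}
        chosen = {cat: negotiate(client[cat], SERVER[cat]) for cat in client}
        print(label, chosen, "-> signature hash:", signature_hash(chosen["hostkey"]))
    print("REQUIRED algorithms absent from server:", missing_mti(SERVER))
```

A client that lists ssh-rsa first gets SHA-1 signatures from the same server that gives a client listing rsa-sha2-256 first SHA-256 ones, regardless of the -sha256 kex method both negotiate.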
