Home / server / Questions / 942776
In Process
Kurt Fitzner
Asked: 2018-12-04 23:36:31 +0800 CST

How do you set the session key size in OpenSSH?

  • 772

In version 1 of the SSH protocol, it was possible to set the ephemeral session key size with the ServerKeyBits setting in sshd_config. Is there a way to do this for version 2 of the ssh protocol?

In the SSH protocol there are three encryption keys used:

  1. The server key
  2. The (intermediary) ephemeral session key
  3. The final symmetric cipher key

The intermediary ephemeral session key is an asymmetric cipher key created only for that session. It is created so that when the final symmetric key is passed, it doesn't have to be encrypted with the server key. This is so that if the server key is ever compromised, you can't use it to recover the end symmetric cipher key from previously "recorded" sessions. This is forward secrecy.

The size of the server key is set by the user when the user creates it. The size of the end symmetric cipher is preset by RFC and is inherent in the symmetric cipher that is chosen. The intermediary key, the ephemeral session key, I don't know how to set the size of that key. In version 1 of she SSH protocol you could set it with the ServerKeyBits setting. What is the way to set this in version 2 of the protocol?

It appears that the client specifies the minimum, preferred, and maximum modulus size when diffie-hellman-group-exchange-sha256 is used as the key exchange method. Does this mean removing smaller bit sizes from the server moduli file (as recommended here) will actually prevent small ephemeral key sizes from being used if the client asks for it, or will the server simply used one of its built-in fixed moduli if a broken client only wants a really small one?

ssh

1 Answers

  1. A lot of security improvements were made in the SSH 2 protocol compared to protocol version 1 and I imagine removing that option was one of those.

    As far as I can divine the session key size is somewhat implicitly imposed by the server in the selection of the encryption algorithms offered with the Ciphers directive. The actual session key size will eventually be whatever actual cipher then gets negotiated with between client and server.

    The supported ciphers in OpenSSH are:

                   3des-cbc
               aes128-cbc
               aes192-cbc
               aes256-cbc
               aes128-ctr
               aes192-ctr
               aes256-ctr
               [email protected]
               [email protected]
               arcfour
               arcfour128
               arcfour256
               blowfish-cbc
               cast128-cbc
               [email protected]

    RFC 4253 defines the key sizes asociated with each cipher, although the only ones not immediately obvious from the cipher name are:

    • "3des-cbc" - will be deprecated but is still included for historical reasons - has effective key length of 112 bits
    • plain "arcfour" is RC4 and has problems with weak keys, and should be used with caution - keylength 128 bits (See this Q&A on the difference between "arcfour" and "arcfour128")
    • [email protected] - RFC 7539 has AFAIK also a 256 bit key
    • 2