Group Size Enumeration of diffie-hellman-group-exchange-sha1 and diffie-hellman-group-exchange-sha256
I’ve encountered an SSH server where the Diffie-Hellman group size used by the key exchange algorithm diffie-hellman-group-exchange-sha256 is hardcoded and cannot be seen or configured by an administrator.
My plan was to use ssh-audit to scan the server and find out more information about the supported group size(s) but then I realised that ssh-audit only returns the minimum value.
I studied RFC 4419, which explains how the client requests a modulus from the server by specifying a minimum, a preferred and a maximum value (expressed in bits). The send_init_gex function in ssh-audit has been implemented as per the explanation in RFC 4419; it accepts minbits, prefbits and maxbits.
I was able to modify gextest.py to invoke send_init_gex with minbits, prefbits and maxbits of the same value from 0 to 8192. This gave me the answer I was looking for; it showed that the server was configured with group sizes of 1024, 2048, 3072, 4096 and 6144. Using this information I can now contact the manufacturer of the SSH server software and ask if they will consider removing 1024.
@jtesta What do you think about adding group size enumeration as a feature to ssh-audit? I could submit my patch as a draft for you to review?
Enumerating every value from 0 to 8192 is a slow process because it has to make a new connection to the target server each time. In my case this was not a problem because I ran the patched version of ssh-audit on the SSH server itself. However, if someone were to attempt this over a network it may cause a firewall’s rate control to be triggered resulting in requests being blocked. So we’d probably need to mention this as a potential caveat in the documentation.
Issue Analytics
- Created 2 years ago
- Comments:26 (25 by maintainers)
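The probing loop described in the issue above, as an added example (not part of the original issue and not ssh-audit's code): it builds the RFC 4419 SSH_MSG_KEX_DH_GEX_REQUEST payload with min = preferred = max, parses the SSH_MSG_KEX_DH_GEX_GROUP reply, and records the bit length of the modulus actually returned rather than the size requested. The `exchange` callback, `fake_server` and its placeholder moduli are constructed stand-ins so the code runs offline; a real probe would replace `exchange` with one SSH connection per request.

```python
import struct

SSH_MSG_KEX_DH_GEX_GROUP = 31    # RFC 4419 message numbers
SSH_MSG_KEX_DH_GEX_REQUEST = 34

def build_gex_request(minbits, prefbits, maxbits):
    """Payload of SSH_MSG_KEX_DH_GEX_REQUEST: byte 34 plus three uint32 values."""
    return struct.pack(">BIII", SSH_MSG_KEX_DH_GEX_REQUEST, minbits, prefbits, maxbits)

def encode_mpint(n):
    """RFC 4251 mpint for a positive integer (used only to build sample replies)."""
    raw = n.to_bytes(n.bit_length() // 8 + 1, "big")  # keeps the sign bit clear
    return struct.pack(">I", len(raw)) + raw

def parse_gex_group(payload):
    """Return (p, g) from an SSH_MSG_KEX_DH_GEX_GROUP payload."""
    if not payload or payload[0] != SSH_MSG_KEX_DH_GEX_GROUP:
        raise ValueError("not an SSH_MSG_KEX_DH_GEX_GROUP message")
    values, off = [], 1
    for _ in range(2):  # two mpints: modulus p, then generator g
        if off + 4 > len(payload):
            raise ValueError("truncated mpint length")
        (length,) = struct.unpack_from(">I", payload, off)
        off += 4
        if off + length > len(payload):
            raise ValueError("truncated mpint body")
        values.append(int.from_bytes(payload[off:off + length], "big"))
        off += length
    return values[0], values[1]

def enumerate_group_sizes(exchange, candidates):
    """Probe each candidate size; exchange(request) returns a reply payload or None."""
    sizes = set()
    for bits in candidates:
        reply = exchange(build_gex_request(bits, bits, bits))
        if reply is None:  # server refused the request or closed the connection
            continue
        p, _g = parse_gex_group(reply)
        sizes.add(p.bit_length())  # trust the returned modulus, not the request
    return sorted(sizes)

def fake_server(sizes):
    """Constructed stand-in: smallest group >= requested, else the largest known."""
    def exchange(request):
        _msg, _min, pref, _max = struct.unpack(">BIII", request)
        chosen = min((s for s in sizes if s >= pref), default=max(sizes))
        p = (1 << (chosen - 1)) | 1  # placeholder of the right length, not a prime
        return bytes([SSH_MSG_KEX_DH_GEX_GROUP]) + encode_mpint(p) + encode_mpint(2)
    return exchange
```

Because the result is taken from the modulus the server sends back, a server that answers an out-of-range request with its nearest group is still counted correctly.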
Top GitHub Comments
Thanks again for all your work!
Thanks for updating the README with #135.