On Thu, May 21, 2015 at 11:26 PM, Matthew Vernon <matthew@xxxxxxxxxx> wrote:
>
> You will be aware of https://weakdh.org/ by now, I presume; the
> take-home seems to be that 1024-bit DH primes might well be too weak.
> I'm wondering what (if anything!) you propose to do about this issue,
> and what Debian might do for our users?

Would you (and any other vendors) consider generating your own moduli file for your distribution? If a few vendors did that it'd increase the diversity quite a lot and it'd stop us (well, specifically me) being the point of failure for not making updates.

I have some scripts to split the screening (the CPU intensive part) up into 1 shard per CPU, which would let the whole process run in about a day on a decent sized machine. If there is any interest I can tidy them up and stick them in contrib/ or something.

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
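
An added example, not part of the original message and not OpenSSH code: a small Python audit of a moduli file in moduli(5) layout that counts DH groups per modulus size and drops those below a chosen floor. The function names, the constructed sample entries and the 2048-bit default floor are assumptions made for illustration.

```python
from collections import Counter

def fake_modulus(bits):
    """Constructed stand-in of the given bit length; NOT a real safe prime."""
    return format((1 << (bits - 1)) | 1, "X")

# Constructed sample in moduli(5) layout:
# timestamp type tests tries size generator modulus
SAMPLE = "\n".join([
    "# Time Type Tests Tries Size Generator Modulus",
    "20150521000000 2 6 100 1023 2 " + fake_modulus(1024),
    "20150521000001 2 6 100 1023 5 " + fake_modulus(1024),
    "20150521000002 2 6 100 2047 2 " + fake_modulus(2048),
    "20150521000003 2 6 100 4095 2 " + fake_modulus(4096),
    "20150521000004 2 6 100 truncated",  # malformed on purpose
]) + "\n"

def parse_moduli(text):
    """Return (bits, line) for each well-formed entry; bits is measured
    from the modulus itself rather than trusted from the size column."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7 or fields[0].startswith("#"):
            continue  # comment, blank or malformed line
        try:
            modulus = int(fields[6], 16)
        except ValueError:
            continue  # modulus column is not hex
        entries.append((modulus.bit_length(), line))
    return entries

def summarize(text):
    """Count usable groups per modulus size in bits."""
    return Counter(bits for bits, _ in parse_moduli(text))

def filter_moduli(text, min_bits=2048):
    """Keep only entries of at least min_bits (2048 is an assumed floor)."""
    kept = [line for bits, line in parse_moduli(text) if bits >= min_bits]
    return "\n".join(kept) + ("\n" if kept else "")

if __name__ == "__main__":
    for bits, count in sorted(summarize(SAMPLE).items()):
        print(f"{bits:5d}-bit groups: {count}")
    print(filter_moduli(SAMPLE), end="")
```

The per-size counts show how many distinct groups remain at each size after filtering, which is the diversity the reply is concerned with.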