Re: Weak DH primes and openssh

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Thu, May 21, 2015 at 11:26 PM, Matthew Vernon <matthew@xxxxxxxxxx> wrote:
>
> You will be aware of https://weakdh.org/ by now, I presume; the
> take-home seems to be that 1024-bit DH primes might well be too weak.
> I'm wondering what (if anything!) you propose to do about this issue,
> and what Debian might do for our users?


Would you (and any other vendors) consider generating your own moduli file
for your distribution?  If a few vendors did that it'd increase the
diversity quite a lot and it'd stop us (well, specifically me) being the
point of failure for not making updates.

I have some scripts to split the screening (the CPU intensive part) up into
1 shard per CPU, which would let the whole process run in about a day on a
decent sized machine.  If there is any interest I can tidy them up and
stick them in contrib/ or something.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev




[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux