On Fri, 15 Feb 2019 at 13:21, Yegor Ievlev <koops1997@xxxxxxxxx> wrote:
> Also, how are default moduli shipped with OpenSSH for use in
> diffie-hellman-group-exchange-sha1/sha256 chosen? Are they chosen
> randomly by developers or are they chosen for security properties?

A bit of both. They're generated using ssh-keygen(1) in a 2-step process
(look for the -G and -T options). For each group size, candidates are
picked at random and then screened (see
https://github.com/openssh/openssh-portable/blob/master/moduli.c).

> If they are random, why not use moduli from RFC 7919 instead, like
> Mozilla recommends?

Quoting RFC4419 (which predates 7919 by more than a decade):

"""
we fear that extensive precomputation and more efficient algorithms to
compute the discrete logarithm over a fixed group might pose a security
threat to the SSH protocol. The ability to propose new groups will
reduce the incentive to use precomputation for more efficient
calculation of the discrete logarithm. The server can constantly
compute new groups in the background.
"""

Using a small, fixed set of groups shared with another protocol would be
counter to this goal (see also: LogJam and the Oakley groups).

You're welcome to replace your file with the ones from RFC7919, though.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
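Added example, not part of the message above and not OpenSSH's own code: a small Python model of the "pick at random, then screen" process the reply describes. It parses records in the moduli(5) layout (time, type, tests, trials, size, generator, modulus in hex), checks that each modulus p is a safe prime (p = 2q + 1 with q prime) and that the generator is a quadratic non-residue mod p, which for a safe prime is exactly the condition that g generates the whole group. This is the property moduli.c's generator residue tests are intended to ensure; the check here is the general Euler-criterion form rather than OpenSSH's per-generator residue rules. The sample records are constructed with toy-sized primes, the size field is not checked, and the candidate generator skips the sieving that ssh-keygen -G performs, so the file-format and screening behaviour is illustrative, not a replacement for ssh-keygen -T.

```python
"""Toy model of OpenSSH's two-step moduli process: random candidates, then screening.

Assumptions (example code, not OpenSSH's): records follow the moduli(5) layout
  time type tests trials size generator modulus
with the modulus in hex; primality is probabilistic (Miller-Rabin), as in the
real screening step. The size field is not validated.
"""
from __future__ import annotations

import random

SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin with trial division first. Bases come from a fixed seed so
    runs are reproducible; a real screener should draw bases unpredictably so
    an adversarially chosen composite cannot be tuned to the bases."""
    if n < 2:
        return False
    for sp in SMALL_PRIMES:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    rng = random.Random(0xC0FFEE)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def screen_modulus(p: int, g: int) -> list[str]:
    """Step 2 (cf. ssh-keygen -T): return screening failures; [] means acceptable."""
    problems: list[str] = []
    if p % 2 == 0 or not is_probable_prime(p):
        problems.append("p is not prime")
        return problems
    q = (p - 1) // 2
    if not is_probable_prime(q):
        problems.append("p is not a safe prime: (p-1)/2 is composite")
    if not 2 <= g <= p - 2:
        problems.append("generator out of range")
    elif pow(g, q, p) != p - 1:
        # Euler's criterion: g^((p-1)/2) == -1 mod p iff g is a quadratic
        # non-residue. For a safe prime that means ord(g) = p - 1, i.e. g
        # generates all of Z_p^* rather than only the order-q subgroup.
        problems.append("generator is a quadratic residue (order q, not p-1)")
    return problems


def parse_moduli_line(line: str) -> dict:
    """Parse one moduli(5) record into its fields (modulus decoded from hex)."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    time_, type_, tests, trials, size, gen, mod = fields
    return {"time": time_, "type": int(type_), "tests": int(tests),
            "trials": int(trials), "size": int(size),
            "generator": int(gen), "modulus": int(mod, 16)}


def screen_file(text: str) -> dict[int, list[str]]:
    """Screen every non-comment record; keys are 1-based line numbers."""
    results: dict[int, list[str]] = {}
    for n, line in enumerate(text.splitlines(), start=1):
        if not line.strip() or line.startswith("#"):
            continue
        rec = parse_moduli_line(line)
        problems = screen_modulus(rec["modulus"], rec["generator"])
        if rec["type"] != 2:          # type 2 = safe prime in moduli(5)
            problems.append(f"type {rec['type']} is not 2 (safe prime)")
        results[n] = problems
    return results


def generate_candidate(bits: int, g: int, rng: random.Random) -> int:
    """Step 1 (cf. ssh-keygen -G, minus the sieve): draw random odd q of
    bits-1 bits and return the first p = 2q + 1 that survives screening."""
    while True:
        q = rng.getrandbits(bits - 1) | (1 << (bits - 2)) | 1
        p = 2 * q + 1
        if not screen_modulus(p, g):
            return p


# Constructed sample records (toy primes so the arithmetic is hand-checkable):
# line 3: p=0x17=23, g=5 -> acceptable; line 4: p=23, g=2 -> 2 is a residue;
# line 5: p=0x21=33 composite; line 6: p=0xD=13 prime but (p-1)/2=6 composite.
SAMPLE = """\
# time type tests trials size generator modulus
# constructed toy records; shipped files use primes of 2047 bits and up
20190215132100 2 6 100 5 5 17
20190215132100 2 6 100 5 2 17
20190215132100 2 6 100 6 2 21
20190215132100 2 6 100 4 2 D
"""

if __name__ == "__main__":
    for lineno, probs in screen_file(SAMPLE).items():
        print(lineno, "OK" if not probs else "; ".join(probs))
    p = generate_candidate(64, 2, random.Random(1))
    print(f"fresh 64-bit group: p={p:#x} g=2 ->", screen_modulus(p, 2) or "OK")
```

Running it prints one verdict per sample record and then a freshly generated 64-bit safe-prime group; only the bit size and the missing sieve separate this toy loop from what the shipped moduli file went through.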