On Fri, 15 Feb 2019, Darren Tucker wrote:
On Fri, 15 Feb 2019 at 14:22, Yegor Ievlev <koops1997@xxxxxxxxx> wrote:
I'm not nearly knowledgeable enough in crypto to fully understand your
answer, but I will try. I wonder why moduli are not automatically
generated the first time sshd is started though. That would make much
more sense than shipping a default moduli file but also asking
everyone to replace it with their own.
That was the original intent (and it's mentioned in RFC4419) however
each moduli file we ship (70-80 instances of 6 sizes) takes about 1
cpu-month to generate on a lowish-power x86-64 machine. Most of it is
parallelizable, but even then it'd likely take a few hours to generate
one of each size. I imagine that'd cause some complaints about
startup time.
is there a document somewhere that gives simple instructions on how to do this
(as opposed to digging them out of a large RFC that covers lots of other stuff)
ideally a simple script that could be run.
Can this be something that is set to run in the background (heavily niced) and
then switch in when completed? or would that cause grief with existing keys in
use?
David Lang
With those caveats, you are also welcome to add the appropriate
ssh-keygen commands to your startup scripts.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev