Re: Can we disable diffie-hellman-group-exchange-sha1 by default?

On Fri, 2019-02-15 at 15:57 +1100, Darren Tucker wrote:
> That was the original intent (and it's mentioned in RFC4419) however
> each moduli file we ship (70-80 instances of 6 sizes) takes about 1
> cpu-month to generate on a lowish-power x86-64 machine. Most of it is
> parallelizable, but even then it'd likely take a few hours to generate
> one of each size. I imagine that'd cause some complaints about
> startup time.

One way of handling this, at least if the moduli generation was nicely
interruptible, is that distros ship a file, e.g. /etc/ssh/moduli.dist,
but by some means (init script, systemd unit, maybe even sshd itself) a
daemon that does calculation of new moduli values is started whenever
/etc/ssh/moduli (no ".dist") isn't found.

Since some systems (workstations, notebooks) may shut down frequently,
this would need to be interruptible and resumable... e.g. on SIGINT/HUP
that calculation service would write to /var/lib/ssh/moduli.tmp or
whatever.


With new config options, distros/admin could even pre-set which and how
many groups are calculated.


Cheers,
Chris.
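The interruptible, resumable generator sketched in the message above, written out as an added example (not OpenSSH's code, not any distro's unit file). It relies on a real ssh-keygen feature: when screening candidates with -T, the -K option writes the last processed candidate line to a checkpoint file and a restarted run skips those lines and appends to the same output, so a SIGINT/HUP mid-screen loses at most one candidate's worth of work. Assumptions: the -G/-T/-K spelling of the moduli commands (the one in use when the post was written; later OpenSSH releases moved these under ssh-keygen -M generate / -M screen), the size list, and the /var/lib/ssh/moduli-work and /etc/ssh/moduli paths, which a distro would set to taste.

```shell
#!/bin/sh
# Resumable DH moduli generation in the shape the post sketches.
# Added example, not OpenSSH's or a distro's code.  Assumed: ssh-keygen
# with the -G/-T/-K interface, the paths below, and the size list.
set -eu

MODULI_SIZES="${MODULI_SIZES:-2048 3072 4096 6144 7680 8192}"   # assumed
WORK="${MODULI_WORK:-/var/lib/ssh/moduli-work}"                # assumed
DEST="${MODULI_DEST:-/etc/ssh/moduli}"                         # assumed

# Count usable entries in a moduli-format file: non-comment lines with the
# seven fields "time type tests trials size generator modulus".
count_moduli() {
    [ -f "$1" ] || { echo 0; return 0; }
    awk '!/^#/ && NF == 7 { n++ } END { print n + 0 }' "$1"
}

# Sizes that do not yet have a finished, screened file in $WORK.
pending_sizes() {
    for s in $MODULI_SIZES; do
        [ -f "$WORK/$s.done" ] || printf '%s\n' "$s"
    done
}

# Generate candidates and screen them for one size.  -K records the last
# candidate line processed; a re-run after SIGINT/SIGHUP skips the lines
# already screened and appends new results to the same output file, which
# is the interruptible/resumable behaviour without a custom tmp format.
screen_size() {
    s=$1
    cand="$WORK/$s.candidates"
    out="$WORK/$s.screened"
    # Sieving candidates is minutes, not weeks; just redo it if missing.
    [ -s "$cand" ] || ssh-keygen -q -G "$cand" -b "$s"
    ssh-keygen -q -T "$out" -f "$cand" -K "$WORK/$s.checkpoint"
    mv "$out" "$WORK/$s.done"
}

# Assemble all finished sizes into $DEST atomically: sshd reads the moduli
# file at each DH group exchange, so it must never see a half-written one.
install_moduli() {
    tmp="$DEST.tmp"
    : > "$tmp"
    for s in $MODULI_SIZES; do
        cat "$WORK/$s.done" >> "$tmp"
    done
    chmod 0644 "$tmp"
    mv "$tmp" "$DEST"
}

main() {
    # Trigger from the post: only work when no site-specific file exists.
    if [ -e "$DEST" ]; then
        return 0
    fi
    mkdir -p "$WORK"
    trap 'exit 130' INT HUP TERM   # checkpoint is already on disk; just stop
    for s in $(pending_sizes); do
        screen_size "$s"
    done
    install_moduli
}

# Invoked as "moduli-gen.sh run" from an init script or a systemd unit;
# sourcing the file only defines the functions.
if [ "${1:-}" = run ]; then
    main
fi
```

Each size gets its own candidate, checkpoint and finished file, so a machine that is shut down every evening makes progress across reboots and the sizes can also be farmed out to separate jobs. The install step is the only one that touches /etc/ssh/moduli, and it does so with a rename, which is what keeps a concurrently running sshd from reading a truncated file.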

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


