On Fri, 2019-02-15 at 15:57 +1100, Darren Tucker wrote:
> That was the original intent (and it's mentioned in RFC4419) however
> each moduli file we ship (70-80 instances of 6 sizes) takes about 1
> cpu-month to generate on a lowish-power x86-64 machine. Most of it is
> parallelizable, but even then it'd likely take a few hours to generate
> one of each size. I imagine that'd cause some complaints about
> startup time.

One way of handling this, at least if the moduli generation was nicely
interruptible, is that distros ship a file, e.g. /etc/ssh/moduli.dist, but
by some means (init script, systemd unit, maybe even sshd itself) a daemon
that does calculation of new moduli values is started whenever
/etc/ssh/moduli (no ".dist") isn't found.

Since some systems (workstations, notebooks) may shut down frequently, this
would need to be interruptible and resumable... e.g. on SIGINT/HUP that
calculation service would write to /var/lib/ssh/moduli.tmp or whatever.

With new config options, distros/admins could even pre-set which and how
many groups are calculated.

Cheers,
Chris.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
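A sketch of the interruptible, resumable calculation service proposed in the message above, as an added example (not code from the thread and not OpenSSH project code). It assumes an ssh-keygen(1) with the "-M generate" / "-M screen" interface and the "-O checkpoint=FILE" screening option, under which ssh-keygen records the last screened candidate line in FILE and skips past it when restarted; the paths (/etc/ssh/moduli, /var/lib/ssh/moduli.tmp), the default bit sizes, the state-file names and the script name are assumptions of this example.

```shell
#!/bin/sh
# moduli-gen.sh: build /etc/ssh/moduli in the background, resumably.
# Added example for this thread, not OpenSSH project code. Assumes an
# ssh-keygen(1) with "-M generate" / "-M screen" and "-O checkpoint=FILE"
# (ssh-keygen writes the last screened candidate line to FILE and resumes
# after it on restart). Paths follow the message's proposal; all of them
# can be overridden via the environment.
set -u

MODULI_FILE="${MODULI_FILE:-/etc/ssh/moduli}"
STATE_DIR="${STATE_DIR:-/var/lib/ssh}"
MODULI_TMP="${MODULI_TMP:-$STATE_DIR/moduli.tmp}"  # screened groups accumulate here
MODULI_BITS="${MODULI_BITS:-2048 3072 4096}"       # sizes to generate (assumed defaults)
SSH_KEYGEN="${SSH_KEYGEN:-ssh-keygen}"

# 0 when no generated moduli file exists yet: the condition under which the
# message proposes starting the calculation service.
need_generation() { [ ! -e "$MODULI_FILE" ]; }

# Per-size state files (names are this example's choice).
cand_file() { printf '%s/moduli-%s.candidates\n' "$STATE_DIR" "$1"; }
ckpt_file() { printf '%s/moduli-%s.checkpoint\n' "$STATE_DIR" "$1"; }
done_file() { printf '%s/moduli-%s.done\n' "$STATE_DIR" "$1"; }

# Candidate line at which screening of this size will resume; 0 if fresh.
# The checkpoint file is a single decimal line written by ssh-keygen.
resume_line() {
    f=$(ckpt_file "$1")
    n=""
    [ -r "$f" ] && n=$(tr -dc '0-9' < "$f")
    printf '%s\n' "${n:-0}"
}

# Generate candidates (once) and screen one size. A run killed by
# SIGINT/SIGHUP/SIGTERM at shutdown leaves the checkpoint behind, so the
# next run continues where this one stopped instead of starting over.
screen_size() {
    bits=$1
    cand=$(cand_file "$bits")
    ckpt=$(ckpt_file "$bits")
    if [ ! -s "$cand" ]; then
        "$SSH_KEYGEN" -M generate -O bits="$bits" "$cand" || return 1
    fi
    echo "screening $bits-bit candidates from line $(resume_line "$bits")" >&2
    # With no output file ssh-keygen prints screened moduli on stdout
    # (assumption); appending ourselves keeps earlier partial results.
    "$SSH_KEYGEN" -M screen -f "$cand" -O checkpoint="$ckpt" >> "$MODULI_TMP" || return 1
    : > "$(done_file "$bits")"
    rm -f "$cand" "$ckpt"
}

# Publish the finished file with a rename in the target directory, so sshd
# never observes a half-written /etc/ssh/moduli.
install_moduli() {
    [ -s "$MODULI_TMP" ] || return 1
    cp "$MODULI_TMP" "$MODULI_FILE.new" || return 1
    mv "$MODULI_FILE.new" "$MODULI_FILE" || return 1
    rm -f "$MODULI_TMP" "$STATE_DIR"/moduli-*.done
}

main() {
    need_generation || exit 0
    mkdir -p "$STATE_DIR" || exit 1
    # On a shutdown signal ssh-keygen dies with us; the checkpoint survives.
    trap 'echo "moduli generation interrupted, will resume on next start" >&2; exit 1' INT HUP TERM
    for bits in $MODULI_BITS; do
        [ -e "$(done_file "$bits")" ] && continue
        screen_size "$bits" || exit 1
    done
    install_moduli
}

# Run only when invoked under the assumed script name, not when sourced.
case "${0##*/}" in moduli-gen.sh) main "$@" ;; esac
```

Hooked up as a systemd unit with a `ConditionPathExists=!/etc/ssh/moduli` line and a low priority (`Nice=19`), the service runs once per boot until the file exists and does nothing afterwards; the piece the message leaves open, sshd falling back to moduli.dist while /etc/ssh/moduli is still absent, would have to be handled by sshd or by the distro's packaging, not by this script.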