On Wed, 13 Apr 2022 at 20:49, Keine Eile <keine-eile@xxxxxxxxx> wrote:
>
> On 13.04.22 at 12:31, Brian Candler wrote:
> > On 13/04/2022 10:59, Keine Eile wrote:
> >> Q: How to make a new ssh/moduli?
> >
> > The ssh-keygen(1) manpage has a whole section under heading "MODULI GENERATION":
> >
> > https://man.openbsd.org/ssh-keygen#MODULI_GENERATION

Also, the script we use to regenerate it is here:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/moduli-gen/moduli-gen.sh?annotate=1.5

Note that it's several days' worth of CPU time on a single core, depending on
the speed of that core. It could be trivially parallelized, but since we tend
to generate it once per release cycle (~6 months) it's not been worth doing
for us.

> Of course, this is too obvious. Thank you!
>
> May I suggest mentioning 'ssh-keygen -M' in the sshd man page (Files,
> /etc/ssh/moduli), too.

sshd(8) [0] already refers to moduli(5):

  "/etc/moduli - Contains Diffie-Hellman groups used for the "Diffie-Hellman
  Group Exchange" key exchange method. The file format is described in
  moduli(5)."

which says

  "New moduli may be generated with ssh-keygen(1) using a two-step process.
  An initial candidate generation pass, using ssh-keygen -G, calculates
  numbers that are likely to be useful. A second primality testing pass,
  using ssh-keygen -T [...]."

which we should fix, since -T and -G are the old flags that predate -M.
Once that's fixed I don't think any additions to sshd(8) are needed.

[0] https://man.openbsd.org/sshd.8
[1] https://man.openbsd.org/moduli.5

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
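The two-step process the thread refers to, with the current `ssh-keygen -M` flags rather than the old `-G`/`-T`, plus the parallelization Darren mentions and a post-check of the result against the moduli(5) line format. This is an added example, not code from the thread or from OpenSSH's moduli-gen.sh; it assumes an ssh-keygen that supports `-M`, and the function names, the chunking scheme and the sample line in the comments are my own.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH's moduli-gen.sh): the
# two-step moduli regeneration via `ssh-keygen -M`, with the slow screening
# step parallelized across cores, plus a sanity check of the result.
# Assumed tools: ssh-keygen with -M (OpenSSH 8.x+), awk, split, mktemp, nproc.
set -eu

# Step 1: candidate generation (`ssh-keygen -M generate`), relatively fast.
gen_candidates() {  # gen_candidates BITS OUTFILE
    ssh-keygen -M generate -O bits="$1" "$2"
}

# Step 2: primality screening (`ssh-keygen -M screen`), the CPU-days part.
# Each candidate is screened independently, so split the file into one
# chunk per core, screen the chunks in the background and concatenate.
screen_parallel() {  # screen_parallel CANDIDATES OUTFILE [JOBS]
    cand=$1 out=$2 jobs=${3:-$(nproc 2>/dev/null || echo 2)}
    tmp=$(mktemp -d)
    lines=$(wc -l < "$cand")
    split -l "$(( (lines + jobs - 1) / jobs ))" "$cand" "$tmp/cand."
    for c in "$tmp"/cand.*; do
        ssh-keygen -M screen -f "$c" "$c.screened" &
    done
    wait
    cat "$tmp"/cand.*.screened > "$out"
    rm -rf "$tmp"
}

# Check a finished file against what sshd's loader accepts (moduli(5) fields:
# time type tests trials size generator modulus): type 2 = safe prime, tests
# bit 0x04 (Miller-Rabin) set and 0x01 (composite) clear, trials > 0, and
# size equal to the modulus bit length minus one. Prints the number of
# usable lines; exits non-zero if any data line fails.
moduli_check() {  # moduli_check FILE
    awk '
    /^#/ || NF == 0 { next }
    NF != 7 { bad++; next }
    {
        type = $2 + 0; tests = $3 + 0; trials = $4 + 0; size = $5 + 0
        mod = $7; n = length(mod)
        nib = index("0123456789abcdef", tolower(substr(mod, 1, 1))) - 1
        hb = 0; while (nib > 0) { hb++; nib = int(nib / 2) }
        bits = 4 * (n - 1) + hb
        ok = (type == 2) && (int(tests / 4) % 2 == 1) && (tests % 2 == 0) &&
             (trials > 0) && (size == bits - 1)
        if (ok) good++; else bad++
    }
    END { print good + 0; exit (bad > 0) }' "$1"
}
```

Typical use is `gen_candidates 2048 moduli-2048.candidates`, then `screen_parallel moduli-2048.candidates moduli-2048`, then `moduli_check moduli-2048` before installing the file; the check only validates the field layout, it does not re-test primality.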