Re: Creating ssh/moduli

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

 



On Wed, 13 Apr 2022 at 20:49, Keine Eile <keine-eile@xxxxxxxxx> wrote:
>
> Am 13.04.22 um 12:31 schrieb Brian Candler:
> > On 13/04/2022 10:59, Keine Eile wrote:
> >> Q: Hot to make a new ssh/moduli?
> >
> > The ssh-keygen(1) manpage has a whole section under heading "MODULI GENERATION":
> >
> > https://man.openbsd.org/ssh-keygen#MODULI_GENERATION

Also, the script we use to regenerate it is here:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/moduli-gen/moduli-gen.sh?annotate=1.5

Note that it's several days worth cpu time on a single core depending
on the speed of that core.  It could be trivially parallelized, but
since we tend to generate it once per release cycle (~6 months) it's
not been worth doing for us.

> Of cause, this is too obvious. Thank you!
>
> May I suggest to mention 'ssh-keygen -M' in the sshd man page (Files, /etc/ssh/moduli), too.

sshd(8) [0] already refers to moduli(5):

"/etc/moduli - Contains Diffie-Hellman groups used for the
"Diffie-Hellman Group Exchange" key exchange method. The file format
is described in moduli(5)."

which says

"New moduli may be generated with ssh-keygen(1) using a two-step
process. An initial candidate generation pass, using ssh-keygen -G,
calculates numbers that are likely to be useful. A second primality
testing pass, using ssh-keygen -T [...]."

which we should fix, since -T and -G are the old flags that predate
-M.  Once that's fixed I don't think any additions to sshd(8) are
needed.

[0] https://man.openbsd.org/sshd.8
[1] https://man.openbsd.org/moduli.5

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev



[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux