
List:       openssh-unix-dev
Subject:    Re: Openssh, moduli and ssh-keygen
From:       Darren Tucker <dtucker () zip ! com ! au>
Date:       2014-01-24 11:00:49
Message-ID: CALDDTe1Ssb2ttiYqxHT0BX-LX+GqEDODW7ey-WEzJ-v6zQbU5A () mail ! gmail ! com

On Fri, Jan 24, 2014 at 9:21 PM, mailing-list ssh
<lssh.mailing.list@gmail.com> wrote:
> my question is related to the kex algorithm
> diffie-hellman-group-exchange-sha256 and moduli generation. I've seen that
> through ssh-keygen, I'm able to re-generate my moduli file used by DH but
> I'm not sure to understand one point in the ssh-keygen manpage:
> "Screened DH groups may be installed in /etc/ssh/moduli.  It is important
> that this file contains moduli of a range of bit lengths and that both ends
> of a connection share common moduli."
>
> I don't understand why both ends of a connection should share a common
> moduli file?

I think the man page is unclear.

The part about needing a range of sizes is true.  I suspect the part
about "both ends sharing common moduli" is trying to refer to
Diffie-Hellman Group Exchange, which is how the moduli for a
particular SSH session get to the client.

There is no requirement for the server and client to have the same
moduli file, and in fact no requirement for a client to have a moduli
file at all.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
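To illustrate the group-exchange step Darren refers to, here is an added example (not code from this thread or from OpenSSH) of the server side of Diffie-Hellman Group Exchange: it reads moduli-file entries, keeps only those recorded as screened safe primes, and picks a group for the client's requested (min, n, max) bit sizes, which is how a client obtains a group without holding a moduli file of its own. It assumes the field layout documented in moduli(5) and the selection rule of RFC 4419; the sample entries are constructed, tiny safe primes, and the file's size field is ignored in favour of the modulus's own bit length.

```python
"""Choose a DH group-exchange modulus from an OpenSSH-style moduli file."""
from collections import namedtuple

# Field values per moduli(5): type 2 = safe prime; tests bitmask 0x1 = composite,
# 0x2 = sieve, 0x4 = Miller-Rabin. Group.bits is computed from the modulus itself.
TYPE_SAFE_PRIME, TEST_COMPOSITE, TEST_MILLER_RABIN = 2, 0x1, 0x4
Group = namedtuple("Group", "bits generator p")

def parse_moduli(lines):
    """Parse 'time type tests tries size generator modulus' lines, keeping only
    entries recorded as screened safe primes (assumed to mirror sshd's checks)."""
    groups = []
    for line in lines:
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        _time, mtype, tests, _tries, _size, gen, modulus = fields
        tests = int(tests)
        if int(mtype) != TYPE_SAFE_PRIME or tests & TEST_COMPOSITE or not tests & TEST_MILLER_RABIN:
            continue
        p = int(modulus, 16)
        groups.append(Group(p.bit_length(), int(gen), p))
    return groups

def choose_group(groups, min_bits, want_bits, max_bits):
    """RFC 4419 rule for the client's (min, n, max) request: the smallest group of at
    least n bits, else the largest available, considering only groups within [min, max]."""
    usable = [g for g in groups if min_bits <= g.bits <= max_bits]
    if not usable:
        return None  # no acceptable group: the key exchange cannot proceed
    big_enough = [g for g in usable if g.bits >= want_bits]
    if big_enough:
        return min(big_enough, key=lambda g: g.bits)
    return max(usable, key=lambda g: g.bits)

# Constructed sample file: tiny safe primes (23, 47, 719, 1439, 2879, 5807) stand in
# for real 2048-bit and larger entries. The last two lines carry the composite flag
# and an untested type respectively and must be ignored.
SAMPLE_MODULI = """\
# time type tests tries size generator modulus
20140124110049 2 6 100 4 2 17
20140124110049 2 6 100 5 2 2F
20140124110049 2 6 100 9 2 2CF
20140124110049 2 6 100 10 2 59F
20140124110049 2 6 100 11 2 B3F
20140124110049 2 6 100 12 2 16AF
20140124110049 2 7 100 12 2 16AF
20140124110049 0 0 100 12 2 16AF
"""
```

A request of min=8, n=12, max=16 against the sample selects the 12-bit prime 2879, and a request for more bits than any usable entry has falls back to the largest one, 5807.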