Updated moduli file in OpenSSH 3.8

Damien Miller djm at mindrot.org
Wed Feb 25 10:22:56 EST 2004


Moulding, Dan wrote:

> Hi,
>  
> Can anybody briefly explain the significance of the updated moduli file?
> Is this a critical update? Should all existing installations update
> their moduli file?

The purpose of the group-exchange KEX method is to make cryptographic
attacks against well-known DH groups impractical, by providing a
diversity of moduli. Obviously this works best if the moduli are
recycled every now and then. So, the update isn't critical, but it is
recommended.

Note that recent versions of ssh-keygen allow you to generate moduli for
yourself. Have a look at the "MODULI GENERATION" section of the
ssh-keygen manpage for details on how to do this.

Note that you will need to generate a range of group sizes for this to
be effective. I'd recommend that you base these on the sizes of the
shipped moduli file. Beware - the generation process is quite slow and
CPU/memory intensive.

-d
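Added example, not part of the original post or of OpenSSH: a shell sketch that reads a file in moduli(5) layout, counts the screened safe-prime groups per size, and prints the generate and screen commands for each size, following the advice above to base new moduli on the sizes in the shipped file. The function names and the sample entries are assumptions constructed here (the hex values are dummies, not primes); the `-G`/`-T` flags are those of ssh-keygen releases from this era, and releases from 8.2 on use `-M generate` and `-M screen` instead.

```shell
#!/bin/sh
# moduli(5) fields: time type tests tries size generator modulus(hex)

# Constructed sample input; the moduli are dummy hex strings, not real primes.
sample_moduli() {
cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20040225000000 2 6 100 1023 2 DEADBEEF01
20040225000001 2 6 100 1023 5 DEADBEEF02
20040225000002 2 6 100 1535 2 DEADBEEF03
20040225000003 2 6 100 2047 2 DEADBEEF04
20040225000004 4 2 0 2047 2 DEADBEEF05
EOF
}

# Print "<bits> <count>" for each group size, smallest first.
# Only type 2 (safe prime) entries are counted; type 4 lines are
# unscreened candidates. The size field holds bits - 1, so add 1 back.
moduli_sizes() {
    awk '!/^#/ && NF == 7 && $2 == 2 { n[$5 + 1]++ }
         END { for (b in n) print b, n[b] }' "$@" | sort -n
}

# Print (do not run) the two-step generation commands for each size found.
# Running them is slow and CPU/memory intensive, so review the plan first.
moduli_plan() {
    moduli_sizes "$@" | while read -r bits count; do
        echo "ssh-keygen -G moduli-$bits.candidates -b $bits"
        echo "ssh-keygen -T moduli-$bits -f moduli-$bits.candidates"
    done
}

# Stand-alone run on the constructed sample.
sample_moduli | moduli_plan
```

To plan from an installed file instead of the sample, pass its path as an argument, for example `moduli_sizes /etc/ssh/moduli` (the path is an assumption; it varies by installation).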




More information about the openssh-unix-dev mailing list