Updated moduli file in OpenSSH 3.8

Damien Miller djm at mindrot.org
Wed Feb 25 10:22:56 EST 2004

Moulding, Dan wrote:

> Hi,
> Can anybody briefly explain the significance of the updated moduli file?
> Is this a critical update? Should all existing installations update
> their moduli file?

The purpose of the group-exchange KEX method is to make cryptographic
attacks against well-known DH groups impractical, by providing a
diversity of moduli. Obviously this works best if the moduli are
recycled every now and then. So, the update isn't critical, but it is

Note that recent versions of ssh-keygen allow you to generate moduli for
yourself. Have a look at the "MODULI GENERATION" section of the
ssh-keygen manpage for details on how to do this.

Note that you will need to generate a range of group sizes for this to
be effective. I'd recommend that you base these on the sizes of the
shipped moduli file. Beware - the generation process is quite slow and
CPU/memory intensive.
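
An added example, not part of the original post: a small Python check that compares the range of group sizes in a locally generated moduli file against a reference such as the shipped one. It assumes the seven-field line layout from moduli(5) (time, type, tests, tries, size, generator, modulus); the sample lines are constructed placeholders, not real safe primes, and the function names are hypothetical.

```python
from collections import Counter


def _fake_line(size_field):
    # Constructed sample line: the modulus is a placeholder of the right
    # bit length, NOT a real safe prime.
    hex_digits = (size_field + 1) // 4
    modulus = "F" + "0" * (hex_digits - 2) + "3"
    return f"20040101000000 2 6 100 {size_field} 2 {modulus}"


# Constructed stand-ins for a shipped moduli file and a locally generated one.
SHIPPED = "# Time Type Tests Tries Size Generator Modulus\n" + "\n".join(
    _fake_line(s) for s in (1023, 1023, 1535, 2047, 3071, 4095))
LOCAL = "\n".join(_fake_line(s) for s in (1023, 2047, 2047))


def group_sizes(moduli_text):
    """Return a Counter mapping prime size in bits -> number of groups."""
    sizes = Counter()
    for lineno, line in enumerate(moduli_text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        size_field, modulus = int(fields[4]), int(fields[6], 16)
        bits = modulus.bit_length()
        # The size column holds one less than the prime's bit length.
        if bits != size_field + 1:
            raise ValueError(
                f"line {lineno}: size {size_field} but modulus has {bits} bits")
        sizes[bits] += 1
    return sizes


def missing_sizes(local_text, reference_text):
    """Bit sizes present in the reference file but absent from the local one."""
    return sorted(set(group_sizes(reference_text)) - set(group_sizes(local_text)))


if __name__ == "__main__":
    print("shipped:", dict(group_sizes(SHIPPED)))
    print("missing locally:", missing_sizes(LOCAL, SHIPPED))
```

To use it on real files, read the installed moduli file and your generated one into strings and pass them to `missing_sizes` in place of the constructed samples.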


