Openssh, moduli and ssh-keygen
mailing-list ssh
lssh.mailing.list at gmail.com
Fri Jan 24 21:21:09 EST 2014
Hi,
my question is related to the kex algorithm
diffie-hellman-group-exchange-sha256 and moduli generation. I've seen that
through ssh-keygen, I'm able to re-generate my moduli file used by DH but
I'm not sure I understand one point in the ssh-keygen manpage:
"Screened DH groups may be installed in /etc/ssh/moduli. It is important
that this file contains moduli of a range of bit lengths and that both ends
of a connection share common moduli."
I don't understand why both ends of a connection should share a common
moduli file?
If I trace the key exchange through Wireshark, I can see that the modulus
is transmitted as public data to the client, which is the expected
behavior according to the protocol.
If I strace the ssh client command (OpenSSH_5.9p1), I do not see any access
to the /etc/ssh/moduli file.
It seems that the moduli sharing between server and client is automatically
done by the protocol.
So, did I miss something, or does the manpage have a typo or is it unclear? Maybe
the sentence is meant to say that the bit lengths generated must be supported
by both ends?
Thanks in advance for your explanation.
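As an added example (not from this post or from OpenSSH itself): a small Python model of the server side of diffie-hellman-group-exchange, which reads a file in the moduli(5) column layout, screens the groups, answers the client's (min, n, max) request with one group, and then completes the exchange with a client that holds nothing but the (p, g) it was sent on the wire. The sample moduli lines and the selection rule are constructed assumptions; real files carry 2048-bit and larger primes.

```python
import random
# Constructed sample in moduli(5) column layout: time type tests tries size gen modulus.
# Real files hold 2048-bit and larger safe primes; these are tiny ones for illustration.
# Shipped files list "size" as one less than the prime's bit length, so the loader
# measures the modulus itself instead of trusting that column.
SAMPLE_MODULI = """\
20140124000000 2 6 100 10 2 503
20140124000000 2 6 100 11 2 B3F
20140124000000 2 6 100 11 2 FEF
20140124000000 2 6 100 12 2 1E17
20140124000000 2 6 100 11 2 B41
"""

def is_prime(n):
    """Trial division; enough for the toy sizes used here."""
    return n >= 2 and (n == 2 or (n % 2 == 1 and all(n % d for d in range(3, int(n ** 0.5) + 1, 2))))

def load_moduli(text):
    """Keep only screened groups: type 2, p and q = (p-1)/2 prime, generator in [2, p-2]."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _time, typ, _tests, _tries, _size, gen, mod = line.split()
        p, g = int(mod, 16), int(gen)
        if typ != "2" or not is_prime(p) or not is_prime((p - 1) // 2):
            continue  # composite or not a safe prime (B41 = 43*67 is dropped here)
        if not 2 <= g <= p - 2:
            continue  # such a g would have order 1 or 2 in a safe-prime group
        groups.append((p.bit_length(), p, g))
    return groups

def choose_group(groups, min_bits, n_bits, max_bits):
    """Server's answer to SSH_MSG_KEX_DH_GEX_REQUEST(min, n, max): smallest size at or above n
    inside [min, max], else the largest below n, random among ties (assumed rule). (p, g) or None."""
    sizes = {s for s, _, _ in groups if min_bits <= s <= max_bits}
    if not sizes:
        return None
    above = [s for s in sizes if s >= n_bits]
    best = min(above) if above else max(sizes)
    return random.choice([(p, g) for s, p, g in groups if s == best])

def gex_exchange(groups, min_bits, n_bits, max_bits):
    """Both sides of the exchange; the client half uses only the (p, g) it received
    in SSH_MSG_KEX_DH_GEX_GROUP, never a moduli file of its own."""
    p, g = choose_group(groups, min_bits, n_bits, max_bits)
    q = (p - 1) // 2
    x, y = random.randrange(2, q), random.randrange(2, q)  # client secret x, server secret y
    e, f = pow(g, x, p), pow(g, y, p)  # client sends e, server replies with f
    return p.bit_length(), pow(f, x, p) == pow(e, y, p)
```

Only the server's file contents matter: the client contributes the (min, n, max) request and its exponent, which is why strace of the client shows no access to /etc/ssh/moduli.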