Openssh, moduli and ssh-keygen

Darren Tucker dtucker at zip.com.au
Fri Jan 24 22:00:49 EST 2014


On Fri, Jan 24, 2014 at 9:21 PM, mailing-list ssh
<lssh.mailing.list at gmail.com> wrote:
> my question is related to the kex algorithm
> diffie-hellman-group-exchange-sha256 and moduli generation. I've seen that
> through ssh-keygen, I'm able to re-generate my moduli file used by DH but
> I'm not sure to understand one point in the ssh-keygen manpage:
> "Screened DH groups may be installed in /etc/ssh/moduli.  It is important
> that this file contains moduli of a range of bit lengths and that both ends
> of a connection share common moduli."
>
> I don't understand why both ends of a connection should share a common
> moduli file?

I think the man page is unclear.

The part about needing a range of sizes is true.  I suspect the part
about "both ends sharing common moduli" is trying to refer to
Diffie-Hellman Group Exchange, which is how the moduli for a
particular SSH session get to the client.

There is no requirement for the server and client to have the same
moduli file, and in fact no requirement for a client to have a moduli
file at all.

-- 
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4  37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
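To make the group-exchange point concrete, here is an added example (my own illustration, not OpenSSH code) modelling how a server picks a group from a moduli(5)-format file to satisfy the client's requested bit-length range, and what a client, which needs no moduli file at all, checks on the group it receives. The sample file contents are constructed with tiny safe primes, and the selection rule and client-side checks are assumptions for illustration rather than a transcript of sshd/ssh behaviour.

```python
"""Toy model of Diffie-Hellman group exchange against a moduli(5)-style file."""
MODULI_TYPE_SAFE = 2          # moduli(5): p = 2q + 1 with q prime
MODULI_TEST_MILLER_RABIN = 0x04  # moduli(5): probabilistic primality tests passed

# Constructed sample in moduli(5) column order. Primes are tiny safe primes
# (0x1f7=503, 0x1d3=467, 0x3fb=1019, 0x773=1907); the size column is written
# as bits-1 here (assumed ssh-keygen convention), but the parser derives the
# size from the modulus itself. The last line is sieve-only (tests=2), so it
# is not "screened" and must be ignored.
SAMPLE_MODULI = """\
# Time Type Tests Tries Size Generator Modulus(hex)
20140124220049 2 6 100 8 2 1f7
20140124220049 2 6 100 8 2 1d3
20140124220049 2 6 100 9 2 3fb
20140124220049 2 6 100 10 2 773
20140124220049 2 2 100 9 2 3fb
"""


def parse_moduli(text):
    """Return (size_bits, generator, p) for screened safe-prime entries only."""
    groups = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        _time, typ, tests, _trials, _size, gen, mod = line.split()
        if int(typ) != MODULI_TYPE_SAFE or not int(tests) & MODULI_TEST_MILLER_RABIN:
            continue  # unscreened or not a safe prime: never offer it
        p = int(mod, 16)
        groups.append((p.bit_length(), int(gen), p))
    return groups


def choose_group(groups, min_bits, want_bits, max_bits):
    """Server side: honour the client's [min, want, max] request.
    Assumed rule: smallest size at or above want_bits, else the largest below it.
    (sshd picks at random among entries of the chosen size; here the smallest p.)"""
    candidates = [g for g in groups if min_bits <= g[0] <= max_bits]
    if not candidates:
        return None
    above = [g for g in candidates if g[0] >= want_bits]
    return min(above) if above else max(candidates, key=lambda g: (g[0], -g[2]))


def _is_prime(n):  # trial division; fine for the toy sizes used here only
    return n >= 2 and all(n % d for d in range(2, int(n ** 0.5) + 1))


def is_safe_prime(p):
    return _is_prime(p) and _is_prime((p - 1) // 2)


def client_accepts(min_bits, max_bits, p, g):
    """Client side: no moduli file needed, just checks on the received group.
    The safe-prime check is affordable only for toy sizes; real screening is
    ssh-keygen's job, which is why the server's file must be well generated."""
    return min_bits <= p.bit_length() <= max_bits and 1 < g < p - 1 and is_safe_prime(p)
```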
