Weak DH primes and openssh

Daniel Kahn Gillmor dkg at fifthhorseman.net
Sat May 23 06:22:13 AEST 2015

On Fri 2015-05-22 00:06:29 -0400, Darren Tucker wrote:
> On Thu, May 21, 2015 at 11:26 PM, Matthew Vernon <matthew at debian.org> wrote:
>> You will be aware of https://weakdh.org/ by now, I presume; the
>> take-home seems to be that 1024-bit DH primes might well be too weak.
>> I'm wondering what (if anything!) you propose to do about this issue,
>> and what Debian might do for our users?
> Would you (and any other vendors) consider generating your own moduli file
> for your distribution?  If a few vendors did that it'd increase the
> diversity quite a lot and it'd stop us (well, specifically me) being the
> point of failure for not making updates.

(thanks for making the recent moduli update, Darren!)

This is an interesting proposal as a way to increase group diversity,
but it also creates a non-obvious fingerprinting channel.  That is,
distro-specific groups would provide a way that someone scanning to find
out what distro is in use can make a more accurate guess based on the
primes offered.

I grant that debian's current patches that add the debian revision
themselves provide a fingerprinting mechanism, but those can be disabled
on Debian with "DebianBanner no" in sshd_config.  We'd want to make sure
that distro-specific moduli don't re-introduce fingerprinting for
operators who want to hide their choice of distro.


PS Darren, has there been any attempt at generating primality proofs for
   the values in ./moduli, as opposed to 100 rounds of Miller-Rabin?  It
   would be a shame for a pseudoprime to slip in, however unlikely that
   would be.

More information about the openssh-unix-dev mailing list