Can we disable diffie-hellman-group-exchange-sha1 by default?
David Lang
david at lang.hm
Fri Feb 15 16:51:37 AEDT 2019
On Fri, 15 Feb 2019, Darren Tucker wrote:
> On Fri, 15 Feb 2019 at 14:22, Yegor Ievlev <koops1997 at gmail.com> wrote:
>> I'm not nearly knowledgeable enough in crypto to fully understand your
>> answer, but I will try. I wonder why moduli are not automatically
>> generated the first time sshd is started though. That would make much
>> more sense than shipping a default moduli file but also asking
>> everyone to replace it with their own.
>
> That was the original intent (and it's mentioned in RFC4419) however
> each moduli file we ship (70-80 instances of 6 sizes) takes about 1
> cpu-month to generate on a lowish-power x86-64 machine. Most of it is
> parallelizable, but even then it'd likely take a few hours to generate
> one of each size. I imagine that'd cause some complaints about
> startup time.
is there a document somewhere that gives simple instructions on how to do this
(as opposed to digging them out of a large RFC that covers lots of other stuff)
ideally a simple script that could be run.
Can this be something that is set to run in the background (heavily niced) and
then switch in when completed? or would that cause grief with existing keys in
use?
David Lang
> With those caveats, you are also welcome to add the appropriate
> ssh-keygen commands to your startup scripts.
>
>
More information about the openssh-unix-dev
mailing list