Verification of primes in /etc/ssh/moduli file

Damien Miller djm at
Fri Sep 3 14:39:03 AEST 2021

On Thu, 2 Sep 2021, Hubert Kario wrote:

> I haven't looked into OpenSSH or libssh, but for TLS the clients generally 
> _don't_ check if the p is a prime, let alone a safe prime, so it doesn't 
> really matter if the isPrime() function is hardened or not as it's not used 
> in the first place...

It doesn't matter in the context of a single connection, where the
endpoints have to trust each other not to divulge session contents or

But we use BN_is_prime() in the moduli verification tools we ship
for users to verify that we're not shipping out composite numbers.
This is an adversarial use case.

Of course, having actual primality certificates is better.
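As an added example (my own code, not OpenSSH's moduli tooling), here is a standalone re-check of /etc/ssh/moduli entries that tests both p and (p-1)/2 with Miller-Rabin over freshly drawn random bases and confirms the generator has full order; the sample lines are constructed and toy-sized. The optional fixed-base path exists only to show why the hardening matters: 2047 = 23*89 passes base 2.

```python
# Added example, not OpenSSH code: safe-prime re-check of moduli(5) entries with
# random-base Miller-Rabin (fixed bases can be fooled: 2047 = 23*89 passes base 2).
import secrets

def is_probable_prime(n, rounds=64, bases=None):
    # Miller-Rabin; bases=None draws fresh random bases from [2, n-2] on each call.
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0                      # n - 1 = d * 2^r with d odd
    while d % 2 == 0:
        d, r = d // 2, r + 1
    if bases is None:
        bases = [2 + secrets.randbelow(n - 3) for _ in range(rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False                 # a is a witness: composite for certain
    return True                          # no witness found: probably prime

def check_moduli_line(line):
    # Returns a rejection reason for one moduli(5) entry, or None if it passes.
    fields = line.split()
    if len(fields) != 7:
        return "malformed line"
    _time, mtype, _tests, _tries, _size, generator, modulus = fields
    if mtype != "2":
        return "type is not 2 (safe prime)"
    p, g = int(modulus, 16), int(generator)
    if not is_probable_prime(p):
        return "p is not prime"
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return "(p-1)/2 is not prime, so p is not a safe prime"
    # Orders mod a safe prime are 1, 2, q or 2q; a generator must have order 2q.
    if g % p in (0, 1) or pow(g, 2, p) == 1 or pow(g, q, p) == 1:
        return "generator does not generate the whole group"
    return None

# Constructed, toy-sized sample lines in moduli(5) layout (real entries are 2048+ bits);
# the Size field is not re-checked here.
SAMPLE_LINES = [
    "20210903143903 2 6 100 9 2 3FB",    # 0x3FB = 1019 = 2*509+1, a safe prime: passes
    "20210903143903 2 6 100 10 2 7FF",   # 0x7FF = 2047 = 23*89: rejected
    "20210903143903 2 6 100 9 2 3F5",    # 0x3F5 = 1013 is prime, (1013-1)/2 = 506 is not
]
```

Run `check_moduli_line` over each real file line (skipping `#` comments) to re-verify a shipped moduli file; the random bases make a crafted composite's chance of slipping through negligible rather than zero.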
