Creating ssh/moduli
Hello list members,

I am playing with automated host deployment and ssh host key generation. I also found an /etc/ssh/moduli, and 'man moduli' says that generating a new one using 'ssh-keygen -G' is no big thing. So I was not shy and removed that moduli. But ssh-keygen does not help here, as it says 'unknown option -- G'.

Q: How to make a new ssh/moduli?

Not sure when this moduli man page was last touched; looks like about ten years ago?


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Creating ssh/moduli
On 13/04/2022 10:59, Keine Eile wrote:
> Q: How to make a new ssh/moduli?

The ssh-keygen(1) manpage has a whole section under heading "MODULI
GENERATION":

https://man.openbsd.org/ssh-keygen#MODULI_GENERATION

Re: Creating ssh/moduli
On 13.04.22 at 12:31, Brian Candler wrote:
> On 13/04/2022 10:59, Keine Eile wrote:
>> Q: How to make a new ssh/moduli?
>
> The ssh-keygen(1) manpage has a whole section under heading "MODULI GENERATION":
>
> https://man.openbsd.org/ssh-keygen#MODULI_GENERATION
>

Of course, this is too obvious. Thank you!

May I suggest mentioning 'ssh-keygen -M' in the sshd man page (Files, /etc/ssh/moduli), too.
Re: Creating ssh/moduli
On Wed, 13 Apr 2022 at 20:49, Keine Eile <keine-eile@e-mail.de> wrote:
>
> Am 13.04.22 um 12:31 schrieb Brian Candler:
> > On 13/04/2022 10:59, Keine Eile wrote:
> >> Q: Hot to make a new ssh/moduli?
> >
> > The ssh-keygen(1) manpage has a whole section under heading "MODULI GENERATION":
> >
> > https://man.openbsd.org/ssh-keygen#MODULI_GENERATION

Also, the script we use to regenerate it is here:
https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/moduli-gen/moduli-gen.sh?annotate=1.5

Note that it's several days' worth of CPU time on a single core, depending
on the speed of that core. It could be trivially parallelized, but
since we tend to generate it once per release cycle (~6 months) it's
not been worth doing for us.

> Of course, this is too obvious. Thank you!
>
> May I suggest mentioning 'ssh-keygen -M' in the sshd man page (Files, /etc/ssh/moduli), too.

sshd(8) [0] already refers to moduli(5) [1]:

"/etc/moduli - Contains Diffie-Hellman groups used for the
"Diffie-Hellman Group Exchange" key exchange method. The file format
is described in moduli(5)."

which says

"New moduli may be generated with ssh-keygen(1) using a two-step
process. An initial candidate generation pass, using ssh-keygen -G,
calculates numbers that are likely to be useful. A second primality
testing pass, using ssh-keygen -T [...]."

which we should fix, since -T and -G are the old flags that predate
-M. Once that's fixed I don't think any additions to sshd(8) are
needed.

[0] https://man.openbsd.org/sshd.8
[1] https://man.openbsd.org/moduli.5

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
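The two-step process Darren describes (candidate generation, then primality screening), written against the current `ssh-keygen -M` interface instead of the old `-G`/`-T` flags, plus the sanity check an operator should run before dropping a regenerated file into /etc/ssh. This is an added example, not from the thread and not OpenSSH's own moduli-gen.sh; it assumes OpenSSH 8.2 or newer, POSIX sh and awk. The `generate_moduli` step is the slow one and is not run automatically here. The sample moduli lines are constructed to exercise the filter; their moduli are placeholders, not real primes.

```shell
#!/bin/sh
# Added example (not from the thread or from OpenSSH): regenerate a moduli
# file with ssh-keygen -M and sanity-check it before installing it.
# Assumes OpenSSH >= 8.2 (-M generate / -M screen), POSIX sh and awk.
# The sample moduli below are constructed; the modulus values are NOT primes.

# Step 1 + step 2 with the -M subcommands that replaced -G and -T.
# Screening is the expensive part: days of CPU for a full multi-size file.
generate_moduli() {
    bits="$1"   # group size in bits, e.g. 3072
    out="$2"    # screened output file, e.g. ./moduli.new
    ssh-keygen -M generate -O bits="$bits" "$out.candidates" &&
    ssh-keygen -M screen -f "$out.candidates" "$out" &&
    rm -f "$out.candidates"
}

# Keep only lines that look like screened safe-prime groups of at least
# min_bits. moduli(5) fields: time type tests trials size generator modulus.
# type 2 = "safe" prime; tests bit 0x01 = composite (must be clear); the
# size field is the bit length minus one, so 3072-bit groups show as 3071.
filter_moduli() {
    min_bits="$1"
    awk -v min="$min_bits" '
        /^#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        NF != 7                  { next }   # not the seven moduli(5) fields
        $2 != 2                  { next }   # not a safe prime
        $3 == 0 || ($3 % 2) == 1 { next }   # untested, or flagged composite
        $5 + 1 < min             { next }   # smaller than the policy minimum
        $7 !~ /^[0-9A-Fa-f]+$/   { next }   # modulus is not hexadecimal
        { print }
    '
}

# Constructed sample in moduli(5) layout (placeholder moduli, not primes).
sample_moduli() {
    cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20220413120000 2 6 100 2047 2 D5F9A3B1C7E2F0A4B6C8D1E3F5A7B9C0D2E4F6A8B0C2D4E6F8A1B3C5D7E9F0A2
20220413120100 2 6 100 3071 2 E6A0B4C2D8F3A1B5C7D9E2F4A6B8C1D3E5F7A9B1C3D5E7F9A2B4C6D8E0F1A3B5
20220413120200 2 6 100 4095 5 F7B1C5D3E9A4B2C6D8E0F3A5B7C9D2E4F6A8B0C2D4E6F8A1B3C5D7E9F0A2B4C6
20220413120300 2 1 100 4095 2 A8C2D6E4F0B5C3D7E9F1A4B6C8D0E3F5A7B9C1D3E5F7A9B2C4D6E8F0A1B3C5D7
20220413120400 2 6 100 4095 2 not-a-modulus
EOF
}

# Number of sample lines that survive the filter at a given minimum size.
count_kept() {
    sample_moduli | filter_moduli "$1" | wc -l | tr -d ' '
}

# Typical use on a real file (the generation call is left commented out
# because it can take days):
#   generate_moduli 3072 ./moduli.new
#   filter_moduli 3072 < ./moduli.new > ./moduli.checked
# then install ./moduli.checked as /etc/ssh/moduli once it is non-empty.
```

Running `filter_moduli` over the constructed sample with a 3072-bit minimum keeps the 3071 and the well-formed 4095 line and drops the 2047 line, the line whose tests field has the composite bit set, and the line with a non-hex modulus; `count_kept 3072` therefore reports 2.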