Hi.

On Sat, 20 Feb 2016 19:50:54 +0100
Daniel <dan...@zift.no> wrote:

> I have followed the instructions under "MODULI GENERATION" in the
> "ssh-keygen" man page. The resulting "moduli-2048" file is considerably
> smaller than the one provided with the "openssh-client" package. I have
> a few questions around this:
> 
>  1) Why is the resulting "moduli-2048" file so much smaller?

Because /etc/ssh/moduli contains primes of length 1023, 1535, 2047,
3071 and 4095 bytes. Curiously enough, primes of length 2048 are absent
in this file.


>  2) How is the original "moduli" generated in Debian 8?

Judging from the 'apt-get source openssh' result, the moduli file comes
unchanged from upstream (i.e. OpenBSD).

The way I see it, ssh-keygen merely generates *possible* prime numbers,
as correct checking for primeness (sp?) would require very long and
very CPU-intensive checking - basically you'd have to divide the generated
number by each and every number less than the generated candidate prime and
see if the result is an integer (the candidate is discarded then) or not.

ssh-keygen 'cheats' and does some minimal checks to ensure that the
generated primes are 'good enough', aka 'safe primes'.

See also the moduli(5) manpage for the definition of the second and third
columns in /etc/ssh/moduli.


>  3) Why is the "moduli" file provided by the openssh _client_
>     package ("openssh-client")? I would have thought that
>     this file is important when generating the server keys
>     as well?

And it is important indeed. There are some things that you might
possibly miss though:

- It's impossible for two different packages to provide exactly the
same file (without resorting to dpkg-divert at least).
- openssh-server depends on exactly the same version of openssh-client.

So Debian 'cheats'. Since both the ssh client and the server
need the /etc/ssh/moduli file, the *client* provides it, and the *server*
depends on the client, because you can install an ssh client without a
server, but an ssh server without a client on the same host is not of much
use to anyone.

Reco
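An added example, not from the thread: a small Python script that writes and parses entries in the moduli(5) column format and re-checks the 'safe prime' property (both p and (p-1)/2 pass Miller-Rabin) that the reply refers to. The sample entries, their timestamp and the toy 41- and 49-bit sizes are constructed, far below the sizes in a real /etc/ssh/moduli.

```python
SMALL_PRIMES = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]

def is_probable_prime(n):
    """Trial division, then Miller-Rabin with fixed bases (deterministic below ~3e23)."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True
def is_safe_prime(p):  # moduli(5) type 2: p prime and (p-1)/2 prime as well
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)
def find_safe_prime(start):  # walk odd candidates upward; deterministic, unlike ssh-keygen -G
    p = start | 1
    while not is_safe_prime(p):
        p += 2
    return p
def format_moduli_line(p, generator=2, trials=100, when="20160220195054"):
    # Columns: time type tests trials size generator modulus. type 2 = safe prime,
    # tests 6 = sieve|Miller-Rabin, size = bit length - 1 (stock file: 1023 for 1024-bit).
    return f"{when} 2 6 {trials} {p.bit_length() - 1} {generator:X} {p:X}"
def parse_moduli_line(line):
    t, typ, tests, trials, size, gen, mod = line.split()
    return {"time": t, "type": int(typ), "tests": int(tests), "trials": int(trials),
            "size": int(size), "generator": int(gen, 16), "modulus": int(mod, 16)}

def audit(text):
    """Re-verify each entry; return {size: count} of entries that really are safe primes."""
    sizes = [e["size"] for e in map(parse_moduli_line, text.splitlines())
             if e["type"] == 2 and is_safe_prime(e["modulus"])]
    return {s: sizes.count(s) for s in sizes}

# Constructed sample: two toy-sized safe primes plus an entry claiming type 2 for
# 0x11 = 17, whose (17-1)/2 = 8 is not prime, so audit() must reject it.
SAMPLE = "\n".join([format_moduli_line(find_safe_prime(1 << 40)),
                    format_moduli_line(find_safe_prime(1 << 48)),
                    "20160220195054 2 6 100 4 2 11"])
```

To check a real file, pass the text of /etc/ssh/moduli (minus its leading comment lines) to audit(); the resulting keys are exactly the size column values the reply lists.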
