Hi.

On Sat, 20 Feb 2016 19:50:54 +0100 Daniel <dan...@zift.no> wrote:

> I have followed the instructions under "MODULI GENERATION" in the
> "ssh-keygen" man page.
> The resulting "moduli-2048" file is considerably smaller than the one
> provided with the "openssh-client" package. I have a few questions
> around this:
>
> 1) Why is the resulting "moduli-2048" file so much smaller?

Because /etc/ssh/moduli contains primes of length 1023, 1535, 2047, 3071 and 4095 bytes. Curiously enough, primes of length 2048 are absent in this file.

> 2) How is the original "moduli" generated in Debian 8?

Judging from the 'apt-get source openssh' result, the moduli file comes unchanged from upstream (i.e. OpenBSD).

The way I see it, ssh-keygen merely generates *possible* prime numbers, as correct checking for primeness (sp?) would require very long and very CPU-intensive checking - basically you'd have to divide the generated number by each and any number less than the generated candidate prime and see if the result is an integer (the candidate is discarded then) or not.

ssh-keygen 'cheats' and does some minimal checks to ensure that the generated primes are 'good enough' aka 'safe primes'. See also the moduli(5) manpage for the definition of the second and third columns in /etc/ssh/moduli.

> 3) Why is the "moduli" file provided by the openssh _client_
> package ("openssh-client")? I would have thought that
> this file is important when generating the server keys
> as well?

And it is important indeed. There are some things that you might possibly miss though:

- It's impossible for two different packages to provide exactly the same file (without resorting to dpkg-divert at least).
- openssh-server depends on exactly the same version of openssh-client.

So Debian 'cheats'. Since both the ssh client and the server need the /etc/ssh/moduli file, the *client* provides it, and the *server* depends on the client. Because you can install an ssh client without a server, but an ssh server without a client on the same host is not of much use to anyone.

Reco
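As an added example (not part of Reco's reply or of OpenSSH itself), a small Python checker for lines in the moduli(5) format that tests the properties discussed above: that the modulus p and (p-1)/2 are both probable primes (a 'safe prime', type 2), that the size column matches the modulus (assumed here to be the bit length minus one, matching the 1023/2047 values quoted above), and that the generator has full order. The sample lines are constructed with tiny primes so it runs instantly; on a real file the same code is just slower.

```python
import random

# Constructed test data in moduli(5) column order:
# time type tests trials size generator modulus(hex)
# 0x3B = 59 = 2*29+1 is a safe prime; 0x25 = 37 is prime but 18 is not; 0x41 = 65 = 5*13.
SAMPLE_MODULI = """\
# constructed sample, not a real /etc/ssh/moduli
20160220195054 2 6 100 5 2 3B
20160220195054 2 6 100 5 2 25
20160220195054 2 6 100 6 2 41
"""

def is_probable_prime(n, rounds=40):
    """Miller-Rabin: False for composites, True with high probability for primes."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):  # cheap trial division first
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:               # write n-1 = d * 2^r with d odd
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False            # witness found: n is definitely composite
    return True

def check_moduli_line(line):
    """Return (ok, reason) for one moduli(5) line."""
    fields = line.split()
    if len(fields) != 7:
        return False, "malformed line"
    _time, mtype, _tests, _trials, size, gen, hexmod = fields
    p, g = int(hexmod, 16), int(gen, 16)
    if mtype != "2":
        return False, "type is not 2 (safe prime)"
    if int(size) != p.bit_length() - 1:     # assumption: size = bit length - 1
        return False, "size column does not match modulus"
    if not is_probable_prime(p):
        return False, "modulus is composite"
    q = (p - 1) // 2
    if not is_probable_prime(q):
        return False, "(p-1)/2 is composite, so p is not a safe prime"
    # For a safe prime p = 2q+1, g generates the whole group iff g^2 != 1 and g^q != 1 (mod p).
    if pow(g, 2, p) == 1 or pow(g, q, p) == 1:
        return False, "generator does not generate the full group"
    return True, "ok"

def check_moduli(text):
    """Check every non-comment line; keyed by the hex modulus."""
    return {ln.split()[-1]: check_moduli_line(ln)
            for ln in text.splitlines() if ln.strip() and not ln.startswith("#")}
```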