On Sat, Feb 20, 2016 at 10:23:26PM +0300, Reco wrote:
> Hi.
>
> On Sat, 20 Feb 2016 19:50:54 +0100
> Daniel <dan...@zift.no> wrote:
>
> > I have followed the instructions under "MODULI GENERATION" in the
> > "ssh-keygen" man page.
> > The resulting "moduli-2048" file is considerably smaller than the one
> > provided with the
> > "openssh-client" package. I have a few questions around this:
> >
> > 1) Why is the resulting "moduli-2048" file so much smaller?
>
> Because /etc/ssh/moduli contains primes of length 1023, 1535, 2047,
> 3071 and 4095 bytes. Curiously enough, primes of length 2048 are absent
> in this file.
>

Ah yes, I see that now. Seems they are off by one for the number of bits,
which might make sense for primes, since 2048 is probably a bad start for a
prime number or something.

> > 2) How is the original "moduli" generated in Debian 8?
> -snip-
> >
> > 3) Why is the "moduli" file provided by the openssh _client_
> > package ("openssh-client")? I would have thought that
> > this file is important when generating the server keys
> > as well?
>
> And it is important indeed. There are some things that you might
> possibly miss though:
>
> - It's impossible for two different packages to provide exactly the
> same file (without resorting to dpkg-divert at least).
> - openssh-server depends on exactly the same version of openssh-client.

Ah, yes, I thought there was an openssh-common package here, but apparently
I was wrong in that assumption.

>
> Reco
>

Thanks for all the info!

- Daniel
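Added example (not part of the original thread, and not OpenSSH's own code): a small Python reader for the moduli(5) file format that counts entries per size field and checks that each modulus is exactly one bit longer than that field, which is the off-by-one discussed above. The sample lines are constructed and are not real primes; `make_line` and `summarize_moduli` are hypothetical names.

```python
from collections import Counter

def make_line(size_field, value):
    # Constructed sample line in moduli(5) field order:
    # timestamp type tests trials size generator modulus(hex)
    return f"20160220000000 2 6 100 {size_field} 2 {value:X}"

# Constructed sample data: these values are NOT real safe primes, they only
# have the right bit lengths to illustrate how the size field is recorded.
SAMPLE_MODULI = "\n".join([
    "# Time Type Tests Tries Size Generator Modulus",
    make_line(1023, (1 << 1023) | 0x4B3),
    make_line(2047, (1 << 2047) | 0x1D7),
    make_line(2047, (1 << 2047) | 0x9F5),
    make_line(4095, (1 << 4095) | 0x2C1),
])

def summarize_moduli(text):
    """Return (Counter of size fields, list of (line number, problem))."""
    sizes = Counter()
    problems = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        fields = line.split()
        if len(fields) != 7:
            problems.append((lineno, "malformed"))
            continue
        size = int(fields[4])                    # size column
        bits = int(fields[6], 16).bit_length()   # real length of the modulus
        sizes[size] += 1
        if bits != size + 1:                     # expect modulus = size + 1 bits
            problems.append((lineno, f"size={size} bits={bits}"))
    return sizes, problems

if __name__ == "__main__":
    import sys
    # Pass a path such as /etc/ssh/moduli, or run without arguments
    # to use the constructed sample above.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MODULI
    sizes, problems = summarize_moduli(text)
    for size in sorted(sizes):
        print(f"size field {size}: {sizes[size]} moduli of {size + 1} bits")
    for lineno, why in problems:
        print(f"line {lineno}: {why}")
```

Running it against a freshly generated "moduli-2048" and against the packaged /etc/ssh/moduli shows at a glance how many candidates each file offers per group size.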