Chris, Jean,
I found the answer to my questions:
Here goes:
(from comp.security.ssh)
"The long answer:
OpenSSH 2.3.0 implements two key-exchange methods: the existing
diffie-hellman-group1-sha1 documented in the SSH transport draft, and a
proposed more general method called diffie-hellman-group-exchange-sha1,
documented in:
http://www.ietf.org/internet-drafts/draft-provos-secsh-dh-group-exchange-00.
txt
The Diffie-Hellman key exchange requires the participants to agree on some
initial parameters: a large prime p, and another number g which generates a
large multiplicative subgroup of GF(p). These parameters need not be
secret, and the diffie-hellman-group1-sha1 method uses a particular, fixed
choice of (p,g).
The new method allows the speakers to negotiate a new (p,g) for each key
exchange. This deals with concerns that using the same (p,g) over time is
dangerous, since it invites precomputation and other specialized attacks on
those particular parameters.
The file ETCDIR/primes is where sshd keeps its stash of possible
Diffie-Hellman parameters (the draft suggests the server might compute
random new values in the background; the current OpenSSH implementation just
uses a fixed store of them). When you use the OpenSSH client and server
together, they use the new method -- but the "primes" file doesn't exist, so
the server has no other DH parameters to offer, and it uses the known
diffie-hellman-group1-sha1 parameters. The warning message about "using old
prime" is a bit misleading, since it sounds as if something is being reused
which ought not to be. Really, it means "using the parameters from the old
key-exchange method."
--
Richard Silverman"
-----Original Message-----
From: Jean Chouanard [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, December 12, 2000 8:35 AM
To: Dharmendra Mohan
Cc: [EMAIL PROTECTED]
Subject: Re: /etc/ssh/primes ?
>From what I see on OpenBSD, the primes file is not generated but part of the
/etc source distribution of OpenBSD (and not of ssh).
You can download it from:
http://www.openbsd.org/cgi-bin/cvsweb/src/etc/primes?rev=1.1
and manually install it as it is done in OpenBSD:
${INSTALL} -c -o root -g wheel -m 644 primes ${DESTDIR}/etc
jean
On 11 December 2000 at 19:11, someone using the login of "Dharmendra Mohan
<[EMAIL PROTECTED]> " wrote:
> Hello,
> Can somebody tell the real reason? I am having the same problem.
> In my case it didn't get solved even after downloading the latest
> version. It didn't generate any primes file when I compiled it.
> I am running it on NetBSD 1.5.
>
> Thanks,
> Dm
>
>
> ----
> Dharmendra Mohan
> [EMAIL PROTECTED]
>
>
> -----Original Message-----
> From: Chris Vaughan [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, December 10, 2000 1:57 PM
> To: 'Daniel Woods'
> Cc: [EMAIL PROTECTED]
> Subject: RE: /etc/ssh/primes ?
>
>
> Hello,
>
> Yes I asked this message recently. The fix that I was advised of was to
get
> the latest snapshot souce of openssh, compile it and move the resulting
> primes file into the /etc/ssh directory.
>
> I have not encountered the the error message since I carried this out.
>
> Chris Vaughan
> Communications Administrator
>
> Department of Information Technology & Management NSW
>
>
> -----Original Message-----
> From: Daniel Woods [mailto:[EMAIL PROTECTED]]
> Sent: Friday, 8 December 2000 5:26 AM
> To: Noam Sturmwind
> Cc: [EMAIL PROTECTED]
> Subject: Re: /etc/ssh/primes ?
>
>
> > I believe someone else mentioned this recently, but either there wasn't
a
> > reply or I managed to delete the reply email (I did accidentally delete
a
> > few before reading -- sorry if this is a repeat question!)
> >
> > Since I've upgraded to OpenSSH 2.3.0p1 (mandrake openssh-2.3.0-p1-7.3mdk
> > package) I've been receiving these warning messages through syslog every
> > time someone connects (before the authentication):
> >
> > sshd[22064]: WARNING: no primes in /etc/ssh/primes, using old prime
> >
> > I'm a bit concerned; depending on what primes are used for, would this
> > have an impact on security? I've looked through old ssh installs and
> > haven't found a primes file, so I'm wondering if this is a new feature?
>
> I have not read any message about this topic before.
> I have also started to get these messages, yet nothing has changed in my
> OpenSSH setup.
>
> Using ...
> openssh-2.3.0p1-7.1mdk
> openssh-askpass-2.3.0p1-7.1mdk
> openssh-clients-2.3.0p1-7.1mdk
> openssh-server-2.3.0p1-7.1mdk
>
> I have the same on two Mandrake systems (7.1), yet the second one has
> not been showing the syslog messages.
>
> Thanks... Dan.
>
