Bug#774711: recommendations for changing openssh defaults
Matt Taggart <taggart@debian.org> writes:
> Jens Thiele writes:
>> AFAIR I have seen small default primes with this one.
I can't reproduce it (maybe my memory was just wrong).
>> Did you inspect this?
> I didn't.
I just did a quick test connecting 100 times from jessie to wheezy and
wheezy to wheezy[1]. Looks like primes are from the target system's
/etc/ssh/moduli file and always 4095 bits => not really "small" (I thought
I had seen <=1024 bits).
(Only downside in this test: the number of primes of that length in
ssh/moduli is relatively small => they are reused quite often.)
But maybe someone can inspect this in more detail.
[1] using something like:
unset GNOME_KEYRING_CONTROL GNOME_DESKTOP_SESSION_ID GNOME_KEYRING_PID \
&& dumpcap -q -i wlan0 -w - \
|su nobody -c "tshark -d tcp.port==2222,ssh -Tfields \
-e ssh.dh.g -e ssh.dh.p \
-Y \
'ssh and (ssh.dh.g or ssh.dh.p)' -r -" \
|head -n100|sort|uniq -c|tee /tmp/primes
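As an added example (not part of the bug report or of OpenSSH), the script below parses the /etc/ssh/moduli format referred to above and reports how many groups of each bit length the file offers, which is the reuse concern mentioned in the mail. The moduli lines are constructed fillers of realistic length, not real safe primes, and the 2048-bit minimum is an assumption for the example.

```python
from collections import Counter

MIN_BITS = 2048  # assumption for this example: flag anything smaller

# Constructed sample in moduli(5) layout (time type tests tries size
# generator modulus). The hex is an all-ones filler of realistic length,
# not a real safe prime; a real file has only a handful of groups per size.
SAMPLE_MODULI = "\n".join([
    "# Time Type Tests Tries Size Generator Modulus",
    "20150101000000 2 6 100 1023 2 " + "F" * 256,
    "20150101000000 2 6 100 1023 5 " + "F" * 256,
    "20150101000000 2 6 100 2047 2 " + "F" * 512,
    "20150101000000 2 6 100 4095 2 " + "F" * 1024,
    "20150101000000 2 6 100 4095 2 " + "F" * 1024,
    "20150101000000 2 6 100 4095 5 " + "F" * 1024,
])


def parse_moduli(text):
    """Yield (declared_size, generator, modulus) for each group line."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # comments and blank lines are allowed in the file
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        yield int(fields[4]), int(fields[5]), int(fields[6], 16)


def summarise(text, min_bits=MIN_BITS):
    """Return ({bit_length: group_count}, [(declared_size, bit_length), ...]).

    Bit length is taken from the modulus itself rather than the size field:
    OpenSSH writes size as one less than the bit length (4095 for a
    4096-bit group), which is the figure seen in the capture above.
    """
    per_bits = Counter()
    small = []
    for size, _gen, modulus in parse_moduli(text):
        bits = modulus.bit_length()
        per_bits[bits] += 1
        if bits < min_bits:
            small.append((size, bits))
    return dict(per_bits), small


if __name__ == "__main__":
    print(summarise(SAMPLE_MODULI))
```

Point summarise() at the text of a real /etc/ssh/moduli to see how few groups exist at each size, which is why the same prime shows up repeatedly in a capture like the one above.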