
Bug#774711: recommendations for changing openssh defaults



Matt Taggart <taggart@debian.org> writes:

> Jens Thiele writes:
>> AFAIR I have seen small default primes with this one.

I can't reproduce it (maybe my memory was just wrong).

>> Did you inspect this?
> I didn't.

I just did a quick test connecting 100 times from jessie to wheezy and
wheezy to wheezy[1]. Looks like primes are from the target system's
/etc/ssh/moduli file and always 4095 bits => not really "small" (I thought
I did see <=1024 bits).

(Only downside in this test: the number of primes of that length in
ssh/moduli is relatively small => they are reused quite often.)

But maybe someone can inspect this in more detail.

[1]
using something like:
unset GNOME_KEYRING_CONTROL GNOME_DESKTOP_SESSION_ID GNOME_KEYRING_PID \
 && dumpcap -q -i wlan0 -w - \
 |su nobody -c "tshark -d tcp.port==2222,ssh -Tfields \
  -e ssh.dh.g -e ssh.dh.p \
  -Y \
  'ssh and (ssh.dh.g or ssh.dh.p)' -r -" \
  |head -n100|sort|uniq -c|tee /tmp/primes
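As an added example (not part of this bug thread), a small Python script that post-processes the two-column tshark -Tfields output produced by the pipeline above: it parses the hex-encoded g/p columns, reports each modulus's bit length and how often it recurs, and flags anything below an assumed 2048-bit threshold. The sample lines are constructed, not captured, and the helper that builds them is only there to exercise the parser.

```python
from collections import Counter

MIN_BITS = 2048  # moduli below this are flagged (assumed threshold)


def mpint_hex_to_int(field):
    """Parse a tshark hex bytes field ("00ff.." or "00:ff:..") into an int.
    An mpint's leading 0x00 sign byte does not change the value."""
    digits = field.strip().replace(":", "")
    return int(digits, 16) if digits else 0


def analyse(lines, min_bits=MIN_BITS):
    """Return (sizes, counts, weak): bit length of each distinct modulus,
    how many exchanges used it, and the moduli shorter than min_bits."""
    counts, sizes = Counter(), {}
    for line in lines:
        parts = line.rstrip("\n").split("\t")
        # tshark emits an empty column when a field is absent from the packet
        if len(parts) < 2 or not parts[1].strip():
            continue
        modulus = mpint_hex_to_int(parts[1])
        counts[modulus] += 1
        sizes[modulus] = modulus.bit_length()
    weak = sorted(m for m, bits in sizes.items() if bits < min_bits)
    return sizes, counts, weak


def fake_mpint_hex(value):
    """Encode an int the way tshark prints an mpint body: big-endian hex with
    a leading 00 byte when the top bit is set (constructed test helper)."""
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return raw.hex()


# Constructed capture: two 4096-bit moduli, one of them used three times,
# plus a single 1024-bit one. Arbitrary odd numbers, not real primes.
P_BIG_A = (1 << 4095) | (0xABC << 100) | 1
P_BIG_B = (1 << 4095) | (0x123 << 200) | 1
P_SMALL = (1 << 1023) | 0x55
SAMPLE_LINES = ["2\t" + fake_mpint_hex(p)
                for p in (P_BIG_A, P_BIG_A, P_SMALL, P_BIG_B, P_BIG_A)]

if __name__ == "__main__":
    sizes, counts, weak = analyse(SAMPLE_LINES)
    for m, n in counts.most_common():
        print(f"{sizes[m]:5d} bits  seen {n}x  p=...{m & 0xffffffff:08x}")
    print(f"moduli below {MIN_BITS} bits: {len(weak)}")
```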

