Re: ssh regenerated moduli file much smaller than the one provided by Debian
On Sat, Feb 20, 2016 at 10:23:26PM +0300, Reco wrote:
> Hi.
>
> On Sat, 20 Feb 2016 19:50:54 +0100
> Daniel <daniel@zift.no> wrote:
>
> > I have followed the instructions under "MODULI GENERATION" in the "ssh-keygen" man page.
> > The resulting "moduli-2048" file is considerably smaller than the one provided with the
> > "openssh-client" package. I have a few questions around this:
> >
> > 1) Why is the resulting "moduli-2048" file so much smaller?
>
> Because /etc/ssh/moduli contains primes of length 1023, 1535, 2047,
> 3071 and 4095 bytes. Curiously enough, primes of length 2048 are absent
> in this file.
>
Ah yes, I see that now. Seems they are off by one for the number of bits,
which might make sense for primes, since 2048 is probably a bad start for
a prime number or something.
>
> > 2) How is the original "moduli" generated in Debian 8?
>
-snip-
>
>
> > 3) Why is the "moduli" file provided by the openssh _client_
> > package ("openssh-client")? I would have thought that
> > this file is important when generating the server keys
> > as well?
>
> And it is important indeed. There are some things that you might
> possibly miss though:
>
> - It's impossible for two different packages to provide exactly the
> same file (without resorting to dpkg-divert at least).
> - openssh-server depends on exactly the same version of openssh-client.
Ah, yes, I thought there was an openssh-common package here, but
apparently I was wrong in that assumption.
>
> Reco
>
Thanks for all the info!
- Daniel
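
To compare a regenerated file with the packaged one, the following added example (not part of the original thread) counts entries per size field and reports the actual bit length of each modulus. It assumes the seven-field layout documented in moduli(5); the sample lines are constructed, with short made-up moduli that are not real safe primes.

```python
from collections import Counter

# Constructed sample in the moduli(5) layout:
#   timestamp type tests trials size generator modulus(hex)
# The moduli are short made-up values, not real safe primes.
SAMPLE = """\
# Time Type Tests Tries Size Generator Modulus
20160220000000 2 6 100 15 2 C35B
20160220000001 2 6 100 15 5 F1A7
20160220000002 2 6 100 23 2 A0014F
"""


def parse_moduli(text):
    """Yield (size_field, generator, modulus_int) for each entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue  # skip blank lines and comments
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        yield int(fields[4]), int(fields[5]), int(fields[6], 16)


def summarize(text):
    """Map size field -> (entry count, set of actual modulus bit lengths)."""
    counts = Counter()
    bits = {}
    for size, _gen, modulus in parse_moduli(text):
        counts[size] += 1
        bits.setdefault(size, set()).add(modulus.bit_length())
    return {size: (counts[size], bits[size]) for size in sorted(counts)}


if __name__ == "__main__":
    import sys
    # Pass a path such as /etc/ssh/moduli or moduli-2048; defaults to the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for size, (n, lengths) in summarize(text).items():
        print(f"size field {size}: {n} entries, modulus bit length(s) {sorted(lengths)}")
```

Running it once on the packaged file and once on the regenerated one shows which size fields each file contains and how many entries fall under each.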