Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Re: /etc/ssh/moduli file

964 views
Skip to first unread message
Message has been deleted

Richard E. Silverman

unread,
Jan 16, 2005, 5:39:59 PM1/16/05
to
>>>>> "Chris" == Chris <nos...@junk.baldrick.org> writes:

Chris> Hi, I read in a previous post about being able to change the
Chris> moduli file to alter the key exchange in openssh.. I've been
Chris> meaning to take a peek at this and have just got around to it.

Chris> I can't seem to find any information on google about how
Chris> openssh uses this file - would simply removing the smaller
Chris> entries from it equate to raising the security of the DH key
Chris> exchange by only leaving it the option of using larger values?

Yes, although this only applies if the client chooses to use the
diffie-hellman-group-exchange-sha1 method, which is not yet part of the
SSH-TRANS draft and not universally supported; in fact, the only exchange
you can be sure of is the least secure one, diffie-hellman-group1-sha1.
You also can't configure which exchange methods OpenSSH offers; you'd have
to change the source.

The man moduli(5) man page is part of OpenBSD, and even though
OpenSSH-portable installs the modulie file on non-OpenBSD systems and
refers to its man page in sshd(8), it does not install a man page for it
(this seems like an omission?). I'm appending a copy of it for reference.

I wouldn't go to a lot of trouble to increase the security of the key
exchange. The idea of having a choice of groups is a long-range strategy,
designed to avoid the possibility of future specialized attacks against a
fixed group and to allow increasing the key size as needed. Hopefully,
the group-exchange method will become the standard. However, most
practical attacks are going to be against other aspects of the system: the
integrity of your user's key files, password/passphrase guessing, host
spoofing by getting people to ignore server authentication, etc. I'd
spend a lot more time dealing with these issues.

--
Richard Silverman
r...@qoxp.net

------------------------------------------------------------------------

MODULI(5) OpenBSD Programmer's Manual

NAME
moduli - system moduli file

DESCRIPTION The /etc/moduli file contains the system-wide Diffie-Hellman
prime moduli for sshd(8).

Each line in this file contains the following fields: Time, Type,
Tests, Tries, Size, Generator, Modulus. The fields are separated by
white space (tab or blank).

Time: yyyymmddhhmmss. Specifies the system time that the line was
ap- pended to the file. The value 00000000000000 means unknown
(historic).

Type: decimal. Specifies the internal structure of the prime
modulus.

0: unknown; often learned from peer during proto-
col operation, and saved for later analysis.

1: unstructured; a common large number.

2: safe (p = 2q + 1); meets basic structural re-
quirements.

3: Schnorr.

4: Sophie-Germaine (q = (p-1)/2); usually gener-
ated in the process of testing safe or strong primes.

5: strong; useful for RSA public key generation.

Tests: decimal (bit field). Specifies the methods used in checking
for primality. Usually, more than one test is used.

0: not tested; often learned from peer during
protocol opera- tion, and saved for later analysis.

1: composite; failed one or more tests. In this
case, the highest bit specifies the test that failed.

2: sieve; checked for division by a range of
smaller primes.

4: Miller-Rabin.

8: Jacobi.

16: Elliptic Curve.

Tries: decimal. Depends on the value of the highest valid Test bit,
where the method specified is:


0: not tested (always zero).

1: composite (irrelevant).

2: sieve; number of primes sieved. Commonly on
the order of 32,000,000.

4: Miller-Rabin; number of M-R iterations. Com-
monly on the order of 32 to 64.

8: Jacobi; unknown (always zero).

16: Elliptic Curve; unused (always zero).

Size: decimal. Specifies the number of the most significant bit (0
to M).

Generator: hex string. Specifies the best generator for a
Diffie-Hellman exchange. 0 = unknown or variable, 2, 3, 5, etc.

Modulus: hex string. The prime modulus.

The file is searched for moduli that meet the appropriate Time, Size
and Generator criteria. When more than one meet the criteria, the
selection should be weighted toward newer moduli, without completely
disqualifying older moduli.

FILES
/etc/moduli

SEE ALSO
sshd(8)

OpenBSD 3.4 July 28, 1997

------------------------------------------------------------------------

Darren Tucker

unread,
Jan 16, 2005, 7:30:15 PM1/16/05
to
In article <200501162...@abin.onyqevpx>,
Chris <nos...@junk.baldrick.org> wrote:
>I read in a previous post about being able to change the moduli file to
>alter the key exchange in openssh.. I've been meaning to take a peek at
>this and have just got around to it.
>
>I can't seem to find any information on google about how openssh uses this
>file - would simply removing the smaller entries from it equate to raising
>the security of the DH key exchange by only leaving it the option of using
>larger values?

That's correct. sshd scans the moduli file to find a group that is as
large as the client requests or larger. Removing the smaller ones will
mean that it only has the larger ones to offer.

Your other option is modifying the client. When using group exchange
the client sends a request which specifies minimum, preferred and maximum
sizes. In OpenSSH, the min and max are 1024 and 8192 respectively,
and the preferred size is computed from the key length of the symmetric
cipher used.

This preferred size is not a user-tunable knob, but you could change the
sizes your client requests by modifying ssh (see dh.c:dh_estimate()),
which would cause it to request larger group sizes; this would mean that
you would get larger groups if they are available even if the server's
moduli file has not been modified.

The details of the group exchange protocol are at:
http://www.ietf.org/internet-drafts/draft-ietf-secsh-dh-group-exchange-04.txt

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

Darren Tucker

unread,
Jan 17, 2005, 5:19:39 PM1/17/05
to
In article <m2zmz9o...@darwin.oankali.net>,

Richard E. Silverman <r...@qoxp.net> wrote:
>The man moduli(5) man page is part of OpenBSD, and even though
>OpenSSH-portable installs the moduli file on non-OpenBSD systems and

>refers to its man page in sshd(8), it does not install a man page for it
>(this seems like an omission?).

Yes, this is an ommission.

The moduli file was originally a part of Photuris (a now-disused IPSEC
key management system) before being usurped by OpenSSH. Some licensing
issues need to be sorted out before moduli.5 can be put into the Portable
OpenSSH distribution, hopefully this will be resolved shortly.

Message has been deleted
0 new messages