Hi folks,

This applies to src/share/man/man5/moduli.5 in the OpenBSD source tree, and doesn't seem to apply to the portable OpenSSH, so I've sent this change here instead of via Bugzilla.

The wording of moduli(5) implies that sshd puts more thought about which modulus it selects than it really does. The following patch corrects this.

Simon.
--
Simon Burge <simonb at wasabisystems.com>
NetBSD Development, Support and Service: http://www.wasabisystems.com/

Index: moduli.5 ==================================================================RCS file: /cvsroot/src/crypto/dist/ssh/moduli.5,v retrieving revision 1.8 retrieving revision 1.9 diff -d -p -u -r1.8 -r1.9 --- moduli.5 4 Jul 2003 21:56:48 -0000 1.8 +++ moduli.5 7 Feb 2005 12:26:56 -0000 1.9 @@ -31,7 +31,7 @@ .\" .\" Manual page, using -mandoc macros .\" -.Dd July 28, 1997 +.Dd February 7, 2005 .Dt MODULI 5 .Os .Sh NAME @@ -140,11 +140,16 @@ Specifies the best generator for a Diffi .Fa Modulus : hex string . The prime modulus. .Pp -The file is searched for moduli that meet the appropriate +The file should be searched for moduli that meet the appropriate Time, Size and Generator criteria. When more than one meet the criteria, the selection should be weighted toward newer moduli, without completely disqualifying older moduli. +.Pp +Note that +.Xr sshd 8 +uses only the Size criteria and then selects a modulus at random +if more than one meet the Size criteria. .Sh FILES .Bl -tag -width /etc/moduli -compact .It Pa /etc/moduli
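Review bot: in the second hunk (the @@ -140,11 +140,16 @@ one), "Size criteria" is used twice as a singular ("uses only the Size criteria", "if more than one meet the Size criteria"); "criteria" is the plural, so both should read "Size criterion". More substantively, the hunk keeps the paragraph that tells the reader the file "should be searched" on Time, Size and Generator with a weighting toward newer moduli, and then adds a .Pp saying sshd(8) does none of that; consider leading with what sshd(8) actually does ("selects at random among the moduli whose Size matches the requested size") and presenting the Time/Generator weighting only as guidance for other consumers of the file, so the page no longer describes a policy that its main consumer does not follow. The .Dd bump in the first hunk is fine.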
Simon Burge wrote:
> Hi folks, > > This applies to src/share/man/man5/moduli.5 in the OpenBSD source > tree, and doesn't seem to apply to the portable OpenSSH, so I've > sent this change here instead of via Bugzilla. > > The wording of moduli(5) implies that sshd puts more thought about which > modulus it selects than it really does. The following patch corrects > this. > > Simon. > -- > Simon Burge <simonb at wasabisystems.com> > NetBSD Development, Support and Service: http://www.wasabisystems.com/ > > Index: moduli.5 > ==================================================================> RCS file: /cvsroot/src/crypto/dist/ssh/moduli.5,v > retrieving revision 1.8 > retrieving revision 1.9 > diff -d -p -u -r1.8 -r1.9 > --- moduli.5 4 Jul 2003 21:56:48 -0000 1.8 > +++ moduli.5 7 Feb 2005 12:26:56 -0000 1.9 > @@ -31,7 +31,7 @@ > .\" > .\" Manual page, using -mandoc macros > .\" > -.Dd July 28, 1997 > +.Dd February 7, 2005 > .Dt MODULI 5 > .Os > .Sh NAME > @@ -140,11 +140,16 @@ Specifies the best generator for a Diffi > .Fa Modulus : hex string . > The prime modulus. > .Pp > -The file is searched for moduli that meet the appropriate > +The file should be searched for moduli that meet the appropriate

I don't know whether that is much better. The time column at least is purely informational. Maybe it should just say that it is checked for size.

-d
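To make the difference the thread is arguing about concrete, here is an added example (not code from the thread, nor from OpenSSH) that parses a file in the moduli(5) layout and implements both selection policies side by side: the one the patch says sshd actually uses (filter on Size only, then choose uniformly at random) and the one the manual page's wording describes (weight the choice toward newer moduli without disqualifying older ones). The field order Time Type Tests Tries Size Generator Modulus, and the convention that the Size field lists the prime's bit length minus one, are assumptions of this example; the sample lines are constructed and are not real safe primes, and the rank-based weighting is this example's own choice, not a policy taken from OpenSSH.

```python
"""Parse moduli(5)-style lines and compare two modulus-selection policies.

Added example; assumes the field order Time Type Tests Tries Size Generator
Modulus and that Size lists bit length minus one. Sample data is constructed.
"""
import random
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the assumed moduli(5) layout; the hex values are odd
# numbers of the right bit length, NOT real safe primes.
SAMPLE_MODULI = """\
# Time           Type Tests Tries Size Gen Modulus
19970728000000 2 6 100 15 2 8001
20030704215648 2 6 100 15 2 c003
20050207122656 2 6 100 15 5 ffff
20050207122656 2 6 100 23 2 ffffff
"""


@dataclass(frozen=True)
class Modulus:
    time: str        # YYYYMMDDHHMMSS of generation; informational only
    ptype: int       # prime type field
    tests: int       # tests bit field
    tries: int       # number of primality tests performed
    size: int        # listed Size field (assumed: bit length minus one)
    generator: int   # recommended generator
    modulus: int     # the prime modulus, parsed from its hex string


def parse_moduli(text: str) -> List[Modulus]:
    """Parse moduli lines, skipping comments/blank lines.

    Rejects a line whose modulus is even or whose bit length disagrees with
    the listed Size, the kind of sanity check a consumer should apply before
    trusting a line it did not generate itself.
    """
    out = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        t, ptype, tests, tries, size, gen, mod = fields
        m = Modulus(t, int(ptype), int(tests), int(tries), int(size), int(gen), int(mod, 16))
        if m.modulus % 2 == 0 or m.modulus.bit_length() != m.size + 1:
            raise ValueError(f"line {lineno}: modulus inconsistent with listed Size")
        out.append(m)
    return out


def choose_by_size(moduli: List[Modulus], size: int, rng=random) -> Optional[Modulus]:
    """The behaviour the patch attributes to sshd: Size only, then uniform random."""
    candidates = [m for m in moduli if m.size == size]
    if not candidates:
        return None
    return rng.choice(candidates)


def choose_weighted_newer(moduli: List[Modulus], size: int, rng=random) -> Optional[Modulus]:
    """The policy the manual page's wording describes: among Size matches,
    favour newer moduli without excluding older ones. Weighting by age rank
    (oldest weight 1, newest weight n) is this example's own choice."""
    candidates = sorted((m for m in moduli if m.size == size), key=lambda m: m.time)
    if not candidates:
        return None
    weights = list(range(1, len(candidates) + 1))
    return rng.choices(candidates, weights=weights, k=1)[0]


if __name__ == "__main__":
    entries = parse_moduli(SAMPLE_MODULI)
    rng = random.Random(0)
    print("sshd-style pick:", choose_by_size(entries, 15, rng))
    print("weighted pick:  ", choose_weighted_newer(entries, 15, rng))
```

Running it with a seeded generator makes the two policies' behaviour visible: over many draws `choose_by_size` picks each of the three size-15 entries about equally often, while `choose_weighted_newer` favours the 2005 entry, which is exactly the difference between what moduli(5) described and what the patch says sshd does.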