search for: modulifile

...wild, perpetuated by multiple sources of logjam mediation papers and also Andras Stribnik's very influential piece "Secure Secure Shell", is that server operators can force the use of a minimum group size by removing moduli smaller than that group size from the file pointed to by ModuliFile. I was very surprised to learn this isn't the case. OpenSSH will happily (and almost silently) default to using canned moduli if it doesn't find one less than the client's sent MAX. I am hoping to convince devs of the usefulness of changing this behaviour so that a server will re...

...cate for: > > - Change behaviour of the server to allow server operators to set the > minimum modulus group size allowable for a connection using > diffie-hellman-group-exchange-sha256 > Whether this is by having the server refuse to allow smaller moduli to > be used than exist in ModuliFile, or another explicit configuration > setting is added, it doesn't matter I strongly support this requirement. We have a similar one for RSA and having an explicit setting for DH would be great. -- Dmitry Belyavskiy

...exactly is going wrong with the failing test or how to fix it. I'm happy to provide more information about my environment, but I'm not immediately sure what's relevant. Hopefully the following is a good starting place. regress.log looks as follows: """ trace: adding modulifile='/tmp/guix-build-openssh-9.6p1.drv-0/openssh-9.6p1/moduli' to sshd_config trace: adding modulifile='/tmp/guix-build-openssh-9.6p1.drv-0/openssh-9.6p1/moduli' to sshd_config Executing: /tmp/guix-build-openssh-9.6p1.drv-0/openssh-9.6p1/ssh -Q key-plain log /tmp/guix-build-openssh-9.6p...

Dear colleagues, I came across an upstream test suite failure on Fedora 36. The test in question is forwarding, the output is ========== adding modulifile='/home/dbelyavs/work/upstream/openssh-portable/moduli' to sshd_config using cached key type ssh-ed25519 using cached key type sk-ssh-ed25519 at openssh.com using cached key type ecdsa-sha2-nistp256 using cached key type ecdsa-sha2-nistp384 using cached key type ecdsa-sha2-nistp521 using cac...