On 2015-10-17, <22xtrv+f800c4addk...@guerrillamail.com> wrote:
> According to
> https://freedom-to-tinker.com/blog/haldermanheninger/how-is-nsa-breaking-so-much-crypto/
>
> "Since a handful of primes are so widely reused, the payoff, in terms of
> connections they could decrypt, would be enormous. Breaking a single, common
> 1024-bit prime would allow NSA to passively decrypt connections to two-thirds
> of VPNs and a quarter of all SSH servers globally. Breaking a second 1024-bit
> prime would allow passive eavesdropping on connections to nearly 20% of the
> top million HTTPS websites. In other words, a one-time investment in massive
> computation would make it possible to eavesdrop on trillions of encrypted
> connections."
>
> How is the prime set up for DH in OpenSSH and is that something a user can
> change?
See moduli(5), 'MODULI GENERATION' in ssh-keygen(1) and the script/Makefile in /usr/src/usr.bin/ssh/moduli-gen. You can build your own.

The distributed file is updated from time to time (recently it's been at least once per release, sometimes more often). It's included in baseXX.tgz, so local changes get overwritten when you update.

These are used for 'diffie-hellman-group-exchange-sha1' and ...-sha256 (RFC4419); there are also options with fixed moduli (diffie-hellman-group1-sha1 and ...-group14-sha1). In recent code, the -group1 one is now disabled by default both client- and server-side. Also, the fixed-group ones are blacklisted on the server for clients known to support RFC4419. And the shorter moduli have been removed from the distributed file.

See also https://lists.mindrot.org/pipermail/openssh-unix-dev/2015-May/thread.html#33892 - but that's 5 months old; the code has moved on.
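As an added illustration of the reply above (this script is not from the thread or from the OpenSSH tree), here is the two-step ssh-keygen(1) recipe for building a private moduli file, followed by an awk audit that counts how many screened groups of a given minimum size a moduli(5) file contains. The file names, the 2048-bit floor and the three sample entries are assumptions made for this example; the sample modulus values are placeholders, not real primes.

```shell
#!/bin/sh
# Added example, not the reply's or OpenSSH's own script. It follows the
# 'MODULI GENERATION' recipe from ssh-keygen(1) and then audits a moduli(5)
# file with awk. File names, the 2048-bit floor and the sample entries are
# assumptions made for this illustration.

# 1. Build a private moduli file: -G sieves candidate primes, -T screens
#    them for primality (slow: hours for 4096 bits).
build_moduli() {
    bits="$1"
    out="$2"
    ssh-keygen -G "$out.candidates" -b "$bits"
    ssh-keygen -T "$out" -f "$out.candidates"
    rm -f "$out.candidates"
}

# 2. Count the screened entries of at least $1 bits in a moduli(5) file read
#    on stdin. Fields: time type tests trials size generator modulus, where
#    size is the modulus length in bits minus one (2047 means a 2048-bit
#    group) and type 2 marks a Sophie Germain prime.
count_moduli_at_least() {
    awk -v min="$1" '
        /^#/ || NF != 7 { next }          # skip comments and malformed lines
        $2 == 2 && $5 + 1 >= min { n++ }  # screened prime that is large enough
        END { print n + 0 }'
}

# Constructed sample with one 1024-, 2048- and 4096-bit entry; the modulus
# field is a placeholder, not a real prime.
sample_moduli() {
    cat <<'EOF'
# time type tests trials size generator modulus
20151017000000 2 6 100 1023 2 c0ffee
20151017000000 2 6 100 2047 2 deadbeef
20151017000000 2 6 100 4095 5 f00dbabe
EOF
}

# Run as "sh moduli-check.sh build" to generate a real file (needs
# ssh-keygen); with no argument it only audits the constructed sample.
if [ "${1:-}" = build ]; then
    build_moduli 2048 ./moduli-2048
    echo "groups of 2048 bits or more: $(count_moduli_at_least 2048 < ./moduli-2048)"
else
    echo "sample groups of 2048 bits or more: $(sample_moduli | count_moduli_at_least 2048)"
fi
```

Point sshd at the result by installing it as /etc/moduli (and keep a copy elsewhere, since the base set overwrites it on upgrade, as noted above). To make the server prefer the group-exchange method over the fixed groups, set 'KexAlgorithms diffie-hellman-group-exchange-sha256' in sshd_config; 'ssh -vv' on the client shows which kex method and group size were actually negotiated.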