On Fri, Feb 16, 2018 at 11:45:56AM -0000, ChristianEhrhardt wrote:
> So maybe (but only maybe) an ssh-extra-security package doing so as
> suggested, or a helper tool bundled with openssh that would do the update,
> might be a nice security addition.  I'm adding the security team to
> weigh in with opinions:
> - should it be unique per system?

It is fine for this file to be shared amongst all OpenSSH users.

A cryptographer friend and I discussed the wisdom of self-generating DH
primes recently. He was strongly of the opinion that well-vetted primes
should be preferred over randomly-selected primes. Some numbers have
vastly weaker performance against the generalized number field sieve
than other numbers.

> - if so, preferred delivery mechanism

Packaging upstream's as a config file makes sense to me. Local sites can
replace it, and if they understand the risks it may make sense.

> - might an individual generated moduli file decrease security compared
> to a "curated and reviewed" shared one? There are mentions of
> "Ssh-keygen’s primality tests are statistical tests and can lead to
> false positives." that make me think so.

The statistical primality tests worry me less than performance of the
purported prime numbers against the GNFS in the precomputation steps that
lead to an attack. I believe this is the weakest link in the chain and
reason enough to stick with numbers shared with upstream.

Thanks

https://bugs.launchpad.net/bugs/1748709

Title:
  Upgrade from xenial to bionic wants to replace moduli

Status in openssh package in Ubuntu:
  New

Bug description:
  I see this on upgrade on one machine, which is unexpected. If this
  file is generated by each machine, why would we ship a default?

  Configuration file '/etc/ssh/moduli'
   ==> Modified (by you or by a script) since installation.
   ==> Package distributor has shipped an updated version.
     What would you like to do about it ?  Your options are:
      Y or I  : install the package maintainer's version
      N or O  : keep your currently-installed version
        D     : show the differences between the versions
        Z     : start a shell to examine the situation
   The default action is to keep your current version.
  *** moduli (Y/I/N/O/D/Z) [default=N] ?
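The reply above argues for keeping upstream's vetted /etc/ssh/moduli rather than generating a local one, while leaving room for a site that "understands the risks" to edit it. The one edit that is commonly applied is pruning, not regeneration: dropping the smaller groups so that diffie-hellman-group-exchange-* never negotiates below a chosen size. The script below is an added example, not code from the Launchpad thread or from the openssh package; the sample moduli lines are constructed placeholders (fake short hex, real entries are one multi-hundred-digit prime each), and the function names filter_moduli and count_moduli are this example's own. Note that the "size" column in moduli(5) is the bit length minus one, so 3071 is the threshold for 3072-bit groups.

```shell
#!/bin/sh
# Added example (not from the Launchpad thread or the openssh package):
# audit an OpenSSH moduli(5) file and keep only the groups a site wants
# to offer for diffie-hellman-group-exchange-* key exchange.
#
# moduli(5) columns: time type tests trials size generator modulus
#   type  2 = safe prime ((p-1)/2 also prime), the type the shipped file uses
#   tests bitmask: 0x02 sieve passed, 0x04 Miller-Rabin passed
#   size  bit length of the prime minus one (a 3072-bit group shows 3071)

# Constructed sample: the hex "moduli" are fake placeholders so the script
# runs offline. Entry 4 never passed Miller-Rabin; entry 5 is not a safe prime.
sample_moduli() {
    cat <<'EOF'
# Time Type Tests Tries Size Generator Modulus
20180216114556 2 6 100 2047 2 FFFFFFFFFFFFFFFFC90FDAA2
20180216114556 2 6 100 3071 2 FFFFFFFFFFFFFFFFC90FDAA3
20180216114556 2 6 100 4095 5 FFFFFFFFFFFFFFFFC90FDAA5
20180216114556 2 2 100 4095 2 FFFFFFFFFFFFFFFFC90FDAA7
20180216114556 0 6 100 4095 2 FFFFFFFFFFFFFFFFC90FDAA9
EOF
}

# filter_moduli MIN_SIZE FILE: print entries that are safe primes, passed
# Miller-Rabin, and have size >= MIN_SIZE. Uses int()/% instead of gawk's
# and() so it also runs under mawk, Ubuntu's default awk.
filter_moduli() {
    awk -v min="$1" '
        /^#/ || NF < 7        { next }
        $2 != 2               { next }   # not a safe prime
        int($3 / 4) % 2 != 1  { next }   # Miller-Rabin bit (0x04) not set
        $5 + 0 < min + 0      { next }   # group too small
        { print }
    ' "$2"
}

# count_moduli MIN_SIZE FILE: number of entries that survive the filter.
count_moduli() {
    filter_moduli "$1" "$2" | awk 'END { print NR }'
}

# Typical use on a real system (3071 keeps only >= 3072-bit groups),
# followed by a restart of sshd:
#   filter_moduli 3071 /etc/ssh/moduli > /etc/ssh/moduli.new \
#     && mv /etc/ssh/moduli.new /etc/ssh/moduli
#
# Regenerating locally is what the thread advises against. For reference,
# the upstream tooling for it is
#   ssh-keygen -G candidates -b 3072 && ssh-keygen -T moduli -f candidates
# on OpenSSH 7.x (bionic), or ssh-keygen -M generate / -M screen on 8.0+.
```

Run it against a copy of the shipped file first and compare counts before and after pruning: the dpkg conffile prompt in the bug report fires precisely because such a pruned file differs from the packaged one, so a site that prunes should expect to answer "keep current version" on every upgrade, or re-apply the filter to the maintainer's new version.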

