| Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 1 | MODULI(5) File Formats Manual MODULI(5) |
| Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 2 | |
| 3 | NAME |
| Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 4 | moduli M-bM-^@M-^S Diffie-Hellman moduli |
| Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 5 | |
| 6 | DESCRIPTION |
| 7 | The /etc/moduli file contains prime numbers and generators for use by |
| 8 | sshd(8) in the Diffie-Hellman Group Exchange key exchange method. |
| 9 | |
| 10 | New moduli may be generated with ssh-keygen(1) using a two-step process. |
| 11 | An initial candidate generation pass, using ssh-keygen -G, calculates |
| 12 | numbers that are likely to be useful. A second primality testing pass, |
| 13 | using ssh-keygen -T, provides a high degree of assurance that the numbers |
| 14 | are prime and are safe for use in Diffie-Hellman operations by sshd(8). |
| 15 | This moduli format is used as the output from each pass. |
| 16 | |
| 17 | The file consists of newline-separated records, one per modulus, |
| 18 | containing seven space-separated fields. These fields are as follows: |
| 19 | |
| 20 | timestamp The time that the modulus was last processed as |
| 21 | YYYYMMDDHHMMSS. |
| 22 | |
| 23 | type Decimal number specifying the internal structure of |
| 24 | the prime modulus. Supported types are: |
| 25 | |
| 26 | 0 Unknown, not tested. |
| 27 | 2 "Safe" prime; (p-1)/2 is also prime. |
| Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 28 | 4 Sophie Germain; 2p+1 is also prime. |
| Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 29 | |
| 30 | Moduli candidates initially produced by ssh-keygen(1) |
| 31 | are Sophie Germain primes (type 4). Further primality |
| 32 | testing with ssh-keygen(1) produces safe prime moduli |
| 33 | (type 2) that are ready for use in sshd(8). Other |
| 34 | types are not used by OpenSSH. |
| 35 | |
| 36 | tests Decimal number indicating the type of primality tests |
| 37 | that the number has been subjected to represented as a |
| 38 | bitmask of the following values: |
| 39 | |
| 40 | 0x00 Not tested. |
| Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 41 | 0x01 Composite number M-bM-^@M-^S not prime. |
| Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 42 | 0x02 Sieve of Eratosthenes. |
| 43 | 0x04 Probabilistic Miller-Rabin primality tests. |
| 44 | |
| 45 | The ssh-keygen(1) moduli candidate generation uses the |
| 46 | Sieve of Eratosthenes (flag 0x02). Subsequent |
| 47 | ssh-keygen(1) primality tests are Miller-Rabin tests |
| 48 | (flag 0x04). |
| 49 | |
| 50 | trials Decimal number indicating the number of primality |
| 51 | trials that have been performed on the modulus. |
| 52 | |
| 53 | size Decimal number indicating the size of the prime in |
| 54 | bits. |
| 55 | |
| 56 | generator The recommended generator for use with this modulus |
| 57 | (hexadecimal). |
| 58 | |
| 59 | modulus The modulus itself in hexadecimal. |
| 60 | |
| 61 | When performing Diffie-Hellman Group Exchange, sshd(8) first estimates |
| 62 | the size of the modulus required to produce enough Diffie-Hellman output |
| 63 | to sufficiently key the selected symmetric cipher. sshd(8) then randomly |
| 64 | selects a modulus from /etc/moduli that best meets the size requirement. |
| 65 | |
| 66 | SEE ALSO |
| 67 | ssh-keygen(1), sshd(8) |
| 68 | |
| Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 69 | STANDARDS |
| 70 | M. Friedl, N. Provos, and W. Simpson, Diffie-Hellman Group Exchange for |
| 71 | the Secure Shell (SSH) Transport Layer Protocol, RFC 4419, March 2006, |
| 72 | 2006. |
| Greg Hartman | bd77cf7 | 2015-02-25 13:21:06 -0800 | [diff] [blame] | 73 | |
| Adam Langley | d059297 | 2015-03-30 14:49:51 -0700 | [diff] [blame] | 74 | OpenBSD 5.7 September 26, 2012 OpenBSD 5.7 |