Subject: Re: security/21983: [RFE] install /etc/moduli utilities qsieve + qsafe
To: NetBSD security list <firstname.lastname@example.org>
From: William Allen Simpson <email@example.com>
Date: 06/30/2003 04:12:55
Luke Mewburn wrote:
> On Sun, Jun 29, 2003 at 02:38:12PM -0400, William Allen Simpson wrote:
> | Since I haven't heard anything from filing the PR, I'll try an open
> | list. The file /etc/moduli was/is generated by a couple of programs,
> | originally part of Photuris. The file is still used by OpenSSH.
> | Technically, they are homeless. Where should they be housed?
> | They should be used from time to time to update the moduli. They
> | aren't actually "crypto". But the moduli.5 definition is with ssh.
> Is there a current canonical location for the source to these two programs?
As I mentioned in the PR, they've been posted to Perry's Cryptography
list, and were used to generate the existing OpenSSH /etc/moduli file
(used to be in OpenBSD's /etc/photuris/primes some time ago). But the
utilities themselves were just tools, never part of the OpenSSH package.
Although I originally wrote the moduli.5 man page for them, and that
*has* been added to OpenSSH (by Provos).
> Is updating the moduli file something that we should do on a per major
> (or minor) release basis?
Yes. Karn and I had envisioned on the order of monthly -- certainly
for every system release.
Of course, that really depends on the size of the moduli. The big ones
could be yearly. But part of the "security" concept was to have a
truly large and varying number of moduli, rather than the fixed target
that the /etc/moduli file has become (or the single target built in).
> (At first glance these could either go in src/usr.bin or othersrc/)
They're small, although they take a long time to run.... A server
might want to put them in a cron job. Otherwise, it's probably just
William Allen Simpson
Key fingerprint = 17 40 5E 67 15 6F 31 26 DD 0D B9 9B 6A 15 2C 32