Subject: Re: security/21983: [RFE] install /etc/moduli utilities qsieve + qsafe
To: NetBSD security list <>
From: William Allen Simpson <>
List: tech-security
Date: 06/30/2003 04:12:55
Luke Mewburn wrote:
> On Sun, Jun 29, 2003 at 02:38:12PM -0400, William Allen Simpson wrote:
>   | Since I haven't heard anything from filing the PR, I'll try an open
>   | list.  The file /etc/moduli was/is generated by a couple of programs,
>   | originally part of Photuris.  The file is still used by OpenSSH.
>   |
>   | Technically, they are homeless.  Where should they be housed?
>   |
>   | They should be used from time to time to update the moduli.  They
>   | aren't actually "crypto".  But the moduli.5 definition is with ssh.
> Is there a current canonical location for the source to these two programs?
As I mentioned in the PR, they've been posted to Perry's Cryptography 
list, and were used to generate the existing OpenSSH /etc/moduli file
(used to be in OpenBSD's /etc/photuris/primes some time ago).  But the 
utilities themselves were just tools, never part of the OpenSSH package.  
Although I originally wrote the moduli.5 man page for them, and that 
*has* been added to OpenSSH (by Provos).

> Is updating the moduli file something that we should do on a per major
> (or minor) release basis?
Yes.  Karn and I had envisioned on the order of monthly -- certainly 
for every system release.

Of course, that really depends on the size of the moduli.  The big ones
could be yearly.  But part of the "security" concept was to have a 
truly large and varying number of moduli, rather than the fixed target 
that the /etc/moduli file has become (or the single target built in).

> (At first glance these could either go in src/usr.bin or othersrc/)
They're small, although they take a long time to run....  A server 
might want to put them in a cron job.  Otherwise, it's probably just 
system releases.
William Allen Simpson
    Key fingerprint =  17 40 5E 67 15 6F 31 26  DD 0D B9 9B 6A 15 2C 32
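The thread's point is that /etc/moduli is a list of safe primes that should be regenerated and re-screened from time to time rather than left as a fixed target. As an added illustration (this is not code from the thread, from qsieve/qsafe, or from OpenSSH), the Python below re-checks what qsafe establishes for each entry: that the modulus is a safe prime (p = 2q + 1 with q prime) and, as an extra assumption of this example, that the recommended generator is a primitive root of p. The field layout follows moduli(5); the sample lines are constructed with tiny primes so the check runs instantly, whereas real entries carry 1024-bit and larger hexadecimal moduli.

```python
"""Re-check /etc/moduli entries: each modulus must be a safe prime.

Field layout per moduli(5):  time type tests tries size generator modulus
"""
import random

SAFE_PRIME_TYPE = 2        # type field: 2 = safe prime, p = 2q + 1 with q prime
TESTS_SIEVE = 0x02         # tests bitmask: survived the sieve (qsieve)
TESTS_MILLER_RABIN = 0x04  # tests bitmask: passed Miller-Rabin (qsafe)

# Constructed sample lines (not real moduli); small primes keep the demo fast.
SAMPLE_LINES = [
    "20030630041255 2 6 100 6 2 6B",  # 0x6B = 107 = 2*53 + 1, a safe prime; 2 is a primitive root
    "20030630041255 2 6 100 6 2 6F",  # 0x6F = 111 = 3*37, composite
    "20030630041255 2 6 100 6 2 65",  # 0x65 = 101 is prime, but (101-1)/2 = 50 is not
    "20030630041255 2 6 100 4 2 17",  # 0x17 = 23 is a safe prime, but 2 has order 11, not 22
]

PROBLEM_TYPE = "type field is not 2 (safe prime)"
PROBLEM_TESTS = "tests field does not record both sieve and Miller-Rabin screening"
PROBLEM_SIZE = "size field does not match the modulus bit length"
PROBLEM_NOT_SAFE = "modulus is not a safe prime"
PROBLEM_GENERATOR = "generator is not a primitive root of the modulus"


def is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test; never rejects a prime, rejects composites w.h.p."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n == p:
            return True
        if n % p == 0:
            return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when both p and q = (p - 1) / 2 are prime."""
    return p > 5 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def is_primitive_root(g: int, p: int) -> bool:
    """For a safe prime p, g generates the whole group iff g^2 != 1 and g^q != 1."""
    q = (p - 1) // 2
    return g % p != 0 and pow(g, 2, p) != 1 and pow(g, q, p) != 1


def parse_moduli_line(line: str) -> dict:
    """Split one moduli(5) line into typed fields (generator and modulus are hex)."""
    fields = line.split()
    if len(fields) != 7:
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    time, type_, tests, tries, size, generator, modulus = fields
    return {
        "time": time,
        "type": int(type_),
        "tests": int(tests),
        "tries": int(tries),
        "size": int(size),
        "generator": int(generator, 16),
        "modulus": int(modulus, 16),
    }


def check_entry(entry: dict) -> list:
    """Return the list of problems found with one parsed entry (empty if sound)."""
    problems = []
    if entry["type"] != SAFE_PRIME_TYPE:
        problems.append(PROBLEM_TYPE)
    if entry["tests"] & (TESTS_SIEVE | TESTS_MILLER_RABIN) != (TESTS_SIEVE | TESTS_MILLER_RABIN):
        problems.append(PROBLEM_TESTS)
    p = entry["modulus"]
    # The size field holds the bit length minus one (a 1024-bit modulus is listed as 1023).
    if p.bit_length() - 1 != entry["size"]:
        problems.append(PROBLEM_SIZE)
    if not is_safe_prime(p):
        problems.append(PROBLEM_NOT_SAFE)
    elif not is_primitive_root(entry["generator"], p):
        problems.append(PROBLEM_GENERATOR)
    return problems


def check_moduli(lines) -> dict:
    """Map 1-based line number -> problems for every entry that fails a check."""
    bad = {}
    for lineno, line in enumerate(lines, start=1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue  # moduli files may carry blank and '#' comment lines
        problems = check_entry(parse_moduli_line(line))
        if problems:
            bad[lineno] = problems
    return bad


if __name__ == "__main__":
    for lineno, problems in check_moduli(SAMPLE_LINES).items():
        print(f"line {lineno}: {', '.join(problems)}")
```

Run against a real file with `check_moduli(open("/etc/moduli").read().splitlines())`; on a server that regenerates moduli from cron, as the message suggests, a check like this is a cheap sanity gate before the new file replaces the old one.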