-rw-r--r--  lib/public_key/doc/src/public_key.xml  22
-rwxr-xr-x  lib/public_key/priv/generate            2
-rw-r--r--  lib/public_key/src/Makefile             2
-rw-r--r--  lib/ssh/doc/src/ssh.xml                38
4 files changed, 39 insertions, 25 deletions
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml index 7f68138497..258e7cd1b9 100644 --- a/lib/public_key/doc/src/public_key.xml +++ b/lib/public_key/doc/src/public_key.xml @@ -316,17 +316,17 @@ <p>Selects a group for Diffie-Hellman key exchange with the key size in the range <c>MinSize...MaxSize</c> and as close to <c>SuggestedSize</c> as possible. If <c>Groups == undefined</c> a default set will be used, otherwise the group is selected from <c>Groups</c>.</p> - <p>First is a size as close as possible to <c>SuggestedSize</c> selected. Then is one group with that key size - randomly selected from the list. If no size within the limits of <c>MinSize</c> and <c>MaxSize</c> is - available, <c>{error,no_group_found}</c> is returned.</p> - <p>The default list is in <c>lib/public_key/priv/ssh_moduli</c>. The format is as produced by the openssh tool - <c>ssh-keygen -G</c> followed by <c>ssh-keygen -T</c>. When that list is changed, <c>make</c> should be run in - <c>lib/public_key</c> to make it available for <c>dh_gex_group/4</c>.</p> - <note> - <p>If you change the default ssh_moduli file, be sure to run <c>ssh-keygen -T</c> as described - in the ssh-keygen manual. Failure to do so correctly will compromise the security of applications - relying on this function.</p> - </note> + <p>First a size, as close as possible to SuggestedSize, is selected. Then one group with that key size + is randomly selected from the specified set of groups. If no size within the limits of <c>MinSize</c> + and <c>MaxSize</c> is available, <c>{error,no_group_found}</c> is returned.</p> + <p>The default set of groups is listed in <c>lib/public_key/priv/moduli</c>. This file may be regenerated like this:</p> + <pre> + $> cd $ERL_TOP/lib/public_key/priv/ + $> generate + ---- wait until all background jobs has finished. It may take several days ! + $> cat moduli-* > moduli + $> cd ..; make + </pre> </desc> </func> 
diff --git a/lib/public_key/priv/generate b/lib/public_key/priv/generate index da47e99b91..fd185bfd52 100755 --- a/lib/public_key/priv/generate +++ b/lib/public_key/priv/generate @@ -21,5 +21,5 @@ do done # When all files moduli-* are generated, do: -# cat moduli-* > ssh_moduli +# cat moduli-* > moduli diff --git a/lib/public_key/src/Makefile b/lib/public_key/src/Makefile index ca91fd5a4a..786f244f85 100644 --- a/lib/public_key/src/Makefile +++ b/lib/public_key/src/Makefile @@ -88,7 +88,7 @@ debug opt: $(TARGET_FILES) $(APP_TARGET) $(APPUP_TARGET) $(HRL_FILES) $(EBIN)/pubkey_ssh.$(EMULATOR): pubkey_moduli.hrl -pubkey_moduli.hrl: ../priv/ssh_moduli +pubkey_moduli.hrl: ../priv/moduli escript ../priv/convert.escript $< $@ clean: diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml index 06bc39f8fe..43db63e7e6 100644 --- a/lib/ssh/doc/src/ssh.xml +++ b/lib/ssh/doc/src/ssh.xml 
@@ -464,27 +464,41 @@ kex is implicit but public_key is set explicitly.</p> <tag><c><![CDATA[{dh_gex_groups, [{Size=integer(),G=integer(),P=integer()}] | {file,filename()} {ssh_moduli_file,filename()} }]]></c></tag> <item> - <p>Sets the groups that the server may choose among when diffie-hellman-group-exchange is negotiated. - See RFC 4419 for details. + <p>Defines the groups the server may choose among when diffie-hellman-group-exchange is negotiated. + See RFC 4419 for details. The three variants of this option are: </p> - <p>The default list is fetched from the public_key application. - </p> - <p>If the parameter is <c>{file,filename()}</c>, the file must exist and have one or more three-tuples terminated by a dot. The interpretation is as if the tuples had been given directly in the option. The file is read when the daemon starts. - </p> - <p>If the parameter is <c>{ssh_moduli_file,filename()}</c>, the file must exist and be in ssh-keygen moduli file format. The file is read when the daemon starts. + <taglist> + <tag><c>{Size=integer(),G=integer(),P=integer()}</c></tag> + <item>The groups are given explicitly in this list. There may be several elements with the same <c>Size</c>. + In such a case, the server will choose one randomly in the negotiated Size. + </item> + <tag><c>{file,filename()}</c></tag> + <item>The file must have one or more three-tuples <c>{Size=integer(),G=integer(),P=integer()}</c> + terminated by a dot. The file is read when the daemon starts. + </item> + <tag><c>{ssh_moduli_file,filename()}</c></tag> + <item>The file must be in + <seealso marker="public_key:public_key#public_key/4">ssh-keygen moduli file format</seealso>. + The file is read when the daemon starts. + </item> + </taglist> + <p>The default list is fetched from the + <seealso marker="public_key:public_key#public_key/4">public_key</seealso> application. 
</p> </item> <tag><c><![CDATA[{dh_gex_limits,{Min=integer(),Max=integer()}}]]></c></tag> <item> - <p>Limits the key Sizes what a client can ask for in diffie-hellman-group-exchange. - The effective value will be - <c>MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min)</c>. - The default value is <c>{0,infinity}</c>. + <p>Limits what a client can ask for in diffie-hellman-group-exchange. + The limits will be + <c>{MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min)}</c> where <c>MaxClient</c> and + <c>MinClient</c> are the values proposed by a connecting client. + </p> + <p>The default value is <c>{0,infinity}</c>. </p> <p>If <c>MaxUsed < MinUsed</c> in a key exchange, it will fail with a disconnect. </p> - <p>See RFC 4419 for the function of the Max an Min values.</p> + <p>See RFC 4419 for the function of the Max and Min values.</p> </item> <tag><c><![CDATA[{pwdfun, fun(User::string(), password::string()) -> boolean()}]]></c></tag> |
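Review bot: in the public_key.xml hunk, the removed `<note>` was the only place telling operators that a hand-edited moduli file must go through `ssh-keygen -T` (the safe-prime test) before use, and the new `<pre>` recipe never says what `generate` does, so that security caveat is now gone; restate it beside the recipe, e.g. `<note><p>Only moduli that have passed <c>ssh-keygen -T</c> may be used; an untested group compromises the security of applications relying on this function.</p></note>`. Two smaller points in the same hunk: `SuggestedSize` lost its `<c>` markup while `MinSize`/`MaxSize` keep it, and `wait until all background jobs has finished` should read `have finished`.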
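Review bot: the Makefile hunk changes the prerequisite to `../priv/moduli`, but none of the four files in this change renames `priv/ssh_moduli` to `priv/moduli` (the diffstat lists only the two doc files, `priv/generate` and this Makefile), so `make` in lib/public_key will stop on a missing prerequisite for `pubkey_moduli.hrl` unless the data file is moved in the same commit; include the rename or state the dependency in the commit message.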
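Review bot: in the first ssh.xml hunk both new `<seealso marker="public_key:public_key#public_key/4">` links point at an anchor named `public_key/4`, whereas the function documented in the public_key.xml hunk is `dh_gex_group/4`; the marker should be `public_key:public_key#dh_gex_group/4`, otherwise the links resolve to nothing. While this option is being re-documented, the unchanged `<tag>` type spec reads `{file,filename()} {ssh_moduli_file,filename()}` with no `|` between the two alternatives, and the first inner `<tag>` shows a single tuple although the option takes a list of them (`[{Size=integer(),G=integer(),P=integer()}]`).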
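Review bot: in the dh_gex_limits hunk the new formula `{MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min)}` puts Max before Min, while the option itself is `{Min=integer(),Max=integer()}`; write it as `{MinUsed = max(MinClient,Min), MaxUsed = min(MaxClient,Max)}` so the tuple positions line up with the option and with the `{0,infinity}` default two lines below. The `Max an Min` typo fix is fine.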