From df622b62f72b6509505b32380fbb88203616868d Mon Sep 17 00:00:00 2001
From: Hans Nilsson
Date: Thu, 5 Nov 2015 17:39:46 +0100
Subject: ssh, public_key: updates after doc review
---
lib/public_key/doc/src/public_key.xml | 22 ++++++++++----------
lib/public_key/priv/generate | 2 +-
lib/public_key/src/Makefile | 2 +-
lib/ssh/doc/src/ssh.xml | 38 ++++++++++++++++++++++++-----------
4 files changed, 39 insertions(+), 25 deletions(-)
(limited to 'lib')
diff --git a/lib/public_key/doc/src/public_key.xml b/lib/public_key/doc/src/public_key.xml
index 7f68138497..258e7cd1b9 100644
--- a/lib/public_key/doc/src/public_key.xml
+++ b/lib/public_key/doc/src/public_key.xml
@@ -316,17 +316,17 @@
Selects a group for Diffie-Hellman key exchange with the key size in the range MinSize...MaxSize
and as close to SuggestedSize as possible. If Groups == undefined a default set will be
used, otherwise the group is selected from Groups.
- First is a size as close as possible to SuggestedSize selected. Then is one group with that key size
- randomly selected from the list. If no size within the limits of MinSize and MaxSize is
- available, {error,no_group_found} is returned.
- The default list is in lib/public_key/priv/ssh_moduli. The format is as produced by the openssh tool
- ssh-keygen -G followed by ssh-keygen -T. When that list is changed, make should be run in
- lib/public_key to make it available for dh_gex_group/4.
-
- If you change the default ssh_moduli file, be sure to run ssh-keygen -T as described
- in the ssh-keygen manual. Failure to do so correctly will compromise the security of applications
- relying on this function.
-
+ First a size, as close as possible to SuggestedSize, is selected. Then one group with that key size
+ is randomly selected from the specified set of groups. If no size within the limits of MinSize
+ and MaxSize is available, {error,no_group_found} is returned.
+ The default set of groups is listed in lib/public_key/priv/moduli. This file may be regenerated like this:
+
+ $> cd $ERL_TOP/lib/public_key/priv/
+ $> generate
+ ---- wait until all background jobs has finished. It may take several days !
+ $> cat moduli-* > moduli
+ $> cd ..; make
+
diff --git a/lib/public_key/priv/generate b/lib/public_key/priv/generate
index da47e99b91..fd185bfd52 100755
--- a/lib/public_key/priv/generate
+++ b/lib/public_key/priv/generate
@@ -21,5 +21,5 @@ do
done
# When all files moduli-* are generated, do:
-# cat moduli-* > ssh_moduli
+# cat moduli-* > moduli
diff --git a/lib/public_key/src/Makefile b/lib/public_key/src/Makefile
index ca91fd5a4a..786f244f85 100644
--- a/lib/public_key/src/Makefile
+++ b/lib/public_key/src/Makefile
@@ -88,7 +88,7 @@ debug opt: $(TARGET_FILES) $(APP_TARGET) $(APPUP_TARGET) $(HRL_FILES)
$(EBIN)/pubkey_ssh.$(EMULATOR): pubkey_moduli.hrl
-pubkey_moduli.hrl: ../priv/ssh_moduli
+pubkey_moduli.hrl: ../priv/moduli
escript ../priv/convert.escript $< $@
clean:
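Review bot: The renamed rule `pubkey_moduli.hrl: ../priv/moduli` still lists only the data file as a prerequisite, while its recipe also reads `../priv/convert.escript`; a change to the converter will not regenerate the header, so the DH groups compiled into pubkey_ssh could silently lag behind the script that produces them. Adding the script as a second prerequisite fixes this without touching the recipe, since `$<` remains the moduli file: `pubkey_moduli.hrl: ../priv/moduli ../priv/convert.escript`. Because escript writes `$@` directly, a conversion that fails midway leaves a partial but newer header that later runs treat as up to date; a `.DELETE_ON_ERROR:` special target in this Makefile (if not already present outside the hunk) would remove it. The `clean:` rule on the last line continues outside the hunk.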
diff --git a/lib/ssh/doc/src/ssh.xml b/lib/ssh/doc/src/ssh.xml
index 06bc39f8fe..43db63e7e6 100644
--- a/lib/ssh/doc/src/ssh.xml
+++ b/lib/ssh/doc/src/ssh.xml
@@ -464,27 +464,41 @@ kex is implicit but public_key is set explicitly.
-
-
Sets the groups that the server may choose among when diffie-hellman-group-exchange is negotiated.
- See RFC 4419 for details.
+
Defines the groups the server may choose among when diffie-hellman-group-exchange is negotiated.
+ See RFC 4419 for details. The three variants of this option are:
- The default list is fetched from the public_key application.
-
- If the parameter is {file,filename()}, the file must exist and have one or more three-tuples terminated by a dot. The interpretation is as if the tuples had been given directly in the option. The file is read when the daemon starts.
-
- If the parameter is {ssh_moduli_file,filename()}, the file must exist and be in ssh-keygen moduli file format. The file is read when the daemon starts.
+
+ {Size=integer(),G=integer(),P=integer()}
+ - The groups are given explicitly in this list. There may be several elements with the same Size.
+ In such a case, the server will choose one randomly in the negotiated Size.
+
+ {file,filename()}
+ - The file must have one or more three-tuples {Size=integer(),G=integer(),P=integer()}
+ terminated by a dot. The file is read when the daemon starts.
+
+ {ssh_moduli_file,filename()}
+ - The file must be in
+ ssh-keygen moduli file format.
+ The file is read when the daemon starts.
+
+
+
The default list is fetched from the
+ public_key application.
-
-
Limits the key Sizes what a client can ask for in diffie-hellman-group-exchange.
- The effective value will be
- MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min).
- The default value is {0,infinity}.
+
Limits what a client can ask for in diffie-hellman-group-exchange.
+ The limits will be
+ {MaxUsed = min(MaxClient,Max), MinUsed = max(MinClient,Min)} where MaxClient and
+ MinClient are the values proposed by a connecting client.
+
+ The default value is {0,infinity}.
If MaxUsed < MinUsed in a key exchange, it will fail with a disconnect.
- See RFC 4419 for the function of the Max an Min values.
+ See RFC 4419 for the function of the Max and Min values.
boolean()}]]>
--