Re: OpenSSH: SSH2 sshd - Increase key size from 2048 to 8192 bits (Cygwin)



On 2007-08-15, Simon Tatham <anakin@xxxxxxxxx> wrote:
> I don't know of a way in OpenSSH to configure the group size used in
> Diffie-Hellman exchanges.

You can't directly, but one thing you can do is remove the smaller groups
from the "moduli" file on the server.

When the client asks for a DH group, sshd searches the moduli file for
groups and picks one at random from the set at least as large as what
the client requested. If there are no small (e.g. 1k, 1.5k) keys, then sshd
will always use larger ones.

The moduli file that ships with current OpenSSH versions has groups up
to 6k. I generated a couple of 8k ones (which took about a month :-)
when I last rebuilt the file[1], but it's not in any release.

That said, I agree with what you said about larger keys/groups being
mostly irrelevant.

[1] http://www.zip.com.au/~dtucker/openssh/moduli

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
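The pruning step described in the reply above, as an added example that is not part of the original post or of OpenSSH itself: a POSIX shell filter that drops every group below a chosen bit length from a moduli-format file. It assumes the documented OpenSSH moduli layout (one group per line, "#" comment lines) and that the stored size field is the bit length minus one, as in the moduli files OpenSSH ships; the embedded sample is constructed, with placeholder hex instead of real primes.

```shell
#!/bin/sh
# Added example (not from the original post): keep only the Diffie-Hellman
# groups of at least MINBITS bits in an OpenSSH moduli file, so sshd can
# never pick a smaller one for a client's request.
#
# Assumed format (OpenSSH moduli): "time type tests tries size generator modulus",
# space separated, '#' comment lines. The "size" field stores bits - 1
# (a 2048-bit group appears as 2047), so "2048 bits" means size >= 2047.

# filter_moduli MINBITS < /path/to/moduli > moduli.new
# Passes comments and blank lines through; keeps groups with real length >= MINBITS.
filter_moduli() {
    awk -v min="$1" '
        /^#/ || NF < 7  { print; next }   # comments / blank lines: keep as-is
        ($5 + 1) >= min { print }         # stored size is bits - 1
    '
}

# Constructed sample file: one group per size from 1024 to 8192 bits.
# The modulus column is a placeholder; a real line carries the full prime.
SAMPLE_MODULI='# Time Type Tests Tries Size Generator Modulus
20070815000000 2 6 100 1023 2 DEADBEEF
20070815000000 2 6 100 1535 2 DEADBEEF
20070815000000 2 6 100 2047 2 DEADBEEF
20070815000000 2 6 100 4095 2 DEADBEEF
20070815000000 2 6 100 6143 2 DEADBEEF
20070815000000 2 6 100 8191 2 DEADBEEF'

# surviving_sizes MINBITS: the real bit lengths left in the sample after filtering.
surviving_sizes() {
    printf '%s\n' "$SAMPLE_MODULI" | filter_moduli "$1" \
        | awk '!/^#/ && NF >= 7 { printf "%s ", $5 + 1 }' | sed 's/ $//'
}

if [ "${1:-}" = "--demo" ]; then
    echo "Groups >= 2048 bits: $(surviving_sizes 2048)"
    echo "Groups >= 4096 bits: $(surviving_sizes 4096)"
fi
```

Run it against a copy of the server's moduli file and swap the result in only after checking it still has at least one group for every size range you expect clients to request; if sshd finds nothing suitable for a request it logs a warning and falls back to a built-in group instead of failing the exchange.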