I have noticed that the ssh-keygen for Ubuntu 20.04 is missing the options for generating the Diffie-Hellman parameters. This is normally part of SSH hardening. Does anyone know why it has disappeared?
2 Answers
The reason invoked was to free up several option letters for the ssh-keygen command. This was consolidated into additional -O options and a modified use of the -M option, which breaks compatibility with former versions. This was done on 30 Dec 2019 in this commit:
upstream: remove single-letter flags for moduli options
Move all moduli generation options to live under the -O flag.
Frees up seven single-letter flags.
NB. this change breaks existing ssh-keygen commandline syntax for moduli-related operations. Very few people use these fortunately.
feedback and ok markus@
OpenBSD-Commit-ID: d498f3eaf28128484826a4fcb343612764927935
The newer syntax is described in the newer (focal) ssh-keygen man page under MODULI GENERATION:
Generation of primes is performed using the -M generate option. The desired length of the primes may be specified by the -O bits option. For example:
# ssh-keygen -M generate -O bits=2048 moduli-2048.candidates
[...]
# ssh-keygen -M screen -f moduli-2048.candidates moduli-2048
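Once the generate and screen steps described in the answer above have produced a moduli file, the usual hardening step before installing it as /etc/ssh/moduli is to keep only the large groups. The following is an added example, not part of the original answer or of OpenSSH: a small POSIX shell filter over the moduli file format (fields: time, type, tests, trials, size, generator, modulus in hex; the size field is the bit length minus one, so 3071 means 3072-bit groups). The sample file it builds is constructed, and its hex values are placeholders rather than real safe primes.

```shell
#!/bin/sh
# Added example, not from the original answer or from OpenSSH.
# Moduli file line format (as written by "ssh-keygen -M screen"):
#   time type tests trials size generator modulus(hex)
# Column 5 (size) is the bit length minus one: 2047 -> 2048-bit, 3071 -> 3072-bit.

# filter_moduli FILE MIN_SIZE
#   Prints the lines of FILE whose size field is >= MIN_SIZE, skipping
#   comment lines and anything that does not have exactly 7 fields.
filter_moduli() {
    awk -v min="$2" '
        /^#/ || NF != 7 { next }
        $5 + 0 >= min   { print }
    ' "$1"
}

# count_moduli FILE MIN_SIZE
#   Number of lines that survive the filter; check this is non-zero before
#   replacing /etc/ssh/moduli, or sshd will have no groups left to offer.
count_moduli() {
    filter_moduli "$1" "$2" | wc -l | tr -d ' '
}

# make_sample_moduli FILE
#   Writes a constructed sample file. The hex fields are placeholders,
#   NOT real safe primes, so this file must never be installed.
make_sample_moduli() {
    cat > "$1" <<'EOF'
# constructed sample, NOT real moduli
20200501000000 2 6 100 1023 2 PLACEHOLDERHEX1023
20200501000000 2 6 100 2047 2 PLACEHOLDERHEX2047
20200501000000 2 6 100 3071 2 PLACEHOLDERHEX3071
20200501000000 2 6 100 4095 5 PLACEHOLDERHEX4095
malformed line with too few fields
EOF
}

# Stand-alone demo: sh moduli-filter.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp)
    make_sample_moduli "$tmp"
    echo "groups of at least 3072 bits (size field >= 3071):"
    filter_moduli "$tmp" 3071
    echo "kept: $(count_moduli "$tmp" 3071) of $(count_moduli "$tmp" 0)"
    rm -f "$tmp"
fi
```

On a real file the same call would be `filter_moduli moduli-2048 3071 > moduli.new`, followed by a count check, before the result is moved into place; malformed or commented lines are dropped rather than passed through, so the output is always a clean moduli file.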
This isn't an Ubuntu issue, it is actually a part of OpenSSH. The Diffie-Hellman algorithm is notably weak and so they have made it legacy in more recent versions in favor of stronger algorithms.
If you need to communicate with a system that requires diffie-hellman you can do:
ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 user@legacyhost
Or you can substitute any legacy algorithm in place of diffie-hellman.
Using group1 is the OPPOSITE of generating your own groups, which is the question here. – dave_thompson_085 May 01 '20 at 07:11