Modern OpenSSH clients and servers will really only negotiate 3072-, 7680-, and 8192-bit DH moduli per the dh.c source code:
u_int dh_estimate(int bits) {
if (bits <= 112)
return 2048;
if (bits <= 128)
return 3072;
if (bits <= 192)
return 7680;
return 8192;
}
So the 2048-, 4096-, and 6144-bit DH moduli must be used in older OpenSSH clients.
Thus, if generating your own SSH moduli file, just stick to those 3 sizes.
Aaron Toponce ⚛️:debian:
npub1t9…t8529
2025-02-27 00:33:10 UTC
in reply to nevent1q…92ec
Author Public Key
npub1t9cz9v7zph5jvadd8rjfp25msrx6r0hdxnsyfmx88k8qp3pvv04szt8529Published at
2025-02-27 00:33:10 UTCEvent JSON
{
"id": "b44ed338754ae68e0dc77b03337ccf3dbfc8f0943c434dfd8ab135d39fd3b360",
"pubkey": "597022b3c20de92675ad38e490aa9b80cda1beed34e044ecc73d8e00c42c63eb",
"created_at": 1740616390,
"kind": 1,
"tags": [
[
"p",
"597022b3c20de92675ad38e490aa9b80cda1beed34e044ecc73d8e00c42c63eb"
],
[
"proxy",
"https://fosstodon.org/@atoponce/114073035778113291",
"web"
],
[
"e",
"43b4903228f745dad991a352f3050274eafcf87f17dc0ccbd647f4f64fb7970e",
"",
"root",
"597022b3c20de92675ad38e490aa9b80cda1beed34e044ecc73d8e00c42c63eb"
],
[
"e",
"ff072091680d089a9ce80e43c48a4bd840118bccce9b5222e162345cf612c000",
"",
"reply",
"597022b3c20de92675ad38e490aa9b80cda1beed34e044ecc73d8e00c42c63eb"
],
[
"proxy",
"https://fosstodon.org/users/atoponce/statuses/114073035778113291",
"activitypub"
],
[
"L",
"pink.momostr"
],
[
"l",
"pink.momostr.activitypub:https://fosstodon.org/users/atoponce/statuses/114073035778113291",
"pink.momostr"
],
[
"-"
]
],
"content": "Modern OpenSSH clients and servers will really only negotiate 3072-, 7680-, and 8192-bit DH moduli per the dh.c source code:\n\nu_int dh_estimate(int bits) {\n if (bits \u003c= 112)\n return 2048;\n if (bits \u003c= 128)\n return 3072;\n if (bits \u003c= 192)\n return 7680;\n return 8192;\n}\n\nSo the 2048-, 4096-, and 6144-bit DH moduli must be used in older OpenSSH clients.\n\nThus, if generating your own SSH moduli file, just stick to those 3 sizes.",
"sig": "f100418e1f9ae2e163717b10e0872651b5d310f497383d3f5589b63478e4076d81e77967b7285374a885a2ef628dbf18f2d51a4c6b962637f294b9ff0ee66d88"
}