need to finish dh stuff still.
This commit is contained in:
parent
4eb554aa38
commit
d7ffbea913
27
README.md
27
README.md
@ -33,17 +33,19 @@ the default configuration and keys used may not be the strongest they can be (an
|
||||
This software will harden your OpenSSH security as much as possible to currently known weaknesses.
|
||||
|
||||
## How?
|
||||
This program will generate/replace:
|
||||
This program will generate/modify and replace:
|
||||
|
||||
* your hostkeys (typically `/etc/ssh/ssh_host_*_key*`)
|
||||
* the client keys (`~/.ssh/id_*`) for the running user
|
||||
* your `sshd` (server) configuration (typically `/etc/ssh/sshd_config`)
|
||||
* your system-wide `ssh` (client) configuration (typically `/etc/ssh/ssh_config`)
|
||||
* the `ssh` (client) configuration for the running user (`~/.ssh/config`)
|
||||
* the SSH DH parameters (typically `/etc/ssh/moduli`)
|
||||
* Your hostkeys (typically `/etc/ssh/ssh_host_*_key*`)
|
||||
* The client keys (`~/.ssh/id_*`) for the running user
|
||||
* Your `sshd` (server) configuration (typically `/etc/ssh/sshd_config`)
|
||||
* Your system-wide `ssh` (client) configuration (typically `/etc/ssh/ssh_config`)
|
||||
* The `ssh` (client) configuration for the running user (`~/.ssh/config`)
|
||||
* The SSH DH parameters (typically `/etc/ssh/moduli`)
|
||||
|
||||
with much stronger implementations from typical/upstream defaults.
|
||||
|
||||
Any and all pre-existing files are backed up before being replaced.
|
||||
|
||||
It takes the recommendations from _[Secure Secure Shell](https://stribika.github.io/2015/01/04/secure-secure-shell.html)_ (and perhaps other sources) and automatically applies
|
||||
them.
|
||||
|
||||
@ -67,11 +69,18 @@ running already).
|
||||
## FAQ
|
||||
|
||||
### Why a binary?
|
||||
I originally wrote this as a python script. However, some machines don't have the python
|
||||
I originally wrote this as a Python script. However, some machines don't have the Python
|
||||
interpreter installed and due to the lack of low-level access, I ended up making a lot
|
||||
of calls to the shell anyways.
|
||||
|
||||
I wrote it in Golang so the source would be easily read for auditing purposes.
|
||||
I wrote it in Golang because:
|
||||
|
||||
* The source would be easily read for auditing purposes
|
||||
* Golang is, admittedly, incredibly faster at some tasks than Python
|
||||
* Multiprocessing/multithreading is *incredibly* more simple in Golang than Python
|
||||
* Building widely-deployable binaries is easier in Golang than C or C++
|
||||
|
||||
As much as I like Python, Golang should offer significant improvements.
|
||||
|
||||
### How can I contact you?
|
||||
You can either [file a bug](https://bugs.square-r00t.net/index.php?do=newtask&project=15)
|
||||
|
11
dh/README
11
dh/README
@ -1,6 +1,11 @@
|
||||
The functions found in this sub-component are ported almost directly from the
|
||||
openssh-portable[0]'s `moduli.c`[1] code (with, of course, changes made where
|
||||
appropriate to match and take advantage of Golang).
|
||||
THIS SUBMODULE IS INCOMPLETE. DO NOT USE IT.
|
||||
It technically is not necessary as upstream offers generated parameters.
|
||||
Theoretically as long as we filter anything 2048 bits and lower, it should be fine.
|
||||
|
||||
The functions, etc. (even a significant amount of the comments) found in this
|
||||
sub-component are ported almost directly from the openssh-portable[0]'s
|
||||
`moduli.c`[1] code (with, of course, changes made where appropriate to match
|
||||
and take advantage of Golang and its patterns).
|
||||
|
||||
The OpenBSD and OpenSSH(-portable) teams have my gratitude.
|
||||
|
||||
|
39
dh/const.go
39
dh/const.go
@ -1,5 +1,9 @@
|
||||
package dh
|
||||
|
||||
import (
|
||||
"math/big"
|
||||
)
|
||||
|
||||
const (
|
||||
// QSizeMinimum Specifies the number of the most significant bit (0 to M).
|
||||
// WARNING: internally, usually 1 to N.
|
||||
@ -7,9 +11,9 @@ const (
|
||||
|
||||
// Prime sieving constants
|
||||
// Assuming 8 bit bytes and 32 bit words.
|
||||
ShiftBit = 3
|
||||
ShiftByte = 2
|
||||
ShiftWord = ShiftBit + ShiftByte
|
||||
ShiftBit = 3
|
||||
ShiftByte = 2
|
||||
ShiftWord = ShiftBit + ShiftByte
|
||||
ShiftMegabyte = 20
|
||||
ShiftMegaWord = ShiftMegabyte - ShiftBit
|
||||
|
||||
@ -25,8 +29,33 @@ const (
|
||||
// Ensure enough bit space for testing 2*q.
|
||||
TestMaximum = uint32(1) << 16
|
||||
TestMinimum = QSizeMinimum + 1 // (uint32(1) << (ShiftWord - TestPower))
|
||||
TestPower = 3 // 2**n, n < ShiftWord
|
||||
TestPower = 3 // 2**n, n < ShiftWord
|
||||
// Minimum number of primality tests to perform
|
||||
TrialMinimum = 4
|
||||
)
|
||||
|
||||
var (
|
||||
type (
|
||||
|
||||
/*
|
||||
Sieving data (XXX - move to struct)
|
||||
*/
|
||||
|
||||
// sieve 2**16
|
||||
TinySieve *uint32
|
||||
tinybits uint32
|
||||
|
||||
// sieve 2**30 in 2**16 parts
|
||||
SmallSieve *uint32
|
||||
smallbits uint32
|
||||
smallbase uint32
|
||||
|
||||
// sieve relative to the initial value
|
||||
LargeSieve *uint32
|
||||
largewords uint32
|
||||
largetries uint32
|
||||
largenumbers uint32
|
||||
largebits uint32 // Megabytes..
|
||||
largememory uint32 // ""
|
||||
|
||||
largebase big.Int
|
||||
)
|
||||
|
@ -34,3 +34,5 @@ package dh
|
||||
|
||||
And that's why I'm a sad panda and porting moduli.c to native Golang.
|
||||
*/
|
||||
|
||||
func SieveLarge()
|
||||
|
@ -50,3 +50,5 @@ func BitTest(a []uint32, n uint32) (i uint32) {
|
||||
|
||||
return
|
||||
}
|
||||
|
||||
// The qfileout function is replaced by a moduli.Entry method Write.
|
||||
|
Loading…
Reference in New Issue
Block a user