SSH: The Secure Shell (The Definitive Guide)
Barrett, Silverman, & Byrnes / O’Reilly

SSH Frequently Asked Questions

My OpenSSH server keeps logging this message:

WARNING: /etc/primes does not exist, using old prime

This sounds bad; what does it mean?


The short answer is that this message is undocumented and confusing, and there's nothing to worry about.

The long answer:

OpenSSH 2.3.0 and later implement two key-exchange methods: the existing diffie-hellman-group1-sha1 documented in the SSH transport draft, and a proposed, more general method called diffie-hellman-group-exchange-sha1.

The Diffie-Hellman key exchange requires the participants to agree on some initial parameters: a large prime p, and another number g which generates a large multiplicative subgroup of GF(p). These parameters need not be secret, and the diffie-hellman-group1-sha1 method uses a particular, fixed choice of (p,g).

The new method allows the speakers to negotiate a new (p,g) for each key exchange. This deals with concerns that using the same (p,g) over time is dangerous, since it invites precomputation and other specialized attacks on those particular parameters.

The file ETCDIR/primes is where sshd keeps its stash of possible Diffie-Hellman parameters (the draft suggests the server might compute random new values in the background; the current OpenSSH implementation just uses a fixed store of them). When you use the OpenSSH client and server together, they use the new method — but if the primes file doesn't exist, the server has no other DH parameters to offer, and it uses the known diffie-hellman-group1-sha1 parameters. The warning message about "using old prime" is a bit misleading, since it sounds as if something is being reused which ought not to be. Really, it means "using the parameters from the old key-exchange method."
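The fallback described above, as an added example (not OpenSSH's code, and not from the book). It goes slightly beyond the text by rebuilding the fixed group1 prime from the published Oakley Group 2 formula in RFC 2409 instead of pasting its hex. The function names are hypothetical, and SAMPLE_STORE is a constructed stand-in for one primes-file entry that uses RFC 3526 group 14.

```python
import secrets

def pi_floor(bits, guard=64):
    """floor(pi * 2**bits), using Machin's formula in integer arithmetic."""
    one = 1 << (bits + guard)
    def arctan_inv(x):                      # arctan(1/x), scaled by `one`
        total = term = one // x
        n, sign = 3, -1
        while term:
            term //= x * x
            total += sign * (term // n)
            n, sign = n + 2, -sign
        return total
    return (16 * arctan_inv(5) - 4 * arctan_inv(239)) >> guard

def oakley_prime(bits, offset):
    """2^bits - 2^(bits-64) - 1 + 2^64 * (floor(2^(bits-130) * pi) + offset)"""
    return (1 << bits) - (1 << (bits - 64)) - 1 + ((pi_floor(bits - 130) + offset) << 64)

# Fixed diffie-hellman-group1-sha1 parameters: Oakley Group 2 (RFC 2409), g = 2.
GROUP1 = (oakley_prime(1024, 129093), 2)
# Constructed stand-in for a primes-file entry: RFC 3526 group 14, g = 2.
SAMPLE_STORE = [(oakley_prime(2048, 124476), 2)]

def choose_group(store):
    """Server side: offer a stored (p, g); with no store, fall back to group1."""
    if not store:
        return GROUP1, "WARNING: /etc/primes does not exist, using old prime"
    return secrets.choice(store), None

def shared_secrets(p, g):
    """Both ends of one exchange. (p, g) are public; only e and f are sent."""
    x, y = (secrets.randbelow(p - 3) + 2 for _ in range(2))   # private exponents
    e, f = pow(g, x, p), pow(g, y, p)                         # public values
    return pow(f, x, p), pow(e, y, p)                         # client K, server K

if __name__ == "__main__":
    for label, store in (("no primes file", []), ("primes file present", SAMPLE_STORE)):
        (p, g), warning = choose_group(store)
        k_client, k_server = shared_secrets(p, g)
        print(f"{label}: {p.bit_length()}-bit p, g={g}, keys match: {k_client == k_server}")
        if warning:
            print("  sshd log:", warning)
```

With an empty store the exchange still completes and both sides agree on a key. What changes is that every connection reuses the same well-known 1024-bit group, which is the precomputation concern that the group-exchange method was designed to address.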

You won't see this message for every client that connects to the OpenSSH server, only for those that use the new key-exchange method. The only ones we know of at the moment that do this are OpenSSH and MindTerm.

This is not an issue on OpenBSD, since the base OpenBSD 2.8 release includes an /etc/primes file. The pre-2.5.1 "portable" OpenSSH releases for other platforms did not include the primes file, so this warning message would occur regularly when using OpenSSH on anything besides OpenBSD. OpenSSH-2.5.1p1 does include a primes file, so this is no longer an issue. Here is a copy of that primes file.