SSH Agent keys >4096 bit?

Peter Lebbing peter at
Sat May 5 20:03:04 CEST 2012

On 05/05/12 15:49, Hubert Kario wrote:
> As far as I know, OpenSSH uses DH parameters of the same size as the RSA keys: 
> for 8k DH you need 8k RSA or (which is unmaintainable) manually force use of 
> 8k DH.

Okay, going out on a limb here, since all that I say is conjecture.
Actually consulting the SSH RFCs seems like too much work, or seems too
much like work :).

I think it's rather the case that the size of the DH parameters is
proportional to the keysize of the symmetric algorithm used to secure
the SSH session, because the DH params are used to compute the session
key. So you are right that the DH params are proportional in size to a
key used, but you've confused the keys, asymmetric vs symmetric. That
way it makes sense to me.

If I look at the debug messages emitted by the OpenSSH client, I'm under
the impression that key exchange is already completed before
authentication with RSA starts.


I use the GNU Privacy Guard (GnuPG) in combination with Enigmail.
You can send me encrypted mail if you want some privacy.
My key is available at
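
An added example, not part of the original message: one way to check both points against `ssh -v` output is to pull out the negotiated ciphers, the DH group-exchange size request, and the position of key-exchange completion relative to the first authentication attempt. The log lines below are constructed, modelled on OpenSSH client debug output; the function name `summarize`, the key path and the sizes are assumptions for illustration.

```python
import re

# Constructed sample, modelled on the debug1 lines an OpenSSH client prints
# with -v; the key path and sizes are illustrative only.
SAMPLE_LOG = """\
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: server->client aes128-ctr hmac-md5 none
debug1: kex: client->server aes128-ctr hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST(1024<1024<8192) sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_GROUP
debug1: SSH2_MSG_KEX_DH_GEX_INIT sent
debug1: expecting SSH2_MSG_KEX_DH_GEX_REPLY
debug1: SSH2_MSG_NEWKEYS sent
debug1: expecting SSH2_MSG_NEWKEYS
debug1: SSH2_MSG_NEWKEYS received
debug1: SSH2_MSG_SERVICE_REQUEST sent
debug1: SSH2_MSG_SERVICE_ACCEPT received
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Offering RSA public key: /home/user/.ssh/id_rsa
"""

GEX = re.compile(r"SSH2_MSG_KEX_DH_GEX_REQUEST\((\d+)<(\d+)<(\d+)\) sent")
CIPHER = re.compile(r"kex: (server->client|client->server) (\S+)")

def summarize(log):
    """Return negotiated ciphers, the (min, preferred, max) DH size request,
    and whether key exchange finished before authentication started."""
    out = {"ciphers": {}, "dh_request": None,
           "newkeys_line": None, "first_auth_line": None}
    for n, line in enumerate(log.splitlines(), 1):
        if (m := CIPHER.search(line)):
            out["ciphers"][m.group(1)] = m.group(2)
        elif (m := GEX.search(line)):
            out["dh_request"] = tuple(int(g) for g in m.groups())
        elif "SSH2_MSG_NEWKEYS received" in line:
            out["newkeys_line"] = n
        elif out["first_auth_line"] is None and "Next authentication method" in line:
            out["first_auth_line"] = n
    # Missing markers (e.g. a truncated log) count as "not confirmed".
    out["kex_before_auth"] = (out["newkeys_line"] is not None
                              and out["first_auth_line"] is not None
                              and out["newkeys_line"] < out["first_auth_line"])
    return out

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

A session that negotiates a fixed DH group instead of group exchange has no `GEX_REQUEST` line, so `dh_request` stays `None`.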
