Fixing ssh-keygen Unknown Option -G or -T on Ubuntu 20.04

This blog post talks about how you can resolve the problem “ssh-keygen Unknown Option -G” on Ubuntu 20.04.

What is ssh-keygen -G and -T used for?

The command ssh-keygen -G was originally used to generate a list of prime numbers that could be used for key exchange.

Typically the list of primes to use is pre-generated, as generating it can take some time. By regenerating them you can increase the security of key exchange protocols marginally.

Once the list of primes is generated, you then need to screen them to check they are not inherently weak. To do this you would normally call ssh-keygen -T on the list of generated primes to verify they are valid.

Once done you will have a file which can be used to replace your /etc/ssh/moduli file.

The new way of generating Moduli instead of -G and -T

The latest version of OpenSSH, which Ubuntu 20.04 comes bundled with, has changed the commands. Previously you would run the following commands.

ssh-keygen -G moduli-2048.candidates -b 2048
ssh-keygen -T moduli-2048 -f moduli-2048.candidates

To achieve the same outcome with the new OpenSSH version you should use the following commands.

ssh-keygen -M generate -O bits=2048 moduli-2048.candidates
ssh-keygen -M screen -f moduli-2048.candidates moduli-2048

This will generate the same file as before which then can be used to replace your current /etc/ssh/moduli file.

This can be done with the following commands.

cp moduli-2048 /etc/ssh/moduli
rm moduli-2048

Once done, SSH on your computer will be slightly more secure as you are using a new random set of prime numbers.
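Before copying the screened file over /etc/ssh/moduli, it is worth confirming that every line really is a screened entry of the size you asked for. The shell function below is an added example, not part of the original post; it checks the seven-field layout documented in moduli(5), and the name check_moduli and its minimum-size argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: sanity-check a screened moduli file before installing it.
# Field layout per moduli(5): time type tests trials size generator modulus
# It does not re-test primality; "ssh-keygen -M screen" has already done that.

# check_moduli FILE MIN_BITS   (hypothetical helper name)
# Prints the number of usable moduli. Returns non-zero if any line is
# malformed, unscreened or smaller than MIN_BITS, or if nothing usable exists.
check_moduli() {
    awk -v min="$2" '
        function bad(why) { printf "line %d: %s\n", NR, why > "/dev/stderr"; errs++ }
        NF == 0 || $1 ~ /^#/ { next }            # blank lines and comments
        NF != 7 { bad("expected 7 fields"); next }
        # type 2 = safe prime; candidates straight from "generate" are not type 2
        $2 != 2 { bad("type is not 2 (safe prime)"); next }
        # tests bitmask: 0x01 = composite, 0x04 = Miller-Rabin tested
        $3 % 2 == 1 || int($3 / 4) % 2 == 0 { bad("not Miller-Rabin screened"); next }
        $4 + 0 < 1 { bad("no primality trials recorded"); next }
        # ssh-keygen writes the size field as bits minus one (2047 for 2048-bit)
        $5 + 1 < min + 0 { bad("modulus smaller than requested size"); next }
        ($6 $7) !~ /^[0-9A-Fa-f]+$/ { bad("generator or modulus is not hex"); next }
        length($7) * 4 < $5 { bad("modulus shorter than its size field"); next }
        { ok++ }
        END { print ok + 0; exit (errs > 0 || ok == 0) }
    ' "$1"
}

# Usage: check_moduli moduli-2048 2048
```

A non-zero exit status means the file should not be installed; the offending line numbers are written to standard error.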

If this worked for you or you have any questions post a comment below so I know if it works. Thanks!
