svn commit: r49211 - head/en_US.ISO8859-1/articles/committers-guide
matthew at FreeBSD.org
Thu Aug 4 15:54:24 UTC 2016
On 2016/08/04 16:07, Warren Block wrote:
> On Thu, 4 Aug 2016, Kubilay Kocak wrote:
>> On 4/08/2016 1:43 AM, Benedict Reuschling wrote:
>>> Author: bcr
>>> Date: Wed Aug 3 15:43:10 2016
>>> New Revision: 49211
>>> URL: https://svnweb.freebsd.org/changeset/doc/49211
>>> Remove mention of specific key types to discourage the generation
>>> of old and potentially insecure keys.
>>> Discussed with: David Wolfskill
>>> Modified: head/en_US.ISO8859-1/articles/committers-guide/article.xml
>>> --- head/en_US.ISO8859-1/articles/committers-guide/article.xml Wed
>>> Aug 3 13:59:21 2016 (r49210)
>>> +++ head/en_US.ISO8859-1/articles/committers-guide/article.xml Wed
>>> Aug 3 15:43:10 2016 (r49211)
>>> @@ -3105,7 +3105,7 @@ Relnotes: yes</programlisting>
>>> <para>If you do not wish to type your password in every time
>>> - you use &man.ssh.1;, and you use RSA or DSA keys to
>>> + you use &man.ssh.1;, and you use keys to
>>> authenticate, &man.ssh-agent.1; is there for your
>>> convenience. If you want to use &man.ssh-agent.1;, make
>>> sure that you run it before running other applications. X
>> Without making a bikeshed out of it, could we provide some basic
>> recommendations here? Examples (note: *just* examples)
>> rsa with new key format, preferred bits, explicit passphrase
>> -o -t rsa -b <whateverwewant> -N <passprhase>
>> ed25519 with new key format, explicit passphrase
>> -t ed25519 -o -N <passphrase> (new format)
>> These might help ensure people don't accidentally (or through lack of
>> knowledge) create keys without passphrases, and provide a bump up on the
>> (openssh) defaults.
>> I'd be happy to write something short and sweet up in the wiki for
>> review first if needed, as well as get input from secteam and other
>> people as well.
> Agreed. Without recommendations, inexperienced users are just going to
> accept the defaults. Which is fine, if the defaults are good.
One thing I'd definitely like to see added is to advise people that if
they want to use a RSA key, they should set the bit-length to 2048 at
minimum and preferably use 4096.
Not sure about recommended lengths for ECDSA -- personally I like
ED25519 where the whole question of key length is a non-issue.
There is some prior-art we might refer to:
which mostly talk about hardening SSH servers, but there are some good
passages about client-side configuration.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 972 bytes
Desc: OpenPGP digital signature
More information about the svn-doc-all