svn commit: r49211 - head/en_US.ISO8859-1/articles/committers-guide

Matthew Seaman matthew at FreeBSD.org
Thu Aug 4 15:54:24 UTC 2016 

On 2016/08/04 16:07, Warren Block wrote:
> On Thu, 4 Aug 2016, Kubilay Kocak wrote:
> 
>> On 4/08/2016 1:43 AM, Benedict Reuschling wrote:
>>> Author: bcr
>>> Date: Wed Aug  3 15:43:10 2016
>>> New Revision: 49211
>>> URL: https://svnweb.freebsd.org/changeset/doc/49211
>>>
>>> Log:
>>>   Remove mention of specific key types to discourage the generation
>>>   of old and potentially insecure keys.
>>>
>>>   Discussed with:        David Wolfskill
>>>
>>> Modified:
>>>   head/en_US.ISO8859-1/articles/committers-guide/article.xml
>>>
>>> Modified: head/en_US.ISO8859-1/articles/committers-guide/article.xml
>>> ==============================================================================
>>>
>>> --- head/en_US.ISO8859-1/articles/committers-guide/article.xml    Wed
>>> Aug  3 13:59:21 2016    (r49210)
>>> +++ head/en_US.ISO8859-1/articles/committers-guide/article.xml    Wed
>>> Aug  3 15:43:10 2016    (r49211)
>>> @@ -3105,7 +3105,7 @@ Relnotes:           yes</programlisting>
>>>      <procedure>
>>>        <step>
>>>      <para>If you do not wish to type your password in every time
>>> -      you use &man.ssh.1;, and you use RSA or DSA keys to
>>> +      you use &man.ssh.1;, and you use keys to
>>>        authenticate, &man.ssh-agent.1; is there for your
>>>        convenience.  If you want to use &man.ssh-agent.1;, make
>>>        sure that you run it before running other applications.  X
>>
>> Without making a bikeshed out of it, could we provide some basic
>> recommendations here? Examples (note: *just* examples)
>>
>> rsa with new key format, preferred bits, explicit passphrase
>>
>> -o -t rsa -b <whateverwewant> -N <passprhase>
>>
>> ed25519 with new key format, explicit passphrase
>>
>> -t ed25519 -o -N <passphrase> (new format)
>>
>> These might help ensure people don't accidentally (or through lack of
>> knowledge) create keys without passphrases, and provide a bump up on the
>> (openssh) defaults.
>>
>> I'd be happy to write something short and sweet up in the wiki for
>> review first if needed, as well as get input from secteam and other
>> people as well.
> 
> Agreed.  Without recommendations, inexperienced users are just going to
> accept the defaults.  Which is fine, if the defaults are good.

One thing I'd definitely like to see added is to advise people that if
they want to use a RSA key, they should set the bit-length to 2048 at
minimum and preferably use 4096.

Not sure about recommended lengths for ECDSA -- personally I like
ED25519 where the whole question of key length is a non-issue.

There is some prior-art we might refer to:

https://wiki.mozilla.org/Security/Guidelines/OpenSSH
https://stribika.github.io/2015/01/04/secure-secure-shell.html

which mostly talk about hardening SSH servers, but there are some good
passages about client-side configuration.

	Cheers,

	Matthew




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 972 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freebsd.org/pipermail/svn-doc-all/attachments/20160804/c56338c8/attachment.sig>

More information about the svn-doc-all mailing list