svn commit: r49377 - head/en_US.ISO8859-1/books/handbook/security
Warren Block
wblock at FreeBSD.org
Fri Sep 9 17:32:00 UTC 2016
Author: wblock
Date: Fri Sep 9 17:31:58 2016
New Revision: 49377
URL: https://svnweb.freebsd.org/changeset/doc/49377
Log:
Change the ssh-keygen example to RSA. Remove mention of DSA. Clean up
some of the stilted, halting language here, improving readability by 31.8%.
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Sep 9 15:33:51 2016 (r49376)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Sep 9 17:31:58 2016 (r49377)
@@ -2599,32 +2599,55 @@ COPYRIGHT 100% |*************
<para>Instead of using passwords, a client can be configured
to connect to the remote machine using keys. To generate
- <acronym>DSA</acronym> or <acronym>RSA</acronym>
+ <acronym>RSA</acronym>
authentication keys, use <command>ssh-keygen</command>. To
generate a public and private key pair, specify the type of
key and follow the prompts. It is recommended to protect
the keys with a memorable, but hard to guess
passphrase.</para>
- <screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
-Generating public/private dsa key pair.
-Enter file in which to save the key (/home/user/.ssh/id_dsa):
-Created directory '/home/user/.ssh'.
-Enter passphrase (empty for no passphrase): <replaceable>type some passphrase here which can contain spaces</replaceable>
-Enter same passphrase again: <replaceable>type some passphrase here which can contain spaces</replaceable>
-Your identification has been saved in /home/user/.ssh/id_dsa.
-Your public key has been saved in /home/user/.ssh/id_dsa.pub.
+ <screen>&prompt.user; <userinput>ssh-keygen -t rsa</userinput>
+Generating public/private rsa key pair.
+Enter file in which to save the key (/home/user/.ssh/id_rsa):
+Enter passphrase (empty for no passphrase): <co xml:id="co-ssh-keygen-passphrase1"/>
+Enter same passphrase again: <co xml:id="co-ssh-keygen-passphrase2"/>
+Your identification has been saved in /home/user/.ssh/id_rsa.
+Your public key has been saved in /home/user/.ssh/id_rsa.pub.
The key fingerprint is:
-bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user at host.example.com</screen>
-
- <para>Depending upon the specified protocol, the private key
- is stored in <filename>~/.ssh/id_dsa</filename> (or
- <filename>~/.ssh/id_rsa</filename>), and the public key
- is stored in <filename>~/.ssh/id_dsa.pub</filename> (or
- <filename>~/.ssh/id_rsa.pub</filename>). The
- <emphasis>public</emphasis> key must be first copied to
+SHA256:54Xm9Uvtv6H4NOo6yjP/YCfODryvUU7yWHzMqeXwhq8 user at host.example.com
+The key's randomart image is:
++---[RSA 2048]----+
+| |
+| |
+| |
+| . o.. |
+| .S*+*o |
+| . O=Oo . . |
+| = Oo= oo..|
+| .oB.* +.oo.|
+| =OE**.o..=|
++----[SHA256]-----+</screen>
+
+ <calloutlist>
+ <callout arearefs="co-ssh-keygen-passphrase1">
+ <para>Type a passphrase here. It can contain spaces and
+ symbols.</para>
+ </callout>
+
+ <callout arearefs="co-ssh-keygen-passphrase2">
+ <para>Retype the passphrase to verify it.</para>
+ </callout>
+ </calloutlist>
+
+
+ <para>The private key
+ is stored in <filename>~/.ssh/id_rsa</filename>
+ and the public key
+ is stored in <filename>~/.ssh/id_rsa.pub</filename>.
+ The
+ <emphasis>public</emphasis> key must be copied to
<filename>~/.ssh/authorized_keys</filename> on the remote
- machine in order for key-based authentication to
+ machine for key-based authentication to
work.</para>
<warning>
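Review bot: the paragraph beginning `<para>The private key` is wrapped at odd points (a line holding only `The`, and `is stored in` split from its subject on the lines above) and is preceded by two blank lines where the surrounding markup uses one; reflow it to the file's normal fill width, for example `<para>The private key is stored in <filename>~/.ssh/id_rsa</filename> and the public key in <filename>~/.ssh/id_rsa.pub</filename>.` followed by the `<emphasis>public</emphasis>` sentence. Replacing the `<replaceable>` passphrase placeholders with `<co>` callouts and a `<calloutlist>` is a good change, since the two prompts are now explained outside the transcript instead of inside it; the new `SHA256:` fingerprint and randomart block match the output of current `ssh-keygen -t rsa`, so the example is consistent with the `~/.ssh/id_rsa` paths the following paragraph now names.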
@@ -2638,42 +2661,48 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8
passphrase. In addition, to better secure end users,
<literal>from</literal> may be placed in the public key
file. For example, adding
- <literal>from="192.168.10.5"</literal> in the front of
- <literal>ssh-rsa</literal> or <literal>rsa-dsa</literal>
- prefix will only allow that specific user to login from
+ <literal>from="192.168.10.5"</literal> in front of the
+ <literal>ssh-rsa</literal>
+ prefix will only allow that specific user to log in from
that <acronym>IP</acronym> address.</para>
</warning>
- <para>The various options and files can be different
- according to the <application>OpenSSH</application> version.
+ <para>The options and files vary with different versions of
+ <application>OpenSSH</application>.
To avoid problems, consult &man.ssh-keygen.1;.</para>
- <para>If a passphrase is used, the user will be prompted for
+ <para>If a passphrase is used, the user is prompted for
the passphrase each time a connection is made to the server.
- To load <acronym>SSH</acronym> keys into memory, without
- needing to type the passphrase each time, use
+ To load <acronym>SSH</acronym> keys into memory and remove
+ the need to type the passphrase each time, use
&man.ssh-agent.1; and &man.ssh-add.1;.</para>
<para>Authentication is handled by
- <command>ssh-agent</command>, using the private key(s) that
- are loaded into it. Then, <command>ssh-agent</command>
- should be used to launch another application such as a
+ <command>ssh-agent</command>, using the private keys that
+ are loaded into it. <command>ssh-agent</command>
+ can be used to launch another application like a
shell or a window manager.</para>
<para>To use <command>ssh-agent</command> in a shell, start it
- with a shell as an argument. Next, add the identity by
- running <command>ssh-add</command> and providing it the
- passphrase for the private key. Once these steps have been
- completed, the user will be able to <command>ssh</command>
+ with a shell as an argument. Add the identity by
+ running <command>ssh-add</command> and entering the
+ passphrase for the private key.
+ The user will then be able to <command>ssh</command>
to any host that has the corresponding public key installed.
For example:</para>
<screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
&prompt.user; ssh-add
-Enter passphrase for key '/usr/home/user/.ssh/id_dsa': <replaceable>type passphrase here</replaceable>
-Identity added: /usr/home/user/.ssh/id_dsa (/usr/home/user/.ssh/id_dsa)
+Enter passphrase for key '/usr/home/user/.ssh/id_rsa': <co xml:id="co-ssh-agent-passphrase"/>
+Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/user/.ssh/id_rsa)
&prompt.user;</screen>
+ <calloutlist>
+ <callout arearefs="co-ssh-agent-passphrase">
+ <para>Enter the passphrase for the key.</para>
+ </callout>
+ </calloutlist>
+
<para>To use <command>ssh-agent</command> in
<application>&xorg;</application>, add an entry for it in
<filename>~/.xinitrc</filename>. This provides the
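Review bot: `prefix will only allow that specific user to log in from that <acronym>IP</acronym> address` overstates what the `from=` option does: in `authorized_keys` it restricts only the key it precedes, so other keys listed for the same account are unaffected; suggest `will only allow that key to be used from that <acronym>IP</acronym> address`. Dropping the bogus `rsa-dsa` literal is correct, but that leaves `<literal>ssh-rsa</literal>` alone on its own line; join it with the preceding `in front of the` line. The `ssh-add` transcript and its `<calloutlist>` follow the same callout convention introduced in the previous hunk, and the `id_dsa` to `id_rsa` rename keeps it consistent with the `ssh-keygen` example above.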