From: Matthew Seaman
To: svn-doc-all@freebsd.org
Subject: Re: svn commit: r49211 - head/en_US.ISO8859-1/articles/committers-guide
Date: Thu, 4 Aug 2016 16:54:11 +0100
References: <201608031543.u73FhA70048459@repo.freebsd.org>
On 2016/08/04 16:07, Warren Block wrote:
> On Thu, 4 Aug 2016, Kubilay Kocak wrote:
> 
>> On 4/08/2016 1:43 AM, Benedict Reuschling wrote:
>>> Author: bcr
>>> Date: Wed Aug 3 15:43:10 2016
>>> New Revision: 49211
>>> URL: https://svnweb.freebsd.org/changeset/doc/49211
>>>
>>> Log:
>>>   Remove mention of specific key types to discourage the generation
>>>   of old and potentially insecure keys.
>>>
>>>   Discussed with: David Wolfskill
>>>
>>> Modified:
>>>   head/en_US.ISO8859-1/articles/committers-guide/article.xml
>>>
>>> Modified: head/en_US.ISO8859-1/articles/committers-guide/article.xml
>>> ==============================================================================
>>> --- head/en_US.ISO8859-1/articles/committers-guide/article.xml	Wed Aug 3 13:59:21 2016	(r49210)
>>> +++ head/en_US.ISO8859-1/articles/committers-guide/article.xml	Wed Aug 3 15:43:10 2016	(r49211)
>>> @@ -3105,7 +3105,7 @@ Relnotes: yes
>>>
>>>
>>> If you do not wish to type your password in every time
>>> - you use &man.ssh.1;, and you use RSA or DSA keys to
>>> + you use &man.ssh.1;, and you use keys to
>>> authenticate, &man.ssh-agent.1; is there for your
>>> convenience. If you want to use &man.ssh-agent.1;, make
>>> sure that you run it before running other applications. X
>>
>> Without making a bikeshed out of it, could we provide some basic
>> recommendations here? Examples (note: *just* examples)
>>
>> rsa with new key format, preferred bits, explicit passphrase
>>
>> -o -t rsa -b -N
>>
>> ed25519 with new key format, explicit passphrase
>>
>> -t ed25519 -o -N (new format)
>>
>> These might help ensure people don't accidentally (or through lack of
>> knowledge) create keys without passphrases, and provide a bump up on the
>> (openssh) defaults.
>>
>> I'd be happy to write something short and sweet up in the wiki for
>> review first if needed, as well as get input from secteam and other
>> people as well.
> 
> Agreed. Without recommendations, inexperienced users are just going to
> accept the defaults. Which is fine, if the defaults are good.

One thing I'd definitely like to see added is to advise people that if
they want to use an RSA key, they should set the bit-length to 2048 at
minimum and preferably use 4096. Not sure about recommended lengths for
ECDSA -- personally I like ED25519 where the whole question of key length
is a non-issue.

There is some prior-art we might refer to:

https://wiki.mozilla.org/Security/Guidelines/OpenSSH
https://stribika.github.io/2015/01/04/secure-secure-shell.html

which mostly talk about hardening SSH servers, but there are some good
passages about client-side configuration.
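Review bot: the replacement line in the hunk, "+ you use &man.ssh.1;, and you use keys to / authenticate", reads awkwardly once "RSA or DSA" is removed; "and you use public-key authentication" (or "and you authenticate with an SSH key") carries the same meaning without the dangling "keys to authenticate". Removing the key-type list also leaves the sentence with no pointer to which kind of key a reader should generate, which is exactly the gap the log message ("discourage the generation of old and potentially insecure keys") is trying to address; a short cross-reference to a key-generation recommendation in the same guide would close it.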
Cheers,

Matthew
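The thread's recommendations amount to a small policy: prefer ed25519, accept RSA only at 2048 bits or more and preferably 4096, and steer people away from the older key types the commit log calls "old and potentially insecure". The script below is an added example, not part of this thread or of the committers guide; it audits OpenSSH public-key lines (the format of `id_*.pub` and `authorized_keys`) against that policy by decoding the key blob's SSH wire format directly, so it runs offline without `ssh-keygen`. The sample keys are constructed from placeholder moduli for illustration and are not real keys, and the threshold names `RSA_MIN_BITS` and `RSA_PREFERRED_BITS` are this example's own.

```python
import base64
import struct

# Thresholds taken from the thread's advice: RSA 2048 bits at minimum,
# 4096 preferred. The constant names are this example's own.
RSA_MIN_BITS = 2048
RSA_PREFERRED_BITS = 4096


def _read_string(blob, offset):
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if offset + 4 > len(blob):
        raise ValueError("truncated key blob")
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start, end = offset + 4, offset + 4 + length
    if end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def _mpint_bits(raw):
    """Bit length of an SSH mpint; a leading 0x00 sign byte does not count."""
    return int.from_bytes(raw, "big").bit_length()


def key_info(pubkey_line):
    """Parse one OpenSSH public-key line into (algorithm, bits, comment)."""
    parts = pubkey_line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public-key line")
    algo, b64 = parts[0], parts[1]
    comment = parts[2].strip() if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_algo, pos = _read_string(blob, 0)
    if inner_algo.decode("ascii") != algo:
        raise ValueError("algorithm inside blob does not match the line")
    if algo == "ssh-rsa":
        _e, pos = _read_string(blob, pos)      # public exponent, not needed here
        n, _ = _read_string(blob, pos)         # modulus: its size is the key size
        bits = _mpint_bits(n)
    elif algo == "ssh-dss":
        p, _ = _read_string(blob, pos)         # p is the first of p, q, g, y
        bits = _mpint_bits(p)
    elif algo == "ssh-ed25519":
        pk, _ = _read_string(blob, pos)        # fixed 32-byte public key
        bits = len(pk) * 8
    elif algo.startswith("ecdsa-sha2-nistp"):
        curve, _ = _read_string(blob, pos)     # e.g. b"nistp256"
        bits = int(curve.decode("ascii")[len("nistp"):])
    else:
        bits = 0
    return algo, bits, comment


def assess(pubkey_line):
    """Classify one key line against the thread's recommendations."""
    algo, bits, _ = key_info(pubkey_line)
    if algo == "ssh-dss":
        return "reject: DSA"
    if algo == "ssh-rsa":
        if bits < RSA_MIN_BITS:
            return "reject: RSA %d bits < %d" % (bits, RSA_MIN_BITS)
        if bits < RSA_PREFERRED_BITS:
            return "warn: RSA %d bits, prefer %d" % (bits, RSA_PREFERRED_BITS)
        return "ok: RSA %d bits" % bits
    if algo == "ssh-ed25519":
        return "ok: ed25519"
    if algo.startswith("ecdsa-sha2-nistp"):
        return "ok: ECDSA %d bits" % bits
    return "unknown: %s" % algo


def audit(text):
    """Assess every key line in an authorized_keys / *.pub style text."""
    results = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        _, _, comment = key_info(line)
        results.append((comment, assess(line)))
    return results


# --- constructed sample input (placeholder values, not real keys) ----------

def _wire_string(b):
    return struct.pack(">I", len(b)) + b


def _wire_mpint(value):
    # One extra byte when the top bit is set, as mpint encoding requires.
    return _wire_string(value.to_bytes((value.bit_length() + 8) // 8, "big"))


def constructed_key_line(algo, *fields, comment):
    blob = _wire_string(algo.encode("ascii")) + b"".join(fields)
    return "%s %s %s" % (algo, base64.b64encode(blob).decode("ascii"), comment)


SAMPLE_KEYS = "\n".join([
    "# constructed keys for this example",
    constructed_key_line("ssh-rsa", _wire_mpint(65537), _wire_mpint((1 << 1023) | 1), comment="rsa1024@example"),
    constructed_key_line("ssh-rsa", _wire_mpint(65537), _wire_mpint((1 << 2047) | 1), comment="rsa2048@example"),
    constructed_key_line("ssh-rsa", _wire_mpint(65537), _wire_mpint((1 << 4095) | 1), comment="rsa4096@example"),
    constructed_key_line("ssh-dss", *(_wire_mpint(v) for v in ((1 << 1023) | 1, 1, 1, 1)), comment="dsa@example"),
    constructed_key_line("ssh-ed25519", _wire_string(bytes(range(32))), comment="ed25519@example"),
])

if __name__ == "__main__":
    for comment, verdict in audit(SAMPLE_KEYS):
        print("%-18s %s" % (comment, verdict))
```

Pointing `audit()` at the contents of a real `authorized_keys` file gives a per-key verdict using the same three-way split the thread argues for; for a single existing key, OpenSSH's own `ssh-keygen -l -f key.pub` prints the same bit count, fingerprint, comment and type, which is a quick way to cross-check the parser.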