From owner-svn-doc-projects@FreeBSD.ORG Tue May 21 15:55:44 2013
Delivered-To: svn-doc-projects@freebsd.org
Message-Id: <201305211555.r4LFtiR8049638@svn.freebsd.org>
From: Tom Rhodes
Date: Tue, 21 May 2013 15:55:44 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41700 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security
List-Id: SVN commit messages for doc projects trees

Author: trhodes
Date: Tue May 21 15:55:43 2013
New Revision: 41700

URL: http://svnweb.freebsd.org/changeset/doc/41700

Log:
  Add a warning about using passphrase-less keys, a method an admin may use
  to verify the passphrase is in use on a keyfile, and how to use the "from="
  keyword to limit user-specific login hosts. I'm surprised this wasn't here
  before; what are we teaching the young users of today. :P

Modified:
  projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Mon May 20 14:17:49 2013 (r41699)
+++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue May 21 15:55:43 2013 (r41700)
@@ -2927,6 +2927,25 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8 This setup allows connections to the remote machine based upon SSH keys instead of passwords. + + Many users believe that keys are secure by design and + will use a key without a passphrase. This is + dangerous behavior and the method + an administrator may use to verify keys have a passphrase + is to view the key manually. If the private key file + contains the word ENCRYPTED the key + owner is using a passphrase. While it may still be a weak + passphrase, at least if the system is compromised, access + to other sites will still require some level of password + guessing. In addition, to better secure end users, the + from may be placed in the public key + file. For example, adding + from="192.168.10.5 in the front of + ssh-rsa or rsa-dsa + prefix will only allow that specific user to login from + that host IP. + + If a passphrase is used in &man.ssh-keygen.1;, the user will be prompted for the passphrase each time in order to use the private key. &man.ssh-agent.1; can alleviate the strain
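Review bot: the from= example near the end of this hunk is missing its closing double quote: `from="192.168.10.5` should read `from="192.168.10.5"` (followed by a space, then the key type), otherwise sshd will not parse that authorized_keys line at all. In the same sentence, `rsa-dsa` is not an OpenSSH key type; the DSA prefix in a public key line is `ssh-dss`, so the text should say "in front of the ssh-rsa or ssh-dss prefix". Two further points on that paragraph: the option restricts which hosts may authenticate with that particular key line, not "that specific user" (a second key line for the same user without from= is still unrestricted), and it must be placed in the server's ~/.ssh/authorized_keys entry to have any effect, so "placed in the public key file" should name that file explicitly. Finally, "This is dangerous behavior and the method an administrator may use to verify keys have a passphrase is to view the key manually" is a run-on; split it in two, and it would help the reader to say where ENCRYPTED appears, namely the `Proc-Type: 4,ENCRYPTED` header that ssh-keygen(1) writes into a passphrase-protected private key.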