Date: Fri, 9 Sep 2016 17:31:59 +0000 (UTC) From: Warren Block <wblock@FreeBSD.org> To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r49377 - head/en_US.ISO8859-1/books/handbook/security Message-ID: <201609091731.u89HVx01088667@repo.freebsd.org>
Author: wblock Date: Fri Sep 9 17:31:58 2016 New Revision: 49377 URL: https://svnweb.freebsd.org/changeset/doc/49377 Log: Change the ssh-keygen example to RSA. Remove mention of DSA. Clean up some of the stilted, halting language here, improving readability by 31.8%. Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Sep 9 15:33:51 2016 (r49376) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Sep 9 17:31:58 2016 (r49377) 
@@ -2599,32 +2599,55 @@ COPYRIGHT 100% |************* <para>Instead of using passwords, a client can be configured to connect to the remote machine using keys. To generate - <acronym>DSA</acronym> or <acronym>RSA</acronym> + <acronym>RSA</acronym> authentication keys, use <command>ssh-keygen</command>. To generate a public and private key pair, specify the type of key and follow the prompts. It is recommended to protect the keys with a memorable, but hard to guess passphrase.</para> - <screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput> -Generating public/private dsa key pair. -Enter file in which to save the key (/home/user/.ssh/id_dsa): -Created directory '/home/user/.ssh'. -Enter passphrase (empty for no passphrase): <replaceable>type some passphrase here which can contain spaces</replaceable> -Enter same passphrase again: <replaceable>type some passphrase here which can contain spaces</replaceable> -Your identification has been saved in /home/user/.ssh/id_dsa. -Your public key has been saved in /home/user/.ssh/id_dsa.pub. + <screen>&prompt.user; <userinput>ssh-keygen -t rsa</userinput> +Generating public/private rsa key pair. +Enter file in which to save the key (/home/user/.ssh/id_rsa): +Enter passphrase (empty for no passphrase): <co xml:id="co-ssh-keygen-passphrase1"/> +Enter same passphrase again: <co xml:id="co-ssh-keygen-passphrase2"/> +Your identification has been saved in /home/user/.ssh/id_rsa. +Your public key has been saved in /home/user/.ssh/id_rsa.pub. The key fingerprint is: -bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com</screen> - - <para>Depending upon the specified protocol, the private key - is stored in <filename>~/.ssh/id_dsa</filename> (or - <filename>~/.ssh/id_rsa</filename>), and the public key - is stored in <filename>~/.ssh/id_dsa.pub</filename> (or - <filename>~/.ssh/id_rsa.pub</filename>). 
The - <emphasis>public</emphasis> key must be first copied to +SHA256:54Xm9Uvtv6H4NOo6yjP/YCfODryvUU7yWHzMqeXwhq8 user@host.example.com +The key's randomart image is: ++---[RSA 2048]----+ +| | +| | +| | +| . o.. | +| .S*+*o | +| . O=Oo . . | +| = Oo= oo..| +| .oB.* +.oo.| +| =OE**.o..=| ++----[SHA256]-----+</screen> + + <calloutlist> + <callout arearefs="co-ssh-keygen-passphrase1"> + <para>Type a passphrase here. It can contain spaces and + symbols.</para> + </callout> + + <callout arearefs="co-ssh-keygen-passphrase2"> + <para>Retype the passphrase to verify it.</para> + </callout> + </calloutlist> + + + <para>The private key + is stored in <filename>~/.ssh/id_rsa</filename> + and the public key + is stored in <filename>~/.ssh/id_rsa.pub</filename>. + The + <emphasis>public</emphasis> key must be copied to <filename>~/.ssh/authorized_keys</filename> on the remote - machine in order for key-based authentication to + machine for key-based authentication to work.</para> <warning> 
@@ -2638,42 +2661,48 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8 passphrase. In addition, to better secure end users, <literal>from</literal> may be placed in the public key file. For example, adding - <literal>from="192.168.10.5"</literal> in the front of - <literal>ssh-rsa</literal> or <literal>rsa-dsa</literal> - prefix will only allow that specific user to login from + <literal>from="192.168.10.5"</literal> in front of the + <literal>ssh-rsa</literal> + prefix will only allow that specific user to log in from that <acronym>IP</acronym> address.</para> </warning> - <para>The various options and files can be different - according to the <application>OpenSSH</application> version. + <para>The options and files vary with different versions of + <application>OpenSSH</application>. To avoid problems, consult &man.ssh-keygen.1;.</para> - <para>If a passphrase is used, the user will be prompted for + <para>If a passphrase is used, the user is prompted for the passphrase each time a connection is made to the server. - To load <acronym>SSH</acronym> keys into memory, without - needing to type the passphrase each time, use + To load <acronym>SSH</acronym> keys into memory and remove + the need to type the passphrase each time, use &man.ssh-agent.1; and &man.ssh-add.1;.</para> <para>Authentication is handled by - <command>ssh-agent</command>, using the private key(s) that - are loaded into it. Then, <command>ssh-agent</command> - should be used to launch another application such as a + <command>ssh-agent</command>, using the private keys that + are loaded into it. <command>ssh-agent</command> + can be used to launch another application like a shell or a window manager.</para> <para>To use <command>ssh-agent</command> in a shell, start it - with a shell as an argument. Next, add the identity by - running <command>ssh-add</command> and providing it the - passphrase for the private key. 
Once these steps have been - completed, the user will be able to <command>ssh</command> + with a shell as an argument. Add the identity by + running <command>ssh-add</command> and entering the + passphrase for the private key. + The user will then be able to <command>ssh</command> to any host that has the corresponding public key installed. For example:</para> <screen>&prompt.user; ssh-agent <replaceable>csh</replaceable> &prompt.user; ssh-add -Enter passphrase for key '/usr/home/user/.ssh/id_dsa': <replaceable>type passphrase here</replaceable> -Identity added: /usr/home/user/.ssh/id_dsa (/usr/home/user/.ssh/id_dsa) +Enter passphrase for key '/usr/home/user/.ssh/id_rsa': <co xml:id="co-ssh-agent-passphrase"/> +Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/user/.ssh/id_rsa) &prompt.user;</screen> + <calloutlist> + <callout arearefs="co-ssh-agent-passphrase"> + <para>Enter the passphrase for the key.</para> + </callout> + </calloutlist> + <para>To use <command>ssh-agent</command> in <application>&xorg;</application>, add an entry for it in <filename>~/.xinitrc</filename>. This provides the
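Review bot: in the first hunk, the new paragraph says the public key "must be copied to ~/.ssh/authorized_keys on the remote machine", which reads as overwriting that file; authorized_keys holds one key per line, so the key should be appended (for example `cat ~/.ssh/id_rsa.pub >> ~/.ssh/authorized_keys` on the remote host), and the file and ~/.ssh must not be writable by others or sshd will ignore them while StrictModes is on. Also, the example runs `ssh-keygen -t rsa` with no `-b`, so the key size is whatever the installed OpenSSH defaults to (the randomart header in the sample output shows RSA 2048); either say that the default size is used or add `-b` to the command so the sample output does not silently go stale across releases.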
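Review bot: in the second hunk, "will only allow that specific user to log in from that IP address" overstates what `from=` does: the option restricts use of that one key line, not the account, so any other key in authorized_keys (or password login, if still enabled) is unaffected; suggest "will only allow that key to be used from that IP address". The placement is also under-specified: the option goes at the start of the line, separated from the key type by a space, e.g. `from="192.168.10.5" ssh-rsa AAAA...`, so showing a full line would be clearer than "in front of the ssh-rsa prefix". One leftover inconsistency: the ssh-add example uses /usr/home/user/.ssh/id_rsa while the ssh-keygen hunk uses /home/user/.ssh/id_rsa; both resolve to the same place on a default FreeBSD install via the /home symlink, but one form throughout would avoid confusing readers.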