From owner-svn-doc-all@FreeBSD.ORG Thu Apr 10 19:09:17 2014
Date: Thu, 10 Apr 2014 15:04:06 -0400 (EDT)
From: Benjamin Kaduk
To: Dru Lavigne
Cc: svn-doc-head@freebsd.org, svn-doc-all@freebsd.org, doc-committers@freebsd.org
Subject: Re: svn commit: r44520 - head/en_US.ISO8859-1/books/handbook/security
In-Reply-To: <201404101805.s3AI5XFJ061345@svn.freebsd.org>
References: <201404101805.s3AI5XFJ061345@svn.freebsd.org>
User-Agent: Alpine 1.10 (GSO 962 2008-03-14)

On Thu, 10 Apr 2014, Dru Lavigne wrote:

> Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
> ==============================================================================
> --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Thu Apr 10 16:57:57 2014	(r44519)
> +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Thu Apr 10 18:05:32 2014	(r44520)
> @@ -2464,34 +2469,39 @@ racoon_enable="yes" > client > > > - To use &man.ssh.1; to connect to a system running > - &man.sshd.8;, specify the username and host to log > - into: > + To log into a SSH server, use > + ssh and specify a username that exists on > + that server and the IP address or hostname > + of the server. If this is the first time a connection has > + been made to the specified server, the user will be prompted > + to first verify the server's fingerprint: There are a few cases where the user will not be prompted to verify the server's fingerprint on the first connection (and also some where the user will be prompted on not-the-first connection). They are probably uncommon enough that we don't need to document them, but for the record, the ones I can think of are: Successful GSSAPIKeyExchange will avoid the need for a prompt VerifyHostKeyDNS in ssh_config in combination with SSHFP records from DNSSEC can be configured to validate the key without prompting the user If there is a software upgrade on either client or server such that the negotiated key-exchange algorithm changes (e.g., from RSA to ECDSA), the user will be re-prompted for the new key, even though an old key for a different mechanism is saved. > + Since the fingerprint was already verified for this host, > + the server's key is automatically checked before prompting for > + the user's password. > + > + The arguments passed to scp are similar to > + cp. The file or files to copy is the first It is probably worth noting a glaring discrepancy between scp(1) and cp(1)'s arguments, here, namely with respect to recursive copies. scp takes -r, but cp takes -R. > + argument and the destination to copy to is the second. Since the file > + is fetched over the network, one or more of the file > arguments takes the form > . > [...] > + Instead of using passwords, a client can be configured > + to connect to the remote machine > + using keys instead of > + passwords. 
To generate DSA or "instead of [using] passwords" is duplicated in this sentence. -Ben
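Review bot: the new ssh paragraph in this hunk says "the user will be prompted to first verify the server's fingerprint" but never says what verifying means, and the next paragraph ("Since the fingerprint was already verified for this host, the server's key is automatically checked") builds on that unstated step; suggest adding one sentence that the fingerprint shown must be compared with one obtained from the server's administrator through some other channel before answering yes, since a fingerprint accepted without that comparison is what gets "automatically checked" on every later connection. Minor: "a SSH server" should read "an SSH server".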
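Ben's VerifyHostKeyDNS case above works because an SSHFP record and the fingerprint ssh shows in its first-connection prompt are two encodings of the same hash over the server's public key blob. The following is an added example, not code from this email or from the Handbook text under review, that builds both from a public key line and checks them against each other; the ssh-ed25519 key bytes are constructed (not a real key), the hostname host.example is a placeholder, and the `SHA256:` prompt format is that of current OpenSSH.

```python
import base64
import hashlib
import struct

# SSHFP "algorithm" numbers (RFC 4255, RFC 6594, RFC 7479) keyed by the
# SSH key type string that appears first in a .pub file.
SSHFP_ALGORITHM = {
    "ssh-rsa": 1,
    "ssh-dss": 2,
    "ecdsa-sha2-nistp256": 3,
    "ecdsa-sha2-nistp384": 3,
    "ecdsa-sha2-nistp521": 3,
    "ssh-ed25519": 4,
}
# SSHFP "fingerprint type" numbers: 1 = SHA-1, 2 = SHA-256.
SSHFP_HASH = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey_line(line):
    """Return (key type, raw key blob) from a .pub or known_hosts style line.

    A .pub line starts with the key type; a known_hosts line has a hostname
    column in front of it, so locate the key type field rather than assume it.
    """
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f in SSHFP_ALGORITHM)
    keytype = fields[idx]
    blob = base64.b64decode(fields[idx + 1])
    # The blob is SSH wire format and begins with the key type as a
    # length-prefixed string; refuse a line whose text and blob disagree.
    (length,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + length] != keytype.encode():
        raise ValueError("key type text does not match key blob")
    return keytype, blob


def sshfp_records(hostname, line):
    """The SSHFP RRs for this host key, in the layout ssh-keygen -r prints
    (one SHA-1 and one SHA-256 record, hash taken over the whole key blob)."""
    keytype, blob = parse_pubkey_line(line)
    algo = SSHFP_ALGORITHM[keytype]
    return [
        f"{hostname} IN SSHFP {algo} {fptype} {h(blob).hexdigest()}"
        for fptype, h in sorted(SSHFP_HASH.items())
    ]


def prompt_fingerprint(line):
    """The SHA256:... string ssh shows in its first-connection prompt: the
    same SHA-256 over the key blob, base64 encoded with padding removed."""
    _, blob = parse_pubkey_line(line)
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def record_matches_key(record, line):
    """True if an SSHFP record (as text) is a fingerprint of this key."""
    fields = record.split()
    if fields[1:3] != ["IN", "SSHFP"]:
        raise ValueError("not an SSHFP record")
    algo, fptype, hexfp = int(fields[3]), int(fields[4]), fields[5].lower()
    keytype, blob = parse_pubkey_line(line)
    if SSHFP_ALGORITHM[keytype] != algo or fptype not in SSHFP_HASH:
        return False
    return SSHFP_HASH[fptype](blob).hexdigest() == hexfp


def prompt_matches_sha256_record(prompt_fp, record):
    """Compare what the user sees in the prompt with a type-2 SSHFP record:
    the same bytes, one as unpadded base64, the other as hex."""
    fields = record.split()
    if int(fields[4]) != 2 or not prompt_fp.startswith("SHA256:"):
        return False
    b64 = prompt_fp[len("SHA256:"):]
    b64 += "=" * (-len(b64) % 4)  # restore the padding ssh strips
    return base64.b64decode(b64) == bytes.fromhex(fields[5])


def sample_ed25519_line():
    """A constructed ssh-ed25519 public key line in .pub layout; the 32 key
    bytes are made up for the example and are not a real key."""
    raw = bytes(range(32))
    blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + raw
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " constructed@example"


if __name__ == "__main__":
    line = sample_ed25519_line()
    for rr in sshfp_records("host.example", line):  # host.example: placeholder
        print(rr)
    print("prompt shows:", prompt_fingerprint(line))
```

With `VerifyHostKeyDNS yes` in ssh_config, ssh only skips the prompt when the resolver reports the SSHFP answer as DNSSEC-validated; an unvalidated match is reported to the user but the prompt still appears, which is why Ben's case is tied to DNSSEC rather than to SSHFP alone.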