Date: Tue, 21 May 2013 15:55:44 +0000 (UTC)
From: Tom Rhodes <trhodes@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41700 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security
Message-ID: <201305211555.r4LFtiR8049638@svn.freebsd.org>
Author: trhodes Date: Tue May 21 15:55:43 2013 New Revision: 41700 URL: http://svnweb.freebsd.org/changeset/doc/41700 Log: Add a warning about using passphrase-less keys, a method an admin may use to verify the passphrase is in use on a keyfile, and how to use the "from=" keyword to limit user specific login hosts. I'm surprised this wasn't here before, what are we teaching the young users of today. :P Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Mon May 20 14:17:49 2013 (r41699) +++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue May 21 15:55:43 2013 (r41700) 
@@ -2927,6 +2927,25 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8 <para>This setup allows connections to the remote machine based upon <acronym>SSH</acronym> keys instead of passwords.</para> + <warning> + <para>Many users believe that keys are secure by design and + will use a key without a passphrase. This is + <emphasis>dangerous</emphasis> behavior and the method + an administrator may use to verify keys have a passphrase + is to view the key manually. If the private key file + contains the word <literal>ENCRYPTED</literal> the key + owner is using a passphrase. While it may still be a weak + passphrase, at least if the system is compromised, access + to other sites will still require some level of password + guessing. In addition, to better secure end users, the + <literal>from</literal> may be placed in the public key + file. For example, adding + <literal>from="192.168.10.5</literal> in the front of + <literal>ssh-rsa</literal> or <literal>rsa-dsa</literal> + prefix will only allow that specific user to login from + that host <acronym>IP</acronym>.</para> + </warning> + <para>If a passphrase is used in &man.ssh-keygen.1;, the user will be prompted for the passphrase each time in order to use the private key. &man.ssh-agent.1; can alleviate the strain
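Review bot: the `from=` example in the added `<warning>` contains two errors a reader will copy verbatim: `<literal>from="192.168.10.5</literal>` is missing its closing double quote, and `rsa-dsa` is not a key-type prefix that appears on an authorized_keys line (the DSA type is `ssh-dss`). Suggest `<literal>from="192.168.10.5"</literal>` followed by a space, then `<literal>ssh-rsa</literal>` or `<literal>ssh-dss</literal>`. The claim that this "will only allow that specific user to login from that host" also overstates the effect: an option placed in front of a key restricts that key entry only, so the user can still log in from elsewhere with any other key in the file or with a password if password authentication is enabled; say that the restriction applies to that key. Two wording points in the same paragraph: "the <literal>from</literal> may be placed" drops the noun (should be "the <literal>from</literal> option may be placed"), and "verify keys have a passphrase" reads better as "verify that keys have a passphrase".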