svn commit: r49211 - head/en_US.ISO8859-1/articles/committers-guide

Warren Block wblock at wonkity.com
Thu Aug 4 15:07:19 UTC 2016 

On Thu, 4 Aug 2016, Kubilay Kocak wrote:

> On 4/08/2016 1:43 AM, Benedict Reuschling wrote:
>> Author: bcr
>> Date: Wed Aug  3 15:43:10 2016
>> New Revision: 49211
>> URL: https://svnweb.freebsd.org/changeset/doc/49211
>>
>> Log:
>>   Remove mention of specific key types to discourage the generation
>>   of old and potentially insecure keys.
>>
>>   Discussed with:	    David Wolfskill
>>
>> Modified:
>>   head/en_US.ISO8859-1/articles/committers-guide/article.xml
>>
>> Modified: head/en_US.ISO8859-1/articles/committers-guide/article.xml
>> ==============================================================================
>> --- head/en_US.ISO8859-1/articles/committers-guide/article.xml	Wed Aug  3 13:59:21 2016	(r49210)
>> +++ head/en_US.ISO8859-1/articles/committers-guide/article.xml	Wed Aug  3 15:43:10 2016	(r49211)
>> @@ -3105,7 +3105,7 @@ Relnotes:           yes</programlisting>
>>      <procedure>
>>        <step>
>>  	<para>If you do not wish to type your password in every time
>> -	  you use &man.ssh.1;, and you use RSA or DSA keys to
>> +	  you use &man.ssh.1;, and you use keys to
>>  	  authenticate, &man.ssh-agent.1; is there for your
>>  	  convenience.  If you want to use &man.ssh-agent.1;, make
>>  	  sure that you run it before running other applications.  X
>
> Without making a bikeshed out of it, could we provide some basic
> recommendations here? Examples (note: *just* examples)
>
> rsa with new key format, preferred bits, explicit passphrase
>
> -o -t rsa -b <whateverwewant> -N <passprhase>
>
> ed25519 with new key format, explicit passphrase
>
> -t ed25519 -o -N <passphrase> (new format)
>
> These might help ensure people don't accidentally (or through lack of
> knowledge) create keys without passphrases, and provide a bump up on the
> (openssh) defaults.
>
> I'd be happy to write something short and sweet up in the wiki for
> review first if needed, as well as get input from secteam and other
> people as well.

Agreed.  Without recommendations, inexperienced users are just going to 
accept the defaults.  Which is fine, if the defaults are good.

More information about the svn-doc-head mailing list