svn commit: r41700 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security
Tom Rhodes
trhodes at FreeBSD.org
Tue May 21 15:55:44 UTC 2013
Author: trhodes
Date: Tue May 21 15:55:43 2013
New Revision: 41700
URL: http://svnweb.freebsd.org/changeset/doc/41700
Log:
Add a warning about using passphrase-less keys,
a method an admin may use to verify the passphrase
is in use on a keyfile, and how to use the "from="
keyword to limit user specific login hosts. I'm
surprised this wasn't here before, what are we
teaching the young users of today. :P
Modified:
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Mon May 20 14:17:49 2013 (r41699)
+++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue May 21 15:55:43 2013 (r41700)
@@ -2927,6 +2927,25 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8
<para>This setup allows connections to the remote machine based
upon <acronym>SSH</acronym> keys instead of passwords.</para>
+ <warning>
+ <para>Many users believe that keys are secure by design and
+ will use a key without a passphrase. This is
+ <emphasis>dangerous</emphasis> behavior and the method
+ an administrator may use to verify keys have a passphrase
+ is to view the key manually. If the private key file
+ contains the word <literal>ENCRYPTED</literal> the key
+ owner is using a passphrase. While it may still be a weak
+ passphrase, at least if the system is compromised, access
+ to other sites will still require some level of password
+ guessing. In addition, to better secure end users, the
+ <literal>from</literal> may be placed in the public key
+ file. For example, adding
+ <literal>from="192.168.10.5</literal> in the front of
+ <literal>ssh-rsa</literal> or <literal>rsa-dsa</literal>
+ prefix will only allow that specific user to login from
+ that host <acronym>IP</acronym>.</para>
+ </warning>
+
<para>If a passphrase is used in &man.ssh-keygen.1;, the user
will be prompted for the passphrase each time in order to use
the private key. &man.ssh-agent.1; can alleviate the strain
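Review bot: the `from=` example in the new warning is missing its closing quote: `<literal>from="192.168.10.5</literal>` should read `<literal>from="192.168.10.5"</literal>`, otherwise readers will copy a malformed option into their authorized keys. In the same sentence, `rsa-dsa` does not look like a valid key-type prefix (the DSA counterpart of `ssh-rsa` is `ssh-dss`); please double-check. Two wording points: "the <literal>from</literal> may be placed in the public key file" reads better as "the <literal>from</literal> option may be placed in front of the key in the user's <filename>authorized_keys</filename> entry", since that is where the restriction is enforced and "public key file" could be read as the <filename>id_rsa.pub</filename> on the client; and "login from that host" should be "log in from that host" (verb). Finally, the verification method as written ("view the key manually ... contains the word ENCRYPTED") is fine for the traditional PEM key files this chapter describes, but it would help to show the exact line the admin should look for, e.g. <literal>Proc-Type: 4,ENCRYPTED</literal> near the top of the file, so the check is unambiguous.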