svn commit: r41700 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security
Warren Block
wblock at wonkity.com
Tue May 21 18:37:40 UTC 2013
On Tue, 21 May 2013, Tom Rhodes wrote:
> Author: trhodes
> Date: Tue May 21 15:55:43 2013
> New Revision: 41700
> URL: http://svnweb.freebsd.org/changeset/doc/41700
>
> Log:
> Add a warning about using passphrase-less keys,
> a method an admin may use to verify the passphrase
> is in use on a keyfile, and how to use the "from="
> keyword to limit user specific login hosts. I'm
> surprised this wasn't here before, what are we
> teaching the young users of today. :P
>
> Modified:
> projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
>
> Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
> ==============================================================================
> --- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Mon May 20 14:17:49 2013 (r41699)
> +++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Tue May 21 15:55:43 2013 (r41700)
> @@ -2927,6 +2927,25 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8
> <para>This setup allows connections to the remote machine based
> upon <acronym>SSH</acronym> keys instead of passwords.</para>
>
> + <warning>
> + <para>Many users believe that keys are secure by design and
> + will use a key without a passphrase. This is
> + <emphasis>dangerous</emphasis> behavior and the method
> + an administrator may use to verify keys have a passphrase
> + is to view the key manually. If the private key file
> + contains the word <literal>ENCRYPTED</literal> the key
> + owner is using a passphrase.
Some commas needed, but it might be better to just break up and
rearrange some of the sentences. For example:
<para>Users sometimes believe that keys are secure by design and use
keys without a passphrase. <emphasis>This is dangerous
behavior!</emphasis> Administrators may verify that keys have
passphrases by checking the private key file. If it contains the
string <literal>ENCRYPTED</literal>, a passphrase has been
used.</para>
> While it may still be a weak
> + passphrase, at least if the system is compromised, access
> + to other sites will still require some level of password
> + guessing. In addition, to better secure end users, the
> + <literal>from</literal> may be placed in the public key
> + file. For example, adding
> + <literal>from="192.168.10.5</literal> in the front of
How about "before" instead of "in the front of"?
> + <literal>ssh-rsa</literal> or <literal>rsa-dsa</literal>
> + prefix will only allow that specific user to login from
> + that host <acronym>IP</acronym>.</para>
> + </warning>
"login" looks funny to me there, usually refers to a username rather
than an action.
> <para>If a passphrase is used in &man.ssh-keygen.1;, the user
"in" is weird. How about
If a passphrase was used with &man.ssh-keygen.1;, the user
> will be prompted for the passphrase each time in order to use
> the private key. &man.ssh-agent.1; can alleviate the strain
>
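Review bot: the example literal `<literal>from="192.168.10.5</literal>` in the new warning is missing its closing double quote, so a reader copying it into an authorized_keys file gets a malformed line; suggest `<literal>from="192.168.10.5"</literal>`. Two smaller points in the same paragraph: "the <literal>from</literal> may be placed in the public key file" is missing a noun after the literal (the log message calls it the "from=" keyword, so "the <literal>from=</literal> keyword may be placed" would do), and `<literal>rsa-dsa</literal>` is not an OpenSSH key-type prefix; the DSA prefix is `ssh-dss`, so this looks like a typo next to the correct `ssh-rsa`.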
Thank you for working on this!
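The two checks discussed in the patch, scripted as an added example that is not part of the Handbook text or of this mail: a private key in the traditional PEM format that is protected by a passphrase carries the ENCRYPTED marker, and a from= restriction placed before the key type in authorized_keys limits the host a key is accepted from. The key files, the public key string and the host address are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example, not part of the Handbook text or of this mail thread.
# All key material below is constructed placeholder text, not real keys.

# Report whether a private key file carries the ENCRYPTED marker that a
# passphrase-protected PEM key has.  Prints "passphrase" or "none".
key_passphrase_status() {
    if grep -q ENCRYPTED "$1"; then
        echo passphrase
    else
        echo none
    fi
}

# Prefix a public key line ("ssh-rsa AAAA... comment") with a from=
# restriction so sshd only accepts it from the given host or pattern.
restrict_key_to_host() {
    printf 'from="%s" %s\n' "$1" "$2"
}

# Report whether an authorized_keys line carries a from= option, either
# as the first option or after others (e.g. no-pty,from="...").
# Prints "restricted" or "unrestricted".
key_line_restriction() {
    case "$1" in
        from=*|*,from=*) echo restricted ;;
        *)               echo unrestricted ;;
    esac
}

# Constructed sample files for a stand-alone run; removed on exit.
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT

cat > "$tmpdir/id_rsa_protected" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,00000000000000000000000000000000

CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
EOF

cat > "$tmpdir/id_rsa_plain" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
CONSTRUCTED-PLACEHOLDER-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
EOF

# Constructed public key line; the base64 body is a placeholder.
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQDconstructed user@example.org'

key_passphrase_status "$tmpdir/id_rsa_protected"   # passphrase
key_passphrase_status "$tmpdir/id_rsa_plain"       # none
restrict_key_to_host 192.168.10.5 "$SAMPLE_PUBKEY"
key_line_restriction "$SAMPLE_PUBKEY"              # unrestricted
```

One caveat when relying on the ENCRYPTED marker: it only appears in the traditional PEM key format. A key written in the newer OpenSSH private-key format (ssh-keygen -o) has no such line, so a format-independent check is to run `ssh-keygen -y -P '' -f keyfile`, which fails for any passphrase-protected key regardless of format. The from= option also accepts a comma-separated list of host or address patterns, and sshd evaluates it against the connecting client's address, so a key restricted this way is useless to anyone holding it elsewhere.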