
#1 2018-11-01 10:33:52

Tétrapyle
Member
Registered: 2014-01-03
Posts: 53

[solved] wiki ssh-keygen page lacks references to -o flag

Hi all.

I would like to draw attention on the following.

The wiki page SSH Keys states that one should use ssh-keygen with the -o flag for better security if they want to use a password.
But this flag is not documented in the manual or info page of ssh-keygen. It seems, however, to be implemented or recognized.

The discussion related to this wiki page links to some technical web page stating that, without this -o flag, default OpenSSH key encryption is worse than plaintext (quite sensationalist imho).

I understand that who wrote this and the wiki have much better knowledge than I do about these topics.
However, we should seriously feel most uncomfortable using undocumented features for managing the kind of security as is provided by ssh keys.

I'd like to suggest adding a comment about it in the wiki, deleting it, or providing more references.

Last edited by Tétrapyle (2018-11-01 19:02:42)


#2 2018-11-01 11:40:09

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: [solved] wiki ssh-keygen page lacks references to -o flag

Hi, goto

man -P 'less -p " -O"' ssh-keygen

That part/chapter is valid till '-P passphrase'

edit: changed command

Last edited by qinohe (2018-11-01 12:22:25)


#3 2018-11-01 16:42:07

/dev/zero
Member
From: Melbourne, Australia
Registered: 2011-10-20
Posts: 1,247

Re: [solved] wiki ssh-keygen page lacks references to -o flag

qinohe wrote:

Hi, goto

man -P 'less -p " -O"' ssh-keygen

That seems to search for "-O" with a capital-O. That deals with certificate options when signing a key, not the private key format. I believe Tetrapyle really meant the case-sensitive lowercase-o: "-o".


Tétrapyle wrote:

But this flag is not documented in the manual of info page of ssh-keygen. It seems, however, to be implemented or recognized.

A little Googling shows it is a BSD-ism, and it seems like the Linux manpage hasn't caught up yet: https://www.freebsd.org/cgi/man.cgi?que … th=OpenBSD

From that page:

-o      Causes ssh-keygen to save private keys using the new OpenSSH format rather than the more compatible PEM format. The new format has increased resistance to brute-force password cracking but is not supported by versions of OpenSSH prior to 6.5. Ed25519 keys always use the new private key format.

If I understand correctly, the OpenSSH development team focus first on the BSDs, and port their product to Linux later as a kind gesture :) So, it is not surprising that a little documentation ends up out of sync at times.

I think the most correct solution would be, rather than worrying overly much about the wiki, instead see what steps can be made to make the most accurate manpage available in Arch Linux. That would probably involve inspecting the most recent Linux sources to verify it ships with an outdated manpage; if so, go to the OpenSSH development mailing list and see whether anything can be done about bringing the Linux manpage into line with the OpenBSD one.

Last edited by /dev/zero (2018-11-01 16:42:58)

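The manpage excerpt quoted above says only that the -o format "has increased resistance to brute-force password cracking" without saying why. The difference is in the container: the legacy PEM file derives its encryption key from the passphrase with OpenSSL's EVP_BytesToKey (a single MD5 pass), while the openssh-key-v1 container selected by -o records a KDF name ("bcrypt", i.e. bcrypt_pbkdf) with a salt and a round count (ssh-keygen's -a option, 16 by default), so each guess costs the attacker far more work. Since OpenSSH 7.8 the new container is the default and -o is only needed on older releases. The following is an added example, not code from the thread, the wiki or OpenSSH: a small parser that reads either container and reports which KDF protects the key, run over key files constructed inline (the encrypted sections are placeholder bytes, not real keys; the function names are my own).

```python
"""Report how an OpenSSH private key file protects its passphrase.

Distinguishes the legacy PEM container (default before OpenSSH 7.8 unless
ssh-keygen -o was given) from the openssh-key-v1 container, and extracts
the cipher / KDF / round count. Layout follows OpenSSH's PROTOCOL.key.
"""
import base64
import struct

OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_string(buf, off):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (length,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    return buf[off:off + length], off + length


def _pem_body(text, label):
    """Return the decoded base64 payload between the BEGIN/END armor lines."""
    inner = text.split(f"-----BEGIN {label}-----", 1)[1]
    inner = inner.split(f"-----END {label}-----", 1)[0]
    return base64.b64decode("".join(inner.split()))


def inspect_private_key(text):
    """Classify a private key file; returns format, encrypted, cipher, kdf, rounds."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        blob = _pem_body(text, "OPENSSH PRIVATE KEY")
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("bad openssh-key-v1 magic")
        off = len(OPENSSH_MAGIC)
        cipher, off = _read_string(blob, off)      # e.g. aes256-ctr or none
        kdf, off = _read_string(blob, off)         # bcrypt or none
        kdfopts, off = _read_string(blob, off)     # for bcrypt: string salt, uint32 rounds
        rounds = None
        if kdf == b"bcrypt":
            _salt, o2 = _read_string(kdfopts, 0)
            (rounds,) = struct.unpack(">I", kdfopts[o2:o2 + 4])
        return {"format": "openssh-key-v1", "encrypted": cipher != b"none",
                "cipher": cipher.decode(), "kdf": kdf.decode(), "rounds": rounds}

    for label in ("RSA PRIVATE KEY", "EC PRIVATE KEY", "DSA PRIVATE KEY"):
        if f"-----BEGIN {label}-----" in text:
            encrypted = "Proc-Type: 4,ENCRYPTED" in text
            cipher = None
            for ln in text.splitlines():
                if ln.startswith("DEK-Info:"):          # "DEK-Info: <cipher>,<iv hex>"
                    cipher = ln.split(":", 1)[1].strip().split(",", 1)[0]
            # Legacy PEM: key = EVP_BytesToKey(MD5, salt=iv, count=1), i.e. one
            # hash pass per passphrase guess, which is why it cracks so quickly.
            return {"format": "pem", "encrypted": encrypted, "cipher": cipher,
                    "kdf": "EVP_BytesToKey(MD5)" if encrypted else None,
                    "rounds": 1 if encrypted else None}
    raise ValueError("unrecognised private key container")


def needs_reencryption(info):
    """True for a passphrase-protected key still in the legacy PEM container
    (fix: `ssh-keygen -p -o -f <key>` on OpenSSH < 7.8, or just -p on 7.8+)."""
    return info["format"] == "pem" and info["encrypted"]


def build_openssh_key_v1(cipher, kdf, rounds, salt, payload):
    """Construct a structurally valid openssh-key-v1 container for testing.
    The public key and encrypted section are placeholder bytes, not a key."""
    def s(b):
        return struct.pack(">I", len(b)) + b
    kdfopts = (s(salt) + struct.pack(">I", rounds)) if kdf != b"none" else b""
    blob = (OPENSSH_MAGIC + s(cipher) + s(kdf) + s(kdfopts)
            + struct.pack(">I", 1) + s(b"\x00" * 32) + s(payload))
    b64 = base64.b64encode(blob).decode()
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


# Constructed samples (not real keys): -o with a passphrase, -o without one,
# and a legacy PEM key with a passphrase.
SAMPLE_NEW = build_openssh_key_v1(b"aes256-ctr", b"bcrypt", 16, b"\x01" * 16, b"\x00" * 48)
SAMPLE_NEW_PLAIN = build_openssh_key_v1(b"none", b"none", 0, b"", b"\x00" * 48)
SAMPLE_PEM = ("-----BEGIN RSA PRIVATE KEY-----\n"
              "Proc-Type: 4,ENCRYPTED\n"
              "DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF\n\n"
              + base64.b64encode(b"\x00" * 48).decode() + "\n"
              "-----END RSA PRIVATE KEY-----\n")

if __name__ == "__main__":
    for name, sample in (("new+passphrase", SAMPLE_NEW),
                         ("new, no passphrase", SAMPLE_NEW_PLAIN),
                         ("legacy PEM+passphrase", SAMPLE_PEM)):
        info = inspect_private_key(sample)
        print(f"{name:22} {info}  re-encrypt: {needs_reencryption(info)}")
```

On a real file, `inspect_private_key(open("~/.ssh/id_rsa").read())` gives the same dictionary; a `pem` result with `encrypted` True is the case the wiki's -o advice is about. The round count reported for the new container is what `ssh-keygen -a` set at creation time.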

#4 2018-11-01 16:54:34

qinohe
Member
From: Netherlands
Registered: 2012-06-20
Posts: 1,494

Re: [solved] wiki ssh-keygen page lacks references to -o flag

@/dev/zero, yes you're right, sorry for providing you with wrong info @Tétrapyle..


#5 2018-11-01 19:02:13

Tétrapyle
Member
Registered: 2014-01-03
Posts: 53

Re: [solved] wiki ssh-keygen page lacks references to -o flag

Thank you all,

Yes qinohe, I meant yikes not yikes. No, I mean -o, not -O ;)

/dev/zero you're certainly right about the most correct solution. Well, most unfortunately, I really don't have any time left for the OpenSSH development mailing list right now. I just added a comment in the wiki's discussion page. I'm not sure it's worth adding a link to the BSD's manpage in the wiki page itself, since it would probably stay forgotten there once the Linux man page gets updated.

But as far as it is, with some info in the discussion page, I consider the initial issue solved.

Last edited by Tétrapyle (2018-11-01 19:03:17)

