
Re: WG Review: CURves, Deprecating and a Little more Encryption (curdle)

2015-12-09 18:16:28
On Wed, Dec 9, 2015 at 3:30 PM Phillip Hallam-Baker 
<phill(_at_)hallambaker(_dot_)com>
wrote:

On Wed, Dec 9, 2015 at 12:08 PM, tom p. <daedulus(_at_)btconnect(_dot_)com> 
wrote:



Phillip

By divisive, I mean that the expertise, the knowledge, the skills will
be divided.  I see the SSH list as the best source of information on
SSH, its use and development.  Setting up another list to discuss such
matters will divide that expertise; some will join the new list, others
will not - the expertise will be divided and so weakened.

Tom Petch


The only action item I see here is to make sure that the proposal is
forwarded to the SSH list.

Right now, the biggest pains in using SSH are that there are three
different private key formats and authorized_keys has the whole key rather
than a fingerprint. So cut and paste really doesn't work very easily.


... and, while we are discussing this...

My biggest SSH complaint is a usability nit which causes security issues.
It may be an implementation / convention issue - I keep meaning to file a
bug, but instead I'll just kvetch here...

In my .ssh directory there some keys. As an example, the RSA key I use for
IETF NOC stuff:
-r--------   1 wkumari  staff   1675 Mar 13  2015 id_rsa_ietf_noc
-r--------   1 wkumari  staff    385 Mar 13  2015 id_rsa_ietf_noc.pub

I want to be able to use this key to log in to routers and servers, so I
need to share the public key with folk / copy it to a server so I can
append it to an authorized_keys file / etc.

So, how do I do that?
Well, chances are I'm in a rush, so I do:
echo ~/.ssh/id_rsa_ie<tab tab> | email $someone
or
scp ~/.ssh/id_rsa_ie<tab> server.meeting.ietf.org:~/tmp

and, I've just emailed / copied off my *private* key.
The issue here is that the private key has no extension (and the public one
does), and so tab completion helpfully completes to the private key.
This could be easily solved by making private keys be called
id_rsa_ietf_noc.priv or something.

I guess I should really go file a bug, somewhere...




Those are both problems that I for one think are most likely to be fixed
if these 'experts' get some outside perspective.


Yah.



I really could not care less what the format that they had chosen is. But
having to juggle three when one would have been enough only makes the whole
process less reliable and less user friendly.


Fully agree. And, making tab completion not complete to the private key
would also be a user friendliness win...
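A defensive guard for the tab-completion slip described in this thread, added here as an example rather than code from the thread or from any SSH implementation. It assumes private keys either start with a "-----BEGIN ... PRIVATE KEY-----" header (OpenSSH, PEM, PKCS#8) or sit beside a same-named ".pub" file; the function names are the example's own.

```shell
#!/bin/sh
# Example guard (not from the thread): refuse to hand a private key to scp,
# so "scp ~/.ssh/id_rsa_ie<tab>" cannot silently ship the wrong file.

# is_private_key FILE -> exit 0 if FILE looks like a private key, 1 otherwise
is_private_key() {
    f=$1
    [ -f "$f" ] || return 1
    # Header check covers OpenSSH, PEM (RSA/EC/DSA) and PKCS#8 encodings.
    if head -n 1 "$f" | grep -q '^-----BEGIN .*PRIVATE KEY-----'; then
        return 0
    fi
    # Naming heuristic for the case the thread describes: the private half
    # has no extension, the public half is "<same name>.pub" next to it.
    case "$f" in
        *.pub) return 1 ;;
    esac
    if [ -f "$f.pub" ]; then
        return 0
    fi
    return 1
}

# safe_copy FILE DEST -> exit 2 and copy nothing if FILE is a private key,
# otherwise delegate to scp with the same arguments
safe_copy() {
    if is_private_key "$1"; then
        echo "refusing to copy private key: $1 (did you mean $1.pub?)" >&2
        return 2
    fi
    scp "$1" "$2"
}
```

Aliasing `scp` to `safe_copy` in the shell profile turns the check into a default; the same test applies before piping a key into mail.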