[Bug 2788] New: ssh(1) man page should note id_rsa encryption now uses AES, not 3DES

bugzilla-daemon at bugzilla.mindrot.org
Wed Oct 4 23:00:16 AEDT 2017


https://bugzilla.mindrot.org/show_bug.cgi?id=2788

            Bug ID: 2788
           Summary: ssh(1) man page should note id_rsa encryption now uses
                    AES, not 3DES
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: Other
               URL: https://bugs.debian.org/614818
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: Documentation
          Assignee: unassigned-bugs at mindrot.org
          Reporter: cjwatson at debian.org

In https://bugs.debian.org/614818, Calum Mackay reported the following,
and I've checked that this is still the case in 7.6p1:


In the FILES section of ssh(1), it says:

     ~/.ssh/id_rsa
             Contains the private key for authentication.  These files
             contain sensitive data and should be readable by the user but
             not accessible by others (read/write/execute).  ssh will simply
             ignore a private key file if it is accessible by others.  It is
             possible to specify a passphrase when generating the key which
             will be used to encrypt the sensitive part of this file using
             3DES.

However, in a recent release, ssh-keygen has switched to using AES, not
3DES, to encrypt the private key. This is noted in the ssh-keygen(1) page,
in this same pkg:

     ~/.ssh/id_rsa
             Contains the protocol version 2 DSA, ECDSA or RSA
             authentication identity of the user.  This file should not be
             readable by anyone but the user.  It is possible to specify a
             passphrase when generating the key; that passphrase will be used
             to encrypt the private part of this file using 128-bit AES.
             [...]


This section should probably be the same across both man pages.
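The practical question behind this report is which cipher actually protects a given key file on disk, which the man page text alone cannot tell you. The following is an added example, not part of the bug report or of OpenSSH, that reads the cipher name from the two containers ssh-keygen writes: the legacy PEM container, where OpenSSL's `DEK-Info:` header names the cipher (`DES-EDE3-CBC` for 3DES, `AES-128-CBC` for the 128-bit AES the ssh-keygen(1) page describes), and the newer `openssh-key-v1` container, where the cipher name is the first field inside the base64 payload. The sample key files are constructed for the example and contain no real key material; the `build_openssh_v1_sample` helper only emits the header fields needed to exercise the parser.

```python
"""Report which cipher protects an OpenSSH private key file.

Added example, not code from OpenSSH or from the bug report. It inspects the
key container header only and never needs the passphrase. Sample inputs are
constructed and hold no real key material.
"""
import base64
import re
import struct

# OpenSSL writes the PEM cipher name in a "DEK-Info: <cipher>,<iv>" header.
PEM_DEK_RE = re.compile(r"^DEK-Info:\s*([A-Za-z0-9-]+),", re.MULTILINE)
OPENSSH_MAGIC = b"openssh-key-v1\x00"


def _read_ssh_string(buf: bytes, offset: int):
    """Read one SSH wire-format string (uint32 big-endian length prefix)."""
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def key_file_cipher(text: str) -> str:
    """Return the cipher name protecting the key, or 'none' if unencrypted."""
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in text:
        body = "".join(l for l in text.splitlines() if not l.startswith("-----"))
        blob = base64.b64decode(body)
        if not blob.startswith(OPENSSH_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        # Layout: magic, string ciphername, string kdfname, string kdfoptions, ...
        cipher, _ = _read_ssh_string(blob, len(OPENSSH_MAGIC))
        return cipher.decode("ascii")
    if "Proc-Type: 4,ENCRYPTED" in text:
        match = PEM_DEK_RE.search(text)
        if not match:
            raise ValueError("encrypted PEM key without DEK-Info header")
        return match.group(1)
    if "PRIVATE KEY-----" in text:
        return "none"  # PEM container with no encryption headers
    raise ValueError("unrecognised key file")


def uses_weak_cipher(cipher: str) -> bool:
    """True when the key is protected by 3DES, the cipher the old ssh(1) text named."""
    return cipher.upper() in {"DES-EDE3-CBC", "3DES-CBC"}


# Constructed legacy-PEM sample: headers are in the real shape, body is filler.
PEM_AES_SAMPLE = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,0123456789ABCDEF0123456789ABCDEF

AAAA
-----END RSA PRIVATE KEY-----
"""


def _ssh_string(data: bytes) -> bytes:
    return struct.pack(">I", len(data)) + data


def build_openssh_v1_sample(cipher: bytes) -> str:
    """Construct a minimal openssh-key-v1 header (no key sections) for testing."""
    blob = (OPENSSH_MAGIC + _ssh_string(cipher) + _ssh_string(b"bcrypt")
            + _ssh_string(b"") + struct.pack(">I", 1))
    b64 = base64.b64encode(blob).decode("ascii")
    lines = [b64[i:i + 70] for i in range(0, len(b64), 70)]
    return ("-----BEGIN OPENSSH PRIVATE KEY-----\n" + "\n".join(lines)
            + "\n-----END OPENSSH PRIVATE KEY-----\n")


if __name__ == "__main__":
    for label, sample in [("pem", PEM_AES_SAMPLE),
                          ("openssh", build_openssh_v1_sample(b"aes256-ctr"))]:
        cipher = key_file_cipher(sample)
        print(label, cipher, "WEAK" if uses_weak_cipher(cipher) else "ok")
```

To check a real key, read the file into `key_file_cipher`; a `DES-EDE3-CBC` result means the key predates the switch this report describes and can be re-encrypted with `ssh-keygen -p`.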
