making the passphrase prompt more clear

mancha mancha1 at
Wed Sep 3 10:00:18 EST 2014

On Tue, Sep 02, 2014 at 04:11:52PM -0700, Eitan Adler wrote:
> On 2 September 2014 15:52, Aidan Feldman <aidan.feldman at>
> wrote:
> > I am going to preface this email by saying that I know very little
> > about OpenSSH internals, the protocol, etc.
> >
> > I do a lot of work with novice programmers, and one step that comes
> > up relatively early is generating SSH keys.  In case you haven't
> > done it in a while, the output looks like this:
> >
> > $ ssh-keygen -t rsa
> > Generating public/private rsa key pair.
> > Enter file in which to save the key (/Users/aidan/.ssh/id_rsa):
> > Enter passphrase (empty for no passphrase):
> >
> > When that last step comes up, I am regularly asked, "Does it mean
> > the system password, or a new one?"  A slight tweak of the language
> > could easily eliminate that confusion... something like "Enter
> > passphrase for the new key" or "Enter new passphrase".
> Perhaps "Enter new passphrase to encrypt the key (empty for no
> encryption):"
> This makes it clear that it needs to be a new phrase, and what it will
> be used for.

You might also consider helping your users get into the good habit of
reading documentation.

Not all software suites have good docs but OpenSSH does a pretty job of

Take for example this excerpt from the ssh-keygen manpage:

  "The program also asks for a passphrase. The passphrase may be empty
   to indicate no passphrase (host keys must have an empty passphrase),
   or it may be a string of arbitrary length. A passphrase is similar
   to a password, except it can be a phrase with a series of words,
   punctuation, numbers..."


More information about the openssh-unix-dev mailing list