From owner-freebsd-doc Sun Nov 11 6:10:17 2001
Date: Sun, 11 Nov 2001 06:10:02 -0800 (PST)
Message-Id: <200111111410.fABEA2A07967@freefall.freebsd.org>
To: freebsd-doc@freebsd.org
From: Martin Heinen
Subject: Re: docs/31899: Markup changes for chapter Security
Sender: owner-freebsd-doc@FreeBSD.ORG

The following reply was made to PR docs/31899; it has been noted by GNATS.
From: Martin Heinen
To: Giorgos Keramidas
Cc: FreeBSD-gnats-submit@FreeBSD.ORG
Subject: Re: docs/31899: Markup changes for chapter Security
Date: Sun, 11 Nov 2001 15:06:26 +0100

Giorgos Keramidas wrote:
> Martin Heinen wrote:
> >
> > >Description:
> > changed literal " to , indented a paragraph,
> > -> ,
> > info -> information,
> > grunt -> grunt,
> > added missing markup,
> > localhost -> localhost
>
> Please do not mix whitespace and content changes :(
> It is difficult to see the content changes when they are made at the
> same time with indentation or other whitespace fixes.

uups, thanks for reminding me to read the FDP-Primer regularly.
Attached is a diff without whitespace changes. I will send a new PR to fix line breaks and indentation. As Tom noted, the section about recognizing the crypt mechanism needs to be rewritten, so I dropped the corrections to this section.

Martin
--
Marxpitn

--Bn2rw/3z4jIqBvZU Content-Type: text/plain; charset=us-ascii Content-Disposition: attachment; filename="sec.diff" Index: chapter.sgml =================================================================== RCS file: /u/cvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v retrieving revision 1.96 diff -u -r1.96 chapter.sgml --- chapter.sgml 2001/10/29 11:02:50 1.96 +++ chapter.sgml 2001/11/11 11:17:28 @@ -1249,7 +1249,7 @@ s/key 97 fw13894 Password: - Or for OPIE: + Or for OPIE: &prompt.user; telnet example.com Trying 10.0.0.1... @@ -1345,7 +1345,7 @@ on the host name, user name, terminal port, or IP address of a login session. These restrictions can be found in the configuration file /etc/skey.access. The - &man.skey.access.5; manual page has more info on the complete + &man.skey.access.5; manual page has more information on the complete format of the file and also details some security cautions to be aware of before depending on this file for security. 
@@ -1460,7 +1460,7 @@ You should now edit the krb.conf and krb.realms files to define your Kerberos realm. In this case the realm will be EXAMPLE.COM and the - server is grunt.example.com. We edit or create + server is grunt.example.com. We edit or create the krb.conf file: &prompt.root; cat krb.conf @@ -2655,8 +2655,8 @@ elsewhere, and is not available for unrestricted use. IDEA is included in the OpenSSL sources in FreeBSD, but it is not built by default. If you wish to use it, and you comply with the - license terms, enable the MAKE_IDEA switch in /etc/make.conf and - rebuild your sources using 'make world'. + license terms, enable the MAKE_IDEA switch in /etc/make.conf and + rebuild your sources using make world. Today, the RSA algorithm is free for use in USA and other countries. In the past it was protected by a patent. @@ -2741,14 +2741,14 @@ From HOST B to HOST A, new AH and new ESP are combined. Now we should choose an algorithm to be used corresponding to - "AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man + AH/new AH/ESP/new ESP. Please refer to the &man.setkey.8; man page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH, and new-DES-expIV with 8 byte IV for new ESP. Key length highly depends on each algorithm. For example, key length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1, - and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", - "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively. + and 8 for new-DES-expIV. Now we choose MYSECRETMYSECRET, + KAMEKAMEKAMEKAMEKAME, PASSWORD, respectively. OK, let us assign SPI (Security Parameter Index) for each protocol. Please note that we need 3 SPIs for this secure channel since three 
@@ -2842,9 +2842,9 @@ fec0::10 -------------------- fec0::11 - Encryption algorithm is blowfish-cbc whose key is "kamekame", and - authentication algorithm is hmac-sha1 whose key is "this is the test - key". Configuration at Host-A: + Encryption algorithm is blowfish-cbc whose key is kamekame, and + authentication algorithm is hmac-sha1 whose key is this is the test + key. Configuration at Host-A: &prompt.root; setkey -c <<EOF @@ -2888,7 +2888,7 @@ Tunnel mode between two security gateways Security protocol is old AH tunnel mode, i.e. specified by - RFC1826, with keyed-md5 whose key is "this is the test" as + RFC1826, with keyed-md5 whose key is this is the test as authentication algorithm. @@ -2914,8 +2914,8 @@ EOF - If the port number field is omitted such as above then "[any]" is - employed. `-m' specifies the mode of SA to be used. "-m any" means + If the port number field is omitted such as above then [any] is + employed. -m specifies the mode of SA to be used. -m any means wild-card of mode of security protocol. You can use this SA for both tunnel and transport mode. @@ -3105,7 +3105,7 @@ created using rlogin or telnet. SSH utilizes a key fingerprint system for verifying the authenticity of the server when the - client connects. The user is prompted to enter 'yes' only when + client connects. The user is prompted to enter yes only when connecting for the first time. Future attempts to login are all verified against the saved fingerprint key. The SSH client will alert you if the saved fingerprint differs from the @@ -3132,7 +3132,7 @@ scp - The scp command works similarly to rcp; + The scp command works similarly to rcp; it copies a file to or from a remote machine, except in a secure fashion. 
@@ -3293,14 +3293,14 @@ - An SSH tunnel works by creating a listen socket on localhost + An SSH tunnel works by creating a listen socket on localhost on the specified port. It then forwards any connection received on the local host/port via the SSH connection to the specified remote host and port. In the example, port 5023 on - localhost is being forwarded to port - 23 on localhost of the remote + localhost is being forwarded to port + 23 on localhost of the remote machine. Since 23 is telnet, this would create a secure telnet session through an SSH tunnel. --Bn2rw/3z4jIqBvZU-- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
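Review bot: in the @@ -1249 hunk the - and + lines read identically here ("Or for OPIE:"), and in every later hunk the + line differs from the - line only by the dropped quotes or backticks, so the element the PR description says replaced them is not visible in this copy of the patch (the description itself shows the same loss: "changed literal " to ,"). Before committing, confirm that the sec.diff attachment as stored in GNATS still carries the opening and closing tags; a version with the quotes removed and no replacement markup would leave "make world", "yes", "-m any" and the IPsec keys rendered as plain running text.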
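Review bot: in the @@ -2842 hunk the hmac-sha1 key "this is the test key" is split across two source lines, and the + lines keep that break ("whose key is this is the test" / "key. Configuration at Host-A:") after removing the quotes. Once the quotes are gone, a key containing spaces has no visible boundary unless the replacement element renders distinctly, and an inline element spanning the line break also encloses the newline and indentation. Suggest keeping the whole key on one source line, e.g. "+ authentication algorithm is hmac-sha1 whose key is this is the test key." with the markup closing before the full stop, and checking the rendered page so a reader can see exactly where the key ends; the same applies to "this is the test" in the @@ -2888 hunk.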