From owner-svn-doc-projects@FreeBSD.ORG Mon Apr 29 12:44:23 2013
Delivered-To: svn-doc-projects@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
[IPv6:2001:1900:2254:206a::19:1])
by hub.freebsd.org (Postfix) with ESMTP id D4920923;
Mon, 29 Apr 2013 12:44:23 +0000 (UTC) (envelope-from dru@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
[IPv6:2001:1900:2254:2068::e6a:0])
by mx1.freebsd.org (Postfix) with ESMTP id C65661266;
Mon, 29 Apr 2013 12:44:23 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r3TCiNE7004917;
Mon, 29 Apr 2013 12:44:23 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost)
by svn.freebsd.org (8.14.6/8.14.5/Submit) id r3TCiN1H004916;
Mon, 29 Apr 2013 12:44:23 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201304291244.r3TCiN1H004916@svn.freebsd.org>
From: Dru Lavigne
Date: Mon, 29 Apr 2013 12:44:23 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41513 -
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security
X-SVN-Group: doc-projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-projects@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for doc projects trees
X-List-Received-Date: Mon, 29 Apr 2013 12:44:23 -0000
Author: dru
Date: Mon Apr 29 12:44:22 2013
New Revision: 41513
URL: http://svnweb.freebsd.org/changeset/doc/41513
Log:
First pass through this chapter. Due to its size, patch only addresses first 1/2 of chapter, fixing the following:
- &os;
- etc and you
- some acronym tags
- general tightening and grammo fixing
- removed note in 15.3 as this belongs in preface, not in a chapter
- fixed filesystems (which bled over into other part of chapter)
Approved by: gjb (mentor)
Modified:
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Sat Apr 27 14:18:12 2013 (r41512)
+++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Mon Apr 29 12:44:22 2013 (r41513)
@@ -24,31 +24,27 @@
Synopsis
- This chapter will provide a basic introduction to system
+ This chapter provides a basic introduction to system
security concepts, some general good rules of thumb, and some
- advanced topics under &os;. A lot of the topics covered here
- can be applied to system and Internet security in general as
- well. The Internet is no longer a friendly place
- in which everyone wants to be your kind neighbor. Securing your
- system is imperative to protect your data, intellectual
- property, time, and much more from the hands of hackers and the
- like.
-
- &os; provides an array of utilities and mechanisms to ensure
- the integrity and security of your system and network.
+ advanced topics under &os;. Many of the topics covered here
+ can be applied to system and Internet security in general.
+ Securing a system is imperative to protect data,
+ intellectual property, time, and much more from the hands of
+ hackers and the like.
+
+ &os; provides an array of utilities and mechanisms to
+ protect the integrity and security of the system and
+ network.After reading this chapter, you will know:
- Basic system security concepts, in respect to
- &os;.
+ Basic &os; system security concepts.
- About the various crypt mechanisms available in &os;,
- such as DES and
- MD5.
+ The various crypt mechanisms available in &os;.
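Review bot: the new learning objective "The various crypt mechanisms available in &os;" is vaguer than the text it replaces. Dropping the DES and MD5 examples is reasonable since both are legacy hashes, but "crypt mechanisms" on its own does not tell the reader that this is about password hashing. Suggest "The password hashing mechanisms supported by &man.crypt.3; in &os;" so the objective says what the body actually covers.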
@@ -61,41 +57,37 @@
- How to set up Kerberos5 on
+ How to set up Kerberos on
&os;.How to configure IPsec and create a
- VPN between &os;/&windows;
- machines.
+ VPN.
How to configure and use
- OpenSSH, &os;'s
- SSH implementation.
+ OpenSSH on &os;.
- What file system ACLs are and how to
- use them.
+ How to use filesystem ACLs.
- How to use the Portaudit
- utility to audit third party software packages installed
- from the Ports Collection.
+ How to use portaudit to
+ audit third party software packages installed from the
+ Ports Collection.
- How to utilize the &os; security advisories
- publications.
+ How to utilize &os; security advisories.
- Have an idea of what Process Accounting is and how to
- enable it on &os;.
+ What Process Accounting is and how to enable it on
+ &os;.
@@ -107,36 +99,26 @@
- Additional security topics are covered throughout this book.
- For example, Mandatory Access Control is discussed in and Internet Firewalls are discussed in .
+ Additional security topics are covered elsewhere in this
+ Handbook. For example, Mandatory Access Control is discussed in
+ and Internet firewalls are discussed in
+ .IntroductionSecurity is a function that begins and ends with the system
- administrator. While all BSD &unix; multi-user systems have
- some inherent security, the job of building and maintaining
- additional security mechanisms to keep those users
- honest is probably one of the single largest
- undertakings of the sysadmin. Machines are only as secure as
- you make them, and security concerns are ever competing with the
- human necessity for convenience. &unix; systems, in general,
- are capable of running a huge number of simultaneous processes
- and many of these processes operate as servers — meaning
- that external entities can connect and talk to them. As
- yesterday's mini-computers and mainframes become today's
- desktops, and as computers become networked and inter-networked,
- security becomes an even bigger issue.
+ administrator. While &os; provides some inherent security, the
+ job of configuring and maintaining additional security
+ mechanisms is probably one of the single largest undertakings of
+ the sysadmin.
System security also pertains to dealing with various forms
of attack, including attacks that attempt to crash, or otherwise
make a system unusable, but do not attempt to compromise the
- root account (break root).
- Security concerns can be split up into several
- categories:
+ root account. Security concerns can be
+ split up into several categories:
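Review bot: the rewritten introduction mixes "system administrator" in the unchanged opening sentence with "the sysadmin" in the replacement "is probably one of the single largest undertakings of the sysadmin"; pick one term and use it for the whole chapter. Separately, cutting the explanation that &unix; systems run many processes as servers to which external entities can connect removes the only statement of why network-exposed services are the attack surface the rest of the chapter keeps returning to; consider keeping one tightened sentence of it.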
@@ -148,7 +130,7 @@
- Root compromise through accessible servers.
+ Root compromise through accessible services.
@@ -171,50 +153,36 @@
Denial of Service (DoS)
- A denial of service attack is an action that deprives the
- machine of needed resources. Typically, DoS attacks are
- brute-force mechanisms that attempt to crash or otherwise make a
- machine unusable by overwhelming its servers or network stack.
- Some DoS attacks try to take advantage of bugs in the networking
- stack to crash a machine with a single packet. The latter can
- only be fixed by applying a bug fix to the kernel. Attacks on
- servers can often be fixed by properly specifying options to
+ A Denial of Service DoS attack is an
+ action that deprives the machine of needed resources.
+ Typically, DoS attacks are brute-force
+ mechanisms that attempt to crash or otherwise make a machine
+ unusable by overwhelming its services or network stack. Attacks
+ on servers can often be fixed by properly specifying options to
limit the load the servers incur on the system under adverse
conditions. Brute-force network attacks are harder to deal
- with. A spoofed-packet attack, for example, is nearly
- impossible to stop, short of cutting your system off from the
- Internet. It may not be able to take your machine down, but it
- can saturate your Internet connection.
+ with. This type of attack may not be able to take the machine
+ down, but it can saturate the Internet connection.securityaccount compromises
- A user account compromise is even more common than a DoS
- attack. Many sysadmins still run standard
- telnetd,
- rlogind,
- rshd, and
- ftpd servers on their machines.
- These servers, by default, do not operate over encrypted
- connections. The result is that if you have any moderate-sized
- user base, one or more of your users logging into your system
- from a remote location (which is the most common and convenient
- way to login to a system) will have his or her password sniffed.
- The attentive system admin will analyze his remote access logs
- looking for suspicious source addresses even for successful
- logins.
-
- One must always assume that once an attacker has access to a
- user account, the attacker can break root.
- However, the reality is that in a well secured and maintained
- system, access to a user account does not necessarily give the
- attacker access to root. The distinction
- is important because without access to root
- the attacker cannot generally hide his tracks and may, at best,
- be able to do nothing more than mess with the user's files, or
- crash the machine. User account compromises are very common
+ A user account compromise is more common than a
+ DoS attack. Many sysadmins still run
+ unencrypted services, meaning that users logging into the
+ system from a remote location are vulnerable to having their
+ password sniffed. The attentive sysadmin analyzes the
+ remote access logs looking for suspicious source addresses and
+ suspicious logins.
+
+ In a well secured and maintained system, access to a user
+ account does not necessarily give the attacker access to
+ root. Without root
+ access, the attacker cannot generally hide his tracks and may,
+ at best, be able to do nothing more than mess with the user's
+ files or crash the machine. User account compromises are common
because users tend not to take the precautions that sysadmins
take.
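Review bot: the replacement drops two statements that carry the security content of these paragraphs. In the DoS paragraph, the removed sentences "Some DoS attacks try to take advantage of bugs in the networking stack to crash a machine with a single packet. The latter can only be fixed by applying a bug fix to the kernel" distinguish flooding from single-packet crash bugs and name the only remedy for the latter (patching the kernel); with them gone, the new "This type of attack may not be able to take the machine down" has no clear referent, since the spoofed-packet example it referred to was removed as well. In the account compromise paragraph, "One must always assume that once an attacker has access to a user account, the attacker can break root" is the defensive assumption the section is built on, and the new text keeps only the reassurance that a well maintained system may resist escalation. Suggest restoring both in tightened form, for example "Assume that an attacker who controls a user account can escalate to root; a well secured system makes this harder, not impossible."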
@@ -223,27 +191,14 @@
backdoors
- System administrators must keep in mind that there are
- potentially many ways to break root on a
- machine. The attacker may know the root
- password, the attacker may find a bug in a root-run server and
- be able to break root over a network
- connection to that server, or the attacker may know of a bug in
- a suid-root program that allows the attacker to break
- root once he has broken into a user's
- account. If an attacker has found a way to break
- root on a machine, the attacker may not
- have a need to install a backdoor. Many of the
- root holes found and closed to date involve
- a considerable amount of work by the attacker to cleanup after
- himself, so most attackers install backdoors. A backdoor
- provides the attacker with a way to easily regain
- root access to the system, but it also
- gives the smart system administrator a convenient way to detect
- the intrusion. Making it impossible for an attacker to install
- a backdoor may actually be detrimental to your security, because
- it will not close off the hole the attacker found to break in
- the first place.
+ There are potentially many ways to break
+ root: the attacker may know the
+ root password, the attacker may exploit a
+ bug in a service which runs as root, or the
+ attacker may know of a bug in a SUID-root program. An attacker
+ may utilize a program known as a backdoor to search for
+ vulnerable systems, take advantage of unpatched exploits to
+ access a system, and hide traces of illegal activity.Security remedies should always be implemented with a
multi-layered onion peel approach and can be
@@ -251,26 +206,26 @@
- Securing root and staff
+ Secure root and staff
accounts.
- Securing root–run servers
- and suid/sgid binaries.
+ Secure root–run servers
+ and SUID/SGID binaries.
- Securing user accounts.
+ Secure user accounts.
- Securing the password file.
+ Secure the password file.
- Securing the kernel core, raw devices, and
- file systems.
+ Secure the kernel core, raw devices, and
+ filesystems.
@@ -283,8 +238,7 @@
- The next section of this chapter will cover the above bullet
- items in greater depth.
+ The next section covers these items in greater depth.
@@ -295,254 +249,141 @@
securing &os;
-
- Command Versus Protocol
-
- Throughout this document, we will use
- bold text to refer to an
- application, and a monospaced font to refer
- to specific commands. Protocols will use a normal font. This
- typographical distinction is useful for instances such as ssh,
- since it is a protocol as well as command.
-
-
- The sections that follow will cover the methods of securing
- your &os; system that were mentioned in the last section of this
- chapter.
+ This section describes methods for securing a &os; system
+ against the attacks that were mentioned in the previous section.
- Securing the root Account and
- Staff Accounts
+ Securing the root Accountsu
- First off, do not bother securing staff accounts if you
- have not secured the root account. Most
+ Most
systems have a password assigned to the
- root account. The first thing you do is
- assume that the password is always
- compromised. This does not mean that you should remove the
- password. The password is almost always necessary for console
- access to the machine. What it does mean is that you should
- not make it possible to use the password outside of the
- console or possibly even with the &man.su.1; command. For
- example, make sure that your ptys are specified as being
- insecure in the /etc/ttys file so that
- direct root logins via
- telnet or rlogin are
- disallowed. If using other login services such as
- sshd, make sure that direct
- root logins are disabled there as well.
- You can do this by editing your
- /etc/ssh/sshd_config file, and making
- sure that PermitRootLogin is set to
- no. Consider every access method —
- services such as FTP often fall through the cracks. Direct
- root logins should only be allowed via
- the system console.
+ root account. Assume that this password
+ is always at risk of being compromised.
+ This does not mean that the password should be disabled as the
+ password is almost always necessary for console access to the
+ machine. However, it should not be possible to use this
+ password outside of the console or possibly even with
+ &man.su.1;. For example, setting the entries in
+ /etc/ttys to insecure
+ prevents root logins to the specified
+ terminals. In &os;, root logins using
+ &man.ssh.1; are disabled by default as
+ PermitRootLogin is set to
+ no in
+ /etc/ssh/sshd_config. Consider every
+ access method as services such as FTP often fall through the
+ cracks. Direct root logins should only
+ be allowed via the system console.wheel
- Of course, as a sysadmin you have to be able to get to
- root, so we open up a few holes. But we
- make sure these holes require additional password verification
- to operate. One way to make root
- accessible is to add appropriate staff accounts to the
- wheel group (in
- /etc/group). The staff members placed in
- the wheel group are allowed to
- su to root. You
- should never give staff members native
- wheel access by putting them in the
- wheel group in their password entry.
- Staff accounts should be placed in a
- staff group, and then added to the
- wheel group via the
- /etc/group file. Only those staff
- members who actually need to have root
- access should be placed in the wheel
- group. It is also possible, when using an authentication
- method such as Kerberos, to use Kerberos'
- .k5login file in the
- root account to allow a &man.ksu.1; to
- root without having to place anyone at
- all in the wheel group. This may be
- the better solution since the wheel
- mechanism still allows an intruder to break
- root if the intruder has gotten hold of
- your password file and can break into a staff account. While
- having the wheel mechanism is better
- than having nothing at all, it is not necessarily the safest
- option.
+ Since a sysadmin needs access to
+ root, additional password verification
+ should be configured. One method is to add appropriate user
+ accounts to wheel in
+ /etc/group. Members of
+ wheel are allowed to
+ &man.su.1; to root. Only
+ those users who actually need to have
+ root access should be placed in
+ wheel. When using Kerberos for
+ authentication, create a .k5login in
+ the home directory of root to allow
+ &man.ksu.1; to be used without having to place anyone in
+ wheel.
- To lock an account completely, the &man.pw.8; command
- should be used:
+ To lock an account completely, use &man.pw.8;:&prompt.root; pw lock staff
- This will prevent the user from logging in using any
- mechanism, including &man.ssh.1;.
+ This will prevent the specified user from logging in using
+ any mechanism, including &man.ssh.1;.Another method of blocking access to accounts would be to
replace the encrypted password with a single
* character. This character
- would never match the encrypted password and thus block user
- access. For example, the following staff account:
+ would never match the encrypted password and thus blocks user
+ access. For example, the entry for the following
+ account:
foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh
- Should be changed to this:
+ could be changed to this using &man.vipw.8;:foobar:*:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh
- This will prevent the foobar user
- from logging in using conventional methods. This method for
- access restriction is flawed on sites using
+ This prevents foobar from logging in
+ using conventional methods. This method for access
+ restriction is flawed on sites using
Kerberos or in situations where the
user has set up keys with &man.ssh.1;.
- These security mechanisms also assume that you are logging
+ These security mechanisms assume that users are logging
in from a more restrictive server to a less restrictive
- server. For example, if your main box is running all sorts of
- servers, your workstation should not be running any. In order
- for your workstation to be reasonably secure you should run as
- few servers as possible, up to and including no servers at
- all, and you should run a password-protected screen blanker.
- Of course, given physical access to a workstation an attacker
- can break any sort of security you put on it. This is
- definitely a problem that you should consider, but you should
- also consider the fact that the vast majority of break-ins
- occur remotely, over a network, from people who do not have
- physical access to your workstation or servers.
-
- Using something like Kerberos also gives you the ability
- to disable or change the password for a staff account in one
- place, and have it immediately affect all the machines on
- which the staff member may have an account. If a staff
- member's account gets compromised, the ability to instantly
- change his password on all machines should not be underrated.
- With discrete passwords, changing a password on N machines can
- be a mess. You can also impose re-passwording restrictions
- with Kerberos: not only can a Kerberos ticket be made to
- timeout after a while, but the Kerberos system can require
- that the user choose a new password after a certain period of
- time (say, once a month).
+ server. For example, if the server is running network
+ services, the workstation should not be running any. In
+ order for a workstation to be reasonably secure, run zero or
+ as few services as possible and run a password-protected
+ screensaver. Of course, given physical access to any system,
+ an attacker can break any sort of security. Fortunately,
+ many break-ins occur remotely, over a network,
+ from people who do not have physical access to the
+ system.
+
+ Using Kerberos provides the ability to disable or change
+ the password for a user in one place, and have it immediately
+ affect all the machines on which the user has an account. If
+ an account is compromised, the ability to instantly change the
+ associated password on all machines should not be underrated.
+ Additional restrictions can be imposed with Kerberos: a
+ Kerberos ticket can be configured to timeout and the Kerberos
+ system can require that the user choose a new password after a
+ configurable period of time.Securing Root-run Servers and SUID/SGID Binaries
- ntalk
-
-
- comsat
-
-
- finger
-
- sandboxessshd
-
- telnetd
-
-
- rshd
-
-
- rlogind
-
- The prudent sysadmin only runs the servers he needs to, no
- more, no less. Be aware that third party servers are often
- the most bug-prone. For example, running an old version of
- imapd or
- popper is like giving a universal
- root ticket out to the entire world.
- Never run a server that you have not checked out carefully.
- Many servers do not need to be run as
- root. For example, the
- ntalk,
- comsat, and
- finger daemons can be run in
- special user sandboxes. A sandbox is
- not perfect, unless you go through a large amount of trouble,
- but the onion approach to security still stands: If someone is
- able to break in through a server running in a sandbox, they
- still have to break out of the sandbox. The more layers the
- attacker must break through, the lower the likelihood of his
- success. Root holes have historically been found in virtually
- every server ever run as root, including
- basic system servers. If you are running a machine through
- which people only login via sshd
- and never login via telnetd or
- rshd or
- rlogind, then turn off those
- services!
-
- &os; now defaults to running
- ntalkd,
- comsat, and
- finger in a sandbox. Another
- program which may be a candidate for running in a sandbox is
- &man.named.8;. /etc/defaults/rc.conf
- includes the arguments necessary to run
- named in a sandbox in a
- commented-out form. Depending on whether you are installing a
- new system or upgrading an existing system, the special user
- accounts used by these sandboxes may not be installed. The
- prudent sysadmin would research and implement sandboxes for
- servers whenever possible.
+ The prudent sysadmin only enables required services
+ and is aware that third party servers are often the most
+ bug-prone. Never run a server that has not been checked
+ out carefully. Think twice before running any service as
+ root as many daemons can be run as a
+ separate service account or can be started in a
+ sandbox. Do not activate insecure
+ services such as telnetd or
+ rlogind.
-
- sendmail
-
-
- There are a number of other servers that typically do not
- run in sandboxes: sendmail,
- popper,
- imapd,
- ftpd, and others. There are
- alternatives to some of these, but installing them may require
- more work than you are willing to perform (the convenience
- factor strikes again). You may have to run these servers as
- root and rely on other mechanisms to
- detect break-ins that might occur through them.
-
- The other big potential root holes in
- a system are the suid-root and sgid binaries installed on the
- system. Most of these binaries, such as
+ Another potential security hole is SUID-root and SGID
+ binaries. Most of these binaries, such as
rlogin, reside in /bin, /sbin, /usr/bin, or /usr/sbin. While nothing is
- 100% safe, the system-default suid and sgid binaries can be
- considered reasonably safe. Still, root
- holes are occasionally found in these binaries. A
- root hole was found in
- Xlib in 1998 that made
- xterm (which is typically suid)
- vulnerable. It is better to be safe than sorry and the
- prudent sysadmin will restrict suid binaries, that only staff
- should run, to a special group that only staff can access, and
- get rid of (chmod 000) any suid binaries
- that nobody uses. A server with no display generally does not
- need an xterm binary. Sgid
- binaries can be almost as dangerous. If an intruder can break
- an sgid-kmem binary, the intruder might be able to read
+ 100% safe, the system-default SUID and SGID binaries can be
+ considered reasonably safe. It is recommended to restrict
+ SUID binaries to a special group that only staff can access,
+ and to delete any unused SUID binaries. SGID binaries can be
+ almost as dangerous. If an intruder can break an SGID-kmem
+ binary, the intruder might be able to read
/dev/kmem and thus read the encrypted
- password file, potentially compromising any passworded
- account. Alternatively an intruder who breaks group
+ password file, potentially compromising user accounts.
+ Alternatively, an intruder who breaks group
kmem can monitor keystrokes sent through
ptys, including ptys used by users who login through secure
methods. An intruder that breaks the
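Review bot: the wheel paragraph loses the caveat that motivated the .k5login alternative. The removed text "the wheel mechanism still allows an intruder to break root if the intruder has gotten hold of your password file and can break into a staff account" explained why wheel membership plus su is only a second password check, and the replacement "additional password verification should be configured. One method is to add appropriate user accounts to wheel" no longer says what that verification is (su still prompts for the root password). Restore one sentence saying that su requires the root password and that a stolen password file defeats this check. Other points in this hunk: "PermitRootLogin is set to no in /etc/ssh/sshd_config" should read "defaults to no" if the shipped file carries the directive as a commented-out default, and the reader can confirm the effective value with sshd -T. "Fortunately, many break-ins occur remotely" reads as if remote break-ins were good news; the removed "the vast majority of break-ins occur remotely" made the point about physical access more clearly. "delete any unused SUID binaries" is stronger than the original chmod 000, and deleting base system files is simply reversed by the next installworld, so prefer chmod 000 or clearing the setuid bit and tell the reader how to enumerate candidates (find / -perm -4000 -type f). Finally, the root-run servers rewrite drops the concrete pointer that /etc/defaults/rc.conf carries the commented-out arguments for running named in a sandbox; "can be started in a sandbox" is no longer actionable without it.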
@@ -558,226 +399,203 @@
Securing User AccountsUser accounts are usually the most difficult to secure.
- While you can impose draconian access restrictions on your
- staff and star out their passwords, you may not
- be able to do so with any general user accounts you might
- have. If you do have sufficient control, then you may win out
- and be able to secure the user accounts properly. If not, you
- simply have to be more vigilant in your monitoring of those
- accounts. Use of ssh and Kerberos for user accounts is more
- problematic, due to the extra administration and technical
- support required, but still a very good solution compared to a
- encrypted password file.
+ Be vigilant in the monitoring of user accounts. Use of
+ &man.ssh.1; and Kerberos for user accounts
+ requires extra administration and technical support, but
+ provides a good solution compared to an encrypted password
+ file.Securing the Password FileThe only sure fire way is to star out as many passwords as
- you can and use ssh or Kerberos for access to those accounts.
- Even though the encrypted password file
- (/etc/spwd.db) can only be read by
- root, it may be possible for an intruder
- to obtain read access to that file even if the attacker cannot
- obtain root-write access.
+ possible and use &man.ssh.1; or Kerberos
+ for access to those accounts. Even though the encrypted
+ password file (/etc/spwd.db) can only be
+ read by root, it may be possible for an
+ intruder to obtain read access to that file even if the
+ attacker cannot obtain root-write access.
- Your security scripts should always check for and report
- changes to the password file (see the Security scripts should be used to check for and report
+ changes to the password file as described in the Checking file integrity
- section below).
+ section.
Securing the Kernel Core, Raw Devices, and
- File Systems
+ Filesystems
- If an attacker breaks root he can do
- just about anything, but there are certain conveniences. For
- example, most modern kernels have a packet sniffing device
- driver built in. Under &os; it is called the
- bpf device. An intruder will
- commonly attempt to run a packet sniffer on a compromised
- machine. You do not need to give the intruder the capability
- and most systems do not have the need for the
- bpf device compiled in.
+ Most modern kernels have a packet sniffing device driver
+ built in. Under &os; it is called
+ bpf. This device is needed for DHCP,
+ but can be removed in the custom kernel configuration file of
+ systems that do not provide or use DHCP.sysctl
- But even if you turn off the bpf
- device, you still have /dev/mem and
- /dev/kmem to worry about. For that
- matter, the intruder can still write to raw disk devices.
- Also, there is another kernel feature called the module
- loader, &man.kldload.8;. An enterprising intruder can use a
- KLD module to install his own bpf
- device, or other sniffing device, on a running kernel. To
- avoid these problems you have to run the kernel at a higher
- secure level, at least securelevel 1.
-
- The secure level of the kernel can be set in a variety of
- ways. The simplest way of raising the secure level of a
- running kernel is through a sysctl on the
- kern.securelevel kernel variable:
+ Even if bpf is disabled,
+ /dev/mem and
+ /dev/kmem are still problematic. An
+ intruder can still write to raw disk devices. An enterprising
+ intruder can use &man.kldload.8; to install his own
+ bpf, or another sniffing device, on a
+ running kernel. To avoid these problems, run the kernel at a
+ higher security level, at least security level 1.
+
+ The security level of the kernel can be set in a variety
+ of ways. The simplest way of raising the security level of a
+ running kernel is to set
+ kern.securelevel:&prompt.root; sysctl kern.securelevel=1
- By default, the &os; kernel boots with a secure level of
- -1. The secure level will remain at -1 unless it is altered,
- either by the administrator or by &man.init.8; because of a
- setting in the start up scripts. The secure level may be
- raised during system startup by setting the
- kern_securelevel_enable variable to
- YES in the
- /etc/rc.conf file, and the value of the
- kern_securelevel variable to the desired
- secure level.
-
- The default secure level of a &os; system right after the
- startup scripts are done is -1. This is called
- insecure mode because immutable file flags may
- be turned off, all devices may be read from or written to, and
- so on.
+ By default, the &os; kernel boots with a security level of
+ -1. This is called insecure mode because
+ immutable file flags may be turned off and all devices may be
+ read from or written to. The security level will remain at -1
+ unless it is altered, either by the administrator or by
+ &man.init.8;, because of a setting in the startup scripts.
+ The security level may be raised during system startup by
+ setting
+ kern_securelevel_enable to
+ YES in /etc/rc.conf,
+ and the value of kern_securelevel to the
+ desired security level.
- Once the secure level is set to 1 or a higher value, the
+ Once the security level is set to 1 or a higher value, the
append-only and immutable files are honored, they cannot be
- turned off, and access to raw devices will be denied. Higher
+ turned off, and access to raw devices is denied. Higher
levels restrict even more operations. For a full description
- of the effect of various secure levels, please read the
- &man.security.7; manual page.
+ of the effect of various security levels, refer to
+ &man.security.7; and &man.init.8;.
- Bumping the secure level to 1 or higher may cause a few
- problems to X11 (access to /dev/io will
- be blocked), or to the installation of &os; built from
- source (the installworld part of
- the process needs to temporarily reset the append-only and
- immutable flags of some files), and in a few other cases.
- Sometimes, as in the case of X11, it may be possible to work
- around this by starting &man.xdm.1; pretty early in the boot
- process, when the securelevel is still low enough.
- Workarounds like this may not be possible for all secure
+ Bumping the security level to 1 or higher may cause a
+ few
+ problems to &xorg;, as access to
+ /dev/io will be blocked, or to the
+ installation of &os; built from source as
+ installworld needs to temporarily
+ reset the append-only and immutable flags of some files.
+ In the case of &xorg;, it may be
+ possible to work around this by starting &man.xdm.1; early
+ in the boot process, when the security level is still low
+ enough. Workarounds may not be possible for all secure
levels or for all the potential restrictions they enforce.
A bit of forward planning is a good idea. Understanding the
- restrictions imposed by each secure level is important as
+ restrictions imposed by each security level is important as
they severely diminish the ease of system use. It will also
make choosing a default setting much simpler and prevent any
surprises.
- If the kernel's secure level is raised to 1 or a higher
+ If the kernel's security level is raised to 1 or a higher
value, it may be useful to set the schg
- flag on critical startup binaries, directories, and script
- files (i.e., everything that gets run up to the point where
- the securelevel is set). This might be overdoing it, and
- upgrading the system is much more difficult when it operates
- at a high secure level. A less strict compromise is to run
- the system at a higher secure level but skip setting the
- schg flag for every system file and
- directory under the sun. Another possibility is to simply
+ flag on critical startup binaries, directories, script
+ files, and everything that gets run up to the point where
+ the security level is set. A less strict compromise is to run
+ the system at a higher security level but skip setting the
+ schg flag. Another possibility is to
mount / and /usr read-only. It should be
noted that being too draconian about what is permitted may
- prevent the all-important detection of an intrusion.
+ prevent detection of an intrusion.
- Checking File Integrity: Binaries, Configuration Files,
- Etc.
+ Checking File Integrity
- When it comes right down to it, you can only protect your
- core system configuration and control files so much before the
- convenience factor rears its ugly head. For example, using
- chflags to set the schg
- bit on most of the files in / and One can only protect the core system configuration and
+ control files so much before the convenience factor rears its
+ ugly head. For example, using &man.chflags.1; to
+ set the schg bit on most of the files in
+ / and /usr is probably
counterproductive, because while it may protect the files, it
- also closes a detection window. The last layer of your
- security onion is perhaps the most important —
- detection. The rest of your security is pretty much useless
- (or, worse, presents you with a false sense of security) if
- you cannot detect potential intrusions. Half the job of the
- onion is to slow down the attacker, rather than stop him, in
- order to be able to catch him in the act.
+ also closes an intrusion detection window. Security measures
+ are useless or, worse, present a false sense of security, if
+ potential intrusions cannot be detected. Half the job of
+ security is to slow down, not stop, an attacker, in order to
+ catch him in the act.
The best way to detect an intrusion is to look for
modified, missing, or unexpected files. The best way to look
- for modified files is from another (often centralized)
+ for modified files is from another, often centralized,
limited-access system. Writing your security scripts on the
- extra-secure limited-access system makes them mostly invisible
- to potential attackers, and this is important. In order to
- take maximum advantage you generally have to give the
- limited-access box significant access to the other machines in
- the business, usually either by doing a read-only NFS export
- of the other machines to the limited-access box, or by setting
- up ssh key-pairs to allow the limited-access box to ssh to the
- other machines. Except for its network traffic, NFS is the
- least visible method — allowing you to monitor the file
- systems on each client box virtually undetected. If your
- limited-access server is connected to the client boxes through
- a switch, the NFS method is often the better choice. If your
- limited-access server is connected to the client boxes through
- a hub, or through several layers of routing, the NFS method
- may be too insecure (network-wise) and using ssh may be the
- better choice even with the audit-trail tracks that ssh
- lays.
-
- Once you have given a limited-access box at least read
- access to the client systems it is supposed to monitor, you
- must write scripts to do the actual monitoring. Given an NFS
- mount, you can write scripts out of simple system utilities
- such as &man.find.1; and &man.md5.1;. It is best to
- physically md5 the client-box files at least once a day, and
+ extra-security limited-access system makes them mostly
+ invisible
+ to potential attackers. In order to take maximum advantage,
+ the limited-access box needs significant access to the other
+ machines, usually either through a read-only
+ NFS export or by setting up
+ &man.ssh.1; key-pairs. Except for its
+ network traffic, NFS is the least visible
+ method, allowing the administrator to monitor the filesystems
+ on each client box virtually undetected. If a limited-access
+ server is connected to the client boxes through
+ a switch, the NFS method is often the
+ better choice. If a limited-access server is connected to the
+ client boxes through several layers of routing, the
+ NFS method may be too insecure and
+ &man.ssh.1; may be the better
+ choice.
+
+ Once a limited-access box has been given at least read
+ access to the client systems it is supposed to monitor, create
+ the monitoring scripts. Given an NFS
+ mount, write scripts out of simple system utilities such as
+ &man.find.1; and &man.md5.1;. It is best to physically
+ &man.md5.1; the client system's files at least once a day, and
to test control files such as those found in /etc and /usr/local/etc even more often.
When mismatches are found, relative to the base md5
information the limited-access machine knows is valid, it
- should scream at a sysadmin to go check it out. A good
- security script will also check for inappropriate suid
- binaries and for new or deleted files on system partitions
- such as / and / and /usr.
- When using ssh rather than NFS, writing the security
- script is much more difficult. You essentially have to
- scp the scripts to the client box in order
- to run them, making them visible, and for safety you also need
- to scp the binaries (such as find) that
- those scripts use. The ssh client
- on the client box may already be compromised. All in all,
- using ssh may be necessary when running over insecure links,
- but it is also a lot harder to deal with.
-
- A good security script will also check for changes to user
- and staff members access configuration files:
- .rhosts, .shosts,
- .ssh/authorized_keys and so forth, files
- that might fall outside the purview of the
+ When using &man.ssh.1; rather than
+ NFS, writing the security script is more
+ difficult. For example, &man.scp.1; is needed to
+ send the scripts to the client box in order to run them. The
+ &man.ssh.1; client
+ on the client box may already be compromised. Using
+ &man.ssh.1; may be necessary when running
+ over insecure links, but it is harder to deal with.
+
+ A good security script will also check for changes to
+ hidden configuration files, such as
+ .rhosts and
+ .ssh/authorized_keys, as these files
+ might fall outside the purview of the
MD5 check.
- If you have a huge amount of user disk space, it may take
- too long to run through every file on those partitions. In
- this case, setting mount flags to disallow suid binaries is a
- good idea. The nosuid option (see
- &man.mount.8;) is what you want to look into. You should
- probably scan them anyway, at least once a week, since the
- object of this layer is to detect a break-in attempt, whether
- or not the attempt succeeds.
+ For a large amount of user disk space, it may take too
+ long to run through every file on those partitions. In this
+ case, consider setting mount flags to disallow SUID binaries
+ by using nosuid with &man.mount.8;. Scan
+ these partitions at least once a week, since the objective is
+ to detect a break-in attempt, whether or not the attempt
+ succeeds.Process accounting (see &man.accton.8;) is a relatively
- low-overhead feature of the operating system which might help
- as a post-break-in evaluation mechanism. It is especially
- useful in tracking down how an intruder has actually broken
- into a system, assuming the file is still intact after the
- break-in has occurred.
+ low-overhead feature of &os; which might help as a
+ post-break-in evaluation mechanism. It is especially useful
+ in tracking down how an intruder broke into a system, assuming
+ the file is still intact after the break-in has
+ occurred.
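Review bot: the rename from "secure level" to "security level" is not carried through: the added line "enough. Workarounds may not be possible for all secure" still reads "secure levels" together with the unchanged line that follows it, while the added lines above and below use "security level"; pick one term for the whole section. Two smaller points in the same region: "extra-security limited-access system" should stay "extra-secure" (it is an adjective describing the system), and the rewritten &man.ssh.1; paragraph now says that &man.ssh.1; "is harder to deal with" without saying why, because the removed clause about also having to &man.scp.1; the binaries such as find that the scripts use was the justification; consider keeping a short clause such as "and the utilities the scripts depend on, such as find, must be sent along as well, since the client's own binaries may already be compromised".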
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
From owner-svn-doc-projects@FreeBSD.ORG Mon Apr 29 12:49:45 2013
Message-Id: <201304291249.r3TCnj71005895@svn.freebsd.org>
From: Dru Lavigne
Date: Mon, 29 Apr 2013 12:49:45 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41514 -
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip
Author: dru
Date: Mon Apr 29 12:49:45 2013
New Revision: 41514
URL: http://svnweb.freebsd.org/changeset/doc/41514
Log:
This patch addresses the following:
- you
- some acronym tags
This chapter needs much more work, further patches pending.
Approved by: gjb (mentor)
Modified:
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml
Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml
==============================================================================
--- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml Mon Apr 29 12:44:22 2013 (r41513)
+++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml Mon Apr 29 12:49:45 2013 (r41514)
@@ -125,7 +125,7 @@
An account with an Internet Service Provider
- (ISP) which you connect to using
+ (ISP) for connecting using
PPP.
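Review bot: "An account with an Internet Service Provider (ISP) for connecting using PPP." drops the relative clause and reads awkwardly; suggest "An account with an Internet Service Provider (ISP) that provides PPP access."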
@@ -156,7 +156,7 @@
password
- Your login name and password. (Either a
+ A login name and password. (Either a
regular &unix; style login and password pair, or a PAP
or CHAP login and password pair).
@@ -167,14 +167,14 @@
The IP address of one or more name servers.
- Normally, you will be given two IP addresses by your
- ISP. If they have not given you at
- least one, use the enable dns command
- in ppp.conf and
- ppp will set the name
- servers. This feature depends on the
- ISP's PPP
- implementation supporting DNS negotiation.
+ Normally, the ISP will provide two
+ IP addresses. If it has not provided any IP addresses,
+ include enable dns in
+ ppp.conf and
+ ppp will set the name servers. This
+ feature requires the ISP's
+ PPP implementation to support DNS
+ negotiation.
@@ -184,13 +184,13 @@
- The IP address of your ISP's
- gateway. The gateway is the machine to which you will
- connect and will be set up as your default
- route. If you do not have this
- information, we can make one up and your
+ The IP address of the ISP's
+ gateway. The gateway is the machine to connect to
+ and will be set up as the default
+ route. When in doubt, make one up and the
ISP's PPP server
- will tell us the correct value when we connect.
+ will set the correct value during connection
+ setup.This IP number is referred to as
HISADDR by
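Review bot: "When in doubt, make one up" loses the condition that the original stated, which was that the reader does not have the gateway address, and "make one up" on its own reads as careless advice for a network setting; suggest "If the ISP has not provided this address, use a placeholder address; the ISP's PPP server will set the correct value during connection setup."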
@@ -198,9 +198,8 @@
- The netmask you should use. If the
- ISP has not provided you with one,
- you can safely use The netmask. If the ISP has not
+ provided one, use 255.255.255.255.
@@ -215,8 +214,8 @@
- If you do not have any of the required information,
- contact your ISP.
+ If any of the required information is missing, contact
+ the ISP.Throughout this section, many of the examples showing
@@ -243,13 +242,10 @@
Examples can be found in /usr/share/examples/ppp/.
- Configuring ppp requires that you
- edit a number of files, depending on your requirements.
- What you put in them depends to some extent on whether your
- ISP allocates IP addresses statically
- (i.e., you get given one IP address, and always use that
- one) or dynamically (i.e., your IP address changes each time
- you connect).
+ Configuring ppp requires a number of
+ files to be edited, depending on the requirements and
+ whether the ISP allocates IP addresses
+ statically or dynamically.PPP and Static IP
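Review bot: the parenthetical glosses for static and dynamic allocation (one fixed IP address that is always used, versus an address that changes on each connection) were removed with the "you" wording, but they are the only place the chapter defines the two cases before the "PPP and Static IP" and dynamic IP sections rely on them; suggest keeping a short gloss, for example "statically (one IP address that is always used) or dynamically (the IP address changes with each connection)".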
@@ -260,9 +256,8 @@
with static IP addresses
- You will need to edit the
- /etc/ppp/ppp.conf configuration file.
- It should look similar to the example below.
+ Edit /etc/ppp/ppp.conf so that it
+ looks similar to the example below.Lines that end in a : start in
@@ -347,9 +342,10 @@
Line 5:
- Sets the speed you want to connect at. If
- 115200 does not work (it should with any reasonably
- new modem), try 38400 instead.
+ Sets the connection speed. If
+ 115200 does not work (it should
+ with any reasonably new modem), try
+ 38400 instead.
@@ -411,10 +407,10 @@
Identifies an entry for a provider called
provider. This could be changed
- to the name of your ISP so
- that later you can use the to start
- the connection.
+ to the name of the ISP so
+ that can be
+ used to start the connection.
@@ -427,17 +423,16 @@
colon (:) or pipe character
(|) as a separator. The
difference between the two separators is described
- in &man.ppp.8;. To summarize, if you want to rotate
- through the numbers, use a colon. If you want to
- always attempt to dial the first number first and
- only use the other numbers if the first number
- fails, use the pipe character. Always quote the
- entire set of phone numbers as shown.
-
- You must enclose the phone number in quotation
- marks (") if there is any
- intention on using spaces in the phone number.
- This can cause a simple, yet subtle error.
+ in &man.ppp.8;. To summarize, to rotate through the
+ numbers, use a colon. To always attempt to dial the
+ first number first and only use the other numbers if
+ the first number fails, use the pipe character.
+ Always quote the entire set of phone numbers as
+ shown.
+
+ The phone number must be enclosed in quotation
+ marks (") if there are any spaces
+ in the phone number.
@@ -460,10 +455,9 @@
PAPCHAP
- If you are using PAP or CHAP, there will be no
- login at this point, and this line should be
- commented out or removed. See PAP and CHAP
+ When using PAP or CHAP, there will be no login
+ and this line should be commented out or removed.
+ See PAP and CHAP
authentication for further details.The login string is of the same chat-like
@@ -476,11 +470,12 @@ login: foo
password: bar
protocol: ppp
- You will need to alter this script to suit your
- own needs. When you write this script for the first
- time, you should ensure that you have enabled
- chat logging so you can determine if
- the conversation is going as expected.
+ Replace the login and password values with
+ those required by the ISP. When
+ writing this script for the first time, ensure that
+ chat logging is enabled in order to
+ determine if the conversation is going as
+ expected.
@@ -492,10 +487,9 @@ protocol: ppp
Sets the default idle timeout (in seconds) for
the connection. Here, the connection will be closed
- automatically after 300 seconds of inactivity. If
- you never want to timeout, set this value to zero
- or use the command line
- switch.
+ automatically after 300 seconds of inactivity. To
+ never timeout, set this value to zero or use the
+ command line switch.
@@ -506,15 +500,15 @@ protocol: ppp
Sets the interface addresses. The string
x.x.x.x should be
- replaced by the IP address that your provider has
- allocated to you. The string
+ replaced by the IP address the provider has
+ allocated. The string
y.y.y.y should be
replaced by the IP address of the
ISP's gateway. If the ISP has
- not given you a gateway address, use 10.0.0.2/0. If you need to
- use a guessed address, make sure that
- you create an entry in
+ not provided a gateway address, use 10.0.0.2/0. When using a
+ guessed address, make sure to create
+ an entry in
/etc/ppp/ppp.linkup as per the
instructions for PPP
@@ -536,20 +530,19 @@ protocol: ppp
otherwise HISADDR will not yet
be initialized.
- If you do not wish to run ppp
- in mode, this line should be
- moved to the ppp.linkup
- file.
+ When ppp is not run in
+ mode, this line should be
+ moved to ppp.linkup.It is not necessary to add an entry to
- ppp.linkup when you have a static
- IP address and are running ppp in
- mode as your routing table entries
- are already correct before you connect. You may however
- wish to create an entry to invoke programs after
+ ppp.linkup when using a static
+ IP address with ppp in
+ mode as the routing table entries
+ are already correct before a connection is established.
+ However, an entry can be created to invoke programs after
connection. This is explained later with the sendmail
example.
@@ -572,7 +565,7 @@ protocol: ppp
IPCP
- If your service provider does not assign static IP
+ If the service provider does not assign static IP
addresses, ppp can be configured to
negotiate the local and remote addresses. This is done by
guessing an IP address and allowing
@@ -596,10 +589,9 @@ protocol: ppp
The number after the /
character is the number of bits of the address that
- ppp will insist on. You may wish
- to use IP numbers more appropriate to your
- circumstances, but the above example will always
- work.
+ ppp will insist on. These
+ IP numbers can be replaced, but the above example
+ will always work.The last argument (0.0.0.0)
tells PPP to start negotiations
@@ -614,8 +606,8 @@ protocol: ppp
- If you are not running in mode,
- you will need to create an entry in
+ When not running in mode,
+ create an entry in
/etc/ppp/ppp.linkup.
ppp.linkup is used after a connection
has been established. At this point,
@@ -672,15 +664,14 @@ protocol: ppp
receiving incoming calls
- When you configure ppp to
- receive incoming calls on a machine connected to a LAN,
- you must decide if you wish to forward packets to the LAN.
- If you do, you should allocate the peer an IP number from
- your LAN's subnet, and use the command enable
- proxy in your
- /etc/ppp/ppp.conf file. You should
- also confirm that the /etc/rc.conf
- file contains the following:
+ When configuring ppp to receive
+ incoming calls on a machine connected to a LAN, decide if
+ packets should be forwarded to the LAN. If so, allocate
+ the peer an IP number from the LAN's subnet and use
+ enable proxy in
+ /etc/ppp/ppp.conf. Also, confirm
+ that /etc/rc.conf contains the
+ following:gateway_enable="YES"
@@ -699,15 +690,15 @@ protocol: ppp
designed with dial-up lines in mind.
The advantages of using mgetty is
- that it actively talks to modems,
- meaning if port is turned off in
- /etc/ttys then your modem will not
- answer the phone.
+ that it actively talks to modems.
+ If the port is turned off in
+ /etc/ttys, the modem will not answer
+ the phone.
Later versions of mgetty (from
0.99beta onwards) also support the automatic detection of
- PPP streams, allowing your clients
- script-less access to your server.
+ PPP streams, allowing clients
+ scriptless access to the server.
Refer to Mgetty and
AutoPPP for more information on
@@ -718,16 +709,14 @@ protocol: ppp
PPP PermissionsThe ppp command must normally be
- run as the root user. If however,
- you wish to allow ppp to run in
- server mode as a normal user by executing
- ppp as described below, that user
- must be given permission to run ppp
- by adding them to the network
- group in /etc/group.
+ run as the root user. To give a
+ user permission to run ppp in server
+ mode, add their user account to the
+ network group in
+ /etc/group.
- You will also need to give them access to one or more
- sections of the configuration file using the
+ Then, give the account access to one or more sections
+ of the configuration file using the
allow command:allow users fred mary
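Review bot: "To give a user permission to run ppp in server mode, add their user account to the network group" mixes singular "a user" with plural "their", and the rewrite dropped the point that this is about running ppp as a normal (non-root) user, which is exactly why membership in the network group matters; suggest "To allow a non-root user to run ppp in server mode, add that user to the network group in /etc/group."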
@@ -769,12 +758,12 @@ exec /usr/sbin/ppp -direct $IDENT&prompt.root; ln -s ppp-shell /etc/ppp/ppp-dialup
- You should use this script as the
- shell for all of your dialup users.
- This is an example from /etc/passwd
- for a dialup PPP user with username
- pchilds (remember do not directly
- edit the password file, use &man.vipw.8;).
+ Use this script as the shell for
+ all dialup users. This is an example from
+ /etc/passwd for a dialup
+ PPP user with the username
+ pchilds. Do not directly edit this
+ file, use &man.vipw.8;.pchilds:*:1011:300:Peter Childs PPP:/home/ppp:/etc/ppp/ppp-dialup
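Review bot: "Do not directly edit this file, use &man.vipw.8;." is a comma splice; suggest "Do not edit this file directly; use &man.vipw.8; instead."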
@@ -803,10 +792,10 @@ exec /usr/sbin/ppp -direct $IDENTppp-shell.
- For example, if you have three dialup customers,
+ Consider three dialup customers,
fred, sam,
- and mary, that you route /24 CIDR
- networks for, you would type the following:
+ and mary. In order to route /24
+ CIDR networks, type the following:&prompt.root; ln -s /etc/ppp/ppp-shell /etc/ppp/ppp-fred
&prompt.root; ln -s /etc/ppp/ppp-shell /etc/ppp/ppp-sam
@@ -845,7 +834,7 @@ ttyu1:
for each session. For each dialup line enabled in
/etc/ttys create an entry similar
to the one for ttyu0: above. Each
- line should get a unique IP address from your pool of
+ line should get a unique IP address from the pool of
IP addresses for dynamic users.
@@ -855,10 +844,8 @@ ttyu1:
Along with the contents of the sample
/usr/share/examples/ppp/ppp.conf
- above you should add a section for each of the
- statically assigned dialup users. We will continue with
- our fred, sam,
- and mary example.
+ above, add a section for each of the statically assigned
+ dialup users:
fred:
set ifaddr 203.14.100.1 203.14.101.1 255.255.255.255
@@ -916,9 +903,9 @@ mary:
role="package">comms/mgetty+sendfax port on
his system.
- Make sure your
+ Make sure
/usr/local/etc/mgetty+sendfax/login.config
- file has the following in it:
+ has the following:/AutoPPP/ - - /etc/ppp/ppp-pap-dialup
@@ -953,8 +940,8 @@ exec /usr/sbin/ppp -direct pap$IDENTenable passwdauth
- If you wish to assign some users a static IP number,
- you can specify the number as the third argument in
+ To assign some users a static IP, specify the IP
+ address as the third argument in
/etc/ppp/ppp.secret. See
/usr/share/examples/ppp/ppp.secret.sample
for examples.
@@ -1015,8 +1002,8 @@ set nbns 203.14.100.5
that the authentication part of the connection is done
using either the PAP or CHAP authentication mechanism. If
this is the case, the ISP will not give
- a login: prompt when you connect, but
- will start talking PPP
+ a login: during connection, but will
+ start talking PPP
immediately.PAP is less secure than CHAP, but security is not
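Review bot: "the ISP will not give a login: during connection" lost the noun when "prompt" was removed; suggest "the ISP will not give a login: prompt during connection, but will start talking PPP immediately."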
@@ -1041,8 +1028,8 @@ set nbns 203.14.100.5
Line 13:
- This line specifies your PAP/CHAP user name.
- You will need to insert the correct value for
+ This line specifies the PAP/CHAP user name.
+ Insert the correct value for
MyUserName.
@@ -1052,10 +1039,10 @@ set nbns 203.14.100.5
password
- This line specifies your PAP/CHAP password.
- You will need to insert the correct value for
- MyPassword. You may
- want to add an additional line, such as:
+ This line specifies the PAP/CHAP password.
+ Insert the correct value for
+ MyPassword. An
+ additional line can be added, such as:16 accept PAP
@@ -1073,9 +1060,9 @@ set nbns 203.14.100.5
Line 15:
- Your ISP will not normally
- require you to log into the server when using PAP or
- CHAP. You must therefore disable your set
+ The ISP will not normally
+ require a login into the server when using PAP or
+ CHAP. Therefore, disable the set
login string.
@@ -1083,13 +1070,13 @@ set nbns 203.14.100.5
- Changing Your ppp Configuration
+ Changing the ppp Configuration
on the FlyIt is possible to talk to the ppp
program while it is running in the background, but only
if a suitable diagnostic port has been set up. To do
- this, add the following line to your configuration:
+ this, add the following line to the configuration:set server /var/run/ppp-tun%d DiagnosticPassword 0177
@@ -1127,8 +1114,8 @@ set nbns 203.14.100.5
ppp_nat, which is enabled by
default.
- If you use this feature, you may also find useful
- the following /etc/ppp/ppp.conf options
+ When using this feature, the following
+ /etc/ppp/ppp.conf options are useful
to enable incoming connections forwarding:nat port tcp 10.0.0.2:ftp ftp
@@ -1146,10 +1133,9 @@ nat port tcp 10.0.0.2:http httpPPPconfiguration
- You now have ppp configured, but
- there are a few more things to do before it is ready to
- work. They all involve editing the
- /etc/rc.conf file.
+ Now that ppp is configured, there are
+ a few more things to edit in
+ /etc/rc.conf.Working from the top down in this file, make sure the
hostname= line is set, e.g.:
@@ -1157,11 +1143,11 @@ nat port tcp 10.0.0.2:http httphostname="foo.example.com"If the ISP has supplied a static IP
- address and name, it is probably best that you use this name
- as your host name.
+ address and name, it is recommended to use this name as the
+ host name.Look for the network_interfaces
- variable. If you want to configure your system to dial your
+ variable. To configure the system to dial the
ISP on demand, make sure the
tun0 device is added to the list,
otherwise remove it.
@@ -1178,15 +1164,15 @@ ifconfig_tun0=
ppp -auto mysystemThis script is executed at network configuration time,
- starting your ppp daemon in
- mode. If you have a LAN for which
- this machine is a gateway, you may also wish to use the
+ starting the ppp daemon in
+ mode. If the machine functions as
+ a gateway for a LAN, consider using the
switch. Refer to the manual page
- for further details.
+ for details.
Make sure that the router program is set to
- NO with the following line in your
+ NO with the following line in
/etc/rc.conf:router_enable="NO"
@@ -1204,24 +1190,22 @@ ifconfig_tun0=
sendmail_flags line does not include the
option, otherwise
sendmail will attempt to do a network
- lookup every now and then, possibly causing your machine
- to dial out. You may try:
+ lookup every now and then, possibly causing the machine
+ to dial out. Try this command instead:
sendmail_flags="-bd"sendmail
- The downside of this is that you must force
- sendmail to re-examine the mail queue
- whenever the PPP link is up by
- typing:
+ The downside is that sendmail must be
+ forced to re-examine the mail queue whenever the
+ PPP link is up by typing:&prompt.root; /usr/sbin/sendmail -q
- You may wish to use the !bg command
- in ppp.linkup to do this
- automatically:
+ To automatically use the !bg command
+ in ppp.linkup:1 provider:
2 delete ALL
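Review bot: "Try this command instead:" introduces sendmail_flags="-bd", which is an /etc/rc.conf variable setting rather than a command; suggest "Try this setting instead:". Further down, "To automatically use the !bg command in ppp.linkup:" inverts the intent of the removed text, which was to use !bg in ppp.linkup so that the queue run happens automatically; suggest "To do this automatically, use the !bg command in ppp.linkup:".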
@@ -1232,20 +1216,20 @@ ifconfig_tun0=SMTP
- If you do not like this, it is possible to set up a
- dfilter to block SMTP traffic. Refer to the
- sample files for further details.
+ It is possible to set up a dfilter to
+ block SMTP traffic. Refer to the sample files for further
+ details.All that is left is to reboot the machine. After
- rebooting, you can now either type:
+ rebooting, either type:
&prompt.root; pppand then dial provider to start the
- PPP session, or, if you want
+ PPP session, or, to configure
ppp to establish sessions automatically
- when there is outbound traffic (and you have not created the
- start_if.tun0 script), type:
+ when there is outbound traffic and there is no existing
+ start_if.tun0 script, type:
&prompt.root; ppp -auto provider
@@ -1261,7 +1245,7 @@ ifconfig_tun0=
Ensure that the tun device
- is built into your kernel.
+ is built into the kernel.
@@ -1279,18 +1263,17 @@ ifconfig_tun0=
- If you have a dynamic IP address, create an entry in
+ When using a dynamic IP address, create an entry in
/etc/ppp/ppp.linkup.
- Update your /etc/rc.conf
- file.
+ Update /etc/rc.conf.Create a start_if.tun0 script
- if you require demand dialing.
+ if demand dialing is required.
@@ -1299,7 +1282,7 @@ ifconfig_tun0=
Ensure that the tun device
- is built into your kernel.
+ is built into the kernel.
@@ -1334,8 +1317,7 @@ ifconfig_tun0=
- Update your /etc/rc.conf
- file.
+ Update /etc/rc.conf.
@@ -1361,23 +1343,21 @@ ifconfig_tun0=
This section covers a few issues which may arise when
- using PPP over a modem connection. For
- instance, perhaps you need to know exactly what prompts the
- system you are dialing into will present. Some
+ using PPP over a modem connection. Some
ISPs present the
ssword prompt, and others will present
password; if the ppp
script is not written accordingly, the login attempt will
fail. The most common way to debug ppp
connections is by connecting manually. The following
- information will walk you through a manual connection step by
+ information walks through a manual connection step by
step.Check the Device NodesWhen using a custom kernel, make sure to include the
- following line in your kernel configuration file:
+ following line in the kernel configuration file:
device uart
@@ -1389,17 +1369,13 @@ ifconfig_tun0=
&prompt.root; dmesg | grep uart
- You should get some pertinent output about the
- uart devices. These are the COM
- ports we need. If your modem acts like a standard serial
- port then you should see it listed on
+ The uart devices should provide
+ some pertinent output about the COM ports. If the modem acts
+ like a standard serial port, it should be listed on
uart1, or
- COM2. If so, you are not required
- to rebuild the kernel. When matching up sio modem is on
- uart1 or
- COM2 if you are in DOS, then your
- modem device would be /dev/cuau1.
+ COM2. If so, a custom kernel is not
+ needed. In this configuration, the modem device would be
+ /dev/cuau1.
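Review bot: "The uart devices should provide some pertinent output about the COM ports" attributes the output to the devices, but it is the dmesg | grep uart output that lists the uart devices, and those devices are the COM ports; suggest "The output should list the uart devices, which are the COM ports."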
@@ -1407,42 +1383,39 @@ ifconfig_tun0=
Connecting to the Internet by manually controlling
ppp is quick, easy, and a great way to
- debug a connection or just get information on how your
+ debug a connection or just get information on how the
ISP treats ppp client
connections. Lets start PPP from
- the command line. Note that in all of our examples we will
- use example as the hostname of the
- machine running PPP. You start
- ppp by just typing
+ the command line. The following examples use
+ example as the hostname of the
+ machine running PPP. To start
ppp:&prompt.root; ppp
- We have now started ppp.
-
+ This sets the modem device to
+ cuau1:
+
ppp ON example> set device /dev/cuau1
- We set our modem device, in this case it is
- cuau1.
+ This sets the connection speed to 115,200
+ kbps:ppp ON example> set speed 115200
- Set the connection speed, in this case we
- are using 115,200 kbps.
-
- ppp ON example> enable dns
-
- Tell ppp to configure our
+ This tells ppp to configure the
resolver and add the nameserver lines to
/etc/resolv.conf. If
- ppp cannot determine our hostname, we can
- set one manually later.
+ ppp cannot determine the hostname, it can
+ manually be set later.
- ppp ON example> term
+ ppp ON example> enable dnsSwitch to terminal mode so that we can
manually control the modem.
+ ppp ON example> term
+
deflink: Entering terminal mode on /dev/cuau1
type '~h' for help
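Review bot: "This sets the connection speed to 115,200 kbps:" carries over a wrong unit from the old text; set speed 115200 sets the serial line rate in bits per second (115200 bps, that is 115.2 kbps), so the line should read "115200 bps". Since the hunk already rewords the surrounding lines, the unchanged "Lets start PPP from the command line" could get its apostrophe ("Let's"), and "Switch to terminal mode so that we can manually control the modem" still uses "we" in a patch whose purpose is to drop second- and first-person wording.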
@@ -1451,7 +1424,7 @@ OK
atdt123456789Use at to initialize the modem,
- then use atdt and the number for your
+ then use atdt and the number for the
ISP to begin the dial in process.CONNECT
@@ -1462,8 +1435,8 @@ OK
ISP Login:myusername
- Here you are prompted for a username, return the
- prompt with the username that was provided by the
+ When prompted for a username, return the prompt with the
+ username that was provided by the
ISP.ISP Pass:mypassword
@@ -1475,7 +1448,7 @@ OK
Shell or PPP:ppp
- Depending on your ISP this prompt
+ Depending on the ISP, this prompt
may never appear. Here we are being asked if we wish to
use a shell on the provider, or to start
ppp. In this example, we have chosen
@@ -1504,47 +1477,45 @@ OK
Here we add our default route, we need to do this before
we can talk to the outside world as currently the only
established connection is with the peer. If this fails due to
- existing routes you can put a bang character
- ! in front of the .
- Alternatively, you can set this before making the actual
- connection and it will negotiate a new route
- accordingly.
+ existing routes, put a bang character
+ (!) in front of the .
+ Alternatively, set this before making the actual connection
+ and it will negotiate a new route accordingly.
- If everything went good we should now have an active
- connection to the Internet, which could be thrown into the
+ If everything went well, there is now an active
+ connection to the Internet which can be placed into the
background using CTRL
- z If you notice the
- PPP return to ppp then
- we have lost our connection. This is good to know because it
- shows our connection status. Capital P's show that we have a
- connection to the ISP and lowercase p's
- show that the connection has been lost for whatever reason.
- ppp only has these 2 states.
+ z. If
+ PPP instead returns to
+ ppp, the connection has been lost. An
+ uppercase P indicates a
+ connection to the ISP and a lowercase
+ p indicates that the connection has been
+ lost. ppp only has these 2 states.Debugging
- If you have a direct line and cannot seem to make a
- connection, then turn hardware flow
- CTS/RTS to off with the . This is mainly the case if you are
+ For a direct line that cannot seem to make a connection,
+ turn hardware flow CTS/RTS to off with
+ . This can occur when
connected to some PPP capable
- terminal servers, where PPP hangs
- when it tries to write data to your communication link, so
- it would be waiting for a CTS, or Clear
- To Send signal which may never come. If you use this option
- however, you should also use the
- option, which may be required to defeat hardware dependent
- on passing certain characters from end to end, most of the
- time XON/XOFF. See the &man.ppp.8; manual page for more
- information on this option, and how it is used.
-
- If you have an older modem, you may need to use the
- . Parity is set at none
- be default, but is used for error checking (with a large
+ terminal servers as PPP hangs
+ when it tries to write data to the communication link and
+ then waits for a Clear To Send (CTS)
+ signal which may never come. When using this option,
+ include , which may be required
+ to defeat hardware which is dependent on passing certain
+ characters from end to end, such as XON/XOFF. See
+ &man.ppp.8; for more information on how this option is
+ used.
+
+ For an older modem, may
+ be needed. Parity is set at none by
+ default, but is used for error checking (with a large
increase in traffic) on older modems and some
- ISPs. You may need this option for
+ ISPs. This option may be needed for
the Compuserve ISP.PPP may not return to the
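Review bot: the unchanged context at the top of this hunk ("Here we add our default route, we need to do this before we can talk to the outside world...") still uses the first person and is a comma splice, which this pass removes elsewhere; suggest "Add the default route. This must be done before the machine can talk to the outside world, as the only established connection so far is with the peer." In the added lines, "turn hardware flow CTS/RTS to off with ." is awkward and should read "turn off hardware CTS/RTS flow control with" followed by the option, "Parity is set at none by default" should be "set to none", and "2 states" should be spelled out as "two states".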
@@ -1554,13 +1525,13 @@ OK
command will force ppp to start
sending the configuration information.
- If you never obtain a login prompt, then most likely you
- need to use PAP or
- CHAP authentication instead of the
- &unix; style in the example above. To use
- PAP or CHAP just add
- the following options to PPP
- before going into terminal mode:
+ If a login prompt never appears, try using
+ PAP or CHAP
+ authentication instead of the &unix; style in the example
+ above. To use PAP or
+ CHAP, add the following options to
+ PPP before going into terminal
+ mode:ppp ON example> set authname myusername
@@ -1574,17 +1545,16 @@ OK
replaced with the password that was assigned by the
ISP.
- If you connect fine, but cannot seem to find any domain
- name, try to use &man.ping.8; with an IP
- address and see if you can get any return information. If
- you experience 100 percent (100%) packet loss, then it is
- most likely that you were not assigned a default route.
- Double check that the option was set during the connection. If you
- can connect to a remote IP address then
- it is possible that a resolver address has not been added
- to the /etc/resolv.conf. This file
- should look like:
+ If the connection is active but cannot resolve any
+ domain names, try to &man.ping.8; an IP
+ address. If there is 100% packet loss, it is likely that a
+ default route was not assigned. Double check that
+ was set during the
+ connection. If a connection to a remote
+ IP address cannot be established, it is
+ possible that a resolver address has not been added to
+ /etc/resolv.conf. This file should
+ look like:domain example.com
nameserver x.x.x.x
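Review bot: the added lines invert the troubleshooting logic. The removed text said "If you can connect to a remote IP address then it is possible that a resolver address has not been added", i.e. a ping by IP that succeeds while name lookups fail points at /etc/resolv.conf. The replacement "If a connection to a remote IP address cannot be established, it is possible that a resolver address has not been added" now blames the resolver for the very case the preceding sentence attributes to a missing default route. Suggest "If a remote IP address can be reached but domain names do not resolve, a resolver address may be missing from /etc/resolv.conf."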
@@ -1592,15 +1562,11 @@ nameserver y.y.y.yWhere x.x.x.x and
y.y.y.y should be replaced with
- the IP address of your
- ISP's DNS servers. This information may
- or may not have been provided when you signed up, but a
- quick call to your ISP should remedy
- that.
-
- You could also have &man.syslog.3; provide a logging
- function for your PPP connection.
- Just add:
+ the IP address of the
+ ISP's DNS servers.
+
+ To configure &man.syslog.3; to log
+ PPP connections, add:!ppp
*.* /var/log/ppp.log
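Review bot: the added line "To configure &man.syslog.3; to log PPP connections, add:" references the wrong manual page. syslog(3) is the C library function; the `!ppp` / `*.* /var/log/ppp.log` entry shown is syslog.conf syntax acted on by the daemon, so syslogd(8) or syslog.conf(5) is the page to cite, and the sentence should name the file the lines go into (/etc/syslog.conf). The removed lines had the same entity, so this is not a regression, but the sentence is being rewritten here anyway.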
@@ -1677,7 +1643,7 @@ name_of_service_provider:
Running ppp
- As root, you can run:
+ As root, run:&prompt.root; ppp -ddial name_of_service_provider
@@ -1686,8 +1652,8 @@ name_of_service_provider:
Starting ppp at Boot
- Add the following to your
- /etc/rc.conf file:
+ Add the following to
+ /etc/rc.conf:ppp_enable="YES"
ppp_mode="ddial"
@@ -1699,25 +1665,22 @@ ppp_profile="name_of_service_provider"
Using a PPPoE Service TagSometimes it will be necessary to use a service tag to
- establish your connection. Service tags are used to
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
From owner-svn-doc-projects@FreeBSD.ORG Mon Apr 29 22:06:39 2013
Delivered-To: svn-doc-projects@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115])
by hub.freebsd.org (Postfix) with ESMTP id 6D4CCB86;
Mon, 29 Apr 2013 22:06:39 +0000 (UTC) (envelope-from dru@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
[IPv6:2001:1900:2254:2068::e6a:0])
by mx1.freebsd.org (Postfix) with ESMTP id 5F4931904;
Mon, 29 Apr 2013 22:06:39 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r3TM6d9F011957;
Mon, 29 Apr 2013 22:06:39 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost)
by svn.freebsd.org (8.14.6/8.14.5/Submit) id r3TM6dfb011955;
Mon, 29 Apr 2013 22:06:39 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201304292206.r3TM6dfb011955@svn.freebsd.org>
From: Dru Lavigne
Date: Mon, 29 Apr 2013 22:06:39 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41522 -
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip
X-SVN-Group: doc-projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-projects@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for doc projects trees
X-List-Received-Date: Mon, 29 Apr 2013 22:06:39 -0000
Author: dru
Date: Mon Apr 29 22:06:38 2013
New Revision: 41522
URL: http://svnweb.freebsd.org/changeset/doc/41522
Log:
Fix command/application tags that should be man page entities.
Approved by: bcr (mentor)
Modified:
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml
Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml
==============================================================================
--- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml Mon Apr 29 21:56:02 2013 (r41521)
+++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml Mon Apr 29 22:06:38 2013 (r41522)
@@ -171,7 +171,7 @@
IP addresses. If it has not provided any IP addresses,
include enable dns in
ppp.conf and
- ppp will set the name servers. This
+ &man.ppp.8; will set the name servers. This
feature requires the ISP's
PPP implementation to support DNS
negotiation.
@@ -194,7 +194,7 @@
This IP number is referred to as
HISADDR by
- ppp.
+ &man.ppp.8;.
@@ -237,12 +237,13 @@
configuration
- ppp uses the configuration files
- located in /etc/ppp.
+ Several files located in /etc/ppp are used to
+ configure &man.ppp.8;.
Examples can be found in /usr/share/examples/ppp/.
- Configuring ppp requires a number of
+ Configuring &man.ppp.8; requires a number of
files to be edited, depending on the requirements and
whether the ISP allocates IP addresses
statically or dynamically.
@@ -292,7 +293,7 @@
Identifies the default entry. Commands in this
entry are executed automatically when
- ppp is
+ &man.ppp.8; is
run.
@@ -513,7 +514,7 @@ protocol: ppp
instructions for PPP
and Dynamic IP addresses. If this line is
- omitted, ppp cannot run in
+ omitted, &man.ppp.8; cannot run in
mode.
@@ -530,7 +531,7 @@ protocol: ppp
otherwise HISADDR will not yet
be initialized.
- When ppp is not run in
+ When &man.ppp.8; is not run in
mode, this line should be
moved to ppp.linkup.
@@ -539,7 +540,7 @@ protocol: ppp
It is not necessary to add an entry to
ppp.linkup when using a static
- IP address with ppp in
+ IP address with &man.ppp.8; in
mode as the routing table entries
are already correct before a connection is established.
However, an entry can be created to invoke programs after
@@ -566,10 +567,10 @@ protocol: ppp
If the service provider does not assign static IP
- addresses, ppp can be configured to
+ addresses, &man.ppp.8; can be configured to
negotiate the local and remote addresses. This is done by
guessing an IP address and allowing
- ppp to set it up correctly using the IP
+ &man.ppp.8; to set it up correctly using the IP
Configuration Protocol (IPCP) after connecting. The
ppp.conf configuration is the same as
PPP
@@ -589,7 +590,7 @@ protocol: ppp
The number after the /
character is the number of bits of the address that
- ppp will insist on. These
+ &man.ppp.8; will insist on. These
IP numbers can be replaced, but the above example
will always work.
@@ -611,7 +612,7 @@ protocol: ppp
/etc/ppp/ppp.linkup.
ppp.linkup is used after a connection
has been established. At this point,
- ppp will have assigned the interface
+ &man.ppp.8; will have assigned the interface
addresses and it will now be possible to add the routing
table entries:
@@ -624,7 +625,7 @@ protocol: ppp
On establishing a connection,
- ppp will look for an entry in
+ &man.ppp.8; will look for an entry in
ppp.linkup according to the
following rules: First, try to match the same label
as we used in ppp.conf. If
@@ -639,7 +640,7 @@ protocol: ppp
Line 2:
- This line tells ppp to add a
+ This line tells &man.ppp.8; to add a
default route that points to
HISADDR.
HISADDR will be replaced with the
@@ -664,7 +665,7 @@ protocol: ppp
receiving incoming calls
- When configuring ppp to receive
+ When configuring &man.ppp.8; to receive
incoming calls on a machine connected to a LAN, decide if
packets should be forwarded to the LAN. If so, allocate
the peer an IP number from the LAN's subnet and use
@@ -683,34 +684,34 @@ protocol: ppp
Dial-up Services provides a good description
on enabling dial-up services using &man.getty.8;.
- An alternative to getty is An alternative to &man.getty.8; is mgetty (from
comms/mgetty+sendfax
- port), a smarter version of getty
+ port), a smarter version of &man.getty.8;
designed with dial-up lines in mind.
- The advantages of using mgetty is
+ The advantages of using &man.getty.8; is
that it actively talks to modems.
If the port is turned off in
/etc/ttys, the modem will not answer
the phone.
- Later versions of mgetty (from
+ Later versions of &man.getty.8; (from
0.99beta onwards) also support the automatic detection of
PPP streams, allowing clients
scriptless access to the server.Refer to Mgetty and
AutoPPP for more information on
- mgetty.
+ &man.getty.8;.PPP Permissions
- The ppp command must normally be
+ Typically, &man.ppp.8; is
run as the root user. To give a
- user permission to run ppp in server
+ user permission to run &man.ppp.8; in server
mode, add their user account to the
network group in
/etc/group.
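Review bot: the replacements of mgetty with &man.getty.8; throughout this hunk change the meaning. mgetty is a separate program from the comms/mgetty+sendfax port named in the context line, not the base-system getty(8), and the sentences now read "An alternative to &man.getty.8; is ... a smarter version of &man.getty.8;", "The advantages of using &man.getty.8; is that it actively talks to modems" and "Later versions of &man.getty.8; (from 0.99beta onwards)", all of which are false of getty(8). Keep mgetty as an application tag (there is no base-system manual page for an entity to point at) and only convert the genuine getty references in this hunk. While here, "The advantages of using ... is" should be "are".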
@@ -874,10 +875,10 @@ mary:
- mgetty and AutoPPP
+ &man.getty.8; and AutoPPP
- mgetty
+ &man.getty.8;
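Review bot: same problem as the previous hunk: the section title and index term are about mgetty, which is not &man.getty.8;; keep "mgetty and AutoPPP" and the mgetty index term.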
@@ -891,9 +892,9 @@ mary:
By default the comms/mgetty+sendfax port
comes with the AUTO_PPP option enabled
- allowing mgetty to detect the LCP
+ allowing &man.getty.8; to detect the LCP
phase of PPP connections and
- automatically spawn off a ppp shell.
+ automatically spawn off a &man.ppp.8; shell.
However, since the default login/password sequence does
not occur it is necessary to authenticate users using
either PAP or CHAP.
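Review bot: "allowing &man.getty.8; to detect the LCP phase" describes the AUTO_PPP option of the comms/mgetty+sendfax port named in the context line directly above it, so mgetty, not getty(8), is the program that should be named here; revert this replacement and keep only the ppp change in the following line.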
@@ -909,7 +910,7 @@ mary:
/AutoPPP/ - - /etc/ppp/ppp-pap-dialup
- This will tell mgetty to run the
+ This will tell &man.getty.8; to run the
ppp-pap-dialup script for detected
PPP connections.
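Review bot: the "/AutoPPP/ - - /etc/ppp/ppp-pap-dialup" context line is an mgetty login.config entry, so "This will tell &man.getty.8; to run the ppp-pap-dialup script" should keep mgetty; getty(8) does not read that file.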
@@ -1070,11 +1071,11 @@ set nbns 203.14.100.5
- Changing the ppp Configuration
+ Changing the &man.ppp.8; Configuration
on the Fly
- It is possible to talk to the ppp
- program while it is running in the background, but only
+ It is possible to talk to &man.ppp.8;
+ while it is running in the background, but only
if a suitable diagnostic port has been set up. To do
this, add the following line to the configuration:
@@ -1133,7 +1134,7 @@ nat port tcp 10.0.0.2:http httpPPPconfiguration
- Now that ppp is configured, there are
+ Now that &man.ppp.8; is configured, there are
a few more things to edit in
/etc/rc.conf.
@@ -1164,7 +1165,7 @@ ifconfig_tun0=
ppp -auto mysystemThis script is executed at network configuration time,
- starting the ppp daemon in
+ starting the &man.ppp.8; daemon in
mode. If the machine functions as
a gateway for a LAN, consider using the
switch. Refer to the manual page
@@ -1181,24 +1182,24 @@ ifconfig_tun0=
routed
- It is important that the routed
- daemon is not started, as routed tends
+ It is important that the &man.routed.8;
+ daemon is not started, as &man.routed.8; tends
to delete the default routing table entries created by
- ppp.
+ &man.ppp.8;.It is probably a good idea to ensure that the
sendmail_flags line does not include the
option, otherwise
- sendmail will attempt to do a network
+ &man.sendmail.8; will attempt to do a network
lookup every now and then, possibly causing the machine
to dial out. Try this command instead:sendmail_flags="-bd"
- sendmail
+ Sendmail
- The downside is that sendmail must be
+ The downside is that &man.sendmail.8; must be
forced to re-examine the mail queue whenever the
PPP link is up by typing:
@@ -1227,7 +1228,7 @@ ifconfig_tun0=
and then dial provider to start the
PPP session, or, to configure
- ppp to establish sessions automatically
+ &man.ppp.8; to establish sessions automatically
when there is outbound traffic and there is no existing
start_if.tun0 script, type:
@@ -1346,9 +1347,9 @@ ifconfig_tun0=
using PPP over a modem connection. Some
ISPs present the
ssword prompt, and others will present
- password; if the ppp
+ password; if the &man.ppp.8;
script is not written accordingly, the login attempt will
- fail. The most common way to debug ppp
+ fail. The most common way to debug &man.ppp.8;
connections is by connecting manually. The following
information walks through a manual connection step by
step.
@@ -1364,7 +1365,7 @@ ifconfig_tun0=
The uart device is already
included in the GENERIC kernel, so no
additional steps are necessary in this case. Just
- check the dmesg output for the modem
+ check the &man.dmesg.8; output for the modem
device with:&prompt.root; dmesg | grep uart
@@ -1382,14 +1383,13 @@ ifconfig_tun0=
Connecting ManuallyConnecting to the Internet by manually controlling
- ppp is quick, easy, and a great way to
+ &man.ppp.8; is quick, easy, and a great way to
debug a connection or just get information on how the
- ISP treats ppp client
- connections. Lets start PPP from
- the command line. The following examples use
+ ISP treats &man.ppp.8; client
+ connections. The following examples use
example as the hostname of the
- machine running PPP. To start
- ppp:
+ machine running &man.ppp.8;. To start
+ &man.ppp.8;:&prompt.root; ppp
@@ -1403,10 +1403,10 @@ ifconfig_tun0=
ppp ON example> set speed 115200
- This tells ppp to configure the
+ This tells &man.ppp.8; to configure the
resolver and add the nameserver lines to
/etc/resolv.conf. If
- ppp cannot determine the hostname, it can
+ &man.ppp.8; cannot determine the hostname, it can
manually be set later.ppp ON example> enable dns
@@ -1423,8 +1423,8 @@ type '~h' for help
OK
atdt123456789
- Use at to initialize the modem,
- then use atdt and the number for the
+ Use &man.at.1; to initialize the modem,
+ then type atdt and the number for the
ISP to begin the dial in process.CONNECT
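Review bot: "Use &man.at.1; to initialize the modem" is wrong: the "at" in the screen output above is the modem's Hayes AT attention command that the user types in terminal mode, not the at(1) job scheduler. Keep it as literal user input, as the removed line had it. While here, "dial in process" should be hyphenated as "dial-in process".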
@@ -1451,8 +1451,8 @@ OK
Depending on the ISP, this prompt
may never appear. Here we are being asked if we wish to
use a shell on the provider, or to start
- ppp. In this example, we have chosen
- to use ppp as we want an Internet
+ &man.ppp.8;. In this example, we have chosen
+ to use &man.ppp.8; as we want an Internet
connection.Ppp ON example>
@@ -1492,7 +1492,7 @@ OK
uppercase P indicates a
connection to the ISP and a lowercase
p indicates that the connection has been
- lost. ppp only has these 2 states.
+ lost. &man.ppp.8; only has these 2 states.Debugging
@@ -1522,7 +1522,7 @@ OK
command mode, which is usually a negotiation error where
the ISP is waiting for your side to start
negotiating. At this point, using the ~p
- command will force ppp to start
+ command will force &man.ppp.8; to start
sending the configuration information.If a login prompt never appears, try using
@@ -1617,7 +1617,7 @@ nameserver y.y.y.yNo kernel configuration is necessary for
PPPoE. If the necessary netgraph support
is not built into the kernel, it will be dynamically loaded by
- ppp.
+ &man.ppp.8;.
@@ -1641,7 +1641,7 @@ name_of_service_provider:
- Running ppp
+ Running &man.ppp.8;As root, run:
@@ -1650,7 +1650,7 @@ name_of_service_provider:
- Starting ppp at Boot
+ Starting &man.ppp.8; at BootAdd the following to
/etc/rc.conf:
@@ -1685,8 +1685,8 @@ ppp_profile="name_of_service_provider"
The profile name (service tag) will be used in the
PPPoE configuration entry in
ppp.conf as the provider part of the
- set device command (see the &man.ppp.8;
- manual page for full details). It should look like
+ set device command (refer to &man.ppp.8;
+ for details). It should look like
this:set device PPPoE:xl1:ISP
@@ -1801,7 +1801,7 @@ ppp_profile="name_of_service_provider"
usbd_enable="YES"It is also possible to set up
- ppp to dial up at startup. To do
+ &man.ppp.8; to dial up at startup. To do
this add the following lines to
/etc/rc.conf:
@@ -1993,7 +1993,7 @@ ng0: flags=88d1<UP,POINTOPOINT,RUNNIN
A tun virtual tunnel device
will be created for interaction between the
pptp and
- ppp processes. Once the prompt is
+ &man.ppp.8; processes. Once the prompt is
returned, or the pptp process has
confirmed a connection, examine the tunnel:
@@ -2004,7 +2004,7 @@ tun0: flags=8051<UP,POINTOPOINT,RUNNI
If unable to connect, check the router configuration,
which is usually accessible via
- telnet or a web browser. Examine
+ &man.telnet.1; or a web browser. Examine
the output of pptp and the contents of
/var/log/ppp.log for clues.
From owner-svn-doc-projects@FreeBSD.ORG Tue Apr 30 09:50:27 2013
Delivered-To: svn-doc-projects@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
[IPv6:2001:1900:2254:206a::19:1])
by hub.freebsd.org (Postfix) with ESMTP id E535DF25;
Tue, 30 Apr 2013 09:50:27 +0000 (UTC)
(envelope-from gabor@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
[IPv6:2001:1900:2254:2068::e6a:0])
by mx1.freebsd.org (Postfix) with ESMTP id D53A6165C;
Tue, 30 Apr 2013 09:50:27 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r3U9oRG7063111;
Tue, 30 Apr 2013 09:50:27 GMT (envelope-from gabor@svn.freebsd.org)
Received: (from gabor@localhost)
by svn.freebsd.org (8.14.6/8.14.5/Submit) id r3U9oNqX063075;
Tue, 30 Apr 2013 09:50:23 GMT (envelope-from gabor@svn.freebsd.org)
Message-Id: <201304300950.r3U9oNqX063075@svn.freebsd.org>
From: Gabor Kovesdan
Date: Tue, 30 Apr 2013 09:50:23 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41526 - in projects/xml-tools: de_DE.ISO8859-1/articles
de_DE.ISO8859-1/articles/freebsd-update-server
de_DE.ISO8859-1/articles/port-mentor-guidelines
de_DE.ISO8859-1/books/handbook/cu...
X-SVN-Group: doc-projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-projects@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for doc projects trees
X-List-Received-Date: Tue, 30 Apr 2013 09:50:28 -0000
Author: gabor
Date: Tue Apr 30 09:50:22 2013
New Revision: 41526
URL: http://svnweb.freebsd.org/changeset/doc/41526
Log:
- MFH
Added:
projects/xml-tools/de_DE.ISO8859-1/articles/freebsd-update-server/
- copied from r41525, head/de_DE.ISO8859-1/articles/freebsd-update-server/
projects/xml-tools/en_US.ISO8859-1/htdocs/internal/clusteradm.xml
- copied unchanged from r41525, head/en_US.ISO8859-1/htdocs/internal/clusteradm.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/projects/2011-freebsd-gsoc-thumbnail.jpg
- copied unchanged from r41525, head/en_US.ISO8859-1/htdocs/projects/2011-freebsd-gsoc-thumbnail.jpg
projects/xml-tools/en_US.ISO8859-1/htdocs/projects/2013-freebsd-gsoc-thumbnail.jpg
- copied unchanged from r41525, head/en_US.ISO8859-1/htdocs/projects/2013-freebsd-gsoc-thumbnail.jpg
projects/xml-tools/en_US.ISO8859-1/htdocs/projects/2013-freebsd-gsoc.pdf
- copied unchanged from r41525, head/en_US.ISO8859-1/htdocs/projects/2013-freebsd-gsoc.pdf
projects/xml-tools/en_US.ISO8859-1/htdocs/security/reporting.xml
- copied unchanged from r41525, head/en_US.ISO8859-1/htdocs/security/reporting.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/security/unsupported.xml
- copied unchanged from r41525, head/en_US.ISO8859-1/htdocs/security/unsupported.xml
projects/xml-tools/ja_JP.eucJP/htdocs/security/reporting.xml
- copied unchanged from r41525, head/ja_JP.eucJP/htdocs/security/reporting.xml
projects/xml-tools/ja_JP.eucJP/htdocs/security/unsupported.xml
- copied unchanged from r41525, head/ja_JP.eucJP/htdocs/security/unsupported.xml
projects/xml-tools/share/pgpkeys/asomers.key
- copied unchanged from r41525, head/share/pgpkeys/asomers.key
projects/xml-tools/share/pgpkeys/bhaga.key
- copied unchanged from r41525, head/share/pgpkeys/bhaga.key
projects/xml-tools/share/pgpkeys/bk.key
- copied unchanged from r41525, head/share/pgpkeys/bk.key
projects/xml-tools/share/pgpkeys/deb.key
- copied unchanged from r41525, head/share/pgpkeys/deb.key
projects/xml-tools/share/pgpkeys/dhw.key
- copied unchanged from r41525, head/share/pgpkeys/dhw.key
projects/xml-tools/share/pgpkeys/dutchdaemon.key
- copied unchanged from r41525, head/share/pgpkeys/dutchdaemon.key
projects/xml-tools/share/pgpkeys/hiren.key
- copied unchanged from r41525, head/share/pgpkeys/hiren.key
projects/xml-tools/share/pgpkeys/pgpkeys-other.xml
- copied unchanged from r41525, head/share/pgpkeys/pgpkeys-other.xml
projects/xml-tools/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc
- copied unchanged from r41525, head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc
projects/xml-tools/share/security/patches/SA-13:05/
- copied from r41525, head/share/security/patches/SA-13:05/
Deleted:
projects/xml-tools/ja_JP.eucJP/htdocs/FAQ/
projects/xml-tools/ja_JP.eucJP/htdocs/availability.xml
projects/xml-tools/ja_JP.eucJP/htdocs/tutorials/
Modified:
projects/xml-tools/de_DE.ISO8859-1/articles/Makefile
projects/xml-tools/de_DE.ISO8859-1/articles/freebsd-update-server/article.xml
projects/xml-tools/de_DE.ISO8859-1/articles/port-mentor-guidelines/article.xml
projects/xml-tools/de_DE.ISO8859-1/books/handbook/cutting-edge/chapter.xml
projects/xml-tools/de_DE.ISO8859-1/books/porters-handbook/book.xml
projects/xml-tools/de_DE.ISO8859-1/htdocs/docs/books.xml
projects/xml-tools/de_DE.ISO8859-1/share/xml/news.xml
projects/xml-tools/de_DE.ISO8859-1/share/xml/release.l10n.ent
projects/xml-tools/en_US.ISO8859-1/articles/committers-guide/article.xml
projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.additional.xml
projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.committers.xml
projects/xml-tools/en_US.ISO8859-1/books/handbook/jails/chapter.xml
projects/xml-tools/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.xml
projects/xml-tools/en_US.ISO8859-1/books/handbook/pgpkeys/chapter.xml
projects/xml-tools/en_US.ISO8859-1/books/handbook/ports/chapter.xml
projects/xml-tools/en_US.ISO8859-1/books/porters-handbook/book.xml
projects/xml-tools/en_US.ISO8859-1/books/porters-handbook/uses.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/administration.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/advocacy/myths.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/docs/books.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/internal/Makefile
projects/xml-tools/en_US.ISO8859-1/htdocs/portmgr/policies_eol.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/projects/Makefile
projects/xml-tools/en_US.ISO8859-1/htdocs/projects/summerofcode.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/releases/8.4R/schedule.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/security/Makefile
projects/xml-tools/en_US.ISO8859-1/htdocs/security/security.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/where.xml
projects/xml-tools/ja_JP.eucJP/books/handbook/kernelconfig/chapter.xml
projects/xml-tools/ja_JP.eucJP/books/handbook/ports/chapter.xml
projects/xml-tools/ja_JP.eucJP/htdocs/Makefile
projects/xml-tools/ja_JP.eucJP/htdocs/docs/books.xml
projects/xml-tools/ja_JP.eucJP/htdocs/internal/Makefile
projects/xml-tools/ja_JP.eucJP/htdocs/security/Makefile
projects/xml-tools/ja_JP.eucJP/htdocs/security/security.xml
projects/xml-tools/ja_JP.eucJP/htdocs/where.xml
projects/xml-tools/ja_JP.eucJP/share/xml/navibar.l10n.ent
projects/xml-tools/ja_JP.eucJP/share/xml/news.xml
projects/xml-tools/ru_RU.KOI8-R/articles/freebsd-questions/article.xml
projects/xml-tools/ru_RU.KOI8-R/articles/geom-class/article.xml
projects/xml-tools/ru_RU.KOI8-R/articles/hubs/article.xml
projects/xml-tools/ru_RU.KOI8-R/articles/pr-guidelines/article.xml
projects/xml-tools/ru_RU.KOI8-R/books/design-44bsd/Makefile
projects/xml-tools/ru_RU.KOI8-R/books/design-44bsd/book.xml
projects/xml-tools/ru_RU.KOI8-R/books/handbook/install/chapter.xml
projects/xml-tools/ru_RU.KOI8-R/books/handbook/ports/chapter.xml
projects/xml-tools/share/pgpkeys/pgpkeys-developers.xml
projects/xml-tools/share/pgpkeys/pgpkeys.ent
projects/xml-tools/share/xml/advisories.xml
projects/xml-tools/share/xml/authors.ent
projects/xml-tools/share/xml/commercial.consult.xml
projects/xml-tools/share/xml/commercial.isp.xml
projects/xml-tools/share/xml/developers.ent
projects/xml-tools/share/xml/navibar.ent
projects/xml-tools/share/xml/news.xml
projects/xml-tools/share/xml/release.ent
Directory Properties:
projects/xml-tools/ (props changed)
projects/xml-tools/de_DE.ISO8859-1/ (props changed)
projects/xml-tools/en_US.ISO8859-1/ (props changed)
projects/xml-tools/en_US.ISO8859-1/htdocs/projects/2009-freebsd-gsoc.pdf (props changed)
projects/xml-tools/en_US.ISO8859-1/htdocs/projects/2010-freebsd-gsoc.pdf (props changed)
projects/xml-tools/en_US.ISO8859-1/htdocs/projects/2011-freebsd-gsoc.pdf (props changed)
projects/xml-tools/ja_JP.eucJP/ (props changed)
projects/xml-tools/ru_RU.KOI8-R/ (props changed)
projects/xml-tools/share/ (props changed)
Modified: projects/xml-tools/de_DE.ISO8859-1/articles/Makefile
==============================================================================
--- projects/xml-tools/de_DE.ISO8859-1/articles/Makefile Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/de_DE.ISO8859-1/articles/Makefile Tue Apr 30 09:50:22 2013 (r41526)
@@ -8,6 +8,7 @@
SUBDIR = contributing
SUBDIR+= contributing-ports
SUBDIR+= explaining-bsd
+SUBDIR+= freebsd-update-server
SUBDIR+= laptop
SUBDIR+= linux-comparison
SUBDIR+= nanobsd
Modified: projects/xml-tools/de_DE.ISO8859-1/articles/freebsd-update-server/article.xml
==============================================================================
--- head/de_DE.ISO8859-1/articles/freebsd-update-server/article.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/de_DE.ISO8859-1/articles/freebsd-update-server/article.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -1,8 +1,6 @@
-
-
-%entities;
+
+FreeBSD Update Server">
]>
@@ -836,14 +834,14 @@ the new builds.
# Build the world
log "Building world"
- cd /usr/src &&
- make -j 2 ${COMPATFLAGS} buildworld 2>&1
+ cd /usr/src &&
+ make -j 2 ${COMPATFLAGS} buildworld 2>&1
# Distribute the world
log "Distributing world"
- cd /usr/src/release &&
- make -j 2 obj &&
- make ${COMPATFLAGS} release.1 release.2 2>&1
+ cd /usr/src/release &&
+ make -j 2 obj &&
+ make ${COMPATFLAGS} release.1 release.2 2>&1
Modified: projects/xml-tools/de_DE.ISO8859-1/articles/port-mentor-guidelines/article.xml
==============================================================================
Binary file (source and/or target). No diff available.
Modified: projects/xml-tools/de_DE.ISO8859-1/books/handbook/cutting-edge/chapter.xml
==============================================================================
--- projects/xml-tools/de_DE.ISO8859-1/books/handbook/cutting-edge/chapter.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/de_DE.ISO8859-1/books/handbook/cutting-edge/chapter.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -379,7 +379,7 @@ MergeChanges /etc/ /var/named/etc/-p-Nummer, die von dem Kommando uname
-r ausgegeben wird) wird aus dieser Datei ausgelesen.
Die Neuinstallation des selbstkonfigurierten Kernels, selbst wenn
- sich daran nichts geädert hat, erlaubt es &man.uname.1;, den
+ sich daran nichts geändert hat, erlaubt es &man.uname.1;, den
aktuellen Patch-Level des Systems korrekt wiederzugeben. Dies ist
besonders hilfreich, wenn mehrere Systeme gewartet werden, da es
eine schnelle Einschätzung der installierten Aktualisierungen in
Modified: projects/xml-tools/de_DE.ISO8859-1/books/porters-handbook/book.xml
==============================================================================
--- projects/xml-tools/de_DE.ISO8859-1/books/porters-handbook/book.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/de_DE.ISO8859-1/books/porters-handbook/book.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -8,7 +8,7 @@
$FreeBSD$
$FreeBSDde: de-docproj/books/porters-handbook/book.xml,v 1.241 2011/10/08 16:18:17 jkois Exp $
- basiert auf: 1.1117
+ basiert auf: r37819
-->
@@ -15824,12 +15824,50 @@ Reference: <http://www.freebsd.org/po
+ 900040
+ 19. Juli 2011
+ Standardmäßige Erhöhung von MAXCPU für &os; auf
+ 64 für amd64 und ia64 und auf 128 für XLP
+ (mips).
+
+
+ 90004113. August 20119.0-CURRENT, nachdem Capsicum-Funktionalitäten
implementiert wurden. Zusätzlich wurde fget(9) um ein
Rechte-Argument erweitert.
+
+
+ 900042
+ 28. August 2011
+ Versionssprünge für Shared-Libraries deren ABI
+ sich geändert hat, in Vorbereitung für 9.0.
+
+
+
+ 900043
+ 2. September 2011
+ Automatische Erkennung von USB-Massenspeicher
+ Geräten, die das no synchronize cache SCSI Kommando
+ nicht unterstützen.
+
+
+
+ 900044
+ 10. September 2011
+ Re-factor auto-quirk.
+
+
+
+ 900045
+ 13. Oktober 2011
+ Allen nicht-kompatiblen
+ Systemaufruf-Einstiegspunkten wurde ein sys_
+ vorangestellt.
+
+
Modified: projects/xml-tools/de_DE.ISO8859-1/htdocs/docs/books.xml
==============================================================================
--- projects/xml-tools/de_DE.ISO8859-1/htdocs/docs/books.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/de_DE.ISO8859-1/htdocs/docs/books.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -1,9 +1,9 @@
+
-
+
@@ -256,7 +256,7 @@
(mh)
Eine Einführung in das MH-Mailprogramm.
NanoBSD
(nanobsd)
Informationen zu den NanoBSD-Werkzeugen, mit deren Hilfe
sich FreeBSD-Images für den Einsatz in eingebetteten
Modified: projects/xml-tools/de_DE.ISO8859-1/share/xml/news.xml
==============================================================================
--- projects/xml-tools/de_DE.ISO8859-1/share/xml/news.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/de_DE.ISO8859-1/share/xml/news.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -4,7 +4,7 @@
@@ -16,7 +16,7 @@
Modified: projects/xml-tools/en_US.ISO8859-1/articles/committers-guide/article.xml
==============================================================================
--- projects/xml-tools/en_US.ISO8859-1/articles/committers-guide/article.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/en_US.ISO8859-1/articles/committers-guide/article.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -143,7 +143,6 @@
Branches
- stable/7 (7.X-STABLE),
stable/8 (8.X-STABLE),
stable/9 (9.X-STABLE),
head (-CURRENT)
@@ -2426,10 +2425,10 @@ ControlPersist yes
- &a.simon;
+ &a.des;
- Simon is the
+ Dag-Erling is the
FreeBSD Security
Officer
and oversees the &a.security-officer;.
Modified: projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.additional.xml
==============================================================================
--- projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.additional.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.additional.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -2086,6 +2086,11 @@
+ Daniel Levai
+ leva@ecentrum.hu
+
+
+ Daniel J. O'Connor
darius@dons.net.au
Modified: projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.committers.xml
==============================================================================
--- projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.committers.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.committers.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -1088,6 +1088,10 @@
+ &a.hiren;
+
+
+ &a.hmp;
@@ -1376,6 +1380,10 @@
+ &a.asomers;
+
+
+ &a.brian;
Modified: projects/xml-tools/en_US.ISO8859-1/books/handbook/jails/chapter.xml
==============================================================================
--- projects/xml-tools/en_US.ISO8859-1/books/handbook/jails/chapter.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/en_US.ISO8859-1/books/handbook/jails/chapter.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -556,7 +556,6 @@ jail_www_devf
usage of its features. If the presented steps below look
too complicated, it is advised to take a look at a simpler
system such as sysutils/qjail or sysutils/ezjail, which provides
an easier method of administering &os; jails and is not as
sophisticated as this setup.
Modified: projects/xml-tools/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.xml
==============================================================================
--- projects/xml-tools/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -493,14 +493,16 @@ options IPDIVERTGENERIC will be also be added to the local
kernel unless they are specifically prevented using
nooptions or nodevice.
- The remainder of this chapter addresses the contents of a
+ A comprehensive list of configuration directives and their
+ descriptions may be found in &man.config.5;.
+
+ The remainder of this chapter addresses the contents of a
typical configuration file and the role various options and
devices play.To build a file which contains all available options,
run the following command as root:
-
&prompt.root; cd /usr/src/sys/i386/conf && make LINT
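Review bot: the context line carried in this hunk's header still reads "will be also be added to the local kernel" (a doubled "be"); since the paragraph is being edited anyway, that pre-existing typo could be fixed in the same commit. The new sentence pointing readers to &man.config.5; for the full list of directives is a good addition.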
Modified: projects/xml-tools/en_US.ISO8859-1/books/handbook/pgpkeys/chapter.xml
==============================================================================
--- projects/xml-tools/en_US.ISO8859-1/books/handbook/pgpkeys/chapter.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/en_US.ISO8859-1/books/handbook/pgpkeys/chapter.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -37,4 +37,10 @@
§ion.pgpkeys-developers;
+
+
+ Other Cluster Account Holders
+
+ §ion.pgpkeys-other;
+
Modified: projects/xml-tools/en_US.ISO8859-1/books/handbook/ports/chapter.xml
==============================================================================
--- projects/xml-tools/en_US.ISO8859-1/books/handbook/ports/chapter.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/en_US.ISO8859-1/books/handbook/ports/chapter.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -1337,7 +1337,7 @@ Deinstalling ca_root_nss-3.13.5... done<
Once the compile is complete, you are returned to the
prompt. The next step is to install the port using
- make install:
+ make install:
&prompt.root; make install
===> Installing for lsof-4.57
@@ -1778,7 +1778,8 @@ ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/
The portsclean utility is part of the
- portupgrade suite.
+ ports-mgmt/portupgrade
+ suite.
directly supports the window system. Do not put
regular X applications here; most of them should go
into other x11-* categories
- (see below). If your port is
- an X application, define USE_XLIB
- (implied by USE_IMAKE) and put it
- in the appropriate category.
+ (see below).
@@ -3866,17 +3863,6 @@ ALWAYS_KEEP_DISTFILES= yes
- USE_CDRTOOLS
- The port requires
- cdrecord either from
- sysutils/cdrtools or
- sysutils/cdrtools-cjk,
- according to the user's preference.
-
-
- USE_GCCThe port requires a specific version of
gcc to build. The exact version
@@ -5775,69 +5761,18 @@ CMAKE_SOURCE_PATH= ${WRKSRC}/subp
-
- Using pkg-config
-
- If your ports requires pkg-config,
- just set USE_PKGCONFIG to the following
- possible values:
-
- Values for USE_PKGCONFIG
-
-
-
-
- Definition
- Description
-
-
-
-
-
- USE_PKGCONFIG= yes
- The ports uses pkg-config only at build
- time
-
-
-
- USE_PKGCONFIG= build
- The ports uses pkg-config only at build
- time
-
-
-
- USE_PKGCONFIG= run
- The ports uses pkg-config only at run
- time
-
-
-
- USE_PKGCONFIG= both
- The ports uses pkg-config both at build and run
- time
-
-
-
-
-
-
Using GNU gettextBasic Usage
- If your port requires gettext,
- just set USE_GETTEXT to
- yes, and your port will grow the
- dependency on devel/gettext. The value of
- USE_GETTEXT can also specify the required
- version of the libintl library, the basic
- part of gettext, but using this feature
- is strongly discouraged: Your port
- should work with just the current version of devel/gettext.
+ If your port requires gettext, set
+ USES= gettext, and your
+ port will inherit a dependency on devel/gettext. Other values for
+ gettext usage are listed in .A rather common case is a port using
gettext and configure.
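Review bot: the "Using pkg-config" subsection and its USE_PKGCONFIG table are removed without any pointer to the replacement, whereas the gettext paragraph in the same hunk keeps a one-line cross-reference to the uses chapter; a similar sentence for pkg-config (the pkgconfig entry added to uses.xml in this commit) would stop readers who search for the old variable from hitting a dead end.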
@@ -5848,7 +5783,7 @@ CMAKE_SOURCE_PATH= ${WRKSRC}/subp
CPPFLAGS and LDFLAGS as
follows:
- USE_GETTEXT= yes
+ USES= gettext
CPPFLAGS+= -I${LOCALBASE}/include
LDFLAGS+= -L${LOCALBASE}/lib
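Review bot: `USES= gettext` in this example overwrites any USES value set earlier in a port's Makefile (for instance a port that also needs pkgconfig, migrated in this same commit), while the NLS option example later in the file uses `USES+= gettext`; either use `+=` in all three examples or add a sentence saying that gettext is appended to the port's existing USES list, so that a reader copying the snippet does not silently drop other uses.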
@@ -5857,7 +5792,7 @@ GNU_CONFIGURE= yesOf course, the code can be more compact if there are no
more flags to pass to configure:
- USE_GETTEXT= yes
+ USES= gettext
GNU_CONFIGURE= yes
@@ -5878,7 +5813,7 @@ GNU_CONFIGURE= yes
.include <bsd.port.options.mk>
.if ${PORT_OPTIONS:MNLS}
-USE_GETTEXT= yes
+USES+= gettext
PLIST_SUB+= NLS=""
.else
CONFIGURE_ARGS+= --disable-nls
@@ -6134,25 +6069,12 @@ PLIST_SUB+= NLS="@comment "
USE_GL= glu
- Some ports define USE_XLIB, which
- makes the port depend on all the 50 or so libraries. This
- variable exists for backwards compatibility, as it predates
- modular X.Org, and should not be used on new ports.
-
Variables for Ports That Use X
- USE_XLIB
- The port uses the X libraries. Deprecated -
- use a list of X.Org components in
- USE_XORG variable
- instead.
-
-
- USE_IMAKEThe port uses imake.
Modified: projects/xml-tools/en_US.ISO8859-1/books/porters-handbook/uses.xml
==============================================================================
--- projects/xml-tools/en_US.ISO8859-1/books/porters-handbook/uses.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/en_US.ISO8859-1/books/porters-handbook/uses.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -40,15 +40,51 @@
+ desktop-file-utils
+ none
+
+ Implies that the port uses the
+ update-desktop-database from
+ devel/desktop-file-utils.
+ This uses will automatically add a post-install step in such a way
+ that the port itself still can specify there own post-install step
+ if needed. It also insert lines into the plist for package
+ install and removal to run
+ update-desktop-database.
+
+
+fusenoneImplies the port will depend on the FUSE library and handle
- the the dependency on the kernel module depending on the version
+ the dependency on the kernel module depending on the version
of &os;.
+ gettext
+ none, lib, build,
+ run
+ Implies that the port uses devel/gettext in one way or another. By
+ default, with no arguments or with the lib
+ argument, implies gettext with build-time and
+ run-time dependencies, build implies a build-time
+ dependency, and run implies a run-time
+ dependency.
+
+
+
+ iconv
+ none
+ Implies that the port uses converters/libiconv as build-time and
+ run-time dependency.
+
+
+
+pathfixnoneLook for the Makefile.in and
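Review bot: grammar in the new desktop-file-utils entry: "the port itself still can specify there own post-install step" should read "its own", and "It also insert lines into the plist" should read "inserts"; "This uses will automatically add" is awkward and could be "This automatically adds". The same wording appears in the shared-mime-info entry further down in this file.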
@@ -58,6 +94,21 @@
+ pkgconfig
+
+ none, build, run,
+ both
+
+ Implies that the port uses devel/pkgconf in one way or another.
+ With no arguments or with the build
+ argument, it implies pkg-config as a build-time
+ dependency; run implies a run-time dependency;
+ and both implies both run-time and build-time
+ dependencies.
+
+
+qmailnone, build, run,
both, vars
@@ -72,6 +123,21 @@
+ shared-mime-info
+ none
+
+ Implies that the port uses
+ update-mime-database from
+ misc/shared-mime-info. This
+ uses will automatically add a post-install step in such a way that
+ the port itself still can specify there own post-install step if
+ needed. It also insert lines into the plist for package install
+ and removal to run
+ update-mime-data with the correct
+ arguments.
+
+
+zenossnoneImplies the port uses &a.tabthorpe; <tabthorpe@FreeBSD.org>
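Review bot: the shared-mime-info entry names the tool update-mime-database in its first sentence and update-mime-data in the plist sentence; the plist lines should run update-mime-database, so the second occurrence looks like a typo. The "there own" and "It also insert" grammar slips from the desktop-file-utils entry are repeated here as well.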
The Cluster Administrators consists of the people responsible for
administrating the machines that the project relies on for its
distributed work and communication to be synchronised. It
consists mainly of those people who have physical access to the servers.
Issues concerning the projects infrastructure or setting up new
- machines should be directed to the cluster administrators.
+ machines should be directed to the cluster administrators. This
+ team is led by the lead cluster administrator whose duties and
+ responsbilities are described in the cluster administration charter
+ in greater detail.
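Review bot: typo in the added text: "responsbilities" should be "responsibilities". The unchanged context above also has "The Cluster Administrators consists" (plural subject with a singular verb) and "the projects infrastructure" (missing apostrophe), which could be fixed while this paragraph is open.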
@@ -88,8 +88,8 @@
from the Internet, 24 hours a day. You don't need to wait for
someone else to roll a release.
-
FreeBSD, NetBSD: An installable snapshot of the current
- progress is made every 24 hours. These snapshots can be installed
+
FreeBSD: An installable snapshot of the current
+ progress is made weekly. These snapshots can be installed
exactly like an ordinary release, and do not require installation
over an existing system.
@@ -105,13 +105,6 @@
released, simply because for most *BSD users it is an every day
event.
-
All the *BSD Projects use CVS to maintain their source code.
-
-
All the *BSD Projects: make a CVS tree available for anyone to
- browse and download, 24 hours a day. The tree can be retrieved using
- Anonymous CVS, CVSup, CVSupit, CTM (by e-mail), or through simple
- FTP.
-
Anyone can submit patches, bug reports, documentation, and
other contributions. They can do this by using the send-pr
program installed on their *BSD system, or by using a web based
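Review bot: the hunk deletes the paragraph describing how to retrieve the CVS tree (Anonymous CVS, CVSup, CVSupit, CTM, FTP) but leaves the preceding sentence "All the *BSD Projects use CVS to maintain their source code." in place; if the retrieval methods are obsolete enough to remove, the claim about the version control system itself is likely out of date too and should be revisited in the same pass rather than left standing alone.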
@@ -185,8 +178,7 @@
TinyBSD is
a set of tools made up of shell scripts designed to allow easy
- development of Embedded Systems based on FreeBSD 5.x and
- 6.x.
+ development of Embedded Systems based on FreeBSD.
ThinBSD is a small
FreeBSD based boot image that allows a standard PC to act as
@@ -258,40 +250,8 @@
outdated nor dying. Many professional users like the stability that years
of testing has provided FreeBSD.
-
Technological enhancements continue to be added to *BSD, including,
- but not limited to;
-
-
-
SMP: Symmetric Multi-Processing, making use of systems with
- multiple CPUs.
-
-
SoftUpdates: Makes the BSD filesystem at least as fast as the
- Linux filesystem, without needing to enable
- asynchronous writes, with their associated risk.
-
-
VM system: The VM (Virtual Memory) subsystem continues to be
- refined. The merged VM/cache design helps systems like
- wcarchive.cdrom.com juggle thousands (literally, more than 10,000)
- simultaneous FTP connections without falling over.
-
-
Architecture ports: FreeBSD supports seven main architectures
- currently: Alpha, AMD64, i386, Itanium, PC-98, PowerPC and UltraSPARC.
- There are also ongoing works to port the project for further
- architectures. See the Supported Platforms page
- for more information.
-
-
MAC Framework: FreeBSD supports Mandatory Access Control, a feature
- usually found in trusted operating systems available for high
- prices. FreeBSD gives you advanced security for free! The
- TrustedBSD Project
- provides further trusted operating system extensions.
-
-
GEOM classess: GEOM is a modular disk framework that lets
- you concatenate, mirror, stripe, or encrypt disks. It is rich
- in functionality and keeps your data safe.
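Review bot: the entire "Technological enhancements" list is dropped, which is reasonable for the dated items (the Alpha and PC-98 ports, "seven main architectures", the wcarchive FTP figure), but the MAC Framework and GEOM bullets describe features that remain accurate and are the security-relevant part of this section; consider keeping those two as a shorter, updated paragraph instead of removing them with the rest.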
Modified: projects/xml-tools/en_US.ISO8859-1/htdocs/docs/books.xml
==============================================================================
--- projects/xml-tools/en_US.ISO8859-1/htdocs/docs/books.xml Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/en_US.ISO8859-1/htdocs/docs/books.xml Tue Apr 30 09:50:22 2013 (r41526)
@@ -257,6 +257,11 @@
A guide to the PAM system and modules under
FreeBSD.
+
+ Port Mentor Guidelines (port-mentor-guidelines)
+ Guidelines for new and/or potential port mentors and
+ mentees.
+
Package
building procedures (portbuild)
Describes the approach used by the FreeBSD port
Modified: projects/xml-tools/en_US.ISO8859-1/htdocs/internal/Makefile
==============================================================================
--- projects/xml-tools/en_US.ISO8859-1/htdocs/internal/Makefile Tue Apr 30 01:29:18 2013 (r41525)
+++ projects/xml-tools/en_US.ISO8859-1/htdocs/internal/Makefile Tue Apr 30 09:50:22 2013 (r41526)
@@ -9,6 +9,7 @@
DOCS= about.xml
DOCS+= bylaws.xml
+DOCS+= clusteradm.xml
DOCS+= core-vote.xml
DOCS+= data.xml
DOCS+= developer.xml
Copied: projects/xml-tools/en_US.ISO8859-1/htdocs/internal/clusteradm.xml (from r41525, head/en_US.ISO8859-1/htdocs/internal/clusteradm.xml)
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ projects/xml-tools/en_US.ISO8859-1/htdocs/internal/clusteradm.xml Tue Apr 30 09:50:22 2013 (r41526, copy of r41525, head/en_US.ISO8859-1/htdocs/internal/clusteradm.xml)
@@ -0,0 +1,105 @@
+
+
+]>
+
+
+ &title;
+
+ $FreeBSD$
+
+
+
+
+
+
Lead cluster administrator is a delegated officer role (aka. "hat")
+ that answers to the &os; Core Team and ultimately the &os; community
+ at large. This person shall have the operational authority over the
+ &os; cluster infrastructure (to the extent that the Core Team can
+ delegate this authority) and will be responsible for the following in
+ general:
+
+
+
Ensure the reliable operation of the Project's equipment and
+ network resources.
+
+
Ensure that the Project's resources are suitably and effectively
+ used to serve the Project's interests.
+
+
Ensure that reasonable security precautions and mitigations are
+ implemented within the constraints of the nature of a highly
+ distributed project.
+
+
Delegate to and coordinating with both the site-specific admin
+ teams and the admins at large.
+
+
Ensure that standard operating procedures, rules, guidelines etc
+ are documented and understandable.
+
+
Take measures to ensure that a competent administrator would be
+ expected to be able to adopt a predecessor's work in a reasonable
+ amount of time.
+
+
Contingency planning and implementation to ensure continuity
+ across site specific problems (including donated site withdrawal or
+ outages).
+
+
Keep the interested parties (Core Team, Security Team, &os;
+ Foundation, Port Management Team, etc), project members and community
+ members appropriately informed.
+
+
Give timely and authoritive answers to questions, or a direct
+ referral to the appropriate party.
+
+
Aid other hat wearers and cluster administrators to get their job
+ done.
+
+
Where practical and appropriate, use the Project's own product as
+ a proving ground.
+
+
Make sure that it is easy for developers to know what hardware
+ resources they have access to for project purposes.
+
+
+
The lead cluster administrator answers to the &os; Core Team. If a
+ party is unhappy with a position that the hat wearer takes and is
+ unable to change their mind, they may take the issue to the Core Team.
+ The Core Team has the final say in the matter. If the lead cluster
+ administrator is a member of the Core Team then a complaint may be
+ made in confidence via the core secretary or another member if
+ desired.
+
+
Any of the following still require a sign-off from the Core Team:
+
+
+
New public facing services.
+
+
Planned withdrawal of public facing services.
+
+
New team members.
+
+
+
Notable interaction with other hats:
+
+
+
The lead cluster administrator will consult with the Security
+ Officer and the Security Team where appropriate but will be
+ responsible for making decisions. However, the Security Officer may
+ respond to security emergencies involving project infrastructure as
+ necessary.
+
+
The Port Management Team has a large resource footprint and
+ arrangements will be made with them to effectively operate their
+ resources within the constraints of the overall cluster
+ operation.
+
+
+
Earmarked resources:
+
+
Some site resources are provided for specific purposes. Any such
+ earmarking or use restrictions will be documented to make sure such
+ resources are used as intended.
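Review bot: wording issues in the new charter: "Delegate to and coordinating with" mixes verb forms and should be "Delegate to and coordinate with", "authoritive" should be "authoritative", and "etc" lacks its period. The charter also requires that "standard operating procedures, rules, guidelines etc are documented" and that "reasonable security precautions and mitigations are implemented", but gives no indication of where those documents live; a pointer to the relevant pages would make those two duties checkable.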
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
From owner-svn-doc-projects@FreeBSD.ORG Thu May 2 14:22:16 2013
Message-Id: <201305021422.r42EMGne080645@svn.freebsd.org>
From: Dru Lavigne
Date: Thu, 2 May 2013 14:22:16 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41541 -
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security
X-SVN-Group: doc-projects
Author: dru
Date: Thu May 2 14:22:15 2013
New Revision: 41541
URL: http://svnweb.freebsd.org/changeset/doc/41541
Log:
This patch addresses the following in the second half of this chapter:
- you
- &os;
- some acronym tags
- the remaining command/application tags that should be man page entities
- some grammar fixes
Approved by: bcr (mentor)
Modified:
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu May 2 13:02:26 2013 (r41540)
+++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu May 2 14:22:15 2013 (r41541)
@@ -53,7 +53,7 @@
How to configure TCP Wrappers for use
- with inetd.
+ with &man.inetd.8;.
@@ -257,7 +257,7 @@
Securing the root Account
- su
+ &man.su.1;Most
@@ -355,7 +355,7 @@
sandboxes
- sshd
+ &man.sshd.8;The prudent sysadmin only enables required services
@@ -365,12 +365,12 @@
root as many daemons can be run as a
separate service account or can be started in a
sandbox. Do not activate insecure
- services such as telnetd or
- rlogind.
+ services such as &man.telnetd.8; or
+ &man.rlogind.8;.Another potential security hole is SUID-root and SGID
binaries. Most of these binaries, such as
- rlogin, reside in /bin, /sbin, /usr/bin, or
- sysctl
+ &man.sysctl.8;Even if bpf is disabled,
@@ -525,7 +525,7 @@
The best way to detect an intrusion is to look for
modified, missing, or unexpected files. The best way to look
for modified files is from another, often centralized,
- limited-access system. Writing your security scripts on the
+ limited-access system. Writing security scripts on the
extra-security limited-access system makes them mostly
invisible
to potential attackers. In order to take maximum advantage,
@@ -657,7 +657,7 @@
&man.inetd.8; carefully and pay specific attention to
, , and
. Spoofed IP attacks will circumvent
- to inetd, so
+ to &man.inetd.8;, so
typically a combination of options must be used. Some
standalone servers have self-fork-limitation
parameters.
@@ -681,7 +681,7 @@
reasonable MaxDaemonChildren to prevent
cascade failures.
- Syslogd can be attacked
+ &man.syslogd.8; can be attacked
directly and it is strongly recommended to use
whenever possible, and
otherwise.
@@ -722,10 +722,10 @@
with ICMP responses. This type of attack can crash the
server by running it out of memory, especially if the server
cannot drain the ICMP responses it generates fast enough. Use
- the sysctl variable
+ the &man.sysctl.8; variable
net.inet.icmp.icmplim to limit these
attacks. The last major class of springboard attacks is
- related to certain internal inetd
+ related to certain internal &man.inetd.8;
services such as the UDP echo service. An attacker spoofs a
UDP packet with a source address of server A's echo port
and a destination address of server B's echo port, where
@@ -744,7 +744,7 @@
parameters. A spoofed packet attack that uses a random source
IP will cause the kernel to generate a temporary cached route
in the route table, viewable with netstat -rna |
- fgrep W3. These routes typically timeout in 1600
+ fgrep W3. These routes typically timeout in 1600
seconds or so. If the kernel detects that the cached route
table has gotten too big, it will dynamically reduce the
rtexpire but will never decrease it to less
@@ -774,15 +774,15 @@
- Access Issues with Kerberos and SSH
+ Access Issues with Kerberos and &man.ssh.1;
- ssh
+ &man.ssh.1;There are a few issues with both Kerberos and
&man.ssh.1; that need to be addressed if
they are used. Kerberos is an excellent authentication
- protocol, but there are bugs in the kerberized
- &man.telnet.1; and &man.rlogin.1; applications that make them
+ protocol, but there are bugs in the kerberized versions of
+ &man.telnet.1; and &man.rlogin.1; that make them
unsuitable for dealing with binary streams. By default,
Kerberos does not encrypt a session unless
is used whereas &man.ssh.1;
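Review bot: replacing "SSH" with &man.ssh.1; in the section title narrows the heading to the client command, while the section covers SSH keys, key-forwarding and authorized_keys, which are protocol- and server-side matters; the following hunk in this same section keeps "SSH keys" and "SSH configuration" in prose, so the title would be more consistent as "Access Issues with Kerberos and SSH", with the man-page entity reserved for the index term below it.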
@@ -801,13 +801,14 @@
It is recommended that &man.ssh.1; is
used in combination with Kerberos whenever possible for staff
- logins and &man.ssh.1; can be compiled with
+ logins and &man.ssh.1; can be compiled with
Kerberos support. This reduces reliance on potentially
- exposed ssh keys while protecting passwords via Kerberos.
+ exposed SSH keys while protecting
+ passwords via Kerberos.
Keys should only be used for automated tasks from secure
machines as this is something that Kerberos is unsuited to.
It is recommended to either turn off key-forwarding in the
- ssh configuration, or to make use
+ SSH configuration, or to make use
of from=IP/DOMAIN in
authorized_keys to make the key only
usable to entities logging in from specific machines.
@@ -971,7 +972,7 @@
Secure Connection InitializationTo initialize OPIE for the first time,
- execute opiepasswd:
+ execute &man.opiepasswd.1;:&prompt.user; opiepasswd -c
[grimreaper] ~ $ opiepasswd -f -c
@@ -1173,7 +1174,7 @@ Enter secret pass phrase: <
Initial ConfigurationTo enable TCP Wrappers in &os;, ensure
- the inetd server is started from
+ the &man.inetd.8; server is started from
/etc/rc.conf with
. Then, properly configure
/etc/hosts.allow.
@@ -1189,7 +1190,7 @@ Enter secret pass phrase: <
are set to either be permitted or blocked depending on the
options in /etc/hosts.allow. The default
configuration in &os; is to allow a connection to every daemon
- started with inetd.
+ started with &man.inetd.8;.Basic configuration usually takes the form of
daemon : address : action, where
@@ -1213,7 +1214,7 @@ Enter secret pass phrase: <
# This line is required for POP3 connections:
qpopper : ALL : allow
- After adding this line, inetd
+ After adding this line, &man.inetd.8;
needs to be restarted:&prompt.root; service inetd restart
@@ -1575,7 +1576,7 @@ Verifying password - Password: KDC is functioning by obtaining and
- listing a ticket for the principal (user) that you just
+ listing a ticket for the principal (user) that was just
created from the command-line of the KDC
itself:
@@ -2134,31 +2135,31 @@ kadmind5_server_enable="YES"OpenSSL
- One feature that many users overlook is the
- OpenSSL toolkit included in &os;.
- OpenSSL provides an encryption
- transport layer on top of the normal communications layer;
- thus allowing it to be intertwined with many network
+ The
+ OpenSSL toolkit is included in &os;.
+ It provides an encryption
+ transport layer on top of the normal communications layer,
+ allowing it to be intertwined with many network
applications and services.Some uses of OpenSSL may
- include encrypted authentication of mail clients, web based
- transactions such as credit card payments and more. Many
+ include encrypted authentication of mail clients and web based
+ transactions such as credit card payments. Many
ports such as
www/apache22, and
- mail/claws-mail will offer
+ mail/claws-mail offer
compilation support for building with
OpenSSL.
- In most cases the Ports Collection will attempt to build
+ In most cases, the Ports Collection will attempt to build
the security/openssl
- port unless the WITH_OPENSSL_BASE make
- variable is explicitly set to yes.
+ port unless WITH_OPENSSL_BASE
+ is explicitly set to yes.The version of OpenSSL included
- in &os; supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3),
+ in &os; supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and
Transport Layer Security v1 (TLSv1) network security protocols
and can be used as a general cryptographic library.
@@ -2168,7 +2169,7 @@ kadmind5_server_enable="YES"MAKE_IDEA variable must be set in
- make.conf.
+ /etc/make.conf.One of the most common uses of
@@ -2176,15 +2177,14 @@ kadmind5_server_enable="YES"Certificate
- Authorities, or CAs, a warning is
- usually produced. A Certificate Authority is a company, such
+ been verified by a Certificate
+ Authority (CA), a warning is
+ produced. A CA is a company, such
as VeriSign,
- which will sign certificates in order to validate credentials
+ signs certificates in order to validate the credentials
of individuals or companies. This process has a cost
- associated with it and is definitely not a requirement for
- using certificates; however, it can put some of the more
- paranoid users at ease.
+ associated with it and is not a requirement for
+ using certificates; however, it can put users at ease.
Generating Certificates
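Review bot: the rewrite drops the relative pronoun, leaving "A CA is a company, such as VeriSign, signs certificates in order to validate the credentials of individuals or companies", which does not parse; either restore "which" ("A CA is a company, such as VeriSign, which signs certificates ...") or split it into two sentences.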
@@ -2226,22 +2226,23 @@ An optional company name []:<
Notice the response directly after the
Common Name prompt shows a domain name. This
prompt requires a server name to be entered for verification
- purposes; placing anything but a domain name would yield a
- useless certificate. Other options, for instance expire
- time, alternate encryption algorithms, etc. are available.
- A complete list may be obtained by viewing the
- &man.openssl.1; manual page.
-
- Two files should now exist in the directory in which the
- aforementioned command was issued. The certificate request,
- req.pem, may be sent to a certificate
- authority who will validate the credentials that you
- entered, sign the request and return the certificate to you.
- The second file created will be named
+ purposes and placing anything but a domain name yields a
+ useless certificate. Other options, such as the expire
+ time and alternate encryption algorithms, are available.
+ A complete list of options is described in
+ &man.openssl.1;.
+
+ Two files should now exist in the directory in which this
+ command was issued. The certificate request,
+ req.pem, may be sent to a
+ CA
+ who will validate the entered credentials,
+ sign the request, and return the signed certificate.
+ The second file is named
cert.pem and is the private key for the
- certificate and should be protected at all costs; if this
+ certificate and should be protected at all costs. If this
falls in the hands of others it can be used to impersonate
- you (or your server).
+ the user or the server.
In cases where a signature from a CA
is not required, a self signed certificate can be created.
@@ -2263,30 +2264,31 @@ An optional company name []:<
new.crt. These should be placed in a
directory, preferably under
/etc, which is readable
- only by root. Permissions of 0700 should
- be fine for this and they can be set with the
- chmod utility.
+ only by root. Permissions of 0700 are
+ appropriate and can be set using
+ &man.chmod.1;.
- Using Certificates, an Example
+ Using Certificates
- So what can these files do? A good use would be to
+ One use for a certificate is to
encrypt connections to the
Sendmail MTA.
- This would dissolve the use of clear text authentication for
+ This prevents the use of clear text authentication for
users who send mail via the local
MTA.
- This is not the best use in the world as some
- MUAs will present the user with an
- error if they have not installed the certificate locally.
+ Some
+ MUAs will display
+ error if the user has not installed the certificate locally.
Refer to the documentation included with the software for
more information on certificate installation.
- The following lines should be placed inside the local
+ To configure Sendmail, the
+ following lines should be placed in the local
.mc file:dnl SSL Options
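Review bot: "Some MUAs will display error if the user has not installed the certificate locally" is missing an article ("an error"); and since the preceding context introduces a self signed certificate, the condition could be sharpened to "has not imported the certificate as trusted", which is what the client is actually complaining about.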
@@ -2296,24 +2298,24 @@ define(`confSERVER_CERT',`/etc/certs/new
define(`confSERVER_KEY',`/etc/certs/myca.key')dnl
define(`confTLS_SRV_OPTIONS', `V')dnl
- Where /etc/certs/
- is the directory to be used for storing the certificate and
- key files locally. The last few requirements are a rebuild
- of the local .cf file. This is easily
- achieved by typing make
- install within the
- /etc/mail directory.
+ In this example, /etc/certs/
+ stores the certificate and
+ key files locally. After saving the edits, rebuild
+ the local .cf file by typing
+ make install
+ within /etc/mail.
Follow that up with make
restart which should
start the Sendmail daemon.
- If all went well there will be no error messages in the
- /var/log/maillog file and
+ If all went well, there will be no error messages in
+ /var/log/maillog and
Sendmail will show up in the
process list.
- For a simple test, simply connect to the mail server
- using the &man.telnet.1; utility:
+ For a simple test, connect to the mail server
+ using &man.telnet.1;:&prompt.root; telnet example.com 25
Trying 192.0.34.166...
@@ -2337,7 +2339,7 @@ Escape character is '^]'.
Connection closed by foreign host.If the STARTTLS line appears in the
- output then everything is working correctly.
+ output, everything is working correctly.
@@ -2355,15 +2357,12 @@ Connection closed by foreign host.
- VPN over IPsec
+ VPN over IPsecIPsec
- Creating a VPN between two networks, separated by the
- Internet, using FreeBSD gateways.
-
@@ -2380,18 +2379,19 @@ Connection closed by foreign host.Understanding IPsec
- This section will guide you through the process of
- setting up IPsec. In order to set up IPsec, it is necessary
- that you are familiar with the concepts of building a custom
+ This section demonstrates the process of
+ setting up IPsec. It assumes
+ familiarity with the concepts of building a custom
kernel (see ).IPsec is a protocol which sits on
- top of the Internet Protocol (IP) layer. It allows two or
- more hosts to communicate in a secure manner (hence the
- name). The FreeBSD IPsec network stack is
+ top of the Internet Protocol (IP) layer.
+ It allows two or
+ more hosts to communicate in a secure manner.
+ The &os; IPsec network stack is
based on the KAME
- implementation, which has support for both protocol
- families, IPv4 and IPv6.
+ implementation, which has support for both IPv4 and
+ IPv6.IPsec
@@ -2408,16 +2408,18 @@ Connection closed by foreign host.
Encapsulated Security Payload
- ESP), protects the IP packet data from
- third party interference, by encrypting the contents
- using symmetric cryptography algorithms (like Blowfish,
- 3DES).
+ ESP): this protocol
+ protects the IP packet data from
+ third party interference by encrypting the contents
+ using symmetric cryptography algorithms such as Blowfish
+ and 3DES.
- Authentication Header (AH),
+ Authentication Header
+ (AH): this protocol
protects the IP packet header from third party
- interference and spoofing, by computing a cryptographic
+ interference and spoofing by computing a cryptographic
checksum and hashing the IP packet header fields with a
secure hashing function. This is then followed by an
additional header that contains the hash, to allow the
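Review bot: the new ESP wording "protects the IP packet data from third party interference by encrypting the contents" conflates confidentiality with integrity. Encryption keeps the payload confidential; protection against interference (tampering) comes from ESP's authentication, which the sentence does not mention. Suggest "keeps the IP packet data confidential by encrypting the contents, and can also authenticate it". Blowfish and 3DES are also dated examples; AES is the algorithm a reader should see named first.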
@@ -2439,18 +2441,17 @@ Connection closed by foreign host.
IPsec can either be used to directly encrypt the traffic
- between two hosts (known as Transport
- Mode); or to build virtual
- tunnels between two subnets, which could be used for
- secure communication between two corporate networks (known
- as Tunnel Mode). The latter is more
+ between two hosts using Transport
+ Mode or to build virtual
+ tunnels using
+ Tunnel Mode. The latter mode is more
commonly known as a Virtual Private Network
- (VPN). The &man.ipsec.4; manual page should be
- consulted for detailed information on the IPsec subsystem in
- FreeBSD.
+ (VPN). Consult &man.ipsec.4;
+ for detailed information on the IPsec subsystem in
+ &os;.
- To add IPsec support to your kernel, add the following
- options to your kernel configuration file:
+ To add IPsec support to the kernel, add the following
+ options to the custom kernel configuration file:kernel options
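Review bot: the rewrite of the transport/tunnel sentence drops what the tunnels connect. "to build virtual tunnels using Tunnel Mode" no longer says that Tunnel Mode joins two subnets, which is the distinction the reader needs and the one the VPN example later relies on; keep "between two subnets" from the removed text.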
@@ -2474,40 +2475,30 @@ options IPSEC_DEBUG #debug for IP sec
- The Problem
-
- There is no standard for what constitutes a VPN. VPNs
- can be implemented using a number of different technologies,
- each of which have their own strengths and weaknesses. This
- section presents a scenario, and the strategies used for
- implementing a VPN for this scenario.
-
-
-
- The Scenario: Two networks, one home based and one
- corporate based. Both are connected to the Internet, and
- expected, via this VPN to behave as
- one.
+ VPN Between a Home and Corporate
+ NetworkVPNcreating
- The premise is as follows:
+ There is no standard for what constitutes a
+ VPN. VPNs can be
+ implemented using a number of different technologies, each
+ of which has their own strengths and weaknesses. This
+ section presents the strategies used for implementing a
+ VPN for the following scenario:
- You have at least two sites
-
-
-
- Both sites are using IP internally
+ There are at least two sites where each site is using
+ IP internally.
- Both sites are connected to the Internet, through a
- gateway that is running FreeBSD.
+ Both sites are connected to the Internet through a
+ gateway that is running &os;.
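Review bot: "each of which has their own strengths and weaknesses" mixes singular and plural; use "its own". While here, the hunk header shows "options IPSEC_DEBUG #debug for IP sec" in the kernel option list, and the text should say that this is a debugging aid that IPsec does not require, so readers do not carry it into a production kernel.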
@@ -2517,15 +2508,15 @@ options IPSEC_DEBUG #debug for IP sec
The internal addresses of the two networks can be
- public or private IP addresses, it does not matter.
- They just may not collide; e.g.: may not both use
+ either public or private IP addresses. However, the
+ address space must not collide. For example, both
+ networks cannot use
192.168.1.x.
-
-
-
+
+ Tom
@@ -2536,23 +2527,24 @@ options IPSEC_DEBUG #debug for IP sec
Written by
-
+
Configuring IPsec on &os;
- To begin, the
+ To begin,
security/ipsec-tools
- must be installed from the Ports Collection. This third
- party software package provides a number of applications
- which will help support the configuration.
+ must be installed from the Ports Collection. This
+ software provides a number of applications
+ which support the configuration.The next requirement is to create two &man.gif.4;
pseudo-devices which will be used to tunnel packets and
allow both networks to communicate properly. As
root, run the following commands,
- replacing the internal and
- external items with the real
- internal and external gateways:
+ replacing internal and
+ external with the real IP
+ addresses of the
+ internal and external interfaces of the two gateways:
&prompt.root; ifconfig gif0 create
@@ -2560,18 +2552,19 @@ options IPSEC_DEBUG #debug for IP sec
&prompt.root; ifconfig gif0 tunnel external1 external2
- For example, the corporate LAN's
- public IP is
- 172.16.5.4 having a private
- IP of
+ In this example, the corporate LAN's
+ external IP address is
+ 172.16.5.4 and its internal
+ IP address is
10.246.38.1. The home
- LAN's public IP is
- 192.168.1.12 with an internal
- private IP of
+ LAN's external IP
+ address is
+ 192.168.1.12 and its internal
+ private IP address is
10.0.0.5.
- This may seem confusing, so review the following example
- output from the &man.ifconfig.8; command:
+ If this is confusing, review the following example output
+ from &man.ifconfig.8;:Gateway 1:
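Review bot: the two sides of the example are now worded inconsistently: the corporate LAN gets "internal IP address" while the home LAN keeps "internal private IP address"; drop "private" from the second to match. Renaming "public IP" to "external IP address" is the right call, because both example external addresses (172.16.5.4 and 192.168.1.12) are themselves RFC 1918 private addresses; given that the paragraph above stresses public versus private ranges, a short remark that these are illustrative values would stop readers taking them for public addresses.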
@@ -2587,9 +2580,8 @@ tunnel inet 192.168.1.12 --> 172.16.5
inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00
inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4
- Once complete, both private IPs
- should be reachable using the &man.ping.8; command like
- the following output suggests:
+ Once complete, both internal IP
+ addresses should be reachable using &man.ping.8;:priv-net# ping 10.0.0.5
PING 10.0.0.5 (10.0.0.5): 56 data bytes
@@ -2629,8 +2621,8 @@ round-trip min/avg/max/stddev = 28.106/9
At this point, internal machines should be reachable
from each gateway as well as from machines behind the
- gateways. This is easily determined from the following
- example:
+ gateways. Again, use &man.ping.8; to
+ confirm:corp-net# ping 10.0.0.8
PING 10.0.0.8 (10.0.0.8): 56 data bytes
@@ -2655,12 +2647,13 @@ PING 10.246.38.1 (10.246.38.107): 56 dat
round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 msSetting up the tunnels is the easy part. Configuring
- a secure link is a much more in depth process. The
+ a secure link is a more in depth process. The
following configuration uses pre-shared
- (PSK) RSA keys. Aside
- from the IP addresses, both
- /usr/local/etc/racoon/racoon.conf files
- will be identical and look similar to
+ (PSK) RSA keys. Other than
+ the IP addresses, the
+ /usr/local/etc/racoon/racoon.conf on
+ both gateways
+ will be identical and look similar to:
path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file
log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete
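Review bot: "pre-shared (PSK) RSA keys" is confusing, because a pre-shared key and an RSA key are two different IKE authentication methods; the configuration shown (path pre_shared_key "/usr/local/etc/racoon/psk.txt") is PSK, so write "pre-shared keys (PSK)". The paragraph should also say that psk.txt must be owned by root with mode 0600: the file holds the secret that authenticates both gateways, and racoon complains about a weak file permission on it if it is readable by others.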
@@ -2720,19 +2713,18 @@ sainfo (address 10.246.38.0/24 any addr
compression_algorithm deflate;
}
- Explaining every available option, along with those
- listed in these examples is beyond the scope of this
- document. There is plenty of relevant information in the
- racoon configuration manual
- page.
-
- The SPD policies need to be
- configured so &os; and racoon is
- able to encrypt and decrypt network traffic between
+ For descriptions of each available option, refer to the
+ manual
+ page for racoon.conf.
+
+ The Security Policy Database (SPD)
+ needs to be configured so that &os; and
+ racoon are
+ able to encrypt and decrypt network traffic between the
hosts.
- This task may be undertaken with a simple shell script
- similar to the following which is on the corporate gateway.
+ This can be achieved with a shell script,
+ similar to the following, on the corporate gateway.
This file will be used during system initialization and
should be saved as
/usr/local/etc/racoon/setkey.conf.
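Review bot: calling setkey.conf "a shell script" is wrong and misleads on how it is used. It is a &man.setkey.8; policy file that is read, not executed, by the ipsec_program and ipsec_file settings shown in the rc.conf hunk later in this patch. Suggest "This can be achieved with a &man.setkey.8; configuration file, similar to the following, on the corporate gateway."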
@@ -2767,12 +2759,12 @@ Foreground mode.
another console and use &man.tcpdump.1; to view network
traffic using the following command. Replace
em0 with the network interface card as
- required.
+ required:&prompt.root; tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12Data similar to the following should appear on the
- console. If not, there is an issue, and debugging the
+ console. If not, there is an issue and debugging the
returned data will be required.01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa)
@@ -2781,9 +2773,9 @@ Foreground mode.
At this point, both networks should be available and
seem to be part of the same network. Most likely both
- networks are protected by a firewall, as they should be. To
+ networks are protected by a firewall. To
allow traffic to flow between them, rules need to be added
- to pass packets back and forth. For the &man.ipfw.8;
+ to pass packets. For the &man.ipfw.8;
firewall, add the following lines to the firewall
configuration file:
@@ -2819,7 +2811,8 @@ pass out quick on gif0 from any to any
ipsec_program="/usr/local/sbin/setkey"
ipsec_file="/usr/local/etc/racoon/setkey.conf" # allows setting up spd policies on boot
racoon_enable="yes"
-
+
+
@@ -2844,65 +2837,63 @@ racoon_enable="yes"
OpenSSH is a set of network
connectivity tools used to access remote machines securely.
- It can be used as a direct replacement for
- rlogin, rsh,
- rcp, and telnet.
Additionally, TCP/IP connections can be tunneled/forwarded
- securely through SSH. OpenSSH
+ securely through SSH connections.
+ OpenSSH
encrypts all traffic to effectively eliminate eavesdropping,
connection hijacking, and other network-level attacks.OpenSSH is maintained by the
- OpenBSD project, and is based upon SSH v1.2.12 with all the
- recent bug fixes and updates. It is compatible with both SSH
- protocols 1 and 2.
+ OpenBSD project and is installed by default in &os;. It is
+ compatible with both SSH version
+ 1 and 2 protocols.
- Advantages of Using OpenSSH
-
- Normally, when using &man.telnet.1; or &man.rlogin.1;,
- data is sent over the network in a clear, un-encrypted form.
- Network sniffers anywhere in between the client and server
- can steal your user/password information or data transferred
- in your session. OpenSSH offers
+ Advantages of Using
+ OpenSSH
+
+ When
+ data is sent over the network in an unencrypted form,
+ network sniffers anywhere in between the client and server
+ can steal user/password information or data transferred
+ during the session. OpenSSH offers
a variety of authentication and encryption methods to
prevent this from happening.
- Enabling sshd
+ Enabling &man.sshd.8;OpenSSHenabling
- The sshd is an option
- presented during a Standard install of
- &os;. To see if sshd is enabled,
- check the rc.conf file for:
+ To see if &man.sshd.8; is enabled,
+ check /etc/rc.conf for this line:sshd_enable="YES"
- This will load &man.sshd.8;, the daemon program for
- OpenSSH, the next time your
+ This will start &man.sshd.8;, the daemon program for
+ OpenSSH, the next time the
system initializes. Alternatively, it is possible to use
&man.service.8; to
- start OpenSSH:
+ start OpenSSH now:&prompt.root; service sshd start
- SSH Client
+ &man.ssh.1; ClientOpenSSHclient
- The &man.ssh.1; utility works similarly to
- &man.rlogin.1;.
+ To use &man.ssh.1; to connect to a system running
+ &man.sshd.8;, specify the username and host to log
+ into:&prompt.root; ssh user@example.com
Host key not found from the list of known hosts.
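Review bot: "It is compatible with both SSH version 1 and 2 protocols" should not be left as a neutral feature statement. SSH protocol 1 has known weaknesses and has been disabled by default in OpenSSH since 5.4, so the text should say that version 2 is the protocol to use and that version 1 is legacy; this also matches the later statement that &man.sshd.8; only accepts v2 by default. Also, "can steal user/password information" reads better as "can steal user names, passwords, or data".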
@@ -2910,22 +2901,19 @@ Are you sure you want to continue connec
Host 'example.com' added to the list of known hosts.
user@example.com's password: *******
- The login will continue just as it would have if a
- session was created using rlogin or
- telnet. SSH utilizes a key fingerprint
- system for verifying the authenticity of the server when the
- client connects. The user is prompted to enter
- yes only when connecting for the first
- time. Future attempts to login are all verified against the
- saved fingerprint key. The SSH client will alert you if the
+ SSH utilizes a key fingerprint
+ system to verify the authenticity of the server when the
+ client connects. The user is prompted to type
+ yes when connecting for the first
+ time. Future attempts to login are verified against the
+ saved fingerprint key and the &man.ssh.1; client will display
+ an alert if the
saved fingerprint differs from the received fingerprint on
future login attempts. The fingerprints are saved in
- ~/.ssh/known_hosts, or
- ~/.ssh/known_hosts2 for SSH v2
- fingerprints.
+ ~/.ssh/known_hosts.
- By default, recent versions of the
- OpenSSH servers only accept SSH
+ By default, recent versions of &man.sshd.8; only accept
+ SSH
v2 connections. The client will use version 2 if possible
and will fall back to version 1. The client can also be
forced to use one or the other by passing it the
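Review bot: the fingerprint paragraph tells the user to type "yes" on the first connection but never says to compare the displayed fingerprint with one obtained out of band first; without that step the known_hosts check only detects changes after an unverified first contact, so add a sentence to that effect. The claim that the client "will fall back to version 1" is also stale: since OpenSSH 5.4 the client does not use protocol 1 unless it is explicitly configured to.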
@@ -2943,11 +2931,11 @@ user@example.com's password: secure copy
- scp
+ &man.scp.1;
- The &man.scp.1; command works similarly to &man.rcp.1;;
- it copies a file to or from a remote machine, except in a
+ Use &man.scp.1; to
+ copy a file to or from a remote machine in a
secure fashion.&prompt.root; scp user@example.com:/COPYRIGHT COPYRIGHT
@@ -2961,10 +2949,12 @@ COPYRIGHT 100% |*************
here.The arguments passed to &man.scp.1; are similar to
- &man.cp.1;, with the file or files in the first argument,
+ &man.cp.1;, with the file or files to copy in the first
+ argument,
and the destination in the second. Since the file is
- fetched over the network, through SSH, one or more of the
- file arguments takes on the form
+ fetched over the network, through an SSH,
+ connection, one or more of the
+ file arguments takes the form
.
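Review bot: there is a stray comma in "fetched over the network, through an SSH, connection"; it should read "through an SSH connection".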
@@ -2978,24 +2968,20 @@ COPYRIGHT 100% |*************
The system-wide configuration files for both the
OpenSSH daemon and client reside
- within the /etc/ssh
- directory.
+ in /etc/ssh.
ssh_config configures the client
settings, while sshd_config configures
- the daemon.
-
- Additionally, the
- (/usr/sbin/sshd by default), and
- rc.conf
- options can provide more levels of configuration.
+ the daemon. Each file has its own manual page which describes
+ the available configuration options.
- ssh-keygen
+ &man.ssh-keygen.1;Instead of using passwords, &man.ssh-keygen.1; can
- be used to generate DSA or RSA keys to authenticate a
+ be used to generate DSA or
+ RSA keys to authenticate a
user:&prompt.user; ssh-keygen -t dsa
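Review bot: the example "ssh-keygen -t dsa" and the "DSA or RSA keys" ordering present DSA as the first choice. OpenSSH DSA keys are fixed at 1024 bits, which is weak by current standards, so the example should use "-t rsa" (with a size such as "-b 4096") and mention DSA only as an alternative.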
@@ -3014,7 +3000,7 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8
in ~/.ssh/id_dsa or
~/.ssh/id_rsa, whereas the public key
is stored in ~/.ssh/id_dsa.pub or
- ~/.ssh/id_rsa.pub, respectively for
+ ~/.ssh/id_rsa.pub, respectively for the
DSA and RSA key types.
The public key must be placed in the
~/.ssh/authorized_keys file of the
@@ -3022,43 +3008,42 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8
DSA keys in order for the setup to
work.
- This will allow connection to the remote machine based
- upon SSH keys instead of passwords.
+ This setup allows connections to the remote machine based
+ upon SSH keys instead of passwords.If a passphrase is used in &man.ssh-keygen.1;, the user
- will be prompted for a password each time in order to use
+ will be prompted for the passphrase each time in order to use
the private key. &man.ssh-agent.1; can alleviate the strain
of repeatedly entering long passphrases, and is explored in
- the section
- below.
+ .
The various options and files can be different
according to the OpenSSH
- version you have on your system; to avoid problems you
- should consult the &man.ssh-keygen.1; manual page.
+ version. To avoid problems,
+ consult &man.ssh-keygen.1;.
- ssh-agent and ssh-add
+ &man.ssh-agent.1; and &man.ssh-add.1;
- The &man.ssh-agent.1; and &man.ssh-add.1; utilities
- provide methods for SSH keys to
- be loaded into memory for use, without needing to type the
- passphrase each time.
-
- The &man.ssh-agent.1; utility will handle the
- authentication using the private key(s) that are loaded into
- it. &man.ssh-agent.1; should be used to launch another
+ To load SSH
+ keys into memory for use, without needing to type the
+ passphrase each time, use &man.ssh-agent.1; and
+ &man.ssh-add.1;.
+
+ Authentication is handled by &man.ssh-agent.1;, using the
+ private key(s) that are loaded into
+ it. Then, &man.ssh-agent.1; should be used to launch another
application. At the most basic level, it could spawn a
- shell or at a more advanced level, a window manager.
+ shell or a window manager.
- To use &man.ssh-agent.1; in a shell, first it will need
- to be spawned with a shell as an argument. Secondly, the
- identity needs to be added by running &man.ssh-add.1; and
+ To use &man.ssh-agent.1; in a shell, start it
+ with a shell as an argument. Next, add the identity
+ by running &man.ssh-add.1; and
providing it the passphrase for the private key. Once these
- steps have been completed the user will be able to
+ steps have been completed, the user will be able to
&man.ssh.1; to any host that has the corresponding public
key installed. For example:
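Review bot: "This setup allows connections to the remote machine based upon SSH keys instead of passwords" should note that password authentication remains enabled on the server until it is turned off in sshd_config; installing a key adds a login method, it does not remove one, and readers following this to harden a host need to know that. Separately, the context line "DSA keys in order for the setup to work." at the top of this hunk appears to be the tail of the old "authorized_keys2 for DSA keys" wording; since this patch removes the parallel known_hosts2 mention, that reference should be updated in the same way for consistency.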
@@ -3068,24 +3053,28 @@ Enter passphrase for /home/user/.ssh/id_
Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
&prompt.user;
- To use &man.ssh-agent.1; in X11, a call to
- &man.ssh-agent.1; will need to be placed in
- ~/.xinitrc. This will provide the
- &man.ssh-agent.1; services to all programs launched in X11.
+ To use &man.ssh-agent.1; in
+ &xorg;, a call to
+ &man.ssh-agent.1; needs to be placed in
+ ~/.xinitrc. This provides the
+ &man.ssh-agent.1; services to all programs launched in
+ &xorg;.
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
From owner-svn-doc-projects@FreeBSD.ORG Thu May 2 15:47:18 2013
Message-Id: <201305021547.r42FlIcE009979@svn.freebsd.org>
From: Dru Lavigne
Date: Thu, 2 May 2013 15:47:18 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41542 -
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/eresources
Author: dru
Date: Thu May 2 15:47:17 2013
New Revision: 41542
URL: http://svnweb.freebsd.org/changeset/doc/41542
Log:
Initial pass, further patches needed. This patch addresses the following:
- &os;
- you/we, e.g.
- fix Project and filesystems
- removes deprecated KDE list
Approved by: bcr (mentor)
Modified:
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/eresources/chapter.xml
Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/eresources/chapter.xml
==============================================================================
--- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/eresources/chapter.xml Thu May 2 14:22:15 2013 (r41541)
+++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/eresources/chapter.xml Thu May 2 15:47:17 2013 (r41542)
@@ -8,18 +8,18 @@
Resources on the Internet
- The rapid pace of FreeBSD progress makes print media
+ The rapid pace of &os; progress makes print media
impractical as a means of following the latest developments.
Electronic resources are the best, if not often the only, way
- to stay informed of the latest advances. Since FreeBSD is a
+ to stay informed of the latest advances. Since &os; is a
volunteer effort, the user community itself also generally serves
as a technical support department of sorts, with
electronic mail, web forums, and USENET news being the most
effective way of reaching that community.
- The most important points of contact with the FreeBSD user
- community are outlined below. If you are aware of other resources
- not mentioned here, please send them to the &a.doc; so that they
+ The most important points of contact with the &os; user
+ community are outlined below. Please send other resources
+ not mentioned here to the &a.doc; so that they
may also be included.
@@ -27,23 +27,23 @@
The mailing lists are the most direct way of addressing
questions or opening a technical discussion to a concentrated
- FreeBSD audience. There are a wide variety of lists on a number
- of different FreeBSD topics. Addressing your questions to the
+ &os; audience. There are a wide variety of lists on a number
+ of different &os; topics. Sending questions to the
most appropriate mailing list will invariably assure a faster
and more accurate response.The charters for the various lists are given at the bottom
of this document. Please read the charter before
- joining or sending mail to any list. Most of our
- list subscribers now receive many hundreds of FreeBSD related
- messages every day, and by setting down charters and rules for
- proper use we are striving to keep the signal-to-noise ratio
+ joining or sending mail to any list. Most
+ list subscribers receive many hundreds of &os; related
+ messages every day, and the charters and rules for
+ use are meant to keep the signal-to-noise ratio
of the lists high. To do less would see the mailing lists
ultimately fail as an effective communications medium for the
- project.
+ Project.
- If you wish to test your ability to send to
+ To test the ability to send email to
&os; lists, send a test message to &a.test.name;.
Please do not send test messages to any other list.
@@ -61,11 +61,11 @@
Archives are kept for all of the mailing lists and can be
searched using the FreeBSD World Wide Web
+ url="&url.base;/search/index.html">&os; World Wide Web
server. The keyword searchable archive offers an
excellent way of finding answers to frequently asked questions
and should be consulted before posting a question. Note that
- this also means that messages sent to FreeBSD mailing lists
+ this also means that messages sent to &os; mailing lists
are archived in perpetuity. When protecting privacy is a
concern, consider using a disposable secondary email address
and posting only public information.
@@ -89,12 +89,13 @@
&a.advocacy.name;
- FreeBSD Evangelism
+ &os; Evangelism&a.announce.name;
- Important events and project milestones (moderated)
+ Important events and Project milestones
+(moderated)
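Review bot: the continuation "(moderated)" in the announce entry is split onto a new line with no indentation, unlike the other entries in this list (the amd64 entry keeps "(moderated)" on the same line); join it back onto the previous line.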
@@ -105,7 +106,7 @@
&a.bugbusters.name;Discussions pertaining to the maintenance of
- the FreeBSD problem report database and related
+ the &os; problem report database and related
tools
@@ -116,13 +117,13 @@
&a.chat.name;
- Non-technical items related to the FreeBSD
+ Non-technical items related to the &os;
community&a.chromium.name;
- FreeBSD-specific Chromium issues
+ &os;-specific Chromium issues
@@ -134,12 +135,12 @@
&a.isp.name;Issues for Internet Service Providers using
- FreeBSD
+ &os;
&a.jobs.name;
- FreeBSD employment and consulting
+ &os; employment and consulting
opportunities
@@ -161,7 +162,7 @@
&a.test.name;
- Where to send your test messages instead of
+ Where to send test messages instead of to
one of the actual lists
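Review bot: "Where to send test messages instead of to one of the actual lists" is awkward; "instead of to" could become "rather than to one of the actual lists", or the entry could simply read "Where to send test messages".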
@@ -169,7 +170,7 @@
Technical lists: The following
- lists are for technical discussion. You should read the
+ lists are for technical discussion. Read the
charter for each list carefully before joining or sending
mail to one as there are firm guidelines for their use and
content.
@@ -191,7 +192,7 @@
&a.afs.name;
- Porting AFS to FreeBSD
+ Porting AFS to &os;
@@ -202,7 +203,7 @@
&a.amd64.name;
- Porting FreeBSD to AMD64 systems (moderated)
+ Porting &os; to AMD64 systems (moderated)
@@ -214,22 +215,22 @@
&a.arm.name;
- Porting FreeBSD to &arm; processors
+ Porting &os; to &arm; processors&a.atm.name;
- Using ATM networking with FreeBSD
+ Using ATM networking with &os;&a.bluetooth.name;
- Using &bluetooth; technology in FreeBSD
+ Using &bluetooth; technology in &os;&a.cluster.name;
- Using FreeBSD in a clustered environment
+ Using &os; in a clustered environment
@@ -240,7 +241,7 @@
&a.database.name;Discussing database use and development under
- FreeBSD
+ &os;
@@ -250,7 +251,7 @@
&a.doc.name;
- Creating FreeBSD related documents
+ Creating &os; related documents
@@ -260,19 +261,19 @@
&a.eclipse.name;
- FreeBSD users of Eclipse IDE, tools, rich client
+ &os; users of Eclipse IDE, tools, rich client
applications and ports.&a.embedded.name;
- Using FreeBSD in embedded applications
+ Using &os; in embedded applications&a.eol.name;
- Peer support of FreeBSD-related software that
- is no longer supported by the FreeBSD project.
+ Peer support of &os;-related software that
+ is no longer supported by the &os; Project.
@@ -283,7 +284,7 @@
&a.firewire.name;
- FreeBSD &firewire; (iLink, IEEE 1394) technical
+ &os; &firewire; (iLink, IEEE 1394) technical
discussion
@@ -318,29 +319,29 @@
&a.hardware.name;General discussion of hardware for running
- FreeBSD
+ &os;
&a.i18n.name;
- FreeBSD Internationalization
+ &os; Internationalization&a.ia32.name;
- FreeBSD on the IA-32 (&intel; x86)
+ &os; on the IA-32 (&intel; x86)
platform&a.ia64.name;
- Porting FreeBSD to &intel;'s upcoming IA64
+ Porting &os; to &intel;'s upcoming IA64
systems&a.infiniband.name;
- Infiniband on FreeBSD
+ Infiniband on &os;
@@ -363,23 +364,17 @@
&a.java.name;&java; developers and people porting &jdk;s to
- FreeBSD
-
-
-
- &a.kde.name;
- Porting KDE and
- KDE applications
+ &os;
&a.lfs.name;
- Porting LFS to FreeBSD
+ Porting LFS to &os;&a.mips.name;
- Porting FreeBSD to &mips;
+ Porting &os; to &mips;
@@ -389,13 +384,13 @@
&a.mono.name;
- Mono and C# applications on FreeBSD
+ Mono and C# applications on &os;&a.mozilla.name;Porting Mozilla to
- FreeBSD
+ &os;
@@ -468,18 +463,18 @@
&a.ppc.name;
- Porting FreeBSD to the &powerpc;
+ Porting &os; to the &powerpc;&a.proliant.name;
- Technical discussion of FreeBSD on HP ProLiant
+ Technical discussion of &os; on HP ProLiant
server platforms&a.python.name;
- FreeBSD-specific Python issues
+ &os;-specific Python issues
@@ -492,12 +487,12 @@
&a.realtime.name;Development of realtime extensions to
- FreeBSD
+ &os;
&a.ruby.name;
- FreeBSD-specific Ruby discussions
+ &os;-specific Ruby discussions
@@ -507,12 +502,12 @@
&a.security.name;
- Security issues affecting FreeBSD
+ Security issues affecting &os;&a.small.name;
- Using FreeBSD in embedded applications
+ Using &os; in embedded applications
(obsolete; use &a.embedded.name; instead)
@@ -523,12 +518,12 @@
&a.sparc.name;
- Porting FreeBSD to &sparc; based systems
+ Porting &os; to &sparc; based systems&a.standards.name;
- FreeBSD's conformance to the C99 and the &posix;
+ &os;'s conformance to the C99 and the &posix;
standards
@@ -539,23 +534,23 @@
&a.tcltk.name;
- FreeBSD-specific Tcl/Tk discussions
+ &os;-specific Tcl/Tk discussions&a.threads.name;
- Threading in FreeBSD
+ Threading in &os;&a.tilera.name;
- Porting FreeBSD to the Tilera family of
+ Porting &os; to the Tilera family of
CPUs&a.tokenring.name;
- Support Token Ring in FreeBSD
+ Support Token Ring in &os;
@@ -582,7 +577,7 @@
&a.x11.name;
- Maintenance and support of X11 on FreeBSD
+ Maintenance and support of X11 on &os;
@@ -610,7 +605,7 @@
are for more specialized (and demanding) audiences and are
probably not of interest to the general public. It is also
a good idea to establish a presence in the technical lists
- before joining one of these limited lists so that you will
+ before joining one of these limited lists in order to
understand the communications etiquette involved.
@@ -636,7 +631,7 @@
&a.wip-status.name;
- FreeBSD Work-In-Progress Status
+ &os; Work-In-Progress Status
@@ -650,7 +645,7 @@
Digest lists: All of the above lists
are available in a digest format. Once subscribed to a list,
- you can change your digest options in your account options
+ the digest options can be changed in the account options
section.SVN lists: The following lists
@@ -834,38 +829,38 @@
How to Subscribe
- To subscribe to a list, click on the list name above or
- go to &a.mailman.lists.link; and click on the list that you
- are interested in. The list page should contain all of the
- necessary subscription instructions.
+ To subscribe to a list, click the list name at
+ &a.mailman.lists.link;.
+ The page that is displayed should contain all of the
+ necessary subscription instructions for that list.To actually post to a given list, send mail to
listname@FreeBSD.org.
It will then be redistributed to mailing list members
world-wide.
- To unsubscribe yourself from a list, click on the URL
+ To unsubscribe from a list, click on the URL
found at the bottom of every email received from the list.
It is also possible to send an email to
listname-unsubscribe@FreeBSD.org
- to unsubscribe yourself.
+ to unsubscribe.
- Again, we would like to request that you keep discussion
- in the technical mailing lists on a technical track. If you
- are only interested in important announcements then it is
- suggested that you join the &a.announce;, which is intended
- only for infrequent traffic.
+ It is important to keep discussion
+ in the technical mailing lists on a technical track. To
+ only receive important announcements, instead
+ join the &a.announce;, which is intended
+ for infrequent traffic.List Charters
- All FreeBSD mailing lists have
+ All &os; mailing lists have
certain basic rules which must be adhered to by anyone using
them. Failure to comply with these guidelines will result
- in two (2) written warnings from the FreeBSD Postmaster
+ in two (2) written warnings from the &os; Postmaster
postmaster@FreeBSD.org, after which, on a
- third offense, the poster will removed from all FreeBSD
+ third offense, the poster will removed from all &os;
mailing lists and filtered from further posting to them. We
regret that such rules and measures are necessary at all,
but today's Internet is a pretty harsh environment, it would
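Review bot: the rewritten line "the poster will removed from all &os; mailing lists" carries over a pre-existing typo; it should be "will be removed". The following "but today's Internet is a pretty harsh environment, it would" is a comma splice that this pass could also fix.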
@@ -877,8 +872,8 @@
The topic of any posting should adhere to the basic
- charter of the list it is posted to, e.g., if the list
- is about technical issues then your posting should contain
+ charter of the list it is posted to. If the list
+ is about technical issues, the posting should contain
technical discussion. Ongoing irrelevant chatter or
flaming only detracts from the value of the mailing list
for everyone on it and will not be tolerated. For
@@ -893,11 +888,11 @@
a great deal of subscriber overlap and except for the most
esoteric mixes (say -stable & -scsi),
there really is no reason to post to more than one list at
- a time. If a message is sent to you in such a way that
- multiple mailing lists appear on the Cc
- line then the Cc line should also be
- trimmed before sending it out again. You are
- still responsible for your own cross-postings, no matter
+ a time. If a message is received with
+ multiple mailing lists on the Cc
+ line, trim the Cc line
+ before replying. The person who replies is
+ still responsible for cross-posting, no matter
who the originator might have been.
@@ -915,7 +910,7 @@
- Advertising of non-FreeBSD related products or
+ Advertising of non-&os; related products or
services is strictly prohibited and will result in an
immediate ban if it is clear that the offender is
advertising by spam.
@@ -954,10 +949,10 @@
milestonesThis is the mailing list for people interested
- only in occasional announcements of significant FreeBSD
+ only in occasional announcements of significant &os;
events. This includes announcements about snapshots
and other releases. It contains announcements of new
- FreeBSD capabilities. It may contain calls for
+ &os; capabilities. It may contain calls for
volunteers etc. This is a low volume, strictly
moderated mailing list.
@@ -970,7 +965,7 @@
Architecture and design
discussions
- This list is for discussion of the FreeBSD
+ This list is for discussion of the &os;
architecture. Messages will mostly be kept strictly
technical in nature. Examples of suitable topics
are:
@@ -1003,9 +998,9 @@
&a.bluetooth.name;
- &bluetooth; in FreeBSD
+ &bluetooth; in &os;
- This is the forum where FreeBSD's &bluetooth; users
+ This is the forum where &os;'s &bluetooth; users
congregate. Design issues, implementation details,
patches, bug reports, status reports, feature requests,
and all matters related to &bluetooth; are fair
@@ -1035,7 +1030,7 @@
Bug reportsThis is the mailing list for reporting bugs in
- FreeBSD. Whenever possible, bugs should be submitted
+ &os;. Whenever possible, bugs should be submitted
using the &man.send-pr.1; command or the WEB
interface to it.
@@ -1046,7 +1041,7 @@
&a.chat.name;
- Non technical items related to the FreeBSD
+ Non technical items related to the &os;
communityThis list contains the overflow from the other
@@ -1066,11 +1061,11 @@
&a.chromium.name;
- FreeBSD-specific Chromium
+ &os;-specific Chromium
issuesThis is a list for the discussion of Chromium
- support for FreeBSD. This is a technical list to
+ support for &os;. This is a technical list to
discuss development and installation of Chromium.
@@ -1079,11 +1074,11 @@
&a.core.name;
- FreeBSD core team
+ &os; core teamThis is an internal mailing list for use by the core
members. Messages can be sent to it when a serious
- FreeBSD-related matter requires arbitration or
+ &os;-related matter requires arbitration or
high-level scrutiny.
@@ -1109,10 +1104,10 @@
&a.cvsweb.name;
- FreeBSD CVSweb Project
+ &os; CVSweb ProjectTechnical discussions about use, development and
- maintenance of FreeBSD-CVSweb.
+ maintenance of &os;-CVSweb.
@@ -1134,12 +1129,12 @@
&a.doc.name;
- Documentation project
+ Documentation ProjectThis mailing list is for the discussion of issues
and projects related to the creation of documentation
- for FreeBSD. The members of this mailing list are
- collectively referred to as The FreeBSD
+ for &os;. The members of this mailing list are
+ collectively referred to as The &os;
Documentation Project. It is an open list;
feel free to join and contribute!
@@ -1189,13 +1184,13 @@
&a.embedded.name;
- Using FreeBSD in embedded
+ Using &os; in embedded
applications
- This list discusses topics related to using FreeBSD
+ This list discusses topics related to using &os;
in embedded systems. This is a technical mailing list
for which strictly technical content is expected. For
- the purpose of this list we define embedded systems as
+ the purpose of this list, embedded systems are
those computing devices which are not desktops and which
usually serve a single purpose as opposed to being
general computing environments. Examples include, but
@@ -1223,15 +1218,15 @@
&a.eol.name;
- Peer support of FreeBSD-related software
- that is no longer supported by the FreeBSD
- project.
+ Peer support of &os;-related software
+ that is no longer supported by the &os;
+ Project.This list is for those interested in providing or
- making use of peer support of FreeBSD-related software
- for which the FreeBSD project no longer provides
- official support (e.g., in the form of security
- advisories and patches).
+ making use of peer support of &os;-related software
+ for which the &os; Project no longer provides
+ official support in the form of security
+ advisories and patches.
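Review bot: dropping "e.g." in "official support in the form of security advisories and patches" changes the sentence from giving examples to stating that official support consists only of advisories and patches. If the parenthetical is to go, "such as" preserves the original scope: "official support, such as security advisories and patches."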
@@ -1244,7 +1239,7 @@
This is a mailing list for discussion of the design
and implementation of a &firewire; (aka IEEE 1394 aka
- iLink) subsystem for FreeBSD. Relevant topics
+ iLink) subsystem for &os;. Relevant topics
specifically include the standards, bus devices and
their protocols, adapter boards/cards/chips sets, and
the architecture and implementation of code for their
@@ -1258,7 +1253,7 @@
File systems
- Discussions concerning FreeBSD file systems.
+ Discussions concerning &os; filesystems.
This is a technical mailing list for which strictly
technical content is expected.
@@ -1300,7 +1295,7 @@
Discussions concerning The
GNOME Desktop Environment
- for FreeBSD systems. This is a technical mailing list
+ for &os; systems. This is a technical mailing list
for which strictly technical content is expected.
@@ -1324,7 +1319,7 @@
This is the forum for technical discussions
concerning the redesign of the IP firewall code in
- FreeBSD. This is a technical mailing list for which
+ &os;. This is a technical mailing list for which
strictly technical content is expected.
@@ -1333,10 +1328,10 @@
&a.ia64.name;
- Porting FreeBSD to IA64
+ Porting &os; to IA64This is a technical mailing list for individuals
- actively working on porting FreeBSD to the IA-64
+ actively working on porting &os; to the IA-64
platform from &intel;, to bring up problems or discuss
alternative solutions. Individuals interested in
following the technical discussion are also
@@ -1351,7 +1346,7 @@
ISDN CommunicationsThis is the mailing list for people discussing the
- development of ISDN support for FreeBSD.
+ development of ISDN support for &os;.
@@ -1363,7 +1358,7 @@
This is the mailing list for people discussing the
development of significant &java; applications for
- FreeBSD and the porting and maintenance of
+ &os; and the porting and maintenance of
&jdk;s.
@@ -1375,17 +1370,17 @@
Jobs offered and soughtThis is a forum for posting employment notices
- and resumes specifically related to &os;, e.g., if you
- are seeking &os;-related employment or have a job
- involving &os; to advertise then this is the right
- place. This is not a mailing list
+ specifically related to &os; and resumes from those
+ seeking &os;-related employment. This is
+ not a mailing list
for general employment issues since adequate forums
for that already exist elsewhere.Note that this list, like other FreeBSD.org mailing lists,
- is distributed worldwide. Thus, you need to be clear
- about location and the extent to which telecommuting or
+ is distributed worldwide. Be clear
+ about the geographic location and the extent to which
+ telecommuting or
assistance with relocation is available.Email should use open formats only —
@@ -1404,7 +1399,7 @@
KDEDiscussions concerning
- KDE on FreeBSD systems.
+ KDE on &os; systems.
This is a technical mailing list for which strictly
technical content is expected.
@@ -1417,8 +1412,8 @@
Technical discussionsThis is a forum for technical discussions related
- to FreeBSD. This is the primary technical mailing list.
- It is for individuals actively working on FreeBSD, to
+ to &os;. This is the primary technical mailing list.
+ It is for individuals actively working on &os;, to
bring up problems or discuss alternative solutions.
Individuals interested in following the technical
discussion are also welcome. This is a technical
@@ -1431,11 +1426,11 @@
&a.hardware.name;
- General discussion of FreeBSD
+ General discussion of &os;
hardwareGeneral discussion about the types of hardware
- that FreeBSD runs on, various problems and suggestions
+ that &os; runs on, various problems and suggestions
concerning what to buy or avoid.
@@ -1447,7 +1442,7 @@
Mirror sitesAnnouncements and discussion for people who run
- FreeBSD mirror sites.
+ &os; mirror sites.
@@ -1459,7 +1454,7 @@
ProvidersThis mailing list is for discussing topics relevant
- to Internet Service Providers (ISPs) using FreeBSD.
+ to Internet Service Providers (ISPs) using &os;.
This is a technical mailing list for which strictly
technical content is expected.
@@ -1470,7 +1465,7 @@
Mono and C# applications on
- FreeBSD
+ &os;This is a list for discussions related to the Mono
development framework on &os;. This is a technical
@@ -1503,7 +1498,7 @@
AnnouncementsThis is the mailing list for people interested in
- changes and issues related to the FreeBSD.org project
+ changes and issues related to the FreeBSD.org Project
infrastructure.This moderated list is strictly for announcements: no replies,
@@ -1515,21 +1510,21 @@
&a.performance.name;
- Discussions about tuning or speedingup
- FreeBSD
+ Discussions about tuning or speeding up
+ &os;This mailing list exists to provide a place for
hackers, administrators, and/or concerned parties to
discuss performance related topics pertaining to
- FreeBSD. Acceptable topics includes talking about
- FreeBSD installations that are either under high load,
+ &os;. Acceptable topics includes talking about
+ &os; installations that are either under high load,
are experiencing performance problems, or are pushing
- the limits of FreeBSD. Concerned parties that are
+ the limits of &os;. Concerned parties that are
willing to work toward improving the performance of
- FreeBSD are highly encouraged to subscribe to this list.
+ &os; are highly encouraged to subscribe to this list.
This is a highly technical list ideally suited for
- experienced FreeBSD users, hackers, or administrators
- interested in keeping FreeBSD fast, robust, and
+ experienced &os; users, hackers, or administrators
+ interested in keeping &os; fast, robust, and
scalable. This list is not a question-and-answer list
that replaces reading through documentation, but it is a
place to make contributions or inquire about unanswered
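Review bot: "Acceptable topics includes talking about", carried into the new line, has a subject-verb disagreement; it should be "Acceptable topics include". The line is being rewritten for the &os; entity anyway, so the fix belongs in the same touch.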
@@ -1546,7 +1541,7 @@
filter firewall systemDiscussion concerning the packet filter (pf)
- firewall system in terms of FreeBSD. Technical
+ firewall system in terms of &os;. Technical
discussion and user questions are both welcome. This
list is also a place to discuss the ALTQ QoS
framework.
@@ -1581,8 +1576,8 @@
Porting to Non &intel;
platforms
- Cross-platform FreeBSD issues, general discussion
- and proposals for non &intel; FreeBSD ports. This is
+ Cross-platform &os; issues, general discussion
+ and proposals for non &intel; &os; ports. This is
a technical mailing list for which strictly technical
content is expected.
@@ -1595,7 +1590,7 @@
Discussion of
ports
- Discussions concerning FreeBSD's ports
+ Discussions concerning &os;'s ports
collection (/usr/ports),
ports infrastructure, and general ports coordination
efforts. This is a technical mailing list for which
@@ -1628,7 +1623,7 @@
Discussion of
ports bugs
- Discussions concerning problem reports for FreeBSD's
+ Discussions concerning problem reports for &os;'s
ports collection
(/usr/ports), proposed ports, or
modifications to ports. This is a technical mailing
@@ -1641,11 +1636,11 @@
&a.proliant.name;
- Technical discussion of FreeBSD on HP
+ Technical discussion of &os; on HP
ProLiant server platformsThis mailing list is to be used for the technical
- discussion of the usage of FreeBSD on HP ProLiant
+ discussion of the usage of &os; on HP ProLiant
servers, including the discussion of ProLiant-specific
drivers, management software, configuration tools, and
BIOS updates. As such, this is the primary place to
@@ -1658,13 +1653,13 @@
&a.python.name;
- Python on FreeBSD
+ Python on &os;This is a list for discussions related to improving
- Python-support on FreeBSD. This is a technical mailing
+ Python-support on &os;. This is a technical mailing
list. It is for individuals working on porting Python,
its 3rd party modules and
- Zope stuff to FreeBSD.
+ Zope stuff to &os;.
Individuals interested in following the technical
discussion are also welcome.
@@ -1677,9 +1672,9 @@
User questionsThis is the mailing list for questions about
- FreeBSD. You should not send how to
- questions to the technical lists unless you consider
- the question to be pretty technical.
+ &os;. Do not send how to
+ questions to the technical lists unless
+ the question is quite technical.
@@ -1687,11 +1682,11 @@
&a.ruby.name;
- FreeBSD-specific Ruby
+ &os;-specific Ruby
discussionsThis is a list for discussions related to the Ruby
- support on FreeBSD. This is a technical mailing
+ support on &os;. This is a technical mailing
list. It is for individuals working on Ruby ports,
3rd party libraries and frameworks.
@@ -1707,7 +1702,7 @@
SCSI subsystemThis is the mailing list for people working on
- the SCSI subsystem for FreeBSD. This is a technical
+ the SCSI subsystem for &os;. This is a technical
mailing list for which strictly technical content is
expected.
@@ -1719,7 +1714,7 @@
Security issues
- FreeBSD computer security issues (DES, Kerberos,
+ &os; computer security issues (DES, Kerberos,
known security holes and fixes, etc). This is a
technical mailing list for which strictly technical
discussion is expected. Note that this is not a
@@ -1734,7 +1729,7 @@
Security Notifications
- Notifications of FreeBSD security problems and
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
From owner-svn-doc-projects@FreeBSD.ORG Fri May 3 12:16:08 2013

Delivered-To: svn-doc-projects@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
[IPv6:2001:1900:2254:206a::19:1])
by hub.freebsd.org (Postfix) with ESMTP id 1DEE29BB;
Fri, 3 May 2013 12:16:08 +0000 (UTC) (envelope-from dru@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org
[IPv6:2001:1900:2254:2068::e6a:0])
by mx1.freebsd.org (Postfix) with ESMTP id 0FCF81CEA;
Fri, 3 May 2013 12:16:08 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r43CG78S047076;
Fri, 3 May 2013 12:16:07 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost)
by svn.freebsd.org (8.14.6/8.14.5/Submit) id r43CG72x047075;
Fri, 3 May 2013 12:16:07 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201305031216.r43CG72x047075@svn.freebsd.org>
From: Dru Lavigne
Date: Fri, 3 May 2013 12:16:07 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41544 -
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security
X-SVN-Group: doc-projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-projects@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for doc projects trees
X-List-Received-Date: Fri, 03 May 2013 12:16:08 -0000
Author: dru
Date: Fri May 3 12:16:07 2013
New Revision: 41544
URL: http://svnweb.freebsd.org/changeset/doc/41544
Log:
White space fix only. Translators can ignore.
Approved by: bcr (mentor)
Modified:
projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri May 3 08:43:29 2013 (r41543)
+++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri May 3 12:16:07 2013 (r41544)
@@ -27,10 +27,10 @@
This chapter provides a basic introduction to system
security concepts, some general good rules of thumb, and some
advanced topics under &os;. Many of the topics covered here
- can be applied to system and Internet security in general.
- Securing a system is imperative to protect data,
- intellectual property, time, and much more from the hands of
- hackers and the like.
+ can be applied to system and Internet security in general.
+ Securing a system is imperative to protect data, intellectual
+ property, time, and much more from the hands of hackers and the
+ like.&os; provides an array of utilities and mechanisms to
protect the integrity and security of the system and
@@ -173,8 +173,8 @@
DoS attack. Many sysadmins still run
unencrypted services, meaning that users logging into the
system from a remote location are vulnerable to having their
- password sniffed. The attentive sysadmin analyzes the
- remote access logs looking for suspicious source addresses and
+ password sniffed. The attentive sysadmin analyzes the remote
+ access logs looking for suspicious source addresses and
suspicious logins.In a well secured and maintained system, access to a user
@@ -289,10 +289,9 @@
should be configured. One method is to add appropriate user
accounts to wheel in
/etc/group. Members of
- wheel are allowed to
- &man.su.1; to root. Only
- those users who actually need to have
- root access should be placed in
+ wheel are allowed to &man.su.1; to
+ root. Only those users who actually need
+ to have root access should be placed in
wheel. When using Kerberos for
authentication, create a .k5login in
the home directory of root to allow
@@ -333,9 +332,8 @@
as few services as possible and run a password-protected
screensaver. Of course, given physical access to any system,
an attacker can break any sort of security. Fortunately,
- many break-ins occur remotely, over a network,
- from people who do not have physical access to the
- system.
+ many break-ins occur remotely, over a network, from people who
+ do not have physical access to the system.Using Kerberos provides the ability to disable or change
the password for a user in one place, and have it immediately
@@ -358,21 +356,19 @@
&man.sshd.8;
- The prudent sysadmin only enables required services
- and is aware that third party servers are often the most
- bug-prone. Never run a server that has not been checked
- out carefully. Think twice before running any service as
+ The prudent sysadmin only enables required services and is
+ aware that third party servers are often the most bug-prone.
+ Never run a server that has not been checked out carefully.
+ Think twice before running any service as
root as many daemons can be run as a
separate service account or can be started in a
sandbox. Do not activate insecure
- services such as &man.telnetd.8; or
- &man.rlogind.8;.
+ services such as &man.telnetd.8; or &man.rlogind.8;.Another potential security hole is SUID-root and SGID
- binaries. Most of these binaries, such as
- &man.rlogin.1;, reside in /bin, /sbin, /bin,
+ /sbin, /usr/bin, or /usr/sbin. While nothing is
100% safe, the system-default SUID and SGID binaries can be
@@ -400,22 +396,21 @@
User accounts are usually the most difficult to secure.
Be vigilant in the monitoring of user accounts. Use of
- &man.ssh.1; and Kerberos for user accounts
- requires extra administration and technical support, but
- provides a good solution compared to an encrypted password
- file.
+ &man.ssh.1; and Kerberos for user accounts requires extra
+ administration and technical support, but provides a good
+ solution compared to an encrypted password file.Securing the Password FileThe only sure fire way is to star out as many passwords as
- possible and use &man.ssh.1; or Kerberos
- for access to those accounts. Even though the encrypted
- password file (/etc/spwd.db) can only be
- read by root, it may be possible for an
- intruder to obtain read access to that file even if the
- attacker cannot obtain root-write access.
+ possible and use &man.ssh.1; or Kerberos for access to those
+ accounts. Even though the encrypted password file
+ (/etc/spwd.db) can only be read by
+ root, it may be possible for an intruder
+ to obtain read access to that file even if the attacker cannot
+ obtain root-write access.Security scripts should be used to check for and report
changes to the password file as described in the
Bumping the security level to 1 or higher may cause a
- few
- problems to &xorg;, as access to
- /dev/io will be blocked, or to the
+ few problems to &xorg;, as access
+ to /dev/io will be blocked, or to the
installation of &os; built from source as
installworld needs to temporarily
reset the append-only and immutable flags of some files.
@@ -495,9 +489,9 @@
If the kernel's security level is raised to 1 or a higher
value, it may be useful to set the schg
- flag on critical startup binaries, directories, script
- files, and everything that gets run up to the point where
- the security level is set. A less strict compromise is to run
+ flag on critical startup binaries, directories, script files,
+ and everything that gets run up to the point where the
+ security level is set. A less strict compromise is to run
the system at a higher security level but skip setting the
schg flag. Another possibility is to
mount / and One can only protect the core system configuration and
control files so much before the convenience factor rears its
- ugly head. For example, using &man.chflags.1; to
- set the schg bit on most of the files in
- / and schg bit on most of the files in / and /usr is probably
counterproductive, because while it may protect the files, it
also closes an intrusion detection window. Security measures
@@ -527,21 +521,19 @@
for modified files is from another, often centralized,
limited-access system. Writing security scripts on the
extra-security limited-access system makes them mostly
- invisible
- to potential attackers. In order to take maximum advantage,
- the limited-access box needs significant access to the other
- machines, usually either through a read-only
+ invisible to potential attackers. In order to take maximum
+ advantage, the limited-access box needs significant access to
+ the other machines, usually either through a read-only
NFS export or by setting up
- &man.ssh.1; key-pairs. Except for its
- network traffic, NFS is the least visible
- method, allowing the administrator to monitor the filesystems
- on each client box virtually undetected. If a limited-access
- server is connected to the client boxes through
- a switch, the NFS method is often the
- better choice. If a limited-access server is connected to the
- client boxes through several layers of routing, the
- NFS method may be too insecure and
- &man.ssh.1; may be the better
+ &man.ssh.1; key-pairs. Except for its network traffic,
+ NFS is the least visible method, allowing
+ the administrator to monitor the filesystems on each client
+ box virtually undetected. If a limited-access server is
+ connected to the client boxes through a switch, the
+ NFS method is often the better choice. If
+ a limited-access server is connected to the client boxes
+ through several layers of routing, the NFS
+ method may be too insecure and &man.ssh.1; may be the better
choice.Once a limited-access box has been given at least read
@@ -561,14 +553,13 @@
class="directory">/ and /usr.
- When using &man.ssh.1; rather than
- NFS, writing the security script is more
- difficult. For example, &man.scp.1; is needed to
- send the scripts to the client box in order to run them. The
- &man.ssh.1; client
- on the client box may already be compromised. Using
- &man.ssh.1; may be necessary when running
- over insecure links, but it is harder to deal with.
+ When using &man.ssh.1; rather than NFS,
+ writing the security script is more difficult. For example,
+ &man.scp.1; is needed to send the scripts to the client box in
+ order to run them. The &man.ssh.1; client on the client box
+ may already be compromised. Using &man.ssh.1; may be
+ necessary when running over insecure links, but it is harder
+ to deal with.A good security script will also check for changes to
hidden configuration files, such as
@@ -613,8 +604,7 @@
thought. More importantly, a security administrator should
mix it up a bit. If recommendations, such as those mentioned
in this section, are applied verbatim, those methodologies are
- given to
- the prospective attacker who also has access to this
+ given to the prospective attacker who also has access to this
document.
@@ -657,10 +647,9 @@
&man.inetd.8; carefully and pay specific attention to
, , and
. Spoofed IP attacks will circumvent
- to &man.inetd.8;, so
- typically a combination of options must be used. Some
- standalone servers have self-fork-limitation
- parameters.
+ to &man.inetd.8;, so typically a
+ combination of options must be used. Some standalone servers
+ have self-fork-limitation parameters.Sendmail provides
, which tends to work
@@ -681,13 +670,12 @@
reasonable MaxDaemonChildren to prevent
cascade failures.
- &man.syslogd.8; can be attacked
- directly and it is strongly recommended to use
+ &man.syslogd.8; can be attacked directly and it is
+ strongly recommended to use
whenever possible, and
otherwise.
- Be careful with connect-back
- services such as
+ Be careful with connect-back services such as
reverse-identd, which can be attacked directly. The
reverse-ident feature of
TCP Wrappers is not recommended for
@@ -701,7 +689,7 @@
exclusive firewall which denies everything by default except
for traffic which is explicitly allowed. The range of port
numbers used for dynamic binding in &os; is controlled by
- several net.inet.ip.portrange
+ several net.inet.ip.portrange
&man.sysctl.8; variables.Another common DoS attack, called a
@@ -725,26 +713,26 @@
the &man.sysctl.8; variable
net.inet.icmp.icmplim to limit these
attacks. The last major class of springboard attacks is
- related to certain internal &man.inetd.8;
- services such as the UDP echo service. An attacker spoofs a
- UDP packet with a source address of server A's echo port
- and a destination address of server B's echo port, where
- server A and B on the same LAN. The two servers bounce this
- one packet back and forth between each other. The attacker
- can overload both servers and the LAN by injecting a few
- packets in this manner. Similar problems exist with the
+ related to certain internal &man.inetd.8; services such as the
+ UDP echo service. An attacker spoofs a UDP packet with a
+ source address of server A's echo port and a destination
+ address of server B's echo port, where server A and B on the
+ same LAN. The two servers bounce this one packet back and
+ forth between each other. The attacker can overload both
+ servers and the LAN by injecting a few packets in this manner.
+ Similar problems exist with the
chargen port. These inetd-internal
test services should remain disabled.
- Spoofed packet attacks may be used to overload the
- kernel route cache. Refer to the
+ Spoofed packet attacks may be used to overload the kernel
+ route cache. Refer to the
net.inet.ip.rtexpire,
rtminexpire, and
- rtmaxcache &man.sysctl.8;
- parameters. A spoofed packet attack that uses a random source
- IP will cause the kernel to generate a temporary cached route
- in the route table, viewable with netstat -rna |
- fgrep W3. These routes typically timeout in 1600
+ rtmaxcache &man.sysctl.8; parameters. A
+ spoofed packet attack that uses a random source IP will cause
+ the kernel to generate a temporary cached route in the route
+ table, viewable with netstat -rna | fgrep
+ W3. These routes typically timeout in 1600
seconds or so. If the kernel detects that the cached route
table has gotten too big, it will dynamically reduce the
rtexpire but will never decrease it to less
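Review bot: the rewrapped line "address of server B's echo port, where server A and B on the same LAN" is missing its verb; it should read "where servers A and B are on the same LAN". Although this commit is whitespace-only, the sentence is being re-flowed here, so the fix belongs in the same change; likewise "These routes typically timeout in 1600 seconds" uses the noun where the verb "time out" is meant.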
@@ -768,9 +756,9 @@
better, it may be prudent to manually override both
rtexpire and rtminexpire
via &man.sysctl.8;. Never set either parameter to zero
- as this could crash the machine. Setting both
- parameters to 2 seconds should be sufficient to protect the
- route table from attack.
+ as this could crash the machine. Setting both parameters to 2
+ seconds should be sufficient to protect the route table from
+ attack.
@@ -778,36 +766,32 @@
&man.ssh.1;
- There are a few issues with both Kerberos and
- &man.ssh.1; that need to be addressed if
- they are used. Kerberos is an excellent authentication
- protocol, but there are bugs in the kerberized versions of
- &man.telnet.1; and &man.rlogin.1; that make them
- unsuitable for dealing with binary streams. By default,
- Kerberos does not encrypt a session unless
- is used whereas &man.ssh.1;
- encrypts everything.
-
- While &man.ssh.1; works well, it
- forwards encryption keys by default. This introduces a
- security risk to a user who uses
- &man.ssh.1; to access an insecure
- machine from a secure workstation. The keys themselves are
- not exposed, but &man.ssh.1; installs a
- forwarding port for the duration of the login. If an attacker
- has broken root on the insecure machine,
- he can utilize that port to gain access to any other machine
- that those keys unlock.
-
- It is recommended that &man.ssh.1; is
- used in combination with Kerberos whenever possible for staff
- logins and &man.ssh.1; can be compiled with
- Kerberos support. This reduces reliance on potentially
- exposed SSH keys while protecting
- passwords via Kerberos.
- Keys should only be used for automated tasks from secure
- machines as this is something that Kerberos is unsuited to.
- It is recommended to either turn off key-forwarding in the
+ There are a few issues with both Kerberos and &man.ssh.1;
+ that need to be addressed if they are used. Kerberos is an
+ excellent authentication protocol, but there are bugs in the
+ kerberized versions of &man.telnet.1; and &man.rlogin.1; that
+ make them unsuitable for dealing with binary streams. By
+ default, Kerberos does not encrypt a session unless
+ is used whereas &man.ssh.1; encrypts
+ everything.
+
+ While &man.ssh.1; works well, it forwards encryption keys
+ by default. This introduces a security risk to a user who
+ uses &man.ssh.1; to access an insecure machine from a secure
+ workstation. The keys themselves are not exposed, but
+ &man.ssh.1; installs a forwarding port for the duration of the
+ login. If an attacker has broken root on
+ the insecure machine, he can utilize that port to gain access
+ to any other machine that those keys unlock.
+
+ It is recommended that &man.ssh.1; is used in combination
+ with Kerberos whenever possible for staff logins and
+ &man.ssh.1; can be compiled with Kerberos support. This
+ reduces reliance on potentially exposed SSH
+ keys while protecting passwords via Kerberos. Keys should
+ only be used for automated tasks from secure machines as this
+ is something that Kerberos is unsuited to. It is recommended
+ to either turn off key-forwarding in the
SSH configuration, or to make use
of from=IP/DOMAIN in
authorized_keys to make the key only
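Review bot: "It is recommended that &man.ssh.1; is used in combination with Kerberos" wants the subjunctive ("be used"), and the clause "and &man.ssh.1; can be compiled with Kerberos support" is a separate statement joined by a bare "and"; splitting it ("for staff logins; &man.ssh.1; can be compiled with Kerberos support") reads better. In the same paragraph, "he can utilize that port" can become "that port can be used" so the text does not assume the attacker's gender.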
@@ -853,11 +837,11 @@
Originally, the only secure way to encrypt passwords in
&unix; was based on the Data Encryption Standard
(DES). Since the source code for
- DES could not be exported
- outside the US, &os; had to find a way to both comply with US
- law and retain compatibility with other &unix; variants that
- used DES. The solution was MD5 which is
- believed to be more secure than DES.
+ DES could not be exported outside the US,
+ &os; had to find a way to both comply with US law and retain
+ compatibility with other &unix; variants that used
+ DES. The solution was MD5 which is believed
+ to be more secure than DES.Recognizing the Crypt Mechanism
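Review bot: "The solution was MD5 which is believed to be more secure than DES" needs a comma before the non-restrictive "which", and the bare name reads as comparing a digest with a cipher; since this paragraph is about password crypt mechanisms, "the MD5-based crypt format" states what is actually being compared.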
@@ -943,30 +927,27 @@
OPIE must be reinitialized.There are a few programs involved in this process.
- &man.opiekey.1; accepts an iteration count, a seed,
- and a secret password, and generates a one-time password or a
- consecutive list of one-time passwords. In addition to
- initializing OPIE,
- &man.opiepasswd.1; is used to change passwords,
- iteration counts, or seeds. It takes either a secret
+ &man.opiekey.1; accepts an iteration count, a seed, and a secret
+ password, and generates a one-time password or a consecutive
+ list of one-time passwords. In addition to initializing
+ OPIE, &man.opiepasswd.1; is used to change
+ passwords, iteration counts, or seeds. It takes either a secret
passphrase, or an iteration count, seed, and a one-time
password. The relevant credential files in
/etc/opiekeys are examined by
- &man.opieinfo.1; which prints out the invoking user's
- current iteration count and seed.
+ &man.opieinfo.1; which prints out the invoking user's current
+ iteration count and seed.There are four different sorts of operations. The first is
- to use &man.opiepasswd.1; over a secure connection to
- set up one-time-passwords for the first time, or to change the
- password or seed. The second operation is to use
- &man.opiepasswd.1; over an insecure connection, in
- conjunction with &man.opiekey.1; over a secure
- connection, to do the same. The third is to use
- &man.opiekey.1; to log in over an insecure
- connection. The fourth is to use &man.opiekey.1; to
- generate a number of keys which can be written down or printed
- out to carry to insecure locations in order to make a connection
- to anywhere.
+ to use &man.opiepasswd.1; over a secure connection to set up
+ one-time-passwords for the first time, or to change the password
+ or seed. The second operation is to use &man.opiepasswd.1; over
+ an insecure connection, in conjunction with &man.opiekey.1; over
+ a secure connection, to do the same. The third is to use
+ &man.opiekey.1; to log in over an insecure connection. The
+ fourth is to use &man.opiekey.1; to generate a number of keys
+ which can be written down or printed out to carry to insecure
+ locations in order to make a connection to anywhere.Secure Connection Initialization
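Review bot: "one-time-passwords" in the first operation is hyphenated differently from "one-time password" used earlier in the same hunk; pick one form. The fourth operation (pre-generating a list to carry to insecure locations) should also say that the printed list is a credential and each entry is consumed on use, since that is what makes it safe to carry.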
@@ -1005,11 +986,11 @@ MOS MALL GOAT ARM AVID COED
To initialize or change the secret password over an
insecure connection, a secure connection is needed to some
- place where &man.opiekey.1; can be run. This might
- be a shell prompt on a trusted machine. An iteration count
- is needed, where 100 is probably a good value, and the seed
- can either be specified or the randomly-generated one used.
- On the insecure connection, the machine being initialized, use
+ place where &man.opiekey.1; can be run. This might be a shell
+ prompt on a trusted machine. An iteration count is needed,
+ where 100 is probably a good value, and the seed can either be
+ specified or the randomly-generated one used. On the insecure
+ connection, the machine being initialized, use
&man.opiepasswd.1;:&prompt.user; opiepasswd
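Review bot: "where 100 is probably a good value" hedges a recommendation the reader has to act on; state it plainly as the suggested count and add that the count is the number of logins available before OPIE must be reinitialized, which the earlier text mentions but does not connect to this choice. "the seed can either be specified or the randomly-generated one used" reads awkwardly; "either specify a seed or accept the randomly generated one" is clearer.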
@@ -1070,10 +1051,10 @@ Password: At this point, generate the one-time password to answer
this login prompt. This must be done on a trusted system
- where it is safe to run &man.opiekey.1;. There
- are versions of this command for &windows;, &macos; and &os;.
- This command needs the iteration count and the seed as command
- line options. Use cut-and-paste from the login prompt on the
+ where it is safe to run &man.opiekey.1;. There are versions
+ of this command for &windows;, &macos; and &os;. This command
+ needs the iteration count and the seed as command line
+ options. Use cut-and-paste from the login prompt on the
machine being logged in to.On the trusted system:
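Review bot: "Use cut-and-paste from the login prompt" does not say what is pasted; say that the iteration count and seed shown in the challenge are copied to the &man.opiekey.1; command line on the trusted system, and that the secret passphrase is typed only there, never on the untrusted machine. That is the security property the paragraph is describing.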
@@ -1093,8 +1074,8 @@ GAME GAG WELT OUT DOWN CHAT
Sometimes there is no access to a trusted machine or
secure connection. In this case, it is possible to use
- &man.opiekey.1; to generate a number of one-time
- passwords beforehand. For example:
+ &man.opiekey.1; to generate a number of one-time passwords
+ beforehand. For example:&prompt.user; opiekey -n 5 30 zz99999
Using the MD5 algorithm to compute response.
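Review bot: the pre-generated list produced by opiekey -n 5 should come with a sentence on handling it: the printed passwords are equivalent to the secret for those five logins, so store the list as carefully as a password and destroy it once used. The paragraph currently presents the list only as a convenience.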
@@ -1158,12 +1139,12 @@ Enter secret pass phrase: <
TCP Wrappers extends the abilities of
to provide support for every
server daemon under its control. It can be configured
- to provide logging support, return messages to
- connections, and permit a daemon to only accept internal
- connections. While some of these features can be provided
- by implementing a firewall, TCP Wrappers adds
- an extra layer of protection and goes beyond the amount of
- control a firewall can provide.
+ to provide logging support, return messages to connections, and
+ permit a daemon to only accept internal connections. While some
+ of these features can be provided by implementing a firewall,
+ TCP Wrappers adds an extra layer of
+ protection and goes beyond the amount of control a firewall can
+ provide.TCP Wrappers should not be considered a
replacement for a properly configured firewall.
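Review bot: "goes beyond the amount of control a firewall can provide" contradicts the sentence that immediately follows ("should not be considered a replacement for a properly configured firewall"). Rephrase the first to say that TCP Wrappers adds per-daemon, application-level control (logging, banners, host-based allow/deny) that a packet filter does not offer, which keeps both statements true.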
@@ -1194,9 +1175,8 @@ Enter secret pass phrase: <
Basic configuration usually takes the form of
daemon : address : action, where
- daemon is the daemon which
- &man.inetd.8; started,
- address is a valid hostname,
+ daemon is the daemon which &man.inetd.8;
+ started, address is a valid hostname,
IP address, or an IPv6 address enclosed in
brackets ([ ]), and action is
either allow or deny.
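Review bot: the address field description should note that hostname patterns are resolved through reverse DNS, so a rule keyed on a hostname is only as trustworthy as the DNS answer; a forward reference to the PARANOID wildcard described later in this section would cover that. Also "an IPv6 address enclosed in brackets ([ ])" should show the brackets as part of the literal syntax.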
@@ -1205,17 +1185,16 @@ Enter secret pass phrase: <
ascending order for a matching rule. When a match is found,
the rule is applied and the search process stops.
- For example, to
- allow POP3 connections via the
- mail/qpopper daemon,
- the following lines should be appended to
+ For example, to allow POP3 connections
+ via the mail/qpopper
+ daemon, the following lines should be appended to
hosts.allow:# This line is required for POP3 connections:
qpopper : ALL : allow
- After adding this line, &man.inetd.8;
- needs to be restarted:
+ After adding this line, &man.inetd.8; needs to be
+ restarted:&prompt.root; service inetd restart
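Review bot: "the following lines should be appended" is followed by a single rule and then "After adding this line"; make the number agree. Since the motivation paragraph above cites restricting a daemon to internal connections, an example that allows qpopper from ALL hosts is a weak illustration; showing a local-network address pattern in place of ALL would demonstrate the feature the section is selling. Finally, hosts_access tables are consulted at connection time, so verify that the inetd restart is actually required here rather than stating it unconditionally.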
@@ -1224,12 +1203,12 @@ qpopper : ALL : allow
Advanced ConfigurationTCP Wrappers provides advanced options
- to allow more control over the way connections are
- handled. In some cases, it may be appropriate to return a
- comment to certain hosts or daemon connections. In other
- cases, a log entry should be recorded or an email sent
- to the administrator. Other situations may require the use of
- a service for local connections only. This is all possible
+ to allow more control over the way connections are handled.
+ In some cases, it may be appropriate to return a comment to
+ certain hosts or daemon connections. In other cases, a log
+ entry should be recorded or an email sent to the
+ administrator. Other situations may require the use of a
+ service for local connections only. This is all possible
through the use of configuration options known as
wildcards, expansion characters and
external command execution.
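Review bot: "return a comment to certain hosts" should be "return a message", which is the term the twist example below uses; also use a consistent list form in "wildcards, expansion characters and external command execution" (the chapter elsewhere uses the serial comma).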
@@ -1241,8 +1220,8 @@ qpopper : ALL : allow
should be denied yet a reason should be sent to the
individual who attempted to establish that connection. That
action is possible with . When a
- connection attempt is made,
- executes a shell command or script. An example exists in
+ connection attempt is made, executes
+ a shell command or script. An example exists in
hosts.allow:# The rest of the daemons are protected.
@@ -1250,15 +1229,14 @@ ALL : ALL \
: severity auth.info \
: twist /bin/echo "You are not welcome to use %d from %h."
- In this example, the message
- You are not allowed to use daemon
- from hostname. will be returned
- for any daemon not previously configured in the access file.
- This is useful for sending a reply back to the
- connection initiator right after the established connection
- is dropped. Any message returned must
- be wrapped in quote (")
- characters.
+ In this example, the message You are not allowed
+ to use daemon from
+ hostname. will be returned for
+ any daemon not previously configured in the access file.
+ This is useful for sending a reply back to the connection
+ initiator right after the established connection is dropped.
+ Any message returned must be wrapped in
+ quote (") characters.It may be possible to launch a denial of service
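Review bot: the prose says the message returned is "You are not allowed to use daemon from hostname." but the configuration at the top of the hunk echoes "You are not welcome to use %d from %h."; make the explanation quote the string actually used and state that %d and %h are expanded to the daemon and client host. The paragraph should also say explicitly that twist denies the connection after sending the message, since the surrounding text only implies it.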
@@ -1268,13 +1246,13 @@ ALL : ALL \
Another possibility is to use .
- Like ,
- implicitly denies the
- connection and may be used to run external shell commands or
- scripts. Unlike ,
- will not send a reply back to the
- individual who established the connection. For example,
- consider the following configuration line:
+ Like ,
+ implicitly denies the connection and may be used to run
+ external shell commands or scripts. Unlike
+ , will not send
+ a reply back to the individual who established the
+ connection. For example, consider the following
+ configuration line:# We do not allow connections from example.com:
ALL : .example.com \
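Review bot: "implicitly denies the connection" for spawn is inconsistent with the example that follows, which ends in an explicit ": deny" (see the next hunk). Either the implicit-deny claim is wrong or the explicit deny is redundant; check hosts_options(5) and describe which option is actually rejecting the connection, otherwise a reader may drop the ": deny" and unintentionally allow the traffic while still logging it.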
@@ -1283,9 +1261,9 @@ ALL : .example.com \
: denyThis will deny all connection attempts from *.example.com and log
- the hostname, IP address, and the
- daemon to which access was attempted to
+ role="fqdn">*.example.com and log the hostname,
+ IP address, and the daemon to which
+ access was attempted to
/var/log/connections.log.This example uses the substitution characters
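Review bot: the paragraph should say that /var/log/connections.log is written by the spawned command, not by syslogd, so its permissions and rotation are the administrator's responsibility and it should be created with restrictive modes before the rule goes live. Also the prose pattern "*.example.com" differs from the configured ".example.com"; say that a leading dot matches the domain and its subdomains.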
@@ -1298,17 +1276,16 @@ ALL : .example.com \
The ALL option may be used to match
every instance of a daemon, domain, or an
- IP address. Another wildcard
- is PARANOID which may be used to match
+ IP address. Another wildcard is
+ PARANOID which may be used to match
any host which provides an IP address
that may be forged. For example,
PARANOID may be used to define an action
to be taken whenever a connection is made from an
IP address that differs from its
hostname. In this example, all connection requests to
- &man.sendmail.8; which have an
- IP address that varies from its hostname
- will be denied:
+ &man.sendmail.8; which have an IP address
+ that varies from its hostname will be denied:# Block possibly spoofed requests to sendmail:
sendmail : PARANOID : deny
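Review bot: "match any host which provides an IP address that may be forged" misdescribes PARANOID; the sentence after it has the right definition (the address does not match its hostname, that is, forward and reverse DNS disagree). Lead with that definition and drop the "may be forged" wording, and note that a PARANOID deny also blocks hosts with merely broken reverse DNS, which is the usual operational surprise.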
@@ -1355,23 +1332,22 @@ sendmail : PARANOID : denyKerberos can be described as an
identity-verifying proxy system. It can also be described as a
- trusted third-party authentication system. After a
- user authenticates with Kerberos,
- their communications can be encrypted to assure privacy and data
+ trusted third-party authentication system. After a user
+ authenticates with Kerberos, their
+ communications can be encrypted to assure privacy and data
integrity.
- The only function of
- Kerberos is to provide
- the secure authentication of users on the network. It
- does not provide authorization functions (what users are allowed
- to do) or auditing functions (what those users did). It is
- recommended that
- Kerberos be used with other security
- methods which provide authorization and audit services.
-
- This section provides a guide on how to
- set up Kerberos as distributed for
- &os;. Refer to the relevant manual pages for more complete
+ The only function of Kerberos is
+ to provide the secure authentication of users on the network.
+ It does not provide authorization functions (what users are
+ allowed to do) or auditing functions (what those users did). It
+ is recommended that Kerberos be used
+ with other security methods which provide authorization and
+ audit services.
+
+ This section provides a guide on how to set up
+ Kerberos as distributed for &os;.
+ Refer to the relevant manual pages for more complete
descriptions.For purposes of demonstrating a
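Review bot: "their communications can be encrypted" and "The only function of Kerberos is to provide the secure authentication of users" sit uneasily together; clarify that authentication establishes a session key which Kerberos-enabled applications may then use to encrypt their traffic, so encryption is provided by those applications, not by the KDC. That also matches the later tcpdump test, which checks the application protocol.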
@@ -1416,8 +1392,8 @@ sendmail : PARANOID : denyKerberos is both the name of a
network authentication protocol and an adjective to describe
programs that implement it, such as
- Kerberos telnet.
- The current version of the protocol is version 5, described in
+ Kerberos telnet. The current
+ version of the protocol is version 5, described in
RFC 1510.Several free implementations of this protocol are
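Review bot: the protocol reference is stale; RFC 1510 has been obsoleted by RFC 4120, so cite the current specification (or both, with the date) rather than only the original. The sentence also runs into the following paragraph in this extraction, so check for a missing paragraph break in the source.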
@@ -1427,24 +1403,22 @@ sendmail : PARANOID : denyKerberos was originally developed,
continues to develop their Kerberos
package. It is commonly used in the US as
- a cryptography product, and has historically been
- affected by US export regulations. The
+ a cryptography product, and has historically been affected by
+ US export regulations. The
MIT Kerberos is
available as the security/krb5 package or port.
- Heimdal
- Kerberos is another version 5
- implementation, and was explicitly developed outside of the
+ role="package">security/krb5 package or port.
+ Heimdal Kerberos is another version
+ 5 implementation, and was explicitly developed outside of the
US to avoid export regulations. The
Heimdal Kerberos distribution is
available as a the security/heimdal package or port,
- and a minimal installation is included in the base &os;
+ and a minimal installation is included in the base &os;
install.
- These instructions
- assume the use of the Heimdal distribution included in
- &os;.
+ These instructions assume the use of the Heimdal
+ distribution included in &os;.
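Review bot: "available as a the security/heimdal package or port" has a stray article ("as a the"); it is an unchanged context line but is worth fixing in this pass since the surrounding sentence is being reflowed. "commonly used in the US as a cryptography product" is also unclear; say that it is distributed as cryptographic software and was therefore subject to US export rules.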
@@ -1464,11 +1438,10 @@ sendmail : PARANOID : denyKerberos realm, and thus has
heightened security concerns.
- While running the
- Kerberos server requires very few
- computing resources, a dedicated machine acting only as a
- KDC is recommended for security
- reasons.
+ While running the Kerberos
+ server requires very few computing resources, a dedicated
+ machine acting only as a KDC is recommended
+ for security reasons.To begin setting up a KDC, ensure that
/etc/rc.conf contains the correct
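Review bot: "is recommended for security reasons" leaves the reason unstated; say that the KDC holds the keys of every principal in the realm (as the database paragraph later notes), so any other service compromised on the same host exposes the whole realm. That turns a vague recommendation into one the reader can weigh.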
@@ -1493,15 +1466,14 @@ kadmind5_server_enable="YES"This /etc/krb5.conf implies that the
KDC will use the fully-qualified hostname
- kerberos.example.org.
- Add a CNAME (alias) entry to the zone file to accomplish this
- if the KDC has a different
- hostname.
+ kerberos.example.org. Add a
+ CNAME (alias) entry to the zone file to accomplish this
+ if the KDC has a different hostname.For large networks with a properly configured
- DNS server, the
- above example could be trimmed to:
+ DNS server, the above example could be
+ trimmed to:[libdefaults]
default_realm = EXAMPLE.ORG
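Review bot: "Add a CNAME (alias) entry to the zone file" should say it is the DNS zone for the realm's domain. For the trimmed configuration, add a caveat that realm and KDC discovery then depend on the _kerberos TXT (and related) records shown below, so the integrity of DNS becomes part of the authentication path; sites that cannot trust their resolvers should keep the explicit [realms] form.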
@@ -1526,33 +1498,28 @@ _kerberos IN TXT EXAMPLE.
server.
- Next, create the
- Kerberos database which
- contains the keys of all principals encrypted with a master
- password. It is not required to remember this password as it
- will be stored in
+ Next, create the Kerberos
+ database which contains the keys of all principals encrypted
+ with a master password. It is not required to remember this
+ password as it will be stored in
/var/heimdal/m-key. To create the
- master key, run &man.kstash.8; and enter a
- password.
+ master key, run &man.kstash.8; and enter a password.
- Once the master key has been created, initialize
- the database using kadmin -l.
- This option instructs
- &man.kadmin.8; to modify the local database files
- directly rather than going through the
- &man.kadmind.8; network service. This handles the
- chicken-and-egg problem of trying to connect to the database
- before it is created. At the &man.kadmin.8;
- prompt, use init to create the realm's
- initial database.
-
- Lastly, while still in &man.kadmin.8;, create
- the first principal using add.
- Stick to the default options for the principal for now, as
- these can be changed later with modify.
- Type ? at the
- &man.kadmin.8; prompt to see the available
- options.
+ Once the master key has been created, initialize the
+ database using kadmin -l. This option
+ instructs &man.kadmin.8; to modify the local database files
+ directly rather than going through the &man.kadmind.8; network
+ service. This handles the chicken-and-egg problem of trying
+ to connect to the database before it is created. At the
+ &man.kadmin.8; prompt, use init to create
+ the realm's initial database.
+
+ Lastly, while still in &man.kadmin.8;, create the first
+ principal using add. Stick to the default
+ options for the principal for now, as these can be changed
+ later with modify. Type
+ ? at the &man.kadmin.8; prompt to see the
+ available options.A sample database creation session is shown below:
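Review bot: "It is not required to remember this password as it will be stored in /var/heimdal/m-key" should be paired with a warning that m-key decrypts the entire principal database, so the file must be readable only by root and included in backups that are themselves protected. Also "This option instructs &man.kadmin.8;" refers to the -l flag named in the previous sentence; saying "The -l option" avoids the dangling reference.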
@@ -1570,12 +1537,12 @@ Attributes []:
Password: xxxxxxxx
Verifying password - Password: xxxxxxxx
- Next, start the KDC
- services. Run service kerberos start and
+ Next, start the KDC services. Run
+ service kerberos start and
service kadmind start to bring up the
services. While there will not be any kerberized daemons
- running at this point, it is possible to confirm that
- the KDC is functioning by obtaining and
+ running at this point, it is possible to confirm that the
+ KDC is functioning by obtaining and
listing a ticket for the principal (user) that was just
created from the command-line of the KDC
itself:
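Review bot: "kerberized daemons" here, "Kerberos enabled daemons" and "Kerberized application" later in the same patch; settle on one term and capitalization. The sentence also buries the purpose of the test: say that obtaining and listing a ticket confirms the KDC, the realm configuration, and the principal's password are working before any service is involved.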
@@ -1611,9 +1578,9 @@ Aug 27 15:37:58 Aug 28 01:37:58 krbtgt
media.Next, create /etc/krb5.keytab.
- This is the major difference between a server
- providing Kerberos enabled
- daemons and a workstation: the server must have a
+ This is the major difference between a server providing
+ Kerberos enabled daemons and a
+ workstation: the server must have a
keytab. This file contains the
server's host key, which allows it and the
KDC to verify each others identity. It
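Review bot: "verify each others identity" should be "each other's identity". Since the keytab is what lets the server prove its identity, the paragraph should also state that krb5.keytab must be owned by root with mode 0600, which the transfer instructions in the following hunks assume but never say.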
@@ -1622,31 +1589,28 @@ Aug 27 15:37:58 Aug 28 01:37:58 krbtgt
public.Typically, the keytab is transferred
- to the server using &man.kadmin.8;.
- This is handy because the host principal, the
- KDC end of the
+ to the server using &man.kadmin.8;. This is handy because the
+ host principal, the KDC end of the
krb5.keytab, is also created using
&man.kadmin.8;.
- A ticket must already be obtained and
- this ticket must be allowed to use the
- &man.kadmin.8; interface in the
+ A ticket must already be obtained and this ticket must be
+ allowed to use the &man.kadmin.8; interface in the
kadmind.acl. See the section titled
Remote administration ininfo
heimdal for details on designing access control
- lists. Instead of enabling remote &man.kadmin.8;
- access, the administrator can
- securely connect to the KDC via the
- local console or &man.ssh.1;, and
- perform administration locally using
+ lists. Instead of enabling remote &man.kadmin.8; access, the
+ administrator can securely connect to the
+ KDC via the local console or &man.ssh.1;,
+ and perform administration locally using
kadmin -l.After installing /etc/krb5.conf,
use add --random-key from the
Kerberos server. This adds
the server's host principal. Then, use ext
- to extract the server's host
- principal to its own keytab. For example:
+ to extract the server's host principal to its own keytab. For
+ example:&prompt.root; kadmin
kadmin> add --random-key host/myserver.example.org
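Review bot: "A ticket must already be obtained" does not say for which principal; name the administrative principal created during database initialization, since that is the one kadmind.acl has to authorize. The remote versus local administration choice would also read better as a recommendation: prefer kadmin -l on the console or over &man.ssh.1; unless remote &man.kadmin.8; access is genuinely needed, because every principal listed in kadmind.acl is a realm-wide administrative credential.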
@@ -1659,8 +1623,8 @@ kadmin> exitNote that ext stores the extracted key
in /etc/krb5.keytab by default.
- If &man.kadmind.8; is not running on
- the KDC and there is no access to
+ If &man.kadmind.8; is not running on the
+ KDC and there is no access to
&man.kadmin.8; remotely, add the host principal
(host/myserver.EXAMPLE.ORG) directly on
the KDC and then extract it to a
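Review bot: the host principal is written as host/myserver.example.org in the add command above but host/myserver.EXAMPLE.ORG here; principal names are case sensitive, so use the same spelling in both places. The extraction to a keytab under /tmp (shown in the next hunk header) also needs a sentence: /tmp is world-accessible, so write the temporary keytab with a restrictive mode and remove it immediately after it has been copied.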
@@ -1673,18 +1637,16 @@ kadmin> ext --keytab=/tmp/exa
kadmin> exitThe keytab can then be securely copied to the server
- using &man.scp.1; or a removable media.
- Be sure to specify a non-default keytab name to
- avoid overwriting the keytab on the
+ using &man.scp.1; or a removable media. Be sure to specify a
+ non-default keytab name to avoid overwriting the keytab on the
KDC.At this point, the server can communicate with the
KDC using
krb5.conf and it can prove its
- own identity with krb5.keytab.
- It is now ready for the
- Kerberos services to be enabled.
- For this example, the &man.telnetd.8; service
+ own identity with krb5.keytab. It is now
+ ready for the Kerberos services to
+ be enabled. For this example, the &man.telnetd.8; service
is enabled in /etc/inetd.conf and
&man.inetd.8; has been restarted with service inetd
restart:
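Review bot: "a removable media" should be "removable media". The copy step should add that the temporary keytab on the KDC and on any intermediate media is deleted once the server has it, and that the file on the server is installed as root-only; otherwise the "securely copied" claim rests on the transport alone.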
@@ -1692,8 +1654,8 @@ kadmin> exittelnet stream tcp nowait root /usr/libexec/telnetd telnetd -a user
The critical change is that the
- authentication type is set to user. Refer to
- &man.telnetd.8; for more details.
+ authentication type is set to user. Refer to &man.telnetd.8;
+ for more details.
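Review bot: "The critical change is that the authentication type is set to user" does not explain why it is critical; say that -a user makes telnetd refuse sessions that do not present valid Kerberos credentials for the target account, so without it the daemon falls back to password login and the rest of the setup gains nothing.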
@@ -1710,16 +1672,15 @@ kadmin> exitKDC.
- Test the client by attempting to use
- &man.kinit.1;, &man.klist.1;, and
- &man.kdestroy.1; from the client to obtain, show,
- and then delete a ticket for the principal created
+ Test the client by attempting to use &man.kinit.1;,
+ &man.klist.1;, and &man.kdestroy.1; from the client to obtain,
+ show, and then delete a ticket for the principal created
above. Kerberos applications
- should also be able to connect
- to Kerberos enabled servers.
- If that does not work but obtaining a ticket does, the
- problem is likely with the server and not with the client or
- the KDC.
+ should also be able to connect to
+ Kerberos enabled servers. If that
+ does not work but obtaining a ticket does, the problem is
+ likely with the server and not with the client or the
+ KDC.When testing a Kerberized application, try using a packet
sniffer such as &man.tcpdump.1; to confirm that the password
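Review bot: the diagnostic reasoning ("If that does not work but obtaining a ticket does, the problem is likely with the server") should state what a successful &man.kinit.1; has proved, namely that the client configuration and the KDC work, which is why a subsequent service failure points at the server's keytab or host principal. The tcpdump check is a good addition; say which traffic to look at (the application connection, not the KDC exchange) so the reader knows what "confirm that the password" is testing.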
@@ -1727,16 +1688,14 @@ kadmin> exitVarious non-core Kerberos
client applications are available. The minimal
- installation in &os; installs &man.telnetd.8; as the
- only Kerberos enabled
- service.
+ installation in &os; installs &man.telnetd.8; as the only
+ Kerberos enabled service.
The Heimdal port installs
- Kerberos enabled
- versions of &man.ftpd.8;, &man.rshd.8;,
- &man.rcp.1;, &man.rlogind.8;, and a few
- other less common programs. The MIT port
- also contains a full suite of
+ Kerberos enabled versions of
+ &man.ftpd.8;, &man.rshd.8;, &man.rcp.1;, &man.rlogind.8;, and
+ a few other less common programs. The MIT
+ port also contains a full suite of
Kerberos client
applications.
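Review bot: "The Heimdal port" and "The MIT port" should name the ports the earlier paragraph introduced (security/heimdal and security/krb5) so the reader does not have to map the names back. Listing Kerberos-enabled &man.rshd.8;, &man.rcp.1; and &man.rlogind.8; without comment also invites use of those legacy services; a sentence noting that they are provided for compatibility and that &man.ssh.1; with Kerberos support, recommended earlier in this chapter, is the preferred path would keep the section consistent.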
@@ -1755,29 +1714,28 @@ kadmin> exitUsers within a realm typically have their
Kerberos principal mapped to a
- local user account. Occasionally, one needs to grant
- access to a
- local user account to someone who does not have a matching
- Kerberos principal. For example,
- tillman@EXAMPLE.ORG may need access to
- the local user account webdevelopers.
- Other principals may also need access to that local
- account.
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***