Date: Fri, 21 Mar 2014 19:53:56 +0000 (UTC)
From: Dru Lavigne <dru@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r44322 - head/en_US.ISO8859-1/books/handbook/security
Message-ID: <201403211953.s2LJruLM080204@svn.freebsd.org>
Author: dru Date: Fri Mar 21 19:53:55 2014 New Revision: 44322 URL: http://svnweb.freebsd.org/changeset/doc/44322 Log: Initial prep work for OpenSSH chapter. Divide sections into client stuff and server stuff. Still needs an editorial review and the last 2 hanging sub-sections need to be incorporated. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Mar 21 19:42:49 2014 (r44321) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Mar 21 19:53:55 2014 (r44322) 
@@ -2514,42 +2514,15 @@ racoon_enable="yes"</programlisting> compatible with both <acronym>SSH</acronym> version 1 and 2 protocols.</para> - <sect2> - <title>Advantages of Using - <application>OpenSSH</application></title> - <para>When data is sent over the network in an unencrypted form, network sniffers anywhere in between the client and server can steal user/password information or data transferred during the session. <application>OpenSSH</application> offers a variety of authentication and encryption methods to prevent this from happening.</para> - </sect2> <sect2> - <title>Enabling the SSH Server</title> - - <indexterm> - <primary>OpenSSH</primary> - <secondary>enabling</secondary> - </indexterm> - - <para>To see if &man.sshd.8; is enabled, check - <filename>/etc/rc.conf</filename> for this line:</para> - - <programlisting>sshd_enable="YES"</programlisting> - - <para>This will start &man.sshd.8;, the daemon program for - <application>OpenSSH</application>, the next time the system - initializes. Alternatively, it is possible to use - &man.service.8; to start <application>OpenSSH</application> - now:</para> - - <screen>&prompt.root; <userinput>service sshd start</userinput></screen> - </sect2> - - <sect2> - <title>The SSH Client</title> + <title>Using the SSH Client Utilities</title> <indexterm> <primary>OpenSSH</primary> @@ -2584,10 +2557,6 @@ user@example.com's password: <userinput> 1 or version 2, respectively. The version 1 compatibility is maintained in the client for backwards compatibility with older versions.</para> - </sect2> - - <sect2> - <title>Secure Copy</title> <indexterm> <primary>OpenSSH</primary> 
@@ -2617,28 +2586,9 @@ COPYRIGHT 100% |************* <acronym>SSH</acronym>, connection, one or more of the file arguments takes the form <option>user@host:<path_to_remote_file></option>.</para> - </sect2> - - <sect2> - <title>Configuration</title> - - <indexterm> - <primary>OpenSSH</primary> - <secondary>configuration</secondary> - </indexterm> - - <para>The system-wide configuration files for both the - <application>OpenSSH</application> daemon and client reside - in <filename>/etc/ssh</filename>.</para> - - <para><filename>ssh_config</filename> configures the client - settings, while <filename>sshd_config</filename> configures - the daemon. Each file has its own manual page which describes - the available configuration options.</para> - </sect2> - <sect2 xml:id="security-ssh-keygen"> - <title>&man.ssh-keygen.1;</title> + <sect3 xml:id="security-ssh-keygen"> + <title>Key-based Authentication</title> <para>Instead of using passwords, &man.ssh-keygen.1; can be used to generate <acronym>DSA</acronym> or <acronym>RSA</acronym> 
@@ -2690,23 +2640,15 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8 that host <acronym>IP</acronym>.</para> </warning> - <para>If a passphrase is used in &man.ssh-keygen.1;, the user - will be prompted for the passphrase each time in order to use - the private key. &man.ssh-agent.1; can alleviate the strain - of repeatedly entering long passphrases, and is explored in - <xref linkend="security-ssh-agent"/>.</para> - <warning> <para>The various options and files can be different according to the <application>OpenSSH</application> version. To avoid problems, consult &man.ssh-keygen.1;.</para> </warning> - </sect2> - - <sect2 xml:id="security-ssh-agent"> - <title>Using SSH Agent to Cache Keys</title> - <para>To load <acronym>SSH</acronym> keys into memory for use, + <para>If a passphrase is used in &man.ssh-keygen.1;, the user + will be prompted for the passphrase each time in order to use + the private key. To load <acronym>SSH</acronym> keys into memory for use, without needing to type the passphrase each time, use &man.ssh-agent.1; and &man.ssh-add.1;.</para> @@ -2745,9 +2687,9 @@ Identity added: /home/user/.ssh/id_dsa ( <application>&xorg;</application> has been restarted so that the changes can take effect, run &man.ssh-add.1; to load all of the <acronym>SSH</acronym> keys.</para> - </sect2> + </sect3> - <sect2 xml:id="security-ssh-tunneling"> + <sect3 xml:id="security-ssh-tunneling"> <title><acronym>SSH</acronym> Tunneling</title> <indexterm> @@ -2850,11 +2792,7 @@ Escape character is '^]'. run as a separate user.</para> </example> - <sect3> - <title>Practical <acronym>SSH</acronym> Tunneling - Examples</title> - - <sect4> + <example> <title>Secure Access of a POP3 Server</title> <para>In this example, there is an <acronym>SSH</acronym> 
@@ -2873,9 +2811,9 @@ user@ssh-server.example.com's password: <systemitem>localhost</systemitem> on port 2110. This connection will be forwarded securely across the tunnel to <systemitem>mail.example.com</systemitem>.</para> - </sect4> + </example> - <sect4> + <example> <title>Bypassing a Draconian Firewall</title> <para>Some network administrators impose firewall rules @@ -2897,12 +2835,30 @@ user@unfirewalled-system.example.org's p 8888, which will be forwarded over to <systemitem>music.example.com</systemitem> on port 8000, successfully bypassing the firewall.</para> - </sect4> + </example> </sect3> </sect2> <sect2> - <title>The <varname>AllowUsers</varname> Option</title> + <title>Enabling the SSH Server</title> + + <indexterm> + <primary>OpenSSH</primary> + <secondary>enabling</secondary> + </indexterm> + + <para>To see if &man.sshd.8; is enabled, check + <filename>/etc/rc.conf</filename> for this line:</para> + + <programlisting>sshd_enable="YES"</programlisting> + + <para>This will start &man.sshd.8;, the daemon program for + <application>OpenSSH</application>, the next time the system + initializes. Alternatively, it is possible to use + &man.service.8; to start <application>OpenSSH</application> + now:</para> + + <screen>&prompt.root; <userinput>service sshd start</userinput></screen> <para>It is often a good idea to limit which users can log in and from where using <literal>AllowUsers</literal>. For 
@@ -2936,6 +2892,24 @@ user@unfirewalled-system.example.org's p </sect2> <sect2> + <title>Configuration</title> + + <indexterm> + <primary>OpenSSH</primary> + <secondary>configuration</secondary> + </indexterm> + + <para>The system-wide configuration files for both the + <application>OpenSSH</application> daemon and client reside + in <filename>/etc/ssh</filename>.</para> + + <para><filename>ssh_config</filename> configures the client + settings, while <filename>sshd_config</filename> configures + the daemon. Each file has its own manual page which describes + the available configuration options.</para> + </sect2> + + <sect2> <title>Further Reading</title> <para>The <link
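Review bot: the first hunk (@@ -2514) deletes the "Advantages of Using OpenSSH" sect2 outright, and its one substantive point, that an unencrypted session lets a sniffer anywhere between client and server capture credentials and session data, is not re-added anywhere in this diff. Suggest folding that sentence into the chapter's introductory <para> (the one ending "compatible with both <acronym>SSH</acronym> version 1 and 2 protocols.") so the motivation for using SSH survives the restructuring.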
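Review bot: the third hunk (@@ -2690) removes `<sect2 xml:id="security-ssh-agent">` together with the `<xref linkend="security-ssh-agent"/>` in this chapter that pointed at it, but only that one xref is visible here. Any other `<xref linkend="security-ssh-agent"/>` elsewhere in the handbook will now fail the build; grep the book for that linkend before committing, or give the merged ssh-agent paragraph an anchor with the old id so existing links keep resolving.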
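Review bot: in the fifth hunk (@@ -2897) the AllowUsers paragraph ("It is often a good idea to limit which users can log in and from where using <literal>AllowUsers</literal>.") now follows the `service sshd start` <screen> directly under the new "Enabling the SSH Server" title, with no transition and with its former title gone. Suggest either a lead sentence introducing sshd_config before that paragraph, or keeping AllowUsers as a <sect3> under the server section, since restricting logins is a hardening step rather than part of enabling the daemon.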
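Review bot: the last hunk (@@ -2936) places the relocated "Configuration" sect2, which introduces /etc/ssh, ssh_config and sshd_config, after the server section that already relies on the sshd_config option AllowUsers. Consider moving it ahead of "Enabling the SSH Server" so sshd_config is introduced before the text tells the reader to edit it; and since the same two paragraphs also describe ssh_config, the client half belongs in "Using the SSH Client Utilities" rather than in the server part of the chapter.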