From owner-svn-doc-head@FreeBSD.ORG  Fri Mar 21 19:53:56 2014
Return-Path: <owner-svn-doc-head@FreeBSD.ORG>
Delivered-To: svn-doc-head@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org
 [IPv6:2001:1900:2254:206a::19:1])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id 9BF6287C;
 Fri, 21 Mar 2014 19:53:56 +0000 (UTC)
Received: from svn.freebsd.org (svn.freebsd.org
 [IPv6:2001:1900:2254:2068::e6a:0])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.freebsd.org (Postfix) with ESMTPS id 7C637B27;
 Fri, 21 Mar 2014 19:53:56 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70])
 by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s2LJruA0080205;
 Fri, 21 Mar 2014 19:53:56 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost)
 by svn.freebsd.org (8.14.8/8.14.8/Submit) id s2LJruLM080204;
 Fri, 21 Mar 2014 19:53:56 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201403211953.s2LJruLM080204@svn.freebsd.org>
From: Dru Lavigne <dru@FreeBSD.org>
Date: Fri, 21 Mar 2014 19:53:56 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org,
 svn-doc-head@freebsd.org
Subject: svn commit: r44322 - head/en_US.ISO8859-1/books/handbook/security
X-SVN-Group: doc-head
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-head@freebsd.org
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: SVN commit messages for the doc tree for head
 <svn-doc-head.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/svn-doc-head>,
 <mailto:svn-doc-head-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/svn-doc-head/>
List-Post: <mailto:svn-doc-head@freebsd.org>
List-Help: <mailto:svn-doc-head-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/svn-doc-head>,
 <mailto:svn-doc-head-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 21 Mar 2014 19:53:56 -0000

Author: dru
Date: Fri Mar 21 19:53:55 2014
New Revision: 44322
URL: http://svnweb.freebsd.org/changeset/doc/44322

Log:
  Initial prep work for OpenSSH chapter.
  Divide sections into client stuff and server stuff.
  Still needs an editorial review and the last 2 hanging sub-sections
  need to be incorporated.
  
  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri Mar 21 19:42:49 2014	(r44321)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri Mar 21 19:53:55 2014	(r44322)
@@ -2514,42 +2514,15 @@ racoon_enable="yes"</programlisting>
       compatible with both <acronym>SSH</acronym> version 1 and 2
       protocols.</para>
 
-    <sect2>
-      <title>Advantages of Using
-	<application>OpenSSH</application></title>
-
       <para>When data is sent over the network in an unencrypted form,
 	network sniffers anywhere in between the client and server
 	can steal user/password information or data transferred
 	during the session.  <application>OpenSSH</application> offers
 	a variety of authentication and encryption methods to prevent
 	this from happening.</para>
-    </sect2>
 
     <sect2>
-      <title>Enabling the SSH Server</title>
-
-      <indexterm>
-	<primary>OpenSSH</primary>
-	<secondary>enabling</secondary>
-      </indexterm>
-
-      <para>To see if &man.sshd.8; is enabled, check
-	<filename>/etc/rc.conf</filename> for this line:</para>
-
-      <programlisting>sshd_enable="YES"</programlisting>
-
-      <para>This will start &man.sshd.8;, the daemon program for
-	<application>OpenSSH</application>, the next time the system
-	initializes.  Alternatively, it is possible to use
-	&man.service.8; to start <application>OpenSSH</application>
-	now:</para>
-
-      <screen>&prompt.root; <userinput>service sshd start</userinput></screen>
-    </sect2>
-
-    <sect2>
-      <title>The SSH Client</title>
+      <title>Using the SSH Client Utilities</title>
 
       <indexterm>
 	<primary>OpenSSH</primary>
@@ -2584,10 +2557,6 @@ user@example.com's password: <userinput>
 	1 or version 2, respectively.  The version 1 compatibility is
 	maintained in the client for backwards compatibility with
 	older versions.</para>
-    </sect2>
-
-    <sect2>
-      <title>Secure Copy</title>
 
       <indexterm>
 	<primary>OpenSSH</primary>
@@ -2617,28 +2586,9 @@ COPYRIGHT            100% |*************
 	<acronym>SSH</acronym>, connection, one or more of the file
 	arguments takes the form
 	<option>user@host:&lt;path_to_remote_file&gt;</option>.</para>
-    </sect2>
-
-    <sect2>
-      <title>Configuration</title>
-
-      <indexterm>
-	<primary>OpenSSH</primary>
-	<secondary>configuration</secondary>
-      </indexterm>
-
-      <para>The system-wide configuration files for both the
-	<application>OpenSSH</application> daemon and client reside
-	in <filename>/etc/ssh</filename>.</para>
-
-      <para><filename>ssh_config</filename> configures the client
-	settings, while <filename>sshd_config</filename> configures
-	the daemon.  Each file has its own manual page which describes
-	the available configuration options.</para>
-    </sect2>
 
-    <sect2 xml:id="security-ssh-keygen">
-      <title>&man.ssh-keygen.1;</title>
+    <sect3 xml:id="security-ssh-keygen">
+      <title>Key-based Authentication</title>
 
       <para>Instead of using passwords, &man.ssh-keygen.1; can be used
 	to generate <acronym>DSA</acronym> or <acronym>RSA</acronym>
@@ -2690,23 +2640,15 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8
 	  that host <acronym>IP</acronym>.</para>
       </warning>
 
-      <para>If a passphrase is used in &man.ssh-keygen.1;, the user
-	will be prompted for the passphrase each time in order to use
-	the private key.  &man.ssh-agent.1; can alleviate the strain
-	of repeatedly entering long passphrases, and is explored in
-	<xref linkend="security-ssh-agent"/>.</para>
-
       <warning>
 	<para>The various options and files can be different according
 	  to the <application>OpenSSH</application> version.  To avoid
 	  problems, consult &man.ssh-keygen.1;.</para>
       </warning>
-    </sect2>
-
-    <sect2 xml:id="security-ssh-agent">
-      <title>Using SSH Agent to Cache Keys</title>
 
-      <para>To load <acronym>SSH</acronym> keys into memory for use,
+      <para>If a passphrase is used in &man.ssh-keygen.1;, the user
+	will be prompted for the passphrase each time in order to use
+	the private key.  To load <acronym>SSH</acronym> keys into memory for use,
 	without needing to type the passphrase each time, use
 	&man.ssh-agent.1; and &man.ssh-add.1;.</para>
 
@@ -2745,9 +2687,9 @@ Identity added: /home/user/.ssh/id_dsa (
 	<application>&xorg;</application> has been restarted so that
 	the changes can take effect, run &man.ssh-add.1; to load all
 	of the <acronym>SSH</acronym> keys.</para>
-    </sect2>
+    </sect3>
 
-    <sect2 xml:id="security-ssh-tunneling">
+    <sect3 xml:id="security-ssh-tunneling">
       <title><acronym>SSH</acronym> Tunneling</title>
 
       <indexterm>
@@ -2850,11 +2792,7 @@ Escape character is '^]'.
 	  run as a separate user.</para>
       </example>
 
-      <sect3>
-	<title>Practical <acronym>SSH</acronym> Tunneling
-	  Examples</title>
-
-	<sect4>
+      <example>
 	  <title>Secure Access of a POP3 Server</title>
 
 	  <para>In this example, there is an <acronym>SSH</acronym>
@@ -2873,9 +2811,9 @@ user@ssh-server.example.com's password: 
 	    <systemitem>localhost</systemitem> on port 2110.  This
 	    connection will be forwarded securely across the tunnel to
 	    <systemitem>mail.example.com</systemitem>.</para>
-	</sect4>
+	</example>
 
-	<sect4>
+	<example>
 	  <title>Bypassing a Draconian Firewall</title>
 
 	  <para>Some network administrators impose firewall rules
@@ -2897,12 +2835,30 @@ user@unfirewalled-system.example.org's p
 	    8888, which will be forwarded over to
 	    <systemitem>music.example.com</systemitem> on port 8000,
 	    successfully bypassing the firewall.</para>
-	</sect4>
+	</example>
       </sect3>
     </sect2>
 
     <sect2>
-      <title>The <varname>AllowUsers</varname> Option</title>
+      <title>Enabling the SSH Server</title>
+
+      <indexterm>
+	<primary>OpenSSH</primary>
+	<secondary>enabling</secondary>
+      </indexterm>
+
+      <para>To see if &man.sshd.8; is enabled, check
+	<filename>/etc/rc.conf</filename> for this line:</para>
+
+      <programlisting>sshd_enable="YES"</programlisting>
+
+      <para>This will start &man.sshd.8;, the daemon program for
+	<application>OpenSSH</application>, the next time the system
+	initializes.  Alternatively, it is possible to use
+	&man.service.8; to start <application>OpenSSH</application>
+	now:</para>
+
+      <screen>&prompt.root; <userinput>service sshd start</userinput></screen>
 
       <para>It is often a good idea to limit which users can log in
 	and from where using <literal>AllowUsers</literal>.  For
@@ -2936,6 +2892,24 @@ user@unfirewalled-system.example.org's p
     </sect2>
 
     <sect2>
+      <title>Configuration</title>
+
+      <indexterm>
+	<primary>OpenSSH</primary>
+	<secondary>configuration</secondary>
+      </indexterm>
+
+      <para>The system-wide configuration files for both the
+	<application>OpenSSH</application> daemon and client reside
+	in <filename>/etc/ssh</filename>.</para>
+
+      <para><filename>ssh_config</filename> configures the client
+	settings, while <filename>sshd_config</filename> configures
+	the daemon.  Each file has its own manual page which describes
+	the available configuration options.</para>
+    </sect2>
+
+    <sect2>
       <title>Further Reading</title>
 
       <para>The <link