From owner-svn-doc-all@FreeBSD.ORG Fri Mar 21 19:07:01 2014 Return-Path: Delivered-To: svn-doc-all@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by hub.freebsd.org (Postfix) with ESMTPS id 5B18AAD4; Fri, 21 Mar 2014 19:07:01 +0000 (UTC) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx1.freebsd.org (Postfix) with ESMTPS id 462193A0; Fri, 21 Mar 2014 19:07:01 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.8/8.14.8) with ESMTP id s2LJ71fA060127; Fri, 21 Mar 2014 19:07:01 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.8/8.14.8/Submit) id s2LJ71Qh060125; Fri, 21 Mar 2014 19:07:01 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201403211907.s2LJ71Qh060125@svn.freebsd.org> 
From: Dru Lavigne Date: Fri, 21 Mar 2014 19:07:01 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org Subject: svn commit: r44320 - head/en_US.ISO8859-1/books/handbook/security X-SVN-Group: doc-head MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-all@freebsd.org X-Mailman-Version: 2.1.17 Precedence: list List-Id: "SVN commit messages for the entire doc trees \(except for " user" , " projects" , and " translations" \)" List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 21 Mar 2014 19:07:01 -0000 Author: dru Date: Fri Mar 21 19:07:00 2014 New Revision: 44320 URL: http://svnweb.freebsd.org/changeset/doc/44320 Log: White space fix only. Translators can ignore. Sponsored by: iXsystems Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Mar 21 18:39:06 2014 (r44319) +++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri Mar 21 19:07:00 2014 (r44320) @@ -5,7 +5,9 @@ $FreeBSD$ --> - Security + + Security + @@ -17,8 +19,6 @@ - - security @@ -123,9 +123,9 @@ The CIA triad is a bedrock concept of computer security, customers and end users expect privacy of their data. They expect orders they place to not be changed - or their information altered behind the scenes. They also expect - access to information at all times. Together they make up the - confidentiality, integrity, and availability of the + or their information altered behind the scenes. They also + expect access to information at all times. Together they make + up the confidentiality, integrity, and availability of the system. To protect CIA, security professionals 
@@ -143,21 +143,22 @@ What is a threat as pertaining to computer security? For years it was assumed that threats are remote attackers, people - whom will attempt to access the system without permission, from - a remote location. In today's world, this definition has been - expanded to include employees, malicious software, rogue + whom will attempt to access the system without permission, + from a remote location. In today's world, this definition has + been expanded to include employees, malicious software, rogue network devices, natural disasters, security vulnerabilities, and even competing corporations. - Every day thousands of systems and networks are attacked and - several hundred are accessed without permission. Sometimes - by simple accident, others by remote attackers, and in some - cases, corporate espionage or former employees. As a system - user, it is important to prepare for and admit when a mistake - has lead to a security breach and report possible issues to - the security team. As an administrator, it is important to - know of the threats and be prepared to mitigate them. - + Every day thousands of systems and networks are attacked + and several hundred are accessed without permission. + Sometimes by simple accident, others by remote attackers, and + in some cases, corporate espionage or former employees. As a + system user, it is important to prepare for and admit when a + mistake has lead to a security breach and report possible + issues to the security team. As an administrator, it is + important to know of the threats and be prepared to mitigate + them. + A Ground Up Approach 
@@ -169,14 +170,14 @@ is in these latter configuration aspects that system policy and procedures should take place. - Many places of business already have a security policy that - covers the configuration technology devices in use. They + Many places of business already have a security policy + that covers the configuration technology devices in use. They should contain, at minimal, the security configuration of end user workstations and desktops, mobile devices such as phones and laptops, and both production and development servers. In - many cases, when applying computer security, standard operating - procedures (SOPs) already exist. When in - doubt, ask the security team. + many cases, when applying computer security, standard + operating procedures (SOPs) already exist. + When in doubt, ask the security team. @@ -199,7 +200,7 @@ This command will change the account from this toor:*:0:0::0:0:Bourne-again Superuser:/root: to toor:*LOCKED**:0:0::0:0:Bourne-again - Superuser:/root: + Superuser:/root: In some cases, this is not possible, perhaps because of an additional service. In those cases, login access @@ -209,7 +210,7 @@ &prompt.root; chsh -s /usr/sbin/nologin toor - Only super users are able to change the shell for + Only super users are able to change the shell for other users. Attempting to perform this as a regular user will fail. 
@@ -219,37 +220,37 @@ toor:*:0:0::0:0:Bourne-again Superuser:/root:/usr/sbin/nologin - The /usr/sbin/nologin shell will block - the &man.login.1; command from assigning a shell to this + The /usr/sbin/nologin shell will + block the &man.login.1; command from assigning a shell to this user. - + Permitted Account Escalation - In some cases, system administration access needs to - be shared with other users. &os; has two methods to - handle this. The first one, which is not recommended, - is a shared root password and adding users to the - wheel group. - To achieve this, edit the /etc/group - and add the user to the end of the first group. This - user must be separated by a comma character. + In some cases, system administration access needs to be + shared with other users. &os; has two methods to handle this. + The first one, which is not recommended, is a shared root + password and adding users to the wheel group. To achieve + this, edit the /etc/group and add the + user to the end of the first group. This user must be + separated by a comma character. The correct way to permit this privilege escalation is using the security/sudo port which will - provide additional auditing, more fine grained user - control, and even lock users into running only single, - privileged commands such as &man.service.8; + provide additional auditing, more fine grained user control, + and even lock users into running only single, privileged + commands such as &man.service.8; After installation, edit the /usr/local/etc/sudoers file by using the visudo interface. In this example, - a new webadmin group will be added, the user - trhodes to that - group, and then give the user - access to restart apache24, the following - procedure may be followed: + a new webadmin group will be added, the user trhodes to that group, and + then give the user access to restart + apache24, the following procedure may be + followed: &prompt.root; pw groupadd webadmin -M trhodes -g 6000 
@@ -268,10 +269,10 @@ Passwords - Passwords are a necessary evil of technology. In the cases - they must be used, not only should the password be extremely - complex, but also use a powerful hash mechanism to protect it. - At the time of this writing, &os; supports + Passwords are a necessary evil of technology. In the + cases they must be used, not only should the password be + extremely complex, but also use a powerful hash mechanism to + protect it. At the time of this writing, &os; supports DES, MD5, Blowfish, SHA256, and SHA512 in the crypt() library. The default is @@ -288,8 +289,8 @@ At the time of this writing, Blowfish is not part of - AES nor is it considered compliant - with any FIPS (Federal Information + AES nor is it considered compliant with + any FIPS (Federal Information Processing Standards) standard and its use may not be permitted in some environments. @@ -307,7 +308,7 @@ their network. - Password Policy and Enforcement + Password Policy and Enforcement Enforcing a strong password policy for local accounts is a fundamental aspect of local system security and policy. @@ -328,8 +329,8 @@ password requisite pam_passwdqc.so min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users - There is already a commented out line for this module and - it may be altered to the version above. This statement + There is already a commented out line for this module + and it may be altered to the version above. This statement basically sets several requirements. First, a minimal password length is disabled, allowing for a password of any length. Using only two character classes are disabled, @@ -346,7 +347,7 @@ particular to understand what character classes are. After this change is made and the file saved, any user - changing their password will see a message similar to the + changing their password will see a message similar to the following. This message might also clear up some confusion about the configuration. 
@@ -371,13 +372,14 @@ Enter new password: again In most password policies, a password aging requirement - is normally set. This means that a every password must expire - after so many days after it has been set. To set a password - age time in &os;, set the in + is normally set. This means that a every password must + expire after so many days after it has been set. To set a + password age time in &os;, set the + in /etc/login.conf. Most users when added to the system just fall into the - default group which is where this variable could be added and - the database rebuilt using: + default group which is where this variable could be added + and the database rebuilt using: &prompt.root; cap_mkdb /etc/login.conf @@ -386,8 +388,9 @@ Enter new password: &prompt.root; pw usermod -p 30-apr-2014 -n trhodes - As seen here, an expiration date is set in the form of day, - month, year. For more information, see &man.pw.8; + As seen here, an expiration date is set in the form of + day, month, year. For more information, see + &man.pw.8; @@ -419,8 +422,8 @@ Enter new password: After the process complete, which will require some manual pressing of the ENTER key, a status message will be printed to the screen. This message will include the - amount of files checked, suspect files, possible rootkits, - and more. During the check, some generic security warnings may + amount of files checked, suspect files, possible rootkits, and + more. During the check, some generic security warnings may be produced about hidden files, the OpenSSH protocol selection, and occasionally known vulnerable versions of installed software. 
@@ -450,24 +453,24 @@ Enter new password: Detection System or IDS. &os; provides native support for a basic - IDS system. In fact, as part of the nightly - &man.periodic.8; security emails will notify an administrator - of changes. Since the information is stored locally, there is - a change a malicious user could modify and spoof - the information. As such, it is recommended to create a - separate set of binary signatures and store them on a read - only, root owned directory or, preferably, off system such - as a USB disk or - rsync server. + IDS system. In fact, as part of the + nightly &man.periodic.8; security emails will notify an + administrator of changes. Since the information is stored + locally, there is a change a malicious user could modify and + spoof the information. As such, it is + recommended to create a separate set of binary signatures and + store them on a read only, root owned directory or, + preferably, off system such as a USB disk + or rsync server. To being, a seed needs to be generated. This is a numeric constant that will be used as to help generate the hash values - and to check the hash values. Lacking this seed value will make - faking or checking the checksum values of files difficult it not - impossible. In the following example, the key will be passed - with the flag. First, generate a set of - hashes and checksums for /bin using the - following command: + and to check the hash values. Lacking this seed value will + make faking or checking the checksum values of files difficult + it not impossible. In the following example, the key will be + passed with the flag. First, generate a + set of hashes and checksums for /bin + using the following command: &prompt.root; mtree -s 3483151339707503 -c -K cksum,sha256digest -p /bin > bin_chksum_mtree 
@@ -513,20 +516,24 @@ Enter new password: This should produce the same checksum for /bin that was produced when the command - was originally ran. Since no changes occurred in the time these - commands were ran, the bin_chksum_output - output will be empty. To simulate a change, change the date - on the /bin/cat file using - &man.touch.1; and run the verification command again: + was originally ran. Since no changes occurred in the time + these commands were ran, the + bin_chksum_output output will be empty. + To simulate a change, change the date on the + /bin/cat file using &man.touch.1; and run + the verification command again: &prompt.root; touch /bin/cat + &prompt.root; mtree -s 3483151339707503 -p /bin < bin_chksum_mtree >> bin_chksum_output + &prompt.root; cat bin_chksum_output + cat changed modification time expected Fri Sep 27 06:32:55 2013 found Mon Feb 3 10:28:43 2014 - More advanced IDS systems exist, such as - security/aide but in most cases, + More advanced IDS systems exist, such + as security/aide but in most cases, &man.mtree.8; provides the functionality administrators need. It is important to keep the seed value and the checksum output hidden from malicious users. @@ -541,9 +548,9 @@ Enter new password: (DOS) style attacks. Some of the more important will be covered here. Any time a setting is changed with &man.sysctl.8;, the chance to cause undesired harm is - increased affecting the availability of the system. Considering - the CIA of the system should be done during - any system-wide configuration change. + increased affecting the availability of the system. + Considering the CIA of the system should be + done during any system-wide configuration change. The following is a list of &man.sysctl.8;'s and a short description of what effects the changes will have on the 
@@ -574,11 +581,11 @@ Enter new password: ports will be dropped with no return RST response. The normal behavior is to return an RST to show a port is closed. These will - provide some level of protection against stealth - scans against a system. Set the net.inet.tcp.blackhole to - 2 and the net.inet.udp.blackhole to - 1 and review the information in &man.blackhole.4; - for more information. + provide some level of protection against + stealth scans against a system. Set the + net.inet.tcp.blackhole to 2 and the + net.inet.udp.blackhole to 1 and review the + information in &man.blackhole.4; for more information. Additionally the net.inet.icmp.drop_redirect and net.inet.ip.redirect should be set as well. These two @@ -607,7 +614,7 @@ Enter new password: Some additional &man.sysctl.8;s are documented in &man.security.7; and it is recommended it be consulted for additional information. - + 
@@ -630,28 +637,25 @@ Enter new password: implementation uses the MD5 hash by default. - OPIE uses three different types of passwords. The first is - the usual &unix; or Kerberos password. The second is the - one-time password which is generated by opiekey. - The third - type of password is the secret password which is used - to generate + OPIE uses three different types of + passwords. The first is the usual &unix; or Kerberos password. + The second is the one-time password which is generated by + opiekey. The third type of password is the + secret password which is used to generate one-time passwords. The secret password has nothing to do with, - and should be different from, the &unix; - password. + and should be different from, the &unix; password. - There are two other pieces of data - that are important to OPIE. One is the - seed or key, consisting of two - letters and five digits. The other is the iteration - count, a number between 1 and 100. - OPIE creates the one-time password by - concatenating the seed and the secret password, applying the MD5 - hash as many times as specified by the iteration count, and - turning the result into six short English words which represent - the one-time password. The authentication - system keeps track of the last one-time password - used, and the user is authenticated if the hash of the + There are two other pieces of data that are important to + OPIE. One is the seed or + key, consisting of two letters and five digits. + The other is the iteration count, a number + between 1 and 100. OPIE creates the one-time + password by concatenating the seed and the secret password, + applying the MD5 hash as many times as + specified by the iteration count, and turning the result into + six short English words which represent the one-time password. + The authentication system keeps track of the last one-time + password used, and the user is authenticated if the hash of the user-provided password is equal to the previous password. 
Because a one-way hash is used, it is impossible to generate future one-time passwords if a successfully used password is @@ -660,26 +664,23 @@ Enter new password: When the iteration count gets down to 1, OPIE must be reinitialized. - There are a few programs involved in this process. - A one-time password, or a consecutive - list of one-time passwords, is generated by passing an iteration - count, a seed, and a secret + There are a few programs involved in this process. A + one-time password, or a consecutive list of one-time passwords, + is generated by passing an iteration count, a seed, and a secret password to &man.opiekey.1;. In addition to initializing OPIE, &man.opiepasswd.1; is used to change - passwords, iteration counts, or seeds. The relevant credential files in - /etc/opiekeys are examined by + passwords, iteration counts, or seeds. The relevant credential + files in /etc/opiekeys are examined by &man.opieinfo.1; which prints out the invoking user's current iteration count and seed. - This section describes four different sorts of operations. The first is - how to set up - one-time-passwords for the first time - over a secure connection. The second is how to use opiepasswd over - an insecure connection. The third is how to - log in over an insecure connection. The - fourth is how to generate a number of keys - which can be written down or printed out to use at insecure - locations. + This section describes four different sorts of operations. + The first is how to set up one-time-passwords for the first time + over a secure connection. The second is how to use + opiepasswd over an insecure connection. The + third is how to log in over an insecure connection. The fourth + is how to generate a number of keys which can be written down or + printed out to use at insecure locations. Initializing <acronym>OPIE</acronym> 
@@ -706,36 +707,34 @@ MOS MALL GOAT ARM AVID COED SSH session to a computer under the user's control. - When prompted, enter the secret - password which will be + When prompted, enter the secret password which will be used to generate the one-time login keys. This password should be difficult to guess and should be different than the - password which is associated with the user's login - account. It must be between 10 and 127 characters long. - Remember this password. - - The - ID line lists - the login name (unfurl), default iteration count + password which is associated with the user's login account. + It must be between 10 and 127 characters long. Remember this + password. + + The ID line lists the login name + (unfurl), default iteration count (499), and default seed - (to4268). When logging in, - the system will remember these parameters and display them, - meaning that they do not have to be memorized. The last line - lists the generated one-time password which corresponds to - those parameters and the secret password. At the next login, - use this one-time password. + (to4268). When logging in, the system will + remember these parameters and display them, meaning that they + do not have to be memorized. The last line lists the + generated one-time password which corresponds to those + parameters and the secret password. At the next login, use + this one-time password. Insecure Connection Initialization To initialize or change the secret password on an - insecure system, a secure connection is needed to some - place where opiekey can be run. This might be a shell - prompt on a trusted machine. An iteration count is needed, - where 100 is probably a good value, and the seed can either be - specified or the randomly-generated one used. On the insecure - connection, the machine being initialized, use + insecure system, a secure connection is needed to some place + where opiekey can be run. This might be a + shell prompt on a trusted machine. 
An iteration count is + needed, where 100 is probably a good value, and the seed can + either be specified or the randomly-generated one used. On + the insecure connection, the machine being initialized, use &man.opiepasswd.1;: &prompt.user; opiepasswd @@ -762,8 +761,8 @@ Reminder: Do not use opiekey from telnet Enter secret pass phrase: GAME GAG WELT OUT DOWN CHAT - Switch back over to the insecure connection, and copy - the generated one-time password over to the relevant + Switch back over to the insecure connection, and copy the + generated one-time password over to the relevant program. @@ -867,14 +866,15 @@ Enter secret pass phrase: < - TCP Wrappers + + TCP Wrappers + - TomRhodesWritten by + TomRhodesWritten + by - - TCP Wrappers TCP Wrappers extends the abilities of @@ -919,16 +919,16 @@ Enter secret pass phrase: < daemon is the daemon which &man.inetd.8; started, address is a valid hostname, IP address, or an IPv6 address enclosed in - brackets ([ ]), and action is - either allow or deny. + brackets ([ ]), and action is either + allow or deny. TCP Wrappers uses a first rule match semantic, meaning that the configuration file is scanned in ascending order for a matching rule. When a match is found, the rule is applied and the search process stops. For example, to allow POP3 connections - via the mail/qpopper - daemon, the following lines should be appended to + via the mail/qpopper daemon, the following + lines should be appended to hosts.allow: # This line is required for POP3 connections: @@ -1001,9 +1001,10 @@ ALL : .example.com \ /var/log/connections.log) \ : deny - This will deny all connection attempts from *.example.com and log the hostname, - IP address, and the daemon to which - access was attempted to + This will deny all connection attempts from *.example.com and log + the hostname, IP address, and the daemon + to which access was attempted to /var/log/connections.log. This example uses the substitution characters 
@@ -1048,17 +1049,19 @@ sendmail : PARANOID : deny - <application>Kerberos5</application> + + <application>Kerberos5</application> + - TillmanHodgsonContributed by + TillmanHodgsonContributed + by - MarkMurrayBased on a contribution by + MarkMurrayBased + on a contribution by - - Kerberos is a network add-on system/protocol that allows users to authenticate themselves through the services of a secure server. @@ -1089,7 +1092,8 @@ sendmail : PARANOID : deny The DNS domain (zone) - will be example.org. + will be example.org. @@ -1138,14 +1142,14 @@ sendmail : PARANOID : denyUS export regulations. The MIT Kerberos is - available as the security/krb5 package or port. - Heimdal Kerberos is another version - 5 implementation, and was explicitly developed outside of the - US to avoid export regulations. The + available as the security/krb5 package or + port. Heimdal Kerberos is another + version 5 implementation, and was explicitly developed outside + of the US to avoid export regulations. The Heimdal Kerberos distribution is - available as a the security/heimdal package or port, - and a minimal installation is included in the base &os; - install. + available as a the security/heimdal package + or port, and a minimal installation is included in the base + &os; install. These instructions assume the use of the Heimdal distribution included in &os;. @@ -1196,8 +1200,9 @@ kadmind5_server_enable="YES"This /etc/krb5.conf implies that the KDC will use the fully-qualified hostname - kerberos.example.org. Add a - CNAME (alias) entry to the zone file to accomplish this + kerberos.example.org. Add + a CNAME (alias) entry to the zone file to accomplish this if the KDC has a different hostname. @@ -1209,7 +1214,9 @@ kadmind5_server_enable="YES" With the following lines being appended to the - example.org zone file: + example.org zone + file: _kerberos._udp IN SRV 01 00 88 kerberos.example.org. _kerberos._tcp IN SRV 01 00 88 kerberos.example.org. 
@@ -1355,10 +1362,10 @@ kadmin> exitIf &man.kadmind.8; is not running on the KDC and there is no access to - &man.kadmin.8; remotely, add the host principal - (host/myserver.EXAMPLE.ORG) directly on - the KDC and then extract it to a - temporary file to avoid overwriting the + &man.kadmin.8; remotely, add the host principal (host/myserver.EXAMPLE.ORG) + directly on the KDC and then extract it to + a temporary file to avoid overwriting the /etc/krb5.keytab on the KDC, using something like this: @@ -1447,19 +1454,20 @@ kadmin> exitKerberos principal. For - example, tillman@EXAMPLE.ORG may need - access to the local user account - webdevelopers. Other principals may also - need access to that local account. + example, tillman@EXAMPLE.ORG may need + access to the local user account webdevelopers. Other + principals may also need access to that local account. The .k5login and .k5users files, placed in a user's home directory, can be used to solve this problem. For example, if .k5login with the following contents is - placed in the home directory of - webdevelopers, both principals listed - will have access to that account without requiring a shared - password.: + placed in the home directory of webdevelopers, both principals + listed will have access to that account without requiring a + shared password.: tillman@example.org jdoe@example.org @@ -1476,8 +1484,8 @@ jdoe@example.org When using either the Heimdal or MIT - KerberosKerberos5troubleshooting ports, ensure that - the PATH lists the + KerberosKerberos5troubleshooting + ports, ensure that the PATH lists the Kerberos versions of the client applications before the system versions. 
@@ -1496,11 +1504,12 @@ jdoe@example.org - If the hostname is changed, the - host/ principal must be changed and - the keytab updated. This also applies to special keytab - entries like the www/ principal - used for Apache's www/mod_auth_kerb. + If the hostname is changed, the host/ principal must be + changed and the keytab updated. This also applies to + special keytab entries like the www/ principal used for + Apache's www/mod_auth_kerb. @@ -1517,8 +1526,9 @@ jdoe@example.org Some operating systems that act as clients to the KDC do not set the permissions for - &man.ksu.1; to be setuid root. This - means that &man.ksu.1; does not work. This is not a + &man.ksu.1; to be setuid root. This means that + &man.ksu.1; does not work. This is not a KDC error. @@ -1528,10 +1538,10 @@ jdoe@example.org principal to have a ticket life longer than the default ten hours, use modify_principal at the &man.kadmin.8; prompt to change the maxlife of both the - principal in question and the - krbtgt principal. Then the - principal can use kinit -l to request a - ticket with a longer lifetime. + principal in question and the krbtgt principal. Then + the principal can use kinit -l to + request a ticket with a longer lifetime. 
@@ -1611,16 +1621,18 @@ jdoe@example.org The client applications may also use slightly different command line options to accomplish the same tasks. Following the instructions on the MIT - Kerberos web site is - recommended. Be careful of path issues: the - MIT port installs into /usr/local/ by default, and the + Kerberos web + site is recommended. Be careful of path issues: the + MIT port installs into + /usr/local/ by default, and the normal system applications run instead of MIT versions if PATH lists the system directories first. - With the &os; MIT security/krb5 port, be sure to - read + With the &os; MIT + security/krb5 port, be sure to read /usr/local/share/doc/krb5/README.FreeBSD installed by the port to understand why logins via &man.telnetd.8; and klogind behave @@ -1642,8 +1654,7 @@ kadmind5_server_enable="YES"This is done because the applications for MIT Kerberos installs binaries in the - /usr/local - hierarchy. + /usr/local hierarchy. @@ -1656,8 +1667,8 @@ kadmind5_server_enable="YES" - <application>Kerberos</application> is an - All or Nothing Approach + <application>Kerberos</application> is an All or + Nothing Approach Every service enabled on the network must be modified to work with Kerberos, or be @@ -1675,10 +1686,10 @@ kadmind5_server_enable="YES"In a multi-user environment, Kerberos is less secure. This is - because it stores the tickets in /tmp, which is readable by - all users. If a user is sharing a computer with other - users, it is possible that the user's tickets can be stolen - or copied by another user. + because it stores the tickets in /tmp, + which is readable by all users. If a user is sharing a + computer with other users, it is possible that the user's + tickets can be stolen or copied by another user. This can be overcome with the -c command-line option or, preferably, the 
@@ -1724,8 +1735,8 @@ kadmind5_server_enable="YES"KDC to the users, hosts or services. This means that a trojanned &man.kinit.1; could record all user names and passwords. Filesystem integrity checking - tools like security/tripwire can alleviate - this. + tools like security/tripwire can + alleviate this. @@ -1777,31 +1788,36 @@ kadmind5_server_enable="YES" - + The Kerberos FAQ - Designing + Designing an Authentication System: a Dialog in Four Scenes - RFC + RFC 1510, The Kerberos Network Authentication Service (V5) - MIT + MIT Kerberos home page - Heimdal + Heimdal Kerberos home page @@ -1810,14 +1826,15 @@ kadmind5_server_enable="YES" - OpenSSL + + OpenSSL + - TomRhodesWritten by + TomRhodesWritten + by - - security OpenSSL @@ -1833,15 +1850,14 @@ kadmind5_server_enable="YES"www/apache22, and - mail/claws-mail offer - compilation support for building with - OpenSSL. + mail/claws-mail offer compilation support for + building with OpenSSL. In most cases, the Ports Collection will attempt to build - the security/openssl - port unless WITH_OPENSSL_BASE is explicitly - set to yes. + the security/openssl port unless + WITH_OPENSSL_BASE is explicitly set to + yes. The version of OpenSSL included @@ -1865,7 +1881,8 @@ kadmind5_server_enable="YES"Certificate Authority (CA), a warning is produced. A - CA is a company, such as VeriSign, signs + CA is a company, such as VeriSign, signs certificates in order to validate the credentials of individuals or companies. This process has a cost associated with it and is not a requirement for using certificates; however, it can put @@ -1946,8 +1963,9 @@ An optional company name []:A certificate authority signature file, myca.key and the certificate itself, new.crt. These should be placed in a - directory, preferably under /etc, which is readable only by - root. Permissions of 0700 are + directory, preferably under /etc, which + is readable only by root. Permissions of 0700 are appropriate and can be set using &man.chmod.1;. 
@@ -2022,7 +2040,9 @@ Connection closed by foreign host. - <acronym>VPN</acronym> over IPsec + + <acronym>VPN</acronym> over IPsec + NikClayton
nik@FreeBSD.org
@@ -2030,23 +2050,22 @@ Connection closed by foreign host.
- - IPsec - Understanding IPsec + + Understanding IPsec + - Hiten M.Pandya + Hiten + M.Pandya
hmp@FreeBSD.org
Written by
- - This section demonstrates the process of setting up IPsec. It assumes familiarity with the concepts of building a custom kernel (see ). @@ -2055,8 +2074,9 @@ Connection closed by foreign host.IP) layer. It allows two or more hosts to communicate in a secure manner. The &os; IPsec network stack is based on the - KAME implementation, - which has support for both IPv4 and IPv6. + KAME + implementation, which has support for both IPv4 and + IPv6. IPsec @@ -2171,13 +2191,15 @@ device crypto The internal addresses of the two networks can be either public or private IP addresses. However, the address space must not collide. For example, both - networks cannot use - 192.168.1.x. + networks cannot use 192.168.1.x.
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
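Review bot: the hunk at @@ -143,21 +143,22 @@ reflows lines that still carry two grammar errors, "people whom will attempt to access the system" (should be "who") and "a mistake has lead to a security breach" (should be "led"). Since the log entry says the commit is whitespace only and translators can ignore it, leave these as they are here but queue a follow-up wording commit for that paragraph.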
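Review bot: the hunk at @@ -219,37 +220,37 @@ ends the sudo paragraph with "privileged commands such as &man.service.8;" and no terminating period before the next paragraph begins with "After installation"; that is a content fix rather than whitespace, so it belongs in a separate commit that translators should not ignore.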
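Review bot: the hunk at @@ -371,13 +372,14 @@ preserves "This means that a every password must expire after so many days after it has been set", which has a stray "a" and a doubled "after"; the reflowed text should read "every password must expire so many days after it has been set", again as a follow-up wording change outside this whitespace commit.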
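Review bot: the hunk at @@ -450,24 +453,24 @@ carries three typos into the new lines: "there is a change a malicious user could modify" (should be "chance"), "difficult it not impossible" (should be "if not"), and "To being, a seed needs to be generated" (should be "To begin"). These are worth a dedicated commit because the paragraph is the one explaining why the mtree seed must be kept out of reach of an attacker.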
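Review bot: in the hunk at @@ -513,20 +516,24 @@ the three "+" lines around the touch, mtree and cat commands have no matching "-" lines, so they are additions rather than reflows; if that block is a screen element, its whitespace is rendered literally, so confirm the rendered output is unchanged before calling the commit whitespace only. The same hunk also keeps "when the command was originally ran" and "these commands were ran" (should be "run").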
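Review bot: the hunk at @@ -1138,14 +1142,14 @@ retains "available as a the security/heimdal package or port" (drop "a"), and the hunk at @@ -1447,19 +1454,20 @@ retains "without requiring a shared password.:" with doubled punctuation; both are one-token fixes that should go in the follow-up wording commit rather than this one.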