Date: Fri, 2 Jun 2017 18:26:37 +0000 (UTC)
From: Ruey-Cherng Yu <rcyu@FreeBSD.org>
To: doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject: svn commit: r50316 - head/zh_TW.UTF-8/books/handbook
Message-ID: <201706021826.v52IQbZb070030@repo.freebsd.org>
Author: rcyu Date: Fri Jun 2 18:26:37 2017 New Revision: 50316 URL: https://svnweb.freebsd.org/changeset/doc/50316 Log: - Update po file with newest handbook document. - Translation of the following sections: 13.3. One-time Passwords 13.8. OpenSSH 13.14. Shared Administration with Sudo 21.5. FreeBSD as a Guest on VirtualBox™ 21.6. FreeBSD as a Host with VirtualBox 23.5. Updating FreeBSD from Source 23.6. Tracking for Multiple Machines Submitted by: cwlin@gmail.com Differential Revision: https://reviews.freebsd.org/D10888 Modified: head/zh_TW.UTF-8/books/handbook/book.xml head/zh_TW.UTF-8/books/handbook/zh_TW.po Modified: head/zh_TW.UTF-8/books/handbook/book.xml ============================================================================== --- head/zh_TW.UTF-8/books/handbook/book.xml Fri Jun 2 08:47:45 2017 (r50315) +++ head/zh_TW.UTF-8/books/handbook/book.xml Fri Jun 2 18:26:37 2017 (r50316) @@ -129,6 +129,7 @@ <!ENTITY pgpkey.davide SYSTEM "davide.key"> <!ENTITY pgpkey.davidxu SYSTEM "davidxu.key"> <!ENTITY pgpkey.db SYSTEM "db.key"> +<!ENTITY pgpkey.dbaio SYSTEM "dbaio.key"> <!ENTITY pgpkey.dbn SYSTEM "dbn.key"> <!ENTITY pgpkey.dchagin SYSTEM "dchagin.key"> <!ENTITY pgpkey.dcs SYSTEM "dcs.key"> @@ -141,6 +142,7 @@ <!ENTITY pgpkey.demon SYSTEM "demon.key"> <!ENTITY pgpkey.den SYSTEM "den.key"> <!ENTITY pgpkey.des SYSTEM "des.key"> +<!ENTITY pgpkey.dexter SYSTEM "dexter.key"> <!ENTITY pgpkey.dfr SYSTEM "dfr.key"> <!ENTITY pgpkey.dhartmei SYSTEM "dhartmei.key"> <!ENTITY pgpkey.dhn SYSTEM "dhn.key"> @@ -164,6 +166,7 @@ <!ENTITY pgpkey.emax SYSTEM "emax.key"> <!ENTITY pgpkey.erj SYSTEM "erj.key"> <!ENTITY pgpkey.erwin SYSTEM "erwin.key"> +<!ENTITY pgpkey.eugen SYSTEM "eugen.key"> <!ENTITY pgpkey.fabient SYSTEM "fabient.key"> <!ENTITY pgpkey.fanf SYSTEM "fanf.key"> <!ENTITY pgpkey.farrokhi SYSTEM "farrokhi.key"> 
@@ -250,6 +253,7 @@ <!ENTITY pgpkey.johans SYSTEM "johans.key"> <!ENTITY pgpkey.jon SYSTEM "jon.key"> <!ENTITY pgpkey.jonathan SYSTEM "jonathan.key"> +<!ENTITY pgpkey.joneum SYSTEM "joneum.key"> <!ENTITY pgpkey.josef SYSTEM "josef.key"> <!ENTITY pgpkey.jpaetzel SYSTEM "jpaetzel.key"> <!ENTITY pgpkey.jrm SYSTEM "jrm.key"> @@ -412,6 +416,7 @@ <!ENTITY pgpkey.rafan SYSTEM "rafan.key"> <!ENTITY pgpkey.rakuco SYSTEM "rakuco.key"> <!ENTITY pgpkey.ray SYSTEM "ray.key"> +<!ENTITY pgpkey.rcyu SYSTEM "rcyu.key"> <!ENTITY pgpkey.rdivacky SYSTEM "rdivacky.key"> <!ENTITY pgpkey.rea SYSTEM "rea.key"> <!ENTITY pgpkey.rees SYSTEM "rees.key"> @@ -535,6 +540,7 @@ <!ENTITY pgpkey.wollman SYSTEM "wollman.key"> <!ENTITY pgpkey.woodsb02 SYSTEM "woodsb02.key"> <!ENTITY pgpkey.wosch SYSTEM "wosch.key"> +<!ENTITY pgpkey.wulf SYSTEM "wulf.key"> <!ENTITY pgpkey.wxs SYSTEM "wxs.key"> <!ENTITY pgpkey.xmj SYSTEM "xmj.key"> <!ENTITY pgpkey.xride SYSTEM "xride.key"> @@ -640,6 +646,7 @@ <year>2014</year> <year>2015</year> <year>2016</year> + <year>2017</year> <holder>The FreeBSD Documentation Project</holder> </copyright> @@ -1588,7 +1595,7 @@ <listitem> <para><link xlink:href="http://www.ixsystems.com/">iXsystems</link> <indexterm> <primary>iXsystems</primary> - </indexterm> - 統合存儲 (Unified Storage) 設備的 TrueNAS 產品線是以 FreeBSD 為基礎。除了該公司自己的商業產品外,iXsystems 也管理著 PC-BSD 和 FreeNAS 兩個開源計劃的開發。</para> + </indexterm> - 統合存儲 (Unified Storage) 設備的 TrueNAS 產品線是以 FreeBSD 為基礎。除了該公司自己的商業產品外,iXsystems 也管理著 TrueOS 和 FreeNAS 兩個開源計劃的開發。</para> </listitem> <listitem> 
@@ -1616,9 +1623,13 @@ </listitem> <listitem> - <para><link xlink:href="http://www.sandvine.com/">Sandvine</link> <indexterm> + <para xml:lang="en"><link xlink:href="http://www.sandvine.com/">Sandvine</link> + <indexterm xml:lang="en"> <primary>Sandvine</primary> - </indexterm> - Sandvine 使用 FreeBSD 作為它們的高性能即時網路處理平台,來建立它們的智慧網路策略控制產品。</para> + </indexterm> - Sandvine uses FreeBSD as the basis of their + high performance real-time network processing platforms + that make up their intelligent network policy control + products.</para> </listitem> <listitem> @@ -1643,7 +1654,7 @@ <para><link xlink:href="https://www.stormshield.eu">Stormshield</link> <indexterm> <primary>Stormshield</primary> - </indexterm> - Stormshield 網路安全設備使用了硬體化版本的 FreeBSD 做為基礎,BSD 授權條款讓我們我們的智慧財產與系統可以整合,並同時回饋大量有趣的發展給社群。</para> + </indexterm> - Stormshield 網路安全設備使用了硬體化版本的 FreeBSD 做為基礎,BSD 授權條款讓他們可將其智慧財產與系統整合並同時回饋大量有趣的發展給社群。</para> </listitem> <listitem> @@ -1721,8 +1732,8 @@ </listitem> <listitem> - <para><link xlink:href="http://www.pcbsd.org/">PC-BSD</link> <indexterm> - <primary>PC-BSD</primary> + <para><link xlink:href="http://www.pcbsd.org/">TrueOS</link> <indexterm> + <primary>TrueOS</primary> </indexterm> - 訂製版本的 FreeBSD,裝備了給桌面使用者使用的圖型化工具來展示 FreeBSD 強大的功能給所有使用者,專門設計來緩解使用者在 Windows 與 OS X 間的過渡。</para> </listitem> 
@@ -2100,7 +2111,7 @@ <para>一般來說,本章所寫的安裝說明是針對 <trademark>i386</trademark> 和 <acronym>AMD64</acronym> 架構。如果可以用於其他平台,將會列表說明。 安裝程式和本章所敘述的內容可能會有些微差異,所以請將本章視為通用的指引,而不是完全照著來做。</para> <note> - <para>喜歡用圖形化安裝程式安裝 FreeBSD 的使用者, 可能會對 <application>pc-sysinstall</application> 有興趣,這是 PC-BSD 計畫所使用的。 他可以用來安裝圖形化桌面 (PC-BSD) 或是指令列版本的 FreeBSD。 細節請參考 PC-BSD 使用者 Handbook (<link xlink:href="http://wiki.pcbsd.org/index.php/Colophon">http://wiki.pcbsd.org/index.php/Colophon</link>)。</para> + <para>喜歡用圖形化安裝程式安裝 FreeBSD 的使用者, 可能會對 <application>pc-sysinstall</application> 有興趣,這是 TrueOS 計畫所使用的。 他可以用來安裝圖形化桌面 (TrueOS) 或是指令列版本的 FreeBSD。 細節請參考 TrueOS 使用者 Handbook (<link xlink:href="https://www.trueos.org/handbook/trueos.html">https://www.trueos.org/handbook/trueos.html</link>)。</para> </note> <para>讀完這章,您將了解︰</para> @@ -2356,7 +2367,7 @@ <step> <title>取得 <application>Image Writer <trademark class="registered">Windows</trademark> 版</application></title> - <para><application>Image Writer <trademark class="registered">Windows</trademark> 版</application> 是一個免費的應用程式,可以正確地將映像檔寫入隨身碟。 從 <uri xlink:href="https://launchpad.net/win32-image-writer/">https://launchpad.net/win32-image-writer/</uri> 下載,並解壓縮到一個資料夾。</para> + <para><application>Image Writer <trademark class="registered">Windows</trademark> 版</application> 是一個免費的應用程式,可以正確地將映像檔寫入隨身碟。可從 <uri xlink:href="https://sourceforge.net/projects/win32diskimager/">https://sourceforge.net/projects/win32diskimager/</uri> 下載,並解壓縮到一個資料夾。</para> </step> <step> 
@@ -2721,7 +2732,7 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</s <para>有時在 <filename>/var/tmp</filename> 會需要較多的空間,當新軟體安裝,套件工具會從套件中取出暫存的複本置於 <filename>/var/tmp</filename>。若在 <filename>/var/tmp</filename> 沒有足夠的空間,要安裝大型軟體套件,例如 <application>Firefox</application>, <application>Apache OpenOffice</application> 或 <application>LibreOffice</application> 會很困難。</para> </note> - <para><filename>/usr</filename> 分割區會保存許多支持系統運作的檔案,包含 FreeBSD Port 套件集以及系統原始碼。這個分割區建議至少要有 2 GB 的空間。</para> + <para><filename>/usr</filename> 分割區保存了許多支持系統運作的檔案,包含 FreeBSD Port 套件集以及系統原始碼,這個分割區建議至少要有 2 GB 的空間。</para> <para>在規劃分割區大小時,請牢記空間需求,當因某個分割區空間不足時要改使用其他分割區時會很麻煩。</para> @@ -2982,7 +2993,7 @@ Ethernet address 0:3:ba:b:92:d4, Host ID: 830b92d4.</s </mediaobject> </figure> - <para>選擇 <keycap>T</keycap> 來設定儲存池類型 (<literal>Pool Type</literal>) 以及要組成儲存池的磁碟。自動 <acronym>ZFS</acronym> 安裝程式目前僅支援建立單一頂層 vdev,除了在串連 (Stripe) 模式。要建立更複雜的儲存池,需使用 <xref linkend="bsdinstall-part-shell"/> 的操作來建立儲存池。安裝程式支援建立各種儲存池類型,包含串連 Stripe (不建議,沒有備援功能)、鏡像 Mirror (效能較佳,但可用空間較少) 以及 RAID-Z 1, 2, 與 3 (分別有能力承受同時 1, 2 與 3 個磁碟的損壞)。在選擇儲存池類型時會有提示顯示在螢幕的下方,提示所需要的磁碟數以及在使用 RAID-Z 時,每個配置最佳的磁碟數。</para> + <para>選擇 <keycap>T</keycap> 來設定儲存池類型 (<literal>Pool Type</literal>) 以及要組成儲存池的磁碟。自動 <acronym>ZFS</acronym> 安裝程式目前僅支援建立單一頂層 vdev,除了在串連 (Stripe) 模式。要建立更複雜的儲存池,需使用 <xref linkend="bsdinstall-part-shell"/> 的操作來建立儲存池。安裝程式支援建立各種儲存池類型,包含串連 Stripe (不建議,沒有備援功能)、鏡像 Mirror (效能較佳,但可用空間較少) 以及 RAID-Z 1, 2, 與 3 (分別有能力承受同時 1, 2 與 3 個磁碟的損壞)。在選擇儲存池類型時會在螢幕的下方提示所需的磁碟數量,以及在使用 RAID-Z 時,每種配置最佳的磁碟數。</para> <figure xml:id="bsdinstall-zfs-vdev_type"> <title><acronym>ZFS</acronym> 儲存池類型</title> 
@@ -6127,7 +6138,7 @@ subversion-static-<replaceable>1.8.8_2</replaceable> subversion16-<replaceable>1.6.23_4</replaceable> subversion17-<replaceable>1.7.16_2</replaceable></screen> - <para>套件名稱包含版本編號,且若 Port 使用 Python 為基礎,也會包含用來編譯該套件的 Python 版本。有些 Port 會有多個版本可使用,如 <application>subversion</application> ,因編譯選項不同,有多個版本可用,這個例子中即指靜態連結版本的 <application>subversion</application>。在指定要安裝的套件時,最好使用 Port 來源來指定該應用程式,Port 來源是指應用程式在 Port 樹中的路徑。再輸入一次 <command>pkg search</command> 並加上 <option>-o</option> 來列出每個套件來源:</para> + <para>套件名稱包含版本編號,且若 Port 使用 Python 為基礎,也會包含用來編譯該套件的 Python 版本。有些 Port 會有多個版本可使用,如 <application>Subversion</application> ,因編譯選項不同,有多個版本可用,這個例子中即指靜態連結版本的 <application>Subversion</application>。在指定要安裝的套件時,最好使用 Port 來源來指定該應用程式,Port 來源是指應用程式在 Port 樹中的路徑。再輸入一次 <command>pkg search</command> 並加上 <option>-o</option> 來列出每個套件來源:</para> <screen xml:lang="en"><prompt>#</prompt> <userinput>pkg search -o <replaceable>subversion</replaceable></userinput> devel/git-subversion @@ -6218,7 +6229,7 @@ Info: Lists information about open files (similar to <screen xml:lang="en"><prompt>#</prompt> <userinput>/usr/sbin/pkg</userinput></screen> - <para>您必須有網際網路連線供啟動程式使用。</para> + <para>您必須有可用的網際網路連線供啟動程式使用方可成功。</para> <para>否則,要安裝 Port 套件,則須執行:</para> 
@@ -6577,7 +6588,7 @@ Deinstalling ca_root_nss-3.15.1_1... done</screen> <sect3> <title>自訂 Port 安裝</title> - <para>部份 Port 提供編譯選項,可用來開啟或關閉應用程式中的元件、安全選項、或其他允許自訂的項目。這類的應用程式例子包括 <package>www/firefox</package>, <package>security/gpgme</package> 以及 <package>mail/sylpheed-claws</package>。若 Port 相依的其他 Port 有可設定的選項時,預設的模式會提示使用者選擇選單中的選項,這可能會讓安裝的過程暫停讓使用者操作數次。要避免這個情況,可在 Port skeleton 中執行 <command>make config-recursive</command> 來一次設定所有選項。然後再執行 <command>make install [clean]</command> 編譯與安裝該 Port。</para> + <para>部份 Port 提供編譯選項,可用來開啟或關閉應用程式中的元件、安全選項、或其他允許自訂的項目。這類的應用程式例子包括 <package>www/firefox</package>, <package>security/gpgme</package> 以及 <package>mail/sylpheed-claws</package>。若 Port 相依的其他 Port 有可設定的選項時,預設的模式會提示使用者選擇選單中的選項,這可能會讓安裝的過程暫停讓使用者操作數次。要避免這個情況,可一次設定所有選項,只要在 Port skeleton 中執行 <command>make config-recursive</command>,然後再執行 <command>make install [clean]</command> 編譯與安裝該 Port。</para> <tip> <para>使用 <buildtarget>config-recursive</buildtarget> 時,會使用 <buildtarget>all-depends-list</buildtarget> Target 來收集所有要設定 Port 清單。建議執行 <command>make config-recursive</command> 直到所有相依的 Port 選項都已定義,直到 Port 的選項畫面不會再出現,來確定所有相依的選項都已經設定。</para> @@ -7085,7 +7096,7 @@ ports-mgmt/pkg <term>視窗管理程式 (Window Manager)</term> <listitem> - <para>X 並不規定螢幕上的視窗該長什麼樣、要如何移動滑鼠指標、 要用什麼鍵來在視窗切換、每個視窗的標題列長相,及是否該有關閉按鈕,等等。事實上,X 把這部分交給所謂的視窗管理程式來管理。可用的<link xlink:href="http://xwinman.org/">視窗管理程式有很多種</link>,每一種視窗管理程式都提供不同的使用介面風格:有些支援虛擬桌面,有些允許自訂組合鍵來管理桌面,有些 <quote>開始</quote> 鈕,有些則是可更換佈景主題,可自行安裝新的佈景主題以更換外觀。 視窗管理程式可在 Port 套件集的 <filename>x11-wm</filename> 分類找到。</para> + <para>X 並不規定螢幕上的視窗該長什麼樣、要如何移動滑鼠指標、 要用什麼鍵來在視窗切換、每個視窗的標題列長相,及是否該有關閉按鈕,等等。事實上,X 把這部分交給所謂的視窗管理程式來管理。可用的<link xlink:href="http://www.xwinman.org/">視窗管理程式有很多種</link>,每一種視窗管理程式都提供不同的使用介面風格:有些支援虛擬桌面,有些允許自訂組合鍵來管理桌面,有些 <quote>開始</quote> 鈕,有些則是可更換佈景主題,可自行安裝新的佈景主題以更換外觀。 視窗管理程式可在 Port 套件集的 <filename>x11-wm</filename> 分類找到。</para> <para>每個視窗管理程式也各有其不同的設定機制,有些需要手動修改設定檔, 而有的則可透過圖型化工具來完成大部分的設定工作。</para> </listitem> 
@@ -7773,10 +7784,7 @@ EndSection</programlisting> <para>編輯 <filename>local.conf</filename> 完之後,請確認有使用 <literal></fontconfig></literal> 標籤結尾,若沒有使用會讓所做的更改被忽略。</para> - <para xml:lang="en">Users can add personalized settings by creating their own - <filename>~/.config/fontconfig/fonts.conf</filename>. This - file uses the same <acronym>XML</acronym> format described - above.</para> + <para>使用者可透過建立自己的 <filename>~/.config/fontconfig/fonts.conf</filename> 來加入個人化的設定,此檔案使用與上述說明相同的 <acronym>XML</acronym> 格式。</para> <indexterm xml:lang="en"><primary>LCD screen</primary></indexterm> <indexterm xml:lang="en"><primary>Fonts</primary> @@ -8437,7 +8445,7 @@ EndSection</programlisting> <para>隨著 FreeBSD 優越的效能及穩定性越來越熱門,它同時適合作為每日使用的桌面系統。FreeBSD 套件或 Port 有超過 24,000 個可用的應用程式,可以簡單的建立一個自訂的桌面環境來執行各種不同的桌面應用程式。本章將示範如何安裝數個桌面應用程式,包含網頁瀏覽器、辦工軟體、文件閱覽程式以及財務軟體。</para> <note> - <para>比起重頭設定,更偏好安裝預先編譯好桌面環境的 FreeBSD 版本的使用者可參考 <link xlink:href="http://www.pcbsd.org/">pcbsd.org 網站</link></para> + <para>比起重頭設定與編譯,較偏好使用 FreeBSD 桌面環境已預先編譯好版本的使用者可參考 <link xlink:href="http://www.trueos.org/">trueos.org 網站</link>。</para> </note> <para>在閱讀這章之前,你必須了解如何:</para> @@ -9219,7 +9227,7 @@ EndSection</programlisting> <sect1 xml:id="multimedia-synopsis"> <title>概述</title> - <para>FreeBSD 廣泛地支援各種音效卡, 讓您可以享受來自電腦上的高傳真音質(Hi-Fi), 此外還包括了錄製和播放 MPEG Audio Layer 3 (<acronym>MP3</acronym>)、 Waveform Audio File (<acronym>WAV</acronym>)、Ogg Vorbis 以及其他許多種格式聲音的能力。同時 FreeBSD Port 套件集也包含了許多可讓您可以錄音、編修音效以及控制 MIDI 配備的應用程式。</para> + <para>FreeBSD 廣泛地支援各種音效卡, 讓使用者可以享受來自電腦上的高傳真音質(Hi-Fi), 此外還包括了錄製和播放 MPEG Audio Layer 3 (<acronym>MP3</acronym>)、 Waveform Audio File (<acronym>WAV</acronym>)、Ogg Vorbis 以及其他許多種格式聲音的能力。同時 FreeBSD Port 套件集也包含了許多可讓您可以錄音、編修音效以及控制 MIDI 配備的應用程式。</para> <para> FreeBSD 也能播放一般的視訊檔和 <acronym>DVD</acronym>。 FreeBSD Port 套件集中含有可編碼、轉換以及播放格種影像媒體的應用程式。</para> 
@@ -12930,7 +12938,7 @@ lp: <screen xml:lang="en"><prompt>#</prompt> <userinput>kldload linux</userinput></screen> - <para xml:lang="en">For 64-bit compatibility:</para> + <para>對 64-位元的相容性:</para> <screen xml:lang="en"><prompt>#</prompt> <userinput>kldload linux64</userinput></screen> @@ -12951,8 +12959,7 @@ lp: <programlisting xml:lang="en">linux_enable="YES"</programlisting> - <para xml:lang="en">On 64-bit machines, <filename>/etc/rc.d/abi</filename> will - automatically load the module for 64-bit emulation.</para> + <para>在 64-位元的機器上,<filename>/etc/rc.d/abi</filename> 會自動載入用來做 64-位元模擬的模組。</para> <indexterm><primary>核心選項</primary> <secondary>COMPAT_LINUX</secondary></indexterm> @@ -16924,7 +16931,7 @@ boot:</screen> <entry xml:lang="en">boot <optional><replaceable>-options</replaceable></optional> <optional><replaceable>kernelname</replaceable></optional></entry> - <entry>使用指定的選項或核心名稱立即啟動核心。由指令列指定核心名稱前必須先執行 <command>unload</command>,否則會使用先前載入過的核心。若 <emphasis>kernelname</emphasis> 不是完整的路徑則會搜尋 <emphasis>/boot/kernel</emphasis> 及 <emphasis>/boot/modules</emphasis> 底下。</entry> + <entry>使用任何指定的選項或核心名稱立即啟動核心,要由指令列指定核心名稱必須先執行 <command>unload</command>,否則會使用先前載入過的核心。若 <emphasis>kernelname</emphasis> 不是完整的路徑則會搜尋 <emphasis>/boot/kernel</emphasis> 及 <emphasis>/boot/modules</emphasis> 底下。</entry> </row> <row> 
@@ -17602,67 +17609,20 @@ cat changed <secondary>one-time passwords</secondary> </indexterm> - <para xml:lang="en">By default, FreeBSD includes support for One-time Passwords In - Everything (<acronym>OPIE</acronym>). <acronym>OPIE</acronym> - is designed to prevent replay attacks, in which an attacker - discovers a user's password and uses it to access a system. - Since a password is only used once in <acronym>OPIE</acronym>, a - discovered password is of little use to an attacker. - <acronym>OPIE</acronym> uses a secure hash and a - challenge/response system to manage passwords. The FreeBSD - implementation uses the <acronym>MD5</acronym> hash by - default.</para> + <para>預設 FreeBSD 已內建一次性密碼 (One-time Passwords In Everything, <acronym>OPIE</acronym>)。<acronym>OPIE</acronym> 設計用來避免重送攻擊 (Replay attack),重送攻擊指的是攻擊者發現了某位使用者的密碼,然後使用該密碼來存取系統。由於在 <acronym>OPIE</acronym> 的環境下,一組密碼只能被使用一次,被發現的密碼對攻擊者而言便沒有什麼作用。<acronym>OPIE</acronym> 使用了安全的加密方式與詰問/回應系統 (Challenge/response system) 來管理密碼。FreeBSD 在實作上預設採用 <acronym>MD5</acronym> 加密。</para> - <para xml:lang="en"><acronym>OPIE</acronym> uses three different types of - passwords. The first is the usual <trademark class="registered">UNIX</trademark> or Kerberos password. - The second is the one-time password which is generated by - <command>opiekey</command>. The third type of password is the - <quote>secret password</quote> which is used to generate - one-time passwords. The secret password has nothing to do with, - and should be different from, the <trademark class="registered">UNIX</trademark> password.</para> + <para><acronym>OPIE</acronym> 使用了三種不同類型的密碼,第一種是一般的 <trademark class="registered">UNIX</trademark> 或 Kerberos 密碼,第二種是由 <command>opiekey</command> 所產生的一次性密碼,第三種是用來生一次性密碼的 <quote>秘密密碼 (Secret password)</quote>,秘密密碼與 <trademark class="registered">UNIX</trademark> 密碼無關且不應相同。</para> - <para xml:lang="en">There are two other pieces of data that are important to - <acronym>OPIE</acronym>. 
One is the <quote>seed</quote> or - <quote>key</quote>, consisting of two letters and five digits. - The other is the <quote>iteration count</quote>, a number - between 1 and 100. <acronym>OPIE</acronym> creates the one-time - password by concatenating the seed and the secret password, - applying the <acronym>MD5</acronym> hash as many times as - specified by the iteration count, and turning the result into - six short English words which represent the one-time password. - The authentication system keeps track of the last one-time - password used, and the user is authenticated if the hash of the - user-provided password is equal to the previous password. - Because a one-way hash is used, it is impossible to generate - future one-time passwords if a successfully used password is - captured. The iteration count is decremented after each - successful login to keep the user and the login program in sync. - When the iteration count gets down to <literal>1</literal>, - <acronym>OPIE</acronym> must be reinitialized.</para> + <para>對 <acronym>OPIE</acronym> 來說還有另外兩個部份的資料很重要。其中一個是<quote>種子碼 (Seed)</quote> 或稱<quote>金鑰 (Key)</quote>,由兩個字母與五個數字組成。另一個則是<quote>疊代次數 (Iteration count)</quote>,是一個介於 1 到 100 間的數字。<acronym>OPIE</acronym> 會將種子碼與秘密密碼串連後,套用 <acronym>MD5</acronym> 加密數次後 (根據疊代次數),再將結果轉換成六個簡短的英文單字來產生一次性密碼。認証系統會持續追蹤最後使用的一次性密碼,若使用者提供的密碼加密後與前一次的密碼相同則可通過認証。由於採用了單向的加密方式,若使用過的密碼被成功擷取也無法拿來產生之後的一次性密碼。疊代次數會在每一次登入成功之後減少,來保持使用者與登入程式間的同步。當疊代次數減少至 <literal>1</literal> 時,<acronym>OPIE</acronym> 便要重新初始化。</p ara> - <para xml:lang="en">There are a few programs involved in this process. A - one-time password, or a consecutive list of one-time passwords, - is generated by passing an iteration count, a seed, and a secret - password to <citerefentry><refentrytitle>opiekey</refentrytitle><manvolnum>1</manvolnum></citerefentry>. 
In addition to initializing - <acronym>OPIE</acronym>, <citerefentry><refentrytitle>opiepasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry> is used to change - passwords, iteration counts, or seeds. The relevant credential - files in <filename>/etc/opiekeys</filename> are examined by - <citerefentry><refentrytitle>opieinfo</refentrytitle><manvolnum>1</manvolnum></citerefentry> which prints out the invoking user's current - iteration count and seed.</para> + <para>這個整個程序會牽涉到幾個程式。傳送疊代次數、種子碼與秘密密碼來產生一組一次性密碼或數個一次性密碼的 <citerefentry><refentrytitle>opiekey</refentrytitle><manvolnum>1</manvolnum></citerefentry>。除了初始化 <acronym>OPIE</acronym> 之外,用來更改密碼、疊代次數或種子碼的 <citerefentry><refentrytitle>opiepasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>。會讀取放在 <filename>/etc/opiekeys</filename> 的相關憑証檔來列出使用者目前的疊代次數與種子碼的 <citerefentry><refentrytitle>opieinfo</refentrytitle><manvolnum>1</manvolnum></citerefentry>。</para> - <para xml:lang="en">This section describes four different sorts of operations. - The first is how to set up one-time-passwords for the first time - over a secure connection. The second is how to use - <command>opiepasswd</command> over an insecure connection. The - third is how to log in over an insecure connection. The fourth - is how to generate a number of keys which can be written down or - printed out to use at insecure locations.</para> + <para>本章節將介紹四種不同的操作,第一是如何在安全連線下做第一次的一次性密碼設定,第二是如何使用在不安全的連線下使用 <command>opiepasswd</command>,第三是如何在不安全的連線下登入系統,第四是如何產生數個可以被記錄或列印下來在不安全的場所使的金鑰。</para> <sect2> <title>初始化 <acronym>OPIE</acronym></title> - <para xml:lang="en">To initialize <acronym>OPIE</acronym> for the first time, - run this command from a secure location:</para> + <para>第一次要初始化 <acronym>OPIE</acronym>,要在安全的場所執行以下指令:</para> <screen xml:lang="en"><prompt>%</prompt> <userinput>opiepasswd -c</userinput> Adding unfurl: 
@@ -17676,41 +17636,17 @@ Again new secret pass phrase: ID unfurl OTP key is 499 to4268 MOS MALL GOAT ARM AVID COED</screen> - <para xml:lang="en">The <option>-c</option> sets console mode which assumes - that the command is being run from a secure location, such as - a computer under the user's control or a - <acronym>SSH</acronym> session to a computer under the user's - control.</para> + <para><option>-c</option> 會設定採用假設指令在安全場所執行的 Console 模式,如在使用者掌控之中的電腦或者透過 <acronym>SSH</acronym> 連線到一台在使用者掌控之中的電腦。</para> - <para xml:lang="en">When prompted, enter the secret password which will be - used to generate the one-time login keys. This password - should be difficult to guess and should be different than the - password which is associated with the user's login account. - It must be between 10 and 127 characters long. Remember this - password.</para> + <para>提示出現後,輸入用來產生一次性登入金鑰的秘密密碼,應使用一個不容易被猜出來的密碼,且應與使用者登入帳號所使用的密碼不同,密碼必須介於 10 到 127 個字元長度之間,然後請記住這個密碼。</para> - <para xml:lang="en">The <literal>ID</literal> line lists the login name - (<literal>unfurl</literal>), default iteration count - (<literal>499</literal>), and default seed - (<literal>to4268</literal>). When logging in, the system will - remember these parameters and display them, meaning that they - do not have to be memorized. The last line lists the - generated one-time password which corresponds to those - parameters and the secret password. At the next login, use - this one-time password.</para> + <para><literal>ID</literal> 行會列出登入名稱 (<literal>unfurl</literal>)、預設的疊代次數 (<literal>499</literal>) 以及預設的種子碼 (<literal>to4268</literal>)。在進行登入時,系統會記住這些參數並且顯示出來,這也代表不需要另外記錄這些資訊。最後一行會列出根據這些參數與秘密密碼所產生出來的一次性密碼,在下一次登入時便要使用這個一次性密碼。</para> </sect2> <sect2> - <title>不安全連線初始化</title> + <title>在不安全連線下做初始化</title> - <para xml:lang="en">To initialize or change the secret password on an - insecure system, a secure connection is needed to some place - where <command>opiekey</command> can be run. 
This might be a - shell prompt on a trusted machine. An iteration count is - needed, where 100 is probably a good value, and the seed can - either be specified or the randomly-generated one used. On - the insecure connection, the machine being initialized, use - <citerefentry><refentrytitle>opiepasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>:</para> + <para>要在不安全的系統上初始化或更改秘密密碼會需要某個可使用安全的連線的地方執行 <command>opiekey</command>,這可能是在某一台信任的主機上的 Shell。初始化需要設定疊代次數,100 可能是不錯的數字,種子碼可以自行指定或隨機產生,在不安全連線下要被初始化主機須使用 <citerefentry><refentrytitle>opiepasswd</refentrytitle><manvolnum>1</manvolnum></citerefentry>:</para> <screen xml:lang="en"><prompt>%</prompt> <userinput>opiepasswd</userinput> @@ -17726,9 +17662,7 @@ New secret pass phrase: ID mark OTP key is 499 gr4269 LINE PAP MILK NELL BUOY TROY</screen> - <para xml:lang="en">To accept the default seed, press <keycap>Return</keycap>. - Before entering an access password, move over to the secure - connection and give it the same parameters:</para> + <para>要採用預設的種子碼,可直接按下 <keycap>Return</keycap> 做初始化。接著在輸入回應之前移到安全的連線然後給予相同的加密參數產生密碼:</para> <screen xml:lang="en"><prompt>%</prompt> <userinput>opiekey 498 to4268</userinput> Using the MD5 algorithm to compute response. @@ -17736,16 +17670,13 @@ Reminder: Do not use opiekey from telnet or dial-in se Enter secret pass phrase: GAME GAG WELT OUT DOWN CHAT</screen> - <para xml:lang="en">Switch back over to the insecure connection, and copy the - generated one-time password over to the relevant - program.</para> + <para>切換回不安全的連線,然後複製產生的一次性密碼貼上。</para> </sect2> <sect2> <title>產生單組一次性密碼</title> - <para xml:lang="en">After initializing <acronym>OPIE</acronym> and logging in, - a prompt like this will be displayed:</para> + <para>在初始化 <acronym>OPIE</acronym> 之後進行登入會顯示如下的提示訊息:</para> <screen xml:lang="en"><prompt>%</prompt> <userinput>telnet example.com</userinput> Trying 10.0.0.1... 
@@ -17758,25 +17689,15 @@ login: <userinput><username></userinput> otp-md5 498 gr4269 ext Password: </screen> - <para xml:lang="en">The <acronym>OPIE</acronym> prompts provides a useful - feature. If <keycap>Return</keycap> is pressed at the - password prompt, the prompt will turn echo on and display - what is typed. This can be useful when attempting to type in - a password by hand from a printout.</para> + <para><acronym>OPIE</acronym> 的提示提供了一個很有用的功能,若在密碼提示時按下 <keycap>Return</keycap>,便會開啟回應功能並顯示輸入的內容,這個功能在嘗試手工輸入列印出來的密碼時很有用。</para> <indexterm xml:lang="en"><primary>MS-DOS</primary></indexterm> <indexterm xml:lang="en"><primary>Windows</primary></indexterm> <indexterm xml:lang="en"><primary>MacOS</primary></indexterm> - <para xml:lang="en">At this point, generate the one-time password to answer - this login prompt. This must be done on a trusted system - where it is safe to run <citerefentry><refentrytitle>opiekey</refentrytitle><manvolnum>1</manvolnum></citerefentry>. There are versions - of this command for <trademark class="registered">Windows</trademark>, <trademark class="registered">Mac OS</trademark> and FreeBSD. This command - needs the iteration count and the seed as command line - options. Use cut-and-paste from the login prompt on the - machine being logged in to.</para> + <para>此時,要產生一次性密碼來回應登入時的提示,這必須在受信任且可安全執行 <citerefentry><refentrytitle>opiekey</refentrytitle><manvolnum>1</manvolnum></citerefentry> 的系統上完成。這個指令有提供 <trademark class="registered">Windows</trademark>, <trademark class="registered">Mac OS</trademark> 與 FreeBSD 版本,使用時需要疊代次數與種子碼做為在指令列的參數,剪下在要登入主機在登入時所提示的訊息。</para> - <para xml:lang="en">On the trusted system:</para> + <para>在信任的系統上執行:</para> <screen xml:lang="en"><prompt>%</prompt> <userinput>opiekey 498 to4268</userinput> Using the MD5 algorithm to compute response. 
@@ -17784,17 +17705,13 @@ Reminder: Do not use opiekey from telnet or dial-in se Enter secret pass phrase: GAME GAG WELT OUT DOWN CHAT</screen> - <para xml:lang="en">Once the one-time password is generated, continue to log - in.</para> + <para>在產生一次性密碼後,回到登入畫面繼續登入。</para> </sect2> <sect2> <title>產生多組一次性密碼</title> - <para xml:lang="en">Sometimes there is no access to a trusted machine or - secure connection. In this case, it is possible to use - <citerefentry><refentrytitle>opiekey</refentrytitle><manvolnum>1</manvolnum></citerefentry> to generate a number of one-time passwords - beforehand. For example:</para> + <para>有時會無法存取信任的主機或沒有安全的連線,在這種情況下,可以使用 <citerefentry><refentrytitle>opiekey</refentrytitle><manvolnum>1</manvolnum></citerefentry> 來預先產生多個一次性密碼,例如:</para> <screen xml:lang="en"><prompt>%</prompt> <userinput>opiekey -n 5 30 zz99999</userinput> Using the MD5 algorithm to compute response. 
@@ -17806,37 +17723,21 @@ Enter secret pass phrase: <userinput><secret passwo 29: RIO ODIN GO BYE FURY TIC 30: GREW JIVE SAN GIRD BOIL PHI</screen> - <para xml:lang="en">The <option>-n 5</option> requests five keys in sequence, - and <option>30</option> specifies what the last iteration - number should be. Note that these are printed out in - <emphasis>reverse</emphasis> order of use. The really - paranoid might want to write the results down by hand; - otherwise, print the list. Each line shows both the iteration - count and the one-time password. Scratch off the passwords as - they are used.</para> + <para><option>-n 5</option> 會請求產生連續五個金鑰,而 <option>30</option> 則是指定最後一個疊代的編號。注意這些列印出的結果的順序與使用的順序<emphasis>相反</emphasis>。十足的偏執狂可能會想要用手寫下結果,否則就列印出清單。每一行會同時顯示疊代次數及一次性密碼,在密碼使用過後便可劃掉。</para> </sect2> <sect2> <title>限制使用 <trademark class="registered">UNIX</trademark> 密碼</title> - <para xml:lang="en"><acronym>OPIE</acronym> can restrict the use of <trademark class="registered">UNIX</trademark> - passwords based on the IP address of a login session. The - relevant file is <filename>/etc/opieaccess</filename>, which - is present by default. 
Refer to <citerefentry><refentrytitle>opieaccess</refentrytitle><manvolnum>5</manvolnum></citerefentry> for more - information on this file and which security considerations to - be aware of when using it.</para> + <para><acronym>OPIE</acronym> 可以根據登入階段的 IP 位置限制使用 <trademark class="registered">UNIX</trademark> 密碼,相關的檔案為 <filename>/etc/opieaccess</filename>,這個檔案預設便存在。請參考 <citerefentry><refentrytitle>opieaccess</refentrytitle><manvolnum>5</manvolnum></citerefentry> 來取得更多有關此檔案的資訊以及當使用時要考量的安全性問題。</para> - <para xml:lang="en">Here is a sample <filename>opieaccess</filename>:</para> + <para>這裡有一個範本 <filename>opieaccess</filename>:</para> <programlisting xml:lang="en">permit 192.168.0.0 255.255.0.0</programlisting> - <para xml:lang="en">This line allows users whose IP source address (which is - vulnerable to spoofing) matches the specified value and mask, - to use <trademark class="registered">UNIX</trademark> passwords at any time.</para> + <para>這一行允許來源 IP 位址 (容易受到詐騙的位址) 符合指定值與遮罩的使用者在任何時間可使用 <trademark class="registered">UNIX</trademark> 密碼登入。</para> - <para xml:lang="en">If no rules in <filename>opieaccess</filename> are - matched, the default is to deny non-<acronym>OPIE</acronym> - logins.</para> + <para>若在 <filename>opieaccess</filename> 中沒有符合的規則,預設會拒絕非 <acronym>OPIE</acronym> 的登入。</para> </sect2> </sect1> 
@@ -19382,34 +19283,13 @@ racoon_enable="yes"</programlisting> <secondary>OpenSSH</secondary> </indexterm> - <para xml:lang="en"><application>OpenSSH</application> is a set of network - connectivity tools used to provide secure access to remote - machines. Additionally, <acronym>TCP/IP</acronym> connections - can be tunneled or forwarded securely through - <acronym>SSH</acronym> connections. - <application>OpenSSH</application> encrypts all traffic to - effectively eliminate eavesdropping, connection hijacking, and - other network-level attacks.</para> + <para><application>OpenSSH</application> 是一套網路連線工具,可安全的存取遠端的主機,此外,透過 <acronym>SSH</acronym> 連線可以建立 <acronym>TCP/IP</acronym> 連線通道或安全的轉送 <acronym>TCP/IP</acronym> 的封包。<application>OpenSSH</application> 會對所有傳輸的資料做加密,可有效的避免竊聽 (Eavesdropping)、或連線劫持 (Connection hijacking) 與其他網路層的攻擊。</para> - <para xml:lang="en"><application>OpenSSH</application> is maintained by the - OpenBSD project and is installed by default in FreeBSD. It is - compatible with both <acronym>SSH</acronym> version 1 and 2 - protocols.</para> + <para><application>OpenSSH</application> 由 OpenBSD 專案所維護且在 FreeBSD 預設會安裝,它可同時相容 <acronym>SSH</acronym> 版本 1 與 2 通訊協定。</para> - <para xml:lang="en">When data is sent over the network in an unencrypted form, - network sniffers anywhere in between the client and server can - steal user/password information or data transferred during the - session. <application>OpenSSH</application> offers a variety of - authentication and encryption methods to prevent this from - happening. 
More information about - <application>OpenSSH</application> is available from <link xlink:href="http://www.openssh.com/">http://www.openssh.com/</link>.</para> + <para>當以未加密的方式在網路上傳送資料時,任何在客戶端與伺服器之間的網路竊聽程式 (Network sniffer) 皆可竊取使用者/密碼資訊或者在連線階段傳送的資料,<application>OpenSSH</application> 提供了數種認証與加密方式來避免這種事情發生。更多有關 <application>OpenSSH</application> 的資訊可於 <link xlink:href="http://www.openssh.com/">http://www.openssh.com/</link> 取得。</para> - <para xml:lang="en">This section provides an overview of the built-in client - utilities to securely access other systems and securely transfer - files from a FreeBSD system. It then describes how to configure a - <acronym>SSH</acronym> server on a FreeBSD system. More - information is available in the man pages mentioned in this - chapter.</para> + <para>本節會簡單介紹如何使用內建的客戶端工具安全的存取其他系統及安全的傳輸檔案到 FreeBSD 系統,然後會說明如何設定在 FreeBSD 系統上的 <acronym>SSH</acronym> 伺服器。更多的資訊可於本章節所提及的操作手冊 (Man page) 取得。</para> <sect2> <title>使用 SSH 客戶端工具</title> @@ -19419,12 +19299,7 @@ racoon_enable="yes"</programlisting> <secondary>client</secondary> </indexterm> - <para xml:lang="en">To log into a <acronym>SSH</acronym> server, use - <command>ssh</command> and specify a username that exists on - that server and the <acronym>IP</acronym> address or hostname - of the server. If this is the first time a connection has - been made to the specified server, the user will be prompted - to first verify the server's fingerprint:</para> + <para>要登入一台 <acronym>SSH</acronym> 伺服器,可使用 <command>ssh</command> 然後指定在伺服器上存在的使用者名稱與 <acronym>IP</acronym> 位址或伺服器的主機名稱。若這是第一次連線到指定的伺服器,會提示該使用者伺服器的指紋做第一次檢驗:</para> <screen xml:lang="en"><prompt>#</prompt> <userinput>ssh <replaceable>user@example.com</replaceable></userinput> The authenticity of host 'example.com (10.0.0.1)' can't be established. 
@@ -19433,26 +19308,9 @@ Are you sure you want to continue connecting (yes/no)? Permanently added 'example.com' (ECDSA) to the list of known hosts. Password for user@example.com: <userinput><replaceable>user_password</replaceable></userinput></screen> - <para xml:lang="en"><acronym>SSH</acronym> utilizes a key fingerprint system - to verify the authenticity of the server when the client - connects. When the user accepts the key's fingerprint by - typing <literal>yes</literal> when connecting for the first - time, a copy of the key is saved to - <filename>.ssh/known_hosts</filename> in the user's home - directory. Future attempts to login are verified against the - saved key and <command>ssh</command> will display an alert if - the server's key does not match the saved key. If this - occurs, the user should first verify why the key has changed - before continuing with the connection.</para> + <para><acronym>SSH</acronym> 會在客戶端連線時利用金鑰指紋 (Key fingerprint) 系統來驗證伺服器的真偽,當使用者在第一次連線時輸入 <literal>yes</literal> 接受了這個金鑰指紋,便會將該金鑰的複本儲存到使用者家目錄的 <filename>.ssh/known_hosts</filename>,未來嘗試登入時便會以這個存好的金鑰來驗證,若伺服器的金鑰與儲存的金鑰不同將會顯示警告訊息。若出現這個警告時,使用者應在繼續連線之前檢查金鑰變動的原因。</para> - <para xml:lang="en">By default, recent versions of - <application>OpenSSH</application> only accept - <acronym>SSH</acronym>v2 connections. By default, the client - will use version 2 if possible and will fall back to version 1 - if the server does not support version 2. To force - <command>ssh</command> to only use the specified protocol, - include <option>-1</option> or <option>-2</option>. 
- Additional options are described in <citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para> + <para>最近版本的 <application>OpenSSH</application> 預設只會接受 <acronym>SSH</acronym>v2 的連線。客戶端預設會盡可能使用版本 2 的通訊協定,若伺服器不支援版本 2 的通訊協定便會向下相容版本 1 的協定。要強制 <command>ssh</command> 只能使用指定的通訊協定,可使用 <option>-1</option> 或 <option>-2</option>,其他的選項在 <citerefentry><refentrytitle>ssh</refentrytitle><manvolnum>1</manvolnum></citerefentry> 中有說明。</para> <indexterm xml:lang="en"> <primary>OpenSSH</primary> @@ -19462,11 +19320,7 @@ Password for user@example.com: <userinput><replaceable <primary><citerefentry><refentrytitle>scp</refentrytitle><manvolnum>1</manvolnum></citerefentry></primary> </indexterm> - <para xml:lang="en">Use <citerefentry><refentrytitle>scp</refentrytitle><manvolnum>1</manvolnum></citerefentry> to securely copy a file to or from a - remote machine. This example copies - <filename>COPYRIGHT</filename> on the remote system to a file - of the same name in the current directory of the local - system:</para> + <para>使用 <citerefentry><refentrytitle>scp</refentrytitle><manvolnum>1</manvolnum></citerefentry> 可從遠端主機安全的複製一個檔案,以下範例會複製在遠端主機的 <filename>COPYRIGHT</filename> 到本地主機的目前目錄:</para> <screen xml:lang="en"><prompt>#</prompt> <userinput>scp <replaceable>user@example.com:/COPYRIGHT COPYRIGHT</replaceable></userinput> Password for user@example.com: <userinput><replaceable>*******</replaceable></userinput> 
@@ -19474,36 +19328,16 @@ COPYRIGHT 100% |*************************** 00:00 <prompt>#</prompt></screen> - <para xml:lang="en">Since the fingerprint was already verified for this host, - the server's key is automatically checked before prompting for - the user's password.</para> + <para>由於這個主機的指紋已驗證過,在提示用者輸入密碼之前伺服器的金鑰已自動檢查。</para> - <para xml:lang="en">The arguments passed to <command>scp</command> are similar - to <command>cp</command>. The file or files to copy is the - first argument and the destination to copy to is the second. - Since the file is fetched over the network, one or more of the - file arguments takes the form - <option>user@host:<path_to_remote_file></option>. Be - aware when copying directories recursively that - <command>scp</command> uses <option>-r</option>, whereas - <command>cp</command> uses <option>-R</option>.</para> + <para>傳給 <command>scp</command> 的參數與傳給 <command>cp</command> 的參數相似。第一個參數是要複製的檔案,第二個參數是目地,由於檔案是透過網路取得,檔案參數需要使用 <option>user@host:<path_to_remote_file></option> 格式。注意,在 <command>scp</command> 要遞迴複製目錄是使用 <option>-r</option>,如同 <command>cp</command> 使用 <option>-R</option>。</para> - <para xml:lang="en">To open an interactive session for copying files, use - <command>sftp</command>. Refer to <citerefentry><refentrytitle>sftp</refentrytitle><manvolnum>1</manvolnum></citerefentry> for a list of - available commands while in an <command>sftp</command> - session.</para> + <para>要開啟可互動的連線來複製檔案可使用 <command>sftp</command>,請參考 <citerefentry><refentrytitle>sftp</refentrytitle><manvolnum>1</manvolnum></citerefentry> 來取得在 <command>sftp</command> 連線時可用的指令清單。</para> <sect3 xml:id="security-ssh-keygen"> <title>以金鑰為基礎的認證</title> - <para xml:lang="en">Instead of using passwords, a client can be configured - to connect to the remote machine using keys. To generate - <acronym>RSA</acronym> - authentication keys, use <command>ssh-keygen</command>. To - generate a public and private key pair, specify the type of - key and follow the prompts. 
It is recommended to protect - the keys with a memorable, but hard to guess - passphrase.</para> + <para>除了使用密碼之外,客戶端可以設定成使用金鑰來連線到遠端的主機。要產生 <acronym>RSA</acronym> 認証金鑰可使用 <command>ssh-keygen</command>。要產生成對的公鑰與私鑰,可指定金鑰的類型並依提示操作。建議使用容易記住但較難猜出的密碼來保護這個金鑰。</para> <screen xml:lang="en"><prompt>%</prompt> <userinput>ssh-keygen -t rsa</userinput> Generating public/private rsa key pair. 
@@ -19529,66 +19363,28 @@ The key's randomart image is: <calloutlist> <callout arearefs="co-ssh-keygen-passphrase1"> - <para xml:lang="en">Type a passphrase here. It can contain spaces and - symbols.</para> + <para>在此輸入密碼,密碼不可含有空白或符號。</para> </callout> <callout arearefs="co-ssh-keygen-passphrase2"> - <para xml:lang="en">Retype the passphrase to verify it.</para> + <para>再輸入一次密碼驗證。</para> </callout> </calloutlist> - <para xml:lang="en">The private key - is stored in <filename>~/.ssh/id_rsa</filename> - and the public key - is stored in <filename>~/.ssh/id_rsa.pub</filename>. - The - <emphasis>public</emphasis> key must be copied to - <filename>~/.ssh/authorized_keys</filename> on the remote - machine for key-based authentication to - work.</para> + <para>私鑰會儲存於 <filename>~/.ssh/id_rsa</filename> 而公鑰會儲存於 <filename>~/.ssh/id_rsa.pub</filename>。<emphasis>公鑰</emphasis>必須複製到遠端主機的<filename>~/.ssh/authorized_keys</filename> 來讓以金鑰為基礎的認証可以運作。</para> <warning> - <para xml:lang="en">Many users believe that keys are secure by design and - will use a key without a passphrase. This is - <emphasis>dangerous</emphasis> behavior. An - administrator can verify that a key pair is protected by a - passphrase by viewing the private key manually. If the - private key file contains the word - <literal>ENCRYPTED</literal>, the key owner is using a - passphrase. In addition, to better secure end users, - <literal>from</literal> may be placed in the public key - file. 
For example, adding - <literal>from="192.168.10.5"</literal> in front of the - <literal>ssh-rsa</literal> - prefix will only allow that specific user to log in from - that <acronym>IP</acronym> address.</para> + <para>許多使用者認為金鑰的設計是安全的並在產生金鑰時未使用密碼,這樣的行為其實很<emphasis>危險</emphasis>。管理者可以手動查看私鑰來檢查金鑰對是否受密碼保護,如果私鑰檔案中包含 <literal>ENCRYPTED</literal> 字詞,則代表金鑰的擁有者有使用密碼。此外,要更進一步保護最終使用者的安全,可在公鑰檔案中放入 <literal>from</literal>,例如,在 <literal>ssh-rsa</literal> 前加上 <literal>from="192.168.10.5"</literal> 將只允許指定的使用者由該 IP 位址登入。</para> </warning> - <para xml:lang="en">The options and files vary with different versions of - <application>OpenSSH</application>. - To avoid problems, consult <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para> + <para>不同版本 <application>OpenSSH</application> 的選項與檔案會不同,要避免發生問題請參考 <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry>。</para> - <para xml:lang="en">If a passphrase is used, the user is prompted for - the passphrase each time a connection is made to the server. - To load <acronym>SSH</acronym> keys into memory and remove - the need to type the passphrase each time, use - <citerefentry><refentrytitle>ssh-agent</refentrytitle><manvolnum>1</manvolnum></citerefentry> and <citerefentry><refentrytitle>ssh-add</refentrytitle><manvolnum>1</manvolnum></citerefentry>.</para> + <para>若使用了密碼,在每次連線到伺服器時都會提示使用者輸入密碼。要將 <acronym>SSH</acronym> 金鑰載入到記憶體並讓每次連線時不必再輸入密碼,可使用 <citerefentry><refentrytitle>ssh-agent</refentrytitle><manvolnum>1</manvolnum></citerefentry> 與 <citerefentry><refentrytitle>ssh-add</refentrytitle><manvolnum>1</manvolnum></citerefentry>。</para> - <para xml:lang="en">Authentication is handled by - <command>ssh-agent</command>, using the private keys that - are loaded into it. 
<command>ssh-agent</command> - can be used to launch another application like a - shell or a window manager.</para> + <para>認証可用 <command>ssh-agent</command> 來管理,只要將私鑰載入,<command>ssh-agent</command> 可用在執行其他應用程式,如 Shell 或視窗管理程式。</para> - <para xml:lang="en">To use <command>ssh-agent</command> in a shell, start it - with a shell as an argument. Add the identity by - running <command>ssh-add</command> and entering the - passphrase for the private key. - The user will then be able to <command>ssh</command> - to any host that has the corresponding public key installed. - For example:</para> + <para>要在 Shell 使用 <command>ssh-agent</command>,使用 Shell 做為參數來啟動 <command>ssh-agent</command>。執行 <command>ssh-add</command> 來加入識別碼,然後輸入私鑰的密碼。使用者將可使用 <command>ssh</command> 連線到任何有安裝對應公鑰的主機,例如:</para> <screen xml:lang="en"><prompt>%</prompt> ssh-agent <replaceable>csh</replaceable> <prompt>%</prompt> ssh-add 
@@ -19598,25 +19394,15 @@ Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/ <calloutlist> <callout arearefs="co-ssh-agent-passphrase"> - <para xml:lang="en">Enter the passphrase for the key.</para> + <para>輸入金鑰的密碼。</para> </callout> </calloutlist> - <para xml:lang="en">To use <command>ssh-agent</command> in - <application>Xorg</application>, add an entry for it in - <filename>~/.xinitrc</filename>. This provides the - <command>ssh-agent</command> services to all programs - launched in <application>Xorg</application>. An example - <filename>~/.xinitrc</filename> might look like this:</para> + <para>要在 <application>Xorg</application> 使用 <command>ssh-agent</command> 可在 <filename>~/.xinitrc</filename> 加入一個設定項目,這可讓 <command>ssh-agent</command> 對所有在 <application>Xorg</application> 中執行的程式提供服務。<filename>~/.xinitrc</filename> 範例如下:</para> <programlisting xml:lang="en">exec ssh-agent <replaceable>startxfce4</replaceable></programlisting> - <para xml:lang="en">This launches <command>ssh-agent</command>, which in - turn launches <application>XFCE</application>, every time - <application>Xorg</application> starts. Once - <application>Xorg</application> has been restarted so that - the changes can take effect, run <command>ssh-add</command> - to load all of the <acronym>SSH</acronym> keys.</para> + <para>這會在每次啟動 <application>Xorg</application> 時,反過來先執行 <command>ssh-agent</command> 再由執行 <application>XFCE</application>,一但 <application>Xorg</application> 被重新啟動,要讓所有變更生效需執行 <command>ssh-add</command> 來載入所有的 <acronym>SSH</acronym> 金鑰。</para> </sect3> <sect3 xml:id="security-ssh-tunneling"> 
@@ -19627,26 +19413,21 @@ Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/ <secondary>tunneling</secondary> </indexterm> - <para xml:lang="en"><application>OpenSSH</application> has the ability to - create a tunnel to encapsulate another protocol in an - encrypted session.</para> + <para><application>OpenSSH</application> 可以建立一個通道 (Tunnel) 來封裝其他通訊協定到一個加密的連線。</para> - <para xml:lang="en">The following command tells <command>ssh</command> to - create a tunnel for - <application>telnet</application>:</para> + <para>以下指令會告訴 <command>ssh</command> 建立一個供 <application>telnet</application> 使用的通道:</para> <screen xml:lang="en"><prompt>%</prompt> <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput> <prompt>%</prompt></screen> - <para xml:lang="en">This example uses the following options:</para> + <para>這個例子使用了以下選項:</para> <variablelist> <varlistentry> <term xml:lang="en"><option>-2</option></term> <listitem> - <para xml:lang="en">Forces <command>ssh</command> to use version 2 to - connect to the server.</para> + <para>強制 <command>ssh</command> 使用版本 2 的通訊協定連線到伺服器。</para> </listitem> </varlistentry> @@ -19654,9 +19435,7 @@ Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/ <term xml:lang="en"><option>-N</option></term> <listitem> - <para xml:lang="en">Indicates no command, or tunnel only. If omitted, - <command>ssh</command> initiates a normal - session.</para> + <para>代表不需下指令、只建立通道。若省略這個選項 <command>ssh</command> 會初始化一個正常的連線。</para> </listitem> </varlistentry> @@ -19664,8 +19443,7 @@ Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/ <term xml:lang="en"><option>-f</option></term> <listitem> - <para xml:lang="en">Forces <command>ssh</command> to run in the - background.</para> + <para>強制 <command>ssh</command> 在背景執行。</para> </listitem> </varlistentry> 
@@ -19673,9 +19451,7 @@ Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/ <term xml:lang="en"><option>-L</option></term> <listitem> - <para xml:lang="en">Indicates a local tunnel in - <replaceable>localport:remotehost:remoteport</replaceable> - format.</para> + <para>代表這是一個本地通道,使用 <replaceable>localport:remotehost:remoteport</replaceable> 格式。</para> </listitem> </varlistentry> 
@@ -19683,29 +19459,14 @@ Identity added: /usr/home/user/.ssh/id_rsa (/usr/home/ <term xml:lang="en"><option>user@foo.example.com</option></term> <listitem> - <para xml:lang="en">The login name to use on the specified remote - <acronym>SSH</acronym> server.</para> + <para>在指定的遠端 <acronym>SSH</acronym> 伺服器要使用的登入名稱。</para> </listitem> </varlistentry> </variablelist> - <para xml:lang="en">An <acronym>SSH</acronym> tunnel works by creating a - listen socket on <systemitem>localhost</systemitem> on the - specified <literal>localport</literal>. It then forwards - any connections received on <literal>localport</literal> via - the <acronym>SSH</acronym> connection to the specified - <literal>remotehost:remoteport</literal>. In the example, - port <literal>5023</literal> on the client is forwarded to - port <literal>23</literal> on the remote machine. Since - port 23 is used by <application>telnet</application>, this - creates an encrypted <application>telnet</application> - session through an <acronym>SSH</acronym> tunnel.</para> + <para>SSH 通道會建立一個傾聽 <systemitem>localhost</systemitem> 指定 <literal>localport</literal> 的 Socket ,然後會透過 <acronym>SSH</acronym> 連線轉送任何在 <literal>localport</literal> 接收的連線。以這個例子來說在客戶端的 Port <literal>5023</literal> 會被轉送到遠端主機的 Port <literal>23</literal>,由於 Port 23 是由 <application>telnet</application> 使用,所以這會透過 <acronym>SSH</acronym> 通道建立一個加密的 <application>telnet</application> 連線。</para> - <para xml:lang="en">This method can be used to wrap any number of insecure - <acronym>TCP</acronym> protocols such as - <acronym>SMTP</acronym>, <acronym>POP3</acronym>, and - <acronym>FTP</acronym>, as seen in the following - examples.</para> + <para>這個方法可用來包裝許多不安全的 <acronym>TCP</acronym> 通訊協定,例如 <acronym>SMTP</acronym>, <acronym>POP3</acronym> 以及 <acronym>FTP</acronym>,如下例所示。</para> <example> <title>建立供 <acronym>SMTP</acronym> 使用的安全通道</title> 
@@ -19718,58 +19479,31 @@ Connected to localhost. Escape character is '^]'. 220 mailserver.example.com ESMTP</screen> - <para xml:lang="en">This can be used in conjunction with - <command>ssh-keygen</command> and additional user accounts - to create a more seamless <acronym>SSH</acronym> tunneling - environment. Keys can be used in place of typing a - password, and the tunnels can be run as a separate - user.</para> + <para>這可配合 <command>ssh-keygen</command> 與另一個使用者帳號與來建立一個更無縫的 <acronym>SSH</acronym> 通道環境,可使用金鑰來代替手動輸入密碼,然後該通道便可以另一個使用者執行。</para> </example> <example> <title>安全存取 <acronym>POP3</acronym> 伺服器</title> - <para xml:lang="en">In this example, there is an <acronym>SSH</acronym> - server that accepts connections from the outside. On the - same network resides a mail server running a - <acronym>POP3</acronym> server. To check email in a - secure manner, create an <acronym>SSH</acronym> connection - to the <acronym>SSH</acronym> server and tunnel through to - the mail server:</para> + <para>在這個例子中有一個 <acronym>SSH</acronym> 伺服器會接受來自外部的連線,在同個網段下有一個郵件伺服器執行 <acronym>POP3</acronym> 伺服器。要使用較安全的方式檢查有沒有新郵件可建立一個 <acronym>SSH</acronym> 連線到 <acronym>SSH</acronym> 伺服器然後透過通道連線到郵件伺服器:</para> <screen xml:lang="en"><prompt>%</prompt> <userinput>ssh -2 -N -f -L <replaceable>2110:mail.example.com:110 user@ssh-server.example.com</replaceable></userinput> user@ssh-server.example.com's password: <userinput>******</userinput></screen> - <para xml:lang="en">Once the tunnel is up and running, point the email - client to send <acronym>POP3</acronym> requests to - <systemitem>localhost</systemitem> on port 2110. 
This - connection will be forwarded securely across the tunnel to - <systemitem>mail.example.com</systemitem>.</para> + <para>一但通道啟動並執行後,指定郵件客戶端將 <acronym>POP3</acronym> 請求傳送到 <systemitem>localhost</systemitem> 的 Port 2110,這個連線將會被安全的透過通道轉送到 <systemitem>mail.example.com</systemitem>。</para> </example> <example> <title>跳過防火牆</title> - <para xml:lang="en">Some firewalls - filter both incoming and outgoing connections. For - example, a firewall might limit access from remote - machines to ports 22 and 80 to only allow - <acronym>SSH</acronym> and web surfing. This prevents - access to any other service which uses a port other than - 22 or 80.</para> + <para>有些防火牆會同時過濾傳入與傳出的連線。例如,防火牆很可能會限制來自遠端主機只能存取 Port 22 與 80 來只讓 <acronym>SSH</acronym> 與網頁瀏覽器連線,這會使得 Port 使用 22 或 80 以外的服務無法存取。</para> - <para xml:lang="en">The solution is to create an <acronym>SSH</acronym> - connection to a machine outside of the network's firewall - and use it to tunnel to the desired service:</para> + <para>這問題的解決方法是建立一個 <acronym>SSH</acronym> 連線到在防火牆防護之外主機然後使用該連線的通道連到想要使用的服務:</para> <screen xml:lang="en"><prompt>%</prompt> <userinput>ssh -2 -N -f -L <replaceable>8888:music.example.com:8000 user@unfirewalled-system.example.org</replaceable></userinput> user@unfirewalled-system.example.org's password: <userinput>*******</userinput></screen> - <para xml:lang="en">In this example, a streaming Ogg Vorbis client can now - be pointed to <systemitem>localhost</systemitem> port - 8888, which will be forwarded over to - <systemitem>music.example.com</systemitem> on port 8000, - successfully bypassing the firewall.</para> + <para>在這個例子中,串流 Ogg Vorbis 客戶端現在可以指向 <systemitem>localhost</systemitem> Port 8888,連線將會被轉送到 <systemitem>music.example.com</systemitem> 於 Port 8000,成功的跳過防火牆。</para> </example> </sect3> </sect2> 
@@ -19782,112 +19516,59 @@ user@unfirewalled-system.example.org's password: <user <secondary>enabling</secondary> </indexterm> - <para xml:lang="en">In addition to providing built-in <acronym>SSH</acronym> - client utilities, a FreeBSD system can be configured as an - <acronym>SSH</acronym> server, accepting connections from - other <acronym>SSH</acronym> clients.</para> + <para>除了提供內建的 <acronym>SSH</acronym> 客戶端工具外,還可以設定 FreeBSD 系統為一個 <acronym>SSH</acronym> 伺服器,以接受來自其他 <acronym>SSH</acronym> 客戶端的連線。</para> - <para xml:lang="en">To see if <application>sshd</application> is operating, - use the <citerefentry><refentrytitle>service</refentrytitle><manvolnum>8</manvolnum></citerefentry> command:</para> + <para>要查看 <application>sshd</application> 是否正在運作,可使用 <citerefentry><refentrytitle>service</refentrytitle><manvolnum>8</manvolnum></citerefentry> 指令:</para> <screen xml:lang="en"><prompt>#</prompt> <userinput>service sshd status</userinput></screen> - <para xml:lang="en">If the service is not running, add the following line to - <filename>/etc/rc.conf</filename>.</para> + <para>若服務未執行,請加入下行到 <filename>/etc/rc.conf</filename>。</para> <programlisting xml:lang="en">sshd_enable="YES"</programlisting> - <para xml:lang="en">This will start <application>sshd</application>, the - daemon program for <application>OpenSSH</application>, the - next time the system boots. To start it now:</para> + <para>這會讓下次系統開機時啟動 <application>OpenSSH</application> 的 Daemon 程式 <application>sshd</application>。若要立即啟動:</para> <screen xml:lang="en"><prompt>#</prompt> <userinput>service sshd start</userinput></screen> - <para xml:lang="en">The first time <application>sshd</application> starts on a - FreeBSD system, the system's host keys will be automatically - created and the fingerprint will be displayed on the console. 
- Provide users with the fingerprint so that they can verify it - the first time they connect to the server.</para> + <para>在 FreeBSD 系統第一次啟動 <application>sshd</application> 時便會自動產生系統的主機金鑰且會顯示指紋在 Console 上,這個指紋可供使用者在第一次連線到伺服器時驗證用。</para> - <para xml:lang="en">Refer to <citerefentry><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> for the list of available options - when starting <application>sshd</application> and a more - complete discussion about authentication, the login process, - and the various configuration files.</para> + <para>請參考 <citerefentry><refentrytitle>sshd</refentrytitle><manvolnum>8</manvolnum></citerefentry> 可取得在啟動 <application>sshd</application> 時可用選項的清單以及更多完整有關認証、登入程序與各種設定檔的資訊。</para> - <para xml:lang="en">At this point, the <application>sshd</application> should - be available to all users with a username and password on - the system.</para> + <para>現在,<application>sshd</application> 應可供所有在系統上有使用者名稱及密碼的使用者使用。</para> </sect2> <sect2> <title>SSH 伺服器安全性</title> - <para xml:lang="en">While <application>sshd</application> is the most widely - used remote administration facility for FreeBSD, brute force - and drive by attacks are common to any system exposed to - public networks. Several additional parameters are available - to prevent the success of these attacks and will be described - in this section.</para> + <para>在 FreeBSD 廣泛使用 <application>sshd</application> 做為遠端管理基礎設施的同時,所有暴露在公有網路上的系統也會時常受到暴力攻擊 (Brute force attack) 與路過攻擊 (Drive by attack)。在本節會介紹一些可用來避免這些攻擊的參數。</para> - <para xml:lang="en">It is a good idea to limit which users can log into the - <acronym>SSH</acronym> server and from where using the - <literal>AllowUsers</literal> keyword in the - <application>OpenSSH</application> server configuration file. 
- For example, to only allow <systemitem class="username">root</systemitem> to log in from - <systemitem class="ipaddress">192.168.1.32</systemitem>, add - this line to <filename>/etc/ssh/sshd_config</filename>:</para> + <para>使用在 <application>OpenSSH</application> 伺服器設定檔的 <literal>AllowUsers</literal> 關鍵字限制可以登入到 <acronym>SSH</acronym> 伺服器的使用者及來源是一個不錯的方式。例如要只允許來自 <systemitem class="ipaddress">192.168.1.32</systemitem> 的 <systemitem class="username">root</systemitem> 登入,可加入下行到 <filename>/etc/ssh/sshd_config</filename>:</para> <programlisting xml:lang="en">AllowUsers root@192.168.1.32</programlisting> - <para xml:lang="en">To allow <systemitem class="username">admin</systemitem> - to log in from anywhere, list that user without specifying an - <acronym>IP</acronym> address:</para> + <para>要允許來自任何地方的 <systemitem class="username">admin</systemitem> 登入,可只列出使用者名稱,不指定 <acronym>IP</acronym> 位址:</para> <programlisting xml:lang="en">AllowUsers admin</programlisting> - <para xml:lang="en">Multiple users should be listed on the same line, like - so:</para> + <para>有多位使用者也應列在同一行,例如:</para> <programlisting xml:lang="en">AllowUsers root@192.168.1.32 admin</programlisting> - <para xml:lang="en">After making changes to - <filename>/etc/ssh/sshd_config</filename>, - tell <application>sshd</application> to reload its - configuration file by running:</para> + <para>在對 <filename>/etc/ssh/sshd_config</filename> 做完變更後,執行以下指令告訴 <application>sshd</application> 重新載入設定檔: + </para> <screen xml:lang="en"><prompt>#</prompt> <userinput>service sshd reload</userinput></screen> <note> - <para xml:lang="en">When this keyword is used, it is important to list each - user that needs to log into this machine. Any user that is - not specified in that line will be locked out. Also, the - keywords used in the <application>OpenSSH</application> - server configuration file are case-sensitive. If the - keyword is not spelled correctly, including its case, it - will be ignored. 
Always test changes to this file to make - sure that the edits are working as expected. Refer to - <citerefentry><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry> to verify the spelling and use of the - available keywords.</para> + <para>在使用了這個關鍵字時,列出每一位需要登入此主機的使用者很重要,任何未被在該行指定的使用者將無法登入。同時,在 <application>OpenSSH</application> 伺服器設定檔使用的關鍵字是區分大小寫的,若關鍵字未正確的拼寫 (含其大小寫),則將會被忽略,永遠要記得測試對這個檔案所做的更改來確保伺服器有如預期的方式運作。請參考 <citerefentry><refentrytitle>sshd_config</refentrytitle><manvolnum>5</manvolnum></citerefentry> 來檢查拼寫以及可用的關鍵字。</para> </note> - <para xml:lang="en">In addition, users may be forced to use two factor - authentication via the use of a public and private key. When - required, the user may generate a key pair through the use - of <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry> and send the administrator the public - key. This key file will be placed in the - <filename>authorized_keys</filename> as described above in - the client section. To force the users to use keys only, - the following option may be configured:</para> + <para>此外,使用者可能被強制要透過公鑰與私鑰使用雙重認證 (Two factor authentication)。當需要時,使用者可以透過使用 <citerefentry><refentrytitle>ssh-keygen</refentrytitle><manvolnum>1</manvolnum></citerefentry> 產生一堆金鑰然後將公鑰傳送給管理者,這個金鑰檔會如以上在客戶端章節所述的被放在 <filename>authorized_keys</filename>。要強制使用者只能使用這個金鑰,可能需要設定以下選項:</para> <programlisting xml:lang="en">AuthenticationMethods publickey</programlisting> <tip> - <para xml:lang="en">Do not confuse <filename>/etc/ssh/sshd_config</filename> - with <filename>/etc/ssh/ssh_config</filename> (note the - extra <literal>d</literal> in the first filename). The - first file configures the server and the second file *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
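Review bot: In the @@ -19382,34 hunk the last translated paragraph reverses the direction of the file transfer: the English reads "securely transfer files from a FreeBSD system" (the client tools run on the FreeBSD box), but "安全的傳輸檔案到 FreeBSD 系統" says files are transferred to it; suggest "從 FreeBSD 系統安全的傳輸檔案". The same hunk also introduces the spelling "認証" (here and in the later ssh-keygen paragraphs) while the @@ -19782,112 hunk uses "雙重認證"; settle on one form across the section.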
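Review bot: The @@ -19474,36 hunk has a typo and a changed contrast. "在提示用者輸入密碼之前" is missing a character and should read "在提示使用者輸入密碼之前". In the scp paragraph, "如同 <command>cp</command> 使用 <option>-R</option>" presents the two flags as the same, whereas the English "whereas cp uses -R" warns that they differ; suggest "而 <command>cp</command> 則是使用 <option>-R</option>". Finally, "檔案參數需要使用 ... 格式" drops "one or more of" from the English, implying every argument must take the user@host: form rather than only the remote side.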
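Review bot: The first callout in the @@ -19529,66 hunk inverts the source and nudges readers toward weaker passphrases: the English says the passphrase "can contain spaces and symbols", but "<para>在此輸入密碼,密碼不可含有空白或符號。</para>" tells the reader it must not contain them. Suggest "<para>在此輸入密碼,密碼可包含空白與符號。</para>". In the same hunk's warning paragraph, "<acronym>IP</acronym>" from the English is rendered as bare "IP"; keep the acronym markup as the rest of the section does.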
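Review bot: In the @@ -19598,25 hunk, the last paragraph has a typo and a shifted meaning. "一但 <application>Xorg</application> 被重新啟動" should use "一旦", and "再由執行 <application>XFCE</application>" has a stray "由". The English says restarting Xorg makes the change take effect and that ssh-add is then run to load the keys; the translation "要讓所有變更生效需執行 <command>ssh-add</command>" instead makes ssh-add the step that applies the change. Suggest splitting it as the source does: restart Xorg for the change to take effect, then run ssh-add to load the SSH keys.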
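Review bot: The tunnel paragraph in the @@ -19683,29 hunk drops the destination of the forward: the English says connections on localport are forwarded "to the specified remotehost:remoteport", but the translation ends at "轉送任何在 <literal>localport</literal> 接收的連線" without saying where they go. Suggest "... 將任何在 <literal>localport</literal> 接收的連線轉送到指定的 <literal>remotehost:remoteport</literal>", so the explanation matches the -L option described just above it.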
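Review bot: The @@ -19718,58 hunk has three small wording defects. "與另一個使用者帳號與來建立" has a duplicated "與" and should be "與另一個使用者帳號來建立"; "一但通道啟動並執行後" should use "一旦"; and "這會使得 Port 使用 22 或 80 以外的服務無法存取" has the words out of order, suggest "這會使得使用 22 或 80 以外 Port 的服務無法存取" to match "any other service which uses a port other than 22 or 80".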
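Review bot: In the @@ -19782,112 hunk, "產生一堆金鑰" means "generate a pile of keys"; the English is "generate a key pair", so this should be "產生一對金鑰". In the same paragraph, "可能需要設定以下選項" tells the reader the option may be required, whereas the English "the following option may be configured" presents it as the way to enforce key-only logins; suggest "可設定以下選項". Also, the reload paragraph leaves a line break before its closing tag ("重新載入設定檔: " followed by "</para>" on the next line) while every other translated paragraph in this commit closes on the same line; tidy it for consistency.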