Date:      Mon, 29 Oct 2001 08:35:22 +0100 (CET)
From:      Martin Heinen <martin@sumuk.de>
To:        FreeBSD-gnats-submit@freebsd.org
Subject:   docs/31580: Chapter security: Indentation
Message-ID:  <200110290735.f9T7ZMI09503@Kain.sumuk.de>


>Number:         31580
>Category:       docs
>Synopsis:       Chapter security: Indentation
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 28 23:40:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Martin Heinen
>Release:        FreeBSD 4.4-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD Kain.sumuk.de 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #11: Thu Sep 27 18:54:33 CEST 2001 toor@Kain.earth.sol:/usr/obj/usr/src/sys/KAIN i386


	
>Description:
	Indented paragraphs according to the FDP.
>How-To-Repeat:
	read the security chapter
>Fix:
Index: chapter.sgml
===================================================================
RCS file: /u/cvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v
retrieving revision 1.95
diff -u -r1.95 chapter.sgml
--- chapter.sgml	2001/10/28 22:10:30	1.95
+++ chapter.sgml	2001/10/29 07:24:54
@@ -2577,8 +2577,7 @@
 	<filename>/etc/rc.conf.local</filename> or
 	<filename>/etc/rc.conf</filename> to enable your firewall,
 	it is important to make sure your firewall is enabled before
-	any IP interfaces are configured.
-      </para>
+	any IP interfaces are configured.</para>
 	  
       <para>The next problem is what your firewall should actually
 	<emphasis>do</emphasis>! This is largely dependent on what access to
@@ -2709,23 +2708,23 @@
 
     <tip>
       <para>For other HOWTOs detailing IPSec implementation in
-      FreeBSD, take a look at <ulink
-      url="http://www.daemonnews.org/200101/ipsec-howto.html"></ulink>;
-      and <ulink
-      url="http://www.freebsddiary.org/ipsec.php"></ulink>.</para>;
+        FreeBSD, take a look at <ulink
+        url="http://www.daemonnews.org/200101/ipsec-howto.html"></ulink>;
+        and <ulink
+        url="http://www.freebsddiary.org/ipsec.php"></ulink>.</para>;
     </tip>
 
     <para>The IPsec mechanism provides secure communication for IP
-    layer and socket layer communication.  This section should
-    explain how to use them.  For implementation details, please
-    refer to <ulink
-    url="../developers-handbook/ipv6.html">The
-    Developers' Handbook</ulink>.</para>
+      layer and socket layer communication.  This section should
+      explain how to use them.  For implementation details, please
+      refer to <ulink
+      url="../developers-handbook/ipv6.html">The
+      Developers' Handbook</ulink>.</para>
 
     <para>The current IPsec implementation supports both transport mode
-    and tunnel mode.  However, tunnel mode comes with some restrictions.
-    <ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/
-    </ulink> has more comprehensive examples.</para>
+      and tunnel mode.  However, tunnel mode comes with some restrictions.
+      <ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/
+      </ulink> has more comprehensive examples.</para>
 
     <para>Please be aware that in order to use this functionality, you
       must have the following options compiled into your kernel:</para>
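Review bot: the stray `;` after `</para>` at the end of the tip (`...ipsec.php"></ulink>.</para>;`) survives the re-indent and will show up as a literal semicolon in the rendered page; drop it while these lines are being touched. The `</ulink>` that closes the kame.net newsletter link on its own line also leaves a newline inside the link text, so `http://www.kame.net/newsletter/</ulink>` on one line would render cleaner.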
@@ -2737,25 +2736,25 @@
       <title>Transport Mode Example with IPv4</title>
 
       <para>Let us setup security association to deploy a secure channel
-      between HOST A (10.2.3.4) and HOST B (10.6.7.8).  Here we show a little
-      complicated example.  From HOST A to HOST B, only old AH is used.
-      From HOST B to HOST A, new AH and new ESP are combined.</para>
+        between HOST A (10.2.3.4) and HOST B (10.6.7.8).  Here we show a little
+        complicated example.  From HOST A to HOST B, only old AH is used.
+        From HOST B to HOST A, new AH and new ESP are combined.</para>
 
       <para>Now we should choose an algorithm to be used corresponding to
-      "AH"/"new AH"/"ESP"/"new ESP".  Please refer to the &man.setkey.8; man
-      page to know algorithm names.  Our choice is MD5 for AH, new-HMAC-SHA1
-      for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para>
+        "AH"/"new AH"/"ESP"/"new ESP".  Please refer to the &man.setkey.8; man
+        page to know algorithm names.  Our choice is MD5 for AH, new-HMAC-SHA1
+        for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para>
 
       <para>Key length highly depends on each algorithm.  For example, key
-      length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
-      and 8 for new-DES-expIV.  Now we choose "MYSECRETMYSECRET",
-      "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para>
+        length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
+        and 8 for new-DES-expIV.  Now we choose "MYSECRETMYSECRET",
+        "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para>
 
       <para>OK, let us assign SPI (Security Parameter Index) for each protocol.
-      Please note that we need 3 SPIs for this secure channel since three
-      security headers are produced (one for from HOST A to HOST B, two for
-      from HOST B to HOST A).  Please also note that SPI MUST be greater
-      than or equal to 256.  We choose, 1000, 2000, and 3000, respectively.
+        Please note that we need 3 SPIs for this secure channel since three
+        security headers are produced (one for from HOST A to HOST B, two for
+        from HOST B to HOST A).  Please also note that SPI MUST be greater
+        than or equal to 256.  We choose, 1000, 2000, and 3000, respectively.
       </para>
 
       <screen>
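Review bot: the closing `</para>` of the SPI paragraph is still left on its own line (the unchanged context line after `We choose, 1000, 2000, and 3000, respectively.`), whereas the first hunk of this patch pulls `</para>` onto the last text line; apply the same treatment here so the chapter ends up with one style.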
@@ -2787,7 +2786,7 @@
 </screen>
 
       <para>Now, let us setup security association.  Execute &man.setkey.8;
-      on both HOST A and B:</para>
+        on both HOST A and B:</para>
 
       <screen>
 &prompt.root; <command>setkey -c</command>
@@ -2798,7 +2797,7 @@
 </screen>
 
      <para>Actually, IPsec communication does not process until security policy
-     entries are defined.  In this case, you must setup each host.</para>
+       entries are defined.  In this case, you must setup each host.</para>
 
      <screen>
 At A:
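Review bot: the `<para>Actually, IPsec communication ...` opener and the `<screen>` below it sit one column left of the sibling `<para>Now, let us setup security association.` in the previous hunk, and the re-indented continuation line (`+       entries are defined.`) inherits that off-by-one offset; align the opener with its siblings as well rather than only shifting the continuation.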
@@ -2834,7 +2833,7 @@
       <para>Another example using IPv6.</para>
 
       <para>ESP transport mode is recommended for TCP port number 110 between
-      Host-A and Host-B.</para>
+        Host-A and Host-B.</para>
 
       <screen>
               ============ ESP ============
@@ -2844,8 +2843,8 @@
 </screen>
 
       <para>Encryption algorithm is blowfish-cbc whose key is "kamekame", and
-      authentication algorithm is hmac-sha1 whose key is "this is the test
-      key".  Configuration at Host-A:</para>
+        authentication algorithm is hmac-sha1 whose key is "this is the test
+        key".  Configuration at Host-A:</para>
 
       <screen>
         &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
@@ -2889,8 +2888,8 @@
       <para>Tunnel mode between two security gateways</para>
 
       <para>Security protocol is old AH tunnel mode, i.e. specified by
-      RFC1826, with keyed-md5 whose key is "this is the test" as
-      authentication algorithm.</para>
+        RFC1826, with keyed-md5 whose key is "this is the test" as
+        authentication algorithm.</para>
 
       <screen>
                              ======= AH =======
@@ -2916,9 +2915,9 @@
 </screen>
 
       <para>If the port number field is omitted such as above then "[any]" is
-      employed. `-m' specifies the mode of SA to be used. "-m any" means
-      wild-card of mode of security protocol. You can use this SA for both
-      tunnel and transport mode.</para>
+        employed. `-m' specifies the mode of SA to be used. "-m any" means
+        wild-card of mode of security protocol. You can use this SA for both
+        tunnel and transport mode.</para>
 
       <para>and at Gateway-B:</para>
 
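Review bot: the option is quoted inconsistently within this paragraph (`-m' with a backtick-quote pair, then "-m any" in double quotes); since the chapter marks options up with `<option>` elsewhere (for example `<option>sshd_program</option>` later in this same patch), `<option>-m</option>` and `<option>-m any</option>` would be the consistent form to switch to while these lines are re-indented.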
@@ -2939,8 +2938,8 @@
       <para>Making SA bundle between two security gateways</para>
 
       <para>AH transport mode and ESP tunnel mode is required between
-      Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first,
-      and AH transport mode is next.</para>
+        Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first,
+        and AH transport mode is next.</para>
 
       <screen>
                             ========== AH =========
@@ -2955,8 +2954,8 @@
       <title>Tunnel Mode Example with IPv6</title>
 
       <para>Encryption algorithm is 3des-cbc, and authentication algorithm
-      for ESP is hmac-sha1.  Authentication algorithm for AH is hmac-md5.
-      Configuration at Gateway-A:</para>
+        for ESP is hmac-sha1.  Authentication algorithm for AH is hmac-md5.
+        Configuration at Gateway-A:</para>
 
       <screen>
         &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
@@ -2983,10 +2982,10 @@
       <para>Making SAs with the different end</para>
 
       <para>ESP tunnel mode is required between Host-A and Gateway-A. Encryption
-      algorithm is cast128-cbc, and authentication algorithm for ESP is
-      hmac-sha1.  ESP transport mode is recommended between Host-A and Host-B.
-      Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is
-      hmac-md5.</para>
+        algorithm is cast128-cbc, and authentication algorithm for ESP is
+        hmac-sha1.  ESP transport mode is recommended between Host-A and Host-B.
+        Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is
+        hmac-md5.</para>
 
       <screen>
               ================== ESP =================
@@ -3045,7 +3044,7 @@
       <secondary>OpenSSH</secondary>
     </indexterm>
 
-      <para>Secure shell is a set of network connectivity tools used to
+    <para>Secure shell is a set of network connectivity tools used to
       access remote machines securely.  It can be used as a direct
       replacement for <command>rlogin</command>,
       <command>rsh</command>, <command>rcp</command>, and
@@ -3094,8 +3093,7 @@
       </indexterm>
 
       <para>The &man.ssh.1; utility works similarly to 
-        &man.rlogin.1;.
-      </para>
+        &man.rlogin.1;.</para>
 
       <screen>&prompt.root <userinput>ssh <replaceable>user@example.com</replaceable></userinput>
 Host key not found from the list of known hosts.
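Review bot: the context line `&prompt.root <userinput>ssh ...` is missing the `;` that terminates the entity reference; every other prompt in this patch is written `&prompt.root;` or `&prompt.user;`, and without the terminator the following space is consumed as the reference end, so the prompt and the command run together in the output. Fix it while this paragraph is being touched.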
@@ -3113,8 +3111,8 @@
         will alert you if the saved fingerprint differs from the
         received fingerprint on future login attempts.  The fingerprints
         are saved in <filename>~/.ssh/known_hosts</filename>, or
-	<filename>~/.ssh/known_hosts2</filename> for SSH v2 fingerprints.
-      </para>
+	<filename>~/.ssh/known_hosts2</filename> for SSH v2
+	fingerprints.</para>
 
       <para>By default, OpenSSH servers are configured to accept both
 	SSH v1 and SSH v2 connections.  The client, however, can choose
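Review bot: the two re-indented `<filename>~/.ssh/known_hosts2</filename>` lines keep a leading tab while the rest of the paragraph above them is indented with spaces; use spaces here too so the paragraph is indented uniformly.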
@@ -3166,12 +3164,11 @@
 
       <para>The system-wide configuration files for both the OpenSSH 
         daemon and client reside within the <filename>/etc/ssh</filename> 
-        directory.
-      </para>
+        directory.</para>
+
       <para><filename>ssh_config</filename> configures the client 
         settings, while <filename>sshd_config</filename> configures the 
-        daemon.
-      </para>
+        daemon.</para>
 
       <para>Additionally, the <option>sshd_program</option>
 	(<filename>/usr/sbin/sshd</filename> by default), and
@@ -3183,8 +3180,7 @@
       <title>ssh-keygen</title>
 
       <para>Instead of using passwords, &man.ssh-keygen.1; can
-        be used to generate RSA keys to authenticate a user.
-      </para>
+        be used to generate RSA keys to authenticate a user.</para>
 
       <screen>&prompt.user <userinput>ssh-keygen</userinput>
 Initializing random number generator...
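Review bot: `&prompt.user <userinput>ssh-keygen</userinput>` in the context line lacks the `;` that terminates the entity reference (compare `&prompt.user;` in the tunnelling screens of this same patch); add it in this hunk, otherwise the space after the prompt is swallowed as the reference end and the prompt runs into the command.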
@@ -3203,8 +3199,7 @@
         <filename>~/.ssh/identity</filename>, whereas the public key is
         stored in <filename>~/.ssh/identity.pub</filename>.  The public
         key must be placed in <filename>~/.ssh/authorized_keys</filename>
-        of the remote machine in order for the setup to work.
-      </para>
+        of the remote machine in order for the setup to work.</para>
 
       <para>This will allow connection to the remote machine based upon
         RSA authentication instead of passwords.</para>
@@ -3226,8 +3221,7 @@
 	machine.</para>
 
       <para>&man.ssh-agent.1; and &man.ssh-add.1; are 
-        utilities used in managing multiple passworded private keys.
-      </para>
+        utilities used in managing multiple passworded private keys.</para>
     </sect2>
 
     <sect2>
@@ -3239,7 +3233,8 @@
 
       <para>OpenSSH has the ability to create a tunnel to encapsulate
         another protocol in an encrypted session.</para>
-       <para>The following command tells &man.ssh.1; to create a tunnel 
+
+      <para>The following command tells &man.ssh.1; to create a tunnel 
          for telnet.</para>
 
        <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput>
@@ -3298,21 +3293,19 @@
       </variablelist>
 
 
-       <para>An SSH tunnel works by creating a listen socket on localhost
+      <para>An SSH tunnel works by creating a listen socket on localhost
 	on the specified port.  It then forwards any connection received
 	on the local host/port via the SSH connection to the specified
 	remote host and port.</para>
 
-       <para>In the example, port <replaceable>5023</replaceable> on
+      <para>In the example, port <replaceable>5023</replaceable> on
 	localhost is being forwarded to port
 	<replaceable>23</replaceable> on localhost of the remote
 	machine.  Since <replaceable>23</replaceable> is telnet, this
-	would create a secure telnet session through an SSH tunnel.
-       </para>
+	would create a secure telnet session through an SSH tunnel.</para>
 
        <para>This can be used to wrap any number of insecure TCP protocols 
-         such as smtp, pop3, ftp, etc.
-       </para>
+         such as smtp, pop3, ftp, etc.</para>
 
        <para>A typical SSH Tunnel</para>
        <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user@mailserver.example.com</replaceable></userinput>
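Review bot: two consecutive blank lines remain between `</variablelist>` and the re-indented `<para>An SSH tunnel works ...`; collapse them to one, matching the single blank line this patch inserts between paragraphs elsewhere (for example before `<para>The following command tells &man.ssh.1; ...`).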
@@ -3326,8 +3319,7 @@
        <para>This can be used in conjunction with an &man.ssh-keygen.1; 
          and additional user accounts to create a more seamless/hassle-free
          SSH tunneling environment.  Keys can be used in place of typing
-         a password, and the tunnels can be run as a separate user.
-      </para>
+         a password, and the tunnels can be run as a separate user.</para>
 
       <sect3>
 	<title>Practical SSH Tunneling Examples</title>
@@ -3378,7 +3370,7 @@
 	    <hostid>localhost</hostid> port 8888, which will be
 	    forwarded over to <hostid>music.example.com</hostid> port
 	    8000, successfully evading the firewall.</para>
-      </sect4>
+        </sect4>
       </sect3>
     </sect2>
 
>Release-Note:
>Audit-Trail:
>Unformatted:
