From owner-freebsd-doc Sun Oct 28 23:40:15 2001
Delivered-To: freebsd-doc@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id BD73E37B406 for ; Sun, 28 Oct 2001 23:40:01 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id f9T7e1A98169; Sun, 28 Oct 2001 23:40:01 -0800 (PST) (envelope-from gnats)
Received: from Kain.sumuk.de (Kain.sumuk.de [213.221.86.114]) by hub.freebsd.org (Postfix) with ESMTP id B6BE237B406 for ; Sun, 28 Oct 2001 23:35:29 -0800 (PST)
Received: (from vincent@localhost) by Kain.sumuk.de (8.11.5/8.11.5) id f9T7ZMI09503; Mon, 29 Oct 2001 08:35:22 +0100 (CET) (envelope-from vincent)
Message-Id: <200110290735.f9T7ZMI09503@Kain.sumuk.de>
Date: Mon, 29 Oct 2001 08:35:22 +0100 (CET)
From: Martin Heinen
Reply-To: Martin Heinen
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: docs/31580: Chapter security: Indentation
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number:         31580
>Category:       docs
>Synopsis:       Chapter security: Indentation
>Confidential:   no
>Severity:       non-critical
>Priority:       low
>Responsible:    freebsd-doc
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          doc-bug
>Submitter-Id:   current-users
>Arrival-Date:   Sun Oct 28 23:40:00 PST 2001
>Closed-Date:
>Last-Modified:
>Originator:     Martin Heinen
>Release:        FreeBSD 4.4-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD Kain.sumuk.de 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #11: Thu Sep 27 18:54:33 CEST 2001 toor@Kain.earth.sol:/usr/obj/usr/src/sys/KAIN i386
>Description:
Indented paragraphs according to the FDP.
>How-To-Repeat:
read the security chapter
>Fix:
Index: chapter.sgml =================================================================== RCS file: /u/cvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v retrieving revision 1.95 diff -u -r1.95 chapter.sgml --- chapter.sgml 2001/10/28 22:10:30 1.95 +++ chapter.sgml 2001/10/29 07:24:54 @@ -2577,8 +2577,7 @@ /etc/rc.conf.local or /etc/rc.conf to enable your firewall, it is important to make sure your firewall is enabled before - any IP interfaces are configured. - + any IP interfaces are configured. The next problem is what your firewall should actually do! This is largely dependent on what access to 
@@ -2709,23 +2708,23 @@ For other HOWTOs detailing IPSec implementation in - FreeBSD, take a look at - and . + FreeBSD, take a look at + and . The IPsec mechanism provides secure communication for IP - layer and socket layer communication. This section should - explain how to use them. For implementation details, please - refer to The - Developers' Handbook. + layer and socket layer communication. This section should + explain how to use them. For implementation details, please + refer to The + Developers' Handbook. The current IPsec implementation supports both transport mode - and tunnel mode. However, tunnel mode comes with some restrictions. - http://www.kame.net/newsletter/ - has more comprehensive examples. + and tunnel mode. However, tunnel mode comes with some restrictions. + http://www.kame.net/newsletter/ + has more comprehensive examples. Please be aware that in order to use this functionality, you must have the following options compiled into your kernel: 
@@ -2737,25 +2736,25 @@ Transport Mode Example with IPv4 Let us setup security association to deploy a secure channel - between HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little - complicated example. From HOST A to HOST B, only old AH is used. - From HOST B to HOST A, new AH and new ESP are combined. + between HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little + complicated example. From HOST A to HOST B, only old AH is used. + From HOST B to HOST A, new AH and new ESP are combined. Now we should choose an algorithm to be used corresponding to - "AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man - page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 - for new AH, and new-DES-expIV with 8 byte IV for new ESP. + "AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man + page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 + for new AH, and new-DES-expIV with 8 byte IV for new ESP. Key length highly depends on each algorithm. For example, key - length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1, - and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", - "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively. + length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1, + and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", + "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively. OK, let us assign SPI (Security Parameter Index) for each protocol. - Please note that we need 3 SPIs for this secure channel since three - security headers are produced (one for from HOST A to HOST B, two for - from HOST B to HOST A). Please also note that SPI MUST be greater - than or equal to 256. We choose, 1000, 2000, and 3000, respectively. + Please note that we need 3 SPIs for this secure channel since three + security headers are produced (one for from HOST A to HOST B, two for + from HOST B to HOST A). Please also note that SPI MUST be greater + than or equal to 256. 
We choose, 1000, 2000, and 3000, respectively. @@ -2787,7 +2786,7 @@ Now, let us setup security association. Execute &man.setkey.8; - on both HOST A and B: + on both HOST A and B: &prompt.root; setkey -c @@ -2798,7 +2797,7 @@ Actually, IPsec communication does not process until security policy - entries are defined. In this case, you must setup each host. + entries are defined. In this case, you must setup each host. At A: @@ -2834,7 +2833,7 @@ Another example using IPv6. ESP transport mode is recommended for TCP port number 110 between - Host-A and Host-B. + Host-A and Host-B. ============ ESP ============ @@ -2844,8 +2843,8 @@ Encryption algorithm is blowfish-cbc whose key is "kamekame", and - authentication algorithm is hmac-sha1 whose key is "this is the test - key". Configuration at Host-A: + authentication algorithm is hmac-sha1 whose key is "this is the test + key". Configuration at Host-A: &prompt.root; setkey -c <<EOF @@ -2889,8 +2888,8 @@ Tunnel mode between two security gateways Security protocol is old AH tunnel mode, i.e. specified by - RFC1826, with keyed-md5 whose key is "this is the test" as - authentication algorithm. + RFC1826, with keyed-md5 whose key is "this is the test" as + authentication algorithm. ======= AH ======= @@ -2916,9 +2915,9 @@ If the port number field is omitted such as above then "[any]" is - employed. `-m' specifies the mode of SA to be used. "-m any" means - wild-card of mode of security protocol. You can use this SA for both - tunnel and transport mode. + employed. `-m' specifies the mode of SA to be used. "-m any" means + wild-card of mode of security protocol. You can use this SA for both + tunnel and transport mode. and at Gateway-B: 
@@ -2939,8 +2938,8 @@ Making SA bundle between two security gateways AH transport mode and ESP tunnel mode is required between - Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first, - and AH transport mode is next. + Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first, + and AH transport mode is next. ========== AH ========= @@ -2955,8 +2954,8 @@ Tunnel Mode Example with IPv6 Encryption algorithm is 3des-cbc, and authentication algorithm - for ESP is hmac-sha1. Authentication algorithm for AH is hmac-md5. - Configuration at Gateway-A: + for ESP is hmac-sha1. Authentication algorithm for AH is hmac-md5. + Configuration at Gateway-A: &prompt.root; setkey -c <<EOF @@ -2983,10 +2982,10 @@ Making SAs with the different end ESP tunnel mode is required between Host-A and Gateway-A. Encryption - algorithm is cast128-cbc, and authentication algorithm for ESP is - hmac-sha1. ESP transport mode is recommended between Host-A and Host-B. - Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is - hmac-md5. + algorithm is cast128-cbc, and authentication algorithm for ESP is + hmac-sha1. ESP transport mode is recommended between Host-A and Host-B. + Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is + hmac-md5. ================== ESP ================= @@ -3045,7 +3044,7 @@ OpenSSH - Secure shell is a set of network connectivity tools used to + Secure shell is a set of network connectivity tools used to access remote machines securely. It can be used as a direct replacement for rlogin, rsh, rcp, and @@ -3094,8 +3093,7 @@ The &man.ssh.1; utility works similarly to - &man.rlogin.1;. - + &man.rlogin.1;. &prompt.root ssh user@example.com Host key not found from the list of known hosts. 
@@ -3113,8 +3111,8 @@ will alert you if the saved fingerprint differs from the received fingerprint on future login attempts. The fingerprints are saved in ~/.ssh/known_hosts, or - ~/.ssh/known_hosts2 for SSH v2 fingerprints. - + ~/.ssh/known_hosts2 for SSH v2 + fingerprints. By default, OpenSSH servers are configured to accept both SSH v1 and SSH v2 connections. The client, however, can choose @@ -3166,12 +3164,11 @@ The system-wide configuration files for both the OpenSSH daemon and client reside within the /etc/ssh - directory. - + directory. + ssh_config configures the client settings, while sshd_config configures the - daemon. - + daemon. Additionally, the (/usr/sbin/sshd by default), and @@ -3183,8 +3180,7 @@ ssh-keygen Instead of using passwords, &man.ssh-keygen.1; can - be used to generate RSA keys to authenticate a user. - + be used to generate RSA keys to authenticate a user. &prompt.user ssh-keygen Initializing random number generator... @@ -3203,8 +3199,7 @@ ~/.ssh/identity, whereas the public key is stored in ~/.ssh/identity.pub. The public key must be placed in ~/.ssh/authorized_keys - of the remote machine in order for the setup to work. - + of the remote machine in order for the setup to work. This will allow connection to the remote machine based upon RSA authentication instead of passwords. @@ -3226,8 +3221,7 @@ machine. &man.ssh-agent.1; and &man.ssh-add.1; are - utilities used in managing multiple passworded private keys. - + utilities used in managing multiple passworded private keys. @@ -3239,7 +3233,8 @@ OpenSSH has the ability to create a tunnel to encapsulate another protocol in an encrypted session. - The following command tells &man.ssh.1; to create a tunnel + + The following command tells &man.ssh.1; to create a tunnel for telnet. &prompt.user; ssh -2 -N -f -L 5023:localhost:23 user@foo.example.com 
@@ -3298,21 +3293,19 @@ - An SSH tunnel works by creating a listen socket on localhost + An SSH tunnel works by creating a listen socket on localhost on the specified port. It then forwards any connection received on the local host/port via the SSH connection to the specified remote host and port. - In the example, port 5023 on + In the example, port 5023 on localhost is being forwarded to port 23 on localhost of the remote machine. Since 23 is telnet, this - would create a secure telnet session through an SSH tunnel. - + would create a secure telnet session through an SSH tunnel. This can be used to wrap any number of insecure TCP protocols - such as smtp, pop3, ftp, etc. - + such as smtp, pop3, ftp, etc. A typical SSH Tunnel &prompt.user; ssh -2 -N -f -L 5025:localhost:25 user@mailserver.example.com @@ -3326,8 +3319,7 @@ This can be used in conjunction with an &man.ssh-keygen.1; and additional user accounts to create a more seamless/hassle-free SSH tunneling environment. Keys can be used in place of typing - a password, and the tunnels can be run as a separate user. - + a password, and the tunnels can be run as a separate user. Practical SSH Tunneling Examples @@ -3378,7 +3370,7 @@ localhost port 8888, which will be forwarded over to music.example.com port 8000, successfully evading the firewall. - + >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
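Review bot: the context lines `&prompt.root ssh user@example.com` (hunk @@ -3094,8 +3093,7 @@) and `&prompt.user ssh-keygen` (hunk @@ -3183,8 +3180,7 @@) are missing the `;` that closes the entity reference, unlike `&prompt.user; ssh -2 -N -f -L 5023:localhost:23 user@foo.example.com` in the hunk at @@ -3239,7 +3233,8 @@ and `&prompt.root; setkey -c` in the IPsec hunks. Both OpenSSH hunks already touch the paragraph immediately above those screen lines, so changing them to `&prompt.root;` and `&prompt.user;` in the same patch would be cheap and keep the entity usage consistent across the chapter.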
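Review bot: the hunk at @@ -3239,7 +3233,8 @@ runs in the opposite direction from the rest of the patch: every other hunk removes a stray blank line after a paragraph's closing sentence, but this one adds a blank line between `another protocol in an encrypted session.` and `The following command tells &man.ssh.1; to create a tunnel`. That is right only if those two sentences belong to separate paragraph elements; if they are one paragraph, the added blank line should be dropped so the hunk matches the whitespace cleanup done everywhere else in the diff.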