Date: Sat, 10 Nov 2001 15:19:43 +0100 (CET)
From: Martin Heinen <martin@sumuk.de>
To: FreeBSD-gnats-submit@freebsd.org
Subject: docs/31899: Markup changes for chapter Security
Message-ID: <200111101419.fAAEJh187501@Kain.sumuk.de>
>Number: 31899 >Category: docs >Synopsis: Markup changes for chapter Security >Confidential: no >Severity: non-critical >Priority: low >Responsible: freebsd-doc >State: open >Quarter: >Keywords: >Date-Required: >Class: doc-bug >Submitter-Id: current-users >Arrival-Date: Sat Nov 10 06:20:01 PST 2001 >Closed-Date: >Last-Modified: >Originator: Martin Heinen >Release: FreeBSD 4.4-PRERELEASE i386 >Organization: >Environment: System: FreeBSD Kain.sumuk.de 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #11: Thu Sep 27 18:54:33 CEST 2001 toor@Kain.earth.sol:/usr/obj/usr/src/sys/KAIN i386 >Description: changed literal " to <quote>, indented a paragraph, <Para> -> <para>, info -> information, <filename>grunt -> <hostid>grunt, added missing markup, localhost -> <hostid>localhost >How-To-Repeat: read the Security chapter >Fix: Index: chapter.sgml =================================================================== RCS file: /u/cvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v retrieving revision 1.96 diff -u -r1.96 chapter.sgml --- chapter.sgml 2001/10/29 11:02:50 1.96 +++ chapter.sgml 2001/11/10 13:59:24 
@@ -1014,14 +1014,14 @@ rather than <filename>libdescrypt</filename>.</para> <para>If you have installed the DES-capable crypt library - <filename>libdescrypt</filename> (e.g. by installing the - "crypto" distribution), then which password format will be used - for new passwords is controlled by the - <quote>passwd_format</quote> login capability in - <filename>/etc/login.conf</filename>, which takes values of - either <quote>des</quote> or <quote>md5</quote>. See the - &man.login.conf.5; manual page for more information about login - capabilities.</para> + <filename>libdescrypt</filename> (e.g. by installing the + <quote>crypto</quote> distribution), then which password format + will be used for new passwords is controlled by the + <quote>passwd_format</quote> login capability in + <filename>/etc/login.conf</filename>, which takes values of + either <quote>des</quote> or <quote>md5</quote>. See the + &man.login.conf.5; manual page for more information about login + capabilities.</para> </sect2> </sect1> @@ -1249,7 +1249,7 @@ s/key 97 fw13894 Password: </screen> - <Para>Or for OPIE:</para> + <para>Or for OPIE:</para> <screen>&prompt.user; <userinput>telnet example.com</userinput> Trying 10.0.0.1... @@ -1345,7 +1345,7 @@ on the host name, user name, terminal port, or IP address of a login session. These restrictions can be found in the configuration file <filename>/etc/skey.access</filename>. The - &man.skey.access.5; manual page has more info on the complete + &man.skey.access.5; manual page has more information on the complete format of the file and also details some security cautions to be aware of before depending on this file for security.</para> 
@@ -1460,8 +1460,8 @@ <para>You should now edit the <filename>krb.conf</filename> and <filename>krb.realms</filename> files to define your Kerberos realm. In this case the realm will be <filename>EXAMPLE.COM</filename> and the - server is <filename>grunt.example.com</filename>. We edit or create - the <filename>krb.conf</filename> file:</para> + server is <hostid role="fqdn">grunt.example.com</hostid>. We edit + or create the <filename>krb.conf</filename> file:</para> <screen>&prompt.root; <userinput>cat krb.conf</userinput> EXAMPLE.COM @@ -2655,8 +2655,9 @@ elsewhere, and is not available for unrestricted use. IDEA is included in the OpenSSL sources in FreeBSD, but it is not built by default. If you wish to use it, and you comply with the - license terms, enable the MAKE_IDEA switch in /etc/make.conf and - rebuild your sources using 'make world'.</para> + license terms, enable the <literal>MAKE_IDEA</literal> switch in + <filename>/etc/make.conf</filename> and + rebuild your sources using <command>make world</command>.</para> <para>Today, the RSA algorithm is free for use in USA and other countries. In the past it was protected by a patent.</para> 
@@ -2741,14 +2742,18 @@ From HOST B to HOST A, new AH and new ESP are combined.</para> <para>Now we should choose an algorithm to be used corresponding to - "AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man + <quote>AH</quote>/<quote>new AH</quote>/<quote>ESP</quote>/ + <quote>new ESP</quote>. + Please refer to the &man.setkey.8; man page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para> <para>Key length highly depends on each algorithm. For example, key length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1, - and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", - "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para> + and 8 for new-DES-expIV. Now we choose + <quote>MYSECRETMYSECRET</quote>, + <quote>KAMEKAMEKAMEKAMEKAME</quote>, <quote>PASSWORD</quote>, + respectively.</para> <para>OK, let us assign SPI (Security Parameter Index) for each protocol. Please note that we need 3 SPIs for this secure channel since three @@ -2842,9 +2847,10 @@ fec0::10 -------------------- fec0::11 </screen> - <para>Encryption algorithm is blowfish-cbc whose key is "kamekame", and - authentication algorithm is hmac-sha1 whose key is "this is the test - key". Configuration at Host-A:</para> + <para>Encryption algorithm is blowfish-cbc whose key is + <quote>kamekame</quote>, and authentication algorithm is hmac-sha1 + whose key is <quote>this is the test key</quote>. + Configuration at Host-A:</para> <screen> &prompt.root; <command>setkey -c</command> <<<filename>EOF</filename> @@ -2888,8 +2894,8 @@ <para>Tunnel mode between two security gateways</para> <para>Security protocol is old AH tunnel mode, i.e. specified by - RFC1826, with keyed-md5 whose key is "this is the test" as - authentication algorithm.</para> + RFC1826, with keyed-md5 whose key is + <quote>this is the test</quote> as authentication algorithm.</para> <screen> ======= AH ======= 
@@ -2914,8 +2920,10 @@ EOF </screen> - <para>If the port number field is omitted such as above then "[any]" is - employed. `-m' specifies the mode of SA to be used. "-m any" means + <para>If the port number field is omitted such as above then + <literal>[any]</literal> is + employed. <literal>-m</literal> specifies the mode of SA to be used. + <literal>-m any</literal> means wild-card of mode of security protocol. You can use this SA for both tunnel and transport mode.</para> @@ -3102,10 +3110,10 @@ user@example.com's password: <userinput>*******</userinput></screen> <para>The login will continue just as it would have if a session was - created using <command>rlogin</command> or telnet. SSH utilizes a - key fingerprint - system for verifying the authenticity of the server when the - client connects. The user is prompted to enter 'yes' only when + created using <command>rlogin</command> or <command>telnet</command>. + SSH utilizes a key fingerprint system for verifying the authenticity + of the server when the client connects. The user is prompted + to enter <literal>yes</literal> only when connecting for the first time. Future attempts to login are all verified against the saved fingerprint key. The SSH client will alert you if the saved fingerprint differs from the @@ -3132,9 +3140,9 @@ </indexterm> <indexterm><primary><command>scp</command></primary></indexterm> - <para>The <command>scp</command> command works similarly to rcp; - it copies a file to or from a remote machine, except in a - secure fashion.</para> + <para>The <command>scp</command> command works similarly to + <command>rcp</command>; it copies a file to or from a + remote machine, except in a secure fashion.</para> <screen>&prompt.root <userinput> scp <replaceable>user@example.com:/COPYRIGHT COPYRIGHT</replaceable></userinput> user@example.com's password: 
@@ -3293,15 +3301,16 @@ </variablelist> - <para>An SSH tunnel works by creating a listen socket on localhost + <para>An SSH tunnel works by creating a listen socket on + <hostid>localhost</hostid> on the specified port. It then forwards any connection received on the local host/port via the SSH connection to the specified remote host and port.</para> <para>In the example, port <replaceable>5023</replaceable> on - localhost is being forwarded to port - <replaceable>23</replaceable> on localhost of the remote - machine. Since <replaceable>23</replaceable> is telnet, this + <hostid>localhost</hostid> is being forwarded to port + <replaceable>23</replaceable> on <hostid>localhost</hostid> of the + remote machine. Since <replaceable>23</replaceable> is telnet, this would create a secure telnet session through an SSH tunnel.</para> <para>This can be used to wrap any number of insecure TCP protocols >Release-Note: >Audit-Trail: >Unformatted:
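Review bot: in the @@ -1014 hunk, re-wrapping the whole paragraph buries the one substantive change (the literal "crypto" becoming <quote>crypto</quote>) among eight removed and eight added lines; consider touching only the line that carries <quote>crypto</quote> so the markup fix is visible at a glance in the diff.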
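Review bot: in the @@ -1460 hunk, the realm name <filename>EXAMPLE.COM</filename> on the unchanged context line just above is marked up as a file name in exactly the way the host name was before this change; since the hunk already corrects that pattern for grunt.example.com, the realm could get matching non-filename markup (for example <literal>EXAMPLE.COM</literal>) in the same hunk.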
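Review bot: in the @@ -2655 hunk, MAKE_IDEA is a make.conf variable, so <varname>MAKE_IDEA</varname> is the DocBook element that describes it more precisely than <literal>; the <filename> and <command> changes on the following lines look right.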
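Review bot: in the @@ -2741 hunk, breaking the line after <quote>ESP</quote>/ puts a newline and leading indentation between the slash and <quote>new ESP</quote>, which renders as whitespace ("ESP/ new ESP") where the original text had none; keep the slash and the following <quote> on one line, e.g. <quote>ESP</quote>/<quote>new ESP</quote>.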
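Review bot: in the @@ -2842 hunk (and for the key strings in the -2741 and -2888 hunks), kamekame and this is the test key are the literal key values used in the setkey configuration that follows, not quoted speech; <literal> marks them as exact strings, whereas <quote> renders typographic quotation marks that a reader may take to be part of the key. This matters most for keys containing spaces, such as this is the test key.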
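Review bot: in the @@ -2914 hunk, -m is a command-line option to setkey, for which DocBook provides <option>; <option>-m</option>, and <option>-m any</option> for the option with its argument, is more specific than <literal>. The re-wrap also leaves a very short line ending in "is" before "employed.", so the paragraph could be reflowed to fill lines evenly.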
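Review bot: in the @@ -3102 hunk, the unchanged context line "Future attempts to login are all" uses "login" as a verb; the verb form is "log in", and since the hunk already edits this paragraph it is a cheap fix to include.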
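Review bot: in the @@ -3132 hunk, the context line <screen>&prompt.root <userinput> scp ... lacks the terminating semicolon on the &prompt.root entity reference that every other <screen> in this patch uses (&prompt.root;), and, if the space after <userinput> is really in the source, it will be rendered before scp; both are worth fixing while the surrounding paragraph is being edited.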
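Review bot: in the @@ -3293 hunk, <replaceable>23</replaceable> marks the telnet port as a value the reader substitutes, but the paragraph's point is precisely that 23 is the fixed telnet port; <literal>23</literal> would be accurate there, while 5023, which the reader may choose freely, is correctly <replaceable>.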