From owner-freebsd-doc Sat Nov 10 6:20:16 2001
Delivered-To: freebsd-doc@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 2BACF37B427 for ; Sat, 10 Nov 2001 06:20:02 -0800 (PST)
Received: (from gnats@localhost) by freefall.freebsd.org (8.11.4/8.11.4) id fAAEK2m30183; Sat, 10 Nov 2001 06:20:02 -0800 (PST) (envelope-from gnats)
Received: from Kain.sumuk.de (Kain.sumuk.de [213.221.86.114]) by hub.freebsd.org (Postfix) with ESMTP id EE45A37B41D for ; Sat, 10 Nov 2001 06:19:50 -0800 (PST)
Received: (from vincent@localhost) by Kain.sumuk.de (8.11.5/8.11.5) id fAAEJh187501; Sat, 10 Nov 2001 15:19:43 +0100 (CET) (envelope-from vincent)
Message-Id: <200111101419.fAAEJh187501@Kain.sumuk.de>
Date: Sat, 10 Nov 2001 15:19:43 +0100 (CET)
From: Martin Heinen
Reply-To: Martin Heinen
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.113
Subject: docs/31899: Markup changes for chapter Security
Sender: owner-freebsd-doc@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.org

>Number: 31899
>Category: docs
>Synopsis: Markup changes for chapter Security
>Confidential: no
>Severity: non-critical
>Priority: low
>Responsible: freebsd-doc
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: doc-bug
>Submitter-Id: current-users
>Arrival-Date: Sat Nov 10 06:20:01 PST 2001
>Closed-Date:
>Last-Modified:
>Originator: Martin Heinen
>Release: FreeBSD 4.4-PRERELEASE i386
>Organization:
>Environment:
System: FreeBSD Kain.sumuk.de 4.4-PRERELEASE FreeBSD 4.4-PRERELEASE #11: Thu Sep 27 18:54:33 CEST 2001 toor@Kain.earth.sol:/usr/obj/usr/src/sys/KAIN i386
>Description:
changed literal " to , indented a paragraph, -> , info -> information, grunt -> grunt, added missing markup, localhost -> localhost
>How-To-Repeat:
read the Security chapter
>Fix:
Index: chapter.sgml
===================================================================
RCS file: /u/cvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v
retrieving revision 1.96
diff -u -r1.96 chapter.sgml
--- chapter.sgml 2001/10/29 11:02:50 1.96
+++ chapter.sgml 2001/11/10 13:59:24
@@ -1014,14 +1014,14 @@ rather than libdescrypt. If you have installed the DES-capable crypt library - libdescrypt (e.g. by installing the - "crypto" distribution), then which password format will be used - for new passwords is controlled by the - passwd_format login capability in - /etc/login.conf, which takes values of - either des or md5. See the - &man.login.conf.5; manual page for more information about login - capabilities. + libdescrypt (e.g. by installing the + crypto distribution), then which password format + will be used for new passwords is controlled by the + passwd_format login capability in + /etc/login.conf, which takes values of + either des or md5. See the + &man.login.conf.5; manual page for more information about login + capabilities. @@ -1249,7 +1249,7 @@ s/key 97 fw13894 Password: - Or for OPIE: + Or for OPIE: &prompt.user; telnet example.com Trying 10.0.0.1... @@ -1345,7 +1345,7 @@ on the host name, user name, terminal port, or IP address of a login session. These restrictions can be found in the configuration file /etc/skey.access. The - &man.skey.access.5; manual page has more info on the complete + &man.skey.access.5; manual page has more information on the complete format of the file and also details some security cautions to be aware of before depending on this file for security. @@ -1460,8 +1460,8 @@ You should now edit the krb.conf and krb.realms files to define your Kerberos realm. In this case the realm will be EXAMPLE.COM and the - server is grunt.example.com. We edit or create - the krb.conf file: + server is grunt.example.com. We edit + or create the krb.conf file: &prompt.root; cat krb.conf EXAMPLE.COM 
@@ -2655,8 +2655,9 @@ elsewhere, and is not available for unrestricted use. IDEA is included in the OpenSSL sources in FreeBSD, but it is not built by default. If you wish to use it, and you comply with the - license terms, enable the MAKE_IDEA switch in /etc/make.conf and - rebuild your sources using 'make world'. + license terms, enable the MAKE_IDEA switch in + /etc/make.conf and + rebuild your sources using make world. Today, the RSA algorithm is free for use in USA and other countries. In the past it was protected by a patent. @@ -2741,14 +2742,18 @@ From HOST B to HOST A, new AH and new ESP are combined. Now we should choose an algorithm to be used corresponding to - "AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man + AH/new AH/ESP/ + new ESP. + Please refer to the &man.setkey.8; man page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 for new AH, and new-DES-expIV with 8 byte IV for new ESP. Key length highly depends on each algorithm. For example, key length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1, - and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", - "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively. + and 8 for new-DES-expIV. Now we choose + MYSECRETMYSECRET, + KAMEKAMEKAMEKAMEKAME, PASSWORD, + respectively. OK, let us assign SPI (Security Parameter Index) for each protocol. Please note that we need 3 SPIs for this secure channel since three @@ -2842,9 +2847,10 @@ fec0::10 -------------------- fec0::11 - Encryption algorithm is blowfish-cbc whose key is "kamekame", and - authentication algorithm is hmac-sha1 whose key is "this is the test - key". Configuration at Host-A: + Encryption algorithm is blowfish-cbc whose key is + kamekame, and authentication algorithm is hmac-sha1 + whose key is this is the test key. + Configuration at Host-A: &prompt.root; setkey -c <<EOF 
@@ -2888,8 +2894,8 @@ Tunnel mode between two security gateways Security protocol is old AH tunnel mode, i.e. specified by - RFC1826, with keyed-md5 whose key is "this is the test" as - authentication algorithm. + RFC1826, with keyed-md5 whose key is + this is the test as authentication algorithm. ======= AH ======= @@ -2914,8 +2920,10 @@ EOF - If the port number field is omitted such as above then "[any]" is - employed. `-m' specifies the mode of SA to be used. "-m any" means + If the port number field is omitted such as above then + [any] is + employed. -m specifies the mode of SA to be used. + -m any means wild-card of mode of security protocol. You can use this SA for both tunnel and transport mode. @@ -3102,10 +3110,10 @@ user@example.com's password: ******* The login will continue just as it would have if a session was - created using rlogin or telnet. SSH utilizes a - key fingerprint - system for verifying the authenticity of the server when the - client connects. The user is prompted to enter 'yes' only when + created using rlogin or telnet. + SSH utilizes a key fingerprint system for verifying the authenticity + of the server when the client connects. The user is prompted + to enter yes only when connecting for the first time. Future attempts to login are all verified against the saved fingerprint key. The SSH client will alert you if the saved fingerprint differs from the @@ -3132,9 +3140,9 @@ scp - The scp command works similarly to rcp; - it copies a file to or from a remote machine, except in a - secure fashion. + The scp command works similarly to + rcp; it copies a file to or from a + remote machine, except in a secure fashion. &prompt.root scp user@example.com:/COPYRIGHT COPYRIGHT user@example.com's password: 
@@ -3293,15 +3301,16 @@ - An SSH tunnel works by creating a listen socket on localhost + An SSH tunnel works by creating a listen socket on + localhost on the specified port. It then forwards any connection received on the local host/port via the SSH connection to the specified remote host and port. In the example, port 5023 on - localhost is being forwarded to port - 23 on localhost of the remote - machine. Since 23 is telnet, this + localhost is being forwarded to port + 23 on localhost of the + remote machine. Since 23 is telnet, this would create a secure telnet session through an SSH tunnel. This can be used to wrap any number of insecure TCP protocols >Release-Note: >Audit-Trail: >Unformatted: To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-doc" in the body of the message
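Review bot: in the passwd_format hunk (@@ -1014) the literal double quotes around crypto are dropped, but the extracted diff shows no replacement markup around the word; the PR description says the quotes were changed to an element whose tag name did not survive extraction, so confirm that element really wraps crypto in the committed chapter.sgml, otherwise the distribution name renders as bare prose. The remaining five re-indented lines of that hunk (passwd_format through capabilities) are whitespace-only.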
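Review bot: in the MAKE_IDEA hunk (@@ -2655) /etc/make.conf and make world get markup while the context line "enable the MAKE_IDEA switch in" is left as is; if MAKE_IDEA is not already marked up as a make variable, this hunk is the place to do it so all three identifiers in the sentence render consistently.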
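Review bot: in the algorithm-choice hunk (@@ -2741) the new text breaks the line between "AH/new AH/ESP/" and "new ESP" inside the inline markup; a newline in mixed content collapses to a space when rendered, so the reader sees "ESP/ new ESP" where the original "ESP"/"new ESP" had no space. Keep the four names on one line or break before a slash rather than after it. The re-wrapped key sentence is harmless: the sample keys still match the lengths stated two lines earlier (MYSECRETMYSECRET is 16 bytes, KAMEKAMEKAMEKAMEKAME 20, PASSWORD 8). Out of scope for a markup PR, but the example still pairs keyed MD5 for AH with single DES (new-DES-expIV) for ESP when describing a "secure channel"; the later transport-mode example in this same chapter already uses blowfish-cbc with hmac-sha1, and a follow-up PR should bring this example in line with it.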
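Review bot: in the blowfish-cbc/hmac-sha1 hunk (@@ -2842) removing the quotes around "this is the test key" leaves a key that contains spaces with the inline markup as its only boundary, so check that the element chosen renders distinctly from the surrounding prose. The setkey -c input after the hunk is untouched by this change and must keep its double quotes, since setkey(8) takes a string key only in that quoted form; worth a glance while the paragraph is open.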
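Review bot: same point for the old AH tunnel-mode hunk (@@ -2888): "this is the test" is a 16-byte key containing spaces, so after the quotes go the markup is the only thing delimiting it. The protocol described there (RFC 1826 AH with keyed-md5) is obsolete; not something this markup change should fix, but the chapter could flag it in a follow-up.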
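Review bot: in the -m any hunk (@@ -2914) the rewrapped text now opens a sentence with the bare option, "-m specifies the mode of SA to be used."; read better as "The -m option specifies the mode of SA to be used." Also, [any] is a literal value rather than quoted prose, so mark it as such instead of only dropping the quotes.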
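Review bot: in the key-fingerprint hunk (@@ -3102) yes is the exact string the user must type at the host-key prompt, so it should be marked as user input rather than an ordinary word; as extracted the quotes are gone and nothing visible sets it apart.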
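Review bot: the scp hunk (@@ -3132) ends with the unchanged context line "&prompt.root scp user@example.com:/COPYRIGHT COPYRIGHT", where the entity reference lacks its terminating semicolon; every other prompt in this patch is written "&prompt.root;" or "&prompt.user;", so this one will not expand. Since the hunk already touches this paragraph, fix it here: "&prompt.root; scp user@example.com:/COPYRIGHT COPYRIGHT".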
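Review bot: in the SSH tunnel hunk (@@ -3293) both localhost occurrences get the same hostid markup although one is the client's loopback and the other the remote machine's; the prose disambiguates with "of the remote machine", so that is acceptable, but "Since 23 is telnet" reads better as "Since port 23 is telnet" while the paragraph is being re-wrapped anyway.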