FreeBSD Bugzilla – Attachment 17390 Details for Bug 31580: Chapter security: Indentation
[patch] file.diff
file.diff (text/plain), 13.86 KB, created by Martin Heinen on 2001-10-29 07:40:00 UTC

Description: file.diff
Filename: file.diff
MIME Type: text/plain
Creator: Martin Heinen
Created: 2001-10-29 07:40:00 UTC
Size: 13.86 KB
patch, obsolete
>Index: chapter.sgml >=================================================================== >RCS file: /u/cvs/doc/en_US.ISO8859-1/books/handbook/security/chapter.sgml,v >retrieving revision 1.95 >diff -u -r1.95 chapter.sgml >--- chapter.sgml 2001/10/28 22:10:30 1.95 >+++ chapter.sgml 2001/10/29 07:24:54 >@@ -2577,8 +2577,7 @@ > <filename>/etc/rc.conf.local</filename> or > <filename>/etc/rc.conf</filename> to enable your firewall, > it is important to make sure your firewall is enabled before >- any IP interfaces are configured. >- </para> >+ any IP interfaces are configured.</para> > > <para>The next problem is what your firewall should actually > <emphasis>do</emphasis>! This is largely dependent on what access to 
>@@ -2709,23 +2708,23 @@ > > <tip> > <para>For other HOWTOs detailing IPSec implementation in >- FreeBSD, take a look at <ulink >- url="http://www.daemonnews.org/200101/ipsec-howto.html"></ulink> >- and <ulink >- url="http://www.freebsddiary.org/ipsec.php"></ulink>.</para> >+ FreeBSD, take a look at <ulink >+ url="http://www.daemonnews.org/200101/ipsec-howto.html"></ulink> >+ and <ulink >+ url="http://www.freebsddiary.org/ipsec.php"></ulink>.</para> > </tip> > > <para>The IPsec mechanism provides secure communication for IP >- layer and socket layer communication. This section should >- explain how to use them. For implementation details, please >- refer to <ulink >- url="../developers-handbook/ipv6.html">The >- Developers' Handbook</ulink>.</para> >+ layer and socket layer communication. This section should >+ explain how to use them. For implementation details, please >+ refer to <ulink >+ url="../developers-handbook/ipv6.html">The >+ Developers' Handbook</ulink>.</para> > > <para>The current IPsec implementation supports both transport mode >- and tunnel mode. However, tunnel mode comes with some restrictions. >- <ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/ >- </ulink> has more comprehensive examples.</para> >+ and tunnel mode. However, tunnel mode comes with some restrictions. >+ <ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/ >+ </ulink> has more comprehensive examples.</para> > > <para>Please be aware that in order to use this functionality, you > must have the following options compiled into your kernel:</para> 
>@@ -2737,25 +2736,25 @@ > <title>Transport Mode Example with IPv4</title> > > <para>Let us setup security association to deploy a secure channel >- between HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little >- complicated example. From HOST A to HOST B, only old AH is used. >- From HOST B to HOST A, new AH and new ESP are combined.</para> >+ between HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little >+ complicated example. From HOST A to HOST B, only old AH is used. >+ From HOST B to HOST A, new AH and new ESP are combined.</para> > > <para>Now we should choose an algorithm to be used corresponding to >- "AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man >- page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 >- for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para> >+ "AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man >+ page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1 >+ for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para> > > <para>Key length highly depends on each algorithm. For example, key >- length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1, >- and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", >- "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para> >+ length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1, >+ and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET", >+ "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para> > > <para>OK, let us assign SPI (Security Parameter Index) for each protocol. >- Please note that we need 3 SPIs for this secure channel since three >- security headers are produced (one for from HOST A to HOST B, two for >- from HOST B to HOST A). Please also note that SPI MUST be greater >- than or equal to 256. We choose, 1000, 2000, and 3000, respectively. 
>+ Please note that we need 3 SPIs for this secure channel since three >+ security headers are produced (one for from HOST A to HOST B, two for >+ from HOST B to HOST A). Please also note that SPI MUST be greater >+ than or equal to 256. We choose, 1000, 2000, and 3000, respectively. > </para> > > <screen> >@@ -2787,7 +2786,7 @@ > </screen> > > <para>Now, let us setup security association. Execute &man.setkey.8; >- on both HOST A and B:</para> >+ on both HOST A and B:</para> > > <screen> > &prompt.root; <command>setkey -c</command> >@@ -2798,7 +2797,7 @@ > </screen> > > <para>Actually, IPsec communication does not process until security policy >- entries are defined. In this case, you must setup each host.</para> >+ entries are defined. In this case, you must setup each host.</para> > > <screen> > At A: >@@ -2834,7 +2833,7 @@ > <para>Another example using IPv6.</para> > > <para>ESP transport mode is recommended for TCP port number 110 between >- Host-A and Host-B.</para> >+ Host-A and Host-B.</para> > > <screen> > ============ ESP ============ >@@ -2844,8 +2843,8 @@ > </screen> > > <para>Encryption algorithm is blowfish-cbc whose key is "kamekame", and >- authentication algorithm is hmac-sha1 whose key is "this is the test >- key". Configuration at Host-A:</para> >+ authentication algorithm is hmac-sha1 whose key is "this is the test >+ key". Configuration at Host-A:</para> > > <screen> > &prompt.root; <command>setkey -c</command> <<<filename>EOF</filename> >@@ -2889,8 +2888,8 @@ > <para>Tunnel mode between two security gateways</para> > > <para>Security protocol is old AH tunnel mode, i.e. specified by >- RFC1826, with keyed-md5 whose key is "this is the test" as >- authentication algorithm.</para> >+ RFC1826, with keyed-md5 whose key is "this is the test" as >+ authentication algorithm.</para> > > <screen> > ======= AH ======= 
>@@ -2916,9 +2915,9 @@ > </screen> > > <para>If the port number field is omitted such as above then "[any]" is >- employed. `-m' specifies the mode of SA to be used. "-m any" means >- wild-card of mode of security protocol. You can use this SA for both >- tunnel and transport mode.</para> >+ employed. `-m' specifies the mode of SA to be used. "-m any" means >+ wild-card of mode of security protocol. You can use this SA for both >+ tunnel and transport mode.</para> > > <para>and at Gateway-B:</para> > >@@ -2939,8 +2938,8 @@ > <para>Making SA bundle between two security gateways</para> > > <para>AH transport mode and ESP tunnel mode is required between >- Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first, >- and AH transport mode is next.</para> >+ Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first, >+ and AH transport mode is next.</para> > > <screen> > ========== AH ========= >@@ -2955,8 +2954,8 @@ > <title>Tunnel Mode Example with IPv6</title> > > <para>Encryption algorithm is 3des-cbc, and authentication algorithm >- for ESP is hmac-sha1. Authentication algorithm for AH is hmac-md5. >- Configuration at Gateway-A:</para> >+ for ESP is hmac-sha1. Authentication algorithm for AH is hmac-md5. >+ Configuration at Gateway-A:</para> > > <screen> > &prompt.root; <command>setkey -c</command> <<<filename>EOF</filename> 
>@@ -2983,10 +2982,10 @@ > <para>Making SAs with the different end</para> > > <para>ESP tunnel mode is required between Host-A and Gateway-A. Encryption >- algorithm is cast128-cbc, and authentication algorithm for ESP is >- hmac-sha1. ESP transport mode is recommended between Host-A and Host-B. >- Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is >- hmac-md5.</para> >+ algorithm is cast128-cbc, and authentication algorithm for ESP is >+ hmac-sha1. ESP transport mode is recommended between Host-A and Host-B. >+ Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is >+ hmac-md5.</para> > > <screen> > ================== ESP ================= >@@ -3045,7 +3044,7 @@ > <secondary>OpenSSH</secondary> > </indexterm> > >- <para>Secure shell is a set of network connectivity tools used to >+ <para>Secure shell is a set of network connectivity tools used to > access remote machines securely. It can be used as a direct > replacement for <command>rlogin</command>, > <command>rsh</command>, <command>rcp</command>, and >@@ -3094,8 +3093,7 @@ > </indexterm> > > <para>The &man.ssh.1; utility works similarly to >- &man.rlogin.1;. >- </para> >+ &man.rlogin.1;.</para> > > <screen>&prompt.root <userinput>ssh <replaceable>user@example.com</replaceable></userinput> > Host key not found from the list of known hosts. >@@ -3113,8 +3111,8 @@ > will alert you if the saved fingerprint differs from the > received fingerprint on future login attempts. The fingerprints > are saved in <filename>~/.ssh/known_hosts</filename>, or >- <filename>~/.ssh/known_hosts2</filename> for SSH v2 fingerprints. >- </para> >+ <filename>~/.ssh/known_hosts2</filename> for SSH v2 >+ fingerprints.</para> > > <para>By default, OpenSSH servers are configured to accept both > SSH v1 and SSH v2 connections. The client, however, can choose 
>@@ -3166,12 +3164,11 @@ > > <para>The system-wide configuration files for both the OpenSSH > daemon and client reside within the <filename>/etc/ssh</filename> >- directory. >- </para> >+ directory.</para> >+ > <para><filename>ssh_config</filename> configures the client > settings, while <filename>sshd_config</filename> configures the >- daemon. >- </para> >+ daemon.</para> > > <para>Additionally, the <option>sshd_program</option> > (<filename>/usr/sbin/sshd</filename> by default), and >@@ -3183,8 +3180,7 @@ > <title>ssh-keygen</title> > > <para>Instead of using passwords, &man.ssh-keygen.1; can >- be used to generate RSA keys to authenticate a user. >- </para> >+ be used to generate RSA keys to authenticate a user.</para> > > <screen>&prompt.user <userinput>ssh-keygen</userinput> > Initializing random number generator... >@@ -3203,8 +3199,7 @@ > <filename>~/.ssh/identity</filename>, whereas the public key is > stored in <filename>~/.ssh/identity.pub</filename>. The public > key must be placed in <filename>~/.ssh/authorized_keys</filename> >- of the remote machine in order for the setup to work. >- </para> >+ of the remote machine in order for the setup to work.</para> > > <para>This will allow connection to the remote machine based upon > RSA authentication instead of passwords.</para> >@@ -3226,8 +3221,7 @@ > machine.</para> > > <para>&man.ssh-agent.1; and &man.ssh-add.1; are >- utilities used in managing multiple passworded private keys. >- </para> >+ utilities used in managing multiple passworded private keys.</para> > </sect2> > > <sect2> 
>@@ -3239,7 +3233,8 @@ > > <para>OpenSSH has the ability to create a tunnel to encapsulate > another protocol in an encrypted session.</para> >- <para>The following command tells &man.ssh.1; to create a tunnel >+ >+ <para>The following command tells &man.ssh.1; to create a tunnel > for telnet.</para> > > <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput> >@@ -3298,21 +3293,19 @@ > </variablelist> > > >- <para>An SSH tunnel works by creating a listen socket on localhost >+ <para>An SSH tunnel works by creating a listen socket on localhost > on the specified port. It then forwards any connection received > on the local host/port via the SSH connection to the specified > remote host and port.</para> > >- <para>In the example, port <replaceable>5023</replaceable> on >+ <para>In the example, port <replaceable>5023</replaceable> on > localhost is being forwarded to port > <replaceable>23</replaceable> on localhost of the remote > machine. Since <replaceable>23</replaceable> is telnet, this >- would create a secure telnet session through an SSH tunnel. >- </para> >+ would create a secure telnet session through an SSH tunnel.</para> > > <para>This can be used to wrap any number of insecure TCP protocols >- such as smtp, pop3, ftp, etc. >- </para> >+ such as smtp, pop3, ftp, etc.</para> > > <para>A typical SSH Tunnel</para> > <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user@mailserver.example.com</replaceable></userinput> >@@ -3326,8 +3319,7 @@ > <para>This can be used in conjunction with an &man.ssh-keygen.1; > and additional user accounts to create a more seamless/hassle-free > SSH tunneling environment. Keys can be used in place of typing >- a password, and the tunnels can be run as a separate user. >- </para> >+ a password, and the tunnels can be run as a separate user.</para> > > <sect3> > <title>Practical SSH Tunneling Examples</title> 
>@@ -3378,7 +3370,7 @@ > <hostid>localhost</hostid> port 8888, which will be > forwarded over to <hostid>music.example.com</hostid> port > 8000, successfully evading the firewall.</para> >- </sect4> >+ </sect4> > </sect3> > </sect2>
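Review bot: hunk @@ -2709,23 +2708,23 @@ is a pure re-indent (every `-` line reappears as a `+` line with only its leading whitespace changed), so regenerating the diff with `cvs diff -u -w` against revision 1.95 should show nothing for this region and is the quickest way to confirm no wording moved. While these lines are being touched, the kame.net link still splits its content across lines (`<ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/` with `</ulink>` on the following line), which leaves a newline plus indentation inside the rendered link text; closing the tag on the same line as the URL would fix that without widening the patch.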
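Review bot: hunk @@ -2737,25 +2736,25 @@ changes whitespace only and leaves the transport-mode walk-through's wording intact, which is right for an indentation commit, but it carries the example key material ("MYSECRETMYSECRET", "KAMEKAMEKAMEKAMEKAME", "PASSWORD") and the MD5 / new-DES-expIV choices unchanged into the new revision. Worth a separate follow-up rather than this patch: label those values as illustrative placeholders to be replaced with locally generated keys, since the paragraph currently reads as a copy-and-paste recipe.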
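Review bot: hunk @@ -3113,8 +3111,8 @@ reflows the known_hosts sentence so that `</para>` closes on the text line, but the new break falls between `for SSH v2` and `fingerprints.</para>`, orphaning a single word plus the closing tag. Breaking before `<filename>~/.ssh/known_hosts2</filename>` instead would keep the phrase "SSH v2 fingerprints" on one line and match how the surrounding paragraphs wrap.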
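Review bot: hunk @@ -3166,12 +3164,11 @@ inserts a blank line between the `/etc/ssh` paragraph and the `ssh_config`/`sshd_config` paragraph, which matches how the rest of the chapter separates `<para>` elements, so the change is consistent. The header's 12 -> 11 line count is correct despite the added blank: the two `</para>` joins (`directory.</para>` and `daemon.</para>`) each remove a line, so no content is dropped.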