Skip site navigation (1)Skip section navigation (2)
Date:      Thu, 10 Apr 2014 20:52:24 +0000 (UTC)
From:      Dru Lavigne <dru@FreeBSD.org>
To:        doc-committers@freebsd.org, svn-doc-all@freebsd.org, svn-doc-head@freebsd.org
Subject:   svn commit: r44525 - head/en_US.ISO8859-1/books/handbook/security
Message-ID:  <201404102052.s3AKqOM0032800@svn.freebsd.org>

next in thread | raw e-mail | index | archive | help
Author: dru
Date: Thu Apr 10 20:52:23 2014
New Revision: 44525
URL: http://svnweb.freebsd.org/changeset/doc/44525

Log:
  White space fix only. Translators can ignore.
  
  Sponsored by:	iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Thu Apr 10 20:37:05 2014	(r44524)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Thu Apr 10 20:52:23 2014	(r44525)
@@ -2437,9 +2437,10 @@ racoon_enable="yes"</programlisting>
     </indexterm>
 
     <para><application>OpenSSH</application> is a set of network
-      connectivity tools used to provide secure access to remote machines.
-      Additionally, <acronym>TCP/IP</acronym> connections can be tunneled or forwarded
-      securely through <acronym>SSH</acronym> connections.
+      connectivity tools used to provide secure access to remote
+      machines.  Additionally, <acronym>TCP/IP</acronym> connections
+      can be tunneled or forwarded securely through
+      <acronym>SSH</acronym> connections.
       <application>OpenSSH</application> encrypts all traffic to
       effectively eliminate eavesdropping, connection hijacking, and
       other network-level attacks.</para>
@@ -2473,9 +2474,9 @@ racoon_enable="yes"</programlisting>
 	<secondary>client</secondary>
       </indexterm>
 
-      <para>To log into a <acronym>SSH</acronym> server, use 
+      <para>To log into a <acronym>SSH</acronym> server, use
 	<command>ssh</command> and specify a username that exists on
-	that server and the <acronym>IP</acronym> address or hostname 
+	that server and the <acronym>IP</acronym> address or hostname
 	of the server.  If this is the first time a connection has
 	been made to the specified server, the user will be prompted
 	to first verify the server's fingerprint:</para>
@@ -2489,24 +2490,24 @@ Password for user@example.com: <userinpu
 
       <para><acronym>SSH</acronym> utilizes a key fingerprint system
 	to verify the authenticity of the server when the client
-	connects.  When the user accepts the key's fingerprint by typing
-	<literal>yes</literal> when connecting for the first time, a
-	copy of the key is saved to
-	<filename>.ssh/known_hosts</filename> in the user's home directory.
-	Future attempts to login are verified against the saved
-	key and <command>ssh</command> will display an
-	alert if the server's key does not match the saved key.  If
-	this occurs, the user should first verify
-	why the key has changed before continuing with the
-	connection.</para>
-
-      <para>By default, recent versions of <application>OpenSSH</application> only accept
-	<acronym>SSH</acronym>v2 connections.  By default, the client will use
-	version 2 if possible and will fall back to version 1 if the
-	server does not support version 2.  To
-	force <command>ssh</command> to only use the specified protocol, include
-	<option>-1</option> or <option>-2</option>.  Additional
-	options are described in &man.ssh.1;.</para>
+	connects.  When the user accepts the key's fingerprint by
+	typing <literal>yes</literal> when connecting for the first
+	time, a copy of the key is saved to
+	<filename>.ssh/known_hosts</filename> in the user's home
+	directory.  Future attempts to login are verified against the
+	saved key and <command>ssh</command> will display an alert if
+	the server's key does not match the saved key.  If this
+	occurs, the user should first verify why the key has changed
+	before continuing with the connection.</para>
+
+      <para>By default, recent versions of
+	<application>OpenSSH</application> only accept
+	<acronym>SSH</acronym>v2 connections.  By default, the client
+	will use version 2 if possible and will fall back to version 1
+	if the server does not support version 2.  To force
+	<command>ssh</command> to only use the specified protocol,
+	include <option>-1</option> or <option>-2</option>.
+	Additional options are described in &man.ssh.1;.</para>
 
       <indexterm>
 	<primary>OpenSSH</primary>
@@ -2516,10 +2517,11 @@ Password for user@example.com: <userinpu
 	<primary>&man.scp.1;</primary>
       </indexterm>
 
-      <para>Use &man.scp.1; to securely copy a file to or from a remote machine.
-	This example copies <filename>COPYRIGHT</filename> on the
-	remote system to a file of the same name in the current
-	directory of the local system:</para>
+      <para>Use &man.scp.1; to securely copy a file to or from a
+	remote machine.  This example copies
+	<filename>COPYRIGHT</filename> on the remote system to a file
+	of the same name in the current directory of the local
+	system:</para>
 
       <screen>&prompt.root; <userinput>scp <replaceable>user@example.com:/COPYRIGHT COPYRIGHT</replaceable></userinput>
 Password for user@example.com: <userinput><replaceable>*******</replaceable></userinput>
@@ -2531,13 +2533,13 @@ COPYRIGHT            100% |*************
 	the server's key is automatically checked before prompting for
 	the user's password.</para>
 
-      <para>The arguments passed to <command>scp</command> are similar to
-	<command>cp</command>.  The file or files to copy is the first
-	argument and the destination to copy to is the second.  Since the file
-	is fetched over the network, one or more of the file
-	arguments takes the form
+      <para>The arguments passed to <command>scp</command> are similar
+	to <command>cp</command>.  The file or files to copy is the
+	first argument and the destination to copy to is the second.
+	Since the file is fetched over the network, one or more of the
+	file arguments takes the form
 	<option>user@host:&lt;path_to_remote_file&gt;</option>.</para>
-	
+
       <para>To open an interactive session for copying files, use
 	<command>sftp</command>.  Refer to &man.sftp.1; for a list of
 	available commands while in an <command>sftp</command>
@@ -2546,14 +2548,14 @@ COPYRIGHT            100% |*************
       <sect3 xml:id="security-ssh-keygen">
 	<title>Key-based Authentication</title>
 
-        <para>Instead of using passwords, a client can be configured
-	  to connect to the remote machine
-	  using keys.  To generate <acronym>DSA</acronym> or
-	  <acronym>RSA</acronym> authentication keys, use
-	  <command>ssh-keygen</command>.  To generate a
-	  public and private key pair, specify the type of key and
-	  follow the prompts.  It is recommended to protect the keys
-	  with a memorable, but hard to guess passphrase.</para>
+	<para>Instead of using passwords, a client can be configured
+	  to connect to the remote machine using keys.  To generate
+	  <acronym>DSA</acronym> or <acronym>RSA</acronym>
+	  authentication keys, use <command>ssh-keygen</command>.  To
+	  generate a public and private key pair, specify the type of
+	  key and follow the prompts.  It is recommended to protect
+	  the keys with a memorable, but hard to guess
+	  passphrase.</para>
 
 	<screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
 Generating public/private dsa key pair.
@@ -2566,12 +2568,12 @@ Your public key has been saved in /home/
 The key fingerprint is:
 bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com</screen>
 
-	<para>Depending upon the specified protocol, the private key is stored
-	  in <filename>~/.ssh/id_dsa</filename> (or
+	<para>Depending upon the specified protocol, the private key
+	  is stored in <filename>~/.ssh/id_dsa</filename> (or
 	  <filename>~/.ssh/id_rsa</filename>), and the public key
 	  is stored in <filename>~/.ssh/id_dsa.pub</filename> (or
-	  <filename>~/.ssh/id_rsa.pub</filename>).
-	  The <emphasis>public</emphasis> key must be first copied to
+	  <filename>~/.ssh/id_rsa.pub</filename>).  The
+	  <emphasis>public</emphasis> key must be first copied to
 	  <filename>~/.ssh/authorized_keys</filename> on the remote
 	  machine in order for key-based authentication to
 	  work.</para>
@@ -2580,10 +2582,11 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8
 	  <para>Many users believe that keys are secure by design and
 	    will use a key without a passphrase.  This is
 	    <emphasis>dangerous</emphasis> behavior.  An
-	    administrator can verify that a key pair is protected by a passphrase
-	    by viewing the private key manually.  If the private key file
-	    contains the word <literal>ENCRYPTED</literal>, the key
-	    owner is using a passphrase.  In addition, to better secure end users,
+	    administrator can verify that a key pair is protected by a
+	    passphrase by viewing the private key manually.  If the
+	    private key file contains the word
+	    <literal>ENCRYPTED</literal>, the key owner is using a
+	    passphrase.  In addition, to better secure end users,
 	    <literal>from</literal> may be placed in the public key
 	    file.  For example, adding
 	    <literal>from="192.168.10.5"</literal> in the front of
@@ -2592,29 +2595,29 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8
 	    that <acronym>IP</acronym> address.</para>
 	</warning>
 
-	  <para>The various options and files can be different
-	    according to the <application>OpenSSH</application>
-	    version.  To avoid problems, consult
-	    &man.ssh-keygen.1;.</para>
-
-	<para>If a passphrase is used, the user
-	  will be prompted for the passphrase each time a connection
-	  is made to the server.  To load <acronym>SSH</acronym> keys
-	  into memory, without needing to type the passphrase
-	  each time, use &man.ssh-agent.1; and &man.ssh-add.1;.</para>
-
-	<para>Authentication is handled by <command>ssh-agent</command>, using
-	  the private key(s) that are loaded into it.  Then,
-	  <command>ssh-agent</command> should be used to launch another
-	  application such as a
+	<para>The various options and files can be different
+	  according to the <application>OpenSSH</application> version.
+	  To avoid problems, consult &man.ssh-keygen.1;.</para>
+
+	<para>If a passphrase is used, the user will be prompted for
+	  the passphrase each time a connection is made to the server.
+	  To load <acronym>SSH</acronym> keys into memory, without
+	  needing to type the passphrase each time, use
+	  &man.ssh-agent.1; and &man.ssh-add.1;.</para>
+
+	<para>Authentication is handled by
+	  <command>ssh-agent</command>, using the private key(s) that
+	  are loaded into it.  Then, <command>ssh-agent</command>
+	  should be used to launch another application such as a
 	  shell or a window manager.</para>
 
-	<para>To use <command>ssh-agent</command> in a shell, start it with a
-	  shell as an argument.  Next, add the identity by running
-	  <command>ssh-add</command> and providing it the passphrase for the
-	  private key.  Once these steps have been completed, the user
-	  will be able to <command>ssh</command> to any host that has the
-	  corresponding public key installed.  For example:</para>
+	<para>To use <command>ssh-agent</command> in a shell, start it
+	  with a shell as an argument.  Next, add the identity by
+	  running <command>ssh-add</command> and providing it the
+	  passphrase for the private key.  Once these steps have been
+	  completed, the user will be able to <command>ssh</command>
+	  to any host that has the corresponding public key installed.
+	  For example:</para>
 
 	<screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
 &prompt.user; ssh-add
@@ -2625,18 +2628,18 @@ Identity added: /usr/home/user/.ssh/id_d
 	<para>To use <command>ssh-agent</command> in
 	  <application>&xorg;</application>, add an entry for it in
 	  <filename>~/.xinitrc</filename>.  This provides the
-	  <command>ssh-agent</command> services to all programs launched in
-	  <application>&xorg;</application>.  An example
+	  <command>ssh-agent</command> services to all programs
+	  launched in <application>&xorg;</application>.  An example
 	  <filename>~/.xinitrc</filename> might look like this:</para>
 
 	<programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
 
-	<para>This launches <command>ssh-agent</command>, which in turn launches
-	  <application>XFCE</application>, every time
+	<para>This launches <command>ssh-agent</command>, which in
+	  turn launches <application>XFCE</application>, every time
 	  <application>&xorg;</application> starts.  Once
 	  <application>&xorg;</application> has been restarted so that
-	  the changes can take effect, run <command>ssh-add</command> to load all
-	  of the <acronym>SSH</acronym> keys.</para>
+	  the changes can take effect, run <command>ssh-add</command>
+	  to load all of the <acronym>SSH</acronym> keys.</para>
       </sect3>
 
       <sect3 xml:id="security-ssh-tunneling">
@@ -2651,8 +2654,9 @@ Identity added: /usr/home/user/.ssh/id_d
 	  create a tunnel to encapsulate another protocol in an
 	  encrypted session.</para>
 
-	<para>The following command tells <command>ssh</command> to create a
-	  tunnel for <application>telnet</application>:</para>
+	<para>The following command tells <command>ssh</command> to
+	  create a tunnel for
+	  <application>telnet</application>:</para>
 
 	<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput>
 &prompt.user;</screen>
@@ -2664,8 +2668,8 @@ Identity added: /usr/home/user/.ssh/id_d
 	    <term><option>-2</option></term>
 
 	    <listitem>
-	      <para>Forces <command>ssh</command> to use version 2 to connect to
-		the server.</para>
+	      <para>Forces <command>ssh</command> to use version 2 to
+		connect to the server.</para>
 	    </listitem>
 	  </varlistentry>
 
@@ -2674,7 +2678,8 @@ Identity added: /usr/home/user/.ssh/id_d
 
 	    <listitem>
 	      <para>Indicates no command, or tunnel only.  If omitted,
-		<command>ssh</command> initiates a normal session.</para>
+		<command>ssh</command> initiates a normal
+		session.</para>
 	    </listitem>
 	  </varlistentry>
 
@@ -2709,21 +2714,21 @@ Identity added: /usr/home/user/.ssh/id_d
 
 	<para>An <acronym>SSH</acronym> tunnel works by creating a
 	  listen socket on <systemitem>localhost</systemitem> on the
-	  specified <literal>localport</literal>.  It then forwards any connections received
-	  on <literal>localport</literal> via the <acronym>SSH</acronym>
-	  connection to the specified <literal>remotehost:remoteport</literal>.
-	  In the example, port <literal>5023</literal> on
-	  the client is forwarded to port
-	  <literal>23</literal> on
-	  the remote machine.
-	  Since port 23 is used by
-	  <application>telnet</application>, this creates an encrypted <application>telnet</application>
+	  specified <literal>localport</literal>.  It then forwards
+	  any connections received on <literal>localport</literal> via
+	  the <acronym>SSH</acronym> connection to the specified
+	  <literal>remotehost:remoteport</literal>.  In the example,
+	  port <literal>5023</literal> on the client is forwarded to
+	  port <literal>23</literal> on the remote machine.  Since
+	  port 23 is used by <application>telnet</application>, this
+	  creates an encrypted <application>telnet</application>
 	  session through an <acronym>SSH</acronym> tunnel.</para>
 
-	<para>This method can be used to wrap any number of insecure <acronym>TCP</acronym>
-	  protocols such as <acronym>SMTP</acronym>,
-	  <acronym>POP3</acronym>, and <acronym>FTP</acronym>, as seen
-	  in the following examples.</para>
+	<para>This method can be used to wrap any number of insecure
+	  <acronym>TCP</acronym> protocols such as
+	  <acronym>SMTP</acronym>, <acronym>POP3</acronym>, and
+	  <acronym>FTP</acronym>, as seen in the following
+	  examples.</para>
 
 	<example>
 	  <title>Create a Secure Tunnel for
@@ -2738,23 +2743,24 @@ Escape character is '^]'.
 220 mailserver.example.com ESMTP</screen>
 
 	  <para>This can be used in conjunction with
-	    <command>ssh-keygen</command> and additional user accounts to create
-	    a more seamless <acronym>SSH</acronym> tunneling
+	    <command>ssh-keygen</command> and additional user accounts
+	    to create a more seamless <acronym>SSH</acronym> tunneling
 	    environment.  Keys can be used in place of typing a
 	    password, and the tunnels can be run as a separate
 	    user.</para>
 	</example>
 
 	<example>
-	  <title>Secure Access of a <acronym>POP3</acronym> Server</title>
+	  <title>Secure Access of a <acronym>POP3</acronym>
+	    Server</title>
 
 	  <para>In this example, there is an <acronym>SSH</acronym>
 	    server that accepts connections from the outside.  On the
-	    same network resides a mail server running a <acronym>POP3</acronym> server.
-	    To check email in a secure manner, create an
-	    <acronym>SSH</acronym> connection to the
-	    <acronym>SSH</acronym> server and tunnel through to the
-	    mail server:</para>
+	    same network resides a mail server running a
+	    <acronym>POP3</acronym> server.  To check email in a
+	    secure manner, create an <acronym>SSH</acronym> connection
+	    to the <acronym>SSH</acronym> server and tunnel through to
+	    the mail server:</para>
 
 	  <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>2110:mail.example.com:110 user@ssh-server.example.com</replaceable></userinput>
 user@ssh-server.example.com's password: <userinput>******</userinput></screen>
@@ -2771,10 +2777,11 @@ user@ssh-server.example.com's password: 
 
 	  <para>Some firewalls
 	    filter both incoming and outgoing connections.  For
-	    example, a firewall might limit access from remote machines to
-	    ports 22 and 80 to only allow <acronym>SSH</acronym> and web surfing.
-	    This prevents access to any other service which uses a
-	    port other than 22 or 80.</para>
+	    example, a firewall might limit access from remote
+	    machines to ports 22 and 80 to only allow
+	    <acronym>SSH</acronym> and web surfing.  This prevents
+	    access to any other service which uses a port other than
+	    22 or 80.</para>
 
 	  <para>The solution is to create an <acronym>SSH</acronym>
 	    connection to a machine outside of the network's firewall
@@ -2805,16 +2812,15 @@ user@unfirewalled-system.example.org's p
 	<acronym>SSH</acronym> server, accepting connections from
 	other <acronym>SSH</acronym> clients.</para>
 
-      <para>To see if <application>sshd</application> is enabled, check
-	<filename>/etc/rc.conf</filename> for this line and add it if
-	it is missing:</para>
+      <para>To see if <application>sshd</application> is enabled,
+	check <filename>/etc/rc.conf</filename> for this line and add
+	it if it is missing:</para>
 
       <programlisting>sshd_enable="YES"</programlisting>
 
-      <para>This will start <application>sshd</application>, the daemon program for
-	<application>OpenSSH</application>, the next time the system
-	boots.  To start it
-	now:</para>
+      <para>This will start <application>sshd</application>, the
+	daemon program for <application>OpenSSH</application>, the
+	next time the system boots.  To start it now:</para>
 
       <screen>&prompt.root; <userinput>service sshd start</userinput></screen>
 
@@ -2830,10 +2836,10 @@ user@unfirewalled-system.example.org's p
 	and the various configuration files.</para>
 
       <para>It is a good idea to limit which users can log into the
-	<acronym>SSH</acronym> server
-	and from where using the <literal>AllowUsers</literal> keyword
-	in the <application>OpenSSH</application> server configuration file.  For
-	example, to only allow <systemitem
+	<acronym>SSH</acronym> server and from where using the
+	<literal>AllowUsers</literal> keyword in the
+	<application>OpenSSH</application> server configuration file.
+	For example, to only allow <systemitem
 	  class="username">root</systemitem> to log in from
 	<systemitem class="ipaddress">192.168.1.32</systemitem>, add
 	this line to <filename>/etc/ssh/sshd_config</filename>:</para>
@@ -2850,31 +2856,34 @@ user@unfirewalled-system.example.org's p
 	so:</para>
 
       <programlisting>AllowUsers root@192.168.1.32 admin</programlisting>
+
       <para>After making changes to
-	<filename>/etc/ssh/sshd_config</filename>, tell <application>sshd</application>
-	to reload its configuration file by running:</para>
+	<filename>/etc/ssh/sshd_config</filename>,
+	tell <application>sshd</application> to reload its
+	configuration file by running:</para>
 
       <screen>&prompt.root; <userinput>service sshd reload</userinput></screen>
 
       <note>
-	<para>When this keyword is used, it is important to list each user that needs to log into
-	  this machine.  Any user that is not specified in that line will be locked out.  Also, the
+	<para>When this keyword is used, it is important to list each
+	  user that needs to log into this machine.  Any user that is
+	  not specified in that line will be locked out.  Also, the
 	  keywords used in the <application>OpenSSH</application>
 	  server configuration file are case-sensitive.  If the
-	  keyword is not spelled correctly, including its case, it will
-	  be ignored.  Always test changes to this file to make sure
-	  that the edits are working as expected.  Refer to
+	  keyword is not spelled correctly, including its case, it
+	  will be ignored.  Always test changes to this file to make
+	  sure that the edits are working as expected.  Refer to
 	  &man.sshd.config.5; to verify the spelling and use of the
 	  available keywords.</para>
       </note>
 
       <tip>
 	<para>Don't confuse <filename>/etc/ssh/sshd_config</filename>
-	  with <filename>/etc/ssh/ssh_config</filename> (note the extra
-	  <literal>d</literal> in the first filename).  The first file
-	  configures the server and the second file configures the
-	  client.  Refer to &man.ssh.config.5; for a listing of the
-	  available client settings,.</para>
+	  with <filename>/etc/ssh/ssh_config</filename> (note the
+	  extra <literal>d</literal> in the first filename).  The
+	  first file configures the server and the second file
+	  configures the client.  Refer to &man.ssh.config.5; for a
+	  listing of the available client settings,.</para>
       </tip>
     </sect2>
   </sect1>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201404102052.s3AKqOM0032800>