From owner-svn-doc-projects@FreeBSD.ORG Mon Apr 29 12:44:23 2013
Return-Path:
Delivered-To: svn-doc-projects@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id D4920923; Mon, 29 Apr 2013 12:44:23 +0000 (UTC) (envelope-from dru@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id C65661266; Mon, 29 Apr 2013 12:44:23 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r3TCiNE7004917; Mon, 29 Apr 2013 12:44:23 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r3TCiN1H004916; Mon, 29 Apr 2013 12:44:23 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201304291244.r3TCiN1H004916@svn.freebsd.org>
From: Dru Lavigne
Date: Mon, 29 Apr 2013 12:44:23 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41513 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security
X-SVN-Group: doc-projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-projects@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for doc projects trees
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 Apr 2013 12:44:23 -0000

Author: dru
Date: Mon Apr 29 12:44:22 2013
New Revision: 41513
URL: http://svnweb.freebsd.org/changeset/doc/41513

Log:
  First pass through this chapter. Due to its size, patch only addresses first 1/2 of chapter, fixing the following:
  - &os;
  - etc and you
  - some acronym tags
  - general tightening and grammo fixing
  - removed note in 15.3 as this belongs in preface, not in a chapter
  - fixed filesystems (which bled over into other part of chapter)

  Approved by:	gjb (mentor)

Modified:
  projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml	Sat Apr 27 14:18:12 2013	(r41512)
+++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml	Mon Apr 29 12:44:22 2013	(r41513)
@@ -24,31 +24,27 @@ Synopsis - This chapter will provide a basic introduction to system + This chapter provides a basic introduction to system security concepts, some general good rules of thumb, and some - advanced topics under &os;. A lot of the topics covered here - can be applied to system and Internet security in general as - well. The Internet is no longer a friendly place - in which everyone wants to be your kind neighbor. Securing your - system is imperative to protect your data, intellectual - property, time, and much more from the hands of hackers and the - like. - - &os; provides an array of utilities and mechanisms to ensure - the integrity and security of your system and network. + advanced topics under &os;. Many of the topics covered here + can be applied to system and Internet security in general. + Securing a system is imperative to protect data, + intellectual property, time, and much more from the hands of + hackers and the like. + + &os; provides an array of utilities and mechanisms to + protect the integrity and security of the system and + network. After reading this chapter, you will know: - Basic system security concepts, in respect to - &os;. + Basic &os; system security concepts. - About the various crypt mechanisms available in &os;, - such as DES and - MD5. + The various crypt mechanisms available in &os;. 
@@ -61,41 +57,37 @@ - How to set up Kerberos5 on + How to set up Kerberos on &os;. How to configure IPsec and create a - VPN between &os;/&windows; - machines. + VPN. How to configure and use - OpenSSH, &os;'s - SSH implementation. + OpenSSH on &os;. - What file system ACLs are and how to - use them. + How to use filesystem ACLs. - How to use the Portaudit - utility to audit third party software packages installed - from the Ports Collection. + How to use portaudit to + audit third party software packages installed from the + Ports Collection. - How to utilize the &os; security advisories - publications. + How to utilize &os; security advisories. - Have an idea of what Process Accounting is and how to - enable it on &os;. + What Process Accounting is and how to enable it on + &os;. 
@@ -107,36 +99,26 @@ - Additional security topics are covered throughout this book. - For example, Mandatory Access Control is discussed in and Internet Firewalls are discussed in . + Additional security topics are covered elsewhere in this + Handbook. For example, Mandatory Access Control is discussed in + and Internet firewalls are discussed in + . Introduction Security is a function that begins and ends with the system - administrator. While all BSD &unix; multi-user systems have - some inherent security, the job of building and maintaining - additional security mechanisms to keep those users - honest is probably one of the single largest - undertakings of the sysadmin. Machines are only as secure as - you make them, and security concerns are ever competing with the - human necessity for convenience. &unix; systems, in general, - are capable of running a huge number of simultaneous processes - and many of these processes operate as servers — meaning - that external entities can connect and talk to them. As - yesterday's mini-computers and mainframes become today's - desktops, and as computers become networked and inter-networked, - security becomes an even bigger issue. + administrator. While &os; provides some inherent security, the + job of configuring and maintaining additional security + mechanisms is probably one of the single largest undertakings of + the sysadmin. System security also pertains to dealing with various forms of attack, including attacks that attempt to crash, or otherwise make a system unusable, but do not attempt to compromise the - root account (break root). - Security concerns can be split up into several - categories: + root account. Security concerns can be + split up into several categories: @@ -148,7 +130,7 @@ - Root compromise through accessible servers. + Root compromise through accessible services. 
@@ -171,50 +153,36 @@ Denial of Service (DoS) - A denial of service attack is an action that deprives the - machine of needed resources. Typically, DoS attacks are - brute-force mechanisms that attempt to crash or otherwise make a - machine unusable by overwhelming its servers or network stack. - Some DoS attacks try to take advantage of bugs in the networking - stack to crash a machine with a single packet. The latter can - only be fixed by applying a bug fix to the kernel. Attacks on - servers can often be fixed by properly specifying options to + A Denial of Service DoS attack is an + action that deprives the machine of needed resources. + Typically, DoS attacks are brute-force + mechanisms that attempt to crash or otherwise make a machine + unusable by overwhelming its services or network stack. Attacks + on servers can often be fixed by properly specifying options to limit the load the servers incur on the system under adverse conditions. Brute-force network attacks are harder to deal - with. A spoofed-packet attack, for example, is nearly - impossible to stop, short of cutting your system off from the - Internet. It may not be able to take your machine down, but it - can saturate your Internet connection. + with. This type of attack may not be able to take the machine + down, but it can saturate the Internet connection. security account compromises - A user account compromise is even more common than a DoS - attack. Many sysadmins still run standard - telnetd, - rlogind, - rshd, and - ftpd servers on their machines. - These servers, by default, do not operate over encrypted - connections. The result is that if you have any moderate-sized - user base, one or more of your users logging into your system - from a remote location (which is the most common and convenient - way to login to a system) will have his or her password sniffed. 
- The attentive system admin will analyze his remote access logs - looking for suspicious source addresses even for successful - logins. - - One must always assume that once an attacker has access to a - user account, the attacker can break root. - However, the reality is that in a well secured and maintained - system, access to a user account does not necessarily give the - attacker access to root. The distinction - is important because without access to root - the attacker cannot generally hide his tracks and may, at best, - be able to do nothing more than mess with the user's files, or - crash the machine. User account compromises are very common + A user account compromise is more common than a + DoS attack. Many sysadmins still run + unencrypted services, meaning that users logging into the + system from a remote location are vulnerable to having their + password sniffed. The attentive sysadmin analyzes the + remote access logs looking for suspicious source addresses and + suspicious logins. + + In a well secured and maintained system, access to a user + account does not necessarily give the attacker access to + root. Without root + access, the attacker cannot generally hide his tracks and may, + at best, be able to do nothing more than mess with the user's + files or crash the machine. User account compromises are common because users tend not to take the precautions that sysadmins take. 
@@ -223,27 +191,14 @@ backdoors - System administrators must keep in mind that there are - potentially many ways to break root on a - machine. The attacker may know the root - password, the attacker may find a bug in a root-run server and - be able to break root over a network - connection to that server, or the attacker may know of a bug in - a suid-root program that allows the attacker to break - root once he has broken into a user's - account. If an attacker has found a way to break - root on a machine, the attacker may not - have a need to install a backdoor. Many of the - root holes found and closed to date involve - a considerable amount of work by the attacker to cleanup after - himself, so most attackers install backdoors. A backdoor - provides the attacker with a way to easily regain - root access to the system, but it also - gives the smart system administrator a convenient way to detect - the intrusion. Making it impossible for an attacker to install - a backdoor may actually be detrimental to your security, because - it will not close off the hole the attacker found to break in - the first place. + There are potentially many ways to break + root: the attacker may know the + root password, the attacker may exploit a + bug in a service which runs as root, or the + attacker may know of a bug in a SUID-root program. An attacker + may utilize a program known as a backdoor to search for + vulnerable systems, take advantage of unpatched exploits to + access a system, and hide traces of illegal activity. Security remedies should always be implemented with a multi-layered onion peel approach and can be 
@@ -251,26 +206,26 @@ - Securing root and staff + Secure root and staff accounts. - Securing root–run servers - and suid/sgid binaries. + Secure root–run servers + and SUID/SGID binaries. - Securing user accounts. + Secure user accounts. - Securing the password file. + Secure the password file. - Securing the kernel core, raw devices, and - file systems. + Secure the kernel core, raw devices, and + filesystems. @@ -283,8 +238,7 @@ - The next section of this chapter will cover the above bullet - items in greater depth. + The next section covers these items in greater depth. 
@@ -295,254 +249,141 @@ securing &os; - - Command Versus Protocol - - Throughout this document, we will use - bold text to refer to an - application, and a monospaced font to refer - to specific commands. Protocols will use a normal font. This - typographical distinction is useful for instances such as ssh, - since it is a protocol as well as command. - - - The sections that follow will cover the methods of securing - your &os; system that were mentioned in the last section of this - chapter. + This section describes methods for securing a &os; system + against the attacks that were mentioned in the previous section. - Securing the <username>root</username> Account and - Staff Accounts + Securing the <username>root</username> Account su - First off, do not bother securing staff accounts if you - have not secured the root account. Most + Most systems have a password assigned to the - root account. The first thing you do is - assume that the password is always - compromised. This does not mean that you should remove the - password. The password is almost always necessary for console - access to the machine. What it does mean is that you should - not make it possible to use the password outside of the - console or possibly even with the &man.su.1; command. For - example, make sure that your ptys are specified as being - insecure in the /etc/ttys file so that - direct root logins via - telnet or rlogin are - disallowed. If using other login services such as - sshd, make sure that direct - root logins are disabled there as well. - You can do this by editing your - /etc/ssh/sshd_config file, and making - sure that PermitRootLogin is set to - no. Consider every access method — - services such as FTP often fall through the cracks. Direct - root logins should only be allowed via - the system console. + root account. Assume that this password + is always at risk of being compromised. 
+ This does not mean that the password should be disabled as the + password is almost always necessary for console access to the + machine. However, it should not be possible to use this + password outside of the console or possibly even with + &man.su.1;. For example, setting the entries in + /etc/ttys to insecure + prevents root logins to the specified + terminals. In &os;, root logins using + &man.ssh.1; are disabled by default as + PermitRootLogin is set to + no in + /etc/ssh/sshd_config. Consider every + access method as services such as FTP often fall through the + cracks. Direct root logins should only + be allowed via the system console. wheel - Of course, as a sysadmin you have to be able to get to - root, so we open up a few holes. But we - make sure these holes require additional password verification - to operate. One way to make root - accessible is to add appropriate staff accounts to the - wheel group (in - /etc/group). The staff members placed in - the wheel group are allowed to - su to root. You - should never give staff members native - wheel access by putting them in the - wheel group in their password entry. - Staff accounts should be placed in a - staff group, and then added to the - wheel group via the - /etc/group file. Only those staff - members who actually need to have root - access should be placed in the wheel - group. It is also possible, when using an authentication - method such as Kerberos, to use Kerberos' - .k5login file in the - root account to allow a &man.ksu.1; to - root without having to place anyone at - all in the wheel group. This may be - the better solution since the wheel - mechanism still allows an intruder to break - root if the intruder has gotten hold of - your password file and can break into a staff account. While - having the wheel mechanism is better - than having nothing at all, it is not necessarily the safest - option. 
+ Since a sysadmin needs access to + root, additional password verification + should be configured. One method is to add appropriate user + accounts to wheel in + /etc/group. Members of + wheel are allowed to + &man.su.1; to root. Only + those users who actually need to have + root access should be placed in + wheel. When using Kerberos for + authentication, create a .k5login in + the home directory of root to allow + &man.ksu.1; to be used without having to place anyone in + wheel. - To lock an account completely, the &man.pw.8; command - should be used: + To lock an account completely, use &man.pw.8;: &prompt.root; pw lock staff - This will prevent the user from logging in using any - mechanism, including &man.ssh.1;. + This will prevent the specified user from logging in using + any mechanism, including &man.ssh.1;. Another method of blocking access to accounts would be to replace the encrypted password with a single * character. This character - would never match the encrypted password and thus block user - access. For example, the following staff account: + would never match the encrypted password and thus blocks user + access. For example, the entry for the following + account: foobar:R9DT/Fa1/LV9U:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh - Should be changed to this: + could be changed to this using &man.vipw.8;: foobar:*:1000:1000::0:0:Foo Bar:/home/foobar:/usr/local/bin/tcsh - This will prevent the foobar user - from logging in using conventional methods. This method for - access restriction is flawed on sites using + This prevents foobar from logging in + using conventional methods. This method for access + restriction is flawed on sites using Kerberos or in situations where the user has set up keys with &man.ssh.1;. - These security mechanisms also assume that you are logging + These security mechanisms assume that users are logging in from a more restrictive server to a less restrictive - server. 
For example, if your main box is running all sorts of - servers, your workstation should not be running any. In order - for your workstation to be reasonably secure you should run as - few servers as possible, up to and including no servers at - all, and you should run a password-protected screen blanker. - Of course, given physical access to a workstation an attacker - can break any sort of security you put on it. This is - definitely a problem that you should consider, but you should - also consider the fact that the vast majority of break-ins - occur remotely, over a network, from people who do not have - physical access to your workstation or servers. - - Using something like Kerberos also gives you the ability - to disable or change the password for a staff account in one - place, and have it immediately affect all the machines on - which the staff member may have an account. If a staff - member's account gets compromised, the ability to instantly - change his password on all machines should not be underrated. - With discrete passwords, changing a password on N machines can - be a mess. You can also impose re-passwording restrictions - with Kerberos: not only can a Kerberos ticket be made to - timeout after a while, but the Kerberos system can require - that the user choose a new password after a certain period of - time (say, once a month). + server. For example, if the server is running network + services, the workstation should not be running any. In + order for a workstation to be reasonably secure, run zero or + as few services as possible and run a password-protected + screensaver. Of course, given physical access to any system, + an attacker can break any sort of security. Fortunately, + many break-ins occur remotely, over a network, + from people who do not have physical access to the + system. 
+ + Using Kerberos provides the ability to disable or change + the password for a user in one place, and have it immediately + affect all the machines on which the user has an account. If + an account is compromised, the ability to instantly change the + associated password on all machines should not be underrated. + Additional restrictions can be imposed with Kerberos: a + Kerberos ticket can be configured to timeout and the Kerberos + system can require that the user choose a new password after a + configurable period of time. Securing Root-run Servers and SUID/SGID Binaries - ntalk - - - comsat - - - finger - - sandboxes sshd - - telnetd - - - rshd - - - rlogind - - The prudent sysadmin only runs the servers he needs to, no - more, no less. Be aware that third party servers are often - the most bug-prone. For example, running an old version of - imapd or - popper is like giving a universal - root ticket out to the entire world. - Never run a server that you have not checked out carefully. - Many servers do not need to be run as - root. For example, the - ntalk, - comsat, and - finger daemons can be run in - special user sandboxes. A sandbox is - not perfect, unless you go through a large amount of trouble, - but the onion approach to security still stands: If someone is - able to break in through a server running in a sandbox, they - still have to break out of the sandbox. The more layers the - attacker must break through, the lower the likelihood of his - success. Root holes have historically been found in virtually - every server ever run as root, including - basic system servers. If you are running a machine through - which people only login via sshd - and never login via telnetd or - rshd or - rlogind, then turn off those - services! - - &os; now defaults to running - ntalkd, - comsat, and - finger in a sandbox. Another - program which may be a candidate for running in a sandbox is - &man.named.8;. 
/etc/defaults/rc.conf - includes the arguments necessary to run - named in a sandbox in a - commented-out form. Depending on whether you are installing a - new system or upgrading an existing system, the special user - accounts used by these sandboxes may not be installed. The - prudent sysadmin would research and implement sandboxes for - servers whenever possible. + The prudent sysadmin only enables required services + and is aware that third party servers are often the most + bug-prone. Never run a server that has not been checked + out carefully. Think twice before running any service as + root as many daemons can be run as a + separate service account or can be started in a + sandbox. Do not activate insecure + services such as telnetd or + rlogind. - - sendmail - - - There are a number of other servers that typically do not - run in sandboxes: sendmail, - popper, - imapd, - ftpd, and others. There are - alternatives to some of these, but installing them may require - more work than you are willing to perform (the convenience - factor strikes again). You may have to run these servers as - root and rely on other mechanisms to - detect break-ins that might occur through them. - - The other big potential root holes in - a system are the suid-root and sgid binaries installed on the - system. Most of these binaries, such as + Another potential security hole is SUID-root and SGID + binaries. Most of these binaries, such as rlogin, reside in /bin, /sbin, /usr/bin, or /usr/sbin. While nothing is - 100% safe, the system-default suid and sgid binaries can be - considered reasonably safe. Still, root - holes are occasionally found in these binaries. A - root hole was found in - Xlib in 1998 that made - xterm (which is typically suid) - vulnerable. 
It is better to be safe than sorry and the - prudent sysadmin will restrict suid binaries, that only staff - should run, to a special group that only staff can access, and - get rid of (chmod 000) any suid binaries - that nobody uses. A server with no display generally does not - need an xterm binary. Sgid - binaries can be almost as dangerous. If an intruder can break - an sgid-kmem binary, the intruder might be able to read + 100% safe, the system-default SUID and SGID binaries can be + considered reasonably safe. It is recommended to restrict + SUID binaries to a special group that only staff can access, + and to delete any unused SUID binaries. SGID binaries can be + almost as dangerous. If an intruder can break an SGID-kmem + binary, the intruder might be able to read /dev/kmem and thus read the encrypted - password file, potentially compromising any passworded - account. Alternatively an intruder who breaks group + password file, potentially compromising user accounts. + Alternatively, an intruder who breaks group kmem can monitor keystrokes sent through ptys, including ptys used by users who login through secure methods. An intruder that breaks the 
@@ -558,226 +399,203 @@ Securing User Accounts User accounts are usually the most difficult to secure. - While you can impose draconian access restrictions on your - staff and star out their passwords, you may not - be able to do so with any general user accounts you might - have. If you do have sufficient control, then you may win out - and be able to secure the user accounts properly. If not, you - simply have to be more vigilant in your monitoring of those - accounts. Use of ssh and Kerberos for user accounts is more - problematic, due to the extra administration and technical - support required, but still a very good solution compared to a - encrypted password file. + Be vigilant in the monitoring of user accounts. Use of + &man.ssh.1; and Kerberos for user accounts + requires extra administration and technical support, but + provides a good solution compared to an encrypted password + file. Securing the Password File The only sure fire way is to star out as many passwords as - you can and use ssh or Kerberos for access to those accounts. - Even though the encrypted password file - (/etc/spwd.db) can only be read by - root, it may be possible for an intruder - to obtain read access to that file even if the attacker cannot - obtain root-write access. + possible and use &man.ssh.1; or Kerberos + for access to those accounts. Even though the encrypted + password file (/etc/spwd.db) can only be + read by root, it may be possible for an + intruder to obtain read access to that file even if the + attacker cannot obtain root-write access. - Your security scripts should always check for and report - changes to the password file (see the Security scripts should be used to check for and report + changes to the password file as described in the Checking file integrity - section below). + section. Securing the Kernel Core, Raw Devices, and - File Systems + Filesystems - If an attacker breaks root he can do - just about anything, but there are certain conveniences. 
For - example, most modern kernels have a packet sniffing device - driver built in. Under &os; it is called the - bpf device. An intruder will - commonly attempt to run a packet sniffer on a compromised - machine. You do not need to give the intruder the capability - and most systems do not have the need for the - bpf device compiled in. + Most modern kernels have a packet sniffing device driver + built in. Under &os; it is called + bpf. This device is needed for DHCP, + but can be removed in the custom kernel configuration file of + systems that do not provide or use DHCP. sysctl - But even if you turn off the bpf - device, you still have /dev/mem and - /dev/kmem to worry about. For that - matter, the intruder can still write to raw disk devices. - Also, there is another kernel feature called the module - loader, &man.kldload.8;. An enterprising intruder can use a - KLD module to install his own bpf - device, or other sniffing device, on a running kernel. To - avoid these problems you have to run the kernel at a higher - secure level, at least securelevel 1. - - The secure level of the kernel can be set in a variety of - ways. The simplest way of raising the secure level of a - running kernel is through a sysctl on the - kern.securelevel kernel variable: + Even if bpf is disabled, + /dev/mem and + /dev/kmem are still problematic. An + intruder can still write to raw disk devices. An enterprising + intruder can use &man.kldload.8; to install his own + bpf, or another sniffing device, on a + running kernel. To avoid these problems, run the kernel at a + higher security level, at least security level 1. + + The security level of the kernel can be set in a variety + of ways. The simplest way of raising the security level of a + running kernel is to set + kern.securelevel: &prompt.root; sysctl kern.securelevel=1 - By default, the &os; kernel boots with a secure level of - -1. 
The secure level will remain at -1 unless it is altered, - either by the administrator or by &man.init.8; because of a - setting in the start up scripts. The secure level may be - raised during system startup by setting the - kern_securelevel_enable variable to - YES in the - /etc/rc.conf file, and the value of the - kern_securelevel variable to the desired - secure level. - - The default secure level of a &os; system right after the - startup scripts are done is -1. This is called - insecure mode because immutable file flags may - be turned off, all devices may be read from or written to, and - so on. + By default, the &os; kernel boots with a security level of + -1. This is called insecure mode because + immutable file flags may be turned off and all devices may be + read from or written to. The security level will remain at -1 + unless it is altered, either by the administrator or by + &man.init.8;, because of a setting in the startup scripts. + The security level may be raised during system startup by + setting + kern_securelevel_enable to + YES in /etc/rc.conf, + and the value of kern_securelevel to the + desired security level. - Once the secure level is set to 1 or a higher value, the + Once the security level is set to 1 or a higher value, the append-only and immutable files are honored, they cannot be - turned off, and access to raw devices will be denied. Higher + turned off, and access to raw devices is denied. Higher levels restrict even more operations. For a full description - of the effect of various secure levels, please read the - &man.security.7; manual page. + of the effect of various security levels, refer to + &man.security.7; and &man.init.8;. 
- Bumping the secure level to 1 or higher may cause a few - problems to X11 (access to /dev/io will - be blocked), or to the installation of &os; built from - source (the installworld part of - the process needs to temporarily reset the append-only and - immutable flags of some files), and in a few other cases. - Sometimes, as in the case of X11, it may be possible to work - around this by starting &man.xdm.1; pretty early in the boot - process, when the securelevel is still low enough. - Workarounds like this may not be possible for all secure + Bumping the security level to 1 or higher may cause a + few + problems to &xorg;, as access to + /dev/io will be blocked, or to the + installation of &os; built from source as + installworld needs to temporarily + reset the append-only and immutable flags of some files. + In the case of &xorg;, it may be + possible to work around this by starting &man.xdm.1; early + in the boot process, when the security level is still low + enough. Workarounds may not be possible for all secure levels or for all the potential restrictions they enforce. A bit of forward planning is a good idea. Understanding the - restrictions imposed by each secure level is important as + restrictions imposed by each security level is important as they severely diminish the ease of system use. It will also make choosing a default setting much simpler and prevent any surprises. - If the kernel's secure level is raised to 1 or a higher + If the kernel's security level is raised to 1 or a higher value, it may be useful to set the schg - flag on critical startup binaries, directories, and script - files (i.e., everything that gets run up to the point where - the securelevel is set). This might be overdoing it, and - upgrading the system is much more difficult when it operates - at a high secure level. A less strict compromise is to run - the system at a higher secure level but skip setting the - schg flag for every system file and - directory under the sun. 
Another possibility is to simply + flag on critical startup binaries, directories, script + files, and everything that gets run up to the point where + the security level is set. A less strict compromise is to run + the system at a higher security level but skip setting the + schg flag. Another possibility is to mount / and /usr read-only. It should be noted that being too draconian about what is permitted may - prevent the all-important detection of an intrusion. + prevent detection of an intrusion. - Checking File Integrity: Binaries, Configuration Files, - Etc. + Checking File Integrity - When it comes right down to it, you can only protect your - core system configuration and control files so much before the - convenience factor rears its ugly head. For example, using - chflags to set the schg - bit on most of the files in / and One can only protect the core system configuration and + control files so much before the convenience factor rears its + ugly head. For example, using &man.chflags.1; to + set the schg bit on most of the files in + / and /usr is probably counterproductive, because while it may protect the files, it - also closes a detection window. The last layer of your - security onion is perhaps the most important — - detection. The rest of your security is pretty much useless - (or, worse, presents you with a false sense of security) if - you cannot detect potential intrusions. Half the job of the - onion is to slow down the attacker, rather than stop him, in - order to be able to catch him in the act. + also closes an intrusion detection window. Security measures + are useless or, worse, present a false sense of security, if + potential intrusions cannot be detected. Half the job of + security is to slow down, not stop, an attacker, in order to + catch him in the act. The best way to detect an intrusion is to look for modified, missing, or unexpected files. 
The best way to look - for modified files is from another (often centralized) + for modified files is from another, often centralized, limited-access system. Writing your security scripts on the - extra-secure limited-access system makes them mostly invisible - to potential attackers, and this is important. In order to - take maximum advantage you generally have to give the - limited-access box significant access to the other machines in - the business, usually either by doing a read-only NFS export - of the other machines to the limited-access box, or by setting - up ssh key-pairs to allow the limited-access box to ssh to the - other machines. Except for its network traffic, NFS is the - least visible method — allowing you to monitor the file - systems on each client box virtually undetected. If your - limited-access server is connected to the client boxes through - a switch, the NFS method is often the better choice. If your - limited-access server is connected to the client boxes through - a hub, or through several layers of routing, the NFS method - may be too insecure (network-wise) and using ssh may be the - better choice even with the audit-trail tracks that ssh - lays. - - Once you have given a limited-access box at least read - access to the client systems it is supposed to monitor, you - must write scripts to do the actual monitoring. Given an NFS - mount, you can write scripts out of simple system utilities - such as &man.find.1; and &man.md5.1;. It is best to - physically md5 the client-box files at least once a day, and + extra-security limited-access system makes them mostly + invisible + to potential attackers. In order to take maximum advantage, + the limited-access box needs significant access to the other + machines, usually either through a read-only + NFS export or by setting up + &man.ssh.1; key-pairs. 
Except for its + network traffic, NFS is the least visible + method, allowing the administrator to monitor the filesystems + on each client box virtually undetected. If a limited-access + server is connected to the client boxes through + a switch, the NFS method is often the + better choice. If a limited-access server is connected to the + client boxes through several layers of routing, the + NFS method may be too insecure and + &man.ssh.1; may be the better + choice. + + Once a limited-access box has been given at least read + access to the client systems it is supposed to monitor, create + the monitoring scripts. Given an NFS + mount, write scripts out of simple system utilities such as + &man.find.1; and &man.md5.1;. It is best to physically + &man.md5.1; the client system's files at least once a day, and to test control files such as those found in /etc and /usr/local/etc even more often. When mismatches are found, relative to the base md5 information the limited-access machine knows is valid, it - should scream at a sysadmin to go check it out. A good - security script will also check for inappropriate suid - binaries and for new or deleted files on system partitions - such as / and / and /usr. - When using ssh rather than NFS, writing the security - script is much more difficult. You essentially have to - scp the scripts to the client box in order - to run them, making them visible, and for safety you also need - to scp the binaries (such as find) that - those scripts use. The ssh client - on the client box may already be compromised. All in all, - using ssh may be necessary when running over insecure links, - but it is also a lot harder to deal with. - - A good security script will also check for changes to user - and staff members access configuration files: - .rhosts, .shosts, - .ssh/authorized_keys and so forth, files - that might fall outside the purview of the + When using &man.ssh.1; rather than + NFS, writing the security script is more + difficult. 
For example, &man.scp.1; is needed to + send the scripts to the client box in order to run them. The + &man.ssh.1; client + on the client box may already be compromised. Using + &man.ssh.1; may be necessary when running + over insecure links, but it is harder to deal with. + + A good security script will also check for changes to + hidden configuration files, such as + .rhosts and + .ssh/authorized_keys, as these files + might fall outside the purview of the MD5 check. - If you have a huge amount of user disk space, it may take - too long to run through every file on those partitions. In - this case, setting mount flags to disallow suid binaries is a - good idea. The nosuid option (see - &man.mount.8;) is what you want to look into. You should - probably scan them anyway, at least once a week, since the - object of this layer is to detect a break-in attempt, whether - or not the attempt succeeds. + For a large amount of user disk space, it may take too + long to run through every file on those partitions. In this + case, consider setting mount flags to disallow SUID binaries + by using nosuid with &man.mount.8;. Scan + these partitions at least once a week, since the objective is + to detect a break-in attempt, whether or not the attempt + succeeds. Process accounting (see &man.accton.8;) is a relatively - low-overhead feature of the operating system which might help - as a post-break-in evaluation mechanism. It is especially - useful in tracking down how an intruder has actually broken - into a system, assuming the file is still intact after the - break-in has occurred. + low-overhead feature of &os; which might help as a + post-break-in evaluation mechanism. It is especially useful + in tracking down how an intruder broke into a system, assuming + the file is still intact after the break-in has + occurred. 
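Review bot: the rename from "secure level" to "security level" is incomplete; the same paragraph still reads "Workarounds may not be possible for all secure levels or for all the potential restrictions they enforce", so the chapter now uses both terms. Pick one and apply it throughout, and since the variables quoted here are kern_securelevel and kern_securelevel_enable and the reader is sent to security(7) and init(8), the term those pages use, securelevel, is the safer choice. While here, "The security level will remain at -1 unless it is altered" would be more useful with the caveat init(8) gives, that a running system can raise the level but cannot lower it, so a wrong value in rc.conf is only undone by a reboot.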
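Review bot: the rewritten schg paragraph changes the advice. The original compromise was to run at a higher securelevel but "skip setting the schg flag for every system file and directory under the sun", that is, flag only the critical startup binaries, directories and scripts listed in the previous sentence rather than everything; the new wording "but skip setting the schg flag" reads as not setting the flag at all, which is no longer a compromise between the two options just described. Suggest "but set the schg flag only on the critical startup files", and keep the dropped warning that upgrading the system is much more difficult at a high securelevel, since that cost is what the compromise trades off.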
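Review bot: "extra-security limited-access system" is a typo introduced here; the original read "extra-secure", and the same sentence still has "your security scripts", which the commit message says this pass removes. The ssh paragraph also loses two points that justify its retained last sentence: the original explained that copying the scripts to the client with scp makes them visible to an intruder, and that the binaries the scripts call (the example given is find) must be copied over as well because the client's own copies may have been replaced. Without those, "The ssh client on the client box may already be compromised" hangs on its own; suggest keeping both points in the shortened form. Likewise, the NFS sentence now says the method "may be too insecure" across several layers of routing without the original's "(network-wise)" hint that the concern is NFS traffic crossing untrusted network segments; one clause restoring that reason would help.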
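Review bot: the removed lines "it should scream at a sysadmin to go check it out. A good security script will also check for inappropriate suid binaries and for new or deleted files on system partitions such as / and / and /usr" have no replacement `+` lines in the diff as shown. If that text was dropped rather than reworded, please restore it: the instruction to alert the administrator on an md5 mismatch, and the check for new setuid binaries and for added or deleted files, is what catches an intruder who adds files instead of modifying the ones already on the checksum list. The duplicated "/ and / and /usr" in the old text should become "/ and /usr" in the restored version.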
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-doc-projects@FreeBSD.ORG Mon Apr 29 12:49:45 2013
Return-Path:
Delivered-To: svn-doc-projects@freebsd.org
Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 9DB43A1E; Mon, 29 Apr 2013 12:49:45 +0000 (UTC) (envelope-from dru@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 8F31812B0; Mon, 29 Apr 2013 12:49:45 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r3TCnjt7005896; Mon, 29 Apr 2013 12:49:45 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r3TCnj71005895; Mon, 29 Apr 2013 12:49:45 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201304291249.r3TCnj71005895@svn.freebsd.org>
From: Dru Lavigne
Date: Mon, 29 Apr 2013 12:49:45 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41514 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip
X-SVN-Group: doc-projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-projects@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for doc projects trees
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 29 Apr 2013 12:49:45 -0000

Author: dru
Date: Mon Apr 29 12:49:45 2013
New Revision: 41514

URL: http://svnweb.freebsd.org/changeset/doc/41514

Log:
  This patch addresses the following:
  - you
  - some acronym tags

  This chapter needs much more work, further patches pending.

  Approved by: gjb (mentor)

Modified:
  projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml

Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml
==============================================================================
--- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml Mon Apr 29 12:44:22 2013 (r41513)
+++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml Mon Apr 29 12:49:45 2013 (r41514)
@@ -125,7 +125,7 @@ An account with an Internet Service Provider - (ISP) which you connect to using + (ISP) for connecting using PPP. @@ -156,7 +156,7 @@ password - Your login name and password. (Either a + A login name and password. (Either a regular &unix; style login and password pair, or a PAP or CHAP login and password pair).
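Review bot: "An account with an Internet Service Provider (ISP) for connecting using PPP" is awkward after the removal of "which you connect to using"; "for connecting using" stacks two gerunds. Suggest "An account with an Internet Service Provider (ISP) that supports PPP" or "to connect to using PPP".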
@@ -167,14 +167,14 @@ The IP address of one or more name servers. - Normally, you will be given two IP addresses by your - ISP. If they have not given you at - least one, use the enable dns command - in ppp.conf and - ppp will set the name - servers. This feature depends on the - ISP's PPP - implementation supporting DNS negotiation. + Normally, the ISP will provide two + IP addresses. If it has not provided any IP addresses, + include enable dns in + ppp.conf and + ppp will set the name servers. This + feature requires the ISP's + PPP implementation to support DNS + negotiation. @@ -184,13 +184,13 @@ - The IP address of your ISP's - gateway. The gateway is the machine to which you will - connect and will be set up as your default - route. If you do not have this - information, we can make one up and your + The IP address of the ISP's + gateway. The gateway is the machine to connect to + and will be set up as the default + route. When in doubt, make one up and the ISP's PPP server - will tell us the correct value when we connect. + will set the correct value during connection + setup. This IP number is referred to as HISADDR by @@ -198,9 +198,8 @@ - The netmask you should use. If the - ISP has not provided you with one, - you can safely use The netmask. If the ISP has not + provided one, use 255.255.255.255. @@ -215,8 +214,8 @@ - If you do not have any of the required information, - contact your ISP. + If any of the required information is missing, contact + the ISP. Throughout this section, many of the examples showing 
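Review bot: in the gateway hunk, "When in doubt, make one up and the ISP's PPP server will set the correct value during connection setup" is looser than the original condition. The original only suggested inventing an address "If you do not have this information"; "when in doubt" invites guessing even when the ISP has supplied a gateway. Suggest "If the ISP has not provided one, make one up; the ISP's PPP server will supply the correct value during connection setup", which also matches the wording used for the netmask entry in the same group.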
@@ -243,13 +242,10 @@ Examples can be found in /usr/share/examples/ppp/. - Configuring ppp requires that you - edit a number of files, depending on your requirements. - What you put in them depends to some extent on whether your - ISP allocates IP addresses statically - (i.e., you get given one IP address, and always use that - one) or dynamically (i.e., your IP address changes each time - you connect). + Configuring ppp requires a number of + files to be edited, depending on the requirements and + whether the ISP allocates IP addresses + statically or dynamically. <acronym>PPP</acronym> and Static IP @@ -260,9 +256,8 @@ <secondary>with static IP addresses</secondary> </indexterm> - <para>You will need to edit the - <filename>/etc/ppp/ppp.conf</filename> configuration file. - It should look similar to the example below.</para> + <para>Edit <filename>/etc/ppp/ppp.conf</filename> so that it + looks similar to the example below.</para> <note> <para>Lines that end in a <literal>:</literal> start in @@ -347,9 +342,10 @@ <term>Line 5:</term> <listitem> - <para>Sets the speed you want to connect at. If - 115200 does not work (it should with any reasonably - new modem), try 38400 instead.</para> + <para>Sets the connection speed. If + <literal>115200</literal> does not work (it should + with any reasonably new modem), try + <literal>38400</literal> instead.</para> </listitem> </varlistentry> @@ -411,10 +407,10 @@ <listitem> <para>Identifies an entry for a provider called <quote>provider</quote>. This could be changed - to the name of your <acronym>ISP</acronym> so - that later you can use the <option>load - <replaceable>ISP</replaceable></option> to start - the connection.</para> + to the name of the <acronym>ISP</acronym> so + that <option>load + <replaceable>ISP</replaceable></option> can be + used to start the connection.</para> </listitem> </varlistentry> 
@@ -427,17 +423,16 @@ colon (<literal>:</literal>) or pipe character (<literal>|</literal>) as a separator. The difference between the two separators is described - in &man.ppp.8;. To summarize, if you want to rotate - through the numbers, use a colon. If you want to - always attempt to dial the first number first and - only use the other numbers if the first number - fails, use the pipe character. Always quote the - entire set of phone numbers as shown.</para> - - <para>You must enclose the phone number in quotation - marks (<literal>"</literal>) if there is any - intention on using spaces in the phone number. - This can cause a simple, yet subtle error.</para> + in &man.ppp.8;. To summarize, to rotate through the + numbers, use a colon. To always attempt to dial the + first number first and only use the other numbers if + the first number fails, use the pipe character. + Always quote the entire set of phone numbers as + shown.</para> + + <para>The phone number must be enclosed in quotation + marks (<literal>"</literal>) if there are any spaces + in the phone number.</para> </listitem> </varlistentry> @@ -460,10 +455,9 @@ <listitem> <indexterm><primary>PAP</primary></indexterm> <indexterm><primary>CHAP</primary></indexterm> - <para>If you are using PAP or CHAP, there will be no - login at this point, and this line should be - commented out or removed. See <link - linkend="userppp-PAPnCHAP">PAP and CHAP + <para>When using PAP or CHAP, there will be no login + and this line should be commented out or removed. + See <link linkend="userppp-PAPnCHAP">PAP and CHAP authentication</link> for further details.</para> <para>The login string is of the same chat-like 
@@ -476,11 +470,12 @@ login: <replaceable>foo</replaceable> password: <replaceable>bar</replaceable> protocol: ppp</screen> - <para>You will need to alter this script to suit your - own needs. When you write this script for the first - time, you should ensure that you have enabled - <quote>chat</quote> logging so you can determine if - the conversation is going as expected.</para> + <para>Replace the login and password values with + those required by the <acronym>ISP</acronym>. When + writing this script for the first time, ensure that + <quote>chat</quote> logging is enabled in order to + determine if the conversation is going as + expected.</para> </listitem> </varlistentry> @@ -492,10 +487,9 @@ protocol: ppp</screen> <para>Sets the default idle timeout (in seconds) for the connection. Here, the connection will be closed - automatically after 300 seconds of inactivity. If - you never want to timeout, set this value to zero - or use the <option>-ddial</option> command line - switch.</para> + automatically after 300 seconds of inactivity. To + never timeout, set this value to zero or use the + <option>-ddial</option> command line switch.</para> </listitem> </varlistentry> 
@@ -506,15 +500,15 @@ protocol: ppp</screen> <para>Sets the interface addresses. The string <replaceable>x.x.x.x</replaceable> should be - replaced by the IP address that your provider has - allocated to you. The string + replaced by the IP address the provider has + allocated. The string <replaceable>y.y.y.y</replaceable> should be replaced by the IP address of the <acronym>ISP</acronym>'s gateway. If the ISP has - not given you a gateway address, use <hostid - role="netmask">10.0.0.2/0</hostid>. If you need to - use a <quote>guessed</quote> address, make sure that - you create an entry in + not provided a gateway address, use <hostid + role="netmask">10.0.0.2/0</hostid>. When using a + <quote>guessed</quote> address, make sure to create + an entry in <filename>/etc/ppp/ppp.linkup</filename> as per the instructions for <link linkend="userppp-dynamicIP"><acronym>PPP</acronym> 
@@ -536,20 +530,19 @@ protocol: ppp</screen> otherwise <literal>HISADDR</literal> will not yet be initialized.</para> - <para>If you do not wish to run <command>ppp</command> - in <option>-auto</option> mode, this line should be - moved to the <filename>ppp.linkup</filename> - file.</para> + <para>When <command>ppp</command> is not run in + <option>-auto</option> mode, this line should be + moved to <filename>ppp.linkup</filename>.</para> </listitem> </varlistentry> </variablelist> <para>It is not necessary to add an entry to - <filename>ppp.linkup</filename> when you have a static - IP address and are running <command>ppp</command> in - <option>-auto</option> mode as your routing table entries - are already correct before you connect. You may however - wish to create an entry to invoke programs after + <filename>ppp.linkup</filename> when using a static + IP address with <command>ppp</command> in + <option>-auto</option> mode as the routing table entries + are already correct before a connection is established. + However, an entry can be created to invoke programs after connection. This is explained later with the sendmail example.</para> @@ -572,7 +565,7 @@ protocol: ppp</screen> <primary>IPCP</primary> </indexterm> - <para>If your service provider does not assign static IP + <para>If the service provider does not assign static IP addresses, <command>ppp</command> can be configured to negotiate the local and remote addresses. This is done by <quote>guessing</quote> an IP address and allowing 
@@ -596,10 +589,9 @@ protocol: ppp</screen> <listitem> <para>The number after the <literal>/</literal> character is the number of bits of the address that - <command>ppp</command> will insist on. You may wish - to use IP numbers more appropriate to your - circumstances, but the above example will always - work.</para> + <command>ppp</command> will insist on. These + IP numbers can be replaced, but the above example + will always work.</para> <para>The last argument (<literal>0.0.0.0</literal>) tells <acronym>PPP</acronym> to start negotiations @@ -614,8 +606,8 @@ protocol: ppp</screen> </varlistentry> </variablelist> - <para>If you are not running in <option>-auto</option> mode, - you will need to create an entry in + <para>When not running in <option>-auto</option> mode, + create an entry in <filename>/etc/ppp/ppp.linkup</filename>. <filename>ppp.linkup</filename> is used after a connection has been established. At this point, @@ -672,15 +664,14 @@ protocol: ppp</screen> <secondary>receiving incoming calls</secondary> </indexterm> - <para>When you configure <command>ppp</command> to - receive incoming calls on a machine connected to a LAN, - you must decide if you wish to forward packets to the LAN. - If you do, you should allocate the peer an IP number from - your LAN's subnet, and use the command <command>enable - proxy</command> in your - <filename>/etc/ppp/ppp.conf</filename> file. You should - also confirm that the <filename>/etc/rc.conf</filename> - file contains the following:</para> + <para>When configuring <command>ppp</command> to receive + incoming calls on a machine connected to a LAN, decide if + packets should be forwarded to the LAN. If so, allocate + the peer an IP number from the LAN's subnet and use + <command>enable proxy</command> in + <filename>/etc/ppp/ppp.conf</filename>. Also, confirm + that <filename>/etc/rc.conf</filename> contains the + following:</para> <programlisting>gateway_enable="YES"</programlisting> </sect4> 
@@ -699,15 +690,15 @@ protocol: ppp</screen> designed with dial-up lines in mind.</para> <para>The advantages of using <command>mgetty</command> is - that it actively <emphasis>talks</emphasis> to modems, - meaning if port is turned off in - <filename>/etc/ttys</filename> then your modem will not - answer the phone.</para> + that it actively <emphasis>talks</emphasis> to modems. + If the port is turned off in + <filename>/etc/ttys</filename>, the modem will not answer + the phone.</para> <para>Later versions of <command>mgetty</command> (from 0.99beta onwards) also support the automatic detection of - <acronym>PPP</acronym> streams, allowing your clients - script-less access to your server.</para> + <acronym>PPP</acronym> streams, allowing clients + scriptless access to the server.</para> <para>Refer to <link linkend="userppp-mgetty">Mgetty and AutoPPP</link> for more information on @@ -718,16 +709,14 @@ protocol: ppp</screen> <title><acronym>PPP</acronym> Permissions The ppp command must normally be - run as the root user. If however, - you wish to allow ppp to run in - server mode as a normal user by executing - ppp as described below, that user - must be given permission to run ppp - by adding them to the network - group in /etc/group. + run as the root user. To give a + user permission to run ppp in server + mode, add their user account to the + network group in + /etc/group. - You will also need to give them access to one or more - sections of the configuration file using the + Then, give the account access to one or more sections + of the configuration file using the allow command: allow users fred mary 
@@ -769,12 +758,12 @@ exec /usr/sbin/ppp -direct $IDENT&prompt.root; ln -s ppp-shell /etc/ppp/ppp-dialup - You should use this script as the - shell for all of your dialup users. - This is an example from /etc/passwd - for a dialup PPP user with username - pchilds (remember do not directly - edit the password file, use &man.vipw.8;). + Use this script as the shell for + all dialup users. This is an example from + /etc/passwd for a dialup + PPP user with the username + pchilds. Do not directly edit this + file, use &man.vipw.8;. pchilds:*:1011:300:Peter Childs PPP:/home/ppp:/etc/ppp/ppp-dialup @@ -803,10 +792,10 @@ exec /usr/sbin/ppp -direct $IDENTppp-shell. - For example, if you have three dialup customers, + Consider three dialup customers, fred, sam, - and mary, that you route /24 CIDR - networks for, you would type the following: + and mary. In order to route /24 + CIDR networks, type the following: &prompt.root; ln -s /etc/ppp/ppp-shell /etc/ppp/ppp-fred &prompt.root; ln -s /etc/ppp/ppp-shell /etc/ppp/ppp-sam @@ -845,7 +834,7 @@ ttyu1: for each session. For each dialup line enabled in /etc/ttys create an entry similar to the one for ttyu0: above. Each - line should get a unique IP address from your pool of + line should get a unique IP address from the pool of IP addresses for dynamic users. @@ -855,10 +844,8 @@ ttyu1: Along with the contents of the sample /usr/share/examples/ppp/ppp.conf - above you should add a section for each of the - statically assigned dialup users. We will continue with - our fred, sam, - and mary example. + above, add a section for each of the statically assigned + dialup users: fred: set ifaddr 203.14.100.1 203.14.101.1 255.255.255.255 @@ -916,9 +903,9 @@ mary: role="package">comms/mgetty+sendfax port on his system. - Make sure your + Make sure /usr/local/etc/mgetty+sendfax/login.config - file has the following in it: + has the following: /AutoPPP/ - - /etc/ppp/ppp-pap-dialup 
@@ -953,8 +940,8 @@ exec /usr/sbin/ppp -direct pap$IDENTenable passwdauth - If you wish to assign some users a static IP number, - you can specify the number as the third argument in + To assign some users a static IP, specify the IP + address as the third argument in /etc/ppp/ppp.secret. See /usr/share/examples/ppp/ppp.secret.sample for examples. @@ -1015,8 +1002,8 @@ set nbns 203.14.100.5 that the authentication part of the connection is done using either the PAP or CHAP authentication mechanism. If this is the case, the ISP will not give - a login: prompt when you connect, but - will start talking PPP + a login: during connection, but will + start talking PPP immediately. PAP is less secure than CHAP, but security is not @@ -1041,8 +1028,8 @@ set nbns 203.14.100.5 Line 13: - This line specifies your PAP/CHAP user name. - You will need to insert the correct value for + This line specifies the PAP/CHAP user name. + Insert the correct value for MyUserName. @@ -1052,10 +1039,10 @@ set nbns 203.14.100.5 password - This line specifies your PAP/CHAP password. - You will need to insert the correct value for - MyPassword. You may - want to add an additional line, such as: + This line specifies the PAP/CHAP password. + Insert the correct value for + MyPassword. An + additional line can be added, such as: 16 accept PAP @@ -1073,9 +1060,9 @@ set nbns 203.14.100.5 Line 15: - Your ISP will not normally - require you to log into the server when using PAP or - CHAP. You must therefore disable your set + The ISP will not normally + require a login into the server when using PAP or + CHAP. Therefore, disable the set login string. 
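Review bot: in the PAP/CHAP hunk, "the ISP will not give a login: during connection" drops the word "prompt" from the original "will not give a login: prompt when you connect", leaving "a login:" attached to nothing. Suggest "the ISP will not present a login: prompt during connection, but will start talking PPP immediately".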
@@ -1083,13 +1070,13 @@ set nbns 203.14.100.5 - Changing Your <command>ppp</command> Configuration + <title>Changing the <command>ppp</command> Configuration on the Fly It is possible to talk to the ppp program while it is running in the background, but only if a suitable diagnostic port has been set up. To do - this, add the following line to your configuration: + this, add the following line to the configuration: set server /var/run/ppp-tun%d DiagnosticPassword 0177 @@ -1127,8 +1114,8 @@ set nbns 203.14.100.5 ppp_nat, which is enabled by default. - If you use this feature, you may also find useful - the following /etc/ppp/ppp.conf options + When using this feature, the following + /etc/ppp/ppp.conf options are useful to enable incoming connections forwarding: nat port tcp 10.0.0.2:ftp ftp @@ -1146,10 +1133,9 @@ nat port tcp 10.0.0.2:http httpPPPconfiguration - You now have ppp configured, but - there are a few more things to do before it is ready to - work. They all involve editing the - /etc/rc.conf file. + Now that ppp is configured, there are + a few more things to edit in + /etc/rc.conf. Working from the top down in this file, make sure the hostname= line is set, e.g.: @@ -1157,11 +1143,11 @@ nat port tcp 10.0.0.2:http httphostname="foo.example.com" If the ISP has supplied a static IP - address and name, it is probably best that you use this name - as your host name. + address and name, it is recommended to use this name as the + host name. Look for the network_interfaces - variable. If you want to configure your system to dial your + variable. To configure the system to dial the ISP on demand, make sure the tun0 device is added to the list, otherwise remove it. 
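Review bot: the NAT hunk keeps "options are useful to enable incoming connections forwarding", which is awkward; "options forward incoming connections to the internal host" or "are useful for forwarding incoming connections" reads better. Since the examples that follow (nat port tcp 10.0.0.2:ftp ftp and nat port tcp 10.0.0.2:http http) expose services on the internal host 10.0.0.2 to the dial-up side, one sentence saying that only services intended to be reachable from outside should be forwarded would be a worthwhile addition while this paragraph is being rewritten.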
@@ -1178,15 +1164,15 @@ ifconfig_tun0= ppp -auto mysystem This script is executed at network configuration time, - starting your ppp daemon in - mode. If you have a LAN for which - this machine is a gateway, you may also wish to use the + starting the ppp daemon in + mode. If the machine functions as + a gateway for a LAN, consider using the switch. Refer to the manual page - for further details. + for details. Make sure that the router program is set to - NO with the following line in your + NO with the following line in /etc/rc.conf: router_enable="NO" @@ -1204,24 +1190,22 @@ ifconfig_tun0= sendmail_flags line does not include the option, otherwise sendmail will attempt to do a network - lookup every now and then, possibly causing your machine - to dial out. You may try: + lookup every now and then, possibly causing the machine + to dial out. Try this command instead: sendmail_flags="-bd" sendmail - The downside of this is that you must force - sendmail to re-examine the mail queue - whenever the PPP link is up by - typing: + The downside is that sendmail must be + forced to re-examine the mail queue whenever the + PPP link is up by typing: &prompt.root; /usr/sbin/sendmail -q - You may wish to use the !bg command - in ppp.linkup to do this - automatically: + To automatically use the !bg command + in ppp.linkup: 1 provider: 2 delete ALL 
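Review bot: "Try this command instead: sendmail_flags="-bd"" is wrong; sendmail_flags="-bd" is an /etc/rc.conf setting, not a command, and "instead" has nothing to contrast with, since the preceding sentence is about which option to leave out of that same line. The original "You may try:" was vague but not incorrect; suggest "Set the following in /etc/rc.conf:". In the same region, "To automatically use the !bg command in ppp.linkup:" inverts the original meaning: the point is to use !bg in ppp.linkup so that sendmail -q runs automatically when the link comes up, not to use !bg automatically. Suggest "To run this automatically whenever the link comes up, use the !bg command in ppp.linkup:".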
@@ -1232,20 +1216,20 @@ ifconfig_tun0= SMTP - If you do not like this, it is possible to set up a - dfilter to block SMTP traffic. Refer to the - sample files for further details. + It is possible to set up a dfilter to + block SMTP traffic. Refer to the sample files for further + details. All that is left is to reboot the machine. After - rebooting, you can now either type: + rebooting, either type: &prompt.root; ppp and then dial provider to start the - PPP session, or, if you want + PPP session, or, to configure ppp to establish sessions automatically - when there is outbound traffic (and you have not created the - start_if.tun0 script), type: + when there is outbound traffic and there is no existing + start_if.tun0 script, type: &prompt.root; ppp -auto provider @@ -1261,7 +1245,7 @@ ifconfig_tun0= Ensure that the tun device - is built into your kernel. + is built into the kernel. @@ -1279,18 +1263,17 @@ ifconfig_tun0= - If you have a dynamic IP address, create an entry in + When using a dynamic IP address, create an entry in /etc/ppp/ppp.linkup. - Update your /etc/rc.conf - file. + Update /etc/rc.conf. Create a start_if.tun0 script - if you require demand dialing. + if demand dialing is required. @@ -1299,7 +1282,7 @@ ifconfig_tun0= Ensure that the tun device - is built into your kernel. + is built into the kernel. @@ -1334,8 +1317,7 @@ ifconfig_tun0= - Update your /etc/rc.conf - file. + Update /etc/rc.conf. 
@@ -1361,23 +1343,21 @@ ifconfig_tun0= This section covers a few issues which may arise when - using PPP over a modem connection. For - instance, perhaps you need to know exactly what prompts the - system you are dialing into will present. Some + using PPP over a modem connection. Some ISPs present the ssword prompt, and others will present password; if the ppp script is not written accordingly, the login attempt will fail. The most common way to debug ppp connections is by connecting manually. The following - information will walk you through a manual connection step by + information walks through a manual connection step by step. Check the Device Nodes When using a custom kernel, make sure to include the - following line in your kernel configuration file: + following line in the kernel configuration file: device uart @@ -1389,17 +1369,13 @@ ifconfig_tun0= &prompt.root; dmesg | grep uart - You should get some pertinent output about the - uart devices. These are the COM - ports we need. If your modem acts like a standard serial - port then you should see it listed on + The uart devices should provide + some pertinent output about the COM ports. If the modem acts + like a standard serial port, it should be listed on uart1, or - COM2. If so, you are not required - to rebuild the kernel. When matching up sio modem is on - uart1 or - COM2 if you are in DOS, then your - modem device would be /dev/cuau1. + COM2. If so, a custom kernel is not + needed. In this configuration, the modem device would be + /dev/cuau1. 
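Review bot: "The uart devices should provide some pertinent output about the COM ports" reverses the original sentence. The output comes from dmesg | grep uart and describes the uart devices, which are the COM ports; the devices do not provide output about anything. Suggest "The output should list the uart devices, which correspond to the COM ports."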
@@ -1407,42 +1383,39 @@ ifconfig_tun0= Connecting to the Internet by manually controlling ppp is quick, easy, and a great way to - debug a connection or just get information on how your + debug a connection or just get information on how the ISP treats ppp client connections. Lets start PPP from - the command line. Note that in all of our examples we will - use example as the hostname of the - machine running PPP. You start - ppp by just typing + the command line. The following examples use + example as the hostname of the + machine running PPP. To start ppp: &prompt.root; ppp - We have now started ppp. - + This sets the modem device to + cuau1: + ppp ON example> set device /dev/cuau1 - We set our modem device, in this case it is - cuau1. + This sets the connection speed to 115,200 + kbps: ppp ON example> set speed 115200 - Set the connection speed, in this case we - are using 115,200 kbps. - - ppp ON example> enable dns - - Tell ppp to configure our + This tells ppp to configure the resolver and add the nameserver lines to /etc/resolv.conf. If - ppp cannot determine our hostname, we can - set one manually later. + ppp cannot determine the hostname, it can + manually be set later. - ppp ON example> term + ppp ON example> enable dns Switch to terminal mode so that we can manually control the modem. + ppp ON example> term + deflink: Entering terminal mode on /dev/cuau1 type '~h' for help @@ -1451,7 +1424,7 @@ OK atdt123456789 Use at to initialize the modem, - then use atdt and the number for your + then use atdt and the number for the ISP to begin the dial in process. CONNECT @@ -1462,8 +1435,8 @@ OK ISP Login:myusername - Here you are prompted for a username, return the - prompt with the username that was provided by the + When prompted for a username, return the prompt with the + username that was provided by the ISP. ISP Pass:mypassword 
@@ -1475,7 +1448,7 @@ OK Shell or PPP:ppp - Depending on your ISP this prompt + Depending on the ISP, this prompt may never appear. Here we are being asked if we wish to use a shell on the provider, or to start ppp. In this example, we have chosen 
@@ -1504,47 +1477,45 @@ OK Here we add our default route, we need to do this before we can talk to the outside world as currently the only established connection is with the peer. If this fails due to - existing routes you can put a bang character - ! in front of the . - Alternatively, you can set this before making the actual - connection and it will negotiate a new route - accordingly. + existing routes, put a bang character + (!) in front of the . + Alternatively, set this before making the actual connection + and it will negotiate a new route accordingly. - If everything went good we should now have an active - connection to the Internet, which could be thrown into the + If everything went well, there is now an active + connection to the Internet which can be placed into the background using CTRL - z If you notice the - PPP return to ppp then - we have lost our connection. This is good to know because it - shows our connection status. Capital P's show that we have a - connection to the ISP and lowercase p's - show that the connection has been lost for whatever reason. - ppp only has these 2 states. + z. If + PPP instead returns to + ppp, the connection has been lost. An + uppercase P indicates a + connection to the ISP and a lowercase + p indicates that the connection has been + lost. ppp only has these 2 states. Debugging - If you have a direct line and cannot seem to make a - connection, then turn hardware flow - CTS/RTS to off with the . This is mainly the case if you are + For a direct line that cannot seem to make a connection, + turn hardware flow CTS/RTS to off with + . This can occur when connected to some PPP capable - terminal servers, where PPP hangs - when it tries to write data to your communication link, so - it would be waiting for a CTS, or Clear - To Send signal which may never come. 
If you use this option - however, you should also use the - option, which may be required to defeat hardware dependent - on passing certain characters from end to end, most of the - time XON/XOFF. See the &man.ppp.8; manual page for more - information on this option, and how it is used. - - If you have an older modem, you may need to use the - . Parity is set at none - be default, but is used for error checking (with a large + terminal servers as PPP hangs + when it tries to write data to the communication link and + then waits for a Clear To Send (CTS) + signal which may never come. When using this option, + include , which may be required + to defeat hardware which is dependent on passing certain + characters from end to end, such as XON/XOFF. See + &man.ppp.8; for more information on how this option is + used. + + For an older modem, may + be needed. Parity is set at none by + default, but is used for error checking (with a large increase in traffic) on older modems and some - ISPs. You may need this option for + ISPs. This option may be needed for the Compuserve ISP. PPP may not return to the @@ -1554,13 +1525,13 @@ OK command will force ppp to start sending the configuration information. - If you never obtain a login prompt, then most likely you - need to use PAP or - CHAP authentication instead of the - &unix; style in the example above. To use - PAP or CHAP just add - the following options to PPP - before going into terminal mode: + If a login prompt never appears, try using + PAP or CHAP + authentication instead of the &unix; style in the example + above. To use PAP or + CHAP, add the following options to + PPP before going into terminal + mode: ppp ON example> set authname myusername 
@@ -1574,17 +1545,16 @@ OK replaced with the password that was assigned by the ISP. - If you connect fine, but cannot seem to find any domain - name, try to use &man.ping.8; with an IP - address and see if you can get any return information. If - you experience 100 percent (100%) packet loss, then it is - most likely that you were not assigned a default route. - Double check that the option was set during the connection. If you - can connect to a remote IP address then - it is possible that a resolver address has not been added - to the /etc/resolv.conf. This file - should look like: + If the connection is active but cannot resolve any + domain names, try to &man.ping.8; an IP + address. If there is 100% packet loss, it is likely that a + default route was not assigned. Double check that + was set during the + connection. If a connection to a remote + IP address cannot be established, it is + possible that a resolver address has not been added to + /etc/resolv.conf. This file should + look like: domain example.com nameserver x.x.x.x @@ -1592,15 +1562,11 @@ nameserver y.y.y.yWhere x.x.x.x and y.y.y.y should be replaced with - the IP address of your - ISP's DNS servers. This information may - or may not have been provided when you signed up, but a - quick call to your ISP should remedy - that. - - You could also have &man.syslog.3; provide a logging - function for your PPP connection. - Just add: + the IP address of the + ISP's DNS servers. + + To configure &man.syslog.3; to log + PPP connections, add: !ppp *.* /var/log/ppp.log @@ -1677,7 +1643,7 @@ name_of_service_provider: Running <command>ppp</command> - As root, you can run: + As root, run: &prompt.root; ppp -ddial name_of_service_provider @@ -1686,8 +1652,8 @@ name_of_service_provider: Starting <command>ppp</command> at Boot - Add the following to your - /etc/rc.conf file: + Add the following to + /etc/rc.conf: ppp_enable="YES" ppp_mode="ddial" 
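Review bot: In the @@ -1407,42 +1383,39 @@ hunk the new sentence "This sets the connection speed to 115,200 kbps" carries over a unit error from the old text: `set speed 115200` sets the serial line speed in bits per second, so this should read "115,200 bps" (115,200 kbps would be 115 Mbps). The same hunk also leaves "Switch to terminal mode so that we can manually control the modem." in the first person, which this pass is otherwise removing; suggest "Switch to terminal mode in order to manually control the modem:".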
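Review bot: The @@ -1504,47 +1477,45 @@ hunk tightens the second half of the paragraph but the unchanged opening, "Here we add our default route, we need to do this before we can talk to the outside world as currently the only established connection is with the peer.", is a comma splice and still uses "we"/"our"; suggest "Add the default route before attempting to reach the outside world, as currently the only established connection is with the peer." In the same hunk, "only has these 2 states" should spell out "two".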
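Review bot: The @@ -1554,13 +1525,13 @@ hunk presents PAP and CHAP as interchangeable ("try using PAP or CHAP authentication instead of the &unix; style"). They differ in exposure: PAP sends the password across the link in the clear, while CHAP answers a challenge without transmitting it, so half a sentence recommending CHAP where the ISP offers it would help readers. Since the `set authname myusername` line that follows, and the `authkey` line it is paired with, place the ISP password in ppp.conf, this is also the place to say that the file should be owned by root and not be group- or world-readable.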
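Review bot: In the @@ -1389,17 +1369,13 @@ hunk, "The uart devices should provide some pertinent output about the COM ports" attributes the output to the devices; it is the `dmesg | grep uart` output that lists the devices, which correspond to the COM ports. Suggest "The output should list the uart devices, which correspond to the COM ports."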
@@ -1699,25 +1665,22 @@ ppp_profile="name_of_service_provider"Using a PPPoE Service Tag Sometimes it will be necessary to use a service tag to - establish your connection. Service tags are used to *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-doc-projects@FreeBSD.ORG Mon Apr 29 22:06:39 2013 Return-Path: Delivered-To: svn-doc-projects@freebsd.org Received: from mx1.freebsd.org (mx1.FreeBSD.org [8.8.178.115]) by hub.freebsd.org (Postfix) with ESMTP id 6D4CCB86; Mon, 29 Apr 2013 22:06:39 +0000 (UTC) (envelope-from dru@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 5F4931904; Mon, 29 Apr 2013 22:06:39 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r3TM6d9F011957; Mon, 29 Apr 2013 22:06:39 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r3TM6dfb011955; Mon, 29 Apr 2013 22:06:39 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201304292206.r3TM6dfb011955@svn.freebsd.org> 
From: Dru Lavigne Date: Mon, 29 Apr 2013 22:06:39 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org Subject: svn commit: r41522 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip X-SVN-Group: doc-projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-projects@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for doc projects trees List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 29 Apr 2013 22:06:39 -0000 Author: dru Date: Mon Apr 29 22:06:38 2013 New Revision: 41522 URL: http://svnweb.freebsd.org/changeset/doc/41522 Log: Fix command/application tags that should be man page entities. Approved by: bcr (mentor) Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml ============================================================================== --- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml Mon Apr 29 21:56:02 2013 (r41521) +++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/ppp-and-slip/chapter.xml Mon Apr 29 22:06:38 2013 (r41522) @@ -171,7 +171,7 @@ IP addresses. If it has not provided any IP addresses, include enable dns in ppp.conf and - ppp will set the name servers. This + &man.ppp.8; will set the name servers. This feature requires the ISP's PPP implementation to support DNS negotiation. @@ -194,7 +194,7 @@ This IP number is referred to as HISADDR by - ppp. + &man.ppp.8;. 
@@ -237,12 +237,13 @@ configuration - ppp uses the configuration files - located in /etc/ppp. + Several files located in /etc/ppp are used to + configure &man.ppp.8;. Examples can be found in /usr/share/examples/ppp/. - Configuring ppp requires a number of + Configuring &man.ppp.8; requires a number of files to be edited, depending on the requirements and whether the ISP allocates IP addresses statically or dynamically. @@ -292,7 +293,7 @@ Identifies the default entry. Commands in this entry are executed automatically when - ppp is + &man.ppp.8; is run. @@ -513,7 +514,7 @@ protocol: ppp instructions for PPP and Dynamic IP addresses. If this line is - omitted, ppp cannot run in + omitted, &man.ppp.8; cannot run in mode. @@ -530,7 +531,7 @@ protocol: ppp otherwise HISADDR will not yet be initialized. - When ppp is not run in + When &man.ppp.8; is not run in mode, this line should be moved to ppp.linkup. @@ -539,7 +540,7 @@ protocol: ppp It is not necessary to add an entry to ppp.linkup when using a static - IP address with ppp in + IP address with &man.ppp.8; in mode as the routing table entries are already correct before a connection is established. However, an entry can be created to invoke programs after @@ -566,10 +567,10 @@ protocol: ppp If the service provider does not assign static IP - addresses, ppp can be configured to + addresses, &man.ppp.8; can be configured to negotiate the local and remote addresses. This is done by guessing an IP address and allowing - ppp to set it up correctly using the IP + &man.ppp.8; to set it up correctly using the IP Configuration Protocol (IPCP) after connecting. The ppp.conf configuration is the same as PPP @@ -589,7 +590,7 @@ protocol: ppp The number after the / character is the number of bits of the address that - ppp will insist on. These + &man.ppp.8; will insist on. These IP numbers can be replaced, but the above example will always work. 
@@ -611,7 +612,7 @@ protocol: ppp /etc/ppp/ppp.linkup. ppp.linkup is used after a connection has been established. At this point, - ppp will have assigned the interface + &man.ppp.8; will have assigned the interface addresses and it will now be possible to add the routing table entries: @@ -624,7 +625,7 @@ protocol: ppp On establishing a connection, - ppp will look for an entry in + &man.ppp.8; will look for an entry in ppp.linkup according to the following rules: First, try to match the same label as we used in ppp.conf. If @@ -639,7 +640,7 @@ protocol: ppp Line 2: - This line tells ppp to add a + This line tells &man.ppp.8; to add a default route that points to HISADDR. HISADDR will be replaced with the @@ -664,7 +665,7 @@ protocol: ppp receiving incoming calls - When configuring ppp to receive + When configuring &man.ppp.8; to receive incoming calls on a machine connected to a LAN, decide if packets should be forwarded to the LAN. If so, allocate the peer an IP number from the LAN's subnet and use 
@@ -683,34 +684,34 @@ protocol: ppp Dial-up Services provides a good description on enabling dial-up services using &man.getty.8;. - An alternative to getty is An alternative to &man.getty.8; is mgetty (from comms/mgetty+sendfax - port), a smarter version of getty + port), a smarter version of &man.getty.8; designed with dial-up lines in mind. - The advantages of using mgetty is + The advantages of using &man.getty.8; is that it actively talks to modems. If the port is turned off in /etc/ttys, the modem will not answer the phone. - Later versions of mgetty (from + Later versions of &man.getty.8; (from 0.99beta onwards) also support the automatic detection of PPP streams, allowing clients scriptless access to the server. Refer to Mgetty and AutoPPP for more information on - mgetty. + &man.getty.8;. <acronym>PPP</acronym> Permissions - The ppp command must normally be + Typically, &man.ppp.8; is run as the root user. To give a - user permission to run ppp in server + user permission to run &man.ppp.8; in server mode, add their user account to the network group in /etc/group. @@ -874,10 +875,10 @@ mary: - <command>mgetty</command> and AutoPPP + &man.getty.8; and AutoPPP - mgetty + &man.getty.8; @@ -891,9 +892,9 @@ mary: By default the comms/mgetty+sendfax port comes with the AUTO_PPP option enabled - allowing mgetty to detect the LCP + allowing &man.getty.8; to detect the LCP phase of PPP connections and - automatically spawn off a ppp shell. + automatically spawn off a &man.ppp.8; shell. However, since the default login/password sequence does not occur it is necessary to authenticate users using either PAP or CHAP. @@ -909,7 +910,7 @@ mary: /AutoPPP/ - - /etc/ppp/ppp-pap-dialup - This will tell mgetty to run the + This will tell &man.getty.8; to run the ppp-pap-dialup script for detected PPP connections. 
@@ -1070,11 +1071,11 @@ set nbns 203.14.100.5 - Changing the <command>ppp</command> Configuration + <title>Changing the &man.ppp.8; Configuration on the Fly - It is possible to talk to the ppp - program while it is running in the background, but only + It is possible to talk to &man.ppp.8; + while it is running in the background, but only if a suitable diagnostic port has been set up. To do this, add the following line to the configuration: @@ -1133,7 +1134,7 @@ nat port tcp 10.0.0.2:http httpPPPconfiguration - Now that ppp is configured, there are + Now that &man.ppp.8; is configured, there are a few more things to edit in /etc/rc.conf. @@ -1164,7 +1165,7 @@ ifconfig_tun0= ppp -auto mysystem This script is executed at network configuration time, - starting the ppp daemon in + starting the &man.ppp.8; daemon in mode. If the machine functions as a gateway for a LAN, consider using the switch. Refer to the manual page @@ -1181,24 +1182,24 @@ ifconfig_tun0= routed - It is important that the routed - daemon is not started, as routed tends + It is important that the &man.routed.8; + daemon is not started, as &man.routed.8; tends to delete the default routing table entries created by - ppp. + &man.ppp.8;. It is probably a good idea to ensure that the sendmail_flags line does not include the option, otherwise - sendmail will attempt to do a network + &man.sendmail.8; will attempt to do a network lookup every now and then, possibly causing the machine to dial out. Try this command instead: sendmail_flags="-bd" - sendmail + Sendmail - The downside is that sendmail must be + The downside is that &man.sendmail.8; must be forced to re-examine the mail queue whenever the PPP link is up by typing: @@ -1227,7 +1228,7 @@ ifconfig_tun0= and then dial provider to start the PPP session, or, to configure - ppp to establish sessions automatically + &man.ppp.8; to establish sessions automatically when there is outbound traffic and there is no existing start_if.tun0 script, type: 
@@ -1346,9 +1347,9 @@ ifconfig_tun0= using PPP over a modem connection. Some ISPs present the ssword prompt, and others will present - password; if the ppp + password; if the &man.ppp.8; script is not written accordingly, the login attempt will - fail. The most common way to debug ppp + fail. The most common way to debug &man.ppp.8; connections is by connecting manually. The following information walks through a manual connection step by step. @@ -1364,7 +1365,7 @@ ifconfig_tun0= The uart device is already included in the GENERIC kernel, so no additional steps are necessary in this case. Just - check the dmesg output for the modem + check the &man.dmesg.8; output for the modem device with: &prompt.root; dmesg | grep uart @@ -1382,14 +1383,13 @@ ifconfig_tun0= Connecting Manually Connecting to the Internet by manually controlling - ppp is quick, easy, and a great way to + &man.ppp.8; is quick, easy, and a great way to debug a connection or just get information on how the - ISP treats ppp client - connections. Lets start PPP from - the command line. The following examples use + ISP treats &man.ppp.8; client + connections. The following examples use example as the hostname of the - machine running PPP. To start - ppp: + machine running &man.ppp.8;. To start + &man.ppp.8;: &prompt.root; ppp @@ -1403,10 +1403,10 @@ ifconfig_tun0= ppp ON example> set speed 115200 - This tells ppp to configure the + This tells &man.ppp.8; to configure the resolver and add the nameserver lines to /etc/resolv.conf. If - ppp cannot determine the hostname, it can + &man.ppp.8; cannot determine the hostname, it can manually be set later. ppp ON example> enable dns @@ -1423,8 +1423,8 @@ type '~h' for help OK atdt123456789 - Use at to initialize the modem, - then use atdt and the number for the + Use &man.at.1; to initialize the modem, + then type atdt and the number for the ISP to begin the dial in process. CONNECT 
@@ -1451,8 +1451,8 @@ OK Depending on the ISP, this prompt may never appear. Here we are being asked if we wish to use a shell on the provider, or to start - ppp. In this example, we have chosen - to use ppp as we want an Internet + &man.ppp.8;. In this example, we have chosen + to use &man.ppp.8; as we want an Internet connection. Ppp ON example> @@ -1492,7 +1492,7 @@ OK uppercase P indicates a connection to the ISP and a lowercase p indicates that the connection has been - lost. ppp only has these 2 states. + lost. &man.ppp.8; only has these 2 states. Debugging @@ -1522,7 +1522,7 @@ OK command mode, which is usually a negotiation error where the ISP is waiting for your side to start negotiating. At this point, using the ~p - command will force ppp to start + command will force &man.ppp.8; to start sending the configuration information. If a login prompt never appears, try using @@ -1617,7 +1617,7 @@ nameserver y.y.y.yNo kernel configuration is necessary for PPPoE. If the necessary netgraph support is not built into the kernel, it will be dynamically loaded by - ppp. + &man.ppp.8;. @@ -1641,7 +1641,7 @@ name_of_service_provider: - Running <command>ppp</command> + Running &man.ppp.8; As root, run: @@ -1650,7 +1650,7 @@ name_of_service_provider: - Starting <command>ppp</command> at Boot + Starting &man.ppp.8; at Boot Add the following to /etc/rc.conf: @@ -1685,8 +1685,8 @@ ppp_profile="name_of_service_provider"The profile name (service tag) will be used in the PPPoE configuration entry in ppp.conf as the provider part of the - set device command (see the &man.ppp.8; - manual page for full details). It should look like + set device command (refer to &man.ppp.8; + for details). It should look like this: set device PPPoE:xl1:ISP @@ -1801,7 +1801,7 @@ ppp_profile="name_of_service_provider"usbd_enable="YES" It is also possible to set up - ppp to dial up at startup. To do + &man.ppp.8; to dial up at startup. To do this add the following lines to /etc/rc.conf: 
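Review bot: The @@ -683,34 +684,34 @@ hunk changes the meaning of the text by replacing mgetty with &man.getty.8;. mgetty is the separate comms/mgetty+sendfax port, so the result reads "An alternative to &man.getty.8; is mgetty ... a smarter version of &man.getty.8;" followed by "The advantages of using &man.getty.8; is that it actively talks to modems" and "Later versions of &man.getty.8; (from 0.99beta onwards) also support the automatic detection of PPP streams", which are statements about mgetty, not getty(8). Only the two occurrences that originally read getty should become &man.getty.8;; the mgetty references need application markup such as <application>mgetty</application>. Also "The advantages of using ... is" should be "are".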
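Review bot: The same substitution error continues in the @@ -891,9 +892,9 @@ hunk, "allowing &man.getty.8; to detect the LCP phase of PPP connections and automatically spawn off a &man.ppp.8; shell", which describes the AUTO_PPP option of the comms/mgetty+sendfax port named two lines earlier; it should refer to mgetty. The @@ -874,10 +875,10 @@ title and index term ("&man.getty.8; and AutoPPP") and the @@ -909,7 +910,7 @@ sentence "This will tell &man.getty.8; to run the ppp-pap-dialup script" have the same problem, since the /AutoPPP/ line shown in that hunk is mgetty configuration.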
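Review bot: In the @@ -1423,8 +1423,8 @@ hunk, "Use &man.at.1; to initialize the modem" now links the modem attention command to at(1), the job scheduler. The "at" here is the Hayes AT prefix typed to the modem in terminal mode (the following words, "then type atdt and the number", use the same prefix and the OK/CONNECT context lines are the modem's replies), so it should keep literal markup such as <command>at</command> or a userinput element rather than a man page entity.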
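Review bot: Style point in the @@ -1382,14 +1383,13 @@ hunk: "the machine running &man.ppp.8;. To start &man.ppp.8;:" renders the ppp(8) reference twice in adjacent sentences; suggest "the machine running &man.ppp.8;. To start it:" so the entity appears once.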
@@ -1993,7 +1993,7 @@ ng0: flags=88d1<UP,POINTOPOINT,RUNNIN A tun virtual tunnel device will be created for interaction between the pptp and - ppp processes. Once the prompt is + &man.ppp.8; processes. Once the prompt is returned, or the pptp process has confirmed a connection, examine the tunnel: @@ -2004,7 +2004,7 @@ tun0: flags=8051<UP,POINTOPOINT,RUNNI If unable to connect, check the router configuration, which is usually accessible via - telnet or a web browser. Examine + &man.telnet.1; or a web browser. Examine the output of pptp and the contents of /var/log/ppp.log for clues. From owner-svn-doc-projects@FreeBSD.ORG Tue Apr 30 09:50:27 2013 Return-Path: Delivered-To: svn-doc-projects@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id E535DF25; Tue, 30 Apr 2013 09:50:27 +0000 (UTC) (envelope-from gabor@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id D53A6165C; Tue, 30 Apr 2013 09:50:27 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r3U9oRG7063111; Tue, 30 Apr 2013 09:50:27 GMT (envelope-from gabor@svn.freebsd.org) Received: (from gabor@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r3U9oNqX063075; Tue, 30 Apr 2013 09:50:23 GMT (envelope-from gabor@svn.freebsd.org) Message-Id: <201304300950.r3U9oNqX063075@svn.freebsd.org> 
From: Gabor Kovesdan Date: Tue, 30 Apr 2013 09:50:23 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org Subject: svn commit: r41526 - in projects/xml-tools: de_DE.ISO8859-1/articles de_DE.ISO8859-1/articles/freebsd-update-server de_DE.ISO8859-1/articles/port-mentor-guidelines de_DE.ISO8859-1/books/handbook/cu... X-SVN-Group: doc-projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-projects@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for doc projects trees List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 30 Apr 2013 09:50:28 -0000 Author: gabor Date: Tue Apr 30 09:50:22 2013 New Revision: 41526 URL: http://svnweb.freebsd.org/changeset/doc/41526 Log: - MFH Added: projects/xml-tools/de_DE.ISO8859-1/articles/freebsd-update-server/ - copied from r41525, head/de_DE.ISO8859-1/articles/freebsd-update-server/ projects/xml-tools/en_US.ISO8859-1/htdocs/internal/clusteradm.xml - copied unchanged from r41525, head/en_US.ISO8859-1/htdocs/internal/clusteradm.xml projects/xml-tools/en_US.ISO8859-1/htdocs/projects/2011-freebsd-gsoc-thumbnail.jpg - copied unchanged from r41525, head/en_US.ISO8859-1/htdocs/projects/2011-freebsd-gsoc-thumbnail.jpg projects/xml-tools/en_US.ISO8859-1/htdocs/projects/2013-freebsd-gsoc-thumbnail.jpg - copied unchanged from r41525, head/en_US.ISO8859-1/htdocs/projects/2013-freebsd-gsoc-thumbnail.jpg projects/xml-tools/en_US.ISO8859-1/htdocs/projects/2013-freebsd-gsoc.pdf - copied unchanged from r41525, head/en_US.ISO8859-1/htdocs/projects/2013-freebsd-gsoc.pdf projects/xml-tools/en_US.ISO8859-1/htdocs/security/reporting.xml - copied unchanged from r41525, head/en_US.ISO8859-1/htdocs/security/reporting.xml projects/xml-tools/en_US.ISO8859-1/htdocs/security/unsupported.xml - copied unchanged from r41525, head/en_US.ISO8859-1/htdocs/security/unsupported.xml 
projects/xml-tools/ja_JP.eucJP/htdocs/security/reporting.xml - copied unchanged from r41525, head/ja_JP.eucJP/htdocs/security/reporting.xml
projects/xml-tools/ja_JP.eucJP/htdocs/security/unsupported.xml - copied unchanged from r41525, head/ja_JP.eucJP/htdocs/security/unsupported.xml
projects/xml-tools/share/pgpkeys/asomers.key - copied unchanged from r41525, head/share/pgpkeys/asomers.key
projects/xml-tools/share/pgpkeys/bhaga.key - copied unchanged from r41525, head/share/pgpkeys/bhaga.key
projects/xml-tools/share/pgpkeys/bk.key - copied unchanged from r41525, head/share/pgpkeys/bk.key
projects/xml-tools/share/pgpkeys/deb.key - copied unchanged from r41525, head/share/pgpkeys/deb.key
projects/xml-tools/share/pgpkeys/dhw.key - copied unchanged from r41525, head/share/pgpkeys/dhw.key
projects/xml-tools/share/pgpkeys/dutchdaemon.key - copied unchanged from r41525, head/share/pgpkeys/dutchdaemon.key
projects/xml-tools/share/pgpkeys/hiren.key - copied unchanged from r41525, head/share/pgpkeys/hiren.key
projects/xml-tools/share/pgpkeys/pgpkeys-other.xml - copied unchanged from r41525, head/share/pgpkeys/pgpkeys-other.xml
projects/xml-tools/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc - copied unchanged from r41525, head/share/security/advisories/FreeBSD-SA-13:05.nfsserver.asc
projects/xml-tools/share/security/patches/SA-13:05/ - copied from r41525, head/share/security/patches/SA-13:05/
Deleted:
projects/xml-tools/ja_JP.eucJP/htdocs/FAQ/
projects/xml-tools/ja_JP.eucJP/htdocs/availability.xml
projects/xml-tools/ja_JP.eucJP/htdocs/tutorials/
Modified:
projects/xml-tools/de_DE.ISO8859-1/articles/Makefile
projects/xml-tools/de_DE.ISO8859-1/articles/freebsd-update-server/article.xml
projects/xml-tools/de_DE.ISO8859-1/articles/port-mentor-guidelines/article.xml
projects/xml-tools/de_DE.ISO8859-1/books/handbook/cutting-edge/chapter.xml
projects/xml-tools/de_DE.ISO8859-1/books/porters-handbook/book.xml
projects/xml-tools/de_DE.ISO8859-1/htdocs/docs/books.xml
projects/xml-tools/de_DE.ISO8859-1/share/xml/news.xml
projects/xml-tools/de_DE.ISO8859-1/share/xml/release.l10n.ent
projects/xml-tools/en_US.ISO8859-1/articles/committers-guide/article.xml
projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.additional.xml
projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.committers.xml
projects/xml-tools/en_US.ISO8859-1/books/handbook/jails/chapter.xml
projects/xml-tools/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.xml
projects/xml-tools/en_US.ISO8859-1/books/handbook/pgpkeys/chapter.xml
projects/xml-tools/en_US.ISO8859-1/books/handbook/ports/chapter.xml
projects/xml-tools/en_US.ISO8859-1/books/porters-handbook/book.xml
projects/xml-tools/en_US.ISO8859-1/books/porters-handbook/uses.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/administration.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/advocacy/myths.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/docs/books.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/internal/Makefile
projects/xml-tools/en_US.ISO8859-1/htdocs/portmgr/policies_eol.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/projects/Makefile
projects/xml-tools/en_US.ISO8859-1/htdocs/projects/summerofcode.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/releases/8.4R/schedule.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/security/Makefile
projects/xml-tools/en_US.ISO8859-1/htdocs/security/security.xml
projects/xml-tools/en_US.ISO8859-1/htdocs/where.xml
projects/xml-tools/ja_JP.eucJP/books/handbook/kernelconfig/chapter.xml
projects/xml-tools/ja_JP.eucJP/books/handbook/ports/chapter.xml
projects/xml-tools/ja_JP.eucJP/htdocs/Makefile
projects/xml-tools/ja_JP.eucJP/htdocs/docs/books.xml
projects/xml-tools/ja_JP.eucJP/htdocs/internal/Makefile
projects/xml-tools/ja_JP.eucJP/htdocs/security/Makefile
projects/xml-tools/ja_JP.eucJP/htdocs/security/security.xml
projects/xml-tools/ja_JP.eucJP/htdocs/where.xml
projects/xml-tools/ja_JP.eucJP/share/xml/navibar.l10n.ent
projects/xml-tools/ja_JP.eucJP/share/xml/news.xml projects/xml-tools/ru_RU.KOI8-R/articles/freebsd-questions/article.xml projects/xml-tools/ru_RU.KOI8-R/articles/geom-class/article.xml projects/xml-tools/ru_RU.KOI8-R/articles/hubs/article.xml projects/xml-tools/ru_RU.KOI8-R/articles/pr-guidelines/article.xml projects/xml-tools/ru_RU.KOI8-R/books/design-44bsd/Makefile projects/xml-tools/ru_RU.KOI8-R/books/design-44bsd/book.xml projects/xml-tools/ru_RU.KOI8-R/books/handbook/install/chapter.xml projects/xml-tools/ru_RU.KOI8-R/books/handbook/ports/chapter.xml projects/xml-tools/share/pgpkeys/pgpkeys-developers.xml projects/xml-tools/share/pgpkeys/pgpkeys.ent projects/xml-tools/share/xml/advisories.xml projects/xml-tools/share/xml/authors.ent projects/xml-tools/share/xml/commercial.consult.xml projects/xml-tools/share/xml/commercial.isp.xml projects/xml-tools/share/xml/developers.ent projects/xml-tools/share/xml/navibar.ent projects/xml-tools/share/xml/news.xml projects/xml-tools/share/xml/release.ent Directory Properties: projects/xml-tools/ (props changed) projects/xml-tools/de_DE.ISO8859-1/ (props changed) projects/xml-tools/en_US.ISO8859-1/ (props changed) projects/xml-tools/en_US.ISO8859-1/htdocs/projects/2009-freebsd-gsoc.pdf (props changed) projects/xml-tools/en_US.ISO8859-1/htdocs/projects/2010-freebsd-gsoc.pdf (props changed) projects/xml-tools/en_US.ISO8859-1/htdocs/projects/2011-freebsd-gsoc.pdf (props changed) projects/xml-tools/ja_JP.eucJP/ (props changed) projects/xml-tools/ru_RU.KOI8-R/ (props changed) projects/xml-tools/share/ (props changed) Modified: projects/xml-tools/de_DE.ISO8859-1/articles/Makefile ============================================================================== --- projects/xml-tools/de_DE.ISO8859-1/articles/Makefile Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/de_DE.ISO8859-1/articles/Makefile Tue Apr 30 09:50:22 2013 (r41526) 
@@ -8,6 +8,7 @@ SUBDIR = contributing SUBDIR+= contributing-ports SUBDIR+= explaining-bsd +SUBDIR+= freebsd-update-server SUBDIR+= laptop SUBDIR+= linux-comparison SUBDIR+= nanobsd Modified: projects/xml-tools/de_DE.ISO8859-1/articles/freebsd-update-server/article.xml ============================================================================== --- head/de_DE.ISO8859-1/articles/freebsd-update-server/article.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/de_DE.ISO8859-1/articles/freebsd-update-server/article.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -1,8 +1,6 @@ - - -%entities; + +FreeBSD Update Server"> ]> @@ -836,14 +834,14 @@ the new builds. # Build the world log "Building world" - cd /usr/src && - make -j 2 ${COMPATFLAGS} buildworld 2>&1 + cd /usr/src && + make -j 2 ${COMPATFLAGS} buildworld 2>&1 # Distribute the world log "Distributing world" - cd /usr/src/release && - make -j 2 obj && - make ${COMPATFLAGS} release.1 release.2 2>&1 + cd /usr/src/release && + make -j 2 obj && + make ${COMPATFLAGS} release.1 release.2 2>&1 Modified: projects/xml-tools/de_DE.ISO8859-1/articles/port-mentor-guidelines/article.xml ============================================================================== Binary file (source and/or target). No diff available. Modified: projects/xml-tools/de_DE.ISO8859-1/books/handbook/cutting-edge/chapter.xml ============================================================================== --- projects/xml-tools/de_DE.ISO8859-1/books/handbook/cutting-edge/chapter.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/de_DE.ISO8859-1/books/handbook/cutting-edge/chapter.xml Tue Apr 30 09:50:22 2013 (r41526) 
@@ -379,7 +379,7 @@ MergeChanges /etc/ /var/named/etc/-p-Nummer, die von dem Kommando uname -r ausgegeben wird) wird aus dieser Datei ausgelesen. Die Neuinstallation des selbstkonfigurierten Kernels, selbst wenn - sich daran nichts geädert hat, erlaubt es &man.uname.1;, den + sich daran nichts geändert hat, erlaubt es &man.uname.1;, den aktuellen Patch-Level des Systems korrekt wiederzugeben. Dies ist besonders hilfreich, wenn mehrere Systeme gewartet werden, da es eine schnelle Einschätzung der installierten Aktualisierungen in Modified: projects/xml-tools/de_DE.ISO8859-1/books/porters-handbook/book.xml ============================================================================== --- projects/xml-tools/de_DE.ISO8859-1/books/porters-handbook/book.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/de_DE.ISO8859-1/books/porters-handbook/book.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -8,7 +8,7 @@ $FreeBSD$ $FreeBSDde: de-docproj/books/porters-handbook/book.xml,v 1.241 2011/10/08 16:18:17 jkois Exp $ - basiert auf: 1.1117 + basiert auf: r37819 --> 
@@ -15824,12 +15824,50 @@ Reference: <http://www.freebsd.org/po + 900040 + 19. Juli 2011 + Standardmäßige Erhöhung von MAXCPU für &os; auf + 64 für amd64 und ia64 und auf 128 für XLP + (mips). + + + 900041 13. August 2011 9.0-CURRENT, nachdem Capsicum-Funktionalitäten implementiert wurden. Zusätzlich wurde fget(9) um ein Rechte-Argument erweitert. + + + 900042 + 28. August 2011 + Versionssprünge für Shared-Libraries deren ABI + sich geändert hat, in Vorbereitung für 9.0. + + + + 900043 + 2. September 2011 + Automatische Erkennung von USB-Massenspeicher + Geräten, die das no synchronize cache SCSI Kommando + nicht unterstützen. + + + + 900044 + 10. September 2011 + Re-factor auto-quirk. + + + + 900045 + 13. Oktober 2011 + Allen nicht-kompatiblen + Systemaufruf-Einstiegspunkten wurde ein sys_ + vorangestellt. + + Modified: projects/xml-tools/de_DE.ISO8859-1/htdocs/docs/books.xml ============================================================================== --- projects/xml-tools/de_DE.ISO8859-1/htdocs/docs/books.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/de_DE.ISO8859-1/htdocs/docs/books.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -1,9 +1,9 @@ + - + @@ -256,7 +256,7 @@ (mh)
Eine Einführung in das MH-Mailprogramm.

-

NanoBSD +

NanoBSD (nanobsd)
Informationen zu den NanoBSD-Werkzeugen, mit deren Hilfe sich FreeBSD-Images für den Einsatz in eingebetteten Modified: projects/xml-tools/de_DE.ISO8859-1/share/xml/news.xml ============================================================================== --- projects/xml-tools/de_DE.ISO8859-1/share/xml/news.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/de_DE.ISO8859-1/share/xml/news.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -4,7 +4,7 @@ @@ -16,7 +16,7 @@ Version & Plattform Distribution - ISO + ISO Statusseite @@ -89,7 +89,7 @@ Version & Plattform Distribution - ISO + ISO Modified: projects/xml-tools/en_US.ISO8859-1/articles/committers-guide/article.xml ============================================================================== --- projects/xml-tools/en_US.ISO8859-1/articles/committers-guide/article.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/en_US.ISO8859-1/articles/committers-guide/article.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -143,7 +143,6 @@ Branches - stable/7 (7.X-STABLE), stable/8 (8.X-STABLE), stable/9 (9.X-STABLE), head (-CURRENT) @@ -2426,10 +2425,10 @@ ControlPersist yes - &a.simon; + &a.des; - Simon is the + Dag-Erling is the FreeBSD Security Officer and oversees the &a.security-officer;. Modified: projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.additional.xml ============================================================================== --- projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.additional.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.additional.xml Tue Apr 30 09:50:22 2013 (r41526) 
@@ -2086,6 +2086,11 @@ + Daniel Levai + leva@ecentrum.hu + + + Daniel J. O'Connor darius@dons.net.au Modified: projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.committers.xml ============================================================================== --- projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.committers.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/en_US.ISO8859-1/articles/contributors/contrib.committers.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -1088,6 +1088,10 @@ + &a.hiren; + + + &a.hmp; @@ -1376,6 +1380,10 @@ + &a.asomers; + + + &a.brian; Modified: projects/xml-tools/en_US.ISO8859-1/books/handbook/jails/chapter.xml ============================================================================== --- projects/xml-tools/en_US.ISO8859-1/books/handbook/jails/chapter.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/en_US.ISO8859-1/books/handbook/jails/chapter.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -556,7 +556,6 @@ jail_www_devf usage of its features. If the presented steps below look too complicated, it is advised to take a look at a simpler system such as sysutils/qjail or sysutils/ezjail, which provides an easier method of administering &os; jails and is not as sophisticated as this setup. Modified: projects/xml-tools/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.xml ============================================================================== --- projects/xml-tools/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/en_US.ISO8859-1/books/handbook/kernelconfig/chapter.xml Tue Apr 30 09:50:22 2013 (r41526) 
@@ -493,14 +493,16 @@ options IPDIVERTGENERIC will be also be added to the local kernel unless they are specifically prevented using nooptions or nodevice. - The remainder of this chapter addresses the contents of a + A comprehensive list of configuration directives and their + descriptions may be found in &man.config.5;. + + The remainder of this chapter addresses the contents of a typical configuration file and the role various options and devices play. To build a file which contains all available options, run the following command as root: - &prompt.root; cd /usr/src/sys/i386/conf && make LINT Modified: projects/xml-tools/en_US.ISO8859-1/books/handbook/pgpkeys/chapter.xml ============================================================================== --- projects/xml-tools/en_US.ISO8859-1/books/handbook/pgpkeys/chapter.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/en_US.ISO8859-1/books/handbook/pgpkeys/chapter.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -37,4 +37,10 @@ §ion.pgpkeys-developers; + + + Other Cluster Account Holders + + §ion.pgpkeys-other; + Modified: projects/xml-tools/en_US.ISO8859-1/books/handbook/ports/chapter.xml ============================================================================== --- projects/xml-tools/en_US.ISO8859-1/books/handbook/ports/chapter.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/en_US.ISO8859-1/books/handbook/ports/chapter.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -1337,7 +1337,7 @@ Deinstalling ca_root_nss-3.13.5... done< Once the compile is complete, you are returned to the prompt. The next step is to install the port using - make install: + make install: &prompt.root; make install ===> Installing for lsof-4.57 
@@ -1778,7 +1778,8 @@ ftp://ftp.FreeBSD.org/pub/FreeBSD/ports/ The portsclean utility is part of the - portupgrade suite. + ports-mgmt/portupgrade + suite. directly supports the window system. Do not put regular X applications here; most of them should go into other x11-* categories - (see below). If your port is - an X application, define USE_XLIB - (implied by USE_IMAKE) and put it - in the appropriate category. + (see below). @@ -3866,17 +3863,6 @@ ALWAYS_KEEP_DISTFILES= yes - USE_CDRTOOLS - The port requires - cdrecord either from - sysutils/cdrtools or - sysutils/cdrtools-cjk, - according to the user's preference. - - - USE_GCC The port requires a specific version of gcc to build. The exact version @@ -5775,69 +5761,18 @@ CMAKE_SOURCE_PATH= ${WRKSRC}/subp - - Using <literal>pkg-config</literal> - - If your ports requires pkg-config, - just set USE_PKGCONFIG to the following - possible values: - - Values for <makevar>USE_PKGCONFIG</makevar> - - - - - Definition - Description - - - - - - USE_PKGCONFIG= yes - The ports uses pkg-config only at build - time - - - - USE_PKGCONFIG= build - The ports uses pkg-config only at build - time - - - - USE_PKGCONFIG= run - The ports uses pkg-config only at run - time - - - - USE_PKGCONFIG= both - The ports uses pkg-config both at build and run - time - - - -
-
- Using GNU <literal>gettext</literal> Basic Usage - If your port requires gettext, - just set USE_GETTEXT to - yes, and your port will grow the - dependency on devel/gettext. The value of - USE_GETTEXT can also specify the required - version of the libintl library, the basic - part of gettext, but using this feature - is strongly discouraged: Your port - should work with just the current version of devel/gettext. + If your port requires gettext, set + USES= gettext, and your + port will inherit a dependency on devel/gettext. Other values for + gettext usage are listed in . A rather common case is a port using gettext and configure. @@ -5848,7 +5783,7 @@ CMAKE_SOURCE_PATH= ${WRKSRC}/subp CPPFLAGS and LDFLAGS as follows: - USE_GETTEXT= yes + USES= gettext CPPFLAGS+= -I${LOCALBASE}/include LDFLAGS+= -L${LOCALBASE}/lib @@ -5857,7 +5792,7 @@ GNU_CONFIGURE= yes Of course, the code can be more compact if there are no more flags to pass to configure: - USE_GETTEXT= yes + USES= gettext GNU_CONFIGURE= yes @@ -5878,7 +5813,7 @@ GNU_CONFIGURE= yes .include <bsd.port.options.mk> .if ${PORT_OPTIONS:MNLS} -USE_GETTEXT= yes +USES+= gettext PLIST_SUB+= NLS="" .else CONFIGURE_ARGS+= --disable-nls 
@@ -6134,25 +6069,12 @@ PLIST_SUB+= NLS="@comment " USE_GL= glu - Some ports define USE_XLIB, which - makes the port depend on all the 50 or so libraries. This - variable exists for backwards compatibility, as it predates - modular X.Org, and should not be used on new ports. - Variables for Ports That Use X - USE_XLIB - The port uses the X libraries. Deprecated - - use a list of X.Org components in - USE_XORG variable - instead. - - - USE_IMAKE The port uses imake. Modified: projects/xml-tools/en_US.ISO8859-1/books/porters-handbook/uses.xml ============================================================================== --- projects/xml-tools/en_US.ISO8859-1/books/porters-handbook/uses.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/en_US.ISO8859-1/books/porters-handbook/uses.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -40,15 +40,51 @@ + desktop-file-utils + none + + Implies that the port uses the + update-desktop-database from + devel/desktop-file-utils. + This uses will automatically add a post-install step in such a way + that the port itself still can specify there own post-install step + if needed. It also insert lines into the plist for package + install and removal to run + update-desktop-database. + + + fuse none Implies the port will depend on the FUSE library and handle - the the dependency on the kernel module depending on the version + the dependency on the kernel module depending on the version of &os;. + gettext + none, lib, build, + run + Implies that the port uses devel/gettext in one way or another. By + default, with no arguments or with the lib + argument, implies gettext with build-time and + run-time dependencies, build implies a build-time + dependency, and run implies a run-time + dependency. + + + + iconv + none + Implies that the port uses converters/libiconv as build-time and + run-time dependency. + + + + pathfix none Look for the Makefile.in and 
@@ -58,6 +94,21 @@ + pkgconfig + + none, build, run, + both + + Implies that the port uses devel/pkgconf in one way or another. + With no arguments or with the build + argument, it implies pkg-config as a build-time + dependency; run implies a run-time dependency; + and both implies both run-time and build-time + dependencies. + + + qmail none, build, run, both, vars @@ -72,6 +123,21 @@ + shared-mime-info + none + + Implies that the port uses + update-mime-database from + misc/shared-mime-info. This + uses will automatically add a post-install step in such a way that + the port itself still can specify there own post-install step if + needed. It also insert lines into the plist for package install + and removal to run + update-mime-data with the correct + arguments. + + + zenoss none Implies the port uses &a.tabthorpe; <tabthorpe@FreeBSD.org>
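Review bot: The same wording problems recur in the new shared-mime-info entry of the @@ -72,6 +123,21 @@ hunk: "specify there own post-install step" should be "their own" and "It also insert lines" should be "inserts". The entry also names two different commands: it says the port uses update-mime-database from misc/shared-mime-info, but the plist lines are said to run "update-mime-data"; the two should agree, the way the desktop-file-utils entry uses update-desktop-database in both places.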
  • &a.marcus; <marcus@FreeBSD.org>
  • &a.bapt; <bapt@FreeBSD.org>
  • -
  • &a.bdrewery; <bdrewery@FreeBSD.org>
  • +
  • &a.bdrewery; <bdrewery@FreeBSD.org> + (Release Engineering Team Liaison)
  • &a.decke; <decke@FreeBSD.org>
  • &a.erwin; <erwin@FreeBSD.org>
  • &a.itetcu; <itetcu@FreeBSD.org>
  • @@ -150,12 +151,20 @@ Engineering Team in greater detail.

    Builders Release Engineering Team @@ -206,12 +215,12 @@ href="mailto:denise@ixsystems.com">denise@ixsystems.com>
  • Deb Goodkin <deb@FreeBSD.org>
  • &a.jkoshy; <jkoshy@FreeBSD.org>
  • -
  • Dru Lavigne <dlavigne6@sympatico.ca>
  • +
  • &a.dru; <dru@FreeBSD.org>
  • &a.mwlucas; <mwlucas@FreeBSD.org>
  • &a.imp; <imp@FreeBSD.org>
  • -
  • Kris Moore <kris@pcbsd.org>
  • +
  • &a.kmoore; <kmoore@FreeBSD.org>
  • &a.murray; <murray@FreeBSD.org>
  • Matt Olander <matt@FreeBSD.org>
  • Jeremy C. Reed <

    Cluster Administrators - <clusteradm@>

    + <admins@>
  • The Cluster Administrators consists of the people responsible for administrating the machines that the project relies on for its distributed work and communication to be synchronised. It consists mainly of those people who have physical access to the servers. Issues concerning the projects infrastructure or setting up new - machines should be directed to the cluster administrators.

    + machines should be directed to the cluster administrators. This + team is led by the lead cluster administrator whose duties and + responsbilities are described in the cluster administration charter + in greater detail.
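Review bot: Typo in the added sentence of the Cluster Administrators hunk: "responsbilities" should be "responsibilities". The unchanged context just above it, "Issues concerning the projects infrastructure", also wants the possessive "the project's infrastructure".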

    CVSup Mirror Site Coordinators Modified: projects/xml-tools/en_US.ISO8859-1/htdocs/advocacy/myths.xml ============================================================================== --- projects/xml-tools/en_US.ISO8859-1/htdocs/advocacy/myths.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/en_US.ISO8859-1/htdocs/advocacy/myths.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -27,8 +27,8 @@ particular project it is indicated as such.
    If you are aware of an omission or error on this page, please - let the maintainer, Tom Rhodes <trhodes@FreeBSD.org> - know.
    + let the FreeBSD + documentation project mailing list know.

    Index

    @@ -88,8 +88,8 @@ from the Internet, 24 hours a day. You don't need to wait for someone else to roll a release.

    -

    FreeBSD, NetBSD: An installable snapshot of the current - progress is made every 24 hours. These snapshots can be installed +

    FreeBSD: An installable snapshot of the current + progress is made weekly. These snapshots can be installed exactly like an ordinary release, and do not require installation over an existing system.

    @@ -105,13 +105,6 @@ released, simply because for most *BSD users it is an every day event.

    -
  • All the *BSD Projects use CVS to maintain their source code.

    - -

    All the *BSD Projects: make a CVS tree available for anyone to - browse and download, 24 hours a day. The tree can be retrieved using - Anonymous CVS, CVSup, CVSupit, CTM (by e-mail), or through simple - FTP.

  • -
  • Anyone can submit patches, bug reports, documentation, and other contributions. They can do this by using the send-pr program installed on their *BSD system, or by using a web based @@ -185,8 +178,7 @@

  • TinyBSD is a set of tools made up of shell scripts designed to allow easy - development of Embedded Systems based on FreeBSD 5.x and - 6.x.

  • + development of Embedded Systems based on FreeBSD.

  • ThinBSD is a small FreeBSD based boot image that allows a standard PC to act as @@ -258,40 +250,8 @@ outdated nor dying. Many professional users like the stability that years of testing has provided FreeBSD.

    -

    Technological enhancements continue to be added to *BSD, including, - but not limited to;

    - -
      -
    • SMP: Symmetric Multi-Processing, making use of systems with - multiple CPUs.

    • - -
    • SoftUpdates: Makes the BSD filesystem at least as fast as the - Linux filesystem, without needing to enable - asynchronous writes, with their associated risk.

    • - -
    • VM system: The VM (Virtual Memory) subsystem continues to be - refined. The merged VM/cache design helps systems like - wcarchive.cdrom.com juggle thousands (literally, more than 10,000) - simultaneous FTP connections without falling over.

    • - -
    • Architecture ports: FreeBSD supports seven main architectures - currently: Alpha, AMD64, i386, Itanium, PC-98, PowerPC and UltraSPARC. - There are also ongoing works to port the project for further - architectures. See the Supported Platforms page - for more information.

    • - -
    • MAC Framework: FreeBSD supports Mandatory Access Control, a feature - usually found in trusted operating systems available for high - prices. FreeBSD gives you advanced security for free! The - TrustedBSD Project - provides further trusted operating system extensions.

    • - -
    • GEOM classess: GEOM is a modular disk framework that lets - you concatenate, mirror, stripe, or encrypt disks. It is rich - in functionality and keeps your data safe.

    • - -
    +

    Technological + enhancements continue to be added to *BSD.


    Modified: projects/xml-tools/en_US.ISO8859-1/htdocs/docs/books.xml ============================================================================== --- projects/xml-tools/en_US.ISO8859-1/htdocs/docs/books.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/en_US.ISO8859-1/htdocs/docs/books.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -257,6 +257,11 @@ A guide to the PAM system and modules under FreeBSD.

    +

    + Port Mentor Guidelines (port-mentor-guidelines)
    + Guidelines for new and/or potential port mentors and + mentees.

    +

    Package building procedures (portbuild)
    Describes the approach used by the FreeBSD port Modified: projects/xml-tools/en_US.ISO8859-1/htdocs/internal/Makefile ============================================================================== --- projects/xml-tools/en_US.ISO8859-1/htdocs/internal/Makefile Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/en_US.ISO8859-1/htdocs/internal/Makefile Tue Apr 30 09:50:22 2013 (r41526) @@ -9,6 +9,7 @@ DOCS= about.xml DOCS+= bylaws.xml +DOCS+= clusteradm.xml DOCS+= core-vote.xml DOCS+= data.xml DOCS+= developer.xml Copied: projects/xml-tools/en_US.ISO8859-1/htdocs/internal/clusteradm.xml (from r41525, head/en_US.ISO8859-1/htdocs/internal/clusteradm.xml) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ projects/xml-tools/en_US.ISO8859-1/htdocs/internal/clusteradm.xml Tue Apr 30 09:50:22 2013 (r41526, copy of r41525, head/en_US.ISO8859-1/htdocs/internal/clusteradm.xml) @@ -0,0 +1,105 @@ + + +]> + + + &title; + + $FreeBSD$ + + + + + +

    Lead cluster administrator is a delegated officer role (aka. "hat") + that answers to the &os; Core Team and ultimately the &os; community + at large. This person shall have the operational authority over the + &os; cluster infrastructure (to the extent that the Core Team can + delegate this authority) and will be responsible for the following in + general:

    + +
      +
    • Ensure the reliable operation of the Project's equipment and + network resources.
    • + +
    • Ensure that the Project's resources are suitably and effectively + used to serve the Project's interests.
    • + +
    • Ensure that reasonable security precautions and mitigations are + implemented within the constraints of the nature of a highly + distributed project.
    • + +
    • Delegate to and coordinating with both the site-specific admin + teams and the admins at large.
    • + +
    • Ensure that standard operating procedures, rules, guidelines etc + are documented and understandable.
    • + +
    • Take measures to ensure that a competent administrator would be + expected to be able to adopt a predecessor's work in a reasonable + amount of time.
    • + +
    • Contingency planning and implementation to ensure continuity + across site specific problems (including donated site withdrawal or + outages).
    • + +
    • Keep the interested parties (Core Team, Security Team, &os; + Foundation, Port Management Team, etc), project members and community + members appropriately informed.
    • + +
    • Give timely and authoritive answers to questions, or a direct + referral to the appropriate party.
    • + +
    • Aid other hat wearers and cluster administrators to get their job + done.
    • + +
    • Where practical and appropriate, use the Project's own product as + a proving ground.
    • + +
    • Make sure that it is easy for developers to know what hardware + resources they have access to for project purposes.
    • +
    + +

    The lead cluster administrator answers to the &os; Core Team. If a + party is unhappy with a position that the hat wearer takes and is + unable to change their mind, they may take the issue to the Core Team. + The Core Team has the final say in the matter. If the lead cluster + administrator is a member of the Core Team then a complaint may be + made in confidence via the core secretary or another member if + desired.

    + +

    Any of the following still require a sign-off from the Core Team:

    + +
      +
    • New public facing services.
    • + +
    • Planned withdrawal of public facing services.
    • + +
    • New team members.
    • +
    + +

    Notable interaction with other hats:

    + +
      +
    • The lead cluster administrator will consult with the Security + Officer and the Security Team where appropriate but will be + responsible for making decisions. However, the Security Officer may + respond to security emergencies involving project infrastructure as + necessary.
    • + +
    • The Port Management Team has a large resource footprint and + arrangements will be made with them to effectively operate their + resources within the constraints of the overall cluster + operation.
    • +
    + +

    Earmarked resources:

    + +

    Some site resources are provided for specific purposes. Any such + earmarking or use restrictions will be documented to make sure such + resources are used as intended.
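Review bot: Spelling and parallelism in the new responsibilities list of clusteradm.xml: "authoritive answers" should be "authoritative answers"; "Delegate to and coordinating with both the site-specific admin teams and the admins at large" mixes verb forms where the other bullets use the imperative, so "Delegate to and coordinate with" fits; "Contingency planning and implementation to ensure continuity" is a noun phrase in the same imperative list, so "Plan for and implement contingencies to ensure continuity" would match. "etc" appears twice without its period ("rules, guidelines etc" and "Port Management Team, etc)"). On the security bullet, "reasonable security precautions and mitigations are implemented" is the one responsibility with no pointer to where they are recorded, while the later bullet requires standard operating procedures to be documented; tying the two together ("implemented and documented alongside the standard operating procedures") would make the charter's expectation clearer.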

    + + + Modified: projects/xml-tools/en_US.ISO8859-1/htdocs/portmgr/policies_eol.xml ============================================================================== --- projects/xml-tools/en_US.ISO8859-1/htdocs/portmgr/policies_eol.xml Tue Apr 30 01:29:18 2013 (r41525) +++ projects/xml-tools/en_US.ISO8859-1/htdocs/portmgr/policies_eol.xml Tue Apr 30 09:50:22 2013 (r41526) @@ -56,52 +56,38 @@
  • - - - - - - - - - - - - - - - - - - - - - *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-doc-projects@FreeBSD.ORG Thu May 2 14:22:16 2013
Message-Id: <201305021422.r42EMGne080645@svn.freebsd.org>
From: Dru Lavigne
Date: Thu, 2 May 2013 14:22:16 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41541 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security

Author: dru
Date: Thu May 2 14:22:15 2013
New Revision: 41541
URL: http://svnweb.freebsd.org/changeset/doc/41541

Log:
  This patch addresses the following in the second half of this chapter:
  - you
  - &os;
  - some acronym tags
  - the remaining command/application tags that should be man page entities
  - some grammar fixes

  Approved by: bcr (mentor)

Modified:
  projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml ============================================================================== --- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu May 2 13:02:26 2013 (r41540) +++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu May 2 14:22:15 2013 (r41541) @@ -53,7 +53,7 @@ How to configure TCP Wrappers for use - with inetd. + with &man.inetd.8;. @@ -257,7 +257,7 @@ Securing the <username>root</username> Account - su + &man.su.1; Most @@ -355,7 +355,7 @@ sandboxes - sshd + &man.sshd.8; The prudent sysadmin only enables required services 
@@ -365,12 +365,12 @@ root as many daemons can be run as a separate service account or can be started in a sandbox. Do not activate insecure - services such as telnetd or - rlogind. + services such as &man.telnetd.8; or + &man.rlogind.8;. Another potential security hole is SUID-root and SGID binaries. Most of these binaries, such as - rlogin, reside in /bin, /sbin, /usr/bin, or - sysctl + &man.sysctl.8; Even if bpf is disabled, @@ -525,7 +525,7 @@ The best way to detect an intrusion is to look for modified, missing, or unexpected files. The best way to look for modified files is from another, often centralized, - limited-access system. Writing your security scripts on the + limited-access system. Writing security scripts on the extra-security limited-access system makes them mostly invisible to potential attackers. In order to take maximum advantage, @@ -657,7 +657,7 @@ &man.inetd.8; carefully and pay specific attention to , , and . Spoofed IP attacks will circumvent - to inetd, so + to &man.inetd.8;, so typically a combination of options must be used. Some standalone servers have self-fork-limitation parameters. @@ -681,7 +681,7 @@ reasonable MaxDaemonChildren to prevent cascade failures. - Syslogd can be attacked + &man.syslogd.8; can be attacked directly and it is strongly recommended to use whenever possible, and otherwise. @@ -722,10 +722,10 @@ with ICMP responses. This type of attack can crash the server by running it out of memory, especially if the server cannot drain the ICMP responses it generates fast enough. Use - the sysctl variable + the &man.sysctl.8; variable net.inet.icmp.icmplim to limit these attacks. The last major class of springboard attacks is - related to certain internal inetd + related to certain internal &man.inetd.8; services such as the UDP echo service. An attacker spoofs a UDP packet with a source address of server A's echo port and a destination address of server B's echo port, where 
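Review bot: Inconsistent markup in the @@ -365,12 +365,12 @@ hunk: telnetd and rlogind are converted to &man.telnetd.8; and &man.rlogind.8;, but "rlogin" in the next sentence about SUID-root and SGID binaries stays plain text, which is exactly the kind of remaining command name the log message says this pass converts; &man.rlogin.1; would keep it consistent. In the @@ -525,7 +525,7 @@ hunk, "Writing security scripts on the extra-security limited-access system" repeats "security" awkwardly; "on the limited-access system" already carries the meaning.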
@@ -744,7 +744,7 @@ parameters. A spoofed packet attack that uses a random source IP will cause the kernel to generate a temporary cached route in the route table, viewable with netstat -rna | - fgrep W3. These routes typically timeout in 1600 + fgrep W3. These routes typically timeout in 1600 seconds or so. If the kernel detects that the cached route table has gotten too big, it will dynamically reduce the rtexpire but will never decrease it to less @@ -774,15 +774,15 @@ - Access Issues with Kerberos and SSH + Access Issues with Kerberos and &man.ssh.1; - ssh + &man.ssh.1; There are a few issues with both Kerberos and &man.ssh.1; that need to be addressed if they are used. Kerberos is an excellent authentication - protocol, but there are bugs in the kerberized - &man.telnet.1; and &man.rlogin.1; applications that make them + protocol, but there are bugs in the kerberized versions of + &man.telnet.1; and &man.rlogin.1; that make them unsuitable for dealing with binary streams. By default, Kerberos does not encrypt a session unless is used whereas &man.ssh.1; @@ -801,13 +801,14 @@ It is recommended that &man.ssh.1; is used in combination with Kerberos whenever possible for staff - logins and &man.ssh.1; can be compiled with + logins and &man.ssh.1; can be compiled with Kerberos support. This reduces reliance on potentially - exposed ssh keys while protecting passwords via Kerberos. + exposed SSH keys while protecting + passwords via Kerberos. Keys should only be used for automated tasks from secure machines as this is something that Kerberos is unsuited to. It is recommended to either turn off key-forwarding in the - ssh configuration, or to make use + SSH configuration, or to make use of from=IP/DOMAIN in authorized_keys to make the key only usable to entities logging in from specific machines. 
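Review bot: Using the man page entity in a section title, "Access Issues with Kerberos and &man.ssh.1;", renders the heading as "... and ssh(1)"; the body already uses the entity, so the heading could keep the plain "SSH", as the @@ -801 hunk does for "SSH keys" and "SSH configuration". In the unchanged context of the @@ -744,7 +744,7 @@ hunk, "These routes typically timeout in 1600 seconds" uses "timeout" as a verb; "time out" is the verb form.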
@@ -971,7 +972,7 @@ Secure Connection Initialization To initialize OPIE for the first time, - execute opiepasswd: + execute &man.opiepasswd.1;: &prompt.user; opiepasswd -c [grimreaper] ~ $ opiepasswd -f -c @@ -1173,7 +1174,7 @@ Enter secret pass phrase: < Initial Configuration To enable TCP Wrappers in &os;, ensure - the inetd server is started from + the &man.inetd.8; server is started from /etc/rc.conf with . Then, properly configure /etc/hosts.allow. @@ -1189,7 +1190,7 @@ Enter secret pass phrase: < are set to either be permitted or blocked depending on the options in /etc/hosts.allow. The default configuration in &os; is to allow a connection to every daemon - started with inetd. + started with &man.inetd.8;. Basic configuration usually takes the form of daemon : address : action, where @@ -1213,7 +1214,7 @@ Enter secret pass phrase: < # This line is required for POP3 connections: qpopper : ALL : allow - After adding this line, inetd + After adding this line, &man.inetd.8; needs to be restarted: &prompt.root; service inetd restart @@ -1575,7 +1576,7 @@ Verifying password - Password: KDC is functioning by obtaining and - listing a ticket for the principal (user) that you just + listing a ticket for the principal (user) that was just created from the command-line of the KDC itself: 
@@ -2134,31 +2135,31 @@ kadmind5_server_enable="YES"OpenSSL - One feature that many users overlook is the - OpenSSL toolkit included in &os;. - OpenSSL provides an encryption - transport layer on top of the normal communications layer; - thus allowing it to be intertwined with many network + The + OpenSSL toolkit is included in &os;. + It provides an encryption + transport layer on top of the normal communications layer, + allowing it to be intertwined with many network applications and services. Some uses of OpenSSL may - include encrypted authentication of mail clients, web based - transactions such as credit card payments and more. Many + include encrypted authentication of mail clients and web based + transactions such as credit card payments. Many ports such as www/apache22, and - mail/claws-mail will offer + mail/claws-mail offer compilation support for building with OpenSSL. - In most cases the Ports Collection will attempt to build + In most cases, the Ports Collection will attempt to build the security/openssl - port unless the WITH_OPENSSL_BASE make - variable is explicitly set to yes. + port unless WITH_OPENSSL_BASE + is explicitly set to yes. The version of OpenSSL included - in &os; supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3), + in &os; supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer Security v1 (TLSv1) network security protocols and can be used as a general cryptographic library. @@ -2168,7 +2169,7 @@ kadmind5_server_enable="YES"MAKE_IDEA variable must be set in - make.conf. + /etc/make.conf. One of the most common uses of 
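Review bot: Stray comma in the @@ -2134,31 +2135,31 @@ hunk: "Many ports such as www/apache22, and mail/claws-mail offer" is a two-item list, so the comma before "and" should go. In the same hunk, "supports Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer Security v1 (TLSv1) network security protocols" lists the versions without saying which one the chapter expects readers to use; since this is the security chapter, a short pointer to the preferred protocol version would help readers configuring the ports named here.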
@@ -2176,15 +2177,14 @@ kadmind5_server_enable="YES"Certificate - Authorities, or CAs, a warning is - usually produced. A Certificate Authority is a company, such + been verified by a Certificate + Authority (CA), a warning is + produced. A CA is a company, such as VeriSign, - which will sign certificates in order to validate credentials + signs certificates in order to validate the credentials of individuals or companies. This process has a cost - associated with it and is definitely not a requirement for - using certificates; however, it can put some of the more - paranoid users at ease. + associated with it and is not a requirement for + using certificates; however, it can put users at ease. Generating Certificates 
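Review bot: The rewritten sentence "A CA is a company, such as VeriSign, signs certificates in order to validate the credentials of individuals or companies" lost its relative pronoun when "which will sign" became "signs" and is now ungrammatical; it needs "A CA is a company, such as VeriSign, that signs certificates ..." or, cleaner, "A CA, such as VeriSign, is a company that signs certificates ...".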
@@ -2226,22 +2226,23 @@ An optional company name []:< Notice the response directly after the Common Name prompt shows a domain name. This prompt requires a server name to be entered for verification - purposes; placing anything but a domain name would yield a - useless certificate. Other options, for instance expire - time, alternate encryption algorithms, etc. are available. - A complete list may be obtained by viewing the - &man.openssl.1; manual page. - - Two files should now exist in the directory in which the - aforementioned command was issued. The certificate request, - req.pem, may be sent to a certificate - authority who will validate the credentials that you - entered, sign the request and return the certificate to you. - The second file created will be named + purposes and placing anything but a domain name yields a + useless certificate. Other options, such as the expire + time and alternate encryption algorithms, are available. + A complete list of options is described in + &man.openssl.1;. + + Two files should now exist in the directory in which this + command was issued. The certificate request, + req.pem, may be sent to a + CA + who will validate the entered credentials, + sign the request, and return the signed certificate. + The second file is named cert.pem and is the private key for the - certificate and should be protected at all costs; if this + certificate and should be protected at all costs. If this falls in the hands of others it can be used to impersonate - you (or your server). + the user or the server. In cases where a signature from a CA is not required, a self signed certificate can be created. 
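Review bot: In the "Two files should now exist" paragraph, the private key is described as "named cert.pem", which readers will naturally take to be the certificate; the name is inherited from the command above, but since this hunk rewrites the paragraph it is the place either to say explicitly that cert.pem is the key file despite its name, or to rename the key file in both the command and this paragraph (with openssl req the key file name is whatever is passed to -keyout). Minor: "self signed certificate" should be hyphenated as "self-signed".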
@@ -2263,30 +2264,31 @@ An optional company name []:< new.crt. These should be placed in a directory, preferably under /etc, which is readable - only by root. Permissions of 0700 should - be fine for this and they can be set with the - chmod utility. + only by root. Permissions of 0700 are + appropriate and can be set using + &man.chmod.1;. - Using Certificates, an Example + Using Certificates - So what can these files do? A good use would be to + One use for a certificate is to encrypt connections to the Sendmail MTA. - This would dissolve the use of clear text authentication for + This prevents the use of clear text authentication for users who send mail via the local MTA. - This is not the best use in the world as some - MUAs will present the user with an - error if they have not installed the certificate locally. + Some + MUAs will display + error if the user has not installed the certificate locally. Refer to the documentation included with the software for more information on certificate installation. - The following lines should be placed inside the local + To configure Sendmail, the + following lines should be placed in the local .mc file: dnl SSL Options 
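Review bot: "This prevents the use of clear text authentication for users who send mail via the local MTA" overstates what the certificate does: encrypting the connection protects the credentials in transit, it does not by itself stop a clear-text authentication mechanism from being offered or used, so "This protects the credentials of users who send mail via the local MTA from being exposed in clear text" (or similar) is the accurate claim. Same hunk: "Some MUAs will display error if the user has not installed the certificate locally" is missing an article ("display an error").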
@@ -2296,24 +2298,24 @@ define(`confSERVER_CERT',`/etc/certs/new define(`confSERVER_KEY',`/etc/certs/myca.key')dnl define(`confTLS_SRV_OPTIONS', `V')dnl - Where /etc/certs/ - is the directory to be used for storing the certificate and - key files locally. The last few requirements are a rebuild - of the local .cf file. This is easily - achieved by typing make - install within the - /etc/mail directory. + In this example, /etc/certs/ + stores the certificate and + key files locally. After saving the edits, rebuild + the local .cf file by typing + make install + within /etc/mail. Follow that up with make restart which should start the Sendmail daemon. - If all went well there will be no error messages in the - /var/log/maillog file and + If all went well, there will be no error messages in + /var/log/maillog and Sendmail will show up in the process list. - For a simple test, simply connect to the mail server - using the &man.telnet.1; utility: + For a simple test, connect to the mail server + using &man.telnet.1;: &prompt.root; telnet example.com 25 Trying 192.0.34.166... @@ -2337,7 +2339,7 @@ Escape character is '^]'. Connection closed by foreign host. If the STARTTLS line appears in the - output then everything is working correctly. + output, everything is working correctly. @@ -2355,15 +2357,12 @@ Connection closed by foreign host. - VPN over IPsec + <acronym>VPN</acronym> over IPsec IPsec - Creating a VPN between two networks, separated by the - Internet, using FreeBSD gateways. - 
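Review bot: "If the STARTTLS line appears in the output, everything is working correctly" (the telnet test hunk) only shows that the server advertises STARTTLS in its EHLO response; it says nothing about whether a TLS handshake actually succeeds with the certificate and key just configured, which is what the section set up. Suggest adding that a complete check is openssl s_client -starttls smtp -connect example.com:25, which performs the handshake and prints the certificate the server presented, so a wrong path in confSERVER_CERT or confSERVER_KEY is caught here rather than in /var/log/maillog later.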
@@ -2380,18 +2379,19 @@ Connection closed by foreign host.Understanding IPsec - This section will guide you through the process of - setting up IPsec. In order to set up IPsec, it is necessary - that you are familiar with the concepts of building a custom + This section demonstrates the process of + setting up IPsec. It assumes + familiarity with the concepts of building a custom kernel (see ). IPsec is a protocol which sits on - top of the Internet Protocol (IP) layer. It allows two or - more hosts to communicate in a secure manner (hence the - name). The FreeBSD IPsec network stack is + top of the Internet Protocol (IP) layer. + It allows two or + more hosts to communicate in a secure manner. + The &os; IPsec network stack is based on the KAME - implementation, which has support for both protocol - families, IPv4 and IPv6. + implementation, which has support for both IPv4 and + IPv6. IPsec @@ -2408,16 +2408,18 @@ Connection closed by foreign host. Encapsulated Security Payload - ESP), protects the IP packet data from - third party interference, by encrypting the contents - using symmetric cryptography algorithms (like Blowfish, - 3DES). + ESP): this protocol + protects the IP packet data from + third party interference by encrypting the contents + using symmetric cryptography algorithms such as Blowfish + and 3DES. - Authentication Header (AH), + Authentication Header + (AH): this protocol protects the IP packet header from third party - interference and spoofing, by computing a cryptographic + interference and spoofing by computing a cryptographic checksum and hashing the IP packet header fields with a secure hashing function. This is then followed by an additional header that contains the hash, to allow the 
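Review bot: The ESP bullet now reads "symmetric cryptography algorithms such as Blowfish and 3DES"; both examples are dated, and since the bullet is being rewritten this is the moment to name AES as the example a reader should expect to use, with 3DES at most as a legacy option. In the AH bullet, "hashing the IP packet header fields with a secure hashing function" followed by "an additional header that contains the hash" undersells what AH carries: the value is a keyed integrity check, not a plain hash, so "keyed hash" or "authentication value" would be more precise.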
@@ -2439,18 +2441,17 @@ Connection closed by foreign host. IPsec can either be used to directly encrypt the traffic - between two hosts (known as Transport - Mode); or to build virtual - tunnels between two subnets, which could be used for - secure communication between two corporate networks (known - as Tunnel Mode). The latter is more + between two hosts using Transport + Mode or to build virtual + tunnels using + Tunnel Mode. The latter mode is more commonly known as a Virtual Private Network - (VPN). The &man.ipsec.4; manual page should be - consulted for detailed information on the IPsec subsystem in - FreeBSD. + (VPN). Consult &man.ipsec.4; + for detailed information on the IPsec subsystem in + &os;. - To add IPsec support to your kernel, add the following - options to your kernel configuration file: + To add IPsec support to the kernel, add the following + options to the custom kernel configuration file: kernel options 
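Review bot: Dropping "between two subnets" from the Tunnel Mode sentence leaves "to build virtual tunnels using Tunnel Mode" without saying what the tunnels connect, and the contrast with Transport Mode ("between two hosts") is lost; keep "virtual tunnels between two subnets" so the two modes are still distinguished by their endpoints.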
@@ -2474,40 +2475,30 @@ options IPSEC_DEBUG #debug for IP sec - The Problem - - There is no standard for what constitutes a VPN. VPNs - can be implemented using a number of different technologies, - each of which have their own strengths and weaknesses. This - section presents a scenario, and the strategies used for - implementing a VPN for this scenario. - - - - The Scenario: Two networks, one home based and one - corporate based. Both are connected to the Internet, and - expected, via this <acronym>VPN</acronym> to behave as - one. + <acronym>VPN</acronym> Between a Home and Corporate + Network VPN creating - The premise is as follows: + There is no standard for what constitutes a + VPN. VPNs can be + implemented using a number of different technologies, each + of which has their own strengths and weaknesses. This + section presents the strategies used for implementing a + VPN for the following scenario: - You have at least two sites - - - - Both sites are using IP internally + There are at least two sites where each site is using + IP internally. - Both sites are connected to the Internet, through a - gateway that is running FreeBSD. + Both sites are connected to the Internet through a + gateway that is running &os;. @@ -2517,15 +2508,15 @@ options IPSEC_DEBUG #debug for IP sec The internal addresses of the two networks can be - public or private IP addresses, it does not matter. - They just may not collide; e.g.: may not both use + either public or private IP addresses. However, the + address space must not collide. For example, both + networks cannot use 192.168.1.x. - - - + + Tom 
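Review bot: "each of which has their own strengths and weaknesses" mixes singular and plural; use "each of which has its own". In the new list, "There are at least two sites where each site is using IP internally" is awkward; "There are at least two sites, each using IP internally" says the same thing in fewer words.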
@@ -2536,23 +2527,24 @@ options IPSEC_DEBUG #debug for IP sec Written by - + Configuring IPsec on &os; - To begin, the + To begin, security/ipsec-tools - must be installed from the Ports Collection. This third - party software package provides a number of applications - which will help support the configuration. + must be installed from the Ports Collection. This + software provides a number of applications + which support the configuration. The next requirement is to create two &man.gif.4; pseudo-devices which will be used to tunnel packets and allow both networks to communicate properly. As root, run the following commands, - replacing the internal and - external items with the real - internal and external gateways: + replacing internal and + external with the real IP + addresses of the + internal and external interfaces of the two gateways: &prompt.root; ifconfig gif0 create @@ -2560,18 +2552,19 @@ options IPSEC_DEBUG #debug for IP sec &prompt.root; ifconfig gif0 tunnel external1 external2 - For example, the corporate LAN's - public IP is - 172.16.5.4 having a private - IP of + In this example, the corporate LAN's + external IP address is + 172.16.5.4 and its internal + IP address is 10.246.38.1. The home - LAN's public IP is - 192.168.1.12 with an internal - private IP of + LAN's external IP + address is + 192.168.1.12 and its internal + private IP address is 10.0.0.5. - This may seem confusing, so review the following example - output from the &man.ifconfig.8; command: + If this is confusing, review the following example output + from &man.ifconfig.8;: Gateway 1: 
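Review bot: In the example addresses hunk, both "external" gateway addresses, 172.16.5.4 and 192.168.1.12, are RFC 1918 private addresses, while the scenario says each gateway is connected to the Internet and the internal networks already use 10.x addresses; readers will find that contradictory. Since the paragraph is being rewritten, consider the RFC 5737 documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24) for the external sides, updating the ifconfig output below to match, and use the same wording for both gateways: the corporate side says "internal IP address" while the home side says "internal private IP address".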
@@ -2587,9 +2580,8 @@ tunnel inet 192.168.1.12 --> 172.16.5 inet 10.0.0.5 --> 10.246.38.1 netmask 0xffffff00 inet6 fe80::250:bfff:fe3a:c1f%gif0 prefixlen 64 scopeid 0x4 - Once complete, both private IPs - should be reachable using the &man.ping.8; command like - the following output suggests: + Once complete, both internal IP + addresses should be reachable using &man.ping.8;: priv-net# ping 10.0.0.5 PING 10.0.0.5 (10.0.0.5): 56 data bytes @@ -2629,8 +2621,8 @@ round-trip min/avg/max/stddev = 28.106/9 At this point, internal machines should be reachable from each gateway as well as from machines behind the - gateways. This is easily determined from the following - example: + gateways. Again, use &man.ping.8; to + confirm: corp-net# ping 10.0.0.8 PING 10.0.0.8 (10.0.0.8): 56 data bytes @@ -2655,12 +2647,13 @@ PING 10.246.38.1 (10.246.38.107): 56 dat round-trip min/avg/max/stddev = 21.145/31.721/53.491/12.179 ms Setting up the tunnels is the easy part. Configuring - a secure link is a much more in depth process. The + a secure link is a more in depth process. The following configuration uses pre-shared - (PSK) RSA keys. Aside - from the IP addresses, both - /usr/local/etc/racoon/racoon.conf files - will be identical and look similar to + (PSK) RSA keys. Other than + the IP addresses, the + /usr/local/etc/racoon/racoon.conf on + both gateways + will be identical and look similar to: path pre_shared_key "/usr/local/etc/racoon/psk.txt"; #location of pre-shared key file log debug; #log verbosity setting: set to 'notify' when testing and debugging is complete 
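Review bot: "The following configuration uses pre-shared (PSK) RSA keys" is self-contradictory: a pre-shared key and an RSA key pair are different racoon authentication methods, and the racoon.conf shown right after uses path pre_shared_key "/usr/local/etc/racoon/psk.txt", so the sentence should read "uses pre-shared keys (PSK)" with "RSA" dropped. While touching the line, "a more in depth process" should be "a more in-depth process".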
@@ -2720,19 +2713,18 @@ sainfo (address 10.246.38.0/24 any addr compression_algorithm deflate; } - Explaining every available option, along with those - listed in these examples is beyond the scope of this - document. There is plenty of relevant information in the - racoon configuration manual - page. - - The SPD policies need to be - configured so &os; and racoon is - able to encrypt and decrypt network traffic between + For descriptions of each available option, refer to the + manual + page for racoon.conf. + + The Security Policy Database (SPD) + needs to be configured so that &os; and + racoon are + able to encrypt and decrypt network traffic between the hosts. - This task may be undertaken with a simple shell script - similar to the following which is on the corporate gateway. + This can be achieved with a shell script, + similar to the following, on the corporate gateway. This file will be used during system initialization and should be saved as /usr/local/etc/racoon/setkey.conf. @@ -2767,12 +2759,12 @@ Foreground mode. another console and use &man.tcpdump.1; to view network traffic using the following command. Replace em0 with the network interface card as - required. + required: &prompt.root; tcpdump -i em0 host 172.16.5.4 and dst 192.168.1.12 Data similar to the following should appear on the - console. If not, there is an issue, and debugging the + console. If not, there is an issue and debugging the returned data will be required. 01:47:32.021683 IP corporatenetwork.com > 192.168.1.12.privatenetwork.com: ESP(spi=0x02acbf9f,seq=0xa) 
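Review bot: "This can be achieved with a shell script, similar to the following ... and should be saved as /usr/local/etc/racoon/setkey.conf" is misleading: a file named setkey.conf holds setkey(8) policy directives (the SPD entries the previous paragraph just introduced) and is loaded with setkey -f, it is not a shell script, so call it a "setkey configuration file" so readers do not try to execute it. In the tcpdump hunk, "If not, there is an issue and debugging the returned data will be required" gives no hint what to look at; pointing back at the racoon log verbosity set in racoon.conf above (log debug) would make that sentence actionable.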
@@ -2781,9 +2773,9 @@ Foreground mode. At this point, both networks should be available and seem to be part of the same network. Most likely both - networks are protected by a firewall, as they should be. To + networks are protected by a firewall. To allow traffic to flow between them, rules need to be added - to pass packets back and forth. For the &man.ipfw.8; + to pass packets. For the &man.ipfw.8; firewall, add the following lines to the firewall configuration file: @@ -2819,7 +2811,8 @@ pass out quick on gif0 from any to any - + + 
@@ -2844,65 +2837,63 @@ racoon_enable="yes" OpenSSH is a set of network connectivity tools used to access remote machines securely. - It can be used as a direct replacement for - rlogin, rsh, - rcp, and telnet. Additionally, TCP/IP connections can be tunneled/forwarded - securely through SSH. OpenSSH + securely through SSH connections. + OpenSSH encrypts all traffic to effectively eliminate eavesdropping, connection hijacking, and other network-level attacks. OpenSSH is maintained by the - OpenBSD project, and is based upon SSH v1.2.12 with all the - recent bug fixes and updates. It is compatible with both SSH - protocols 1 and 2. + OpenBSD project and is installed by default in &os;. It is + compatible with both SSH version + 1 and 2 protocols. - Advantages of Using OpenSSH - - Normally, when using &man.telnet.1; or &man.rlogin.1;, - data is sent over the network in a clear, un-encrypted form. - Network sniffers anywhere in between the client and server - can steal your user/password information or data transferred - in your session. OpenSSH offers + Advantages of Using + <application>OpenSSH</application> + + When + data is sent over the network in an unencrypted form, + network sniffers anywhere in between the client and server + can steal user/password information or data transferred + during the session. OpenSSH offers a variety of authentication and encryption methods to prevent this from happening. - Enabling <application>sshd</application> + Enabling &man.sshd.8; OpenSSH enabling - The sshd is an option - presented during a Standard install of - &os;. To see if sshd is enabled, - check the rc.conf file for: + To see if &man.sshd.8; is enabled, + check /etc/rc.conf for this line: sshd_enable="YES" - This will load &man.sshd.8;, the daemon program for - OpenSSH, the next time your + This will start &man.sshd.8;, the daemon program for + OpenSSH, the next time the system initializes. 
Alternatively, it is possible to use &man.service.8; to - start OpenSSH: + start OpenSSH now: &prompt.root; service sshd start - SSH Client + &man.ssh.1; Client OpenSSH client - The &man.ssh.1; utility works similarly to - &man.rlogin.1;. + To use &man.ssh.1; to connect to a system running + &man.sshd.8;, specify the username and host to log + into: &prompt.root; ssh user@example.com Host key not found from the list of known hosts. @@ -2910,22 +2901,19 @@ Are you sure you want to continue connec Host 'example.com' added to the list of known hosts. user@example.com's password: ******* - The login will continue just as it would have if a - session was created using rlogin or - telnet. SSH utilizes a key fingerprint - system for verifying the authenticity of the server when the - client connects. The user is prompted to enter - yes only when connecting for the first - time. Future attempts to login are all verified against the - saved fingerprint key. The SSH client will alert you if the + SSH utilizes a key fingerprint + system to verify the authenticity of the server when the + client connects. The user is prompted to type + yes when connecting for the first + time. Future attempts to login are verified against the + saved fingerprint key and the &man.ssh.1; client will display + an alert if the saved fingerprint differs from the received fingerprint on future login attempts. The fingerprints are saved in - ~/.ssh/known_hosts, or - ~/.ssh/known_hosts2 for SSH v2 - fingerprints. + ~/.ssh/known_hosts. - By default, recent versions of the - OpenSSH servers only accept SSH + By default, recent versions of &man.sshd.8; only accept + SSH v2 connections. The client will use version 2 if possible and will fall back to version 1. The client can also be forced to use one or the other by passing it the 
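Review bot: "The user is prompted to type yes when connecting for the first time" tells the reader to accept the host key without saying what the prompt is for; the sentence before claims the fingerprint "verifies the authenticity of the server", but that only holds if the user compares the displayed fingerprint with one obtained from the server's administrator out of band before typing yes. One sentence to that effect, placed before "Future attempts to login are verified against the saved fingerprint", turns the paragraph from a trust-on-first-use click-through into the check it describes. Same hunk: "will fall back to version 1" is stated neutrally, and "both SSH version 1 and 2 protocols" in the intro hunk should read "versions 1 and 2"; for a security chapter, marking protocol 1 as legacy in both places is worth the extra words.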
@@ -2943,11 +2931,11 @@ user@example.com's password: secure copy - scp + &man.scp.1; - The &man.scp.1; command works similarly to &man.rcp.1;; - it copies a file to or from a remote machine, except in a + Use &man.scp.1; to + copy a file to or from a remote machine in a secure fashion. &prompt.root; scp user@example.com:/COPYRIGHT COPYRIGHT @@ -2961,10 +2949,12 @@ COPYRIGHT 100% |************* here. The arguments passed to &man.scp.1; are similar to - &man.cp.1;, with the file or files in the first argument, + &man.cp.1;, with the file or files to copy in the first + argument, and the destination in the second. Since the file is - fetched over the network, through SSH, one or more of the - file arguments takes on the form + fetched over the network, through an SSH, + connection, one or more of the + file arguments takes the form . @@ -2978,24 +2968,20 @@ COPYRIGHT 100% |************* The system-wide configuration files for both the OpenSSH daemon and client reside - within the /etc/ssh - directory. + in /etc/ssh. ssh_config configures the client settings, while sshd_config configures - the daemon. - - Additionally, the - (/usr/sbin/sshd by default), and - rc.conf - options can provide more levels of configuration. + the daemon. Each file has its own manual page which describes + the available configuration options. - <application>ssh-keygen</application> + &man.ssh-keygen.1; Instead of using passwords, &man.ssh-keygen.1; can - be used to generate DSA or RSA keys to authenticate a + be used to generate DSA or + RSA keys to authenticate a user: &prompt.user; ssh-keygen -t dsa @@ -3014,7 +3000,7 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8 in ~/.ssh/id_dsa or ~/.ssh/id_rsa, whereas the public key is stored in ~/.ssh/id_dsa.pub or - ~/.ssh/id_rsa.pub, respectively for + ~/.ssh/id_rsa.pub, respectively for the DSA and RSA key types. The public key must be placed in the ~/.ssh/authorized_keys file of the 
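Review bot: "fetched over the network, through an SSH, connection, one or more of the file arguments" has a stray comma after "SSH" introduced by the re-wrap; it should read "through an SSH connection, one or more of the file arguments takes the form". In the configuration files hunk, the removed sentence was the only mention that rc.conf settings affect the daemon; the replacement "Each file has its own manual page" covers only ssh_config and sshd_config, so consider keeping a pointer to the sshd_flags setting in rc.conf.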
@@ -3022,43 +3008,42 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8 DSA keys in order for the setup to work. - This will allow connection to the remote machine based - upon SSH keys instead of passwords. + This setup allows connections to the remote machine based + upon SSH keys instead of passwords. If a passphrase is used in &man.ssh-keygen.1;, the user - will be prompted for a password each time in order to use + will be prompted for the passphrase each time in order to use the private key. &man.ssh-agent.1; can alleviate the strain of repeatedly entering long passphrases, and is explored in - the section - below. + . The various options and files can be different according to the OpenSSH - version you have on your system; to avoid problems you - should consult the &man.ssh-keygen.1; manual page. + version. To avoid problems, + consult &man.ssh-keygen.1;. - <application>ssh-agent</application> and <application>ssh-add</application> + &man.ssh-agent.1; and &man.ssh-add.1; - The &man.ssh-agent.1; and &man.ssh-add.1; utilities - provide methods for SSH keys to - be loaded into memory for use, without needing to type the - passphrase each time. - - The &man.ssh-agent.1; utility will handle the - authentication using the private key(s) that are loaded into - it. &man.ssh-agent.1; should be used to launch another + To load SSH + keys into memory for use, without needing to type the + passphrase each time, use &man.ssh-agent.1; and + &man.ssh-add.1;. + + Authentication is handled by &man.ssh-agent.1;, using the + private key(s) that are loaded into + it. Then, &man.ssh-agent.1; should be used to launch another application. At the most basic level, it could spawn a - shell or at a more advanced level, a window manager. + shell or a window manager. - To use &man.ssh-agent.1; in a shell, first it will need - to be spawned with a shell as an argument. 
Secondly, the - identity needs to be added by running &man.ssh-add.1; and + To use &man.ssh-agent.1; in a shell, start it + with a shell as an argument. Next, add the identity + by running &man.ssh-add.1; and providing it the passphrase for the private key. Once these - steps have been completed the user will be able to + steps have been completed, the user will be able to &man.ssh.1; to any host that has the corresponding public key installed. For example: @@ -3068,24 +3053,28 @@ Enter passphrase for /home/user/.ssh/id_ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa) &prompt.user; - To use &man.ssh-agent.1; in X11, a call to - &man.ssh-agent.1; will need to be placed in - ~/.xinitrc. This will provide the - &man.ssh-agent.1; services to all programs launched in X11. + To use &man.ssh-agent.1; in + &xorg;, a call to + &man.ssh-agent.1; needs to be placed in + ~/.xinitrc. This provides the + &man.ssh-agent.1; services to all programs launched in + &xorg;. *** DIFF OUTPUT TRUNCATED AT 1000 LINES *** From owner-svn-doc-projects@FreeBSD.ORG Thu May 2 15:47:18 2013 Return-Path: Delivered-To: svn-doc-projects@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 1E5631CC; Thu, 2 May 2013 15:47:18 +0000 (UTC) (envelope-from dru@FreeBSD.org) Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 0F6E714DC; Thu, 2 May 2013 15:47:18 +0000 (UTC) Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r42FlItg009980; Thu, 2 May 2013 15:47:18 GMT (envelope-from dru@svn.freebsd.org) Received: (from dru@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r42FlIcE009979; Thu, 2 May 2013 15:47:18 GMT (envelope-from dru@svn.freebsd.org) Message-Id: <201305021547.r42FlIcE009979@svn.freebsd.org> 
From: Dru Lavigne Date: Thu, 2 May 2013 15:47:18 +0000 (UTC) To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org Subject: svn commit: r41542 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/eresources X-SVN-Group: doc-projects MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-BeenThere: svn-doc-projects@freebsd.org X-Mailman-Version: 2.1.14 Precedence: list List-Id: SVN commit messages for doc projects trees List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 02 May 2013 15:47:18 -0000 Author: dru Date: Thu May 2 15:47:17 2013 New Revision: 41542 URL: http://svnweb.freebsd.org/changeset/doc/41542 Log: Initial pass, further patches needed. This patch addresses the following: - &os; - you/we, e.g. - fix Project and filesystems - removes deprecated KDE list Approved by: bcr (mentor) Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/eresources/chapter.xml Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/eresources/chapter.xml ============================================================================== --- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/eresources/chapter.xml Thu May 2 14:22:15 2013 (r41541) +++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/eresources/chapter.xml Thu May 2 15:47:17 2013 (r41542) 
@@ -8,18 +8,18 @@ Resources on the Internet - The rapid pace of FreeBSD progress makes print media + The rapid pace of &os; progress makes print media impractical as a means of following the latest developments. Electronic resources are the best, if not often the only, way - to stay informed of the latest advances. Since FreeBSD is a + to stay informed of the latest advances. Since &os; is a volunteer effort, the user community itself also generally serves as a technical support department of sorts, with electronic mail, web forums, and USENET news being the most effective way of reaching that community. - The most important points of contact with the FreeBSD user - community are outlined below. If you are aware of other resources - not mentioned here, please send them to the &a.doc; so that they + The most important points of contact with the &os; user + community are outlined below. Please send other resources + not mentioned here to the &a.doc; so that they may also be included. 
@@ -27,23 +27,23 @@ The mailing lists are the most direct way of addressing questions or opening a technical discussion to a concentrated - FreeBSD audience. There are a wide variety of lists on a number - of different FreeBSD topics. Addressing your questions to the + &os; audience. There are a wide variety of lists on a number + of different &os; topics. Sending questions to the most appropriate mailing list will invariably assure a faster and more accurate response. The charters for the various lists are given at the bottom of this document. Please read the charter before - joining or sending mail to any list. Most of our - list subscribers now receive many hundreds of FreeBSD related - messages every day, and by setting down charters and rules for - proper use we are striving to keep the signal-to-noise ratio + joining or sending mail to any list. Most + list subscribers receive many hundreds of &os; related + messages every day, and the charters and rules for + use are meant to keep the signal-to-noise ratio of the lists high. To do less would see the mailing lists ultimately fail as an effective communications medium for the - project. + Project. - If you wish to test your ability to send to + To test the ability to send email to &os; lists, send a test message to &a.test.name;. Please do not send test messages to any other list. @@ -61,11 +61,11 @@ Archives are kept for all of the mailing lists and can be searched using the FreeBSD World Wide Web + url="&url.base;/search/index.html">&os; World Wide Web server. The keyword searchable archive offers an excellent way of finding answers to frequently asked questions and should be consulted before posting a question. Note that - this also means that messages sent to FreeBSD mailing lists + this also means that messages sent to &os; mailing lists are archived in perpetuity. When protecting privacy is a concern, consider using a disposable secondary email address and posting only public information. 
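Review bot: "many hundreds of &os; related messages" should be hyphenated as "&os;-related", matching the form this same patch uses elsewhere ("Peer support of &os;-related software"); once the entity expands to the product name, the hyphen is what marks it as a compound modifier.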
@@ -89,12 +89,13 @@ &a.advocacy.name; - FreeBSD Evangelism + &os; Evangelism &a.announce.name; - Important events and project milestones (moderated) + Important events and Project milestones +(moderated) @@ -105,7 +106,7 @@ &a.bugbusters.name; Discussions pertaining to the maintenance of - the FreeBSD problem report database and related + the &os; problem report database and related tools @@ -116,13 +117,13 @@ &a.chat.name; - Non-technical items related to the FreeBSD + Non-technical items related to the &os; community &a.chromium.name; - FreeBSD-specific Chromium issues + &os;-specific Chromium issues @@ -134,12 +135,12 @@ &a.isp.name; Issues for Internet Service Providers using - FreeBSD + &os; &a.jobs.name; - FreeBSD employment and consulting + &os; employment and consulting opportunities @@ -161,7 +162,7 @@ &a.test.name; - Where to send your test messages instead of + Where to send test messages instead of to one of the actual lists @@ -169,7 +170,7 @@ Technical lists: The following - lists are for technical discussion. You should read the + lists are for technical discussion. Read the charter for each list carefully before joining or sending mail to one as there are firm guidelines for their use and content. @@ -191,7 +192,7 @@ &a.afs.name; - Porting AFS to FreeBSD + Porting AFS to &os; @@ -202,7 +203,7 @@ &a.amd64.name; - Porting FreeBSD to AMD64 systems (moderated) + Porting &os; to AMD64 systems (moderated) @@ -214,22 +215,22 @@ &a.arm.name; - Porting FreeBSD to &arm; processors + Porting &os; to &arm; processors &a.atm.name; - Using ATM networking with FreeBSD + Using ATM networking with &os; &a.bluetooth.name; - Using &bluetooth; technology in FreeBSD + Using &bluetooth; technology in &os; &a.cluster.name; - Using FreeBSD in a clustered environment + Using &os; in a clustered environment @@ -240,7 +241,7 @@ &a.database.name; Discussing database use and development under - FreeBSD + &os; 
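Review bot: In the &a.announce.name; hunk the continuation line "+(moderated)" is flush left while every other wrapped cell line in this table is indented; re-wrap it to the table's indentation so the XML source stays consistent with the neighbouring entries.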
@@ -250,7 +251,7 @@ &a.doc.name; - Creating FreeBSD related documents + Creating &os; related documents @@ -260,19 +261,19 @@ &a.eclipse.name; - FreeBSD users of Eclipse IDE, tools, rich client + &os; users of Eclipse IDE, tools, rich client applications and ports. &a.embedded.name; - Using FreeBSD in embedded applications + Using &os; in embedded applications &a.eol.name; - Peer support of FreeBSD-related software that - is no longer supported by the FreeBSD project. + Peer support of &os;-related software that + is no longer supported by the &os; Project. @@ -283,7 +284,7 @@ &a.firewire.name; - FreeBSD &firewire; (iLink, IEEE 1394) technical + &os; &firewire; (iLink, IEEE 1394) technical discussion @@ -318,29 +319,29 @@ &a.hardware.name; General discussion of hardware for running - FreeBSD + &os; &a.i18n.name; - FreeBSD Internationalization + &os; Internationalization &a.ia32.name; - FreeBSD on the IA-32 (&intel; x86) + &os; on the IA-32 (&intel; x86) platform &a.ia64.name; - Porting FreeBSD to &intel;'s upcoming IA64 + Porting &os; to &intel;'s upcoming IA64 systems &a.infiniband.name; - Infiniband on FreeBSD + Infiniband on &os; @@ -363,23 +364,17 @@ &a.java.name; &java; developers and people porting &jdk;s to - FreeBSD - - - - &a.kde.name; - Porting KDE and - KDE applications + &os; &a.lfs.name; - Porting LFS to FreeBSD + Porting LFS to &os; &a.mips.name; - Porting FreeBSD to &mips; + Porting &os; to &mips; @@ -389,13 +384,13 @@ &a.mono.name; - Mono and C# applications on FreeBSD + Mono and C# applications on &os; &a.mozilla.name; Porting Mozilla to - FreeBSD + &os; @@ -468,18 +463,18 @@ &a.ppc.name; - Porting FreeBSD to the &powerpc; + Porting &os; to the &powerpc; &a.proliant.name; - Technical discussion of FreeBSD on HP ProLiant + Technical discussion of &os; on HP ProLiant server platforms &a.python.name; - FreeBSD-specific Python issues + &os;-specific Python issues 
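Review bot: "Porting &os; to &intel;'s upcoming IA64 systems" keeps "upcoming", which has been stale for a decade (Itanium shipped in 2001 and the list concerns existing hardware); since the line is being rewritten anyway, drop "upcoming".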
@@ -492,12 +487,12 @@ &a.realtime.name; Development of realtime extensions to - FreeBSD + &os; &a.ruby.name; - FreeBSD-specific Ruby discussions + &os;-specific Ruby discussions @@ -507,12 +502,12 @@ &a.security.name; - Security issues affecting FreeBSD + Security issues affecting &os; &a.small.name; - Using FreeBSD in embedded applications + Using &os; in embedded applications (obsolete; use &a.embedded.name; instead) @@ -523,12 +518,12 @@ &a.sparc.name; - Porting FreeBSD to &sparc; based systems + Porting &os; to &sparc; based systems &a.standards.name; - FreeBSD's conformance to the C99 and the &posix; + &os;'s conformance to the C99 and the &posix; standards @@ -539,23 +534,23 @@ &a.tcltk.name; - FreeBSD-specific Tcl/Tk discussions + &os;-specific Tcl/Tk discussions &a.threads.name; - Threading in FreeBSD + Threading in &os; &a.tilera.name; - Porting FreeBSD to the Tilera family of + Porting &os; to the Tilera family of CPUs &a.tokenring.name; - Support Token Ring in FreeBSD + Support Token Ring in &os; @@ -582,7 +577,7 @@ &a.x11.name; - Maintenance and support of X11 on FreeBSD + Maintenance and support of X11 on &os; @@ -610,7 +605,7 @@ are for more specialized (and demanding) audiences and are probably not of interest to the general public. It is also a good idea to establish a presence in the technical lists - before joining one of these limited lists so that you will + before joining one of these limited lists in order to understand the communications etiquette involved. @@ -636,7 +631,7 @@ &a.wip-status.name; - FreeBSD Work-In-Progress Status + &os; Work-In-Progress Status @@ -650,7 +645,7 @@ Digest lists: All of the above lists are available in a digest format. Once subscribed to a list, - you can change your digest options in your account options + the digest options can be changed in the account options section. SVN lists: The following lists 
@@ -834,38 +829,38 @@ How to Subscribe - To subscribe to a list, click on the list name above or - go to &a.mailman.lists.link; and click on the list that you - are interested in. The list page should contain all of the - necessary subscription instructions. + To subscribe to a list, click the list name at + &a.mailman.lists.link;. + The page that is displayed should contain all of the + necessary subscription instructions for that list. To actually post to a given list, send mail to listname@FreeBSD.org. It will then be redistributed to mailing list members world-wide. - To unsubscribe yourself from a list, click on the URL + To unsubscribe from a list, click on the URL found at the bottom of every email received from the list. It is also possible to send an email to listname-unsubscribe@FreeBSD.org - to unsubscribe yourself. + to unsubscribe. - Again, we would like to request that you keep discussion - in the technical mailing lists on a technical track. If you - are only interested in important announcements then it is - suggested that you join the &a.announce;, which is intended - only for infrequent traffic. + It is important to keep discussion + in the technical mailing lists on a technical track. To + only receive important announcements, instead + join the &a.announce;, which is intended + for infrequent traffic. List Charters - All FreeBSD mailing lists have + All &os; mailing lists have certain basic rules which must be adhered to by anyone using them. Failure to comply with these guidelines will result - in two (2) written warnings from the FreeBSD Postmaster + in two (2) written warnings from the &os; Postmaster postmaster@FreeBSD.org, after which, on a - third offense, the poster will removed from all FreeBSD + third offense, the poster will removed from all &os; mailing lists and filtered from further posting to them. We regret that such rules and measures are necessary at all, but today's Internet is a pretty harsh environment, it would 
@@ -877,8 +872,8 @@ The topic of any posting should adhere to the basic - charter of the list it is posted to, e.g., if the list - is about technical issues then your posting should contain + charter of the list it is posted to. If the list + is about technical issues, the posting should contain technical discussion. Ongoing irrelevant chatter or flaming only detracts from the value of the mailing list for everyone on it and will not be tolerated. For @@ -893,11 +888,11 @@ a great deal of subscriber overlap and except for the most esoteric mixes (say -stable & -scsi), there really is no reason to post to more than one list at - a time. If a message is sent to you in such a way that - multiple mailing lists appear on the Cc - line then the Cc line should also be - trimmed before sending it out again. You are - still responsible for your own cross-postings, no matter + a time. If a message is received with + multiple mailing lists on the Cc + line, trim the Cc line + before replying. The person who replies is + still responsible for cross-posting, no matter who the originator might have been. @@ -915,7 +910,7 @@ - Advertising of non-FreeBSD related products or + Advertising of non-&os; related products or services is strictly prohibited and will result in an immediate ban if it is clear that the offender is advertising by spam. @@ -954,10 +949,10 @@ milestones This is the mailing list for people interested - only in occasional announcements of significant FreeBSD + only in occasional announcements of significant &os; events. This includes announcements about snapshots and other releases. It contains announcements of new - FreeBSD capabilities. It may contain calls for + &os; capabilities. It may contain calls for volunteers etc. This is a low volume, strictly moderated mailing list. 
@@ -970,7 +965,7 @@ Architecture and design discussions - This list is for discussion of the FreeBSD + This list is for discussion of the &os; architecture. Messages will mostly be kept strictly technical in nature. Examples of suitable topics are: @@ -1003,9 +998,9 @@ &a.bluetooth.name; - &bluetooth; in FreeBSD + &bluetooth; in &os; - This is the forum where FreeBSD's &bluetooth; users + This is the forum where &os;'s &bluetooth; users congregate. Design issues, implementation details, patches, bug reports, status reports, feature requests, and all matters related to &bluetooth; are fair @@ -1035,7 +1030,7 @@ Bug reports This is the mailing list for reporting bugs in - FreeBSD. Whenever possible, bugs should be submitted + &os;. Whenever possible, bugs should be submitted using the &man.send-pr.1; command or the WEB interface to it. @@ -1046,7 +1041,7 @@ &a.chat.name; - Non technical items related to the FreeBSD + Non technical items related to the &os; community This list contains the overflow from the other @@ -1066,11 +1061,11 @@ &a.chromium.name; - FreeBSD-specific Chromium + &os;-specific Chromium issues This is a list for the discussion of Chromium - support for FreeBSD. This is a technical list to + support for &os;. This is a technical list to discuss development and installation of Chromium. @@ -1079,11 +1074,11 @@ &a.core.name; - FreeBSD core team + &os; core team This is an internal mailing list for use by the core members. Messages can be sent to it when a serious - FreeBSD-related matter requires arbitration or + &os;-related matter requires arbitration or high-level scrutiny. @@ -1109,10 +1104,10 @@ &a.cvsweb.name; - FreeBSD CVSweb Project + &os; CVSweb Project Technical discussions about use, development and - maintenance of FreeBSD-CVSweb. + maintenance of &os;-CVSweb. 
@@ -1134,12 +1129,12 @@ &a.doc.name; - Documentation project + Documentation Project This mailing list is for the discussion of issues and projects related to the creation of documentation - for FreeBSD. The members of this mailing list are - collectively referred to as The FreeBSD + for &os;. The members of this mailing list are + collectively referred to as The &os; Documentation Project. It is an open list; feel free to join and contribute! @@ -1189,13 +1184,13 @@ &a.embedded.name; - Using FreeBSD in embedded + Using &os; in embedded applications - This list discusses topics related to using FreeBSD + This list discusses topics related to using &os; in embedded systems. This is a technical mailing list for which strictly technical content is expected. For - the purpose of this list we define embedded systems as + the purpose of this list, embedded systems are those computing devices which are not desktops and which usually serve a single purpose as opposed to being general computing environments. Examples include, but @@ -1223,15 +1218,15 @@ &a.eol.name; - Peer support of FreeBSD-related software - that is no longer supported by the FreeBSD - project. + Peer support of &os;-related software + that is no longer supported by the &os; + Project. This list is for those interested in providing or - making use of peer support of FreeBSD-related software - for which the FreeBSD project no longer provides - official support (e.g., in the form of security - advisories and patches). + making use of peer support of &os;-related software + for which the &os; Project no longer provides + official support in the form of security + advisories and patches. 
@@ -1244,7 +1239,7 @@ This is a mailing list for discussion of the design and implementation of a &firewire; (aka IEEE 1394 aka - iLink) subsystem for FreeBSD. Relevant topics + iLink) subsystem for &os;. Relevant topics specifically include the standards, bus devices and their protocols, adapter boards/cards/chips sets, and the architecture and implementation of code for their @@ -1258,7 +1253,7 @@ File systems - Discussions concerning FreeBSD file systems. + Discussions concerning &os; filesystems. This is a technical mailing list for which strictly technical content is expected. @@ -1300,7 +1295,7 @@ Discussions concerning The GNOME Desktop Environment - for FreeBSD systems. This is a technical mailing list + for &os; systems. This is a technical mailing list for which strictly technical content is expected. @@ -1324,7 +1319,7 @@ This is the forum for technical discussions concerning the redesign of the IP firewall code in - FreeBSD. This is a technical mailing list for which + &os;. This is a technical mailing list for which strictly technical content is expected. @@ -1333,10 +1328,10 @@ &a.ia64.name; - Porting FreeBSD to IA64 + Porting &os; to IA64 This is a technical mailing list for individuals - actively working on porting FreeBSD to the IA-64 + actively working on porting &os; to the IA-64 platform from &intel;, to bring up problems or discuss alternative solutions. Individuals interested in following the technical discussion are also @@ -1351,7 +1346,7 @@ ISDN Communications This is the mailing list for people discussing the - development of ISDN support for FreeBSD. + development of ISDN support for &os;. @@ -1363,7 +1358,7 @@ This is the mailing list for people discussing the development of significant &java; applications for - FreeBSD and the porting and maintenance of + &os; and the porting and maintenance of &jdk;s. 
@@ -1375,17 +1370,17 @@ Jobs offered and sought This is a forum for posting employment notices - and resumes specifically related to &os;, e.g., if you - are seeking &os;-related employment or have a job - involving &os; to advertise then this is the right - place. This is not a mailing list + specifically related to &os; and resumes from those + seeking &os;-related employment. This is + not a mailing list for general employment issues since adequate forums for that already exist elsewhere. Note that this list, like other FreeBSD.org mailing lists, - is distributed worldwide. Thus, you need to be clear - about location and the extent to which telecommuting or + is distributed worldwide. Be clear + about the geographic location and the extent to which + telecommuting or assistance with relocation is available. Email should use open formats only — @@ -1404,7 +1399,7 @@ KDE Discussions concerning - KDE on FreeBSD systems. + KDE on &os; systems. This is a technical mailing list for which strictly technical content is expected. @@ -1417,8 +1412,8 @@ Technical discussions This is a forum for technical discussions related - to FreeBSD. This is the primary technical mailing list. - It is for individuals actively working on FreeBSD, to + to &os;. This is the primary technical mailing list. + It is for individuals actively working on &os;, to bring up problems or discuss alternative solutions. Individuals interested in following the technical discussion are also welcome. This is a technical @@ -1431,11 +1426,11 @@ &a.hardware.name; - General discussion of FreeBSD + General discussion of &os; hardware General discussion about the types of hardware - that FreeBSD runs on, various problems and suggestions + that &os; runs on, various problems and suggestions concerning what to buy or avoid. @@ -1447,7 +1442,7 @@ Mirror sites Announcements and discussion for people who run - FreeBSD mirror sites. + &os; mirror sites. 
@@ -1459,7 +1454,7 @@ Providers This mailing list is for discussing topics relevant - to Internet Service Providers (ISPs) using FreeBSD. + to Internet Service Providers (ISPs) using &os;. This is a technical mailing list for which strictly technical content is expected. @@ -1470,7 +1465,7 @@ Mono and C# applications on - FreeBSD + &os; This is a list for discussions related to the Mono development framework on &os;. This is a technical @@ -1503,7 +1498,7 @@ Announcements This is the mailing list for people interested in - changes and issues related to the FreeBSD.org project + changes and issues related to the FreeBSD.org Project infrastructure. This moderated list is strictly for announcements: no replies, @@ -1515,21 +1510,21 @@ &a.performance.name; - Discussions about tuning or speedingup - FreeBSD + Discussions about tuning or speeding up + &os; This mailing list exists to provide a place for hackers, administrators, and/or concerned parties to discuss performance related topics pertaining to - FreeBSD. Acceptable topics includes talking about - FreeBSD installations that are either under high load, + &os;. Acceptable topics includes talking about + &os; installations that are either under high load, are experiencing performance problems, or are pushing - the limits of FreeBSD. Concerned parties that are + the limits of &os;. Concerned parties that are willing to work toward improving the performance of - FreeBSD are highly encouraged to subscribe to this list. + &os; are highly encouraged to subscribe to this list. This is a highly technical list ideally suited for - experienced FreeBSD users, hackers, or administrators - interested in keeping FreeBSD fast, robust, and + experienced &os; users, hackers, or administrators + interested in keeping &os; fast, robust, and scalable. This list is not a question-and-answer list that replaces reading through documentation, but it is a place to make contributions or inquire about unanswered 
@@ -1546,7 +1541,7 @@ filter firewall system Discussion concerning the packet filter (pf) - firewall system in terms of FreeBSD. Technical + firewall system in terms of &os;. Technical discussion and user questions are both welcome. This list is also a place to discuss the ALTQ QoS framework. @@ -1581,8 +1576,8 @@ Porting to Non &intel; platforms - Cross-platform FreeBSD issues, general discussion - and proposals for non &intel; FreeBSD ports. This is + Cross-platform &os; issues, general discussion + and proposals for non &intel; &os; ports. This is a technical mailing list for which strictly technical content is expected. @@ -1595,7 +1590,7 @@ Discussion of ports - Discussions concerning FreeBSD's ports + Discussions concerning &os;'s ports collection (/usr/ports), ports infrastructure, and general ports coordination efforts. This is a technical mailing list for which @@ -1628,7 +1623,7 @@ Discussion of ports bugs - Discussions concerning problem reports for FreeBSD's + Discussions concerning problem reports for &os;'s ports collection (/usr/ports), proposed ports, or modifications to ports. This is a technical mailing @@ -1641,11 +1636,11 @@ &a.proliant.name; - Technical discussion of FreeBSD on HP + Technical discussion of &os; on HP ProLiant server platforms This mailing list is to be used for the technical - discussion of the usage of FreeBSD on HP ProLiant + discussion of the usage of &os; on HP ProLiant servers, including the discussion of ProLiant-specific drivers, management software, configuration tools, and BIOS updates. As such, this is the primary place to 
@@ -1658,13 +1653,13 @@ &a.python.name; - Python on FreeBSD + Python on &os; This is a list for discussions related to improving - Python-support on FreeBSD. This is a technical mailing + Python-support on &os;. This is a technical mailing list. It is for individuals working on porting Python, its 3rd party modules and - Zope stuff to FreeBSD. + Zope stuff to &os;. Individuals interested in following the technical discussion are also welcome. @@ -1677,9 +1672,9 @@ User questions This is the mailing list for questions about - FreeBSD. You should not send how to - questions to the technical lists unless you consider - the question to be pretty technical. + &os;. Do not send how to + questions to the technical lists unless + the question is quite technical. @@ -1687,11 +1682,11 @@ &a.ruby.name; - FreeBSD-specific Ruby + &os;-specific Ruby discussions This is a list for discussions related to the Ruby - support on FreeBSD. This is a technical mailing + support on &os;. This is a technical mailing list. It is for individuals working on Ruby ports, 3rd party libraries and frameworks. @@ -1707,7 +1702,7 @@ SCSI subsystem This is the mailing list for people working on - the SCSI subsystem for FreeBSD. This is a technical + the SCSI subsystem for &os;. This is a technical mailing list for which strictly technical content is expected. @@ -1719,7 +1714,7 @@ Security issues - FreeBSD computer security issues (DES, Kerberos, + &os; computer security issues (DES, Kerberos, known security holes and fixes, etc). This is a technical mailing list for which strictly technical discussion is expected. Note that this is not a 
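Review bot: hunk @@ -363,23 +364,17 @@ silently drops the &a.kde.name; row ("Porting KDE and KDE applications") from the technical-lists table, while hunk @@ -1404,7 +1399,7 @@ keeps the KDE charter entry ("KDE Discussions concerning KDE on &os; systems") and the commit log only mentions entity, pronoun and wording fixes. Either restore the table row, or say in the log that the list entry is being removed and drop the charter entry in the same commit, so the table and the charters stay in sync.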
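Review bot: in hunk @@ -834,38 +829,38 @@ the line "+ third offense, the poster will removed from all &os;" carries a pre-existing typo ("will removed"); since the line is already being touched for the &os; entity, fix it here as "the poster will be removed from all &os; mailing lists" rather than leaving it for a second pass.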
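Review bot: hunk @@ -1223,15 +1218,15 @@ turns the parenthetical "(e.g., in the form of security advisories and patches)" into the restrictive phrase "official support in the form of security advisories and patches", which narrows the list's charter from an example of unsupported software to a definition of it. If the broader scope is intended, prefer "official support, such as security advisories and patches."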
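Review bot: the rewrite in hunk @@ -650,7 +645,7 @@, "Once subscribed to a list, the digest options can be changed in the account options section", leaves a dangling modifier now that "you" is gone: it is the options, not the reader, that are "subscribed". Suggest "After subscribing to a list, change the digest options in the account options section."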
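Review bot: hunk @@ -1515,21 +1510,21 @@ modifies the line "+ &os;. Acceptable topics includes talking about" but keeps the subject/verb mismatch; since the line is being rewritten anyway, make it "Acceptable topics include".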
@@ -1734,7 +1729,7 @@ Security Notifications - Notifications of FreeBSD security problems and
*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

From owner-svn-doc-projects@FreeBSD.ORG Fri May 3 12:16:08 2013
Return-Path:
Delivered-To: svn-doc-projects@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:1900:2254:206a::19:1]) by hub.freebsd.org (Postfix) with ESMTP id 1DEE29BB; Fri, 3 May 2013 12:16:08 +0000 (UTC) (envelope-from dru@FreeBSD.org)
Received: from svn.freebsd.org (svn.freebsd.org [IPv6:2001:1900:2254:2068::e6a:0]) by mx1.freebsd.org (Postfix) with ESMTP id 0FCF81CEA; Fri, 3 May 2013 12:16:08 +0000 (UTC)
Received: from svn.freebsd.org ([127.0.1.70]) by svn.freebsd.org (8.14.6/8.14.6) with ESMTP id r43CG78S047076; Fri, 3 May 2013 12:16:07 GMT (envelope-from dru@svn.freebsd.org)
Received: (from dru@localhost) by svn.freebsd.org (8.14.6/8.14.5/Submit) id r43CG72x047075; Fri, 3 May 2013 12:16:07 GMT (envelope-from dru@svn.freebsd.org)
Message-Id: <201305031216.r43CG72x047075@svn.freebsd.org>
From: Dru Lavigne
Date: Fri, 3 May 2013 12:16:07 +0000 (UTC)
To: doc-committers@freebsd.org, svn-doc-projects@freebsd.org
Subject: svn commit: r41544 - projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security
X-SVN-Group: doc-projects
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-BeenThere: svn-doc-projects@freebsd.org
X-Mailman-Version: 2.1.14
Precedence: list
List-Id: SVN commit messages for doc projects trees
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 03 May 2013 12:16:08 -0000

Author: dru
Date: Fri May 3 12:16:07 2013
New Revision: 41544
URL: http://svnweb.freebsd.org/changeset/doc/41544

Log:
  White space fix only. Translators can ignore.

  Approved by: bcr (mentor)

Modified:
  projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri May 3 08:43:29 2013 (r41543)
+++ projects/ISBN_1-57176-407-0/en_US.ISO8859-1/books/handbook/security/chapter.xml Fri May 3 12:16:07 2013 (r41544)
@@ -27,10 +27,10 @@ This chapter provides a basic introduction to system security concepts, some general good rules of thumb, and some advanced topics under &os;. Many of the topics covered here - can be applied to system and Internet security in general. - Securing a system is imperative to protect data, - intellectual property, time, and much more from the hands of - hackers and the like. + can be applied to system and Internet security in general. + Securing a system is imperative to protect data, intellectual + property, time, and much more from the hands of hackers and the + like. &os; provides an array of utilities and mechanisms to protect the integrity and security of the system and 
@@ -173,8 +173,8 @@ DoS attack. Many sysadmins still run unencrypted services, meaning that users logging into the system from a remote location are vulnerable to having their - password sniffed. The attentive sysadmin analyzes the - remote access logs looking for suspicious source addresses and + password sniffed. The attentive sysadmin analyzes the remote + access logs looking for suspicious source addresses and suspicious logins. In a well secured and maintained system, access to a user @@ -289,10 +289,9 @@ should be configured. One method is to add appropriate user accounts to wheel in /etc/group. Members of - wheel are allowed to - &man.su.1; to root. Only - those users who actually need to have - root access should be placed in + wheel are allowed to &man.su.1; to + root. Only those users who actually need + to have root access should be placed in wheel. When using Kerberos for authentication, create a .k5login in the home directory of root to allow @@ -333,9 +332,8 @@ as few services as possible and run a password-protected screensaver. Of course, given physical access to any system, an attacker can break any sort of security. Fortunately, - many break-ins occur remotely, over a network, - from people who do not have physical access to the - system. + many break-ins occur remotely, over a network, from people who + do not have physical access to the system. Using Kerberos provides the ability to disable or change the password for a user in one place, and have it immediately 
@@ -358,21 +356,19 @@ &man.sshd.8; - The prudent sysadmin only enables required services - and is aware that third party servers are often the most - bug-prone. Never run a server that has not been checked - out carefully. Think twice before running any service as + The prudent sysadmin only enables required services and is + aware that third party servers are often the most bug-prone. + Never run a server that has not been checked out carefully. + Think twice before running any service as root as many daemons can be run as a separate service account or can be started in a sandbox. Do not activate insecure - services such as &man.telnetd.8; or - &man.rlogind.8;. + services such as &man.telnetd.8; or &man.rlogind.8;. Another potential security hole is SUID-root and SGID - binaries. Most of these binaries, such as - &man.rlogin.1;, reside in /bin, /sbin, /bin, + /sbin, /usr/bin, or /usr/sbin. While nothing is 100% safe, the system-default SUID and SGID binaries can be 
@@ -400,22 +396,21 @@ User accounts are usually the most difficult to secure. Be vigilant in the monitoring of user accounts. Use of - &man.ssh.1; and Kerberos for user accounts - requires extra administration and technical support, but - provides a good solution compared to an encrypted password - file. + &man.ssh.1; and Kerberos for user accounts requires extra + administration and technical support, but provides a good + solution compared to an encrypted password file. Securing the Password File The only sure fire way is to star out as many passwords as - possible and use &man.ssh.1; or Kerberos - for access to those accounts. Even though the encrypted - password file (/etc/spwd.db) can only be - read by root, it may be possible for an - intruder to obtain read access to that file even if the - attacker cannot obtain root-write access. + possible and use &man.ssh.1; or Kerberos for access to those + accounts. Even though the encrypted password file + (/etc/spwd.db) can only be read by + root, it may be possible for an intruder + to obtain read access to that file even if the attacker cannot + obtain root-write access. Security scripts should be used to check for and report changes to the password file as described in the Bumping the security level to 1 or higher may cause a - few - problems to &xorg;, as access to - /dev/io will be blocked, or to the + few problems to &xorg;, as access + to /dev/io will be blocked, or to the installation of &os; built from source as installworld needs to temporarily reset the append-only and immutable flags of some files. 
@@ -495,9 +489,9 @@ If the kernel's security level is raised to 1 or a higher value, it may be useful to set the schg - flag on critical startup binaries, directories, script - files, and everything that gets run up to the point where - the security level is set. A less strict compromise is to run + flag on critical startup binaries, directories, script files, + and everything that gets run up to the point where the + security level is set. A less strict compromise is to run the system at a higher security level but skip setting the schg flag. Another possibility is to mount / and One can only protect the core system configuration and control files so much before the convenience factor rears its - ugly head. For example, using &man.chflags.1; to - set the schg bit on most of the files in - / and schg bit on most of the files in / and /usr is probably counterproductive, because while it may protect the files, it also closes an intrusion detection window. Security measures 
@@ -527,21 +521,19 @@ for modified files is from another, often centralized, limited-access system. Writing security scripts on the extra-security limited-access system makes them mostly - invisible - to potential attackers. In order to take maximum advantage, - the limited-access box needs significant access to the other - machines, usually either through a read-only + invisible to potential attackers. In order to take maximum + advantage, the limited-access box needs significant access to + the other machines, usually either through a read-only NFS export or by setting up - &man.ssh.1; key-pairs. Except for its - network traffic, NFS is the least visible - method, allowing the administrator to monitor the filesystems - on each client box virtually undetected. If a limited-access - server is connected to the client boxes through - a switch, the NFS method is often the - better choice. If a limited-access server is connected to the - client boxes through several layers of routing, the - NFS method may be too insecure and - &man.ssh.1; may be the better + &man.ssh.1; key-pairs. Except for its network traffic, + NFS is the least visible method, allowing + the administrator to monitor the filesystems on each client + box virtually undetected. If a limited-access server is + connected to the client boxes through a switch, the + NFS method is often the better choice. If + a limited-access server is connected to the client boxes + through several layers of routing, the NFS + method may be too insecure and &man.ssh.1; may be the better choice. Once a limited-access box has been given at least read 
@@ -561,14 +553,13 @@ class="directory">/ and /usr. - When using &man.ssh.1; rather than - NFS, writing the security script is more - difficult. For example, &man.scp.1; is needed to - send the scripts to the client box in order to run them. The - &man.ssh.1; client - on the client box may already be compromised. Using - &man.ssh.1; may be necessary when running - over insecure links, but it is harder to deal with. + When using &man.ssh.1; rather than NFS, + writing the security script is more difficult. For example, + &man.scp.1; is needed to send the scripts to the client box in + order to run them. The &man.ssh.1; client on the client box + may already be compromised. Using &man.ssh.1; may be + necessary when running over insecure links, but it is harder + to deal with. A good security script will also check for changes to hidden configuration files, such as @@ -613,8 +604,7 @@ thought. More importantly, a security administrator should mix it up a bit. If recommendations, such as those mentioned in this section, are applied verbatim, those methodologies are - given to - the prospective attacker who also has access to this + given to the prospective attacker who also has access to this document. @@ -657,10 +647,9 @@ &man.inetd.8; carefully and pay specific attention to , , and . Spoofed IP attacks will circumvent - to &man.inetd.8;, so - typically a combination of options must be used. Some - standalone servers have self-fork-limitation - parameters. + to &man.inetd.8;, so typically a + combination of options must be used. Some standalone servers + have self-fork-limitation parameters. Sendmail provides , which tends to work 
@@ -681,13 +670,12 @@ reasonable MaxDaemonChildren to prevent cascade failures. - &man.syslogd.8; can be attacked - directly and it is strongly recommended to use + &man.syslogd.8; can be attacked directly and it is + strongly recommended to use whenever possible, and otherwise. - Be careful with connect-back - services such as + Be careful with connect-back services such as reverse-identd, which can be attacked directly. The reverse-ident feature of TCP Wrappers is not recommended for @@ -701,7 +689,7 @@ exclusive firewall which denies everything by default except for traffic which is explicitly allowed. The range of port numbers used for dynamic binding in &os; is controlled by - several net.inet.ip.portrange + several net.inet.ip.portrange &man.sysctl.8; variables. Another common DoS attack, called a 
@@ -725,26 +713,26 @@ the &man.sysctl.8; variable net.inet.icmp.icmplim to limit these attacks. The last major class of springboard attacks is - related to certain internal &man.inetd.8; - services such as the UDP echo service. An attacker spoofs a - UDP packet with a source address of server A's echo port - and a destination address of server B's echo port, where - server A and B on the same LAN. The two servers bounce this - one packet back and forth between each other. The attacker - can overload both servers and the LAN by injecting a few - packets in this manner. Similar problems exist with the + related to certain internal &man.inetd.8; services such as the + UDP echo service. An attacker spoofs a UDP packet with a + source address of server A's echo port and a destination + address of server B's echo port, where server A and B on the + same LAN. The two servers bounce this one packet back and + forth between each other. The attacker can overload both + servers and the LAN by injecting a few packets in this manner. + Similar problems exist with the chargen port. These inetd-internal test services should remain disabled. - Spoofed packet attacks may be used to overload the - kernel route cache. Refer to the + Spoofed packet attacks may be used to overload the kernel + route cache. Refer to the net.inet.ip.rtexpire, rtminexpire, and - rtmaxcache &man.sysctl.8; - parameters. A spoofed packet attack that uses a random source - IP will cause the kernel to generate a temporary cached route - in the route table, viewable with netstat -rna | - fgrep W3. These routes typically timeout in 1600 + rtmaxcache &man.sysctl.8; parameters. A + spoofed packet attack that uses a random source IP will cause + the kernel to generate a temporary cached route in the route + table, viewable with netstat -rna | fgrep + W3. These routes typically timeout in 1600 seconds or so. 
If the kernel detects that the cached route table has gotten too big, it will dynamically reduce the rtexpire but will never decrease it to less @@ -768,9 +756,9 @@ better, it may be prudent to manually override both rtexpire and rtminexpire via &man.sysctl.8;. Never set either parameter to zero - as this could crash the machine. Setting both - parameters to 2 seconds should be sufficient to protect the - route table from attack. + as this could crash the machine. Setting both parameters to 2 + seconds should be sufficient to protect the route table from + attack. 
@@ -778,36 +766,32 @@ &man.ssh.1; - There are a few issues with both Kerberos and - &man.ssh.1; that need to be addressed if - they are used. Kerberos is an excellent authentication - protocol, but there are bugs in the kerberized versions of - &man.telnet.1; and &man.rlogin.1; that make them - unsuitable for dealing with binary streams. By default, - Kerberos does not encrypt a session unless - is used whereas &man.ssh.1; - encrypts everything. - - While &man.ssh.1; works well, it - forwards encryption keys by default. This introduces a - security risk to a user who uses - &man.ssh.1; to access an insecure - machine from a secure workstation. The keys themselves are - not exposed, but &man.ssh.1; installs a - forwarding port for the duration of the login. If an attacker - has broken root on the insecure machine, - he can utilize that port to gain access to any other machine - that those keys unlock. - - It is recommended that &man.ssh.1; is - used in combination with Kerberos whenever possible for staff - logins and &man.ssh.1; can be compiled with - Kerberos support. This reduces reliance on potentially - exposed SSH keys while protecting - passwords via Kerberos. - Keys should only be used for automated tasks from secure - machines as this is something that Kerberos is unsuited to. - It is recommended to either turn off key-forwarding in the + There are a few issues with both Kerberos and &man.ssh.1; + that need to be addressed if they are used. Kerberos is an + excellent authentication protocol, but there are bugs in the + kerberized versions of &man.telnet.1; and &man.rlogin.1; that + make them unsuitable for dealing with binary streams. By + default, Kerberos does not encrypt a session unless + is used whereas &man.ssh.1; encrypts + everything. + + While &man.ssh.1; works well, it forwards encryption keys + by default. This introduces a security risk to a user who + uses &man.ssh.1; to access an insecure machine from a secure + workstation. 
The keys themselves are not exposed, but + &man.ssh.1; installs a forwarding port for the duration of the + login. If an attacker has broken root on + the insecure machine, he can utilize that port to gain access + to any other machine that those keys unlock. + + It is recommended that &man.ssh.1; is used in combination + with Kerberos whenever possible for staff logins and + &man.ssh.1; can be compiled with Kerberos support. This + reduces reliance on potentially exposed SSH + keys while protecting passwords via Kerberos. Keys should + only be used for automated tasks from secure machines as this + is something that Kerberos is unsuited to. It is recommended + to either turn off key-forwarding in the SSH configuration, or to make use of from=IP/DOMAIN in authorized_keys to make the key only @@ -853,11 +837,11 @@ Originally, the only secure way to encrypt passwords in &unix; was based on the Data Encryption Standard (DES). Since the source code for - DES could not be exported - outside the US, &os; had to find a way to both comply with US - law and retain compatibility with other &unix; variants that - used DES. The solution was MD5 which is - believed to be more secure than DES. + DES could not be exported outside the US, + &os; had to find a way to both comply with US law and retain + compatibility with other &unix; variants that used + DES. The solution was MD5 which is believed + to be more secure than DES. Recognizing the Crypt Mechanism 
@@ -943,30 +927,27 @@ OPIE must be reinitialized. There are a few programs involved in this process. - &man.opiekey.1; accepts an iteration count, a seed, - and a secret password, and generates a one-time password or a - consecutive list of one-time passwords. In addition to - initializing OPIE, - &man.opiepasswd.1; is used to change passwords, - iteration counts, or seeds. It takes either a secret + &man.opiekey.1; accepts an iteration count, a seed, and a secret + password, and generates a one-time password or a consecutive + list of one-time passwords. In addition to initializing + OPIE, &man.opiepasswd.1; is used to change + passwords, iteration counts, or seeds. It takes either a secret passphrase, or an iteration count, seed, and a one-time password. The relevant credential files in /etc/opiekeys are examined by - &man.opieinfo.1; which prints out the invoking user's - current iteration count and seed. + &man.opieinfo.1; which prints out the invoking user's current + iteration count and seed. There are four different sorts of operations. The first is - to use &man.opiepasswd.1; over a secure connection to - set up one-time-passwords for the first time, or to change the - password or seed. The second operation is to use - &man.opiepasswd.1; over an insecure connection, in - conjunction with &man.opiekey.1; over a secure - connection, to do the same. The third is to use - &man.opiekey.1; to log in over an insecure - connection. The fourth is to use &man.opiekey.1; to - generate a number of keys which can be written down or printed - out to carry to insecure locations in order to make a connection - to anywhere. + to use &man.opiepasswd.1; over a secure connection to set up + one-time-passwords for the first time, or to change the password + or seed. The second operation is to use &man.opiepasswd.1; over + an insecure connection, in conjunction with &man.opiekey.1; over + a secure connection, to do the same. 
The third is to use + &man.opiekey.1; to log in over an insecure connection. The + fourth is to use &man.opiekey.1; to generate a number of keys + which can be written down or printed out to carry to insecure + locations in order to make a connection to anywhere. Secure Connection Initialization @@ -1005,11 +986,11 @@ MOS MALL GOAT ARM AVID COED To initialize or change the secret password over an insecure connection, a secure connection is needed to some - place where &man.opiekey.1; can be run. This might - be a shell prompt on a trusted machine. An iteration count - is needed, where 100 is probably a good value, and the seed - can either be specified or the randomly-generated one used. - On the insecure connection, the machine being initialized, use + place where &man.opiekey.1; can be run. This might be a shell + prompt on a trusted machine. An iteration count is needed, + where 100 is probably a good value, and the seed can either be + specified or the randomly-generated one used. On the insecure + connection, the machine being initialized, use &man.opiepasswd.1;: &prompt.user; opiepasswd @@ -1070,10 +1051,10 @@ Password: At this point, generate the one-time password to answer this login prompt. This must be done on a trusted system - where it is safe to run &man.opiekey.1;. There - are versions of this command for &windows;, &macos; and &os;. - This command needs the iteration count and the seed as command - line options. Use cut-and-paste from the login prompt on the + where it is safe to run &man.opiekey.1;. There are versions + of this command for &windows;, &macos; and &os;. This command + needs the iteration count and the seed as command line + options. Use cut-and-paste from the login prompt on the machine being logged in to. On the trusted system: 
@@ -1093,8 +1074,8 @@ GAME GAG WELT OUT DOWN CHAT Sometimes there is no access to a trusted machine or secure connection. In this case, it is possible to use - &man.opiekey.1; to generate a number of one-time - passwords beforehand. For example: + &man.opiekey.1; to generate a number of one-time passwords + beforehand. For example: &prompt.user; opiekey -n 5 30 zz99999 Using the MD5 algorithm to compute response. @@ -1158,12 +1139,12 @@ Enter secret pass phrase: < TCP Wrappers extends the abilities of to provide support for every server daemon under its control. It can be configured - to provide logging support, return messages to - connections, and permit a daemon to only accept internal - connections. While some of these features can be provided - by implementing a firewall, TCP Wrappers adds - an extra layer of protection and goes beyond the amount of - control a firewall can provide. + to provide logging support, return messages to connections, and + permit a daemon to only accept internal connections. While some + of these features can be provided by implementing a firewall, + TCP Wrappers adds an extra layer of + protection and goes beyond the amount of control a firewall can + provide. TCP Wrappers should not be considered a replacement for a properly configured firewall. @@ -1194,9 +1175,8 @@ Enter secret pass phrase: < Basic configuration usually takes the form of daemon : address : action, where - daemon is the daemon which - &man.inetd.8; started, - address is a valid hostname, + daemon is the daemon which &man.inetd.8; + started, address is a valid hostname, IP address, or an IPv6 address enclosed in brackets ([ ]), and action is either allow or deny. 
@@ -1205,17 +1185,16 @@ Enter secret pass phrase: < ascending order for a matching rule. When a match is found, the rule is applied and the search process stops. - For example, to - allow POP3 connections via the - mail/qpopper daemon, - the following lines should be appended to + For example, to allow POP3 connections + via the mail/qpopper + daemon, the following lines should be appended to hosts.allow: # This line is required for POP3 connections: qpopper : ALL : allow - After adding this line, &man.inetd.8; - needs to be restarted: + After adding this line, &man.inetd.8; needs to be + restarted: &prompt.root; service inetd restart @@ -1224,12 +1203,12 @@ qpopper : ALL : allow Advanced Configuration TCP Wrappers provides advanced options - to allow more control over the way connections are - handled. In some cases, it may be appropriate to return a - comment to certain hosts or daemon connections. In other - cases, a log entry should be recorded or an email sent - to the administrator. Other situations may require the use of - a service for local connections only. This is all possible + to allow more control over the way connections are handled. + In some cases, it may be appropriate to return a comment to + certain hosts or daemon connections. In other cases, a log + entry should be recorded or an email sent to the + administrator. Other situations may require the use of a + service for local connections only. This is all possible through the use of configuration options known as wildcards, expansion characters and external command execution. @@ -1241,8 +1220,8 @@ qpopper : ALL : allow should be denied yet a reason should be sent to the individual who attempted to establish that connection. That action is possible with . When a - connection attempt is made, - executes a shell command or script. An example exists in + connection attempt is made, executes + a shell command or script. An example exists in hosts.allow: # The rest of the daemons are protected. 
@@ -1250,15 +1229,14 @@ ALL : ALL \ : severity auth.info \ : twist /bin/echo "You are not welcome to use %d from %h." - In this example, the message - You are not allowed to use daemon - from hostname. will be returned - for any daemon not previously configured in the access file. - This is useful for sending a reply back to the - connection initiator right after the established connection - is dropped. Any message returned must - be wrapped in quote (") - characters. + In this example, the message You are not allowed + to use daemon from + hostname. will be returned for + any daemon not previously configured in the access file. + This is useful for sending a reply back to the connection + initiator right after the established connection is dropped. + Any message returned must be wrapped in + quote (") characters. It may be possible to launch a denial of service @@ -1268,13 +1246,13 @@ ALL : ALL \ Another possibility is to use . - Like , - implicitly denies the - connection and may be used to run external shell commands or - scripts. Unlike , - will not send a reply back to the - individual who established the connection. For example, - consider the following configuration line: + Like , + implicitly denies the connection and may be used to run + external shell commands or scripts. Unlike + , will not send + a reply back to the individual who established the + connection. For example, consider the following + configuration line: # We do not allow connections from example.com: ALL : .example.com \ @@ -1283,9 +1261,9 @@ ALL : .example.com \ : deny This will deny all connection attempts from *.example.com and log - the hostname, IP address, and the - daemon to which access was attempted to + role="fqdn">*.example.com and log the hostname, + IP address, and the daemon to which + access was attempted to /var/log/connections.log. This example uses the substitution characters 
@@ -1298,17 +1276,16 @@ ALL : .example.com \ The ALL option may be used to match every instance of a daemon, domain, or an - IP address. Another wildcard - is PARANOID which may be used to match + IP address. Another wildcard is + PARANOID which may be used to match any host which provides an IP address that may be forged. For example, PARANOID may be used to define an action to be taken whenever a connection is made from an IP address that differs from its hostname. In this example, all connection requests to - &man.sendmail.8; which have an - IP address that varies from its hostname - will be denied: + &man.sendmail.8; which have an IP address + that varies from its hostname will be denied: # Block possibly spoofed requests to sendmail: sendmail : PARANOID : deny 
@@ -1355,23 +1332,22 @@ sendmail : PARANOID : denyKerberos can be described as an identity-verifying proxy system. It can also be described as a - trusted third-party authentication system. After a - user authenticates with Kerberos, - their communications can be encrypted to assure privacy and data + trusted third-party authentication system. After a user + authenticates with Kerberos, their + communications can be encrypted to assure privacy and data integrity. - The only function of - Kerberos is to provide - the secure authentication of users on the network. It - does not provide authorization functions (what users are allowed - to do) or auditing functions (what those users did). It is - recommended that - Kerberos be used with other security - methods which provide authorization and audit services. - - This section provides a guide on how to - set up Kerberos as distributed for - &os;. Refer to the relevant manual pages for more complete + The only function of Kerberos is + to provide the secure authentication of users on the network. + It does not provide authorization functions (what users are + allowed to do) or auditing functions (what those users did). It + is recommended that Kerberos be used + with other security methods which provide authorization and + audit services. + + This section provides a guide on how to set up + Kerberos as distributed for &os;. + Refer to the relevant manual pages for more complete descriptions. For purposes of demonstrating a @@ -1416,8 +1392,8 @@ sendmail : PARANOID : denyKerberos is both the name of a network authentication protocol and an adjective to describe programs that implement it, such as - Kerberos telnet. - The current version of the protocol is version 5, described in + Kerberos telnet. The current + version of the protocol is version 5, described in RFC 1510. Several free implementations of this protocol are 
@@ -1427,24 +1403,22 @@ sendmail : PARANOID : denyKerberos was originally developed, continues to develop their Kerberos package. It is commonly used in the US as - a cryptography product, and has historically been - affected by US export regulations. The + a cryptography product, and has historically been affected by + US export regulations. The MIT Kerberos is available as the security/krb5 package or port. - Heimdal - Kerberos is another version 5 - implementation, and was explicitly developed outside of the + role="package">security/krb5 package or port. + Heimdal Kerberos is another version + 5 implementation, and was explicitly developed outside of the US to avoid export regulations. The Heimdal Kerberos distribution is available as a the security/heimdal package or port, - and a minimal installation is included in the base &os; + and a minimal installation is included in the base &os; install. - These instructions - assume the use of the Heimdal distribution included in - &os;. + These instructions assume the use of the Heimdal + distribution included in &os;. @@ -1464,11 +1438,10 @@ sendmail : PARANOID : denyKerberos realm, and thus has heightened security concerns. - While running the - Kerberos server requires very few - computing resources, a dedicated machine acting only as a - KDC is recommended for security - reasons. + While running the Kerberos + server requires very few computing resources, a dedicated + machine acting only as a KDC is recommended + for security reasons. To begin setting up a KDC, ensure that /etc/rc.conf contains the correct 
@@ -1493,15 +1466,14 @@ kadmind5_server_enable="YES"This /etc/krb5.conf implies that the KDC will use the fully-qualified hostname - kerberos.example.org. - Add a CNAME (alias) entry to the zone file to accomplish this - if the KDC has a different - hostname. + kerberos.example.org. Add a + CNAME (alias) entry to the zone file to accomplish this + if the KDC has a different hostname. For large networks with a properly configured - DNS server, the - above example could be trimmed to: + DNS server, the above example could be + trimmed to: [libdefaults] default_realm = EXAMPLE.ORG 
@@ -1526,33 +1498,28 @@ _kerberos IN TXT EXAMPLE. server. - Next, create the - Kerberos database which - contains the keys of all principals encrypted with a master - password. It is not required to remember this password as it - will be stored in + Next, create the Kerberos + database which contains the keys of all principals encrypted + with a master password. It is not required to remember this + password as it will be stored in /var/heimdal/m-key. To create the - master key, run &man.kstash.8; and enter a - password. + master key, run &man.kstash.8; and enter a password. - Once the master key has been created, initialize - the database using kadmin -l. - This option instructs - &man.kadmin.8; to modify the local database files - directly rather than going through the - &man.kadmind.8; network service. This handles the - chicken-and-egg problem of trying to connect to the database - before it is created. At the &man.kadmin.8; - prompt, use init to create the realm's - initial database. - - Lastly, while still in &man.kadmin.8;, create - the first principal using add. - Stick to the default options for the principal for now, as - these can be changed later with modify. - Type ? at the - &man.kadmin.8; prompt to see the available - options. + Once the master key has been created, initialize the + database using kadmin -l. This option + instructs &man.kadmin.8; to modify the local database files + directly rather than going through the &man.kadmind.8; network + service. This handles the chicken-and-egg problem of trying + to connect to the database before it is created. At the + &man.kadmin.8; prompt, use init to create + the realm's initial database. + + Lastly, while still in &man.kadmin.8;, create the first + principal using add. Stick to the default + options for the principal for now, as these can be changed + later with modify. Type + ? at the &man.kadmin.8; prompt to see the + available options. A sample database creation session is shown below: 
@@ -1570,12 +1537,12 @@ Attributes []: Password: xxxxxxxx Verifying password - Password: xxxxxxxx - Next, start the KDC - services. Run service kerberos start and + Next, start the KDC services. Run + service kerberos start and service kadmind start to bring up the services. While there will not be any kerberized daemons - running at this point, it is possible to confirm that - the KDC is functioning by obtaining and + running at this point, it is possible to confirm that the + KDC is functioning by obtaining and listing a ticket for the principal (user) that was just created from the command-line of the KDC itself: @@ -1611,9 +1578,9 @@ Aug 27 15:37:58 Aug 28 01:37:58 krbtgt media. Next, create /etc/krb5.keytab. - This is the major difference between a server - providing Kerberos enabled - daemons and a workstation: the server must have a + This is the major difference between a server providing + Kerberos enabled daemons and a + workstation: the server must have a keytab. This file contains the server's host key, which allows it and the KDC to verify each others identity. It 
@@ -1622,31 +1589,28 @@ Aug 27 15:37:58 Aug 28 01:37:58 krbtgt public. Typically, the keytab is transferred - to the server using &man.kadmin.8;. - This is handy because the host principal, the - KDC end of the + to the server using &man.kadmin.8;. This is handy because the + host principal, the KDC end of the krb5.keytab, is also created using &man.kadmin.8;. - A ticket must already be obtained and - this ticket must be allowed to use the - &man.kadmin.8; interface in the + A ticket must already be obtained and this ticket must be + allowed to use the &man.kadmin.8; interface in the kadmind.acl. See the section titled Remote administration ininfo heimdal for details on designing access control - lists. Instead of enabling remote &man.kadmin.8; - access, the administrator can - securely connect to the KDC via the - local console or &man.ssh.1;, and - perform administration locally using + lists. Instead of enabling remote &man.kadmin.8; access, the + administrator can securely connect to the + KDC via the local console or &man.ssh.1;, + and perform administration locally using kadmin -l. After installing /etc/krb5.conf, use add --random-key from the Kerberos server. This adds the server's host principal. Then, use ext - to extract the server's host - principal to its own keytab. For example: + to extract the server's host principal to its own keytab. For + example: &prompt.root; kadmin kadmin> add --random-key host/myserver.example.org @@ -1659,8 +1623,8 @@ kadmin> exitNote that ext stores the extracted key in /etc/krb5.keytab by default. - If &man.kadmind.8; is not running on - the KDC and there is no access to + If &man.kadmind.8; is not running on the + KDC and there is no access to &man.kadmin.8; remotely, add the host principal (host/myserver.EXAMPLE.ORG) directly on the KDC and then extract it to a 
@@ -1673,18 +1637,16 @@ kadmin> ext --keytab=/tmp/exa kadmin> exit The keytab can then be securely copied to the server - using &man.scp.1; or a removable media. - Be sure to specify a non-default keytab name to - avoid overwriting the keytab on the + using &man.scp.1; or a removable media. Be sure to specify a + non-default keytab name to avoid overwriting the keytab on the KDC. At this point, the server can communicate with the KDC using krb5.conf and it can prove its - own identity with krb5.keytab. - It is now ready for the - Kerberos services to be enabled. - For this example, the &man.telnetd.8; service + own identity with krb5.keytab. It is now + ready for the Kerberos services to + be enabled. For this example, the &man.telnetd.8; service is enabled in /etc/inetd.conf and &man.inetd.8; has been restarted with service inetd restart: @@ -1692,8 +1654,8 @@ kadmin> exittelnet stream tcp nowait root /usr/libexec/telnetd telnetd -a user The critical change is that the - authentication type is set to user. Refer to - &man.telnetd.8; for more details. + authentication type is set to user. Refer to &man.telnetd.8; + for more details. 
@@ -1710,16 +1672,15 @@ kadmin> exitKDC. - Test the client by attempting to use - &man.kinit.1;, &man.klist.1;, and - &man.kdestroy.1; from the client to obtain, show, - and then delete a ticket for the principal created + Test the client by attempting to use &man.kinit.1;, + &man.klist.1;, and &man.kdestroy.1; from the client to obtain, + show, and then delete a ticket for the principal created above. Kerberos applications - should also be able to connect - to Kerberos enabled servers. - If that does not work but obtaining a ticket does, the - problem is likely with the server and not with the client or - the KDC. + should also be able to connect to + Kerberos enabled servers. If that + does not work but obtaining a ticket does, the problem is + likely with the server and not with the client or the + KDC. When testing a Kerberized application, try using a packet sniffer such as &man.tcpdump.1; to confirm that the password @@ -1727,16 +1688,14 @@ kadmin> exitVarious non-core Kerberos client applications are available. The minimal - installation in &os; installs &man.telnetd.8; as the - only Kerberos enabled - service. + installation in &os; installs &man.telnetd.8; as the only + Kerberos enabled service. The Heimdal port installs - Kerberos enabled - versions of &man.ftpd.8;, &man.rshd.8;, - &man.rcp.1;, &man.rlogind.8;, and a few - other less common programs. The MIT port - also contains a full suite of + Kerberos enabled versions of + &man.ftpd.8;, &man.rshd.8;, &man.rcp.1;, &man.rlogind.8;, and + a few other less common programs. The MIT + port also contains a full suite of Kerberos client applications. 
@@ -1755,29 +1714,28 @@ kadmin> exitUsers within a realm typically have their Kerberos principal mapped to a - local user account. Occasionally, one needs to grant - access to a - local user account to someone who does not have a matching - Kerberos principal. For example, - tillman@EXAMPLE.ORG may need access to - the local user account webdevelopers. - Other principals may also need access to that local - account. *** DIFF OUTPUT TRUNCATED AT 1000 LINES ***
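Review bot: In hunk @@ -725,26 +713,26 @@ the rewrapped sentence still reads "where server A and B on the same LAN", which is missing its verb; since these lines are being touched anyway, make it "where server A and B are on the same LAN". In the same hunk, "These routes typically timeout in 1600 seconds" uses the noun form; the verb is "time out".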
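Review bot: In hunk @@ -778,36 +766,32 @@ the statement that ssh "forwards encryption keys by default" does not match the behaviour described two sentences later ("The keys themselves are not exposed, but ssh installs a forwarding port for the duration of the login"): what is forwarded is the authentication agent connection, not the keys, and in OpenSSH agent forwarding (ForwardAgent in ssh_config(5)) is off by default. Suggest "can forward the authentication agent connection" and checking the "by default" claim against the installed ssh_config(5). Also, "It is recommended that &man.ssh.1; is used in combination with Kerberos" should be "be used", and "he can utilize that port" would read better as "that port can be used".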
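Review bot: In hunk @@ -853,11 +837,11 @@ "the only secure way to encrypt passwords" describes a one-way password hash (crypt), not encryption, so "hash" would be the accurate term throughout this paragraph. The closing claim that MD5 "is believed to be more secure than DES" is left unqualified; if it stays, say what is meant (the MD5-based crypt is not limited to an eight-character password and a 56-bit key the way DES crypt is) rather than appealing to belief.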
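Review bot: In hunk @@ -1250,15 +1229,14 @@ the prose and the example disagree: the configuration line echoes "You are not welcome to use %d from %h." but the explanation says the message "You are not allowed to use daemon from hostname." will be returned. One of the two should be changed so that the reader can match the %d and %h substitutions to the text. The sentence "sending a reply back to the connection initiator right after the established connection is dropped" is also out of order: twist replaces the daemon with the command, so the reply is sent and then the connection is closed.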
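Review bot: In hunk @@ -1298,17 +1276,16 @@ the description of PARANOID ("any host which provides an IP address that may be forged", "an IP address that differs from its hostname") is vague. hosts_access(5) defines it as matching any host whose name does not match its address, i.e. the forward lookup of the reverse-resolved hostname does not return the connecting address; stating it that way tells the reader what is actually checked and why it is a spoofing indicator.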
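Review bot: In hunk @@ -1416,8 +1392,8 @@ the sentence "The current version of the protocol is version 5, described in RFC 1510" is outdated: RFC 1510 was obsoleted by RFC 4120 (The Kerberos Network Authentication Service (V5)). Since the line is being rewrapped, update the reference.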
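Review bot: In hunk @@ -1427,24 +1403,22 @@ the unchanged context line "available as a the security/heimdal package or port" has a stray article ("as a the"); the hunk already rewraps the lines around it, so drop the "a" here. "the base &os; install" on the next line would be consistent with the rest of the chapter as "the base &os; installation".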
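Review bot: In hunk @@ -1526,33 +1498,28 @@ the text says the master password need not be remembered because "it will be stored in /var/heimdal/m-key", but says nothing about protecting that file. Since the master key decrypts every principal's key in the database, the paragraph should add that m-key must be readable only by root and kept off backups that are not themselves encrypted; a reader following the instructions literally has no hint that this file is as sensitive as the database itself.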
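Review bot: In hunk @@ -1611,9 +1578,9 @@ the context line "allows it and the KDC to verify each others identity" needs the possessive: "each other's identity".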
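Review bot: In hunk @@ -1659,8 +1623,8 @@ the host principal is written as host/myserver.EXAMPLE.ORG, while the kadmin example just above it (hunk @@ -1622,31 +1589,28 @@) adds host/myserver.example.org. Kerberos principal names are case-sensitive, so a reader who copies one spelling into add and the other into ext will extract a principal that does not exist; pick one form (the lowercase FQDN is what a host principal normally carries, the realm being the part that is uppercase) and use it in both places.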
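Review bot: In hunk @@ -1673,18 +1637,16 @@ "using &man.scp.1; or a removable media" should be "or removable media" (media is plural). The same paragraph tells the reader to pick a non-default keytab name to avoid overwriting the KDC's keytab, but the preceding example uses --keytab=/tmp/exa…; it would help to say that the copied file must be installed as /etc/krb5.keytab on the target server and that the temporary copy on the KDC should be removed afterwards, since it contains the server's long-term key.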