svn commit: r44525 - head/en_US.ISO8859-1/books/handbook/security
Dru Lavigne
dru at FreeBSD.org
Thu Apr 10 20:52:24 UTC 2014
Author: dru
Date: Thu Apr 10 20:52:23 2014
New Revision: 44525
URL: http://svnweb.freebsd.org/changeset/doc/44525
Log:
White space fix only. Translators can ignore.
Sponsored by: iXsystems
Modified:
head/en_US.ISO8859-1/books/handbook/security/chapter.xml
Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Apr 10 20:37:05 2014 (r44524)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml Thu Apr 10 20:52:23 2014 (r44525)
@@ -2437,9 +2437,10 @@ racoon_enable="yes"</programlisting>
</indexterm>
<para><application>OpenSSH</application> is a set of network
- connectivity tools used to provide secure access to remote machines.
- Additionally, <acronym>TCP/IP</acronym> connections can be tunneled or forwarded
- securely through <acronym>SSH</acronym> connections.
+ connectivity tools used to provide secure access to remote
+ machines. Additionally, <acronym>TCP/IP</acronym> connections
+ can be tunneled or forwarded securely through
+ <acronym>SSH</acronym> connections.
<application>OpenSSH</application> encrypts all traffic to
effectively eliminate eavesdropping, connection hijacking, and
other network-level attacks.</para>
@@ -2473,9 +2474,9 @@ racoon_enable="yes"</programlisting>
<secondary>client</secondary>
</indexterm>
- <para>To log into a <acronym>SSH</acronym> server, use
+ <para>To log into a <acronym>SSH</acronym> server, use
<command>ssh</command> and specify a username that exists on
- that server and the <acronym>IP</acronym> address or hostname
+ that server and the <acronym>IP</acronym> address or hostname
of the server. If this is the first time a connection has
been made to the specified server, the user will be prompted
to first verify the server's fingerprint:</para>
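Review bot: Grammar nit carried over unchanged in the reflowed line "To log into a <acronym>SSH</acronym> server": the article should be "an" since the acronym is read as "ess-ess-aitch". Out of scope for a whitespace-only commit, but worth a one-word follow-up.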
@@ -2489,24 +2490,24 @@ Password for user at example.com: <userinpu
<para><acronym>SSH</acronym> utilizes a key fingerprint system
to verify the authenticity of the server when the client
- connects. When the user accepts the key's fingerprint by typing
- <literal>yes</literal> when connecting for the first time, a
- copy of the key is saved to
- <filename>.ssh/known_hosts</filename> in the user's home directory.
- Future attempts to login are verified against the saved
- key and <command>ssh</command> will display an
- alert if the server's key does not match the saved key. If
- this occurs, the user should first verify
- why the key has changed before continuing with the
- connection.</para>
-
- <para>By default, recent versions of <application>OpenSSH</application> only accept
- <acronym>SSH</acronym>v2 connections. By default, the client will use
- version 2 if possible and will fall back to version 1 if the
- server does not support version 2. To
- force <command>ssh</command> to only use the specified protocol, include
- <option>-1</option> or <option>-2</option>. Additional
- options are described in &man.ssh.1;.</para>
+ connects. When the user accepts the key's fingerprint by
+ typing <literal>yes</literal> when connecting for the first
+ time, a copy of the key is saved to
+ <filename>.ssh/known_hosts</filename> in the user's home
+ directory. Future attempts to login are verified against the
+ saved key and <command>ssh</command> will display an alert if
+ the server's key does not match the saved key. If this
+ occurs, the user should first verify why the key has changed
+ before continuing with the connection.</para>
+
+ <para>By default, recent versions of
+ <application>OpenSSH</application> only accept
+ <acronym>SSH</acronym>v2 connections. By default, the client
+ will use version 2 if possible and will fall back to version 1
+ if the server does not support version 2. To force
+ <command>ssh</command> to only use the specified protocol,
+ include <option>-1</option> or <option>-2</option>.
+ Additional options are described in &man.ssh.1;.</para>
<indexterm>
<primary>OpenSSH</primary>
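Review bot: The reflowed second paragraph still states that the client "will fall back to version 1 if the server does not support version 2" with no caution attached. Since every tunneling example later in this same patch already passes <option>-2</option> to force protocol 2, a follow-up edit could say explicitly that <option>-2</option> is the safer choice and that falling back to version 1 should be avoided. Also, "Future attempts to login" should be "log in" (verb), a two-word change for the same follow-up.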
@@ -2516,10 +2517,11 @@ Password for user at example.com: <userinpu
<primary>&man.scp.1;</primary>
</indexterm>
- <para>Use &man.scp.1; to securely copy a file to or from a remote machine.
- This example copies <filename>COPYRIGHT</filename> on the
- remote system to a file of the same name in the current
- directory of the local system:</para>
+ <para>Use &man.scp.1; to securely copy a file to or from a
+ remote machine. This example copies
+ <filename>COPYRIGHT</filename> on the remote system to a file
+ of the same name in the current directory of the local
+ system:</para>
<screen>&prompt.root; <userinput>scp <replaceable>user at example.com:/COPYRIGHT COPYRIGHT</replaceable></userinput>
Password for user at example.com: <userinput><replaceable>*******</replaceable></userinput>
@@ -2531,13 +2533,13 @@ COPYRIGHT 100% |*************
the server's key is automatically checked before prompting for
the user's password.</para>
- <para>The arguments passed to <command>scp</command> are similar to
- <command>cp</command>. The file or files to copy is the first
- argument and the destination to copy to is the second. Since the file
- is fetched over the network, one or more of the file
- arguments takes the form
+ <para>The arguments passed to <command>scp</command> are similar
+ to <command>cp</command>. The file or files to copy is the
+ first argument and the destination to copy to is the second.
+ Since the file is fetched over the network, one or more of the
+ file arguments takes the form
<option>user at host:<path_to_remote_file></option>.</para>
-
+
<para>To open an interactive session for copying files, use
<command>sftp</command>. Refer to &man.sftp.1; for a list of
available commands while in an <command>sftp</command>
@@ -2546,14 +2548,14 @@ COPYRIGHT 100% |*************
<sect3 xml:id="security-ssh-keygen">
<title>Key-based Authentication</title>
- <para>Instead of using passwords, a client can be configured
- to connect to the remote machine
- using keys. To generate <acronym>DSA</acronym> or
- <acronym>RSA</acronym> authentication keys, use
- <command>ssh-keygen</command>. To generate a
- public and private key pair, specify the type of key and
- follow the prompts. It is recommended to protect the keys
- with a memorable, but hard to guess passphrase.</para>
+ <para>Instead of using passwords, a client can be configured
+ to connect to the remote machine using keys. To generate
+ <acronym>DSA</acronym> or <acronym>RSA</acronym>
+ authentication keys, use <command>ssh-keygen</command>. To
+ generate a public and private key pair, specify the type of
+ key and follow the prompts. It is recommended to protect
+ the keys with a memorable, but hard to guess
+ passphrase.</para>
<screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
Generating public/private dsa key pair.
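Review bot: Style point in the reflowed text: "a memorable, but hard to guess passphrase" reads better as "a memorable but hard-to-guess passphrase" (no comma, hyphenated compound modifier). Whitespace-only commit, so fine to defer, but flagging it so it is not lost.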
@@ -2566,12 +2568,12 @@ Your public key has been saved in /home/
The key fingerprint is:
bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user at host.example.com</screen>
- <para>Depending upon the specified protocol, the private key is stored
- in <filename>~/.ssh/id_dsa</filename> (or
+ <para>Depending upon the specified protocol, the private key
+ is stored in <filename>~/.ssh/id_dsa</filename> (or
<filename>~/.ssh/id_rsa</filename>), and the public key
is stored in <filename>~/.ssh/id_dsa.pub</filename> (or
- <filename>~/.ssh/id_rsa.pub</filename>).
- The <emphasis>public</emphasis> key must be first copied to
+ <filename>~/.ssh/id_rsa.pub</filename>). The
+ <emphasis>public</emphasis> key must be first copied to
<filename>~/.ssh/authorized_keys</filename> on the remote
machine in order for key-based authentication to
work.</para>
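Review bot: Wording problem preserved by the reflow: "Depending upon the specified protocol, the private key is stored in <filename>~/.ssh/id_dsa</filename> (or <filename>~/.ssh/id_rsa</filename>)". The filename depends on the key type selected with <command>ssh-keygen -t</command> (shown as <replaceable>dsa</replaceable> in the preceding hunk), not on the SSH protocol version. Suggest "Depending upon the specified key type" in a follow-up content commit.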
@@ -2580,10 +2582,11 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8
<para>Many users believe that keys are secure by design and
will use a key without a passphrase. This is
<emphasis>dangerous</emphasis> behavior. An
- administrator can verify that a key pair is protected by a passphrase
- by viewing the private key manually. If the private key file
- contains the word <literal>ENCRYPTED</literal>, the key
- owner is using a passphrase. In addition, to better secure end users,
+ administrator can verify that a key pair is protected by a
+ passphrase by viewing the private key manually. If the
+ private key file contains the word
+ <literal>ENCRYPTED</literal>, the key owner is using a
+ passphrase. In addition, to better secure end users,
<literal>from</literal> may be placed in the public key
file. For example, adding
<literal>from="192.168.10.5"</literal> in the front of
@@ -2592,29 +2595,29 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8
that <acronym>IP</acronym> address.</para>
</warning>
- <para>The various options and files can be different
- according to the <application>OpenSSH</application>
- version. To avoid problems, consult
- &man.ssh-keygen.1;.</para>
-
- <para>If a passphrase is used, the user
- will be prompted for the passphrase each time a connection
- is made to the server. To load <acronym>SSH</acronym> keys
- into memory, without needing to type the passphrase
- each time, use &man.ssh-agent.1; and &man.ssh-add.1;.</para>
-
- <para>Authentication is handled by <command>ssh-agent</command>, using
- the private key(s) that are loaded into it. Then,
- <command>ssh-agent</command> should be used to launch another
- application such as a
+ <para>The various options and files can be different
+ according to the <application>OpenSSH</application> version.
+ To avoid problems, consult &man.ssh-keygen.1;.</para>
+
+ <para>If a passphrase is used, the user will be prompted for
+ the passphrase each time a connection is made to the server.
+ To load <acronym>SSH</acronym> keys into memory, without
+ needing to type the passphrase each time, use
+ &man.ssh-agent.1; and &man.ssh-add.1;.</para>
+
+ <para>Authentication is handled by
+ <command>ssh-agent</command>, using the private key(s) that
+ are loaded into it. Then, <command>ssh-agent</command>
+ should be used to launch another application such as a
shell or a window manager.</para>
- <para>To use <command>ssh-agent</command> in a shell, start it with a
- shell as an argument. Next, add the identity by running
- <command>ssh-add</command> and providing it the passphrase for the
- private key. Once these steps have been completed, the user
- will be able to <command>ssh</command> to any host that has the
- corresponding public key installed. For example:</para>
+ <para>To use <command>ssh-agent</command> in a shell, start it
+ with a shell as an argument. Next, add the identity by
+ running <command>ssh-add</command> and providing it the
+ passphrase for the private key. Once these steps have been
+ completed, the user will be able to <command>ssh</command>
+ to any host that has the corresponding public key installed.
+ For example:</para>
<screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
&prompt.user; ssh-add
@@ -2625,18 +2628,18 @@ Identity added: /usr/home/user/.ssh/id_d
<para>To use <command>ssh-agent</command> in
<application>&xorg;</application>, add an entry for it in
<filename>~/.xinitrc</filename>. This provides the
- <command>ssh-agent</command> services to all programs launched in
- <application>&xorg;</application>. An example
+ <command>ssh-agent</command> services to all programs
+ launched in <application>&xorg;</application>. An example
<filename>~/.xinitrc</filename> might look like this:</para>
<programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
- <para>This launches <command>ssh-agent</command>, which in turn launches
- <application>XFCE</application>, every time
+ <para>This launches <command>ssh-agent</command>, which in
+ turn launches <application>XFCE</application>, every time
<application>&xorg;</application> starts. Once
<application>&xorg;</application> has been restarted so that
- the changes can take effect, run <command>ssh-add</command> to load all
- of the <acronym>SSH</acronym> keys.</para>
+ the changes can take effect, run <command>ssh-add</command>
+ to load all of the <acronym>SSH</acronym> keys.</para>
</sect3>
<sect3 xml:id="security-ssh-tunneling">
@@ -2651,8 +2654,9 @@ Identity added: /usr/home/user/.ssh/id_d
create a tunnel to encapsulate another protocol in an
encrypted session.</para>
- <para>The following command tells <command>ssh</command> to create a
- tunnel for <application>telnet</application>:</para>
+ <para>The following command tells <command>ssh</command> to
+ create a tunnel for
+ <application>telnet</application>:</para>
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user at foo.example.com</replaceable></userinput>
&prompt.user;</screen>
@@ -2664,8 +2668,8 @@ Identity added: /usr/home/user/.ssh/id_d
<term><option>-2</option></term>
<listitem>
- <para>Forces <command>ssh</command> to use version 2 to connect to
- the server.</para>
+ <para>Forces <command>ssh</command> to use version 2 to
+ connect to the server.</para>
</listitem>
</varlistentry>
@@ -2674,7 +2678,8 @@ Identity added: /usr/home/user/.ssh/id_d
<listitem>
<para>Indicates no command, or tunnel only. If omitted,
- <command>ssh</command> initiates a normal session.</para>
+ <command>ssh</command> initiates a normal
+ session.</para>
</listitem>
</varlistentry>
@@ -2709,21 +2714,21 @@ Identity added: /usr/home/user/.ssh/id_d
<para>An <acronym>SSH</acronym> tunnel works by creating a
listen socket on <systemitem>localhost</systemitem> on the
- specified <literal>localport</literal>. It then forwards any connections received
- on <literal>localport</literal> via the <acronym>SSH</acronym>
- connection to the specified <literal>remotehost:remoteport</literal>.
- In the example, port <literal>5023</literal> on
- the client is forwarded to port
- <literal>23</literal> on
- the remote machine.
- Since port 23 is used by
- <application>telnet</application>, this creates an encrypted <application>telnet</application>
+ specified <literal>localport</literal>. It then forwards
+ any connections received on <literal>localport</literal> via
+ the <acronym>SSH</acronym> connection to the specified
+ <literal>remotehost:remoteport</literal>. In the example,
+ port <literal>5023</literal> on the client is forwarded to
+ port <literal>23</literal> on the remote machine. Since
+ port 23 is used by <application>telnet</application>, this
+ creates an encrypted <application>telnet</application>
session through an <acronym>SSH</acronym> tunnel.</para>
- <para>This method can be used to wrap any number of insecure <acronym>TCP</acronym>
- protocols such as <acronym>SMTP</acronym>,
- <acronym>POP3</acronym>, and <acronym>FTP</acronym>, as seen
- in the following examples.</para>
+ <para>This method can be used to wrap any number of insecure
+ <acronym>TCP</acronym> protocols such as
+ <acronym>SMTP</acronym>, <acronym>POP3</acronym>, and
+ <acronym>FTP</acronym>, as seen in the following
+ examples.</para>
<example>
<title>Create a Secure Tunnel for
@@ -2738,23 +2743,24 @@ Escape character is '^]'.
220 mailserver.example.com ESMTP</screen>
<para>This can be used in conjunction with
- <command>ssh-keygen</command> and additional user accounts to create
- a more seamless <acronym>SSH</acronym> tunneling
+ <command>ssh-keygen</command> and additional user accounts
+ to create a more seamless <acronym>SSH</acronym> tunneling
environment. Keys can be used in place of typing a
password, and the tunnels can be run as a separate
user.</para>
</example>
<example>
- <title>Secure Access of a <acronym>POP3</acronym> Server</title>
+ <title>Secure Access of a <acronym>POP3</acronym>
+ Server</title>
<para>In this example, there is an <acronym>SSH</acronym>
server that accepts connections from the outside. On the
- same network resides a mail server running a <acronym>POP3</acronym> server.
- To check email in a secure manner, create an
- <acronym>SSH</acronym> connection to the
- <acronym>SSH</acronym> server and tunnel through to the
- mail server:</para>
+ same network resides a mail server running a
+ <acronym>POP3</acronym> server. To check email in a
+ secure manner, create an <acronym>SSH</acronym> connection
+ to the <acronym>SSH</acronym> server and tunnel through to
+ the mail server:</para>
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>2110:mail.example.com:110 user at ssh-server.example.com</replaceable></userinput>
user at ssh-server.example.com's password: <userinput>******</userinput></screen>
@@ -2771,10 +2777,11 @@ user at ssh-server.example.com's password:
<para>Some firewalls
filter both incoming and outgoing connections. For
- example, a firewall might limit access from remote machines to
- ports 22 and 80 to only allow <acronym>SSH</acronym> and web surfing.
- This prevents access to any other service which uses a
- port other than 22 or 80.</para>
+ example, a firewall might limit access from remote
+ machines to ports 22 and 80 to only allow
+ <acronym>SSH</acronym> and web surfing. This prevents
+ access to any other service which uses a port other than
+ 22 or 80.</para>
<para>The solution is to create an <acronym>SSH</acronym>
connection to a machine outside of the network's firewall
@@ -2805,16 +2812,15 @@ user at unfirewalled-system.example.org's p
<acronym>SSH</acronym> server, accepting connections from
other <acronym>SSH</acronym> clients.</para>
- <para>To see if <application>sshd</application> is enabled, check
- <filename>/etc/rc.conf</filename> for this line and add it if
- it is missing:</para>
+ <para>To see if <application>sshd</application> is enabled,
+ check <filename>/etc/rc.conf</filename> for this line and add
+ it if it is missing:</para>
<programlisting>sshd_enable="YES"</programlisting>
- <para>This will start <application>sshd</application>, the daemon program for
- <application>OpenSSH</application>, the next time the system
- boots. To start it
- now:</para>
+ <para>This will start <application>sshd</application>, the
+ daemon program for <application>OpenSSH</application>, the
+ next time the system boots. To start it now:</para>
<screen>&prompt.root; <userinput>service sshd start</userinput></screen>
@@ -2830,10 +2836,10 @@ user at unfirewalled-system.example.org's p
and the various configuration files.</para>
<para>It is a good idea to limit which users can log into the
- <acronym>SSH</acronym> server
- and from where using the <literal>AllowUsers</literal> keyword
- in the <application>OpenSSH</application> server configuration file. For
- example, to only allow <systemitem
+ <acronym>SSH</acronym> server and from where using the
+ <literal>AllowUsers</literal> keyword in the
+ <application>OpenSSH</application> server configuration file.
+ For example, to only allow <systemitem
class="username">root</systemitem> to log in from
<systemitem class="ipaddress">192.168.1.32</systemitem>, add
this line to <filename>/etc/ssh/sshd_config</filename>:</para>
@@ -2850,31 +2856,34 @@ user at unfirewalled-system.example.org's p
so:</para>
<programlisting>AllowUsers root at 192.168.1.32 admin</programlisting>
+
<para>After making changes to
- <filename>/etc/ssh/sshd_config</filename>, tell <application>sshd</application>
- to reload its configuration file by running:</para>
+ <filename>/etc/ssh/sshd_config</filename>,
+ tell <application>sshd</application> to reload its
+ configuration file by running:</para>
<screen>&prompt.root; <userinput>service sshd reload</userinput></screen>
<note>
- <para>When this keyword is used, it is important to list each user that needs to log into
- this machine. Any user that is not specified in that line will be locked out. Also, the
+ <para>When this keyword is used, it is important to list each
+ user that needs to log into this machine. Any user that is
+ not specified in that line will be locked out. Also, the
keywords used in the <application>OpenSSH</application>
server configuration file are case-sensitive. If the
- keyword is not spelled correctly, including its case, it will
- be ignored. Always test changes to this file to make sure
- that the edits are working as expected. Refer to
+ keyword is not spelled correctly, including its case, it
+ will be ignored. Always test changes to this file to make
+ sure that the edits are working as expected. Refer to
&man.sshd.config.5; to verify the spelling and use of the
available keywords.</para>
</note>
<tip>
<para>Don't confuse <filename>/etc/ssh/sshd_config</filename>
- with <filename>/etc/ssh/ssh_config</filename> (note the extra
- <literal>d</literal> in the first filename). The first file
- configures the server and the second file configures the
- client. Refer to &man.ssh.config.5; for a listing of the
- available client settings,.</para>
+ with <filename>/etc/ssh/ssh_config</filename> (note the
+ extra <literal>d</literal> in the first filename). The
+ first file configures the server and the second file
+ configures the client. Refer to &man.ssh.config.5; for a
+ listing of the available client settings,.</para>
</tip>
</sect2>
</sect1>
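Review bot: Typo retained in the tip's last line, "available client settings,." (stray comma before the period) appears identically in the removed and added lines, so this whitespace pass does not fix it; a follow-up should drop the comma. The extra blank line added after <programlisting>AllowUsers root at 192.168.1.32 admin</programlisting> is consistent with the spacing used before the other <screen> and <programlisting> blocks in this file.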