svn commit: r44322 - head/en_US.ISO8859-1/books/handbook/security

Dru Lavigne dru at FreeBSD.org
Fri Mar 21 19:53:56 UTC 2014


Author: dru
Date: Fri Mar 21 19:53:55 2014
New Revision: 44322
URL: http://svnweb.freebsd.org/changeset/doc/44322

Log:
  Initial prep work for OpenSSH chapter.
  Divide sections into client stuff and server stuff.
  Still needs an editorial review and the last 2 hanging sub-sections
  need to be incorporated.
  
  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri Mar 21 19:42:49 2014	(r44321)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri Mar 21 19:53:55 2014	(r44322)
@@ -2514,42 +2514,15 @@ racoon_enable="yes"</programlisting>
       compatible with both <acronym>SSH</acronym> version 1 and 2
       protocols.</para>
 
-    <sect2>
-      <title>Advantages of Using
-	<application>OpenSSH</application></title>
-
       <para>When data is sent over the network in an unencrypted form,
 	network sniffers anywhere in between the client and server
 	can steal user/password information or data transferred
 	during the session.  <application>OpenSSH</application> offers
 	a variety of authentication and encryption methods to prevent
 	this from happening.</para>
-    </sect2>
 
     <sect2>
-      <title>Enabling the SSH Server</title>
-
-      <indexterm>
-	<primary>OpenSSH</primary>
-	<secondary>enabling</secondary>
-      </indexterm>
-
-      <para>To see if &man.sshd.8; is enabled, check
-	<filename>/etc/rc.conf</filename> for this line:</para>
-
-      <programlisting>sshd_enable="YES"</programlisting>
-
-      <para>This will start &man.sshd.8;, the daemon program for
-	<application>OpenSSH</application>, the next time the system
-	initializes.  Alternatively, it is possible to use
-	&man.service.8; to start <application>OpenSSH</application>
-	now:</para>
-
-      <screen>&prompt.root; <userinput>service sshd start</userinput></screen>
-    </sect2>
-
-    <sect2>
-      <title>The SSH Client</title>
+      <title>Using the SSH Client Utilities</title>
 
       <indexterm>
 	<primary>OpenSSH</primary>
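Review bot: dropping the "Advantages of Using OpenSSH" sect2 leaves its paragraph as untitled sect1 body directly after the intro, which is well-formed, but the "Enabling the SSH Server" block (indexterm, the `sshd_enable="YES"` line and the `service sshd start` screen) is removed here and only survives because it is re-added lower in the same file; keep that in mind if the hunks are split. The renamed sect2, "Using the SSH Client Utilities", now absorbs scp, key generation, ssh-agent and tunneling but has no xml:id, unlike the `security-ssh-keygen` and `security-ssh-tunneling` sections it will contain; give it one in the same security-ssh-* style so the client section can be cross-referenced.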
@@ -2584,10 +2557,6 @@ user at example.com's password: <userinput>
 	1 or version 2, respectively.  The version 1 compatibility is
 	maintained in the client for backwards compatibility with
 	older versions.</para>
-    </sect2>
-
-    <sect2>
-      <title>Secure Copy</title>
 
       <indexterm>
 	<primary>OpenSSH</primary>
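Review bot: removing the `</sect2>`, `<sect2>` and `<title>Secure Copy</title>` lines folds the scp material into the client section with no heading at all, so the following `<indexterm>` is the only marker left and scp disappears from the table of contents. A `<sect3><title>Secure Copy</title>` at this point would match the sect3 used for "Key-based Authentication" and "SSH Tunneling" elsewhere in this change and keep the scp coverage discoverable.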
@@ -2617,28 +2586,9 @@ COPYRIGHT            100% |*************
 	<acronym>SSH</acronym>, connection, one or more of the file
 	arguments takes the form
 	<option>user at host:<path_to_remote_file></option>.</para>
-    </sect2>
-
-    <sect2>
-      <title>Configuration</title>
-
-      <indexterm>
-	<primary>OpenSSH</primary>
-	<secondary>configuration</secondary>
-      </indexterm>
-
-      <para>The system-wide configuration files for both the
-	<application>OpenSSH</application> daemon and client reside
-	in <filename>/etc/ssh</filename>.</para>
-
-      <para><filename>ssh_config</filename> configures the client
-	settings, while <filename>sshd_config</filename> configures
-	the daemon.  Each file has its own manual page which describes
-	the available configuration options.</para>
-    </sect2>
 
-    <sect2 xml:id="security-ssh-keygen">
-      <title>&man.ssh-keygen.1;</title>
+    <sect3 xml:id="security-ssh-keygen">
+      <title>Key-based Authentication</title>
 
       <para>Instead of using passwords, &man.ssh-keygen.1; can be used
 	to generate <acronym>DSA</acronym> or <acronym>RSA</acronym>
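Review bot: `xml:id="security-ssh-keygen"` is carried over to the new sect3, so existing `<xref linkend="security-ssh-keygen"/>` links still resolve, but the title now reads "Key-based Authentication" while the id still says keygen; acceptable for now, though worth a follow-up rename together with its links. The "Configuration" sect2 (system-wide files for daemon and client in `/etc/ssh`) is deleted here and depends on being re-added by the last hunk of this file; nothing else in this hunk stops the sect3 from nesting correctly inside the still-open client sect2.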
@@ -2690,23 +2640,15 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8
 	  that host <acronym>IP</acronym>.</para>
       </warning>
 
-      <para>If a passphrase is used in &man.ssh-keygen.1;, the user
-	will be prompted for the passphrase each time in order to use
-	the private key.  &man.ssh-agent.1; can alleviate the strain
-	of repeatedly entering long passphrases, and is explored in
-	<xref linkend="security-ssh-agent"/>.</para>
-
       <warning>
 	<para>The various options and files can be different according
 	  to the <application>OpenSSH</application> version.  To avoid
 	  problems, consult &man.ssh-keygen.1;.</para>
       </warning>
-    </sect2>
-
-    <sect2 xml:id="security-ssh-agent">
-      <title>Using SSH Agent to Cache Keys</title>
 
-      <para>To load <acronym>SSH</acronym> keys into memory for use,
+      <para>If a passphrase is used in &man.ssh-keygen.1;, the user
+	will be prompted for the passphrase each time in order to use
+	the private key.  To load <acronym>SSH</acronym> keys into memory for use,
 	without needing to type the passphrase each time, use
 	&man.ssh-agent.1; and &man.ssh-add.1;.</para>
 
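Review bot: `<sect2 xml:id="security-ssh-agent">` is deleted and its content merged into the key-based authentication sect3, which removes the `security-ssh-agent` anchor from the chapter. The only `<xref linkend="security-ssh-agent"/>` visible in this diff is also removed in this hunk, but any other file in the doc tree that links to that id will now fail to build, so grep for `security-ssh-agent` before committing, or keep the id on an `<anchor>` at the merged paragraph. The merged line `the private key.  To load <acronym>SSH</acronym> keys into memory for use,` also runs past the wrap width used by the surrounding lines; reflow the paragraph.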
@@ -2745,9 +2687,9 @@ Identity added: /home/user/.ssh/id_dsa (
 	<application>&xorg;</application> has been restarted so that
 	the changes can take effect, run &man.ssh-add.1; to load all
 	of the <acronym>SSH</acronym> keys.</para>
-    </sect2>
+    </sect3>
 
-    <sect2 xml:id="security-ssh-tunneling">
+    <sect3 xml:id="security-ssh-tunneling">
       <title><acronym>SSH</acronym> Tunneling</title>
 
       <indexterm>
@@ -2850,11 +2792,7 @@ Escape character is '^]'.
 	  run as a separate user.</para>
       </example>
 
-      <sect3>
-	<title>Practical <acronym>SSH</acronym> Tunneling
-	  Examples</title>
-
-	<sect4>
+      <example>
 	  <title>Secure Access of a POP3 Server</title>
 
 	  <para>In this example, there is an <acronym>SSH</acronym>
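Review bot: the replacement `<example>` is indented at the sect3 level (six spaces) while its `<title>` keeps the deeper sect4 indentation and the second converted example later in this file keeps the tab indentation of the `<sect4>` it replaces, so the two sibling examples end up at different depths; re-indent them consistently. The "Practical SSH Tunneling Examples" heading is lost in the conversion, and since these two examples follow directly on the `</example>` of the preceding one, a one-sentence lead-in before the first new `<example>` would preserve the grouping the sect3 title used to provide.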
@@ -2873,9 +2811,9 @@ user at ssh-server.example.com's password: 
 	    <systemitem>localhost</systemitem> on port 2110.  This
 	    connection will be forwarded securely across the tunnel to
 	    <systemitem>mail.example.com</systemitem>.</para>
-	</sect4>
+	</example>
 
-	<sect4>
+	<example>
 	  <title>Bypassing a Draconian Firewall</title>
 
 	  <para>Some network administrators impose firewall rules
@@ -2897,12 +2835,30 @@ user at unfirewalled-system.example.org's p
 	    8888, which will be forwarded over to
 	    <systemitem>music.example.com</systemitem> on port 8000,
 	    successfully bypassing the firewall.</para>
-	</sect4>
+	</example>
       </sect3>
     </sect2>
 
     <sect2>
-      <title>The <varname>AllowUsers</varname> Option</title>
+      <title>Enabling the SSH Server</title>
+
+      <indexterm>
+	<primary>OpenSSH</primary>
+	<secondary>enabling</secondary>
+      </indexterm>
+
+      <para>To see if &man.sshd.8; is enabled, check
+	<filename>/etc/rc.conf</filename> for this line:</para>
+
+      <programlisting>sshd_enable="YES"</programlisting>
+
+      <para>This will start &man.sshd.8;, the daemon program for
+	<application>OpenSSH</application>, the next time the system
+	initializes.  Alternatively, it is possible to use
+	&man.service.8; to start <application>OpenSSH</application>
+	now:</para>
+
+      <screen>&prompt.root; <userinput>service sshd start</userinput></screen>
 
       <para>It is often a good idea to limit which users can log in
 	and from where using <literal>AllowUsers</literal>.  For
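Review bot: the sect2 now titled "Enabling the SSH Server" runs straight from the `service sshd start` screen into the old AllowUsers paragraph ("It is often a good idea to limit which users can log in ...") with no transition, and the `<varname>AllowUsers</varname>` heading is gone, so the option is no longer findable from the table of contents; wrap that text in a `<sect3>` with its old title or add a sentence leading from starting the daemon to restricting who may use it. AllowUsers is an `sshd_config` directive, yet the "Configuration" section that says where `sshd_config` lives is moved after this sect2; if the unshown AllowUsers lines do not already name `/etc/ssh/sshd_config`, mention it here or order "Configuration" before this section.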
@@ -2936,6 +2892,24 @@ user at unfirewalled-system.example.org's p
     </sect2>
 
     <sect2>
+      <title>Configuration</title>
+
+      <indexterm>
+	<primary>OpenSSH</primary>
+	<secondary>configuration</secondary>
+      </indexterm>
+
+      <para>The system-wide configuration files for both the
+	<application>OpenSSH</application> daemon and client reside
+	in <filename>/etc/ssh</filename>.</para>
+
+      <para><filename>ssh_config</filename> configures the client
+	settings, while <filename>sshd_config</filename> configures
+	the daemon.  Each file has its own manual page which describes
+	the available configuration options.</para>
+    </sect2>
+
+    <sect2>
       <title>Further Reading</title>
 
       <para>The <link
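Review bot: the re-added "Configuration" sect2 has no xml:id, unlike its neighbours `security-ssh-keygen` and `security-ssh-tunneling`, so nothing can xref it; add one in the same style. Its own text says the files in `/etc/ssh` cover "both the OpenSSH daemon and client", which argues for placing it ahead of the client and server sections rather than last before "Further Reading", or at least for a back-reference from the client and server sections to it.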

