svn commit: r44320 - head/en_US.ISO8859-1/books/handbook/security

Dru Lavigne dru at FreeBSD.org
Fri Mar 21 19:07:01 UTC 2014


Author: dru
Date: Fri Mar 21 19:07:00 2014
New Revision: 44320
URL: http://svnweb.freebsd.org/changeset/doc/44320

Log:
  White space fix only. Translators can ignore.
  
  Sponsored by: iXsystems

Modified:
  head/en_US.ISO8859-1/books/handbook/security/chapter.xml

Modified: head/en_US.ISO8859-1/books/handbook/security/chapter.xml
==============================================================================
--- head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri Mar 21 18:39:06 2014	(r44319)
+++ head/en_US.ISO8859-1/books/handbook/security/chapter.xml	Fri Mar 21 19:07:00 2014	(r44320)
@@ -5,7 +5,9 @@
      $FreeBSD$
 -->
 <chapter xmlns="http://docbook.org/ns/docbook" xmlns:xlink="http://www.w3.org/1999/xlink" version="5.0" xml:id="security">
-  <info><title>Security</title>
+  <info>
+    <title>Security</title>
+
     <authorgroup>
       <author>
 	<personname>
@@ -17,8 +19,6 @@
     </authorgroup>
   </info>
 
-  
-
   <indexterm><primary>security</primary></indexterm>
 
   <sect1 xml:id="security-synopsis">
@@ -123,9 +123,9 @@
     <para>The <acronym>CIA</acronym> triad is a bedrock concept of
       computer security, customers and end users expect privacy
       of their data.  They expect orders they place to not be changed
-      or their information altered behind the scenes. They also expect
-      access to information at all times.  Together they make up the
-      confidentiality, integrity, and availability of the
+      or their information altered behind the scenes.  They also
+      expect access to information at all times.  Together they make
+      up the confidentiality, integrity, and availability of the
       system.</para>
 
     <para>To protect <acronym>CIA</acronym>, security professionals
@@ -143,21 +143,22 @@
 
       <para>What is a threat as pertaining to computer security?  For
 	years it was assumed that threats are remote attackers, people
-	whom will attempt to access the system without permission, from
-	a remote location.  In today's world, this definition has been
-	expanded to include employees, malicious software, rogue
+	whom will attempt to access the system without permission,
+	from a remote location.  In today's world, this definition has
+	been expanded to include employees, malicious software, rogue
 	network devices, natural disasters, security vulnerabilities,
 	and even competing corporations.</para>
 
-      <para>Every day thousands of systems and networks are attacked and
-	several hundred are accessed without permission.  Sometimes
-	by simple accident, others by remote attackers, and in some
-	cases, corporate espionage or former employees.  As a system
-	user, it is important to prepare for and admit when a mistake
-	has lead to a security breach and report possible issues to
-	the security team.  As an administrator, it is important to
-	know of the threats and be prepared to mitigate them.</para>
-      </sect2>
+      <para>Every day thousands of systems and networks are attacked
+	and several hundred are accessed without permission.
+	Sometimes by simple accident, others by remote attackers, and
+	in some cases, corporate espionage or former employees.  As a
+	system user, it is important to prepare for and admit when a
+	mistake has lead to a security breach and report possible
+	issues to the security team.  As an administrator, it is
+	important to know of the threats and be prepared to mitigate
+	them.</para>
+    </sect2>
 
     <sect2 xml:id="security-groundup">
       <title>A Ground Up Approach</title>
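Review bot: two grammar errors are carried through the reflowed lines: "people whom will attempt to access" should be "people who will attempt", and "a mistake has lead to a security breach" should be "has led to". Out of scope for a whitespace-only change, but worth queuing for a content fix.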
@@ -169,14 +170,14 @@
 	is in these latter configuration aspects that system policy
 	and procedures should take place.</para>
 
-      <para>Many places of business already have a security policy that
-	covers the configuration technology devices in use.  They
+      <para>Many places of business already have a security policy
+	that covers the configuration technology devices in use.  They
 	should contain, at minimal, the security configuration of end
 	user workstations and desktops, mobile devices such as phones
 	and laptops, and both production and development servers.  In
-	many cases, when applying computer security, standard operating
-	procedures (<acronym>SOP</acronym>s) already exist.  When in
-	doubt, ask the security team.</para>
+	many cases, when applying computer security, standard
+	operating procedures (<acronym>SOP</acronym>s) already exist.
+	When in doubt, ask the security team.</para>
     </sect2>
 
     <sect2 xml:id="security-accounts">
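Review bot: "covers the configuration technology devices in use" is missing a word, presumably "configuration of technology devices", and "at minimal" should be "at minimum". Both pre-date this change and should go in a separate content commit.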
@@ -199,7 +200,7 @@
       <para>This command will change the account from this
 	<quote>toor:*:0:0::0:0:Bourne-again Superuser:/root:</quote>
 	to <quote>toor:*LOCKED**:0:0::0:0:Bourne-again
-	Superuser:/root:</quote></para>
+	  Superuser:/root:</quote></para>
 
       <para>In some cases, this is not possible, perhaps because of
 	an additional service.  In those cases, login access
@@ -209,7 +210,7 @@
       <screen>&prompt.root; <userinput>chsh -s /usr/sbin/nologin toor</userinput></screen>
 
       <note>
-        <para>Only super users are able to change the shell for
+	<para>Only super users are able to change the shell for
 	  other users.  Attempting to perform this as a regular user
 	  will fail.</para>
       </note>
@@ -219,37 +220,37 @@
 
       <programlisting>toor:*:0:0::0:0:Bourne-again Superuser:/root:/usr/sbin/nologin</programlisting>
 
-      <para>The <filename>/usr/sbin/nologin</filename> shell will block
-	the &man.login.1; command from assigning a shell to this
+      <para>The <filename>/usr/sbin/nologin</filename> shell will
+	block the &man.login.1; command from assigning a shell to this
 	user.</para>
-      </sect2>
+    </sect2>
 
     <sect2 xml:id="security-sudo">
       <title>Permitted Account Escalation</title>
 
-      <para>In some cases, system administration access needs to
-	be shared with other users.  &os; has two methods to
-	handle this.  The first one, which is not recommended,
-	is a shared root password and adding users to the
-	<systemitem class="groupname">wheel</systemitem> group.
-	To achieve this, edit the <filename>/etc/group</filename>
-	and add the user to the end of the first group.  This
-	user must be separated by a comma character.</para>
+      <para>In some cases, system administration access needs to be
+	shared with other users.  &os; has two methods to handle this.
+	The first one, which is not recommended, is a shared root
+	password and adding users to the <systemitem
+	  class="groupname">wheel</systemitem> group.  To achieve
+	this, edit the <filename>/etc/group</filename> and add the
+	user to the end of the first group.  This user must be
+	separated by a comma character.</para>
 
       <para>The correct way to permit this privilege escalation is
 	using the <package>security/sudo</package> port which will
-	provide additional auditing, more fine grained user
-	control, and even lock users into running only single,
-	privileged commands such as &man.service.8;</para>
+	provide additional auditing, more fine grained user control,
+	and even lock users into running only single, privileged
+	commands such as &man.service.8;</para>
 
       <para>After installation, edit the
 	<filename>/usr/local/etc/sudoers</filename> file by using
 	the <command>visudo</command> interface.  In this example,
-	a new webadmin group will be added, the user
-	<systemitem class="username">trhodes</systemitem> to that
-	group, and then give the user
-	access to restart <package>apache24</package>, the following
-	procedure may be followed:</para>
+	a new webadmin group will be added, the user <systemitem
+	  class="username">trhodes</systemitem> to that group, and
+	then give the user access to restart
+	<package>apache24</package>, the following procedure may be
+	followed:</para>
 
       <screen>&prompt.root; <userinput>pw groupadd webadmin -M trhodes -g 6000</userinput></screen>
 
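Review bot: the reflowed sentence beginning "In this example, a new webadmin group will be added" is a run-on whose final clause has no subject; something like "In this example, a webadmin group is created, trhodes is added to it, and that user is then permitted to restart apache24:" reads cleanly. The preceding paragraph also ends at "&man.service.8;" with no full stop. Content fixes, so for a follow-up rather than this whitespace commit.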
@@ -268,10 +269,10 @@
     <sect2 xml:id="security-passwords">
       <title>Passwords</title>
 
-      <para>Passwords are a necessary evil of technology.  In the cases
-	they must be used, not only should the password be extremely
-	complex, but also use a powerful hash mechanism to protect it.
-	At the time of this writing, &os; supports
+      <para>Passwords are a necessary evil of technology.  In the
+	cases they must be used, not only should the password be
+	extremely complex, but also use a powerful hash mechanism to
+	protect it.  At the time of this writing, &os; supports
 	<acronym>DES</acronym>, <acronym>MD</acronym>5, Blowfish,
 	<acronym>SHA</acronym>256, and <acronym>SHA</acronym>512 in
 	the <function>crypt()</function> library.  The default is
@@ -288,8 +289,8 @@
 
       <note>
 	<para>At the time of this writing, Blowfish is not part of
-	  <acronym>AES</acronym> nor is it considered compliant
-	  with any <acronym>FIPS</acronym> (Federal Information
+	  <acronym>AES</acronym> nor is it considered compliant with
+	  any <acronym>FIPS</acronym> (Federal Information
 	  Processing Standards) standard and its use may not be
 	  permitted in some environments.</para>
       </note>
@@ -307,7 +308,7 @@
 	their network.</para>
 
       <sect3 xml:id="security-pwpolicy">
-        <title>Password Policy and Enforcement</title>
+	<title>Password Policy and Enforcement</title>
 
 	<para>Enforcing a strong password policy for local accounts
 	  is a fundamental aspect of local system security and policy.
@@ -328,8 +329,8 @@
 
 	<programlisting>password        requisite       pam_passwdqc.so         min=disabled,disabled,disabled,12,10 similar=deny retry=3 enforce=users</programlisting>
 
-	<para>There is already a commented out line for this module and
-	  it may be altered to the version above.  This statement
+	<para>There is already a commented out line for this module
+	  and it may be altered to the version above.  This statement
 	  basically sets several requirements.  First, a minimal
 	  password length is disabled, allowing for a password of any
 	  length.  Using only two character classes are disabled,
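Review bot: the explanation of the min= tuple is misleading and deserves a content follow-up: in pam_passwdqc the five values are minimum lengths for passwords made of one, two, three (passphrase), three and four character classes, so "min=disabled,disabled,disabled,12,10" rejects one-class, two-class and passphrase-style passwords outright; it does not "allow for a password of any length" as the text says. "Using only two character classes are disabled" also needs "is disabled".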
@@ -346,7 +347,7 @@
 	  particular to understand what character classes are.</para>
 
 	<para>After this change is made and the file saved, any user
-          changing their password will see a message similar to the
+	  changing their password will see a message similar to the
 	  following.  This message might also clear up some confusion
 	  about the configuration.</para>
 
@@ -371,13 +372,14 @@ Enter new password:</programlisting>
 	  again</para>
 
 	<para>In most password policies, a password aging requirement
-	  is normally set.  This means that a every password must expire
-	  after so many days after it has been set.  To set a password
-	  age time in &os;, set the <option>passwordtime</option> in
+	  is normally set.  This means that a every password must
+	  expire after so many days after it has been set.  To set a
+	  password age time in &os;, set the
+	  <option>passwordtime</option> in
 	  <filename>/etc/login.conf</filename>.  Most users when added
 	  to the system just fall into the <option>default</option>
-	  default group which is where this variable could be added and
-	  the database rebuilt using:</para>
+	  default group which is where this variable could be added
+	  and the database rebuilt using:</para>
 
 	<screen>&prompt.root; <userinput>cap_mkdb /etc/login.conf</userinput></screen>
 
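Review bot: "a every password must expire" should be "every password must expire", "after so many days after it has been set" reads better as "a set number of days after it has been set", and "the default default group" doubles the word; the second "default" is presumably the login class name and could be dropped or marked up. Pre-existing text, so a follow-up rather than this whitespace change.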
@@ -386,8 +388,9 @@ Enter new password:</programlisting>
 
 	<screen>&prompt.root; <userinput>pw usermod -p 30-apr-2014 -n trhodes</userinput></screen>
 
-	<para>As seen here, an expiration date is set in the form of day,
-	  month, year.  For more information, see &man.pw.8;</para>
+	<para>As seen here, an expiration date is set in the form of
+	  day, month, year.  For more information, see
+	  &man.pw.8;</para>
       </sect3>
     </sect2>
 
@@ -419,8 +422,8 @@ Enter new password:</programlisting>
       <para>After the process complete, which will require some manual
 	pressing of the <keycap>ENTER</keycap> key, a status message
 	will be printed to the screen.  This message will include the
-	amount of files checked, suspect files, possible rootkits,
-	and more.  During the check, some generic security warnings may
+	amount of files checked, suspect files, possible rootkits, and
+	more.  During the check, some generic security warnings may
 	be produced about hidden files, the
 	<application>OpenSSH</application> protocol selection, and
 	occasionally known vulnerable versions of installed software.
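Review bot: "After the process complete" should be "After the process completes", and "amount of files checked" should be "number of files checked". Both pre-date this change; flagging for a content commit.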
@@ -450,24 +453,24 @@ Enter new password:</programlisting>
 	Detection System or <acronym>IDS</acronym>.</para>
 
       <para>&os; provides native support for a basic
-	<acronym>IDS</acronym> system.  In fact, as part of the nightly
-	&man.periodic.8; security emails will notify an administrator
-	of changes.  Since the information is stored locally, there is
-	a change a malicious user could modify and <quote>spoof</quote>
-	the information.  As such, it is recommended to create a
-	separate set of binary signatures and store them on a read
-	only, root owned directory or, preferably, off system such
-	as a <acronym>USB</acronym> disk or
-	<application>rsync</application> server.</para>
+	<acronym>IDS</acronym> system.  In fact, as part of the
+	nightly &man.periodic.8; security emails will notify an
+	administrator of changes.  Since the information is stored
+	locally, there is a change a malicious user could modify and
+	<quote>spoof</quote> the information.  As such, it is
+	recommended to create a separate set of binary signatures and
+	store them on a read only, root owned directory or,
+	preferably, off system such as a <acronym>USB</acronym> disk
+	or <application>rsync</application> server.</para>
 
       <para>To being, a seed needs to be generated.  This is a numeric
 	constant that will be used as to help generate the hash values
-	and to check the hash values.  Lacking this seed value will make
-	faking or checking the checksum values of files difficult it not
-	impossible.  In the following example, the key will be passed
-	with the <option>-s</option> flag.  First, generate a set of
-	hashes and checksums for <filename>/bin</filename> using the
-	following command:</para>
+	and to check the hash values.  Lacking this seed value will
+	make faking or checking the checksum values of files difficult
+	it not impossible.  In the following example, the key will be
+	passed with the <option>-s</option> flag.  First, generate a
+	set of hashes and checksums for <filename>/bin</filename>
+	using the following command:</para>
 
       <screen>&prompt.root; <userinput>mtree -s 3483151339707503 -c -K cksum,sha256digest -p /bin > bin_chksum_mtree</userinput></screen>
 
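Review bot: three typos sit in the reflowed lines: "there is a change a malicious user" should be "chance", "To being, a seed" should be "To begin", and "difficult it not impossible" should be "if not". Separately, the paragraph overstates what -s does: the seed keys only the single aggregate checksum mtree prints, while the per-file cksum and sha256digest values written to bin_chksum_mtree are unkeyed and can be recomputed by anyone who can edit that file, which is why the earlier advice to keep the spec read-only or off-system is the real protection. A reader copying the example verbatim will also reuse the literal seed 3483151339707503; a sentence telling them to choose their own would help. All content fixes for a follow-up.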
@@ -513,20 +516,24 @@ Enter new password:</programlisting>
 
       <para>This should produce the same checksum for
 	<filename>/bin</filename> that was produced when the command
-	was originally ran.  Since no changes occurred in the time these
-	commands were ran, the <filename>bin_chksum_output</filename>
-	output will be empty.  To simulate a change, change the date
-	on the <filename>/bin/cat</filename> file using
-	&man.touch.1; and run the verification command again:</para>
+	was originally ran.  Since no changes occurred in the time
+	these commands were ran, the
+	<filename>bin_chksum_output</filename> output will be empty.
+	To simulate a change, change the date on the
+	<filename>/bin/cat</filename> file using &man.touch.1; and run
+	the verification command again:</para>
 
       <screen>&prompt.root; <userinput>touch /bin/cat</userinput></screen>
+
       <screen>&prompt.root; <userinput>mtree -s 3483151339707503 -p /bin < bin_chksum_mtree >> bin_chksum_output</userinput></screen>
+
       <screen>&prompt.root; <userinput>cat bin_chksum_output</userinput></screen>
+
       <programlisting>cat changed
 	modification time expected Fri Sep 27 06:32:55 2013 found Mon Feb  3 10:28:43 2014</programlisting>
 
-      <para>More advanced <acronym>IDS</acronym> systems exist, such as
-	<package>security/aide</package> but in most cases,
+      <para>More advanced <acronym>IDS</acronym> systems exist, such
+	as <package>security/aide</package> but in most cases,
 	&man.mtree.8; provides the functionality administrators need.
 	It is important to keep the seed value and the checksum output
 	hidden from malicious users.</para>
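Review bot: "was originally ran" and "these commands were ran" should both be "run". The example output also shows only a modification-time change because touch alters the timestamp and not the contents; saying so would pre-empt readers expecting the sha256digest to differ as well. Follow-up material, not for this whitespace commit.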
@@ -541,9 +548,9 @@ Enter new password:</programlisting>
 	(<acronym>DOS</acronym>) style attacks.  Some of the more
 	important will be covered here.  Any time a setting is changed
 	with &man.sysctl.8;, the chance to cause undesired harm is
-	increased affecting the availability of the system.  Considering
-	the <acronym>CIA</acronym> of the system should be done during
-	any system-wide configuration change.</para>
+	increased affecting the availability of the system.
+	Considering the <acronym>CIA</acronym> of the system should be
+	done during any system-wide configuration change.</para>
 
       <para>The following is a list of &man.sysctl.8;'s and a short
 	description of what effects the changes will have on the
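Review bot: the acronym for denial of service is conventionally "DoS", not "DOS", which readers will confuse with the operating system; "<acronym>DoS</acronym>" would be clearer. "increased affecting the availability" also wants a comma after "increased". Pre-existing; queue for a content fix.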
@@ -574,11 +581,11 @@ Enter new password:</programlisting>
 	ports will be dropped with no return <acronym>RST</acronym>
 	response.  The normal behavior is to return an
 	<acronym>RST</acronym> to show a port is closed.  These will
-	provide some level of protection against <quote>stealth</quote>
-	scans against a system.  Set the net.inet.tcp.blackhole to
-	<quote>2</quote> and the net.inet.udp.blackhole to
-	<quote>1</quote> and review the information in &man.blackhole.4;
-	for more information.</para>
+	provide some level of protection against
+	<quote>stealth</quote> scans against a system.  Set the
+	net.inet.tcp.blackhole to <quote>2</quote> and the
+	net.inet.udp.blackhole to <quote>1</quote> and review the
+	information in &man.blackhole.4; for more information.</para>
 
       <para>Additionally the net.inet.icmp.drop_redirect and
 	net.inet.ip.redirect should be set as well.  These two
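Review bot: net.inet.tcp.blackhole and net.inet.udp.blackhole appear as bare text while RST gets acronym markup; the handbook convention is <varname> for sysctl MIBs, and the same applies to net.inet.icmp.drop_redirect and net.inet.ip.redirect in the next paragraph. "These will provide some level of protection against stealth scans" also overstates the effect; blackhole(4) slows a scanner down and is not a firewall substitute, and wording to that effect would be more accurate. Both are content changes for a follow-up.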
@@ -607,7 +614,7 @@ Enter new password:</programlisting>
       <para>Some additional &man.sysctl.8;s are documented in
 	&man.security.7; and it is recommended it be consulted for
 	additional information.</para>
-    </sect2> 
+    </sect2>
   </sect1>
 
   <sect1 xml:id="one-time-passwords">
@@ -630,28 +637,25 @@ Enter new password:</programlisting>
       implementation uses the <acronym>MD5</acronym> hash by
       default.</para>
 
-    <para><acronym>OPIE</acronym> uses three different types of passwords.  The first is
-      the usual &unix; or Kerberos password.  The second is the
-      one-time password which is generated by <command>opiekey</command>.
-      The third
-      type of password is the <quote>secret password</quote> which is used
-      to generate
+    <para><acronym>OPIE</acronym> uses three different types of
+      passwords.  The first is the usual &unix; or Kerberos password.
+      The second is the one-time password which is generated by
+      <command>opiekey</command>.  The third type of password is the
+      <quote>secret password</quote> which is used to generate
       one-time passwords.  The secret password has nothing to do with,
-      and should be different from, the &unix;
-      password.</para>
+      and should be different from, the &unix; password.</para>
 
-    <para>There are two other pieces of data
-      that are important to <acronym>OPIE</acronym>.  One is the
-      <quote>seed</quote> or <quote>key</quote>, consisting of two
-      letters and five digits.  The other is the <quote>iteration
-	count</quote>, a number between 1 and 100.
-      <acronym>OPIE</acronym> creates the one-time password by
-      concatenating the seed and the secret password, applying the <acronym>MD5</acronym>
-      hash as many times as specified by the iteration count, and
-      turning the result into six short English words which represent
-      the one-time password.  The authentication
-      system keeps track of the last one-time password
-      used, and the user is authenticated if the hash of the
+    <para>There are two other pieces of data that are important to
+      <acronym>OPIE</acronym>.  One is the <quote>seed</quote> or
+      <quote>key</quote>, consisting of two letters and five digits.
+      The other is the <quote>iteration count</quote>, a number
+      between 1 and 100.  <acronym>OPIE</acronym> creates the one-time
+      password by concatenating the seed and the secret password,
+      applying the <acronym>MD5</acronym> hash as many times as
+      specified by the iteration count, and turning the result into
+      six short English words which represent the one-time password.
+      The authentication system keeps track of the last one-time
+      password used, and the user is authenticated if the hash of the
       user-provided password is equal to the previous password.
       Because a one-way hash is used, it is impossible to generate
       future one-time passwords if a successfully used password is
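Review bot: "a number between 1 and 100" for the iteration count conflicts with the default iteration count of 499 that the later paragraph in this same diff describes on the ID line; one of the two statements should be corrected in a content commit. The whitespace changes here look fine.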
@@ -660,26 +664,23 @@ Enter new password:</programlisting>
       When the iteration count gets down to <literal>1</literal>,
       <acronym>OPIE</acronym> must be reinitialized.</para>
 
-    <para>There are a few programs involved in this process.
-      A one-time password, or a consecutive
-      list of one-time passwords, is generated by passing an iteration
-      count, a seed, and a secret
+    <para>There are a few programs involved in this process.  A
+      one-time password, or a consecutive list of one-time passwords,
+      is generated by passing an iteration count, a seed, and a secret
       password to &man.opiekey.1;.  In addition to initializing
       <acronym>OPIE</acronym>, &man.opiepasswd.1; is used to change
-      passwords, iteration counts, or seeds.  The relevant credential files in
-      <filename>/etc/opiekeys</filename> are examined by
+      passwords, iteration counts, or seeds.  The relevant credential
+      files in <filename>/etc/opiekeys</filename> are examined by
       &man.opieinfo.1; which prints out the invoking user's current
       iteration count and seed.</para>
 
-    <para>This section describes four different sorts of operations.  The first is
-      how to set up
-      one-time-passwords for the first time
-      over a secure connection.  The second is how to use <command>opiepasswd</command> over
-      an insecure connection.  The third is how to
-      log in over an insecure connection.  The
-      fourth is how to generate a number of keys
-      which can be written down or printed out to use at insecure
-      locations.</para>
+    <para>This section describes four different sorts of operations.
+      The first is how to set up one-time-passwords for the first time
+      over a secure connection.  The second is how to use
+      <command>opiepasswd</command> over an insecure connection.  The
+      third is how to log in over an insecure connection.  The fourth
+      is how to generate a number of keys which can be written down or
+      printed out to use at insecure locations.</para>
 
     <sect2>
       <title>Initializing <acronym>OPIE</acronym></title>
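Review bot: "The relevant credential files in /etc/opiekeys" describes a single file; "The credential records in /etc/opiekeys" would be accurate. Pre-existing wording, so for a follow-up.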
@@ -706,36 +707,34 @@ MOS MALL GOAT ARM AVID COED</screen>
 	<acronym>SSH</acronym> session to a computer under the user's
 	control.</para>
 
-      <para>When prompted, enter the secret
-	password which will be
+      <para>When prompted, enter the secret password which will be
 	used to generate the one-time login keys.  This password
 	should be difficult to guess and should be different than the
-	password which is associated with the user's login
-	account.  It must be between 10 and 127 characters long.
-	Remember this password.</para>
-
-      <para>The
-	<literal>ID</literal> line lists
-	the login name (<literal>unfurl</literal>), default iteration count
+	password which is associated with the user's login account.
+	It must be between 10 and 127 characters long.  Remember this
+	password.</para>
+
+      <para>The <literal>ID</literal> line lists the login name
+	(<literal>unfurl</literal>), default iteration count
 	(<literal>499</literal>), and default seed
-	(<literal>to4268</literal>).  When logging in,
-	the system will remember these parameters and display them,
-	meaning that they do not have to be memorized.  The last line
-	lists the generated one-time password which corresponds to
-	those parameters and the secret password.  At the next login,
-	use this one-time password.</para>
+	(<literal>to4268</literal>).  When logging in, the system will
+	remember these parameters and display them, meaning that they
+	do not have to be memorized.  The last line lists the
+	generated one-time password which corresponds to those
+	parameters and the secret password.  At the next login, use
+	this one-time password.</para>
     </sect2>
 
     <sect2>
       <title>Insecure Connection Initialization</title>
 
       <para>To initialize or change the secret password on an
-	insecure system, a secure connection is needed to some
-	place where <command>opiekey</command> can be run.  This might be a shell
-	prompt on a trusted machine.  An iteration count is needed,
-	where 100 is probably a good value, and the seed can either be
-	specified or the randomly-generated one used.  On the insecure
-	connection, the machine being initialized, use
+	insecure system, a secure connection is needed to some place
+	where <command>opiekey</command> can be run.  This might be a
+	shell prompt on a trusted machine.  An iteration count is
+	needed, where 100 is probably a good value, and the seed can
+	either be specified or the randomly-generated one used.  On
+	the insecure connection, the machine being initialized, use
 	&man.opiepasswd.1;:</para>
 
       <screen>&prompt.user; <userinput>opiepasswd</userinput>
@@ -762,8 +761,8 @@ Reminder: Do not use opiekey from telnet
 Enter secret pass phrase:
 GAME GAG WELT OUT DOWN CHAT</screen>
 
-      <para>Switch back over to the insecure connection, and copy
-	the generated one-time password over to the relevant
+      <para>Switch back over to the insecure connection, and copy the
+	generated one-time password over to the relevant
 	program.</para>
     </sect2>
 
@@ -867,14 +866,15 @@ Enter secret pass phrase: <userinput>&lt
   </sect1>
 
   <sect1 xml:id="tcpwrappers">
-    <info><title>TCP Wrappers</title>
+    <info>
+      <title>TCP Wrappers</title>
+
       <authorgroup>
-	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author>
+	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written
+	  by </contrib></author>
       </authorgroup>
     </info>
 
-    
-
     <indexterm><primary>TCP Wrappers</primary></indexterm>
 
     <para><acronym>TCP</acronym> Wrappers extends the abilities of
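Review bot: the reflow splits the visible text of <contrib> across a line break ("Written" / "by "), which renders correctly after whitespace collapsing but makes the string impossible to grep as "Written by"; keeping the short contrib text on one line and breaking before <contrib> instead would be tidier. The same pattern appears in the Kerberos5 info block below. Style only.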
@@ -919,16 +919,16 @@ Enter secret pass phrase: <userinput>&lt
 	<literal>daemon</literal> is the daemon which &man.inetd.8;
 	started, <literal>address</literal> is a valid hostname,
 	<acronym>IP</acronym> address, or an IPv6 address enclosed in
-	brackets ([ ]), and <literal>action</literal> is
-	either <literal>allow</literal> or <literal>deny</literal>.
+	brackets ([ ]), and <literal>action</literal> is either
+	<literal>allow</literal> or <literal>deny</literal>.
 	<acronym>TCP</acronym> Wrappers uses a first rule match
 	semantic, meaning that the configuration file is scanned in
 	ascending order for a matching rule.  When a match is found,
 	the rule is applied and the search process stops.</para>
 
       <para>For example, to allow <acronym>POP</acronym>3 connections
-	via the <package>mail/qpopper</package>
-	daemon, the following lines should be appended to
+	via the <package>mail/qpopper</package> daemon, the following
+	lines should be appended to
 	<filename>hosts.allow</filename>:</para>
 
       <programlisting># This line is required for POP3 connections:
@@ -1001,9 +1001,10 @@ ALL : .example.com \
 	  /var/log/connections.log) \
 	: deny</programlisting>
 
-	<para>This will deny all connection attempts from <systemitem class="fqdomainname">*.example.com</systemitem> and log the hostname,
-	  <acronym>IP</acronym> address, and the daemon to which
-	  access was attempted to
+	<para>This will deny all connection attempts from <systemitem
+	    class="fqdomainname">*.example.com</systemitem> and log
+	  the hostname, <acronym>IP</acronym> address, and the daemon
+	  to which access was attempted to
 	  <filename>/var/log/connections.log</filename>.</para>
 
 	<para>This example uses the substitution characters
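Review bot: "log the hostname, IP address, and the daemon to which access was attempted to /var/log/connections.log" has a dangling "to"; a comma after "attempted", or moving "to /var/log/connections.log" directly after "log", fixes it. Pre-existing; content follow-up.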
@@ -1048,17 +1049,19 @@ sendmail : PARANOID : deny</programlisti
   </sect1>
 
   <sect1 xml:id="kerberos5">
-    <info><title><application>Kerberos5</application></title>
+    <info>
+      <title><application>Kerberos5</application></title>
+
       <authorgroup>
-	<author><personname><firstname>Tillman</firstname><surname>Hodgson</surname></personname><contrib>Contributed by </contrib></author>
+	<author><personname><firstname>Tillman</firstname><surname>Hodgson</surname></personname><contrib>Contributed
+	  by </contrib></author>
       </authorgroup>
       <authorgroup>
-	<author><personname><firstname>Mark</firstname><surname>Murray</surname></personname><contrib>Based on a contribution by </contrib></author>
+	<author><personname><firstname>Mark</firstname><surname>Murray</surname></personname><contrib>Based
+	  on a contribution by </contrib></author>
       </authorgroup>
     </info>
 
-    
-
     <para><application>Kerberos</application> is a network add-on
       system/protocol that allows users to authenticate themselves
       through the services of a secure server.
@@ -1089,7 +1092,8 @@ sendmail : PARANOID : deny</programlisti
     <itemizedlist>
       <listitem>
 	<para>The <acronym>DNS</acronym> domain (<quote>zone</quote>)
-	  will be <systemitem class="fqdomainname">example.org</systemitem>.</para>
+	  will be <systemitem
+	    class="fqdomainname">example.org</systemitem>.</para>
       </listitem>
 
       <listitem>
@@ -1138,14 +1142,14 @@ sendmail : PARANOID : deny</programlisti
 	a cryptography product, and has historically been affected by
 	<acronym>US</acronym> export regulations.  The
 	<acronym>MIT</acronym> <application>Kerberos</application> is
-	available as the <package>security/krb5</package> package or port.
-	Heimdal <application>Kerberos</application> is another version
-	5 implementation, and was explicitly developed outside of the
-	<acronym>US</acronym> to avoid export regulations.  The
+	available as the <package>security/krb5</package> package or
+	port.  Heimdal <application>Kerberos</application> is another
+	version 5 implementation, and was explicitly developed outside
+	of the <acronym>US</acronym> to avoid export regulations.  The
 	Heimdal <application>Kerberos</application> distribution is
-	available as a the <package>security/heimdal</package> package or port,
-	and a minimal installation is included in the base &os;
-	install.</para>
+	available as a the <package>security/heimdal</package> package
+	or port, and a minimal installation is included in the base
+	&os; install.</para>
 
       <para>These instructions assume the use of the Heimdal
 	distribution included in &os;.</para>
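Review bot: "available as a the security/heimdal package" carries a stray article and should read "available as the". Pre-existing, so a content follow-up.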
@@ -1196,8 +1200,9 @@ kadmind5_server_enable="YES"</programlis
 
       <para>This <filename>/etc/krb5.conf</filename> implies that the
 	<acronym>KDC</acronym> will use the fully-qualified hostname
-	<systemitem class="fqdomainname">kerberos.example.org</systemitem>.  Add a
-	CNAME (alias) entry to the zone file to accomplish this
+	<systemitem
+	  class="fqdomainname">kerberos.example.org</systemitem>.  Add
+	a CNAME (alias) entry to the zone file to accomplish this
 	if the <acronym>KDC</acronym> has a different hostname.</para>
 
       <note>
@@ -1209,7 +1214,9 @@ kadmind5_server_enable="YES"</programlis
       default_realm = EXAMPLE.ORG</programlisting>
 
 	<para>With the following lines being appended to the
-	  <systemitem class="fqdomainname">example.org</systemitem> zone file:</para>
+	  <systemitem
+	    class="fqdomainname">example.org</systemitem> zone
+	  file:</para>
 
 	<programlisting>_kerberos._udp      IN  SRV     01 00 88 kerberos.example.org.
 _kerberos._tcp      IN  SRV     01 00 88 kerberos.example.org.
@@ -1355,10 +1362,10 @@ kadmin><userinput> exit</userinput></
 
       <para>If &man.kadmind.8; is not running on the
 	<acronym>KDC</acronym> and there is no access to
-	&man.kadmin.8; remotely, add the host principal
-	(<systemitem class="username">host/myserver.EXAMPLE.ORG</systemitem>) directly on
-	the <acronym>KDC</acronym> and then extract it to a
-	temporary file to avoid overwriting the
+	&man.kadmin.8; remotely, add the host principal (<systemitem
+	  class="username">host/myserver.EXAMPLE.ORG</systemitem>)
+	directly on the <acronym>KDC</acronym> and then extract it to
+	a temporary file to avoid overwriting the
 	<filename>/etc/krb5.keytab</filename> on the
 	<acronym>KDC</acronym>, using something like this:</para>
 
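Review bot: the host principal quoted in this hunk, host/myserver.EXAMPLE.ORG, has the realm in the position where the hostname belongs; a Heimdal host principal is written with the lowercase fully-qualified hostname followed by the realm after an at sign, host/myserver.example.org@EXAMPLE.ORG. That is the form the surrounding kadmin steps use for add --random-key. Not something this whitespace-only change should fix, but worth a follow-up edit to the <systemitem> text.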
@@ -1447,19 +1454,20 @@ kadmin><userinput> exit</userinput></
 	local user account.  Occasionally, one needs to grant access
 	to a local user account to someone who does not have a
 	matching <application>Kerberos</application> principal.  For
-	example, <systemitem class="username">tillman at EXAMPLE.ORG</systemitem> may need
-	access to the local user account
-	<systemitem class="username">webdevelopers</systemitem>.  Other principals may also
-	need access to that local account.</para>
+	example, <systemitem
+	  class="username">tillman at EXAMPLE.ORG</systemitem> may need
+	access to the local user account <systemitem
+	  class="username">webdevelopers</systemitem>.  Other
+	principals may also need access to that local account.</para>
 
       <para>The <filename>.k5login</filename> and
 	<filename>.k5users</filename> files, placed in a user's home
 	directory, can be used to solve this problem.  For example, if
 	<filename>.k5login</filename> with the following contents is
-	placed in the home directory of
-	<systemitem class="username">webdevelopers</systemitem>, both principals listed
-	will have access to that account without requiring a shared
-	password.:</para>
+	placed in the home directory of <systemitem
+	  class="username">webdevelopers</systemitem>, both principals
+	listed will have access to that account without requiring a
+	shared password.:</para>
 
       <screen>tillman at example.org
 jdoe at example.org</screen>
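Review bot: the .k5login sample in the context lines lists the principals with a lowercase realm (tillman@example.org) while the paragraph above names the principal as tillman@EXAMPLE.ORG; Kerberos realm names are case-sensitive, so the sample as shown would not grant the principal from the paragraph access. The reflowed sentence also keeps the stray period in "shared password.:". Both are candidates for a follow-up since this commit is whitespace-only.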
@@ -1476,8 +1484,8 @@ jdoe at example.org</screen>
 	<listitem>
 	  <para>When using either the Heimdal or
 	    <acronym>MIT</acronym>
-	    <application>Kerberos</application><indexterm><primary>Kerberos5</primary><secondary>troubleshooting</secondary></indexterm> ports, ensure that
-	    the <envar>PATH</envar> lists the
+	    <application>Kerberos</application><indexterm><primary>Kerberos5</primary><secondary>troubleshooting</secondary></indexterm>
+	    ports, ensure that the <envar>PATH</envar> lists the
 	    <application>Kerberos</application> versions of the
 	    client applications before the system versions.</para>
 	</listitem>
@@ -1496,11 +1504,12 @@ jdoe at example.org</screen>
 	</listitem>
 
 	<listitem>
-	  <para>If the hostname is changed, the
-	    <systemitem class="username">host/</systemitem> principal must be changed and
-	    the keytab updated.  This also applies to special keytab
-	    entries like the <systemitem class="username">www/</systemitem> principal
-	    used for Apache's <package>www/mod_auth_kerb</package>.</para>
+	  <para>If the hostname is changed, the <systemitem
+	      class="username">host/</systemitem> principal must be
+	    changed and the keytab updated.  This also applies to
+	    special keytab entries like the <systemitem
+	      class="username">www/</systemitem> principal used for
+	    Apache's <package>www/mod_auth_kerb</package>.</para>
 	</listitem>
 
 	<listitem>
@@ -1517,8 +1526,9 @@ jdoe at example.org</screen>
 	<listitem>
 	  <para>Some operating systems that act as clients to the
 	    <acronym>KDC</acronym> do not set the permissions for
-	    &man.ksu.1; to be setuid <systemitem class="username">root</systemitem>.  This
-	    means that &man.ksu.1; does not work.  This is not a
+	    &man.ksu.1; to be setuid <systemitem
+	      class="username">root</systemitem>.  This means that
+	    &man.ksu.1; does not work.  This is not a
 	    <acronym>KDC</acronym> error.</para>
 	</listitem>
 
@@ -1528,10 +1538,10 @@ jdoe at example.org</screen>
 	    principal to have a ticket life longer than the default
 	    ten hours, use <command>modify_principal</command> at the
 	    &man.kadmin.8; prompt to change the maxlife of both the
-	    principal in question and the
-	    <systemitem class="username">krbtgt</systemitem> principal.  Then the
-	    principal can use <command>kinit -l</command> to request a
-	    ticket with a longer lifetime.</para>
+	    principal in question and the <systemitem
+	      class="username">krbtgt</systemitem> principal.  Then
+	    the principal can use <command>kinit -l</command> to
+	    request a ticket with a longer lifetime.</para>
 	</listitem>
 
 	<listitem>
@@ -1611,16 +1621,18 @@ jdoe at example.org</screen>
       <para>The client applications may also use slightly different
 	command line options to accomplish the same tasks.
 	Following the instructions on the <acronym>MIT</acronym>
-	<application>Kerberos</application> <link xlink:href="http://web.mit.edu/Kerberos/www/">web site</link> is
-	recommended.  Be careful of path issues: the
-	<acronym>MIT</acronym> port installs into <filename>/usr/local/</filename> by default, and the
+	<application>Kerberos</application> <link
+	  xlink:href="http://web.mit.edu/Kerberos/www/">web
+	  site</link> is recommended.  Be careful of path issues: the
+	<acronym>MIT</acronym> port installs into
+	<filename>/usr/local/</filename> by default, and the
 	<quote>normal</quote> system applications run instead of
 	<acronym>MIT</acronym> versions if <envar>PATH</envar> lists
 	the system directories first.</para>
 
       <note>
-	<para>With the &os; <acronym>MIT</acronym> <package>security/krb5</package> port, be sure to
-	  read
+	<para>With the &os; <acronym>MIT</acronym>
+	  <package>security/krb5</package> port, be sure to read
 	  <filename>/usr/local/share/doc/krb5/README.FreeBSD</filename>
 	  installed by the port to understand why logins via
 	  &man.telnetd.8; and <command>klogind</command> behave
@@ -1642,8 +1654,7 @@ kadmind5_server_enable="YES"</programlis
 
       <para>This is done because the applications for
 	<acronym>MIT</acronym> Kerberos installs binaries in the
-	<filename>/usr/local</filename>
-	hierarchy.</para>
+	<filename>/usr/local</filename> hierarchy.</para>
     </sect2>
 
     <sect2>
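Review bot: the context line "the applications for MIT Kerberos installs binaries" has a subject-verb agreement error that the rewrap preserves; a follow-up should read "the MIT Kerberos port installs binaries in the /usr/local hierarchy".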
@@ -1656,8 +1667,8 @@ kadmind5_server_enable="YES"</programlis
       </indexterm>
 
       <sect3>
-	<title><application>Kerberos</application> is an
-	  All or Nothing Approach</title>
+	<title><application>Kerberos</application> is an All or
+	  Nothing Approach</title>
 
 	<para>Every service enabled on the network must be modified
 	  to work with <application>Kerberos</application>, or be
@@ -1675,10 +1686,10 @@ kadmind5_server_enable="YES"</programlis
 
 	<para>In a multi-user environment,
 	  <application>Kerberos</application> is less secure.  This is
-	  because it stores the tickets in <filename>/tmp</filename>, which is readable by
-	  all users.  If a user is sharing a computer with other
-	  users, it is possible that the user's tickets can be stolen
-	  or copied by another user.</para>
+	  because it stores the tickets in <filename>/tmp</filename>,
+	  which is readable by all users.  If a user is sharing a
+	  computer with other users, it is possible that the user's
+	  tickets can be stolen or copied by another user.</para>
 
 	<para>This can be overcome with the <literal>-c</literal>
 	  command-line option or, preferably, the
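Review bot: the reflowed text keeps the claim that tickets stored in /tmp are exposed because /tmp "is readable by all users"; both Heimdal and MIT create the per-user credential cache file there with mode 0600, so the exposure is to root and to processes running as the same user, not to every user on the host. The caveat is still worth keeping, but a follow-up should state the actual threat rather than world-readability of the directory.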
@@ -1724,8 +1735,8 @@ kadmind5_server_enable="YES"</programlis
 	  <acronym>KDC</acronym> to the users, hosts or services.
 	  This means that a trojanned &man.kinit.1; could record all
 	  user names and passwords.  Filesystem integrity checking
-	  tools like <package>security/tripwire</package> can alleviate
-	  this.</para>
+	  tools like <package>security/tripwire</package> can
+	  alleviate this.</para>
       </sect3>
     </sect2>
 
@@ -1777,31 +1788,36 @@ kadmind5_server_enable="YES"</programlis
 
       <itemizedlist>
 	<listitem>
-	  <para><link xlink:href="http://www.faqs.org/faqs/Kerberos-faq/general/preamble.html">
+	  <para><link
+	      xlink:href="http://www.faqs.org/faqs/Kerberos-faq/general/preamble.html">
 	      The <application>Kerberos</application>
 	      FAQ</link></para>
 	</listitem>
 
 	<listitem>
-	  <para><link xlink:href="http://web.mit.edu/Kerberos/www/dialogue.html">Designing
+	  <para><link
+	      xlink:href="http://web.mit.edu/Kerberos/www/dialogue.html">Designing
 	      an Authentication System: a Dialog in Four
 	      Scenes</link></para>
 	</listitem>
 
 	<listitem>
-	  <para><link xlink:href="http://www.ietf.org/rfc/rfc1510.txt?number=1510">RFC
+	  <para><link
+	      xlink:href="http://www.ietf.org/rfc/rfc1510.txt?number=1510">RFC
 	      1510, The <application>Kerberos</application> Network
 	      Authentication Service (V5)</link></para>
 	</listitem>
 
 	<listitem>
-	  <para><link xlink:href="http://web.mit.edu/Kerberos/www/"><acronym>MIT</acronym>
+	  <para><link
+	      xlink:href="http://web.mit.edu/Kerberos/www/"><acronym>MIT</acronym>
 	      <application>Kerberos</application> home
 	      page</link></para>
 	</listitem>
 
 	<listitem>
-	  <para><link xlink:href="http://www.pdc.kth.se/heimdal/">Heimdal
+	  <para><link
+	      xlink:href="http://www.pdc.kth.se/heimdal/">Heimdal
 	      <application>Kerberos</application> home
 	      page</link></para>
 	</listitem>
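Review bot: the third list item links to RFC 1510, which has been obsoleted by RFC 4120 (the current Kerberos V5 specification); as this commit only rewraps the <link> elements, a follow-up should update both the xlink:href and the link text to RFC 4120.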
@@ -1810,14 +1826,15 @@ kadmind5_server_enable="YES"</programlis
   </sect1>
 
   <sect1 xml:id="openssl">
-    <info><title>OpenSSL</title>
+    <info>
+      <title>OpenSSL</title>
+
       <authorgroup>
-	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written by </contrib></author>
+	<author><personname><firstname>Tom</firstname><surname>Rhodes</surname></personname><contrib>Written
+	  by </contrib></author>
       </authorgroup>
     </info>
 
-    
-
     <indexterm>
       <primary>security</primary>
       <secondary>OpenSSL</secondary>
@@ -1833,15 +1850,14 @@ kadmind5_server_enable="YES"</programlis
       encrypted authentication of mail clients and web based
       transactions such as credit card payments.  Many ports such as
       <package>www/apache22</package>, and
-      <package>mail/claws-mail</package> offer
-      compilation support for building with
-      <application>OpenSSL</application>.</para>
+      <package>mail/claws-mail</package> offer compilation support for
+      building with <application>OpenSSL</application>.</para>
 
     <note>
       <para>In most cases, the Ports Collection will attempt to build
-	the <package>security/openssl</package>
-	port unless <varname>WITH_OPENSSL_BASE</varname> is explicitly
-	set to <quote>yes</quote>.</para>
+	the <package>security/openssl</package> port unless
+	<varname>WITH_OPENSSL_BASE</varname> is explicitly set to
+	<quote>yes</quote>.</para>
     </note>
 
     <para>The version of <application>OpenSSL</application> included
@@ -1865,7 +1881,8 @@ kadmind5_server_enable="YES"</programlis
       and not fraudulent.  If the certificate in question has not
       been verified by a <quote>Certificate Authority</quote>
       (<acronym>CA</acronym>), a warning is produced.  A
-      <acronym>CA</acronym> is a company, such as <link xlink:href="http://www.verisign.com">VeriSign</link>, signs
+      <acronym>CA</acronym> is a company, such as <link
+	xlink:href="http://www.verisign.com">VeriSign</link>, signs
       certificates in order to validate the credentials of individuals
       or companies.  This process has a cost associated with it and is
       not a requirement for using certificates; however, it can put
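Review bot: the sentence split across the new <link> wrapping is missing a relative pronoun, "A CA is a company, such as VeriSign, signs certificates" should read "A CA is a company, such as VeriSign, that signs certificates"; a follow-up can fix it alongside the whitespace change.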
@@ -1946,8 +1963,9 @@ An optional company name []:<userinput>A
 	certificate authority signature file,
 	<filename>myca.key</filename> and the certificate itself,
 	<filename>new.crt</filename>.  These should be placed in a
-	directory, preferably under <filename>/etc</filename>, which is readable only by
-	<systemitem class="username">root</systemitem>.  Permissions of 0700 are
+	directory, preferably under <filename>/etc</filename>, which
+	is readable only by <systemitem
+	  class="username">root</systemitem>.  Permissions of 0700 are
 	appropriate and can be set using &man.chmod.1;.</para>
     </sect2>
 
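Review bot: the context lines describe myca.key as the "certificate authority signature file"; it is the private key produced by the request step shown above (the prompts ending in "An optional company name" are from openssl req), and a reader who does not know that may not treat it as a secret. A follow-up should call it the private key and, beyond the 0700 directory, recommend 0600 on the key file itself.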
@@ -2022,7 +2040,9 @@ Connection closed by foreign host.</scre
   </sect1>
 
   <sect1 xml:id="ipsec">
-    <info><title><acronym>VPN</acronym> over IPsec</title>
+    <info>
+      <title><acronym>VPN</acronym> over IPsec</title>
+
       <authorgroup>
 	<author><personname><firstname>Nik</firstname><surname>Clayton</surname></personname><affiliation>
 	    <address><email>nik at FreeBSD.org</email></address>
@@ -2030,23 +2050,22 @@ Connection closed by foreign host.</scre
       </authorgroup>
     </info>
 
-    
-
     <indexterm>
       <primary>IPsec</primary>
     </indexterm>
 
     <sect2>
-      <info><title>Understanding IPsec</title>
+      <info>
+	<title>Understanding IPsec</title>
+
 	<authorgroup>
-	  <author><personname><firstname>Hiten M.</firstname><surname>Pandya</surname></personname><affiliation>
+	  <author><personname><firstname>Hiten
+	    M.</firstname><surname>Pandya</surname></personname><affiliation>
 	      <address><email>hmp at FreeBSD.org</email></address>
 	    </affiliation><contrib>Written by </contrib></author>
 	</authorgroup>
       </info>
 
-      
-
       <para>This section demonstrates the process of setting up IPsec.
 	It assumes familiarity with the concepts of building a custom
 	kernel (see <xref linkend="kernelconfig"/>).</para>
@@ -2055,8 +2074,9 @@ Connection closed by foreign host.</scre
 	top of the Internet Protocol (<acronym>IP</acronym>) layer.
 	It allows two or more hosts to communicate in a secure manner.
 	The &os; IPsec <quote>network stack</quote> is based on the
-	<link xlink:href="http://www.kame.net/">KAME</link> implementation,
-	which has support for both IPv4 and IPv6.</para>
+	<link xlink:href="http://www.kame.net/">KAME</link>
+	implementation, which has support for both IPv4 and
+	IPv6.</para>
 
       <indexterm>
 	<primary>IPsec</primary>
@@ -2171,13 +2191,15 @@ device    crypto</screen>
 	  <para>The internal addresses of the two networks can be
 	    either public or private IP addresses.  However, the
 	    address space must not collide.  For example, both
-	    networks cannot use
-	    <systemitem class="ipaddress">192.168.1.x</systemitem>.</para>
+	    networks cannot use <systemitem
+	      class="ipaddress">192.168.1.x</systemitem>.</para>
 	</listitem>
       </itemizedlist>
 

*** DIFF OUTPUT TRUNCATED AT 1000 LINES ***

