From 5680cdf3b7dcddbf85e3750cd0dec2d5cd5cd55c Mon Sep 17 00:00:00 2001
From: Dru Lavigne <dru@FreeBSD.org>
Date: Fri, 21 Mar 2014 19:53:55 +0000
Subject: [PATCH] Initial prep work for OpenSSH chapter. Divide sections into
 client stuff and server stuff. Still needs an editorial review and the last 2
 hanging sub-sections need to be incorporated.

Sponsored by: iXsystems
---
 .../books/handbook/security/chapter.xml       | 124 +++++++-----------
 1 file changed, 49 insertions(+), 75 deletions(-)

diff --git a/en_US.ISO8859-1/books/handbook/security/chapter.xml b/en_US.ISO8859-1/books/handbook/security/chapter.xml
index 8f6279f75a..560ee97fe7 100644
--- a/en_US.ISO8859-1/books/handbook/security/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.xml
@@ -2514,42 +2514,15 @@ racoon_enable="yes"</programlisting>
       compatible with both <acronym>SSH</acronym> version 1 and 2
       protocols.</para>
 
-    <sect2>
-      <title>Advantages of Using
-	<application>OpenSSH</application></title>
-
       <para>When data is sent over the network in an unencrypted form,
 	network sniffers anywhere in between the client and server
 	can steal user/password information or data transferred
 	during the session.  <application>OpenSSH</application> offers
 	a variety of authentication and encryption methods to prevent
 	this from happening.</para>
-    </sect2>
 
     <sect2>
-      <title>Enabling the SSH Server</title>
-
-      <indexterm>
-	<primary>OpenSSH</primary>
-	<secondary>enabling</secondary>
-      </indexterm>
-
-      <para>To see if &man.sshd.8; is enabled, check
-	<filename>/etc/rc.conf</filename> for this line:</para>
-
-      <programlisting>sshd_enable="YES"</programlisting>
-
-      <para>This will start &man.sshd.8;, the daemon program for
-	<application>OpenSSH</application>, the next time the system
-	initializes.  Alternatively, it is possible to use
-	&man.service.8; to start <application>OpenSSH</application>
-	now:</para>
-
-      <screen>&prompt.root; <userinput>service sshd start</userinput></screen>
-    </sect2>
-
-    <sect2>
-      <title>The SSH Client</title>
+      <title>Using the SSH Client Utilities</title>
 
       <indexterm>
 	<primary>OpenSSH</primary>
@@ -2584,10 +2557,6 @@ user@example.com's password: <userinput>*******</userinput></screen>
 	1 or version 2, respectively.  The version 1 compatibility is
 	maintained in the client for backwards compatibility with
 	older versions.</para>
-    </sect2>
-
-    <sect2>
-      <title>Secure Copy</title>
 
       <indexterm>
 	<primary>OpenSSH</primary>
@@ -2617,28 +2586,9 @@ COPYRIGHT            100% |*****************************|  4735
 	<acronym>SSH</acronym>, connection, one or more of the file
 	arguments takes the form
 	<option>user@host:&lt;path_to_remote_file&gt;</option>.</para>
-    </sect2>
 
-    <sect2>
-      <title>Configuration</title>
-
-      <indexterm>
-	<primary>OpenSSH</primary>
-	<secondary>configuration</secondary>
-      </indexterm>
-
-      <para>The system-wide configuration files for both the
-	<application>OpenSSH</application> daemon and client reside
-	in <filename>/etc/ssh</filename>.</para>
-
-      <para><filename>ssh_config</filename> configures the client
-	settings, while <filename>sshd_config</filename> configures
-	the daemon.  Each file has its own manual page which describes
-	the available configuration options.</para>
-    </sect2>
-
-    <sect2 xml:id="security-ssh-keygen">
-      <title>&man.ssh-keygen.1;</title>
+    <sect3 xml:id="security-ssh-keygen">
+      <title>Key-based Authentication</title>
 
       <para>Instead of using passwords, &man.ssh-keygen.1; can be used
 	to generate <acronym>DSA</acronym> or <acronym>RSA</acronym>
@@ -2690,23 +2640,15 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com</screen>
 	  that host <acronym>IP</acronym>.</para>
       </warning>
 
-      <para>If a passphrase is used in &man.ssh-keygen.1;, the user
-	will be prompted for the passphrase each time in order to use
-	the private key.  &man.ssh-agent.1; can alleviate the strain
-	of repeatedly entering long passphrases, and is explored in
-	<xref linkend="security-ssh-agent"/>.</para>
-
       <warning>
 	<para>The various options and files can be different according
 	  to the <application>OpenSSH</application> version.  To avoid
 	  problems, consult &man.ssh-keygen.1;.</para>
       </warning>
-    </sect2>
 
-    <sect2 xml:id="security-ssh-agent">
-      <title>Using SSH Agent to Cache Keys</title>
-
-      <para>To load <acronym>SSH</acronym> keys into memory for use,
+      <para>If a passphrase is used in &man.ssh-keygen.1;, the user
+	will be prompted for the passphrase each time in order to use
+	the private key.  To load <acronym>SSH</acronym> keys into memory for use,
 	without needing to type the passphrase each time, use
 	&man.ssh-agent.1; and &man.ssh-add.1;.</para>
 
@@ -2745,9 +2687,9 @@ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
 	<application>&xorg;</application> has been restarted so that
 	the changes can take effect, run &man.ssh-add.1; to load all
 	of the <acronym>SSH</acronym> keys.</para>
-    </sect2>
+    </sect3>
 
-    <sect2 xml:id="security-ssh-tunneling">
+    <sect3 xml:id="security-ssh-tunneling">
       <title><acronym>SSH</acronym> Tunneling</title>
 
       <indexterm>
@@ -2850,11 +2792,7 @@ Escape character is '^]'.
 	  run as a separate user.</para>
       </example>
 
-      <sect3>
-	<title>Practical <acronym>SSH</acronym> Tunneling
-	  Examples</title>
-
-	<sect4>
+      <example>
 	  <title>Secure Access of a POP3 Server</title>
 
 	  <para>In this example, there is an <acronym>SSH</acronym>
@@ -2873,9 +2811,9 @@ user@ssh-server.example.com's password: <userinput>******</userinput></screen>
 	    <systemitem>localhost</systemitem> on port 2110.  This
 	    connection will be forwarded securely across the tunnel to
 	    <systemitem>mail.example.com</systemitem>.</para>
-	</sect4>
+	</example>
 
-	<sect4>
+	<example>
 	  <title>Bypassing a Draconian Firewall</title>
 
 	  <para>Some network administrators impose firewall rules
@@ -2897,12 +2835,30 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
 	    8888, which will be forwarded over to
 	    <systemitem>music.example.com</systemitem> on port 8000,
 	    successfully bypassing the firewall.</para>
-	</sect4>
+	</example>
       </sect3>
     </sect2>
 
     <sect2>
-      <title>The <varname>AllowUsers</varname> Option</title>
+      <title>Enabling the SSH Server</title>
+
+      <indexterm>
+	<primary>OpenSSH</primary>
+	<secondary>enabling</secondary>
+      </indexterm>
+
+      <para>To see if &man.sshd.8; is enabled, check
+	<filename>/etc/rc.conf</filename> for this line:</para>
+
+      <programlisting>sshd_enable="YES"</programlisting>
+
+      <para>This will start &man.sshd.8;, the daemon program for
+	<application>OpenSSH</application>, the next time the system
+	initializes.  Alternatively, it is possible to use
+	&man.service.8; to start <application>OpenSSH</application>
+	now:</para>
+
+      <screen>&prompt.root; <userinput>service sshd start</userinput></screen>
 
       <para>It is often a good idea to limit which users can log in
 	and from where using <literal>AllowUsers</literal>.  For
@@ -2935,6 +2891,24 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
       <screen>&prompt.root; <userinput>service sshd reload</userinput></screen>
     </sect2>
 
+    <sect2>
+      <title>Configuration</title>
+
+      <indexterm>
+	<primary>OpenSSH</primary>
+	<secondary>configuration</secondary>
+      </indexterm>
+
+      <para>The system-wide configuration files for both the
+	<application>OpenSSH</application> daemon and client reside
+	in <filename>/etc/ssh</filename>.</para>
+
+      <para><filename>ssh_config</filename> configures the client
+	settings, while <filename>sshd_config</filename> configures
+	the daemon.  Each file has its own manual page which describes
+	the available configuration options.</para>
+    </sect2>
+
     <sect2>
       <title>Further Reading</title>