os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Whitespace change only.

Browse source 
PR:		docs/31580
Submitted by:	Martin Heinen <martin@sumuk.de>
This commit is contained in:
Murray Stokely 2001-10-29 11:02:50 +00:00
parent 58a809138a
commit 9e043bbbd6
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=11069
1 changed files with 62 additions and 70 deletions

132
en_US.ISO8859-1/books/handbook/security/chapter.sgml
View file

@ -2577,8 +2577,7 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<filename>/etc/rc.conf.local</filename> or
<filename>/etc/rc.conf</filename> to enable your firewall,
it is important to make sure your firewall is enabled before
any IP interfaces are configured.
</para>
any IP interfaces are configured.</para>
<para>The next problem is what your firewall should actually
<emphasis>do</emphasis>! This is largely dependent on what access to
@ -2709,23 +2708,23 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
<tip>
<para>For other HOWTOs detailing IPSec implementation in
FreeBSD, take a look at <ulink
url="http://www.daemonnews.org/200101/ipsec-howto.html"></ulink>
and <ulink
url="http://www.freebsddiary.org/ipsec.php"></ulink>.</para>
FreeBSD, take a look at <ulink
url="http://www.daemonnews.org/200101/ipsec-howto.html"></ulink>
and <ulink
url="http://www.freebsddiary.org/ipsec.php"></ulink>.</para>
</tip>
<para>The IPsec mechanism provides secure communication for IP
layer and socket layer communication. This section should
explain how to use them. For implementation details, please
refer to <ulink
url="../developers-handbook/ipv6.html">The
Developers' Handbook</ulink>.</para>
layer and socket layer communication. This section should
explain how to use them. For implementation details, please
refer to <ulink
url="../developers-handbook/ipv6.html">The
Developers' Handbook</ulink>.</para>
<para>The current IPsec implementation supports both transport mode
and tunnel mode. However, tunnel mode comes with some restrictions.
<ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/
</ulink> has more comprehensive examples.</para>
and tunnel mode. However, tunnel mode comes with some restrictions.
<ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/
</ulink> has more comprehensive examples.</para>
<para>Please be aware that in order to use this functionality, you
must have the following options compiled into your kernel:</para>
@ -2737,25 +2736,25 @@ options IPSEC_ESP #IP security (crypto; define w/IPSEC)</progr
<title>Transport Mode Example with IPv4</title>
<para>Let us setup security association to deploy a secure channel
between HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little
complicated example. From HOST A to HOST B, only old AH is used.
From HOST B to HOST A, new AH and new ESP are combined.</para>
between HOST A (10.2.3.4) and HOST B (10.6.7.8). Here we show a little
complicated example. From HOST A to HOST B, only old AH is used.
From HOST B to HOST A, new AH and new ESP are combined.</para>
<para>Now we should choose an algorithm to be used corresponding to
"AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man
page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1
for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para>
"AH"/"new AH"/"ESP"/"new ESP". Please refer to the &man.setkey.8; man
page to know algorithm names. Our choice is MD5 for AH, new-HMAC-SHA1
for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para>
<para>Key length highly depends on each algorithm. For example, key
length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET",
"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para>
length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
and 8 for new-DES-expIV. Now we choose "MYSECRETMYSECRET",
"KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para>
<para>OK, let us assign SPI (Security Parameter Index) for each protocol.
Please note that we need 3 SPIs for this secure channel since three
security headers are produced (one for from HOST A to HOST B, two for
from HOST B to HOST A). Please also note that SPI MUST be greater
than or equal to 256. We choose, 1000, 2000, and 3000, respectively.
Please note that we need 3 SPIs for this secure channel since three
security headers are produced (one for from HOST A to HOST B, two for
from HOST B to HOST A). Please also note that SPI MUST be greater
than or equal to 256. We choose, 1000, 2000, and 3000, respectively.
</para>
<screen>
@ -2787,7 +2786,7 @@ options IPSEC_ESP #IP security (crypto; define w/IPSEC)</progr
</screen>
<para>Now, let us setup security association. Execute &man.setkey.8;
on both HOST A and B:</para>
on both HOST A and B:</para>
<screen>
&prompt.root; <command>setkey -c</command>
@ -2798,7 +2797,7 @@ add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
</screen>
<para>Actually, IPsec communication does not process until security policy
entries are defined. In this case, you must setup each host.</para>
entries are defined. In this case, you must setup each host.</para>
<screen>
At A:
@ -2834,7 +2833,7 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
<para>Another example using IPv6.</para>
<para>ESP transport mode is recommended for TCP port number 110 between
Host-A and Host-B.</para>
Host-A and Host-B.</para>
<screen>
============ ESP ============
@ -2844,8 +2843,8 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
</screen>
<para>Encryption algorithm is blowfish-cbc whose key is "kamekame", and
authentication algorithm is hmac-sha1 whose key is "this is the test
key". Configuration at Host-A:</para>
authentication algorithm is hmac-sha1 whose key is "this is the test
key". Configuration at Host-A:</para>
<screen>
&prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
@ -2889,8 +2888,8 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
<para>Tunnel mode between two security gateways</para>
<para>Security protocol is old AH tunnel mode, i.e. specified by
RFC1826, with keyed-md5 whose key is "this is the test" as
authentication algorithm.</para>
RFC1826, with keyed-md5 whose key is "this is the test" as
authentication algorithm.</para>
<screen>
======= AH =======
@ -2916,9 +2915,9 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
</screen>
<para>If the port number field is omitted such as above then "[any]" is
employed. `-m' specifies the mode of SA to be used. "-m any" means
wild-card of mode of security protocol. You can use this SA for both
tunnel and transport mode.</para>
employed. `-m' specifies the mode of SA to be used. "-m any" means
wild-card of mode of security protocol. You can use this SA for both
tunnel and transport mode.</para>
<para>and at Gateway-B:</para>
@ -2939,8 +2938,8 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
<para>Making SA bundle between two security gateways</para>
<para>AH transport mode and ESP tunnel mode is required between
Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first,
and AH transport mode is next.</para>
Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first,
and AH transport mode is next.</para>
<screen>
========== AH =========
@ -2955,8 +2954,8 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
<title>Tunnel Mode Example with IPv6</title>
<para>Encryption algorithm is 3des-cbc, and authentication algorithm
for ESP is hmac-sha1. Authentication algorithm for AH is hmac-md5.
Configuration at Gateway-A:</para>
for ESP is hmac-sha1. Authentication algorithm for AH is hmac-md5.
Configuration at Gateway-A:</para>
<screen>
&prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
@ -2983,10 +2982,10 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
<para>Making SAs with the different end</para>
<para>ESP tunnel mode is required between Host-A and Gateway-A. Encryption
algorithm is cast128-cbc, and authentication algorithm for ESP is
hmac-sha1. ESP transport mode is recommended between Host-A and Host-B.
Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is
hmac-md5.</para>
algorithm is cast128-cbc, and authentication algorithm for ESP is
hmac-sha1. ESP transport mode is recommended between Host-A and Host-B.
Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is
hmac-md5.</para>
<screen>
================== ESP =================
@ -3045,7 +3044,7 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
<secondary>OpenSSH</secondary>
</indexterm>
<para>Secure shell is a set of network connectivity tools used to
<para>Secure shell is a set of network connectivity tools used to
access remote machines securely. It can be used as a direct
replacement for <command>rlogin</command>,
<command>rsh</command>, <command>rcp</command>, and
@ -3094,8 +3093,7 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
</indexterm>
<para>The &man.ssh.1; utility works similarly to
&man.rlogin.1;.
</para>
&man.rlogin.1;.</para>
<screen>&prompt.root <userinput>ssh <replaceable>user@example.com</replaceable></userinput>
Host key not found from the list of known hosts.
@ -3113,8 +3111,8 @@ user@example.com's password: <userinput>*******</userinput></screen>
will alert you if the saved fingerprint differs from the
received fingerprint on future login attempts. The fingerprints
are saved in <filename>~/.ssh/known_hosts</filename>, or
<filename>~/.ssh/known_hosts2</filename> for SSH v2 fingerprints.
</para>
<filename>~/.ssh/known_hosts2</filename> for SSH v2
fingerprints.</para>
<para>By default, OpenSSH servers are configured to accept both
SSH v1 and SSH v2 connections. The client, however, can choose
@ -3166,12 +3164,11 @@ COPYRIGHT 100% |*****************************| 4735
<para>The system-wide configuration files for both the OpenSSH
daemon and client reside within the <filename>/etc/ssh</filename>
directory.
</para>
directory.</para>
<para><filename>ssh_config</filename> configures the client
settings, while <filename>sshd_config</filename> configures the
daemon.
</para>
daemon.</para>
<para>Additionally, the <option>sshd_program</option>
(<filename>/usr/sbin/sshd</filename> by default), and
@ -3183,8 +3180,7 @@ COPYRIGHT 100% |*****************************| 4735
<title>ssh-keygen</title>
<para>Instead of using passwords, &man.ssh-keygen.1; can
be used to generate RSA keys to authenticate a user.
</para>
be used to generate RSA keys to authenticate a user.</para>
<screen>&prompt.user <userinput>ssh-keygen</userinput>
Initializing random number generator...
@ -3203,8 +3199,7 @@ Your identification has been saved in /home/user/.ssh/identity.
<filename>~/.ssh/identity</filename>, whereas the public key is
stored in <filename>~/.ssh/identity.pub</filename>. The public
key must be placed in <filename>~/.ssh/authorized_keys</filename>
of the remote machine in order for the setup to work.
</para>
of the remote machine in order for the setup to work.</para>
<para>This will allow connection to the remote machine based upon
RSA authentication instead of passwords.</para>
@ -3226,8 +3221,7 @@ Your identification has been saved in /home/user/.ssh/identity.
machine.</para>
<para>&man.ssh-agent.1; and &man.ssh-add.1; are
utilities used in managing multiple passworded private keys.
</para>
utilities used in managing multiple passworded private keys.</para>
</sect2>
<sect2>
@ -3239,7 +3233,8 @@ Your identification has been saved in /home/user/.ssh/identity.
<para>OpenSSH has the ability to create a tunnel to encapsulate
another protocol in an encrypted session.</para>
<para>The following command tells &man.ssh.1; to create a tunnel
<para>The following command tells &man.ssh.1; to create a tunnel
for telnet.</para>
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput>
@ -3298,21 +3293,19 @@ Your identification has been saved in /home/user/.ssh/identity.
</variablelist>
<para>An SSH tunnel works by creating a listen socket on localhost
<para>An SSH tunnel works by creating a listen socket on localhost
on the specified port. It then forwards any connection received
on the local host/port via the SSH connection to the specified
remote host and port.</para>
<para>In the example, port <replaceable>5023</replaceable> on
<para>In the example, port <replaceable>5023</replaceable> on
localhost is being forwarded to port
<replaceable>23</replaceable> on localhost of the remote
machine. Since <replaceable>23</replaceable> is telnet, this
would create a secure telnet session through an SSH tunnel.
</para>
would create a secure telnet session through an SSH tunnel.</para>
<para>This can be used to wrap any number of insecure TCP protocols
such as smtp, pop3, ftp, etc.
</para>
such as smtp, pop3, ftp, etc.</para>
<para>A typical SSH Tunnel</para>
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user@mailserver.example.com</replaceable></userinput>
@ -3326,8 +3319,7 @@ Escape character is '^]'.
<para>This can be used in conjunction with an &man.ssh-keygen.1;
and additional user accounts to create a more seamless/hassle-free
SSH tunneling environment. Keys can be used in place of typing
a password, and the tunnels can be run as a separate user.
</para>
a password, and the tunnels can be run as a separate user.</para>
<sect3>
<title>Practical SSH Tunneling Examples</title>
@ -3378,7 +3370,7 @@ user@unfirewalled.myserver.com's password: *******</screen>
<hostid>localhost</hostid> port 8888, which will be
forwarded over to <hostid>music.example.com</hostid> port
8000, successfully evading the firewall.</para>
</sect4>
</sect4>
</sect3>
</sect2>