Whitespace change only.

PR: docs/31580 Submitted by: Martin Heinen <martin@sumuk.de>
svn path=/head/; revision=11069
2001-10-29 11:02:50 +00:00 · 2001-10-29 11:02:50 +00:00 · 9e043bbbd6 · 2020-12-08 03:00:23 +00:00
commit 9e043bbbd6
parent 58a809138a
1 changed files with 62 additions and 70 deletions
--- a/en_US.ISO8859-1/books/handbook/security/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.sgml
@ -2577,8 +2577,7 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
 	<filename>/etc/rc.conf.local</filename> or
 	<filename>/etc/rc.conf</filename> to enable your firewall,
 	it is important to make sure your firewall is enabled before
-	any IP interfaces are configured.
+	any IP interfaces are configured.</para>
      </para>
      <para>The next problem is what your firewall should actually
 	<emphasis>do</emphasis>! This is largely dependent on what access to
@ -2709,23 +2708,23 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
    <tip>
      <para>For other HOWTOs detailing IPSec implementation in
-      FreeBSD, take a look at <ulink
+        FreeBSD, take a look at <ulink
-      url="http://www.daemonnews.org/200101/ipsec-howto.html"></ulink>
+        url="http://www.daemonnews.org/200101/ipsec-howto.html"></ulink>
-      and <ulink
+        and <ulink
-      url="http://www.freebsddiary.org/ipsec.php"></ulink>.</para>
+        url="http://www.freebsddiary.org/ipsec.php"></ulink>.</para>
    </tip>
    <para>The IPsec mechanism provides secure communication for IP
-    layer and socket layer communication.  This section should
+      layer and socket layer communication.  This section should
-    explain how to use them.  For implementation details, please
+      explain how to use them.  For implementation details, please
-    refer to <ulink
+      refer to <ulink
-    url="../developers-handbook/ipv6.html">The
+      url="../developers-handbook/ipv6.html">The
-    Developers' Handbook</ulink>.</para>
+      Developers' Handbook</ulink>.</para>
    <para>The current IPsec implementation supports both transport mode
-    and tunnel mode.  However, tunnel mode comes with some restrictions.
+      and tunnel mode.  However, tunnel mode comes with some restrictions.
-    <ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/
+      <ulink url="http://www.kame.net/newsletter/">http://www.kame.net/newsletter/
-    </ulink> has more comprehensive examples.</para>
+      </ulink> has more comprehensive examples.</para>
    <para>Please be aware that in order to use this functionality, you
      must have the following options compiled into your kernel:</para>
@ -2737,25 +2736,25 @@ options          IPSEC_ESP          #IP security (crypto; define w/IPSEC)</progr
      <title>Transport Mode Example with IPv4</title>
      <para>Let us setup security association to deploy a secure channel
-      between HOST A (10.2.3.4) and HOST B (10.6.7.8).  Here we show a little
+        between HOST A (10.2.3.4) and HOST B (10.6.7.8).  Here we show a little
-      complicated example.  From HOST A to HOST B, only old AH is used.
+        complicated example.  From HOST A to HOST B, only old AH is used.
-      From HOST B to HOST A, new AH and new ESP are combined.</para>
+        From HOST B to HOST A, new AH and new ESP are combined.</para>
      <para>Now we should choose an algorithm to be used corresponding to
-      "AH"/"new AH"/"ESP"/"new ESP".  Please refer to the &man.setkey.8; man
+        "AH"/"new AH"/"ESP"/"new ESP".  Please refer to the &man.setkey.8; man
-      page to know algorithm names.  Our choice is MD5 for AH, new-HMAC-SHA1
+        page to know algorithm names.  Our choice is MD5 for AH, new-HMAC-SHA1
-      for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para>
+        for new AH, and new-DES-expIV with 8 byte IV for new ESP.</para>
      <para>Key length highly depends on each algorithm.  For example, key
-      length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
+        length must be equal to 16 bytes for MD5, 20 for new-HMAC-SHA1,
-      and 8 for new-DES-expIV.  Now we choose "MYSECRETMYSECRET",
+        and 8 for new-DES-expIV.  Now we choose "MYSECRETMYSECRET",
-      "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para>
+        "KAMEKAMEKAMEKAMEKAME", "PASSWORD", respectively.</para>
      <para>OK, let us assign SPI (Security Parameter Index) for each protocol.
-      Please note that we need 3 SPIs for this secure channel since three
+        Please note that we need 3 SPIs for this secure channel since three
-      security headers are produced (one for from HOST A to HOST B, two for
+        security headers are produced (one for from HOST A to HOST B, two for
-      from HOST B to HOST A).  Please also note that SPI MUST be greater
+        from HOST B to HOST A).  Please also note that SPI MUST be greater
-      than or equal to 256.  We choose, 1000, 2000, and 3000, respectively.
+        than or equal to 256.  We choose, 1000, 2000, and 3000, respectively.
      </para>
      <screen>
@ -2787,7 +2786,7 @@ options          IPSEC_ESP          #IP security (crypto; define w/IPSEC)</progr
 </screen>
      <para>Now, let us setup security association.  Execute &man.setkey.8;
-      on both HOST A and B:</para>
+        on both HOST A and B:</para>
      <screen>
 &prompt.root; <command>setkey -c</command>
@ -2798,7 +2797,7 @@ add 10.6.7.8 10.2.3.4 esp 3000 -m transport -E des-cbc "PASSWORD" ;
 </screen>
     <para>Actually, IPsec communication does not process until security policy
-     entries are defined.  In this case, you must setup each host.</para>
+       entries are defined.  In this case, you must setup each host.</para>
     <screen>
 At A:
@ -2834,7 +2833,7 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
      <para>Another example using IPv6.</para>
      <para>ESP transport mode is recommended for TCP port number 110 between
-      Host-A and Host-B.</para>
+        Host-A and Host-B.</para>
      <screen>
              ============ ESP ============
@ -2844,8 +2843,8 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
 </screen>
      <para>Encryption algorithm is blowfish-cbc whose key is "kamekame", and
-      authentication algorithm is hmac-sha1 whose key is "this is the test
+        authentication algorithm is hmac-sha1 whose key is "this is the test
-      key".  Configuration at Host-A:</para>
+        key".  Configuration at Host-A:</para>
      <screen>
        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
@ -2889,8 +2888,8 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
      <para>Tunnel mode between two security gateways</para>
      <para>Security protocol is old AH tunnel mode, i.e. specified by
-      RFC1826, with keyed-md5 whose key is "this is the test" as
+        RFC1826, with keyed-md5 whose key is "this is the test" as
-      authentication algorithm.</para>
+        authentication algorithm.</para>
      <screen>
                             ======= AH =======
@ -2916,9 +2915,9 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
 </screen>
      <para>If the port number field is omitted such as above then "[any]" is
-      employed. `-m' specifies the mode of SA to be used. "-m any" means
+        employed. `-m' specifies the mode of SA to be used. "-m any" means
-      wild-card of mode of security protocol. You can use this SA for both
+        wild-card of mode of security protocol. You can use this SA for both
-      tunnel and transport mode.</para>
+        tunnel and transport mode.</para>
      <para>and at Gateway-B:</para>
@ -2939,8 +2938,8 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
      <para>Making SA bundle between two security gateways</para>
      <para>AH transport mode and ESP tunnel mode is required between
-      Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first,
+        Gateway-A and Gateway-B. In this case, ESP tunnel mode is applied first,
-      and AH transport mode is next.</para>
+        and AH transport mode is next.</para>
      <screen>
                            ========== AH =========
@ -2955,8 +2954,8 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
      <title>Tunnel Mode Example with IPv6</title>
      <para>Encryption algorithm is 3des-cbc, and authentication algorithm
-      for ESP is hmac-sha1.  Authentication algorithm for AH is hmac-md5.
+        for ESP is hmac-sha1.  Authentication algorithm for AH is hmac-md5.
-      Configuration at Gateway-A:</para>
+        Configuration at Gateway-A:</para>
      <screen>
        &prompt.root; <command>setkey -c</command> &lt;&lt;<filename>EOF</filename>
@ -2983,10 +2982,10 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
      <para>Making SAs with the different end</para>
      <para>ESP tunnel mode is required between Host-A and Gateway-A. Encryption
-      algorithm is cast128-cbc, and authentication algorithm for ESP is
+        algorithm is cast128-cbc, and authentication algorithm for ESP is
-      hmac-sha1.  ESP transport mode is recommended between Host-A and Host-B.
+        hmac-sha1.  ESP transport mode is recommended between Host-A and Host-B.
-      Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is
+        Encryption algorithm is rc5-cbc, and authentication algorithm for ESP is
-      hmac-md5.</para>
+        hmac-md5.</para>
      <screen>
              ================== ESP =================
@ -3045,7 +3044,7 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
      <secondary>OpenSSH</secondary>
    </indexterm>
-      <para>Secure shell is a set of network connectivity tools used to
+    <para>Secure shell is a set of network connectivity tools used to
      access remote machines securely.  It can be used as a direct
      replacement for <command>rlogin</command>,
      <command>rsh</command>, <command>rcp</command>, and
@ -3094,8 +3093,7 @@ spdadd 10.6.7.8 10.2.3.4 any -P out ipsec
      </indexterm>
      <para>The &man.ssh.1; utility works similarly to 
-        &man.rlogin.1;.
+        &man.rlogin.1;.</para>
      </para>
      <screen>&prompt.root <userinput>ssh <replaceable>user@example.com</replaceable></userinput>
 Host key not found from the list of known hosts.
@ -3113,8 +3111,8 @@ user@example.com's password: <userinput>*******</userinput></screen>
        will alert you if the saved fingerprint differs from the
        received fingerprint on future login attempts.  The fingerprints
        are saved in <filename>~/.ssh/known_hosts</filename>, or
-	<filename>~/.ssh/known_hosts2</filename> for SSH v2 fingerprints.
+	<filename>~/.ssh/known_hosts2</filename> for SSH v2
-      </para>
+	fingerprints.</para>
      <para>By default, OpenSSH servers are configured to accept both
 	SSH v1 and SSH v2 connections.  The client, however, can choose
@ -3166,12 +3164,11 @@ COPYRIGHT            100% |*****************************|  4735
      <para>The system-wide configuration files for both the OpenSSH 
        daemon and client reside within the <filename>/etc/ssh</filename> 
-        directory.
+        directory.</para>
-      </para>
+
      <para><filename>ssh_config</filename> configures the client 
        settings, while <filename>sshd_config</filename> configures the 
-        daemon.
+        daemon.</para>
      </para>
      <para>Additionally, the <option>sshd_program</option>
 	(<filename>/usr/sbin/sshd</filename> by default), and
@ -3183,8 +3180,7 @@ COPYRIGHT            100% |*****************************|  4735
      <title>ssh-keygen</title>
      <para>Instead of using passwords, &man.ssh-keygen.1; can
-        be used to generate RSA keys to authenticate a user.
+        be used to generate RSA keys to authenticate a user.</para>
      </para>
      <screen>&prompt.user <userinput>ssh-keygen</userinput>
 Initializing random number generator...
@ -3203,8 +3199,7 @@ Your identification has been saved in /home/user/.ssh/identity.
        <filename>~/.ssh/identity</filename>, whereas the public key is
        stored in <filename>~/.ssh/identity.pub</filename>.  The public
        key must be placed in <filename>~/.ssh/authorized_keys</filename>
-        of the remote machine in order for the setup to work.
+        of the remote machine in order for the setup to work.</para>
      </para>
      <para>This will allow connection to the remote machine based upon
        RSA authentication instead of passwords.</para>
@ -3226,8 +3221,7 @@ Your identification has been saved in /home/user/.ssh/identity.
 	machine.</para>
      <para>&man.ssh-agent.1; and &man.ssh-add.1; are 
-        utilities used in managing multiple passworded private keys.
+        utilities used in managing multiple passworded private keys.</para>
      </para>
    </sect2>
    <sect2>
@ -3239,7 +3233,8 @@ Your identification has been saved in /home/user/.ssh/identity.
      <para>OpenSSH has the ability to create a tunnel to encapsulate
        another protocol in an encrypted session.</para>
-       <para>The following command tells &man.ssh.1; to create a tunnel 
+
      <para>The following command tells &man.ssh.1; to create a tunnel 
         for telnet.</para>
       <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput>
@ -3298,21 +3293,19 @@ Your identification has been saved in /home/user/.ssh/identity.
      </variablelist>
-       <para>An SSH tunnel works by creating a listen socket on localhost
+      <para>An SSH tunnel works by creating a listen socket on localhost
 	on the specified port.  It then forwards any connection received
 	on the local host/port via the SSH connection to the specified
 	remote host and port.</para>
-       <para>In the example, port <replaceable>5023</replaceable> on
+      <para>In the example, port <replaceable>5023</replaceable> on
 	localhost is being forwarded to port
 	<replaceable>23</replaceable> on localhost of the remote
 	machine.  Since <replaceable>23</replaceable> is telnet, this
-	would create a secure telnet session through an SSH tunnel.
+	would create a secure telnet session through an SSH tunnel.</para>
       </para>
       <para>This can be used to wrap any number of insecure TCP protocols 
-         such as smtp, pop3, ftp, etc.
+         such as smtp, pop3, ftp, etc.</para>
       </para>
       <para>A typical SSH Tunnel</para>
       <screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user@mailserver.example.com</replaceable></userinput>
@ -3326,8 +3319,7 @@ Escape character is '^]'.
       <para>This can be used in conjunction with an &man.ssh-keygen.1; 
         and additional user accounts to create a more seamless/hassle-free
         SSH tunneling environment.  Keys can be used in place of typing
-         a password, and the tunnels can be run as a separate user.
+         a password, and the tunnels can be run as a separate user.</para>
      </para>
      <sect3>
 	<title>Practical SSH Tunneling Examples</title>
@ -3378,7 +3370,7 @@ user@unfirewalled.myserver.com's password: *******</screen>
 	    <hostid>localhost</hostid> port 8888, which will be
 	    forwarded over to <hostid>music.example.com</hostid> port
 	    8000, successfully evading the firewall.</para>
-      </sect4>
+        </sect4>
      </sect3>
    </sect2>