Overhaul the documentation relating to crypto and related topics. Some of
this stuff had been out of date for 3 or 4 years or more.

Reviewed by:	alex
Kris Kennaway 2000-09-24 07:01:53 +00:00
parent 9ca8d7cd86
commit b256c3a748
Notes: svn2git 2020-12-08 03:00:23 +00:00
svn path=/head/; revision=8010
10 changed files with 118 additions and 476 deletions
en_US.ISO8859-1
articles/committers-guide
books
faq
handbook
introduction
security
porters-handbook
en_US.ISO_8859-1
articles/committers-guide
books
faq
handbook
introduction
security
porters-handbook

View file

@ -16,7 +16,7 @@
</author>
</authorgroup>
<pubdate>$FreeBSD: doc/en_US.ISO_8859-1/articles/committers-guide/article.sgml,v 1.35 2000/08/16 17:41:40 dannyboy Exp $</pubdate>
<pubdate>$FreeBSD: doc/en_US.ISO_8859-1/articles/committers-guide/article.sgml,v 1.36 2000/08/23 20:36:53 ben Exp $</pubdate>
<copyright>
<year>1999</year>
@ -43,13 +43,6 @@
<entry><hostid>freefall.FreeBSD.org</hostid></entry>
</row>
<row>
<entry>
<emphasis>International Crypto Repository Host</emphasis>
</entry>
<entry><hostid>internat.FreeBSD.org</hostid></entry>
</row>
<row>
<entry><emphasis>Login Methods</emphasis></entry>
<entry>&man.ssh.1;</entry>
@ -60,24 +53,12 @@
<entry>/home/ncvs</entry>
</row>
<row>
<entry><emphasis>International Crypto CVSROOT</emphasis></entry>
<entry>/home/cvs.crypt</entry>
</row>
<row>
<entry><emphasis>Main CVS Repository Meisters</emphasis></entry>
<entry>&a.jdp; and &a.peter; as well as &a.asami; for
<filename>ports/</filename></entry>
</row>
<row>
<entry>
<emphasis>International Crypto CVS Repository Meister</emphasis>
</entry>
<entry>&a.markm;</entry>
</row>
<row>
<entry><emphasis>Mailing List</emphasis></entry>
<entry><email>cvs-committers@FreeBSD.org</email></entry>
@ -120,8 +101,7 @@
one of them instead. The only ones allowed to directly fiddle
the repository bits are the repomeisters. Satoshi Asami is also a
repomeister for the <filename>ports/</filename> portion of the
tree. Mark Murray is the repomeister for the International
Crypto Repository in South Africa.</para>
tree.</para>
<para>CVS operations are usually done by logging into
<hostid>freefall</hostid>, making sure the
@ -531,11 +511,11 @@
</itemizedlist>
<para>You'll almost certainly get a conflict because
of the <literal>$Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $</literal> (or in FreeBSD's case,
of the <literal>$Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $</literal> (or in FreeBSD's case,
<literal>$FreeBSD<!-- stop expansion -->$</literal>) lines, so you'll have to edit
the file to resolve the conflict (remove the marker lines and
the second <literal>$Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $</literal> line, leaving the original
<literal>$Id: article.sgml,v 1.36 2000-08-23 20:36:53 ben Exp $</literal> line intact).</para>
the second <literal>$Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $</literal> line, leaving the original
<literal>$Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $</literal> line intact).</para>
</listitem>
<listitem>
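Review bot: the three `$Id$` expansions in this paragraph (the lines reading `<literal>$Id: article.sgml,v 1.37 2000-09-24 07:01:47 kris Exp $</literal>`) are re-expanded by CVS on every commit, which is why this hunk is pure keyword churn with no wording change. The paragraph already protects the FreeBSD keyword with `<literal>$FreeBSD<!-- stop expansion -->$</literal>`; apply the same `<!-- stop expansion -->` trick to the `$Id$` occurrences so the example shows a bare keyword, as intended, and stops diffing.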
@ -1082,18 +1062,6 @@ docs:Documentation Bug:nik:</programlisting>
</listitem>
</varlistentry>
<varlistentry>
<term>&a.markm;</term>
<listitem>
<para>Mark is the CVS repository meister for the
international crypto repository kept on
<hostid>internat.FreeBSD.org</hostid> in South Africa.</para>
<para>Mark also oversees most of the crypto code; if you have
any crypto updates, please ask Mark first.</para>
</listitem>
</varlistentry>
<varlistentry>
<term>&a.steve;</term>
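Review bot: dropping the whole `&a.markm;` entry removes more than the defunct repository-meister role; its second paragraph ("Mark also oversees most of the crypto code; if you have any crypto updates, please ask Mark first") was the only sentence telling committers who reviews crypto changes. If that review expectation still stands, keep the entry with only the first paragraph removed; if it no longer applies, say so in the commit message so the change in policy is recorded.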

View file

@ -15,7 +15,7 @@
</author>
</authorgroup>
<pubdate>$FreeBSD: doc/en_US.ISO_8859-1/books/faq/book.sgml,v 1.94 2000/09/22 18:40:00 marko Exp $</pubdate>
<pubdate>$FreeBSD: doc/en_US.ISO_8859-1/books/faq/book.sgml,v 1.95 2000/09/22 23:41:25 ben Exp $</pubdate>
<abstract>
<para>This is the FAQ for FreeBSD versions 2.X, 3.X, and 4.X. All entries
@ -1844,81 +1844,30 @@ systems.</para>
</answer></qandaentry>
<qandaentry><question>
<para>I live outside the US. Can I use DES encryption?</para></question><answer>
<qandaentry>
<question>
<para>Should I use DES passwords, or MD5, and how do I specify
which form my users receive?</para>
</question>
<para>If it is not absolutely imperative that you use DES style
encryption, you can use FreeBSD's default encryption for even
<emphasis>better</emphasis> security, and with no export restrictions. FreeBSD
2.0's password default scrambler is now <emphasis>MD5</emphasis>-based, and is
more CPU-intensive to crack with an automated password cracker
than DES, and allows longer passwords as well. The only reason
for not using the <emphasis>MD5</emphasis>-based crypt today would be to use the
the same password entries on FreeBSD and non-FreeBSD systems.</para>
<para>Since the DES encryption algorithm cannot legally be exported
from the US, non-US users should not download this software (as
part of the <literal>secrdist</literal> from US FTP sites.</para>
<para>There is however a replacement libcrypt available, based on
sources written in Australia by David Burren. This code is now
available on some non-US FreeBSD mirror sites. Sources for the
unencumbered libcrypt, and binaries of the programs which use it,
can be obtained from the following FTP sites:</para>
<segmentedlist>
<seglistitem><seg>South Africa</seg>
<seg>
<ulink URL="ftp://ftp.internat.FreeBSD.org/pub/FreeBSD/">ftp://ftp.internat.FreeBSD.org/pub/FreeBSD/</ulink>,
<ulink URL="ftp://storm.sea.uct.ac.za/pub/FreeBSD/">ftp://storm.sea.uct.ac.za/pub/FreeBSD/</ulink>
</seg>
</seglistitem>
<seglistitem><seg>Brazil</seg>
<seg><ulink URL="ftp://ftp.iqm.unicamp.br/pub/FreeBSD/">ftp://ftp.iqm.unicamp.br/pub/FreeBSD/</ulink></seg>
</seglistitem>
<seglistitem><seg>Finland</seg>
<seg>
<ulink URL="ftp://nic.funet.fi/pub/unix/FreeBSD/eurocrypt/">ftp://nic.funet.fi/pub/unix/FreeBSD/eurocrypt/</ulink>
</seg>
</seglistitem>
</segmentedlist>
<para>The non-US <emphasis>securedist</emphasis> can be used as a direct replacement
for the encumbered US <emphasis>securedist</emphasis>. This <emphasis>securedist</emphasis>
package is installed the same way as the US package (see
installation notes for details). If you are going to install DES
encryption, you should do so as soon as possible, before
installing other software.</para>
<para>Non-US users should please not download any encryption software
from the USA. This can get the maintainers of the sites from
which the software is downloaded into severe legal difficulties.</para>
<para>A non-US distribution of Kerberos is also being developed, and
current versions can generally be obtained by anonymous FTP from
<hostid role="fqdn">braae.ru.ac.za</hostid>.</para>
<para>There is also a <link linkend="mailing">mailing list</link> for the
discussion of non-US encryption software. For more information, send
an email message with a single line saying <literal>help</literal> in the body
of your message to <email>majordomo@braae.ru.ac.za</email>.</para>
</answer></qandaentry>
<answer>
<para>The default password format on FreeBSD is to use
<emphasis>MD5</emphasis>-based passwords. These are believed to
be more secure than the traditional UNIX password format, which
used a scheme based on the <emphasis>DES</emphasis> algorithm.
DES passwords are still available if you need to share your
password file with legacy operating systems which still use the
less secure password format (they are available if you choose to
install the <quote>crypto</quote> distribution in sysinstall, or
by installing the crypto sources if building from source). Which
password format to use for new passwords is controlled by the
<quote>passwd_format</quote> login capability in
<filename>/etc/login.conf</filename>, which takes values of either
<quote>des</quote> (if available) or <quote>md5</quote>. See the
login.conf(5) manpage for more information about login
capabilities.</para>
</answer>
</qandaentry>
<qandaentry><question>
<para>The boot floppy starts but hangs at the <literal>Probing Devices...</literal>
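Review bot: the new answer says `passwd_format` controls the format "for new passwords" but stops short of the consequence a reader will ask about next: changing the capability does not rewrite hashes already in the password file, so entries keep their old format until each user sets a new password. One sentence to that effect belongs after the `<quote>des</quote> (if available) or <quote>md5</quote>` line. Also, "These are believed to be more secure" is weaker than the text it replaces, which gave concrete reasons (more CPU per guess for an automated cracker, longer passwords allowed); carrying those two points over keeps the answer informative rather than just asserting.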

View file

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO_8859-1/books/handbook/introduction/chapter.sgml,v 1.30 2000/07/12 14:39:18 nbm Exp $
$FreeBSD: doc/en_US.ISO_8859-1/books/handbook/introduction/chapter.sgml,v 1.31 2000/08/26 17:44:28 marko Exp $
-->
<chapter id="introduction">
@ -688,23 +688,6 @@
<para>You can also view the master (and most frequently updated)
copies at <ulink
url="http://www.FreeBSD.org/">http://www.FreeBSD.org/</ulink>.</para>
<para>The core of FreeBSD does not contain DES code which would
inhibit its being exported outside the United States. There is an
add-on package to the core distribution, for use only in the United
States, which contains the programs that normally use DES. The
auxiliary packages provided separately can be used by anyone. A
freely (from outside the U.S.) exportable European distribution of
DES for our non-U.S. users also exists and is described in the
<ulink url="../faq/index.html">FreeBSD FAQ</ulink>.</para>
<para>If password security for FreeBSD is all you need, and you have
no requirement for copying encrypted passwords from different hosts
(Suns, DEC machines, etc) into FreeBSD password entries, then
FreeBSD's MD5 based security may be all you require! We feel that
our default security model is more than a match for DES, and avoids
dealing with any messy export issues. If you are outside (or even
inside) the U.S., give it a try!</para>
</sect2>
</sect1>
</chapter>
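Review bot: with both paragraphs removed, the introduction chapter no longer mentions password hashing at all, and the deleted pointer to the FAQ was the only place a first-time reader learned that the MD5-based format is the default and DES is optional. Rather than dropping the topic outright, replace the two paragraphs with a one-sentence cross-reference to the security chapter's DES/MD5 section (which this same commit updates), so the export-control history goes but the pointer stays.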

View file

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.35 2000/07/20 13:45:19 alex Exp $
$FreeBSD: doc/en_US.ISO_8859-1/books/handbook/security/chapter.sgml,v 1.36 2000/08/14 17:48:24 ben Exp $
-->
<chapter id="security">
@ -763,7 +763,7 @@
<para>Unfortunately the only secure way to encrypt passwords when
UNIX came into being was based on DES, the Data Encryption
Standard. This is not such a problem for users that live in
the US, but since the source code for DES cannot be exported
the US, but since the source code for DES could not be exported
outside the US, FreeBSD had to find a way to both comply with
US law and retain compatibility with all the other UNIX
variants that still use DES.</para>
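Review bot: the tense fix ("could not be exported") is right, but the sentence still describes crypt(3) as "the only secure way to encrypt passwords". Password storage here is a one-way hash, and the surrounding text (`libdescrypt` vs `libscrypt`, the `passwd_format` values `des` and `md5`) compares hash formats, not ciphers. Changing "encrypt" to "hash" in this first sentence keeps the chapter's terminology consistent and avoids suggesting the stored passwords can be decrypted.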
@ -813,6 +813,16 @@ lrwxr-xr-x 1 root wheel 15 Mar 19 06:56 libcrypt_p.a -&gt; libdescrypt_p.a</s
<para>On a system using the MD5-based libraries, the same links will
be present, but the target will be <filename>libscrypt</filename>
rather than <filename>libdescrypt</filename>.</para>
<para>If you have installed the DES-capable crypt library
<filename>libdescrypt</filename> (e.g. by installing the
"crypto" distribution), then which password format will be used
for new passwords is controlled by the
<quote>passwd_format</quote> login capability in
<filename>/etc/login.conf</filename>, which takes values of
either <quote>des</quote> or <quote>md5</quote>. See the
login.conf(5) manpage for more information about login
capabilities.</para>
</sect2>
</sect1>
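Review bot: the new paragraph writes "crypto" with literal double quotes while the same sentence uses `<quote>passwd_format</quote>`; use `<quote>crypto</quote>` for consistency with the rest of the chapter. The FAQ answer added in this commit qualifies the values as `<quote>des</quote> (if available) or <quote>md5</quote>`, whereas this version drops "(if available)" even though its own opening condition ("If you have installed the DES-capable crypt library") makes the qualifier just as relevant; keep the two texts in step. Finally, `login.conf(5)` is plain text here while the diff elsewhere uses the entity form (cf. `&man.ssh.1;`); the manpage reference should use the same convention.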
@ -1127,15 +1137,9 @@ permit port ttyd0</programlisting>
<para>In FreeBSD, the Kerberos is not that from the original 4.4BSD-Lite,
distribution, but eBones, which had been previously ported to FreeBSD
1.1.5.1, and was sourced from outside the USA/Canada, and is thus
available to system owners outside those countries.</para>
<para>For those needing to get a legal foreign distribution of this
software, please <emphasis>do not</emphasis> get it from a USA or Canada
site. You will get that site in <emphasis>big</emphasis> trouble! A
legal copy of this is available from <hostid
role="fqdn">ftp.internat.FreeBSD.org</hostid>, which is in South
Africa and an official FreeBSD mirror site.</para>
1.1.5.1, and was sourced from outside the USA/Canada, and was thus
available to system owners outside those countries during the era
of restrictive export controls on cryptographic code from the USA.</para>
<sect2>
<title>Creating the initial database</title>
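Review bot: the retained first line still reads "the Kerberos is not that from the original 4.4BSD-Lite, distribution", with a stray comma splitting "4.4BSD-Lite distribution"; since the sentence is being reworded anyway, drop the comma and smooth "the Kerberos is not that from" to "the Kerberos shipped is not the one from". The new ending ("was thus available ... during the era of restrictive export controls on cryptographic code from the USA") reads well and correctly moves the statement into the past tense.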
@ -2309,13 +2313,16 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
Secure Sockets Layer v2/v3 (SSLv2/SSLv3) and Transport Layer
Security v1 (TLSv1) network security protocols.</para>
<para>However, some of the algorithms (specifically, RSA and IDEA)
included in OpenSSL are protected by patents in the USA and
elsewhere, and are not available for unrestricted use (in
particular, IDEA is not available at all in FreeBSD's version of
OpenSSL). As a result, FreeBSD has available two different
versions of the OpenSSL RSA libraries depending on geographical
location (USA/non-USA).</para>
<para>However, one of the algorithms (specifically IDEA)
included in OpenSSL is protected by patents in the USA and
elsewhere, and is not available for unrestricted use.
IDEA is included in the OpenSSL sources in FreeBSD, but it is not
built by default. If you wish to use it, and you comply with the
license terms, enable the MAKE_IDEA switch in /etc/make.conf and
rebuild your sources using 'make world'.</para>
<para>Today, the RSA algorithm is free for use in USA and other
countries. In the past it was protected by a patent.</para>
<sect2>
<title>Source Code Installations</title>
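Review bot: "enable the MAKE_IDEA switch in /etc/make.conf and rebuild your sources using 'make world'" uses plain text and ASCII quotes where the handbook marks these up; write `<makevar>MAKE_IDEA</makevar>`, `<filename>/etc/make.conf</filename>` and `<command>make world</command>`. "Comply with the license terms" for a patented algorithm should say whose terms (the patent holder's), since there is no separate software licence involved. The new paragraph "Today, the RSA algorithm is free for use in USA and other countries. In the past it was protected by a patent." would be more useful with the expiry date the deleted section carried (September 20, 2000, four days before this commit), so readers can tell why older copies of this chapter disagree with it.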
@ -2326,92 +2333,6 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
information about obtaining and updating FreeBSD source
code.</para>
</sect2>
<sect2>
<title>International (Non-USA) Users</title>
<para>People who are located outside the USA, and who obtain their
crypto sources from <hostid
role="fqdn">internat.FreeBSD.org</hostid> (the International
Crypto Repository) or an international mirror site, will build a
version of OpenSSL which includes the <quote>native</quote> OpenSSL
implementation of
RSA, but does not include IDEA, because the latter is restricted
in certain locations elsewhere in the world. In the future a more
flexible geographical identification system may allow building of
IDEA in countries for which it is not restricted.</para>
<para>Please be aware of any local restrictions on the import, use
and redistribution of cryptography which may exist in your
country.</para>
</sect2>
<sect2>
<title>USA Users</title>
<para>As noted above, RSA is patented in the USA, with terms
preventing general use without an appropriate license. Therefore
the standard OpenSSL RSA code may not be used in the USA, and has been
removed from the version of OpenSSL carried on USA mirror sites.
The RSA patent is due to expire on September 20, 2000, at which
time it is intended to add the <quote>full</quote> RSA code back to
the USA version of OpenSSL.</para>
<para>However (and fortunately), the RSA patent holder (<ulink
url="http://www.rsasecurity.com/">RSA Security</ulink>, has
provided a <quote>RSA reference implementation</quote> toolkit
(RSAREF) which is available for <emphasis>certain classes of
use</emphasis>, including <emphasis>non-commercial use</emphasis>
(see the RSAREF license for their definition of
non-commercial).</para>
<para>If you meet the conditions of the RSAREF license and wish to
use it in conjunction with OpenSSL to provide RSA support, you can
install the rsaref port, which is located in
<filename>/usr/ports/security/rsaref</filename>, or the
<literal>rsaref-2.0</literal> package. The OpenSSL library will
then automatically detect and use the RSAREF libraries. Please obtain
legal advice if you are unsure of your compliance with the license
terms.</para>
<para> The RSAREF implementation is inferior to the
<quote>native</quote> OpenSSL implementation (it is much slower,
and cannot be used with keys larger than 1024 bits). If you are not
located in the USA then you are doing yourself a disadvantage by
using RSAREF.</para>
<para>Users who have purchased an appropriate RSA source code
license from RSA Security may use the International version of
OpenSSL described above to obtain native RSA support.</para>
<para>IDEA code is also removed from the USA version of OpenSSL for
patent reasons.</para>
</sect2>
<sect2>
<title>Binary Installations</title>
<para>If your FreeBSD installation was a binary installation (e.g.,
installed from the Walnut Creek CDROM, or from a snapshot
downloaded from
<hostid role="fqdn">ftp.FreeBSD.org</hostid>) and you selected to
install the <literal>crypto</literal> collection, then the
<literal>sysinstall</literal> utility will automatically select
the correct version to install during the installation
process. If the international version was selected but could
not be installed during sysinstall (e.g. you have not
configured network access, and the version must be downloaded
from a FTP site) then you can add the international RSA library
after installation as a package.</para>
<para>The <literal>librsaintl</literal> package contains the RSA
code for International (non-USA) users. This is not legal for
use in the USA, but international users should use this version
because the RSA implementation is faster and more flexible. It
is available from <hostid
role="fqdn">ftp.internat.FreeBSD.org</hostid> and does not
require RSAREF.</para>
</sect2>
</sect1>
<sect1 id="ipsec">
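Review bot: along with the geography-specific RSA/RSAREF text, this hunk also drops "Please be aware of any local restrictions on the import, use and redistribution of cryptography which may exist in your country", which is independent of the US export change and still applies; keep it, for example as the closing sentence of the IDEA paragraph. The removed "Binary Installations" sect2 was also the only place that told binary installers the `crypto` collection is selectable in `sysinstall`, which the FAQ answer in this same commit still relies on ("if you choose to install the crypto distribution in sysinstall"); a trimmed version of that paragraph without the USA/International split and the `librsaintl` package is worth retaining.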

View file

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO_8859-1/books/porters-handbook/book.sgml,v 1.127 2000/09/22 07:06:02 sobomax Exp $
$FreeBSD: doc/en_US.ISO_8859-1/books/porters-handbook/book.sgml,v 1.128 2000/09/22 08:26:05 asami Exp $
-->
<!DOCTYPE BOOK PUBLIC "-//FreeBSD//DTD DocBook V3.1-Based Extension//EN" [
@ -2003,8 +2003,8 @@ PLIST_SUB= OCTAVE_VERSION=${OCTAVE_VERSION}</programlisting>
<title>Licensing Problems</title>
<para>Some software packages have restrictive licenses or can be in
violation of the law (PKP's patent on public key crypto, ITAR (export
of crypto software) to name just two of them). What we can do with
violation of the law in some countries (such as violating a patent).
What we can do with
them varies a lot, depending on the exact wordings of the respective
licenses.</para>
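Review bot: "can be in violation of the law in some countries (such as violating a patent)" repeats violation/violating; "in some countries (for example by infringing a patent)" reads better. "What we can do with" is also left alone on its line mid-sentence; refill the paragraph so it joins the following line.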
@ -2039,7 +2039,7 @@ PLIST_SUB= OCTAVE_VERSION=${OCTAVE_VERSION}</programlisting>
<listitem>
<para>If the port has legal restrictions on who can use it (e.g.,
crypto stuff) or has a &ldquo;no commercial use&rdquo; license,
patented stuff) or has a &ldquo;no commercial use&rdquo; license,
set the variable <makevar>RESTRICTED</makevar> to be the string
describing the reason why. For such ports, the distfiles/packages
will not be available even from our ftp sites.</para>

downloaded from
<hostid role="fqdn">ftp.FreeBSD.org</hostid>) and you selected to
install the <literal>crypto</literal> collection, then the
<literal>sysinstall</literal> utility will automatically select
the correct version to install during the installation
process. If the international version was selected but could
not be installed during sysinstall (e.g. you have not
configured network access, and the version must be downloaded
from a FTP site) then you can add the international RSA library
after installation as a package.</para>
<para>The <literal>librsaintl</literal> package contains the RSA
code for International (non-USA) users. This is not legal for
use in the USA, but international users should use this version
because the RSA implementation is faster and more flexible. It
is available from <hostid
role="fqdn">ftp.internat.FreeBSD.org</hostid> and does not
require RSAREF.</para>
</sect2>
</sect1>
<sect1 id="ipsec">
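Review bot: removing the whole International/USA/Binary Installations block also removes the paragraph "Please be aware of any local restrictions on the import, use and redistribution of cryptography which may exist in your country.", which is still accurate advice now that the RSA-specific material is gone (the new text above still says IDEA is patented and must be enabled by hand), so carry that sentence into the remaining text rather than deleting it with the section. Also, readers who installed the security/rsaref port or the librsaintl package following the old instructions get no hint here whether those are still needed; a one-line note saying whether the native RSA code is now built by default and whether RSAREF can be removed would save questions on the lists.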

@ -1,7 +1,7 @@
<!--
The FreeBSD Documentation Project
$FreeBSD: doc/en_US.ISO_8859-1/books/porters-handbook/book.sgml,v 1.127 2000/09/22 07:06:02 sobomax Exp $
$FreeBSD: doc/en_US.ISO_8859-1/books/porters-handbook/book.sgml,v 1.128 2000/09/22 08:26:05 asami Exp $
-->
<!DOCTYPE BOOK PUBLIC "-//FreeBSD//DTD DocBook V3.1-Based Extension//EN" [
@ -2003,8 +2003,8 @@ PLIST_SUB= OCTAVE_VERSION=${OCTAVE_VERSION}</programlisting>
<title>Licensing Problems</title>
<para>Some software packages have restrictive licenses or can be in
violation of the law (PKP's patent on public key crypto, ITAR (export
of crypto software) to name just two of them). What we can do with
violation of the law in some countries (such as violating a patent).
What we can do with
them varies a lot, depending on the exact wordings of the respective
licenses.</para>
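Review bot: the replacement wording "can be in violation of the law in some countries (such as violating a patent)" repeats "violation ... violating"; "or may infringe a patent or other law in some countries" says the same thing more cleanly. Note too that the old text gave two examples, patents and export control (ITAR), and the new text keeps only the patent one; if crypto export restrictions are no longer a reason to flag a port, say so in the commit, otherwise keep a generic mention of export restrictions as the second example, since the <makevar>RESTRICTED</makevar> variable described below is the mechanism for those cases as well.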
@ -2039,7 +2039,7 @@ PLIST_SUB= OCTAVE_VERSION=${OCTAVE_VERSION}</programlisting>
<listitem>
<para>If the port has legal restrictions on who can use it (e.g.,
crypto stuff) or has a &ldquo;no commercial use&rdquo; license,
patented stuff) or has a &ldquo;no commercial use&rdquo; license,
set the variable <makevar>RESTRICTED</makevar> to be the string
describing the reason why. For such ports, the distfiles/packages
will not be available even from our ftp sites.</para>
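Review bot: "legal restrictions on who can use it (e.g., patented stuff)" no longer matches its example: a patent restricts where the software may be used or distributed rather than who may use it, so with the crypto example gone the clause should read something like "legal restrictions on who can use it or where it can be used or distributed (e.g., patented algorithms)". "stuff" was informal in the old text too and is worth replacing while the line is being touched.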