White space fix only. Translators can ignore.

Sponsored by: iXsystems
svn path=/head/; revision=44404
2014-03-31 21:09:35 +00:00 · 2014-03-31 21:09:35 +00:00 · bb698042d3 · 2020-12-08 03:00:23 +00:00
commit bb698042d3
parent bf62664294
1 changed files with 307 additions and 312 deletions
--- a/en_US.ISO8859-1/books/handbook/security/chapter.xml
+++ b/en_US.ISO8859-1/books/handbook/security/chapter.xml
@ -2515,11 +2515,11 @@ racoon_enable="yes"</programlisting>
      protocols.</para>
    <para>When data is sent over the network in an unencrypted form,
-	network sniffers anywhere in between the client and server
+      network sniffers anywhere in between the client and server can
-	can steal user/password information or data transferred
+      steal user/password information or data transferred during the
-	during the session.  <application>OpenSSH</application> offers
+      session.  <application>OpenSSH</application> offers a variety of
-	a variety of authentication and encryption methods to prevent
+      authentication and encryption methods to prevent this from
-	this from happening.</para>
+      happening.</para>
    <sect2>
      <title>Using the SSH Client Utilities</title>
@ -2590,9 +2590,9 @@ COPYRIGHT            100% |*****************************|  4735
      <sect3 xml:id="security-ssh-keygen">
 	<title>Key-based Authentication</title>
-      <para>Instead of using passwords, &man.ssh-keygen.1; can be used
+	<para>Instead of using passwords, &man.ssh-keygen.1; can be
-	to generate <acronym>DSA</acronym> or <acronym>RSA</acronym>
+	  used to generate <acronym>DSA</acronym> or
-	keys to authenticate a user:</para>
+	  <acronym>RSA</acronym> keys to authenticate a user:</para>
 	<screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
 Generating public/private dsa key pair.
@ -2613,20 +2613,21 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com</screen>
 	  <filename>~/.ssh/id_rsa.pub</filename>, respectively for the
 	  <acronym>DSA</acronym> and <acronym>RSA</acronym> key types.
 	  The public key must be placed in
-	<filename>~/.ssh/authorized_keys</filename> on the
+	  <filename>~/.ssh/authorized_keys</filename> on the remote
-	remote machine for both <acronym>RSA</acronym> or
+	  machine for both <acronym>RSA</acronym> or
 	  <acronym>DSA</acronym> keys in order for the setup to
 	  work.</para>
-      <para>This setup allows connections to the remote machine based
+	<para>This setup allows connections to the remote machine
-	upon <acronym>SSH</acronym> keys instead of passwords.</para>
+	  based upon <acronym>SSH</acronym> keys instead of
 	  passwords.</para>
 	<warning>
 	  <para>Many users believe that keys are secure by design and
 	    will use a key without a passphrase.  This is
-	  <emphasis>dangerous</emphasis> behavior and the method
+	    <emphasis>dangerous</emphasis> behavior and the method an
-	  an administrator may use to verify keys have a passphrase
+	    administrator may use to verify keys have a passphrase is
-	  is to view the key manually.  If the private key file
+	    to view the key manually.  If the private key file
 	    contains the word <literal>ENCRYPTED</literal> the key
 	    owner is using a passphrase.  While it may still be a weak
 	    passphrase, at least if the system is compromised, access
@ -2641,25 +2642,26 @@ bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com</screen>
 	</warning>
 	<warning>
-	<para>The various options and files can be different according
+	  <para>The various options and files can be different
-	  to the <application>OpenSSH</application> version.  To avoid
+	    according to the <application>OpenSSH</application>
-	  problems, consult &man.ssh-keygen.1;.</para>
+	    version.  To avoid problems, consult
 	    &man.ssh-keygen.1;.</para>
 	</warning>
 	<para>If a passphrase is used in &man.ssh-keygen.1;, the user
-	will be prompted for the passphrase each time in order to use
+	  will be prompted for the passphrase each time in order to
-	the private key.  To load <acronym>SSH</acronym> keys into memory for use,
+	  use the private key.  To load <acronym>SSH</acronym> keys
-	without needing to type the passphrase each time, use
+	  into memory for use, without needing to type the passphrase
-	&man.ssh-agent.1; and &man.ssh-add.1;.</para>
+	  each time, use &man.ssh-agent.1; and &man.ssh-add.1;.</para>
-      <para>Authentication is handled by &man.ssh-agent.1;, using the
+	<para>Authentication is handled by &man.ssh-agent.1;, using
-	private key(s) that are loaded into it.  Then,
+	  the private key(s) that are loaded into it.  Then,
 	  &man.ssh-agent.1; should be used to launch another
-	application.  At the most basic level, it could spawn a shell
+	  application.  At the most basic level, it could spawn a
-	or a window manager.</para>
+	  shell or a window manager.</para>
-      <para>To use &man.ssh-agent.1; in a shell, start it with a shell
+	<para>To use &man.ssh-agent.1; in a shell, start it with a
-	as an argument.  Next, add the identity by running
+	  shell as an argument.  Next, add the identity by running
 	  &man.ssh-add.1; and providing it the passphrase for the
 	  private key.  Once these steps have been completed, the user
 	  will be able to &man.ssh.1; to any host that has the
@ -2672,12 +2674,12 @@ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
 &prompt.user;</screen>
 	<para>To use &man.ssh-agent.1; in
-	<application>&xorg;</application>, a call to &man.ssh-agent.1;
+	  <application>&xorg;</application>, a call to
-	needs to be placed in <filename>~/.xinitrc</filename>.  This
+	  &man.ssh-agent.1; needs to be placed in
-	provides the &man.ssh-agent.1; services to all programs
+	  <filename>~/.xinitrc</filename>.  This provides the
-	launched in <application>&xorg;</application>.  An example
+	  &man.ssh-agent.1; services to all programs launched in
-	<filename>~/.xinitrc</filename> might look like
+	  <application>&xorg;</application>.  An example
-	this:</para>
+	  <filename>~/.xinitrc</filename> might look like this:</para>
 	<programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
@ -2732,7 +2734,8 @@ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
 	    <term><option>-f</option></term>
 	    <listitem>
-	    <para>Forces &man.ssh.1; to run in the background.</para>
+	      <para>Forces &man.ssh.1; to run in the
 		background.</para>
 	    </listitem>
 	  </varlistentry>
@ -2758,17 +2761,17 @@ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
 	<para>An <acronym>SSH</acronym> tunnel works by creating a
 	  listen socket on <systemitem>localhost</systemitem> on the
-	specified port.  It then forwards any connections received on
+	  specified port.  It then forwards any connections received
-	the local host/port via the <acronym>SSH</acronym> connection
+	  on the local host/port via the <acronym>SSH</acronym>
-	to the specified remote host and port.</para>
+	  connection to the specified remote host and port.</para>
 	<para>In the example, port <replaceable>5023</replaceable> on
 	  <systemitem>localhost</systemitem> is forwarded to port
 	  <replaceable>23</replaceable> on
 	  <systemitem>localhost</systemitem> of the remote machine.
-	Since <replaceable>23</replaceable> is used by &man.telnet.1;,
+	  Since <replaceable>23</replaceable> is used by
-	this creates an encrypted &man.telnet.1; session through an
+	  &man.telnet.1;, this creates an encrypted &man.telnet.1;
-	<acronym>SSH</acronym> tunnel.</para>
+	  session through an <acronym>SSH</acronym> tunnel.</para>
 	<para>This can be used to wrap any number of insecure TCP
 	  protocols such as SMTP, POP3, and FTP.</para>
@ -2785,11 +2788,12 @@ Connected to localhost.
 Escape character is '^]'.
 220 mailserver.example.com ESMTP</screen>
-	<para>This can be used in conjunction with &man.ssh-keygen.1;
+	  <para>This can be used in conjunction with
-	  and additional user accounts to create a more seamless
+	    &man.ssh-keygen.1; and additional user accounts to create
-	  <acronym>SSH</acronym> tunneling environment.  Keys can be
+	    a more seamless <acronym>SSH</acronym> tunneling
-	  used in place of typing a password, and the tunnels can be
+	    environment.  Keys can be used in place of typing a
-	  run as a separate user.</para>
+	    password, and the tunnels can be run as a separate
 	    user.</para>
 	</example>
 	<example>
@ -2939,11 +2943,10 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
      <primary>ACL</primary>
    </indexterm>
-    <para>Access Control Lists (<acronym>ACL</acronym>s)
+    <para>Access Control Lists (<acronym>ACL</acronym>s) extend the
-      extend the standard &unix; permission model in a &posix;.1e
+      standard &unix; permission model in a &posix;.1e compatible way.
-      compatible way.  This permits an administrator to
+      This permits an administrator to take advantage of a more
-      take advantage of a more fine-grained permissions
+      fine-grained permissions model.</para>
      model.</para>
    <para>The &os; <filename>GENERIC</filename> kernel provides
      <acronym>ACL</acronym> support for <acronym>UFS</acronym> file
@ -2956,8 +2959,7 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
    <para>If this option is not compiled in, a warning message will be
      displayed when attempting to mount a file system with
      <acronym>ACL</acronym> support.  <acronym>ACL</acronym>s rely on
-      extended attributes which
+      extended attributes which are natively supported in
      are natively supported in
      <acronym>UFS2</acronym>.</para>
    <para>This chapter describes how to enable
@ -2977,19 +2979,19 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
      <itemizedlist>
 	<listitem>
-	<para>The superblock flag cannot be
+	  <para>The superblock flag cannot be changed by a remount
-	  changed by a remount using <option>mount -u</option> as it
+	    using <option>mount -u</option> as it requires a complete
-	  requires a complete <command>umount</command> and fresh <command>mount</command>.
+	    <command>umount</command> and fresh
-	  This means that <acronym>ACL</acronym>s cannot be enabled on
+	    <command>mount</command>.  This means that
-	  the root file system after boot.  It also means that
+	    <acronym>ACL</acronym>s cannot be enabled on the root file
-	  <acronym>ACL</acronym> support on
+	    system after boot.  It also means that
-	  a file system cannot be changed while the system is in
+	    <acronym>ACL</acronym> support on a file system cannot be
-	  use.</para>
+	    changed while the system is in use.</para>
 	</listitem>
 	<listitem>
-	<para>Setting the superblock flag causes the file system
+	  <para>Setting the superblock flag causes the file system to
-	  to always be mounted with <acronym>ACL</acronym>s enabled,
+	    always be mounted with <acronym>ACL</acronym>s enabled,
 	    even if there is not an <filename>fstab</filename> entry
 	    or if the devices re-order.  This prevents accidental
 	    mounting of the file system without <acronym>ACL</acronym>
@ -2998,17 +3000,18 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
      </itemizedlist>
      <note>
-      <para>It is desirable to discourage accidental mounting without
+	<para>It is desirable to discourage accidental mounting
-	<acronym>ACL</acronym>s enabled because nasty things can
+	  without <acronym>ACL</acronym>s enabled because nasty things
-	happen if <acronym>ACL</acronym>s are enabled, then disabled,
+	  can happen if <acronym>ACL</acronym>s are enabled, then
-	then re-enabled without flushing the extended attributes.  In
+	  disabled, then re-enabled without flushing the extended
-	general, once <acronym>ACL</acronym>s are enabled on a
+	  attributes.  In general, once <acronym>ACL</acronym>s are
-	file system, they should not be disabled, as the resulting file
+	  enabled on a file system, they should not be disabled, as
-	protections may not be compatible with those intended by the
+	  the resulting file protections may not be compatible with
-	users of the system, and re-enabling <acronym>ACL</acronym>s
+	  those intended by the users of the system, and re-enabling
-	may re-attach the previous <acronym>ACL</acronym>s to files
+	  <acronym>ACL</acronym>s may re-attach the previous
-	that have since had their permissions changed, resulting in
+	  <acronym>ACL</acronym>s to files that have since had their
-	unpredictable behavior.</para>
+	  permissions changed, resulting in unpredictable
 	  behavior.</para>
      </note>
      <para>File systems with <acronym>ACL</acronym>s enabled will
@ -3021,13 +3024,11 @@ drwxrwx---+ 2 robert  robert  512 Dec 22 10:20 directory2
 drwxrwx---+ 2 robert  robert  512 Dec 27 11:57 directory3
 drwxr-xr-x  2 robert  robert  512 Nov 10 11:54 public_html</programlisting>
-    <para>In this example,
+      <para>In this example, <filename>directory1</filename>,
      <filename>directory1</filename>,
 	<filename>directory2</filename>, and
-      <filename>directory3</filename>
+	<filename>directory3</filename> are all taking advantage of
-      are all taking advantage of <acronym>ACL</acronym>s, whereas
+	<acronym>ACL</acronym>s, whereas
-      <filename>public_html</filename>
+	<filename>public_html</filename> is not.</para>
      is not.</para>
    </sect2>
    <sect2>
@ -3047,11 +3048,11 @@ drwxr-xr-x  2 robert  robert  512 Nov 10 11:54 public_html</programlisting>
 	other::r--</screen>
      <para>To change the <acronym>ACL</acronym> settings on this
-	file, use <command>setfacl</command>.  To remove all of the currently defined
+	file, use <command>setfacl</command>.  To remove all of the
-	<acronym>ACL</acronym>s from a file or file system, include
+	currently defined <acronym>ACL</acronym>s from a file or file
-	<option>-k</option>.  However, the preferred method is to use
+	system, include <option>-k</option>.  However, the preferred
-	<option>-b</option> as it leaves the basic fields required
+	method is to use <option>-b</option> as it leaves the basic
-	for <acronym>ACL</acronym>s to work.</para>
+	fields required for <acronym>ACL</acronym>s to work.</para>
      <screen>&prompt.user; <userinput>setfacl -k test</userinput></screen>
@ -3060,12 +3061,12 @@ drwxr-xr-x  2 robert  robert  512 Nov 10 11:54 public_html</programlisting>
      <screen>&prompt.user; <userinput>setfacl -m u:trhodes:rwx,group:web:r--,o::--- test</userinput></screen>
-      <para>In this example, there were no
+      <para>In this example, there were no pre-defined entries, as
-	pre-defined entries, as they were removed by the previous
+	they were removed by the previous command.  This command
-	command.  This command restores the default options and assigns the
+	restores the default options and assigns the options listed.
-	options listed.  If a user or group is added which does not
+	If a user or group is added which does not exist on the
-	exist on the system, an <errorname>Invalid
+	system, an <errorname>Invalid argument</errorname> error will
-	  argument</errorname> error will be displayed.</para>
+	be displayed.</para>
      <para>Refer to &man.getfacl.1; and &man.setfacl.1; for more
 	information about the options available for these
@ -3494,12 +3495,12 @@ UWWemqWuz3lAZuORQ9KX
      their allocation among users, provide for system monitoring,
      and minimally track a user's commands.</para>
-    <para>Process accounting has both positive and negative points.  One
+    <para>Process accounting has both positive and negative points.
-      of the positives is that an intrusion may be narrowed down to
+      One of the positives is that an intrusion may be narrowed down
-      the point of entry.  A negative is the amount of logs
+      to the point of entry.  A negative is the amount of logs
      generated by process accounting, and the disk space they may
-      require.  This section walks an administrator through the
+      require.  This section walks an administrator through the basics
-      basics of process accounting.</para>
+      of process accounting.</para>
    <note>
      <para>If more fine-grained accounting is needed, refer to
@ -3520,16 +3521,16 @@ UWWemqWuz3lAZuORQ9KX
      <para>Once enabled, accounting will begin to track information
 	such as <acronym>CPU</acronym> statistics and executed
 	commands.  All accounting logs are in a non-human readable
-	format which can be viewed using <command>sa</command>.  If issued
+	format which can be viewed using <command>sa</command>.  If
-	without any options, <command>sa</command> prints information relating to
+	issued without any options, <command>sa</command> prints
-	the number of per-user calls, the total elapsed time in
+	information relating to the number of per-user calls, the
-	minutes, total <acronym>CPU</acronym> and user time in
+	total elapsed time in minutes, total <acronym>CPU</acronym>
-	minutes, and the average number of <acronym>I/O</acronym> operations.  Refer to
+	and user time in minutes, and the average number of
-	&man.sa.8; for the list of available options which control the
+	<acronym>I/O</acronym> operations.  Refer to &man.sa.8; for
-	output.</para>
+	the list of available options which control the output.</para>
-      <para>To display the commands issued
+      <para>To display the commands issued by users, use
-	by users, use <command>lastcomm</command>.  For example, this command
+	<command>lastcomm</command>.  For example, this command
 	prints out all usage of <command>ls</command> by <systemitem
 	  class="username">trhodes</systemitem> on the
 	<literal>ttyp1</literal> terminal:</para>
@ -3559,23 +3560,22 @@ UWWemqWuz3lAZuORQ9KX
      controlled through a flat file,
      <filename>/etc/login.conf</filename>.  While this method
      is still supported, any changes require a multi-step process of
-      editing this file in order to divide users into various group labels known as classes,
+      editing this file in order to divide users into various group
-      rebuilding the resource database using
+      labels known as classes, rebuilding the resource database using
-      <command>cap_mkdb</command>, making necessary changes
+      <command>cap_mkdb</command>, making necessary changes to
-      to <filename>/etc/master.passwd</filename>, and rebuilding
+      <filename>/etc/master.passwd</filename>, and rebuilding the
-      the password database using
+      password database using <command>pwd_mkdb</command>.  This
-      <command>pwd_mkdb</command>.  This  could be
+      could be time consuming, depending upon the number of users to
      time consuming, depending upon the number of users to
      configure.</para>
    <para>Beginning with &os;&nbsp;9.0-RELEASE,
-      <command>rctl</command> can be used to provide a more fine-grained
+      <command>rctl</command> can be used to provide a more
-      method of controlling resources limits for users.  This
+      fine-grained method of controlling resources limits for users.
-      command supports much more than users as it can be used to set
+      This command supports much more than users as it can be used to
-      resource constraints on processes, jails, and the original login
+      set resource constraints on processes, jails, and the original
-      class.  These advanced features provide administrators and users
+      login class.  These advanced features provide administrators and
-      with methods to control resources through the command line and
+      users with methods to control resources through the command line
-      to set rules on system initialization using a configuration
+      and to set rules on system initialization using a configuration
      file.</para>
    <sect2>
@ -3585,8 +3585,8 @@ UWWemqWuz3lAZuORQ9KX
 	not built-in, meaning that the kernel will first need to be
 	recompiled using the instructions in <xref
 	  linkend="kernelconfig"/>.  Add these lines to either
-      <filename>GENERIC</filename> or a custom kernel
+	<filename>GENERIC</filename> or a custom kernel configuration
-      configuration file, then rebuild the kernel:</para>
+	file, then rebuild the kernel:</para>
      <programlisting>options         RACCT
 options         RCTL</programlisting>
@ -3595,31 +3595,27 @@ options         RCTL</programlisting>
 	<command>rctl</command> may be used to set rules for the
 	system.</para>
-    <para>Rule syntax is controlled through the use of
+      <para>Rule syntax is controlled through the use of a subject,
-      a subject,
+	subject-id, resource, and action, as seen in this example
      subject-id, resource,
      and action, as seen in this example
 	rule:</para>
      <programlisting>user:trhodes:maxproc:deny=10/user</programlisting>
-    <para>In this rule, the subject
+      <para>In this rule, the subject is <literal>user</literal>, the
-      is <literal>user</literal>, the subject-id is
+	subject-id is <literal>trhodes</literal>, the resource,
-      <literal>trhodes</literal>, the resource,
+	<literal>maxproc</literal>, is the maximum number of
-      <literal>maxproc</literal>, is the maximum
+	processes, and the action is <literal>deny</literal>, which
-      number of processes, and the
+	blocks any new processes from being created.  This means that
-      action is <literal>deny</literal>, which blocks any
+	the user, <literal>trhodes</literal>, will be constrained to
-      new processes from being created.  This means that the
+	no greater than <literal>10</literal> processes.  Other
-      user, <literal>trhodes</literal>, will be constrained to no greater than
+	possible actions include logging to the console, passing a
      <literal>10</literal> processes.  Other possible
      actions include logging to the console, passing a
 	notification to &man.devd.8;, or sending a sigterm to the
 	process.</para>
-    <para>Some care must be taken when adding rules.  Since this user
+      <para>Some care must be taken when adding rules.  Since this
-      is constrained to <literal>10</literal> processes, this example
+	user is constrained to <literal>10</literal> processes, this
-      will prevent the user from performing other
+	example will prevent the user from performing other tasks
-      tasks after logging in and executing a
+	after logging in and executing a
 	<command>screen</command> session.  Once a resource limit has
 	been hit, an error will be printed, as in this example:</para>
@ -3627,28 +3623,27 @@ options         RCTL</programlisting>
    /usr/bin/man: Cannot fork: Resource temporarily unavailable
 eval: Cannot fork: Resource temporarily unavailable</screen>
-    <para>As another example,
+      <para>As another example, a jail can be prevented from exceeding
-      a jail can be prevented from exceeding a memory limit.  This rule could be
+	a memory limit.  This rule could be written as:</para>
      written as:</para>
      <screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen>
-    <para>Rules will persist across reboots if they have been
+      <para>Rules will persist across reboots if they have been added
-      added to <filename>/etc/rctl.conf</filename>.  The format is a
+	to <filename>/etc/rctl.conf</filename>.  The format is a rule,
-      rule, without the preceding command.  For example, the previous
+	without the preceding command.  For example, the previous rule
-      rule could be added as:</para>
+	could be added as:</para>
      <programlisting># Block jail from using more than 2G memory:
 jail:httpd:memoryuse:deny=2G/jail</programlisting>
-    <para>To remove a rule, use <command>rctl</command> to
+      <para>To remove a rule, use <command>rctl</command> to remove it
-      remove it from the list:</para>
+	from the list:</para>
      <screen>&prompt.root; <userinput>rctl -r user:trhodes:maxproc:deny=10/user</userinput></screen>
-    <para>A method for removing all rules is documented in &man.rctl.8;.
+      <para>A method for removing all rules is documented in
-      However, if removing all rules for a single user is required,
+	&man.rctl.8;.  However, if removing all rules for a single
-      this command may be issued:</para>
+	user is required, this command may be issued:</para>
      <screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen>