White space fix only. Translators can ignore.
Sponsored by: iXsystems
This commit is contained in:
parent
bf62664294
commit
bb698042d3
Notes:
svn2git
2020-12-08 03:00:23 +00:00
svn path=/head/; revision=44404
1 changed files with 307 additions and 312 deletions
|
@ -2514,12 +2514,12 @@ racoon_enable="yes"</programlisting>
|
||||||
compatible with both <acronym>SSH</acronym> version 1 and 2
|
compatible with both <acronym>SSH</acronym> version 1 and 2
|
||||||
protocols.</para>
|
protocols.</para>
|
||||||
|
|
||||||
<para>When data is sent over the network in an unencrypted form,
|
<para>When data is sent over the network in an unencrypted form,
|
||||||
network sniffers anywhere in between the client and server
|
network sniffers anywhere in between the client and server can
|
||||||
can steal user/password information or data transferred
|
steal user/password information or data transferred during the
|
||||||
during the session. <application>OpenSSH</application> offers
|
session. <application>OpenSSH</application> offers a variety of
|
||||||
a variety of authentication and encryption methods to prevent
|
authentication and encryption methods to prevent this from
|
||||||
this from happening.</para>
|
happening.</para>
|
||||||
|
|
||||||
<sect2>
|
<sect2>
|
||||||
<title>Using the SSH Client Utilities</title>
|
<title>Using the SSH Client Utilities</title>
|
||||||
|
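Review bot: the reflowed sentence `compatible with both <acronym>SSH</acronym> version 1 and 2 protocols` carries over an unqualified mention of protocol version 1; this commit is whitespace-only, so it is out of scope here, but a follow-up should state that version 1 is obsolete and that only version 2 should be used, which is also what the `-2` flag in the tunnelling examples further down this file enforces.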
@ -2587,14 +2587,14 @@ COPYRIGHT 100% |*****************************| 4735
|
||||||
arguments takes the form
|
arguments takes the form
|
||||||
<option>user@host:<path_to_remote_file></option>.</para>
|
<option>user@host:<path_to_remote_file></option>.</para>
|
||||||
|
|
||||||
<sect3 xml:id="security-ssh-keygen">
|
<sect3 xml:id="security-ssh-keygen">
|
||||||
<title>Key-based Authentication</title>
|
<title>Key-based Authentication</title>
|
||||||
|
|
||||||
<para>Instead of using passwords, &man.ssh-keygen.1; can be used
|
<para>Instead of using passwords, &man.ssh-keygen.1; can be
|
||||||
to generate <acronym>DSA</acronym> or <acronym>RSA</acronym>
|
used to generate <acronym>DSA</acronym> or
|
||||||
keys to authenticate a user:</para>
|
<acronym>RSA</acronym> keys to authenticate a user:</para>
|
||||||
|
|
||||||
<screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
|
<screen>&prompt.user; <userinput>ssh-keygen -t <replaceable>dsa</replaceable></userinput>
|
||||||
Generating public/private dsa key pair.
|
Generating public/private dsa key pair.
|
||||||
Enter file in which to save the key (/home/user/.ssh/id_dsa):
|
Enter file in which to save the key (/home/user/.ssh/id_dsa):
|
||||||
Created directory '/home/user/.ssh'.
|
Created directory '/home/user/.ssh'.
|
||||||
|
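Review bot: the `ssh-keygen -t <replaceable>dsa</replaceable>` example kept by this hunk showcases DSA as the key type; OpenSSH DSA keys are fixed at 1024 bits, so a follow-up (not this whitespace-only rewrap) should either switch the example to `rsa` or add a sentence noting the limitation, otherwise readers copying the example get the weakest key type the text offers.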
@ -2605,179 +2605,182 @@ Your public key has been saved in /home/user/.ssh/id_dsa.pub.
|
||||||
The key fingerprint is:
|
The key fingerprint is:
|
||||||
bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com</screen>
|
bb:48:db:f2:93:57:80:b6:aa:bc:f5:d5:ba:8f:79:17 user@host.example.com</screen>
|
||||||
|
|
||||||
<para>&man.ssh-keygen.1; will create a public and private key
|
<para>&man.ssh-keygen.1; will create a public and private key
|
||||||
pair for use in authentication. The private key is stored
|
pair for use in authentication. The private key is stored
|
||||||
in <filename>~/.ssh/id_dsa</filename> or
|
in <filename>~/.ssh/id_dsa</filename> or
|
||||||
<filename>~/.ssh/id_rsa</filename>, whereas the public key
|
<filename>~/.ssh/id_rsa</filename>, whereas the public key
|
||||||
is stored in <filename>~/.ssh/id_dsa.pub</filename> or
|
is stored in <filename>~/.ssh/id_dsa.pub</filename> or
|
||||||
<filename>~/.ssh/id_rsa.pub</filename>, respectively for the
|
<filename>~/.ssh/id_rsa.pub</filename>, respectively for the
|
||||||
<acronym>DSA</acronym> and <acronym>RSA</acronym> key types.
|
<acronym>DSA</acronym> and <acronym>RSA</acronym> key types.
|
||||||
The public key must be placed in
|
The public key must be placed in
|
||||||
<filename>~/.ssh/authorized_keys</filename> on the
|
<filename>~/.ssh/authorized_keys</filename> on the remote
|
||||||
remote machine for both <acronym>RSA</acronym> or
|
machine for both <acronym>RSA</acronym> or
|
||||||
<acronym>DSA</acronym> keys in order for the setup to
|
<acronym>DSA</acronym> keys in order for the setup to
|
||||||
work.</para>
|
work.</para>
|
||||||
|
|
||||||
<para>This setup allows connections to the remote machine based
|
<para>This setup allows connections to the remote machine
|
||||||
upon <acronym>SSH</acronym> keys instead of passwords.</para>
|
based upon <acronym>SSH</acronym> keys instead of
|
||||||
|
passwords.</para>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>Many users believe that keys are secure by design and
|
<para>Many users believe that keys are secure by design and
|
||||||
will use a key without a passphrase. This is
|
will use a key without a passphrase. This is
|
||||||
<emphasis>dangerous</emphasis> behavior and the method
|
<emphasis>dangerous</emphasis> behavior and the method an
|
||||||
an administrator may use to verify keys have a passphrase
|
administrator may use to verify keys have a passphrase is
|
||||||
is to view the key manually. If the private key file
|
to view the key manually. If the private key file
|
||||||
contains the word <literal>ENCRYPTED</literal> the key
|
contains the word <literal>ENCRYPTED</literal> the key
|
||||||
owner is using a passphrase. While it may still be a weak
|
owner is using a passphrase. While it may still be a weak
|
||||||
passphrase, at least if the system is compromised, access
|
passphrase, at least if the system is compromised, access
|
||||||
to other sites will still require some level of password
|
to other sites will still require some level of password
|
||||||
guessing. In addition, to better secure end users, the
|
guessing. In addition, to better secure end users, the
|
||||||
<literal>from</literal> may be placed in the public key
|
<literal>from</literal> may be placed in the public key
|
||||||
file. For example, adding
|
file. For example, adding
|
||||||
<literal>from="192.168.10.5</literal> in the front of
|
<literal>from="192.168.10.5</literal> in the front of
|
||||||
<literal>ssh-rsa</literal> or <literal>rsa-dsa</literal>
|
<literal>ssh-rsa</literal> or <literal>rsa-dsa</literal>
|
||||||
prefix will only allow that specific user to login from
|
prefix will only allow that specific user to login from
|
||||||
that host <acronym>IP</acronym>.</para>
|
that host <acronym>IP</acronym>.</para>
|
||||||
</warning>
|
</warning>
|
||||||
|
|
||||||
<warning>
|
<warning>
|
||||||
<para>The various options and files can be different according
|
<para>The various options and files can be different
|
||||||
to the <application>OpenSSH</application> version. To avoid
|
according to the <application>OpenSSH</application>
|
||||||
problems, consult &man.ssh-keygen.1;.</para>
|
version. To avoid problems, consult
|
||||||
</warning>
|
&man.ssh-keygen.1;.</para>
|
||||||
|
</warning>
|
||||||
|
|
||||||
<para>If a passphrase is used in &man.ssh-keygen.1;, the user
|
<para>If a passphrase is used in &man.ssh-keygen.1;, the user
|
||||||
will be prompted for the passphrase each time in order to use
|
will be prompted for the passphrase each time in order to
|
||||||
the private key. To load <acronym>SSH</acronym> keys into memory for use,
|
use the private key. To load <acronym>SSH</acronym> keys
|
||||||
without needing to type the passphrase each time, use
|
into memory for use, without needing to type the passphrase
|
||||||
&man.ssh-agent.1; and &man.ssh-add.1;.</para>
|
each time, use &man.ssh-agent.1; and &man.ssh-add.1;.</para>
|
||||||
|
|
||||||
<para>Authentication is handled by &man.ssh-agent.1;, using the
|
<para>Authentication is handled by &man.ssh-agent.1;, using
|
||||||
private key(s) that are loaded into it. Then,
|
the private key(s) that are loaded into it. Then,
|
||||||
&man.ssh-agent.1; should be used to launch another
|
&man.ssh-agent.1; should be used to launch another
|
||||||
application. At the most basic level, it could spawn a shell
|
application. At the most basic level, it could spawn a
|
||||||
or a window manager.</para>
|
shell or a window manager.</para>
|
||||||
|
|
||||||
<para>To use &man.ssh-agent.1; in a shell, start it with a shell
|
<para>To use &man.ssh-agent.1; in a shell, start it with a
|
||||||
as an argument. Next, add the identity by running
|
shell as an argument. Next, add the identity by running
|
||||||
&man.ssh-add.1; and providing it the passphrase for the
|
&man.ssh-add.1; and providing it the passphrase for the
|
||||||
private key. Once these steps have been completed, the user
|
private key. Once these steps have been completed, the user
|
||||||
will be able to &man.ssh.1; to any host that has the
|
will be able to &man.ssh.1; to any host that has the
|
||||||
corresponding public key installed. For example:</para>
|
corresponding public key installed. For example:</para>
|
||||||
|
|
||||||
<screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
|
<screen>&prompt.user; ssh-agent <replaceable>csh</replaceable>
|
||||||
&prompt.user; ssh-add
|
&prompt.user; ssh-add
|
||||||
Enter passphrase for /home/user/.ssh/id_dsa:
|
Enter passphrase for /home/user/.ssh/id_dsa:
|
||||||
Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
|
Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
|
||||||
&prompt.user;</screen>
|
&prompt.user;</screen>
|
||||||
|
|
||||||
<para>To use &man.ssh-agent.1; in
|
<para>To use &man.ssh-agent.1; in
|
||||||
<application>&xorg;</application>, a call to &man.ssh-agent.1;
|
<application>&xorg;</application>, a call to
|
||||||
needs to be placed in <filename>~/.xinitrc</filename>. This
|
&man.ssh-agent.1; needs to be placed in
|
||||||
provides the &man.ssh-agent.1; services to all programs
|
<filename>~/.xinitrc</filename>. This provides the
|
||||||
launched in <application>&xorg;</application>. An example
|
&man.ssh-agent.1; services to all programs launched in
|
||||||
<filename>~/.xinitrc</filename> might look like
|
<application>&xorg;</application>. An example
|
||||||
this:</para>
|
<filename>~/.xinitrc</filename> might look like this:</para>
|
||||||
|
|
||||||
<programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
|
<programlisting>exec ssh-agent <replaceable>startxfce4</replaceable></programlisting>
|
||||||
|
|
||||||
<para>This launches &man.ssh-agent.1;, which in turn launches
|
<para>This launches &man.ssh-agent.1;, which in turn launches
|
||||||
<application>XFCE</application>, every time
|
<application>XFCE</application>, every time
|
||||||
<application>&xorg;</application> starts. Once
|
<application>&xorg;</application> starts. Once
|
||||||
<application>&xorg;</application> has been restarted so that
|
<application>&xorg;</application> has been restarted so that
|
||||||
the changes can take effect, run &man.ssh-add.1; to load all
|
the changes can take effect, run &man.ssh-add.1; to load all
|
||||||
of the <acronym>SSH</acronym> keys.</para>
|
of the <acronym>SSH</acronym> keys.</para>
|
||||||
</sect3>
|
</sect3>
|
||||||
|
|
||||||
<sect3 xml:id="security-ssh-tunneling">
|
<sect3 xml:id="security-ssh-tunneling">
|
||||||
<title><acronym>SSH</acronym> Tunneling</title>
|
<title><acronym>SSH</acronym> Tunneling</title>
|
||||||
|
|
||||||
<indexterm>
|
<indexterm>
|
||||||
<primary>OpenSSH</primary>
|
<primary>OpenSSH</primary>
|
||||||
<secondary>tunneling</secondary>
|
<secondary>tunneling</secondary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para><application>OpenSSH</application> has the ability to
|
<para><application>OpenSSH</application> has the ability to
|
||||||
create a tunnel to encapsulate another protocol in an
|
create a tunnel to encapsulate another protocol in an
|
||||||
encrypted session.</para>
|
encrypted session.</para>
|
||||||
|
|
||||||
<para>The following command tells &man.ssh.1; to create a
|
<para>The following command tells &man.ssh.1; to create a
|
||||||
tunnel for &man.telnet.1;:</para>
|
tunnel for &man.telnet.1;:</para>
|
||||||
|
|
||||||
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput>
|
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput>
|
||||||
&prompt.user;</screen>
|
&prompt.user;</screen>
|
||||||
|
|
||||||
<para>This example uses the following options:</para>
|
<para>This example uses the following options:</para>
|
||||||
|
|
||||||
<variablelist>
|
<variablelist>
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>-2</option></term>
|
<term><option>-2</option></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Forces &man.ssh.1; to use version 2 to connect to
|
<para>Forces &man.ssh.1; to use version 2 to connect to
|
||||||
the server.</para>
|
the server.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>-N</option></term>
|
<term><option>-N</option></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Indicates no command, or tunnel only. If omitted,
|
<para>Indicates no command, or tunnel only. If omitted,
|
||||||
&man.ssh.1; initiates a normal session.</para>
|
&man.ssh.1; initiates a normal session.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>-f</option></term>
|
<term><option>-f</option></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Forces &man.ssh.1; to run in the background.</para>
|
<para>Forces &man.ssh.1; to run in the
|
||||||
</listitem>
|
background.</para>
|
||||||
</varlistentry>
|
</listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>-L</option></term>
|
<term><option>-L</option></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Indicates a local tunnel in
|
<para>Indicates a local tunnel in
|
||||||
<replaceable>localport:remotehost:remoteport</replaceable>
|
<replaceable>localport:remotehost:remoteport</replaceable>
|
||||||
format.</para>
|
format.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><option>user@foo.example.com</option></term>
|
<term><option>user@foo.example.com</option></term>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The login name to use on the specified remote
|
<para>The login name to use on the specified remote
|
||||||
<acronym>SSH</acronym> server.</para>
|
<acronym>SSH</acronym> server.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
|
|
||||||
<para>An <acronym>SSH</acronym> tunnel works by creating a
|
<para>An <acronym>SSH</acronym> tunnel works by creating a
|
||||||
listen socket on <systemitem>localhost</systemitem> on the
|
listen socket on <systemitem>localhost</systemitem> on the
|
||||||
specified port. It then forwards any connections received on
|
specified port. It then forwards any connections received
|
||||||
the local host/port via the <acronym>SSH</acronym> connection
|
on the local host/port via the <acronym>SSH</acronym>
|
||||||
to the specified remote host and port.</para>
|
connection to the specified remote host and port.</para>
|
||||||
|
|
||||||
<para>In the example, port <replaceable>5023</replaceable> on
|
<para>In the example, port <replaceable>5023</replaceable> on
|
||||||
<systemitem>localhost</systemitem> is forwarded to port
|
<systemitem>localhost</systemitem> is forwarded to port
|
||||||
<replaceable>23</replaceable> on
|
<replaceable>23</replaceable> on
|
||||||
<systemitem>localhost</systemitem> of the remote machine.
|
<systemitem>localhost</systemitem> of the remote machine.
|
||||||
Since <replaceable>23</replaceable> is used by &man.telnet.1;,
|
Since <replaceable>23</replaceable> is used by
|
||||||
this creates an encrypted &man.telnet.1; session through an
|
&man.telnet.1;, this creates an encrypted &man.telnet.1;
|
||||||
<acronym>SSH</acronym> tunnel.</para>
|
session through an <acronym>SSH</acronym> tunnel.</para>
|
||||||
|
|
||||||
<para>This can be used to wrap any number of insecure TCP
|
<para>This can be used to wrap any number of insecure TCP
|
||||||
protocols such as SMTP, POP3, and FTP.</para>
|
protocols such as SMTP, POP3, and FTP.</para>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>Using &man.ssh.1; to Create a Secure Tunnel for
|
<title>Using &man.ssh.1; to Create a Secure Tunnel for
|
||||||
SMTP</title>
|
SMTP</title>
|
||||||
|
|
||||||
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user@mailserver.example.com</replaceable></userinput>
|
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5025:localhost:25 user@mailserver.example.com</replaceable></userinput>
|
||||||
user@mailserver.example.com's password: <userinput>*****</userinput>
|
user@mailserver.example.com's password: <userinput>*****</userinput>
|
||||||
&prompt.user; <userinput>telnet localhost 5025</userinput>
|
&prompt.user; <userinput>telnet localhost 5025</userinput>
|
||||||
Trying 127.0.0.1...
|
Trying 127.0.0.1...
|
||||||
|
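Review bot: two pre-existing defects survive the rewrap in the first `<warning>` of this hunk and deserve a follow-up commit: `<literal>from="192.168.10.5</literal>` is missing its closing double quote (an `authorized_keys` option reads `from="192.168.10.5"`, followed by a space and then the key type), and `<literal>rsa-dsa</literal>` is not a prefix that appears in an OpenSSH public key file; the DSA key written by the `ssh-keygen -t dsa` example earlier in the file starts with `ssh-dss`. Since the paragraph is giving administrators a recipe to restrict where a passphrase-less key may be used from, the wrong quoting and prefix will lead them to write entries that `sshd` rejects.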
@ -2785,14 +2788,15 @@ Connected to localhost.
|
||||||
Escape character is '^]'.
|
Escape character is '^]'.
|
||||||
220 mailserver.example.com ESMTP</screen>
|
220 mailserver.example.com ESMTP</screen>
|
||||||
|
|
||||||
<para>This can be used in conjunction with &man.ssh-keygen.1;
|
<para>This can be used in conjunction with
|
||||||
and additional user accounts to create a more seamless
|
&man.ssh-keygen.1; and additional user accounts to create
|
||||||
<acronym>SSH</acronym> tunneling environment. Keys can be
|
a more seamless <acronym>SSH</acronym> tunneling
|
||||||
used in place of typing a password, and the tunnels can be
|
environment. Keys can be used in place of typing a
|
||||||
run as a separate user.</para>
|
password, and the tunnels can be run as a separate
|
||||||
</example>
|
user.</para>
|
||||||
|
</example>
|
||||||
|
|
||||||
<example>
|
<example>
|
||||||
<title>Secure Access of a POP3 Server</title>
|
<title>Secure Access of a POP3 Server</title>
|
||||||
|
|
||||||
<para>In this example, there is an <acronym>SSH</acronym>
|
<para>In this example, there is an <acronym>SSH</acronym>
|
||||||
|
@ -2939,11 +2943,10 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
|
||||||
<primary>ACL</primary>
|
<primary>ACL</primary>
|
||||||
</indexterm>
|
</indexterm>
|
||||||
|
|
||||||
<para>Access Control Lists (<acronym>ACL</acronym>s)
|
<para>Access Control Lists (<acronym>ACL</acronym>s) extend the
|
||||||
extend the standard &unix; permission model in a &posix;.1e
|
standard &unix; permission model in a &posix;.1e compatible way.
|
||||||
compatible way. This permits an administrator to
|
This permits an administrator to take advantage of a more
|
||||||
take advantage of a more fine-grained permissions
|
fine-grained permissions model.</para>
|
||||||
model.</para>
|
|
||||||
|
|
||||||
<para>The &os; <filename>GENERIC</filename> kernel provides
|
<para>The &os; <filename>GENERIC</filename> kernel provides
|
||||||
<acronym>ACL</acronym> support for <acronym>UFS</acronym> file
|
<acronym>ACL</acronym> support for <acronym>UFS</acronym> file
|
||||||
|
@ -2956,78 +2959,76 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
|
||||||
<para>If this option is not compiled in, a warning message will be
|
<para>If this option is not compiled in, a warning message will be
|
||||||
displayed when attempting to mount a file system with
|
displayed when attempting to mount a file system with
|
||||||
<acronym>ACL</acronym> support. <acronym>ACL</acronym>s rely on
|
<acronym>ACL</acronym> support. <acronym>ACL</acronym>s rely on
|
||||||
extended attributes which
|
extended attributes which are natively supported in
|
||||||
are natively supported in
|
|
||||||
<acronym>UFS2</acronym>.</para>
|
<acronym>UFS2</acronym>.</para>
|
||||||
|
|
||||||
<para>This chapter describes how to enable
|
<para>This chapter describes how to enable
|
||||||
<acronym>ACL</acronym> support and provides some usage
|
<acronym>ACL</acronym> support and provides some usage
|
||||||
examples.</para>
|
examples.</para>
|
||||||
|
|
||||||
<sect2>
|
<sect2>
|
||||||
<title>Enabling <acronym>ACL</acronym> Support</title>
|
<title>Enabling <acronym>ACL</acronym> Support</title>
|
||||||
|
|
||||||
<para><acronym>ACL</acronym>s are enabled by the mount-time
|
<para><acronym>ACL</acronym>s are enabled by the mount-time
|
||||||
administrative flag, <option>acls</option>, which may be added
|
administrative flag, <option>acls</option>, which may be added
|
||||||
to <filename>/etc/fstab</filename>. The mount-time flag can
|
to <filename>/etc/fstab</filename>. The mount-time flag can
|
||||||
also be automatically set in a persistent manner using
|
also be automatically set in a persistent manner using
|
||||||
&man.tunefs.8; to modify a superblock <acronym>ACL</acronym>s
|
&man.tunefs.8; to modify a superblock <acronym>ACL</acronym>s
|
||||||
flag in the file system header. In general, it is preferred
|
flag in the file system header. In general, it is preferred
|
||||||
to use the superblock flag for several reasons:</para>
|
to use the superblock flag for several reasons:</para>
|
||||||
|
|
||||||
<itemizedlist>
|
<itemizedlist>
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>The superblock flag cannot be
|
<para>The superblock flag cannot be changed by a remount
|
||||||
changed by a remount using <option>mount -u</option> as it
|
using <option>mount -u</option> as it requires a complete
|
||||||
requires a complete <command>umount</command> and fresh <command>mount</command>.
|
<command>umount</command> and fresh
|
||||||
This means that <acronym>ACL</acronym>s cannot be enabled on
|
<command>mount</command>. This means that
|
||||||
the root file system after boot. It also means that
|
<acronym>ACL</acronym>s cannot be enabled on the root file
|
||||||
<acronym>ACL</acronym> support on
|
system after boot. It also means that
|
||||||
a file system cannot be changed while the system is in
|
<acronym>ACL</acronym> support on a file system cannot be
|
||||||
use.</para>
|
changed while the system is in use.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
|
|
||||||
<listitem>
|
<listitem>
|
||||||
<para>Setting the superblock flag causes the file system
|
<para>Setting the superblock flag causes the file system to
|
||||||
to always be mounted with <acronym>ACL</acronym>s enabled,
|
always be mounted with <acronym>ACL</acronym>s enabled,
|
||||||
even if there is not an <filename>fstab</filename> entry
|
even if there is not an <filename>fstab</filename> entry
|
||||||
or if the devices re-order. This prevents accidental
|
or if the devices re-order. This prevents accidental
|
||||||
mounting of the file system without <acronym>ACL</acronym>
|
mounting of the file system without <acronym>ACL</acronym>
|
||||||
support.</para>
|
support.</para>
|
||||||
</listitem>
|
</listitem>
|
||||||
</itemizedlist>
|
</itemizedlist>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>It is desirable to discourage accidental mounting without
|
<para>It is desirable to discourage accidental mounting
|
||||||
<acronym>ACL</acronym>s enabled because nasty things can
|
without <acronym>ACL</acronym>s enabled because nasty things
|
||||||
happen if <acronym>ACL</acronym>s are enabled, then disabled,
|
can happen if <acronym>ACL</acronym>s are enabled, then
|
||||||
then re-enabled without flushing the extended attributes. In
|
disabled, then re-enabled without flushing the extended
|
||||||
general, once <acronym>ACL</acronym>s are enabled on a
|
attributes. In general, once <acronym>ACL</acronym>s are
|
||||||
file system, they should not be disabled, as the resulting file
|
enabled on a file system, they should not be disabled, as
|
||||||
protections may not be compatible with those intended by the
|
the resulting file protections may not be compatible with
|
||||||
users of the system, and re-enabling <acronym>ACL</acronym>s
|
those intended by the users of the system, and re-enabling
|
||||||
may re-attach the previous <acronym>ACL</acronym>s to files
|
<acronym>ACL</acronym>s may re-attach the previous
|
||||||
that have since had their permissions changed, resulting in
|
<acronym>ACL</acronym>s to files that have since had their
|
||||||
unpredictable behavior.</para>
|
permissions changed, resulting in unpredictable
|
||||||
</note>
|
behavior.</para>
|
||||||
|
</note>
|
||||||
|
|
||||||
<para>File systems with <acronym>ACL</acronym>s enabled will
|
<para>File systems with <acronym>ACL</acronym>s enabled will
|
||||||
show a plus (<literal>+</literal>) sign in their permission
|
show a plus (<literal>+</literal>) sign in their permission
|
||||||
settings:</para>
|
settings:</para>
|
||||||
|
|
||||||
<programlisting>drwx------ 2 robert robert 512 Dec 27 11:54 private
|
<programlisting>drwx------ 2 robert robert 512 Dec 27 11:54 private
|
||||||
drwxrwx---+ 2 robert robert 512 Dec 23 10:57 directory1
|
drwxrwx---+ 2 robert robert 512 Dec 23 10:57 directory1
|
||||||
drwxrwx---+ 2 robert robert 512 Dec 22 10:20 directory2
|
drwxrwx---+ 2 robert robert 512 Dec 22 10:20 directory2
|
||||||
drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3
|
drwxrwx---+ 2 robert robert 512 Dec 27 11:57 directory3
|
||||||
drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
|
drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
|
||||||
|
|
||||||
<para>In this example,
|
<para>In this example, <filename>directory1</filename>,
|
||||||
<filename>directory1</filename>,
|
<filename>directory2</filename>, and
|
||||||
<filename>directory2</filename>, and
|
<filename>directory3</filename> are all taking advantage of
|
||||||
<filename>directory3</filename>
|
<acronym>ACL</acronym>s, whereas
|
||||||
are all taking advantage of <acronym>ACL</acronym>s, whereas
|
<filename>public_html</filename> is not.</para>
|
||||||
<filename>public_html</filename>
|
|
||||||
is not.</para>
|
|
||||||
</sect2>
|
</sect2>
|
||||||
|
|
||||||
<sect2>
|
<sect2>
|
||||||
|
@ -3047,11 +3048,11 @@ drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
|
||||||
other::r--</screen>
|
other::r--</screen>
|
||||||
|
|
||||||
<para>To change the <acronym>ACL</acronym> settings on this
|
<para>To change the <acronym>ACL</acronym> settings on this
|
||||||
file, use <command>setfacl</command>. To remove all of the currently defined
|
file, use <command>setfacl</command>. To remove all of the
|
||||||
<acronym>ACL</acronym>s from a file or file system, include
|
currently defined <acronym>ACL</acronym>s from a file or file
|
||||||
<option>-k</option>. However, the preferred method is to use
|
system, include <option>-k</option>. However, the preferred
|
||||||
<option>-b</option> as it leaves the basic fields required
|
method is to use <option>-b</option> as it leaves the basic
|
||||||
for <acronym>ACL</acronym>s to work.</para>
|
fields required for <acronym>ACL</acronym>s to work.</para>
|
||||||
|
|
||||||
<screen>&prompt.user; <userinput>setfacl -k test</userinput></screen>
|
<screen>&prompt.user; <userinput>setfacl -k test</userinput></screen>
|
||||||
|
|
||||||
|
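Review bot: the rewrapped paragraph states that `-b` is the preferred way to clear ACL entries because it keeps the base fields required for ACLs to work, yet the `<screen>` that immediately follows demonstrates `setfacl -k test`; either the example should use `-b`, or the text should say why `-k` is shown here. Not a whitespace matter, so suggest a follow-up rather than folding it into this commit.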
@ -3060,12 +3061,12 @@ drwxr-xr-x 2 robert robert 512 Nov 10 11:54 public_html</programlisting>
|
||||||
|
|
||||||
<screen>&prompt.user; <userinput>setfacl -m u:trhodes:rwx,group:web:r--,o::--- test</userinput></screen>
|
<screen>&prompt.user; <userinput>setfacl -m u:trhodes:rwx,group:web:r--,o::--- test</userinput></screen>
|
||||||
|
|
||||||
<para>In this example, there were no
|
<para>In this example, there were no pre-defined entries, as
|
||||||
pre-defined entries, as they were removed by the previous
|
they were removed by the previous command. This command
|
||||||
command. This command restores the default options and assigns the
|
restores the default options and assigns the options listed.
|
||||||
options listed. If a user or group is added which does not
|
If a user or group is added which does not exist on the
|
||||||
exist on the system, an <errorname>Invalid
|
system, an <errorname>Invalid argument</errorname> error will
|
||||||
argument</errorname> error will be displayed.</para>
|
be displayed.</para>
|
||||||
|
|
||||||
<para>Refer to &man.getfacl.1; and &man.setfacl.1; for more
|
<para>Refer to &man.getfacl.1; and &man.setfacl.1; for more
|
||||||
information about the options available for these
|
information about the options available for these
|
||||||
|
@ -3494,12 +3495,12 @@ UWWemqWuz3lAZuORQ9KX
|
||||||
their allocation among users, provide for system monitoring,
|
their allocation among users, provide for system monitoring,
|
||||||
and minimally track a user's commands.</para>
|
and minimally track a user's commands.</para>
|
||||||
|
|
||||||
<para>Process accounting has both positive and negative points. One
|
<para>Process accounting has both positive and negative points.
|
||||||
of the positives is that an intrusion may be narrowed down to
|
One of the positives is that an intrusion may be narrowed down
|
||||||
the point of entry. A negative is the amount of logs
|
to the point of entry. A negative is the amount of logs
|
||||||
generated by process accounting, and the disk space they may
|
generated by process accounting, and the disk space they may
|
||||||
require. This section walks an administrator through the
|
require. This section walks an administrator through the basics
|
||||||
basics of process accounting.</para>
|
of process accounting.</para>
|
||||||
|
|
||||||
<note>
|
<note>
|
||||||
<para>If more fine-grained accounting is needed, refer to
|
<para>If more fine-grained accounting is needed, refer to
|
||||||
|
@ -3520,16 +3521,16 @@ UWWemqWuz3lAZuORQ9KX
|
||||||
<para>Once enabled, accounting will begin to track information
|
<para>Once enabled, accounting will begin to track information
|
||||||
such as <acronym>CPU</acronym> statistics and executed
|
such as <acronym>CPU</acronym> statistics and executed
|
||||||
commands. All accounting logs are in a non-human readable
|
commands. All accounting logs are in a non-human readable
|
||||||
format which can be viewed using <command>sa</command>. If issued
|
format which can be viewed using <command>sa</command>. If
|
||||||
without any options, <command>sa</command> prints information relating to
|
issued without any options, <command>sa</command> prints
|
||||||
the number of per-user calls, the total elapsed time in
|
information relating to the number of per-user calls, the
|
||||||
minutes, total <acronym>CPU</acronym> and user time in
|
total elapsed time in minutes, total <acronym>CPU</acronym>
|
||||||
minutes, and the average number of <acronym>I/O</acronym> operations. Refer to
|
and user time in minutes, and the average number of
|
||||||
&man.sa.8; for the list of available options which control the
|
<acronym>I/O</acronym> operations. Refer to &man.sa.8; for
|
||||||
output.</para>
|
the list of available options which control the output.</para>
|
||||||
|
|
||||||
<para>To display the commands issued
|
<para>To display the commands issued by users, use
|
||||||
by users, use <command>lastcomm</command>. For example, this command
|
<command>lastcomm</command>. For example, this command
|
||||||
prints out all usage of <command>ls</command> by <systemitem
|
prints out all usage of <command>ls</command> by <systemitem
|
||||||
class="username">trhodes</systemitem> on the
|
class="username">trhodes</systemitem> on the
|
||||||
<literal>ttyp1</literal> terminal:</para>
|
<literal>ttyp1</literal> terminal:</para>
|
||||||
|
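Review bot: The rewrapped `sa` and `lastcomm` paragraphs in this hunk match the old text word for word (the `&man.sa.8;` reference and the `<systemitem class="username">trhodes</systemitem>` markup are intact), so nothing beyond line breaks changes here; one pre-existing wording nit is carried over unchanged, "All accounting logs are in a non-human readable format", which would read better hyphenated as "non-human-readable", but since translators are told to ignore this commit that belongs in a separate content commit rather than in this one.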
@ -3559,102 +3560,96 @@ UWWemqWuz3lAZuORQ9KX
|
||||||
controlled through a flat file,
|
controlled through a flat file,
|
||||||
<filename>/etc/login.conf</filename>. While this method
|
<filename>/etc/login.conf</filename>. While this method
|
||||||
is still supported, any changes require a multi-step process of
|
is still supported, any changes require a multi-step process of
|
||||||
editing this file in order to divide users into various group labels known as classes,
|
editing this file in order to divide users into various group
|
||||||
rebuilding the resource database using
|
labels known as classes, rebuilding the resource database using
|
||||||
<command>cap_mkdb</command>, making necessary changes
|
<command>cap_mkdb</command>, making necessary changes to
|
||||||
to <filename>/etc/master.passwd</filename>, and rebuilding
|
<filename>/etc/master.passwd</filename>, and rebuilding the
|
||||||
the password database using
|
password database using <command>pwd_mkdb</command>. This
|
||||||
<command>pwd_mkdb</command>. This could be
|
could be time consuming, depending upon the number of users to
|
||||||
time consuming, depending upon the number of users to
|
|
||||||
configure.</para>
|
configure.</para>
|
||||||
|
|
||||||
<para>Beginning with &os; 9.0-RELEASE,
|
<para>Beginning with &os; 9.0-RELEASE,
|
||||||
<command>rctl</command> can be used to provide a more fine-grained
|
<command>rctl</command> can be used to provide a more
|
||||||
method of controlling resources limits for users. This
|
fine-grained method of controlling resources limits for users.
|
||||||
command supports much more than users as it can be used to set
|
This command supports much more than users as it can be used to
|
||||||
resource constraints on processes, jails, and the original login
|
set resource constraints on processes, jails, and the original
|
||||||
class. These advanced features provide administrators and users
|
login class. These advanced features provide administrators and
|
||||||
with methods to control resources through the command line and
|
users with methods to control resources through the command line
|
||||||
to set rules on system initialization using a configuration
|
and to set rules on system initialization using a configuration
|
||||||
file.</para>
|
file.</para>
|
||||||
|
|
||||||
<sect2>
|
<sect2>
|
||||||
<title>Enabling and Configuring Resource Limits</title>
|
<title>Enabling and Configuring Resource Limits</title>
|
||||||
|
|
||||||
<para>By default, kernel support for <command>rctl</command> is
|
<para>By default, kernel support for <command>rctl</command> is
|
||||||
not built-in, meaning that the kernel will first need to be
|
not built-in, meaning that the kernel will first need to be
|
||||||
recompiled using the instructions in <xref
|
recompiled using the instructions in <xref
|
||||||
linkend="kernelconfig"/>. Add these lines to either
|
linkend="kernelconfig"/>. Add these lines to either
|
||||||
<filename>GENERIC</filename> or a custom kernel
|
<filename>GENERIC</filename> or a custom kernel configuration
|
||||||
configuration file, then rebuild the kernel:</para>
|
file, then rebuild the kernel:</para>
|
||||||
|
|
||||||
<programlisting>options RACCT
|
<programlisting>options RACCT
|
||||||
options RCTL</programlisting>
|
options RCTL</programlisting>
|
||||||
|
|
||||||
<para>Once the system has rebooted into the new kernel,
|
<para>Once the system has rebooted into the new kernel,
|
||||||
<command>rctl</command> may be used to set rules for the
|
<command>rctl</command> may be used to set rules for the
|
||||||
system.</para>
|
system.</para>
|
||||||
|
|
||||||
<para>Rule syntax is controlled through the use of
|
<para>Rule syntax is controlled through the use of a subject,
|
||||||
a subject,
|
subject-id, resource, and action, as seen in this example
|
||||||
subject-id, resource,
|
rule:</para>
|
||||||
and action, as seen in this example
|
|
||||||
rule:</para>
|
|
||||||
|
|
||||||
<programlisting>user:trhodes:maxproc:deny=10/user</programlisting>
|
<programlisting>user:trhodes:maxproc:deny=10/user</programlisting>
|
||||||
|
|
||||||
<para>In this rule, the subject
|
<para>In this rule, the subject is <literal>user</literal>, the
|
||||||
is <literal>user</literal>, the subject-id is
|
subject-id is <literal>trhodes</literal>, the resource,
|
||||||
<literal>trhodes</literal>, the resource,
|
<literal>maxproc</literal>, is the maximum number of
|
||||||
<literal>maxproc</literal>, is the maximum
|
processes, and the action is <literal>deny</literal>, which
|
||||||
number of processes, and the
|
blocks any new processes from being created. This means that
|
||||||
action is <literal>deny</literal>, which blocks any
|
the user, <literal>trhodes</literal>, will be constrained to
|
||||||
new processes from being created. This means that the
|
no greater than <literal>10</literal> processes. Other
|
||||||
user, <literal>trhodes</literal>, will be constrained to no greater than
|
possible actions include logging to the console, passing a
|
||||||
<literal>10</literal> processes. Other possible
|
notification to &man.devd.8;, or sending a sigterm to the
|
||||||
actions include logging to the console, passing a
|
process.</para>
|
||||||
notification to &man.devd.8;, or sending a sigterm to the
|
|
||||||
process.</para>
|
|
||||||
|
|
||||||
<para>Some care must be taken when adding rules. Since this user
|
<para>Some care must be taken when adding rules. Since this
|
||||||
is constrained to <literal>10</literal> processes, this example
|
user is constrained to <literal>10</literal> processes, this
|
||||||
will prevent the user from performing other
|
example will prevent the user from performing other tasks
|
||||||
tasks after logging in and executing a
|
after logging in and executing a
|
||||||
<command>screen</command> session. Once a resource limit has
|
<command>screen</command> session. Once a resource limit has
|
||||||
been hit, an error will be printed, as in this example:</para>
|
been hit, an error will be printed, as in this example:</para>
|
||||||
|
|
||||||
<screen>&prompt.user; <userinput>man test</userinput>
|
<screen>&prompt.user; <userinput>man test</userinput>
|
||||||
/usr/bin/man: Cannot fork: Resource temporarily unavailable
|
/usr/bin/man: Cannot fork: Resource temporarily unavailable
|
||||||
eval: Cannot fork: Resource temporarily unavailable</screen>
|
eval: Cannot fork: Resource temporarily unavailable</screen>
|
||||||
|
|
||||||
<para>As another example,
|
<para>As another example, a jail can be prevented from exceeding
|
||||||
a jail can be prevented from exceeding a memory limit. This rule could be
|
a memory limit. This rule could be written as:</para>
|
||||||
written as:</para>
|
|
||||||
|
|
||||||
<screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen>
|
<screen>&prompt.root; <userinput>rctl -a jail:httpd:memoryuse:deny=2G/jail</userinput></screen>
|
||||||
|
|
||||||
<para>Rules will persist across reboots if they have been
|
<para>Rules will persist across reboots if they have been added
|
||||||
added to <filename>/etc/rctl.conf</filename>. The format is a
|
to <filename>/etc/rctl.conf</filename>. The format is a rule,
|
||||||
rule, without the preceding command. For example, the previous
|
without the preceding command. For example, the previous rule
|
||||||
rule could be added as:</para>
|
could be added as:</para>
|
||||||
|
|
||||||
<programlisting># Block jail from using more than 2G memory:
|
<programlisting># Block jail from using more than 2G memory:
|
||||||
jail:httpd:memoryuse:deny=2G/jail</programlisting>
|
jail:httpd:memoryuse:deny=2G/jail</programlisting>
|
||||||
|
|
||||||
<para>To remove a rule, use <command>rctl</command> to
|
<para>To remove a rule, use <command>rctl</command> to remove it
|
||||||
remove it from the list:</para>
|
from the list:</para>
|
||||||
|
|
||||||
<screen>&prompt.root; <userinput>rctl -r user:trhodes:maxproc:deny=10/user</userinput></screen>
|
<screen>&prompt.root; <userinput>rctl -r user:trhodes:maxproc:deny=10/user</userinput></screen>
|
||||||
|
|
||||||
<para>A method for removing all rules is documented in &man.rctl.8;.
|
<para>A method for removing all rules is documented in
|
||||||
However, if removing all rules for a single user is required,
|
&man.rctl.8;. However, if removing all rules for a single
|
||||||
this command may be issued:</para>
|
user is required, this command may be issued:</para>
|
||||||
|
|
||||||
<screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen>
|
<screen>&prompt.root; <userinput>rctl -r user:trhodes</userinput></screen>
|
||||||
|
|
||||||
<para>Many other resources exist which can be used to exert
|
<para>Many other resources exist which can be used to exert
|
||||||
additional control over various <literal>subjects</literal>.
|
additional control over various <literal>subjects</literal>.
|
||||||
See &man.rctl.8; to learn about them.</para>
|
See &man.rctl.8; to learn about them.</para>
|
||||||
</sect2>
|
</sect2>
|
||||||
</sect1>
|
</sect1>
|
||||||
</chapter>
|
</chapter>
|
||||||
|
|
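Review bot: Two wording problems are carried over unchanged in this hunk and should go into a separate follow-up commit, since this one is declared whitespace-only: "a more fine-grained method of controlling resources limits for users" should read "resource limits", and "sending a sigterm to the process" names a signal, which elsewhere in this chapter would be marked up as a literal, for example `<literal>SIGTERM</literal>`, in the same way `deny` and `maxproc` are. The rest of the hunk (the `options RACCT` / `options RCTL` listing, the `rctl -a`, `rctl -r` screens and the `/etc/rctl.conf` listing) is identical on both sides apart from line breaks and indentation.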