os/doc
3
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Run through aspell.

Browse source
This commit is contained in:
Tom Rhodes 2004-08-31 20:13:37 +00:00
parent 9e8bc7243d
commit e95945c072
Notes: svn2git 2020-12-08 03:00:23 +00:00 
svn path=/head/; revision=22194
1 changed files with 12 additions and 12 deletions

24
en_US.ISO8859-1/books/handbook/security/chapter.sgml
View file

@ -85,7 +85,7 @@
</listitem> </listitem>
<listitem> <listitem>
<para>How to utililize the &os; security advisories <para>How to utilize the &os; security advisories
publications.</para> publications.</para>
</listitem> </listitem>
@ -116,7 +116,7 @@
servers &mdash; meaning that external entities can connect and talk servers &mdash; meaning that external entities can connect and talk
to them. As yesterday's mini-computers and mainframes become to them. As yesterday's mini-computers and mainframes become
today's desktops, and as computers become networked and today's desktops, and as computers become networked and
internetworked, security becomes an even bigger issue.</para> internetwork, security becomes an even bigger issue.</para>
<para>Security is best implemented through a layered <para>Security is best implemented through a layered
<quote>onion</quote> approach. In a nutshell, what you want to do is <quote>onion</quote> approach. In a nutshell, what you want to do is
@ -269,7 +269,7 @@
<listitem> <listitem>
<para>Securing the kernel core, raw devices, and <para>Securing the kernel core, raw devices, and
filesystems.</para> file systems.</para>
</listitem> </listitem>
<listitem> <listitem>
@ -325,7 +325,7 @@
machine. What it does mean is that you should not make it machine. What it does mean is that you should not make it
possible to use the password outside of the console or possibly possible to use the password outside of the console or possibly
even with the &man.su.1; command. For example, make sure that even with the &man.su.1; command. For example, make sure that
your pty's are specified as being insecure in the your ptys are specified as being insecure in the
<filename>/etc/ttys</filename> file so that direct <filename>/etc/ttys</filename> file so that direct
<username>root</username> logins <username>root</username> logins
via <command>telnet</command> or <command>rlogin</command> are via <command>telnet</command> or <command>rlogin</command> are
@ -545,7 +545,7 @@
and thus read the encrypted password file, potentially compromising and thus read the encrypted password file, potentially compromising
any passworded account. Alternatively an intruder who breaks any passworded account. Alternatively an intruder who breaks
group <literal>kmem</literal> can monitor keystrokes sent through group <literal>kmem</literal> can monitor keystrokes sent through
pty's, including pty's used by users who login through secure ptys, including Pt's used by users who login through secure
methods. An intruder that breaks the <groupname>tty</groupname> methods. An intruder that breaks the <groupname>tty</groupname>
group can write to group can write to
almost any user's tty. If a user is running a terminal program or almost any user's tty. If a user is running a terminal program or
@ -589,7 +589,7 @@
<sect2> <sect2>
<title>Securing the Kernel Core, Raw Devices, and <title>Securing the Kernel Core, Raw Devices, and
Filesystems</title> File systems</title>
<para>If an attacker breaks <username>root</username> he can do <para>If an attacker breaks <username>root</username> he can do
just about anything, but just about anything, but
@ -667,7 +667,7 @@
allow the limited-access box to ssh to allow the limited-access box to ssh to
the other machines. Except for its network traffic, NFS is the the other machines. Except for its network traffic, NFS is the
least visible method &mdash; allowing you to monitor the least visible method &mdash; allowing you to monitor the
filesystems on each client box virtually undetected. If your file systems on each client box virtually undetected. If your
limited-access server is connected to the client boxes through a limited-access server is connected to the client boxes through a
switch, the NFS method is often the better choice. If your switch, the NFS method is often the better choice. If your
limited-access server is connected to the client boxes through a limited-access server is connected to the client boxes through a
@ -952,7 +952,7 @@
<para>We recommend that you use ssh in <para>We recommend that you use ssh in
combination with Kerberos whenever possible for staff logins. combination with Kerberos whenever possible for staff logins.
<application>ssh</application> can be compiled with Kerberos <application>ssh</application> can be compiled with Kerberos
support. This reduces your reliance on potentially exposable support. This reduces your reliance on potentially exposed
ssh keys while at the same time ssh keys while at the same time
protecting passwords via Kerberos. ssh protecting passwords via Kerberos. ssh
keys should only be used for automated tasks from secure machines keys should only be used for automated tasks from secure machines
@ -1419,7 +1419,7 @@ permit port ttyd0</programlisting>
&unix; passwords at any time. Generally speaking, this should only &unix; passwords at any time. Generally speaking, this should only
be used for people who are either unable to use the be used for people who are either unable to use the
<command>key</command> program, like those with dumb terminals, or <command>key</command> program, like those with dumb terminals, or
those who are uneducable.</para> those who are ineducable.</para>
<para>The third line (<literal>permit port</literal>) allows all <para>The third line (<literal>permit port</literal>) allows all
users logging in on the specified terminal line to use &unix; users logging in on the specified terminal line to use &unix;
@ -1997,7 +1997,7 @@ FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
description.</para> description.</para>
<para>For purposes of demonstrating a <application>Kerberos</application> <para>For purposes of demonstrating a <application>Kerberos</application>
installation, the various namespaces will be handled as follows:</para> installation, the various name spaces will be handled as follows:</para>
<itemizedlist> <itemizedlist>
<listitem> <listitem>
@ -2591,7 +2591,7 @@ jdoe@example.org</screen>
<application>Kerberos</application> enabling all remote shells <application>Kerberos</application> enabling all remote shells
(via <command>rsh</command> and <command>telnet</command>, for (via <command>rsh</command> and <command>telnet</command>, for
example) but not converting the <acronym>POP3</acronym> mail example) but not converting the <acronym>POP3</acronym> mail
server which sends passwords in plaintext.</para> server which sends passwords in plain text.</para>
</sect3> </sect3>
@ -2679,7 +2679,7 @@ jdoe@example.org</screen>
<listitem> <listitem>
<para><ulink url="http://web.mit.edu/Kerberos/www/dialogue.html">Designing <para><ulink url="http://web.mit.edu/Kerberos/www/dialogue.html">Designing
an Authentication System: a Dialogue in Four Scenes</ulink></para> an Authentication System: a Dialog in Four Scenes</ulink></para>
</listitem> </listitem>
<listitem> <listitem>