Changeset 2197589 for postlfs/security

Timestamp:

06/30/2004 09:20:29 PM (20 years ago)

Author:

Randy McMurchy <randy@…>

Branches:

10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal

Children:

e40cb61

Parents:

f3e295d5

Message:

Updated to iptables-1.2.11; added missing tags in various package instructions

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2403 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:

postlfs/security

Files:

• cracklib.xml (modified) (6 diffs)
• iptables.xml (modified) (7 diffs)
• linux_pam.xml (modified) (4 diffs)
• shadow.xml (modified) (6 diffs)

postlfs/security/cracklib.xml

@@ -18 +18 @@
 <title>cracklib-&cracklib-version;</title>
 
-
 <sect2>
 <title>Introduction to <application>cracklib</application></title>
 
-<para>The cracklib package contains a library used to enforce strong passwords
-by comparing user selected passwords to words in a chosen wordlist.</para>
+<para>The <application>cracklib</application> package contains a library used 
+to enforce strong passwords by comparing user selected passwords to words in a 
+chosen wordlist.</para>
 
 <sect3><title>Package information</title>
@@ -46 +46 @@
 </itemizedlist>
 
-<para>You will also need to download a wordlist for use with cracklib.  There
-are two wordlists to choose from at the following location.  Use the
-<filename>cracklib</filename> word list for good security, or opt for the
-<filename>allwords</filename> word list for lightweight machines short on
-<acronym>RAM</acronym>.  You can of course choose any other word list that you
-have at your disposal.</para>
+<para>You will also need to download a wordlist for use with 
+<application>cracklib</application>. There are two wordlists to choose from at 
+the following location.  Use the <filename>cracklib</filename> word list for 
+good security, or opt for the <filename>allwords</filename> word list for 
+lightweight machines short on <acronym>RAM</acronym>. You can of course choose 
+any other word list that you have at your disposal.</para>
 
-<para>cracklib (&crackdict-size;): <ulink url="http://www.cotse.com/wordlists/cracklib"/></para>
-<para>allwords (&alldict-size;): <ulink url="http://www.cotse.com/wordlists/allwords"/></para>
+<itemizedlist spacing='compact'>
+<listitem><para>cracklib (&crackdict-size;): <ulink 
+url="http://www.cotse.com/wordlists/cracklib"/></para></listitem>
+<listitem><para>allwords (&alldict-size;): <ulink 
+url="http://www.cotse.com/wordlists/allwords"/></para></listitem>
+</itemizedlist>
 
 </sect3>
@@ -63 +67 @@
 <title>Installation of <application>cracklib</application></title>
 
-<para>First, we need to install the chosen word list for cracklib:</para>
+<para>First, install the chosen word list for cracklib:</para>
 
 <screen><userinput><command>install -d -m755 /usr/share/dict &amp;&amp;
@@ -72 +76 @@
 <para>The wordlist is linked to <filename>/usr/share/dict/words</filename> as 
 historically, <filename>words</filename> is the primary wordlist in the 
-<filename class="directory">/usr/share/dict</filename> directory.  We also echo 
-the value of hostname to a file called <filename>extra.words</filename>.  This 
-extra file is intended to be a site specific list which includes easy to guess 
-passwords such as company or department names, user's names, product 
-names, computer names, domain names, etc.</para>
+<filename class="directory">/usr/share/dict</filename> directory. Additionally, 
+the value of <command>hostname</command> is echoed to a file called 
+<filename>extra.words</filename>. This extra file is intended to be a site 
+specific list which includes easy to guess passwords such as company or 
+department names, user's names, product names, computer names, domain names, 
+etc.</para>
 
-<para>Now apply the BLFS patch:</para>
+<para>Now apply the <acronym>BLFS</acronym> patch:</para>
 
 <screen><userinput><command>patch -Np1 -i ../cracklib,&cracklib-version;-blfs-1.patch</command></userinput></screen>
 
-<para>If necessary, apply the heimdal patch:</para>
+<para>If necessary, apply the <application>Heimdal</application> patch:</para>
 
 <screen><userinput><command>cp -R cracklib cracklib_krb5 &amp;&amp;
 patch -Np1 -i ../cracklib,&cracklib-version;-heimdal-1.patch</command></userinput></screen>
 
-<para>Finally install the package:</para>
+<para>Finally, install the package:</para>
 <screen><userinput><command>make install</command></userinput></screen>
 
@@ -95 +100 @@
 <title>Contents</title>
 
-<para>The <application>cracklib</application> package 
-contains the <filename class="libraryfile">libcrack</filename> 
-library.</para>
+<para>The <application>cracklib</application> package contains the 
+<filename class="libraryfile">libcrack</filename> and optionally, the 
+<filename class="libraryfile">libcrack_krb5</filename> libraries.</para>
 
 </sect2>
@@ -103 +108 @@
 <sect2><title>Description</title>
 
-<sect3><title>libcrack library</title>
-<para>The <filename class="libraryfile">libcrack</filename> library
-provides a fast dictionary lookup method for strong password
-enforcement.</para></sect3>
+<sect3><title>libcrack libraries</title>
+<para>The <filename class="libraryfile">libcrack</filename> libraries provide 
+a fast dictionary lookup method for strong password enforcement.</para></sect3>
 
 </sect2>

postlfs/security/iptables.xml

@@ -7 +7 @@
   <!ENTITY iptables-download-http "http://www.iptables.org/files/iptables-&iptables-version;.tar.bz2">
   <!ENTITY iptables-download-ftp  "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
-  <!ENTITY iptables-size          "183 KB">
-  <!ENTITY iptables-buildsize     "3.4 MB">
+  <!ENTITY iptables-size          "157 KB">
+  <!ENTITY iptables-buildsize     "4.4 MB">
   <!ENTITY iptables-time          "0.13 SBU">
 ]>
@@ -30 +30 @@
 <application>iptables</application>, you will need
 to configure the relevant options into your kernel.  This is discussed
-in the next part of this chapter - <xref linkend="postlfs-security-fw-kernel"/>.</para>
+in the next part of this chapter &ndash; 
+<xref linkend="postlfs-security-fw-kernel"/>.</para>
 
 <para>If you intend to use <acronym>IP</acronym>v6 you might consider extending
 the kernel by running <command>make patch-o-matic</command> in the top-level
-directory of the sources of <application>iptables</application>.  If you are 
+source tree directory of <application>iptables</application>.  If you are 
 going to do this, on a freshly untarred kernel, you need to run 
 <command>yes "" | make config &amp;&amp; make dep</command> first because 
@@ -47 +48 @@
 into <application>iptables</application> for the features recognized at 
 compile-time.  Applying a kernel patch may result in errors, often because the 
-hooks for the patches have changed or because the runme script doesn't 
-recognize that a patch has already been incorporated.</para>
+hooks for the patches have changed or because the <command>runme</command> 
+script doesn't recognize that a patch has already been incorporated.</para>
 
 <para>Note that for most people, patching the kernel is unnecessary.
@@ -71 +72 @@
 </sect2>
 
-
 <sect2>
 <title>Installation of <application>iptables</application></title>
 
-<para>Install <application>iptables</application> by running the following commands:</para>
+<para>Install <application>iptables</application> by running the following 
+commands:</para>
 
 <screen><userinput><command>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin &amp;&amp;
@@ -82 +83 @@
 </sect2>
 
-
 <sect2>
 <title>Command explanations</title>
 
-<para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>: Compiles and installs 
-<application>iptables</application> libraries into <filename
-class="directory">/lib</filename>, binaries into <filename
-class="directory">/sbin</filename> and the remainder into the 
+<para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>: Compiles 
+and installs <application>iptables</application> libraries into 
+<filename class="directory">/lib</filename>, binaries into 
+<filename class="directory">/sbin</filename> and the remainder into the 
 <filename class="directory">/usr</filename> hierarchy instead of 
 <filename class="directory">/usr/local</filename>. Firewalls are
-generally set during the boot process and <filename
-class="directory">/usr</filename> may not be mounted at that time.</para>
+generally activated during the boot process and 
+<filename class="directory">/usr</filename> may not be mounted at that 
+time.</para>
 
 </sect2>
@@ -100 +101 @@
 <title>Contents</title>
 
-<para>The <application>iptables</application> package contains <command>iptables</command>,
-<command>iptables-restore</command>, <command>iptables-save</command>,
-<command>ip6tables</command> and some libraries.</para>
+<para>The <application>iptables</application> package contains 
+<command>iptables</command>, <command>iptables-restore</command>, 
+<command>iptables-save</command>, <command>ip6tables</command> 
+and the <filename class='libraryfile'>libip*.so</filename> library
+modules.</para>
 
 </sect2>
@@ -122 +125 @@
 <para>This is the same as <command>iptables</command> but for use with
 <acronym>IP</acronym>v6.  As of v1.2.5, it is not as complete as the standard 
-<acronym>IP</acronym>v4 version, especially with regard to some of the modules.</para>
+<acronym>IP</acronym>v4 version, especially with regard to some of the 
+modules.</para>
 </sect3>
 
-<sect3><title>libip*.so</title>
+<sect3><title>libip*.so library modules</title>
 <para>These are various modules (implemented as dynamic libraries) which
 extend the core functionality of <command>iptables</command>.</para>

postlfs/security/linux_pam.xml

@@ -75 +75 @@
 
 <para><command>autoconf</command>:  This is necessary because the patch 
-changes where <acronym>PAM</acronym> looks for the cracklib libraries, 
-requiring regeneration of the configure script.</para>
+changes where <acronym>PAM</acronym> looks for the 
+<application>cracklib</application> libraries, requiring regeneration of the 
+configure script.</para>
 
 <para><option>--enable-static-libpam</option>: This switch builds
@@ -99 +100 @@
 
 <sect3><title>Config files</title>
-<para><filename>/etc/pam.d</filename> or <filename>/etc/pam.conf</filename>
+<para><filename>/etc/pam.d/*</filename> or <filename>/etc/pam.conf</filename>
 </para></sect3>
 
 <sect3><title>Configuration Information</title>
 
-<para>Configuration information is placed in <filename>/etc/pam.d</filename> or
+<para>Configuration information is placed in 
+<filename class='directory'>/etc/pam.d/</filename> or
 <filename>/etc/pam.conf</filename> depending on user preference.  Below are
 example files of each type:</para>
@@ -145 +147 @@
 
 <para>The <application>Linux-<acronym>PAM</acronym></application> package 
-contains <command>unix-chkpwd</command> and <filename
-class="libraryfile">libpam</filename> 
-libraries.</para>
+contains <command>unix-chkpwd</command>, 
+<filename class="libraryfile">libpam</filename> libraries and 
+<acronym>PAM</acronym> modules.</para>
 
 </sect2>
@@ -159 +161 @@
 <sect3><title>libpam libraries</title>
 <para><filename class="libraryfile">libpam</filename> libraries provide the 
-interfaces between applications and the modules included with 
-<acronym>PAM</acronym>.</para></sect3>
+interfaces between applications and the <acronym>PAM</acronym> modules.</para>
+</sect3>
+
+<sect3><title><acronym>PAM</acronym> modules</title>
+<para><acronym>PAM</acronym> modules are the Pluggable Authentication Modules 
+installed in <filename class='directory'>/lib/security/</filename>.</para>
+</sect3>
 
 </sect2>

postlfs/security/shadow.xml

@@ -32 +32 @@
 -->
 
-
 <sect2>
 <title>Introduction to <application>Shadow</application></title>
@@ -56 +55 @@
 </sect2>
 
-
-<sect2>
-<title>Installation of <application>shadow</application></title>
-
-<para>Reinstall shadow by running the following commands:</para>
+<sect2>
+<title>Installation of <application>Shadow</application></title>
+
+<para>Reinstall <application>Shadow</application> by running the following 
+commands:</para>
 
 <screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
@@ -77 +76 @@
 </sect2>
 
-
 <sect2>
 <title>Command explanations</title>
 
-<para><parameter>--without-libcrack</parameter>: This switch tells shadow
-not to use libcrack. This is desired as
-<application>Linux-<acronym>PAM</acronym></application> already
-contains libcrack.</para>
+<para><parameter>--without-libcrack</parameter>: This switch tells 
+<application>Shadow</application> not to use 
+<filename class='libraryfile'>libcrack</filename>. This is desired as
+<application>Linux-<acronym>PAM</acronym></application> already contains 
+<filename class='libraryfile'>libcrack</filename>.</para>
 
 <!--  Leftover from older instructions????
@@ -93 +92 @@
 </sect2>
 
-
-<sect2>
-<title>Configuring <application><acronym>PAM</acronym></application> to work 
-with <application>shadow</application></title>
+<sect2>
+<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to work 
+with <application>Shadow</application></title>
 
 <sect3><title>Config files</title>
@@ -102 +100 @@
 <filename>/etc/pam.d/passwd</filename>,
 <filename>/etc/pam.d/su</filename>,
-<filename>/etc/pam.d/shadow</filename>, and
-<filename>/etc/pam.d/useradd</filename></para>
+<filename>/etc/pam.d/shadow</filename>, 
+<filename>/etc/pam.d/useradd</filename>, and 
+<filename>/etc/pam.d/chage</filename> &ndash; 
+alternatively, <filename>/etc/pam.conf</filename></para>
 </sect3>
 
 <sect3><title>Configuration Information</title>
 
-<para>Add the following <application><acronym>PAM</acronym></application> 
-configuration files to <filename class="directory">/etc/pam.d</filename> (or add them to
-<filename>/etc/pam.conf</filename> with the additional field for the program).
-</para>
+<para>Add the following <application>Linux-<acronym>PAM</acronym></application> 
+configuration files to <filename class="directory">/etc/pam.d/</filename> (or 
+add them to <filename>/etc/pam.conf</filename> with the additional field for 
+the program).</para>
+
 <screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
 # Begin /etc/pam.d/login
@@ -183 +184 @@
 allow anyone with an account on the machine to use programs
 that do not specifically have a configuration file of their own. After
-testing <application><acronym>PAM</acronym></application> for proper 
+testing <application>Linux-<acronym>PAM</acronym></application> for proper 
 configuration, it can be changed to the following:</para>