Subversion Repositories svn LFS-FR

Compare Revisions

Rev 1047 → Rev 1048

/trunk/blfs/postlfs/config/profile.xml
1,82 → 1,108
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-config-profile" xreflabel="Les fichiers de démarrage Bash">
<?dbhtml filename="profile.html"?>
<title>Les fichiers de démarrage du shell Bash</title>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<para>Le programme shell <filename>/bin/bash</filename> (que l'on nommera
simplement "le shell" à partir de maintenant) utilise une collection de fichiers
de démarrage pour aider à la création d'un environnement de travail. Chaque
fichier a une utilisation spécifique et peut affecter différemment la connexion
et les environnements interactifs. Les fichiers dans le répertoire
<filename class="directory">/etc</filename> apportent habituellement une configuration globale.
Si un fichier équivalent existe dans votre répertoire personnel, il pourrait
écraser les paramètrages globaux.</para>
<sect1 id="postlfs-config-profile" xreflabel="The Bash Shell Startup Files">
<?dbhtml filename="profile.html"?>
 
<para>Un shell interactif de connexion est lancé après une connexion réussie en
utilisant <filename>/bin/login</filename> et en lisant le fichier
<filename>/etc/passwd</filename>. Cet appel lit habituellement
<filename>/etc/profile</filename> et son équivalent personnel
<filename>~/.bash_profile</filename> au lancement.</para>
<sect1info>
<othername>$LastChangedBy: ken $</othername>
<date>$Date: 2009-06-27 12:10:28 +0200 (sam 27 jun 2009) $</date>
</sect1info>
 
<para>Un shell interactif sans connexion est habituellement lancé à la ligne de
commande (c'est-à-dire <prompt>[invite]$</prompt><command>/bin/bash</command>)
ou par la commande <command>/bin/su</command>. Un shell interactif sans
connexion est aussi lancé avec un programme de type terminal comme
<command>xterm</command> ou <command>konsole</command> à l'intérieur d'un
environnement graphique. Ce type d'appel de shell copie normalement
l'environnement parent puis lit le fichier <filename>~/.bashrc</filename> de
l'utilisateur pour les instructions de configuration supplémentaires.</para>
<title>The Bash Shell Startup Files</title>
 
<para>Un shell non interactif est généralement présent lorsqu'un script shell
est lancé. Il est non interactif car il exécute un script et n'attend pas une
saisie de l'utilisateur entre les commandes. Pour ces appels de shell, seul
l'environnement hérité du shell parent est utilisé.</para>
<para>The shell program <filename>/bin/bash</filename> (hereafter
referred to as just "the shell") uses a collection of startup files to
help create an environment. Each file has a specific use et
may affect login et interactive environments differently. The files in
the <filename class="directory">/etc</filename> directory generally provide
global settings. If an equivalent file exists in your home directory it may
override the global settings.</para>
 
<para>Le fichier <filename>~/.bash_logout</filename> n'est pas utilisé pour un
appel du shell. Il est lu et exécuté à la sortie du shell par un
utilisateur.</para>
<para>An interactive login shell is started after a successful login, using
<filename>/bin/login</filename>, by reading the <filename>/etc/passwd</filename>
file. This shell invocation normally reads <filename>/etc/profile</filename>
et its private equivalent <filename>~/.bash_profile</filename> upon
startup.</para>
 
<para>Aux fichiers standards, nous pouvons aussi
ajouter <filename>/etc/bashrc</filename>, appelé à partir du
<filename>~/.bashrc</filename> de l'utilisateur pour l'initialisation système
des shells sans connexion.</para>
<para>An interactive non-login shell is normally started at the command-line
using a shell program (e.g.,
<prompt>[prompt]$</prompt><command>/bin/bash</command>) or by the
<command>/bin/su</command> command. An interactive non-login shell is also
started with a terminal program such as <command>xterm</command> or
<command>konsole</command> from within a graphical environment. This type of
shell invocation normally copies the parent environment et then reads the
user's <filename>~/.bashrc</filename> file for additional startup configuration
instructions.</para>
 
<para>Pour plus d'informations, voir <command>info bash</command> --
<emphasis role="strong">Noeud: Bash Startup Files and Interactive
Shells</emphasis>.</para>
<para>A non-interactive shell is usually present when a shell script is
running. It is non-interactive because it is processing a script et not
waiting for user input between commands. For these shell invocations, only
the environment inherited from the parent shell is used.</para>
 
<sect2>
<title><filename>/etc/profile</filename></title>
<para> The file <filename>~/.bash_logout</filename> is not used for an
invocation of the shell. It is read et executed when a user exits from an
interactive login shell.</para>
 
<para>Voici un <filename>/etc/profile</filename> de base. Ce fichier commence
par l'initialisation de quelques fontions d'aide et autres paramètres basiques.
Il spécifie quelques paramètres d'historique pour <filename>bash</filename>
et, pour des raisons de sécurité, désactive la conservation du fichier
d'historique permanent de l'utilisateur root. Il initialise aussi une invite
par défaut. Il appelle ensuite des petits scripts à but unique dans le
répertoire <filename class='directory'>/etc/profile.d</filename> fournissant
d'autres initialisations.</para>
<para>Many distributions use <filename>/etc/bashrc</filename> for system wide
initialization of non-login shells. This file is usually called from the
user's <filename>~/.bashrc</filename> file et is not built directly into
<command>bash</command> itself. This convention is followed in this
section.</para>
 
<para>Pour plus d'informations sur les séquences d'échappement que vous
pouvez utiliser avec votre invite (c'est-à-dire la variable d'environnement
n<envar>PS1</envar>), voir <command>info
bash</command> -- <emphasis role="strong">N&oelig;ud&nbsp;: afficher une
invite.</emphasis></para>
<para>For more information see <command>info bash</command> --
<emphasis role="strong">Nodes: Bash Startup Files et Interactive
Shells</emphasis>.</para>
 
<screen><userinput><command>cat &gt; /etc/profile &lt;&lt; "EOF"</command>
# Début de /etc/profile
# Écrit pour Beyond Linux From Scratch
# par James Robertson &lt;jameswrobertson@earthlink.net&gt;
# modifications par Dagmar d'Surreal &lt;rivyqntzne@pbzpnfg.arg&gt;
<note>
<para>Most of the instructions below are used to create files located in
the <filename class='directory'>/etc</filename> directory structure which
requires you to execute the commands as the
<systemitem class='username'>root</systemitem> user. If you elect to create
the files in user's home directories instead, you should run the commands
as an unprivileged user.</para>
</note>
 
# Variables d'environnement globales et programmes de démarrage
<sect2 id="etc-profile-profile">
<title>/etc/profile</title>
 
# Les alias systèmes et les fonctions doivent aller dans /etc/bashrc. Les
# variables d'environnements et les programmes de lancement personnels doivent
# aller dans ~/.bash_profile. Les alias et fonctions personnels doivent aller
# dans ~/.bashrc.
<indexterm zone="postlfs-config-profile etc-profile-profile">
<primary sortas="e-etc-profile">/etc/profile</primary>
</indexterm>
 
# Fonction d'aide à la gestion des chemins.
<para>Here is a base <filename>/etc/profile</filename>. This file starts by
setting up some helper functions et some basic parameters. It specifies some
<command>bash</command> history parameters et, for security purposes,
disables keeping a permanent history file for the <systemitem
class="username">root</systemitem> user. It also sets a
default user prompt. It then calls small, single purpose scripts in the
<filename class='directory'>/etc/profile.d</filename> directory to provide most
of the initialization.</para>
 
<para>For more information on the escape sequences you can use for your prompt
(i.e., the <envar>PS1</envar> environment variable) see <command>info
bash</command> -- <emphasis role="strong">Node: Printing a
Prompt</emphasis>.</para>
 
<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/profile &lt;&lt; "EOF"
<literal># Begin /etc/profile
# Written for Beyond Linux From Scratch
# by James Robertson &lt;jameswrobertson@earthlink.net&gt;
# modifications by Dagmar d'Surreal &lt;rivyqntzne@pbzpnfg.arg&gt;
 
# System wide environment variables et startup programs.
 
# System wide aliases et functions should go in /etc/bashrc. Personal
# environment variables et startup programs should go into
# ~/.bash_profile. Personal aliases et functions should go into
# ~/.bashrc.
 
# Functions to help us manage paths. Second argument is the name of the
# path variable to be modified (default: PATH)
pathremove () {
local IFS=':'
local NEWPATH
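Review bot: The English text introduced in this hunk has "et" where "and" belongs, both in the paragraphs ("Each file has a specific use et may affect login et interactive environments") and inside the heredoc that becomes /etc/profile ("# System wide aliases et functions should go in /etc/bashrc"). This reads like a word-level substitution rather than a translation; either keep the English sentences intact or translate whole sentences, so that the comments written into the installed file stay readable. The added note about running the /etc commands as root is the right place to also say that /etc/profile, which every login shell reads, must stay writable by root only.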
89,83 → 115,111
done
export $PATHVARIABLE="$NEWPATH"
}
 
pathprepend () {
pathremove $1 $2
local PATHVARIABLE=${2:-PATH}
export $PATHVARIABLE="$1${!PATHVARIABLE:+:${!PATHVARIABLE}}"
}
 
pathappend () {
pathremove $1 $2
local PATHVARIABLE=${2:-PATH}
export $PATHVARIABLE="${!PATHVARIABLE:+${!PATHVARIABLE}:}$1"
}
 
 
# Set the initial path
export PATH=/bin:/usr/bin
 
if [ $EUID -eq 0 ] ; then
pathappend /sbin:/usr/sbin
unset HISTFILE
fi
# Configuration de quelques variables d'environnement.
 
# Setup some environment variables.
export HISTSIZE=1000
export HISTIGNORE="&amp;:[bf]g:exit"
#export PS1="[\u@\h \w]\\$ "
export PS1='\u@\h:\w\$ '
 
# Setup a red prompt for root et a green one for users.
NORMAL="\[\e[0m\]"
RED="\[\e[1;31m\]"
GREEN="\[\e[1;32m\]"
if [[ $EUID == 0 ]] ; then
PS1="$RED\u [ $NORMAL\w$RED ]# $NORMAL"
else
PS1="$GREEN\u [ $NORMAL\w$GREEN ]\$ $NORMAL"
fi
 
for script in /etc/profile.d/*.sh ; do
if [ -x $script ] ; then
if [ -r $script ] ; then
. $script
fi
done
# Now to clean up after ourselves
unset pathremove pathprepend pathappend
 
# Fin /etc/profile
<command>EOF</command></userinput></screen>
# Now to clean up
unset pathremove pathprepend pathappend
 
<para>Maintenant, créez le répertoire <filename
class='directory'>/etc/profile.d</filename>.</para>
# End /etc/profile</literal>
EOF</userinput></screen>
 
<screen><userinput><command>install --directory --mode=0755 --owner=root --group=root /etc/profile.d</command></userinput></screen>
<sect3 id="etc-profile.d">
<title>The /etc/profile.d Directory</title>
 
<sect3>
<title><filename>/etc/profile.d/dircolors.sh</filename></title>
<indexterm zone="postlfs-config-profile etc-profile.d">
<primary sortas="e-etc-profile.d">/etc/profile.d</primary>
</indexterm>
 
<para>Ce script utilise les fichiers <filename>~/.dircolors</filename> et
<filename>/etc/dircolors</filename> pour contrôler les couleurs des noms de
fichiers dans une liste du répertoire. Ils contrôlent la sortie colorisée de
choses comme <command>ls --color</command>. L'explication sur l'initialisation
de ces fichiers se trouve à la fin de cette section.</para>
<para>Maintenant create the <filename class='directory'>/etc/profile.d</filename>
directory, where the individual initialization scripts are placed:</para>
 
<screen role="root"><userinput>install --directory --mode=0755 --owner=root --group=root /etc/profile.d</userinput></screen>
 
<screen><userinput><command>cat &gt; /etc/profile.d/dircolors.sh &lt;&lt; "EOF"</command>
# Configuration pour le support de la couleur dans /bin/ls, l'alias est
#+ dans /etc/bashrc.
</sect3>
 
<sect3 id="etc-profile.d-dircolors.sh">
<title>/etc/profile.d/dircolors.sh</title>
 
<indexterm zone="postlfs-config-profile etc-profile.d-dircolors.sh">
<primary sortas="e-etc-profile.d-dircolors.sh">/etc/profile.d/dircolors.sh</primary>
</indexterm>
 
<para>This script uses the <filename>~/.dircolors</filename> et
<filename>/etc/dircolors</filename> files to control the colors of file names in a
directory listing. They control colorized output of things like <command>ls
--color</command>. The explanation of how to initialize these files is at the
end of this section.</para>
 
<screen role="root"><userinput>cat &gt; /etc/profile.d/dircolors.sh &lt;&lt; "EOF"
<literal># Setup for /bin/ls to support color, the alias is in /etc/bashrc.
if [ -f "/etc/dircolors" ] ; then
eval $(dircolors -b /etc/dircolors)
 
if [ -f "$HOME/.dircolors" ] ; then
eval $(dircolors -b $HOME/.dircolors)
fi
fi
alias ls='ls --color=auto'
<command>EOF</command></userinput></screen>
</sect3>
alias ls='ls --color=auto'</literal>
EOF</userinput></screen>
 
</sect3>
 
<sect3>
<title><filename>/etc/profile.d/extrapaths.sh</filename></title>
<sect3 id="extrapaths.sh">
<title>/etc/profile.d/extrapaths.sh</title>
 
<para>Ce script ajoute quelques chemins utiles aux variables d'environnement
<envar>PATH</envar> et <envar>PKG_CONFIG_PATH</envar>. Si vous voulez, vous
pouvez décommenter la dernière section pour placer un point à la fin de votre
chemin. Ceci permettra l'exécution d'applications du répertoire courant sans
avoir à spécifier un ./. Néanmoins, vous êtes prévenu que ceci est généralement
considéré comme un problème de sécurité.</para>
<screen><userinput><command>cat &gt; /etc/profile.d/extrapaths.sh &lt;&lt; "EOF"</command>
if [ -d /usr/local/lib/pkgconfig ] ; then
<indexterm zone="postlfs-config-profile extrapaths.sh">
<primary sortas="e-etc-profile.d-extrapaths.sh">/etc/profile.d/extrapaths.sh</primary>
</indexterm>
 
<para>This script adds several useful paths to the <envar>PATH</envar> et
<envar>PKG_CONFIG_PATH</envar> environment variables. If you want, you
can uncomment the last section to put a dot at the end of your path. This will
allow executables in the current working directory to be executed without
specifying a ./, however you are warned that this is generally considered a
security hazard.</para>
 
<screen role="root"><userinput>cat &gt; /etc/profile.d/extrapaths.sh &lt;&lt; "EOF"
<literal>if [ -d /usr/local/lib/pkgconfig ] ; then
pathappend /usr/local/lib/pkgconfig PKG_CONFIG_PATH
fi
if [ -d /usr/local/bin ]; then
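Review bot: In the /etc/profile.d loop the test changes from [ -x $script ] to [ -r $script ] and the file is then sourced with . $script, all unquoted; write [ -r "$script" ] and . "$script" so a file name containing whitespace or glob characters is not split before it is sourced into a login shell. With the check relaxed from executable to readable, every readable *.sh file in that directory now runs at login, root logins included, so the text should say that the 0755 root:root mode set by the install --directory command in this hunk is what that loop depends on. The same quoting applies to pathremove $1 $2 in pathprepend and pathappend.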
174,275 → 228,304
if [ -d /usr/local/sbin -a $EUID -eq 0 ]; then
pathprepend /usr/local/sbin
fi
for directory in $(find /opt/*/lib/pkgconfig -type d); do
pathappend $directory PKG_CONFIG_PATH
done
for directory in $(find /opt/*/bin -type d); do
pathappend $directory
done
 
if [ -d ~/bin ]; then
pathprepend ~/bin
fi
#if [ $EUID -gt 99 ]; then
# pathappend .
#fi
<command>EOF</command></userinput></screen>
</sect3>
#fi</literal>
EOF</userinput></screen>
 
<sect3>
<title><filename>/etc/profile.d/readline.sh</filename></title>
</sect3>
 
<para>Ce script initialise le fichier de configuration par défaut
<filename>inputrc</filename>. Si l'utilisateur n'a pas de configurations
individuelles, il utilise le fichier global.</para>
<sect3 id="readline.sh">
<title>/etc/profile.d/readline.sh</title>
 
<screen><userinput><command>cat &gt; /etc/profile.d/readline.sh &lt;&lt; "EOF"</command>
# Configuration de la variable d'environnement.
<indexterm zone="postlfs-config-profile readline.sh">
<primary sortas="e-etc-profile.d-readline.sh">/etc/profile.d/readline.sh</primary>
</indexterm>
 
<para>This script sets up the default <filename>inputrc</filename>
configuration file. If the user does not have individual settings, it uses the
global file.</para>
 
<screen role="root"><userinput>cat &gt; /etc/profile.d/readline.sh &lt;&lt; "EOF"
<literal># Setup the INPUTRC environment variable.
if [ -z "$INPUTRC" -a ! -f "$HOME/.inputrc" ] ; then
INPUTRC=/etc/inputrc
fi
export INPUTRC
<command>EOF</command></userinput></screen>
</sect3>
export INPUTRC</literal>
EOF</userinput></screen>
 
<sect3>
<title><filename>/etc/profile.d/tinker-term.sh</filename></title>
</sect3>
 
<para>Quelques applications ont besoin d'un paramètrage spécifique de
<envar>TERM</envar> pour supporter la couleur.</para>
<sect3 id="umask.sh">
<title>/etc/profile.d/umask.sh</title>
 
<screen><userinput><command>cat &gt; /etc/profile.d/tinker-term.sh &lt;&lt; "EOF"</command>
# Ceci va améliorer la valeur de TERM pour convaincre certaines applications que
# nous pouvons vraiment afficher de la couleur dans leur fenêtre.
if [ -n "$COLORTERM" ]; then
export TERM=xterm-color
fi
if [ "$TERM" = "xterm" ]; then
export TERM=xterm-color
fi
<command>EOF</command></userinput></screen>
</sect3>
<indexterm zone="postlfs-config-profile umask.sh">
<primary sortas="e-etc-profile.d-umask.sh">/etc/profile.d/umask.sh</primary>
</indexterm>
 
<sect3>
<title><filename>/etc/profile.d/umask.sh</filename></title>
<para>Initialiser la valeur d'<command>umask</command> est important pour la
sécurité. Ici, nous désactivons les droits d'écriture du groupe sur les
utilisateurs système et lorsque nom d'utilisateur et nom de groupe ne sont pas
identiques.</para>
<para>Setting the <command>umask</command> value is important for security.
Here the default group write permissions are turned off for system users et when
the user name et group name are not the same.</para>
 
<screen><userinput><command>cat &gt; /etc/profile.d/umask.sh &lt;&lt; "EOF"</command>
# Par défaut, nous voulons qu'umask soit initialisée.
<screen role="root"><userinput>cat &gt; /etc/profile.d/umask.sh &lt;&lt; "EOF"
<literal># By default we want the umask to get set.
if [ "$(id -gn)" = "$(id -un)" -a $EUID -gt 99 ] ; then
umask 002
else
umask 022
fi
<command>EOF</command></userinput></screen>
</sect3>
fi</literal>
EOF</userinput></screen>
 
<sect3>
<title><filename>/etc/profile.d/X.sh</filename></title>
</sect3>
 
<para>Si <application>X</application> est installé, nous allons aussi mettre à
jour les variables <envar>PATH</envar> et <envar>PKG_CONFIG_PATH</envar>.</para>
<sect3 id="X.sh">
<title>/etc/profile.d/X.sh</title>
 
<screen><userinput><command>cat &gt; /etc/profile.d/X.sh &lt;&lt; "EOF"</command>
if [ -x /usr/X11R6/bin/X ]; then
<indexterm zone="postlfs-config-profile X.sh">
<primary sortas="e-etc-profile.d-X.sh">/etc/profile.d/X.sh</primary>
</indexterm>
 
<para>If <application>X</application> is installed, the <envar>PATH</envar>
et <envar>PKG_CONFIG_PATH</envar> variables are also updated.</para>
 
<screen role="root"><userinput>cat &gt; /etc/profile.d/X.sh &lt;&lt; "EOF"
<literal>if [ -x /usr/X11R6/bin/X ]; then
pathappend /usr/X11R6/bin
fi
if [ -d /usr/X11R6/lib/pkgconfig ] ; then
pathappend /usr/X11R6/lib/pkgconfig PKG_CONFIG_PATH
fi
<command>EOF</command></userinput></screen>
</sect3>
fi</literal>
EOF</userinput></screen>
 
<sect3>
<title><filename>/etc/profile.d/xterm-titlebars.sh</filename></title>
<para>Ce script affiche un exemple d'une autre façon d'initialiser l'invite.
La variable d'environnement normale, <envar>PS1</envar>, est remplacée par
<envar>PROMPT_COMMAND</envar>. Si ell est initialisée, la valeur de
<envar>PROMPT_COMMAND</envar> est exécutée comme une commande avant chaque
invote primaire. </para>
<screen><userinput><command>cat &gt; /etc/profile.d/xterm-titlebars.sh &lt;&lt; "EOF"</command>
# The substring match ensures this will work for "xterm" and "xterm-xfree86".
if [ "${TERM:0:5}" = "xterm" ]; then
PROMPT_COMMAND='echo -ne "\033]0;${USER}@${HOSTNAME} : ${PWD}\007"'
export PROMPT_COMMAND
fi
<command>EOF</command></userinput></screen>
</sect3>
 
<para>D'autres initialisations peuvent facilement être ajoutées au
<filename>profile</filename> en ajoutant des scripts supplémentaires vers le
répertoire <filename class='directory'>/etc/profile.d</filename>.</para>
</sect3>
</sect2>
<sect3 id="i18n.sh">
<title>/etc/profile.d/i18n.sh</title>
 
<sect2>
<title><filename>/etc/bashrc</filename></title>
<para>Ceci est une base pour <filename>/etc/bashrc</filename>. Les commentaires
inclus dans le fichier devraient tout expliquer.</para>
<indexterm zone="postlfs-config-profile i18n.sh">
<primary sortas="e-etc-profile.d-i18n.sh">/etc/profile.d/i18n.sh</primary>
</indexterm>
 
<screen><userinput><command>cat &gt; /etc/bashrc &lt;&lt; "EOF"</command>
# Début de /etc/bashrc
# Écrit pour Beyond Linux From Scratch
# par James Robertson &lt;jameswrobertson@earthlink.net&gt;
<para>This script sets an environment variable necessary for
native language support. A full discussion on determining this
variable can be found on the <ulink
url="&lfs-root;/chapter07/profile.html">LFS Bash Shell
Startup Files</ulink> page.</para>
 
# Alias et fonctions système.
<screen role="root"><userinput>cat &gt; /etc/profile.d/i18n.sh &lt;&lt; "EOF"
<literal># Set up i18n variables
export LANG=<replaceable>&lt;ll&gt;</replaceable>_<replaceable>&lt;CC&gt;</replaceable>.<replaceable>&lt;charmap&gt;</replaceable><replaceable>&lt;@modifiers&gt;</replaceable></literal>
EOF</userinput></screen>
 
# Les variables d'environnement système et les programmes de lancement
# devraient aller sous /etc/profile. Les variables d'environnement personnel
# et les programmes de lancement devraient aller dans ~/.bash_profile. Les
# alias personnels et les fonctions devraient aller dans ~/.bashrc
</sect3>
 
# Fournit une commmande /bin/ls colorée. Utilisé avec du code provenant de
<sect3>
<title>Other Initialization Values</title>
 
<para>Other initialization can easily be added to the
<filename>profile</filename> by adding additional scripts to the
<filename class='directory'>/etc/profile.d</filename> directory.</para>
 
</sect3>
 
</sect2>
 
<sect2 id="etc-bashrc-profile">
<title>/etc/bashrc</title>
 
<indexterm zone="postlfs-config-profile etc-bashrc-profile">
<primary sortas="e-etc-bashrc">/etc/bashrc</primary>
</indexterm>
 
<para>Here is a base <filename>/etc/bashrc</filename>. Comments in the
file should explain everything you need.</para>
 
<screen role="root"><userinput>cat &gt; /etc/bashrc &lt;&lt; "EOF"
<literal># Begin /etc/bashrc
# Written for Beyond Linux From Scratch
# by James Robertson &lt;jameswrobertson@earthlink.net&gt;
# updated by Bruce Dubbs &lt;bdubbs@&lfs-domainname;&gt;
 
# System wide aliases et functions.
 
# System wide environment variables et startup programs should go into
# /etc/profile. Personal environment variables et startup programs
# should go into ~/.bash_profile. Personal aliases et functions should
# go into ~/.bashrc
 
# Provides a colored /bin/ls command. Used in conjunction with code in
# /etc/profile.
 
alias ls='ls --color=auto'
 
# Fournit une invite pour les shells sans connexion, spécialement les shells
# lancés dans l'environnement <application>X</application>. [Revoir les
# archives LFS, dont celle titrée
# PS1 Environment Variable for a great case study behind this script addendum.]
# Provides prompt for non-login shells, specifically shells started
# in the X environment. [Review the LFS archive thread titled
# PS1 Environment Variable for a great case study behind this script
# addendum.]
 
#export PS1="[\u@\h \w]\\$ "
export PS1='\u@\h:\w\$ '
NORMAL="\[\e[0m\]"
RED="\[\e[1;31m\]"
GREEN="\[\e[1;32m\]"
if [[ $EUID == 0 ]] ; then
PS1="$RED\u [ $NORMAL\w$RED ]# $NORMAL"
else
PS1="$GREEN\u [ $NORMAL\w$GREEN ]\$ $NORMAL"
fi
 
# Fin de /etc/bashrc
<command>EOF</command></userinput></screen>
</sect2>
# End /etc/bashrc</literal>
EOF</userinput></screen>
 
</sect2>
 
<sect2>
<title><filename>~/.bash_profile</filename></title>
<sect2 id="bash_profile-profile">
<title>~/.bash_profile</title>
 
<para>Voici la base de <filename>~/.bash_profile</filename>. Si vous voulez que
chaque nouvel utilisateur ait ce fichier automatiquement, modifiez
simplement la sortie de la commande par
<filename>/etc/skel/.bash_profile</filename> et vérifiez les droits après le
lancement de la commande. Vous pouvez ensuite copier
<filename>/etc/skel/.bash_profile</filename> dans les répertoires personnels
des utilisateurs déjà existants, ceci incluant root, et configurer les
utilisateur et groupe de façon appropriée.</para>
<indexterm zone="postlfs-config-profile bash_profile-profile">
<primary sortas="e-AA.bash_profile">~/.bash_profile</primary>
</indexterm>
 
<screen><userinput><command>cat &gt; ~/.bash_profile &lt;&lt; "EOF"</command>
# Début de ~/.bash_profile
# Écrit pour Beyond Linux From Scratch
# par James Robertson &lt;jameswrobertson@earthlink.net&gt;
# mis à jour par Bruce Dubbs &lt;bdubbs@linuxfromscratch.org&gt;
<para>Here is a base <filename>~/.bash_profile</filename>. If you want each
new user to have this file automatically, just change the output of
the command to <filename>/etc/skel/.bash_profile</filename> et check the
permissions after the command is run. You can then copy
<filename>/etc/skel/.bash_profile</filename> to the home directories of already
existing users, including <systemitem class="username">root</systemitem>,
et set the owner and group appropriately.</para>
 
# Variables d'environnement personnelles et programmes de lancement.
<screen><userinput>cat &gt; ~/.bash_profile &lt;&lt; "EOF"
<literal># Begin ~/.bash_profile
# Written for Beyond Linux From Scratch
# by James Robertson &lt;jameswrobertson@earthlink.net&gt;
# updated by Bruce Dubbs &lt;bdubbs@&lfs-domainname;&gt;
 
# Les alias personnels et les fonctions devraient aller dans ~/.bashrc.
# Les variables d'environnement système et les programmes de lancement sont
# dans /etc/profile.
# Les alias et les fonctions système sont dans /etc/bashrc.
# Personal environment variables et startup programs.
 
# Personal aliases et functions should go in ~/.bashrc. System wide
# environment variables et startup programs are in /etc/profile.
# System wide aliases et functions are in /etc/bashrc.
 
append () {
# Tout d'abord, supprimez le répertoire
# First remove the directory
local IFS=':'
local NEWPATH
for DIR in $PATH; do
if [ "$DIR" != "$1" ]; then
NEWPATH = ${NEWPATH:+$NEWPATH:}$DIR
fi
NEWPATH=${NEWPATH:+$NEWPATH:}$DIR
fi
done
# Puis, ajoutez le répertoire
 
# Then append the directory
export PATH=$NEWPATH:$1
}
 
if [ -f "$HOME/.bashrc" ] ; then
source $HOME/.bashrc
source $HOME/.bashrc
fi
 
if [ -d "$HOME/bin" ] ; then
append $HOME/bin
append $HOME/bin
fi
 
unset append
 
# Fin de ~/.bash_profile
<command>EOF</command></userinput></screen>
</sect2>
<sect2>
<title><filename>~/.bashrc</filename></title>
# End ~/.bash_profile</literal>
EOF</userinput></screen>
 
<para>Voici la base d'un <filename>~/.bashrc</filename>. Les commentaires et
instructions pour utiliser <filename class="directory">/etc/skel</filename> de
<filename>.bash_profile</filename> s'appliquent ici aussi. Seuls les noms de
fichiers cibles sont différents.</para>
</sect2>
 
<screen><userinput><command>cat &gt; ~/.bashrc &lt;&lt; "EOF"</command>
# Début de ~/.bashrc
# Écrit pour Beyond Linux From Scratch
# par James Robertson &lt;jameswrobertson@earthlink.net&gt;
<sect2 id="bashrc-profile">
<title>~/.bashrc</title>
 
# Alias personnels et fonctions.
<indexterm zone="postlfs-config-profile bashrc-profile">
<primary sortas="e-AA.bashrc">~/.bashrc</primary>
</indexterm>
 
# Les alias personnels et les fonctions devraient aller dans ~/.bashrc.
# Les variables d'environnement système et les programmes de lancement sont
# dans /etc/profile.
# Les alias et les fonctions système sont dans /etc/bashrc.
<para>Here is a base <filename>~/.bashrc</filename>. The comments et
instructions for using <filename class="directory">/etc/skel</filename> for
<filename>.bash_profile</filename> above also apply here. Only the target file
names are different.</para>
 
<screen><userinput>cat &gt; ~/.bashrc &lt;&lt; "EOF"
<literal># Begin ~/.bashrc
# Written for Beyond Linux From Scratch
# by James Robertson &lt;jameswrobertson@earthlink.net&gt;
 
# Personal aliases et functions.
 
# Personal environment variables et startup programs should go in
# ~/.bash_profile. System wide environment variables et startup
# programs are in /etc/profile. System wide aliases et functions are
# in /etc/bashrc.
 
if [ -f "/etc/bashrc" ] ; then
source /etc/bashrc
source /etc/bashrc
fi
 
# Fin de ~/.bashrc
<command>EOF</command></userinput></screen>
</sect2>
<sect2>
<title><filename>~/.bash_logout</filename></title>
# End ~/.bashrc</literal>
EOF</userinput></screen>
 
<para>C'est un <filename>~/.bash_logout</filename> vide qui peut être utilisé
comme modèle. Vous noterez que la base <filename>~/.bash_logout</filename>
n'inclut pas de commande <userinput>clear</userinput>. En effet, celui-ci est
géré par le fichier <filename>/etc/issue</filename>.</para>
</sect2>
 
<screen><userinput><command>cat &gt; ~/.bash_logout &lt;&lt; "EOF"</command>
# Début de ~/.bash_logout
# Écrit pour Beyond Linux From Scratch
# par James Robertson &lt;jameswrobertson@earthlink.net&gt;
 
# Éléments personnels pour lancer une déconnexion.
<sect2 id="bash_logout-profile">
<title>~/.bash_logout</title>
 
# Fin de ~/.bash_logout
<command>EOF</command></userinput></screen>
</sect2>
<sect2>
<title><filename>/etc/dircolors</filename></title>
<indexterm zone="postlfs-config-profile bash_logout-profile">
<primary sortas="e-AA.bash_logout">~/.bash_logout</primary>
</indexterm>
 
<para>Si vous voulez utiliser la fonctionnalité <filename>dircolors</filename>,
alors lancez la commande suivante. Les étapes de configuration de
<filename class="directory">/etc/skel</filename> peuvent aussi être utilisées
ici pour fournir un fichier <filename>.dircolors</filename> quand un nouvel
utilisateur est créé. Comme auparavant, modifiez simplement le nom du fichier
en sortie sur la ligne de commande et assurez-vous que les droits,
propriétaire et groupe sont corrects sur les fichiers créés et/ou copiés.
</para>
<para>This is an empty <filename>~/.bash_logout</filename> that can be used as
a template. You will notice that the base <filename>~/.bash_logout</filename>
does not include a <userinput>clear</userinput> command. This is because the
clear is handled in the <filename>/etc/issue</filename> file.</para>
 
<screen><userinput><command>dircolors -p > /etc/dircolors</command></userinput></screen>
<screen><userinput>cat &gt; ~/.bash_logout &lt;&lt; "EOF"
<literal># Begin ~/.bash_logout
# Written for Beyond Linux From Scratch
# by James Robertson &lt;jameswrobertson@earthlink.net&gt;
 
<para>Si vous souhaitez personnaliser les couleurs utilisées par différents
types de fichiers, vous pouvez éditer le fichier
<filename>/etc/dircolors</filename>. Les instructions de configuration des
couleurs sont intégrées au fichier.</para>
# Personal items to perform on logout.
 
# End ~/.bash_logout</literal>
EOF</userinput></screen>
 
<para>Enfin, Ian Macdonald a écrit une excellente collection d'astuces et de
conseils pour améliorer votre environnement shell. Vous pouvez le lire en ligne
sur <ulink
url="http://www.caliban.org/bash/index.shtml">http://www.caliban.org/bash/index.
shtml</ulink>.</para>
</sect2>
</sect2>
 
 
<sect2 id="etc-dircolors-profile">
<title>/etc/dircolors</title>
 
<indexterm zone="postlfs-config-profile etc-dircolors-profile">
<primary sortas="e-etc-dircolors">/etc/dircolors</primary>
</indexterm>
 
<indexterm zone="postlfs-config-profile etc-dircolors-profile">
<primary sortas="e-AA.dircolors">~/.dircolors</primary>
</indexterm>
 
<para> If you want to use the <filename>dircolors</filename> capability, then
run the following command. The <filename class="directory">/etc/skel</filename>
setup steps shown above also can be used here to provide a
<filename>~/.dircolors</filename> file when a new user is set up. As before,
just change the output file name on the following command et assure the
permissions, owner, et group are correct on the files created and/or
copied.</para>
 
<screen role="root"><userinput>dircolors -p > /etc/dircolors</userinput></screen>
 
<para>If you wish to customize the colors used for different file types, you can
edit the <filename>/etc/dircolors</filename> file. The instructions for setting
the colors are embedded in the file.</para>
 
 
<para>Finally, Ian Macdonald has written an excellent collection of tips et
tricks to enhance your shell environment. You can read it online at
<ulink url="http://www.caliban.org/bash/index.shtml"/>.</para>
 
</sect2>
 
</sect1>
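Review bot: the English paragraphs added for /etc/dircolors have "et" where "and" belongs ("on the following command et assure the permissions, owner, et group", "tips et tricks"), which looks like a blanket and-to-et substitution run over text that was never translated; either translate these paragraphs in full or restore "and". That sentence is the one telling the reader to get permissions, owner and group right on files copied from /etc/skel, so it should read unambiguously. In the same section, `dircolors -p > /etc/dircolors` writes the redirect as a bare `>` while the `~/.bash_logout` heredoc just above uses `&gt;`; use the entity in both places for consistency.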
/trunk/blfs/postlfs/config/random.xml
1,25 → 1,40
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-config-random" xreflabel="random">
<?dbhtml filename="random.html"?>
<title>Génération de nombres aléatoires</title>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<para>Le noyau Linux apporte un générateur de nombres aléatoires auquel on
accède par <filename class="devicefile">/dev/random</filename> et
<filename class="devicefile">/dev/urandom</filename>. Les programmes utilisant
les périphériques random et urandom, tels que
<application>OpenSSH</application>, bénéficieront de ces instructions.</para>
<sect1 id="postlfs-config-random" xreflabel="Random number generation">
<?dbhtml filename="random.html"?>
 
<para>Quand un système Linux démarre sans trop d'interaction de l'opérateur, le
pool d'entropies, les données utilisées pour calculer un nombre aléatoire, peut
se trouver dans un état à peu près prévisible. Ceci crée une possibilité réelle
que les nombres générés au démarrage peuvent être les mêmes. Pour réagir à cet
effet, vous devez apporter au pool d'entropies des informations entre vos
arrêts et démarrages. Le script init.d suivant et ses liens vont réaliser cette
fonction pour vous automatiquement.</para>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2007-04-04 21:42:53 +0200 (mer, 04 avr 2007) $</date>
</sect1info>
 
<para>Installez le script de démarrage <filename>/etc/rc.d/init.d/random</filename>
inclus dans le paquetage <xref linkend="intro-important-bootscripts"/>.</para>
<screen><userinput><command>make install-random</command></userinput></screen>
<title>Random Number Generation</title>
 
<indexterm zone="postlfs-config-random">
<primary sortas="f-random">random</primary>
</indexterm>
 
<para>The Linux kernel supplies a random number generator which is accessed
through <filename class="devicefile">/dev/random</filename> et
<filename class="devicefile">/dev/urandom</filename>. Programs that utilize
the random et urandom devices, such as <application>OpenSSH</application>,
will benefit from these instructions.</para>
 
<para>When a Linux system starts up without much operator interaction, the
entropy pool (data used to compute a random number) may be in a fairly
predictable state. This creates the real possibility that the number generated
at startup may always be the same. In order to counteract this effect,
you should carry the entropy pool information across your shut-downs et
start-ups.</para>
 
<para>Installez the <filename>/etc/rc.d/init.d/random</filename> init script
included with the <xref linkend="bootscripts"/> package.</para>
 
<screen role="root"><userinput>make install-random</userinput></screen>
 
</sect1>
 
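Review bot: the new entropy paragraph stops at "you should carry the entropy pool information across your shut-downs et start-ups" and no longer says that the init script and its links do this for the reader automatically, which the replaced paragraph did state; restore that sentence so the reader knows that `make install-random` is the whole remedy. The install instruction itself reads "Installez the /etc/rc.d/init.d/random init script", half French and half English, and the paragraphs before it use "et" for "and" ("/dev/random et /dev/urandom", "the random et urandom devices"). The xref target also changes from `intro-important-bootscripts` to `bootscripts`; confirm that an element with that id exists in this revision, otherwise the link will not resolve.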
/trunk/blfs/postlfs/config/vimrc.xml
1,94 → 1,117
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-config-vimrc" xreflabel="/etc/vimrc, ~/.vimrc">
<?dbhtml filename="vimrc.html"?>
<title>/etc/vimrc, ~/.vimrc</title>
<!DOCTYPE part PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<para>Le livre <acronym>LFS</acronym> installe vim comme son éditeur. A ce
point, nous devons établir qu'il existe <emphasis>beaucoup</emphasis> d'éditeurs
différents incluant <application>emacs</application>,
<application>nano</application>, <application>joe</application> et bien d'autres.
Tous ceux qui ont été sur Internet (et plus spécialement usenet) pendant un petit
instant ont certainement vu au moins une guerre de clochers, habituellement
incluant les utilisateurs de <application>vim</application> et
<application>emacs</application>&nbsp;!</para>
<sect1 id="postlfs-config-vimrc" xreflabel="The vimrc Files">
<?dbhtml filename="vimrc.html"?>
 
<para>Le livre <acronym>LFS</acronym> donne un fichier <filename>vimrc</filename>
basique. Ici, nous essaierons d'améliorer ce fichier. Au démarrage,
<command>vim</command> lit <filename>/etc/vimrc</filename> et
<filename>~/.vimrc</filename> (c'est-à-dire le fichier global et le fichier
spécifique aux utilisateurs). Notez que ceci est seulement vrai si vous avez
compilé <application>vim</application> en utilisant <acronym>LFS</acronym>-3.1.
Avant ceci, le fichier global vimrc était <filename>/usr/share/vim/vimrc</filename>.
</para>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2007-10-16 15:02:24 +0200 (mar, 16 oct 2007) $</date>
</sect1info>
 
<para>Ici se trouve un exemple légèrement étendu de <filename>vimrc</filename> que vous pouvez
mettre dans <filename>/etc/vimrc</filename> pour un effet global. Bien sûr, si
vous le placez dans <filename>/etc/skel/.vimrc</filename>, il sera mis à
disposition de tous les utilisateurs que vous ajouterez plus tard au système.
Vous pouvez aussi copier le fichier de <filename>/etc/skel/.vimrc</filename>
dans <filename>/etc/vimrc</filename> et dans le répertoire personnel de chaque
utilisateur existant déjà sur le système, comme root. Assurez-vous de configurer
les droits, propriétaire et groupe si vous copiez tout directement à partir de
<filename>/etc/skel</filename>.</para>
<title>The /etc/vimrc et ~/.vimrc Files</title>
 
<screen>" Début .vimrc
<indexterm zone="postlfs-config-vimrc">
<primary sortas="e-etc-vimrc">/etc/vimrc</primary>
</indexterm>
 
set nocompatible
set bs=2
set columns=80
set background=dark
set wrapmargin=8
syntax on
set ruler
<indexterm zone="postlfs-config-vimrc">
<primary sortas="e-AA.vimrc">~/.vimrc</primary>
</indexterm>
 
" Fin .vimrc</screen>
<para>The LFS book installs <application>Vim</application>
as its text editor. At this point it should be noted that there are a
<emphasis>lot</emphasis> of different editing applications out there including
<application>Emacs</application>, <application>nano</application>,
<application>Joe</application> et many more. Anyone who has been around the
Internet (especially usenet) for a short time will certainly have observed at
least one flame war, usually involving <application>Vim</application> et
<application>Emacs</application> users!</para>
 
<para>Une <acronym>FAQ</acronym> sur les listes lfs parle des tags de
commentaires dans <filename>vimrc</filename>. Notez qu'on utilise " au lieu du
plus usuel # ou //. C'est correct, la syntaxe
pour <filename>vimrc</filename> est légèrement inhabituelle.</para>
<para>The LFS book creates a basic <filename>vimrc</filename> file. In this
section you'll find an attempt to enhance this file. At startup,
<command>vim</command> reads the global configuration file
(<filename>/etc/vimrc</filename>) as well as a user-specific file
(<filename>~/.vimrc</filename>). Either or both can be tailored to suit
the needs of your particular system.</para>
 
<para>Nous allons nous lancer dans une rapide explication de chaque option du
fichier exemple:</para>
<itemizedlist>
<listitem><para><option>set nocompatible</option> : cette option
empêche <command>vim</command> de se comporter d'une façon trop compatible avec
<command>vi</command>. Il devrait être au début de chaque fichier
<filename>vimrc</filename> cat il affecte un grand nombre des autres options que
vous voulez surcharger.</para></listitem>
<para>Here is a slightly expanded <filename>.vimrc</filename> that you can
put in <filename>~/.vimrc</filename> to provide user specific effects. Of
course, if you put it into <filename>/etc/skel/.vimrc</filename> instead, it
will be made available to users you add to the system later. You can also copy
the file from <filename>/etc/skel/.vimrc</filename> to the home directory of
users already on the system, such as
<systemitem class='username'>root</systemitem>. Be sure to set permissions,
owner, et group if you do copy anything directly from
<filename class="directory">/etc/skel</filename>.</para>
 
<listitem><para><option>set bs=2</option> :
Ceci influence le comportement de l'option backspace. Elle est assez complexe,
donc voir <command>:help 'bs'</command> pour plus de détails.
</para></listitem>
<screen><literal>" Begin .vimrc
 
<listitem><para><option>set columns=80</option> :
Ceci indique simplement le nombre de colonnes utilisées sur l'écran.
</para></listitem>
set columns=80
set wrapmargin=8
set ruler
 
<listitem><para><option>set background=dark</option> :
Ceci dit à <command>vim</command> d'utiliser des couleurs correctes sur un fond noir.
</para></listitem>
" End .vimrc</literal></screen>
 
<listitem><para><option>set wrapmargin=8</option> :
Il s'agit du nombre de caractères du bord droit de la fenêtre où le 'wrapping'
commence.</para></listitem>
<para>Note that the comment tags are " instead of the more
usual # or //. This is correct, the syntax for
<filename>vimrc</filename> is slightly unusual.</para>
 
<listitem><para><option>syntax on</option> :
Active le surlignage syntaxique de <command>vim</command>.</para></listitem>
<para>Below you'll find a quick explanation of what each of the
options in this example file means here:</para>
 
<listitem><para><option>set ruler</option> :
Ceci fait que <command>vim</command> affiche la ligne et la colonne courantes dans le bas droit de
l'écran.</para></listitem>
<itemizedlist>
<!--
<listitem>
<para><option>set nocompatible</option> : This option
stops <command>vim</command> from behaving in a strongly <command>vi
</command>-compatible way. It should be at the start of any <filename>vimrc
</filename> file as it can affect lots of other options which you may want to
override.</para>
</listitem>
<listitem>
<para><option>set bs=2</option>: This influences the behavior
of the backspace option. It is fairly complex so see <command>:help 'bs'
</command> for more details.</para>
</listitem>
-->
<listitem>
<para><option>set columns=80</option>: This simply sets the
number of columns used on the screen.</para>
</listitem>
<!--
<listitem>
<para><option>set background=dark</option>: This tells
<command>vim</command> to use colors which look good on a dark
background.</para>
</listitem>
-->
<listitem>
<para><option>set wrapmargin=8</option>: This is the number of
characters from the right window border where wrapping starts.</para>
</listitem>
<!--
<listitem>
<para><option>syntax on</option>: Enables
<command>vim</command>'s syntax highlighting.</para>
</listitem>
-->
<listitem>
<para><option>set ruler</option>: This makes <command>vim</command>
show the current row et column at the bottom right of the screen.</para>
</listitem>
</itemizedlist>
 
</itemizedlist>
<para>More information on the <emphasis>many</emphasis>
<command>vim</command> options can be found by reading the help
inside <command>vim</command> itself. Do this by typing
<command>:</command><option>help</option> in
<command>vim</command> to get the general help, or by typing
<command>:</command><option>help usr_toc.txt</option> to view
the User Manual Table of Contents.</para>
 
<para>Plus d'informations sur les <emphasis>nombreuses</emphasis> options de
<command>vim</command> peuvent être trouvées en lisant l'aide dans
<command>vim</command> lui-même. Faites ceci en tapant
<command>:</command><option>help</option> dans <command>vim</command> pour
accéder à l'aide général, ou en tapant <command>:help</command><option>
usr_toc.txt</option> pour voir le sommaire du manuel utilisateur.</para>
 
</sect1>
 
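Review bot: the added DOCTYPE declares `part` (`<!DOCTYPE part PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"`) but the document element is `<sect1 id="postlfs-config-vimrc">`, so a validating parser will reject this file; declare `sect1`, as the other files in this commit do. The new title "The /etc/vimrc et ~/.vimrc Files" and several body sentences ("Joe et many more", "owner, et group", "the current row et column") carry "et" for "and" in otherwise English text. The sentence "Below you'll find a quick explanation of what each of the options in this example file means here:" also ends with a redundant "here".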
/trunk/blfs/postlfs/config/autofs.xml
1,242 → 1,313
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY autofs-download-http "http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-&autofs-version;.tar.bz2">
<!ENTITY autofs-download-ftp "ftp://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-&autofs-version;.tar.bz2">
<!ENTITY autofs-md5sum "f43a09e94c4bd512ec58ac06e9d42c60">
<!ENTITY autofs-size "122 KB">
<!ENTITY autofs-buildsize "1.4 MB">
<!ENTITY autofs-time "0.01 SBU">
<!ENTITY autofs-patch-dir "http://ftp.kernel.org/pub/linux/daemons/autofs/v5">
<!ENTITY autofs-download-http "http://ftp.kernel.org/pub/linux/daemons/autofs/v5/autofs-&autofs-version;.tar.bz2">
<!ENTITY autofs-download-ftp "ftp://ftp.kernel.org/pub/linux/daemons/autofs/v5/autofs-&autofs-version;.tar.bz2">
<!ENTITY autofs-md5sum "27839fe6fa8105b2b7d31bc922fd7cf6">
<!ENTITY autofs-size "221 Kio">
<!ENTITY autofs-buildsize "9 Mio">
<!ENTITY autofs-time "moins de 0.1 SBU">
]>
 
<sect1 id="autofs" xreflabel="autofs-&autofs-version;">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:36 $</date>
</sect1info>
<?dbhtml filename="autofs.html"?>
<title>Automate Mounting of File Systems</title>
<indexterm zone="autofs">
<primary sortas="a-Autofs">Autofs</primary></indexterm>
<sect1 id="autofs" xreflabel="Autofs-&autofs-version;">
<?dbhtml filename="autofs.html"?>
 
<sect2>
<title>Introduction to <application>autofs</application></title>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2008-08-11 22:01:52 +0200 (lun, 11 aoû 2008) $</date>
</sect1info>
 
<para>The <application>autofs</application> package contains userspace
tools that work with the kernel to mount and un-mount removable file
systems. This is useful for allowing users to mount floppies, cdroms and
other removable storage devices without requiring the system
administrator to mount the devices. This may not be ideal for all
installations, so be aware of the risks before implementing this feature.</para>
<title>Automate Mounting of File Systems</title>
 
<sect3><title>Package information</title>
<itemizedlist spacing="compact">
<listitem><para>Download (HTTP):
<ulink url="&autofs-download-http;"/></para></listitem>
<listitem><para>Download (FTP):
<ulink url="&autofs-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &autofs-md5sum;</para></listitem>
<listitem><para>Download size: &autofs-size;</para></listitem>
<listitem><para>Estimated disk space required:
&autofs-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&autofs-time;</para></listitem></itemizedlist>
</sect3>
<indexterm zone="autofs">
<primary sortas="a-Autofs">Autofs</primary>
</indexterm>
 
<sect3><title>Additional downloads</title>
<itemizedlist spacing="compact">
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-strict.patch"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-bad_chdir.patch
"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-mtab_lock.patch
"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-non_block_ping.patch
"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-signal-race-fix.patch
"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-sock-leak-fix.patch
"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-replicated_server_select.patch
"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-multi-over.patch
"/></para>
</listitem>
</itemizedlist>
</sect3>
<!---
<sect3><title><application>template</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="BLFS DEPENDENCY"/></para>
</sect4>
<sect2 role="package">
<title>Introduction à Autofs</title>
 
<sect4><title>Optional</title>
<para><ulink url="http://www.some.url/">EXTERNAL DEPENDENCY</ulink></para>
</sect4>
</sect3> -->
<para>The <application>Autofs</application> package contains userspace
tools that work with the kernel to mount et un-mount removable file
systems. The primary use is to mount external network file systems like
NFS (see <xref linkend="nfs-utils"/>) or Samba (see <xref linkend="samba3"/>)
on demand.</para>
 
</sect2>
<para>It may also be useful for allowing users to mount floppies, cdroms et
other removable storage devices without requiring the system
administrator to mount the devices although this capability is now generally
provided by HAL (see <xref linkend="hal"/>). This may not be ideal for all
installations, so be aware of the risks before implementing this feature.</para>
 
<sect2 id="autofs-kernel">
<title>Installation of <application>autofs</application></title>
<indexterm zone="autofs autofs-kernel">
<primary sortas="d-Automounter">Automounter</primary></indexterm>
<bridgehead renderas="sect3">Informations sur le paquet</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Téléchargement (HTTP)&nbsp;: <ulink url="&autofs-download-http;"/></para>
</listitem>
<listitem>
<para>Téléchargement (FTP)&nbsp;: <ulink url="&autofs-download-ftp;"/></para>
</listitem>
<listitem>
<para>Somme de contrôle MD5 du téléchargement&nbsp;: &autofs-md5sum;</para>
</listitem>
<listitem>
<para>Taille du téléchargement&nbsp;: &autofs-size;</para>
</listitem>
<listitem>
<para>Estimation de l'espace disque requis&nbsp;: &autofs-buildsize;</para>
</listitem>
<listitem>
<para>Estimation du temps de construction&nbsp;: &autofs-time;</para>
</listitem>
</itemizedlist>
 
<para>Verify that kernel support has been compiled in or built as
modules in the following areas:
<screen>File systems
Kernel automounter version 4 support Y or M
Network File Systems
NFS file system support Y or M
SMB file system support Y or M</screen>
Recompile and install the new kernel, if necessary.</para>
<bridgehead renderas="sect3">Téléchargements supplémentaires</bridgehead>
 
<para>Install <application>autofs</application> by running the following
commands:</para>
<para>Recommandées Patches: There are frequent patches issued for
<application>Autofs</application>. One method you can use to get the
current patches requires first installing the <xref linkend="wget"/>
package. After ensuring the <command>wget</command> command is installed
in a directory identified in the <envar>PATH</envar> variable, start in
the same directory as the main tar file et issue the following
suivantes&nbsp;:</para>
 
<screen><userinput><command>patch -Np1 -i ../autofs-4.1.3-strict.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-bad_chdir.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-mtab_lock.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-non_block_ping.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-signal-race-fix.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-sock-leak-fix.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-replicated_server_select.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-multi-over.patch &amp;&amp;
<screen><userinput>wget &autofs-patch-dir;/patch_order-&autofs-version; &amp;&amp;
sed 's;autofs;&autofs-patch-dir;/autofs;' \
patch_order-&autofs-version; &gt; wget-list &amp;&amp;
wget -i wget-list</userinput></screen>
 
<bridgehead renderas="sect3">Autofs Dependencies</bridgehead>
 
<bridgehead renderas="sect4">Facultatives</bridgehead>
<para role="optional"><xref linkend="openldap"/> et
<xref linkend="cyrus-sasl"/></para>
 
<para condition="html" role="usernotes">Notes utilisateur&nbsp;:
<ulink url="&blfs-wiki;/autofs"/></para>
 
</sect2>
 
<sect2 role="kernel" id="autofs-kernel">
<title>Kernel Configuration</title>
 
<indexterm zone="autofs autofs-kernel">
<primary sortas="d-Automounter">Automounter</primary>
</indexterm>
 
<para>Verify that kernel support has been compiled in or built as
modules in the following areas:</para>
 
<screen><literal>File systems &rArr;
Kernel automounter version 4 support Y or M
Network File Systems &rArr;
NFS file system support Y or M (optional)
SMB file system support Y or M (optional)</literal></screen>
 
<para>Recompile et install the new kernel, if necessary.</para>
 
</sect2>
 
<sect2 role="installation">
 
<title>Installation de Autofs</title>
 
<para>Installez <application>Autofs</application> en lançant les commandes
suivantes&nbsp;:</para>
 
<screen><userinput>for f in `cat ../patch_order-&autofs-version;`; do
patch -Np1 -i ../$f
done &amp;&amp;
./configure --prefix=/ --mandir=/usr/share/man &amp;&amp;
make</command></userinput></screen>
make</userinput></screen>
 
<para>Now, as the root user:</para>
<para>Ce paquet n'est pas fourni avec une suite de tests.</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
rm /etc/rc.d/init.d/autofs</command></userinput></screen>
<para>Maintenant, en tant qu'utilisateur <systemitem class="username">root</systemitem>&nbsp;:</para>
 
</sect2>
<screen role="root"><userinput>make install &amp;&amp;
ln -sf ../init.d/autofs /etc/rc.d/rcsysinit.d/S52autofs</userinput></screen>
 
<sect2>
<title>Command explanations</title>
</sect2>
 
<para><command>rm /etc/rc.d/init.d/autofs</command>: This command
removes the installed script which only works on specific distributions.</para>
<sect2 role="commands">
<title>Explication des commandes</title>
 
</sect2>
<para><command>for f in `cat ../patch_order-&autofs-version;`; do
patch -Np1 -i ../$f; done</command>: This command applies all the
patches downloaded earlier in the correct order.</para>
 
<sect2>
<title>Configuring <application>autofs</application></title>
<para><command>ln -sf ../init.d/autofs
/etc/rc.d/rcsysinit.d/S52autofs</command>: This command sets the
link to properly start autofs upon boot.</para>
 
<sect3 id="autofs-config"><title>Config files</title>
<para><filename>/etc/sysconfig/autofs.conf</filename>,
<filename>/etc/auto.master</filename>,
<filename>/etc/auto.misc</filename>, and
<filename>/etc/auto.net</filename></para>
<indexterm zone="autofs autofs-config" >
<primary
sortas="e-etc-sysconfig-autofs.conf">/etc/sysconfig/autofs.conf</primary>
</indexterm>
<indexterm zone="autofs autofs-config">
<primary sortas="e-etc-auto.master">/etc/auto.master</primary></indexterm>
<indexterm zone="autofs autofs-config">
<primary sortas="e-etc-auto.misc">/etc/auto.misc</primary></indexterm>
<indexterm zone="autofs autofs-config">
<primary sortas="e-etc-auto.net">/etc/auto.net</primary></indexterm>
</sect3>
</sect2>
 
<sect3><title>Configuration Information</title>
<sect2 role="configuration">
<title>Configuration de Autofs</title>
 
<para>The installation process creates <filename>auto.master</filename>,
<filename>auto.misc</filename> and <filename>auto.net</filename>. You
will replace the <filename>auto.master</filename> with the following
commands.
<sect3 id="autofs-config">
<title>Fichiers de configuration</title>
 
<screen><userinput role='root'><command>mv /etc/auto.master /etc/auto.master.bak &amp;&amp;
cat &gt; /etc/auto.master &lt;&lt; "EOF"</command>
# Begin /etc/auto.master
<para><filename>/etc/sysconfig/autofs.conf</filename>,
<filename>/etc/auto.master</filename>,
<filename>/etc/auto.misc</filename> et
<filename>/etc/auto.net</filename></para>
 
/media /etc/auto.misc
<indexterm zone="autofs autofs-config" >
<primary sortas="e-etc-sysconfig-autofs.conf">/etc/sysconfig/autofs.conf</primary>
</indexterm>
 
# End /etc/auto.master
<command>EOF</command></userinput></screen></para>
<indexterm zone="autofs autofs-config">
<primary sortas="e-etc-auto.master">/etc/auto.master</primary>
</indexterm>
 
<note><para>This file mounts a new media directory over the one created by
<acronym>LFS</acronym> and will therefore hide any mounts made by the
<filename>fstab</filename> file into that directory.</para></note>
<indexterm zone="autofs autofs-config">
<primary sortas="e-etc-auto.misc">/etc/auto.misc</primary>
</indexterm>
 
<para>While this package could be used to mount <acronym>NFS</acronym>
shares and <acronym>SMB</acronym> shares, that feature is not configured
in these instructions. <acronym>NFS</acronym> shares are covered on the
next page.
</para>
<indexterm zone="autofs autofs-config">
<primary sortas="e-etc-auto.net">/etc/auto.net</primary>
</indexterm>
 
<para>The <filename>auto.misc</filename> must be configured to your
working hardware. The loaded configuration file should load your cdrom
if <filename>/dev/cdrom</filename> is active or it can be edited to
match your device setup and examples for floppies are available in the file
and easily activated. Documentation for this file is available using the
<command>man 5 autofs</command> command.</para>
</sect3>
 
<para id="autofs-init">Install the
<filename>/etc/rc.d/init.d/autofs</filename> mount script and
<filename>/etc/sysconfig/autofs.conf</filename> support file
included with the <xref linkend="intro-important-bootscripts"/>
package.</para>
<indexterm zone="autofs autofs-init">
<primary sortas="f-autofs-init">autofs</primary></indexterm>
<sect3>
<title>Informations de configuration</title>
 
<screen><userinput role='root'><command>make install-autofs</command></userinput></screen>
<para>The installation process creates <filename>auto.master</filename>,
<filename>auto.misc</filename>, <filename>auto.smb</filename> et
<filename>auto.net</filename>. Replace the
<filename>auto.master</filename> file with les commandes suivantes&nbsp;:</para>
 
<para>The time-out variable is set in
<filename>/etc/sysconfig/autofs.conf</filename>. The installed file sets
a default of 60 seconds of inactivity before unmounting the device. A
much shorter time may be necessary to protect buffer writing to a
floppy if users tend to remove the media prior to the timeout
setting.</para>
</sect3>
<screen role="root"><userinput>mv /etc/auto.master /etc/auto.master.bak &amp;&amp;
cat &gt; /etc/auto.master &lt;&lt; "EOF"
<literal># Begin /etc/auto.master
 
</sect2>
/media/auto /etc/auto.misc --ghost
#/home /etc/auto.home
 
<sect2>
<title>Contents</title>
# End /etc/auto.master</literal>
EOF</userinput></screen>
 
<segmentedlist>
<segtitle>Installed Program</segtitle>
<segtitle>Installed Libraries</segtitle>
<seglistitem>
<seg>automount</seg>
<seg>autofs modules</seg>
</seglistitem>
</segmentedlist>
<para>This file creates a new media directory, <filename>/media/auto</filename>
that will overlay any existing directory of the same name. In this example,
the file, <filename>/etc/auto.misc</filename>, has a line:</para>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<screen>cd -fstype=iso9660,ro,nosuid,nodev :/dev/cdrom</screen>
 
<varlistentry id="automount">
<term><command>automount</command></term>
<listitem><para>is the daemon that performs the mounting when a request is
made for the device.</para>
<indexterm zone="autofs automount">
<primary sortas="b-automount">automount</primary></indexterm>
</listitem>
</varlistentry>
</variablelist>
<para>that will mount a cdrom as <filename>/media/auto/cd</filename> if
that directory is accessed. The <option>--ghost</option> option tells
the automounter to create <quote>ghost</quote> versions (i.e. empty
directories) of all the mount points listed in the configuration file
regardless whether any of the file systems are actually mounted or not.
This is very convenient et highly recommended, because it will show you
the available auto-mountable file systems as existing directories, even
when their file systems aren't currently mounted. Without the
<option>--ghost</option> option, you'll have to remember the names of the
directories. As soon as you try to access one of them, the directory will
be created et the file system will be mounted. When the file system gets
unmounted again, the directory is destroyed too, unless the
<option>--ghost</option> option was given.</para>
 
</sect2>
<note>
<para>An alternative method would be to specify another automount
location such as <filename
class='directory'>/var/lib/auto/cdrom</filename> et create a
symbolic link from <filename class='directory'>/media/cdrom</filename>
to the automount location.</para>
</note>
 
<para>The <filename>auto.misc</filename> file must be configured to your
working hardware. The loaded configuration file should load your cdrom
if <filename>/dev/cdrom</filename> is active or it can be edited to
match your device setup. Examples for floppies are available in the file
et easily activated. Documentation for this file is available using the
<command>man 5 autofs</command> command.</para>
 
<para>In the second line, if enabled, a user's home directory would be
mounted via NFS upon login. The <filename>/etc/home.auto</filename>
would need to exist et have an entry similar to:</para>
 
<screen>joe example.org:/export/home/joe</screen>
 
<para>where the directory <filename>/export/home/joe</filename> is
exported via NFS from the system example.org. NFS shares
are covered on the next page.</para>
 
<para>This package could also be used to mount SMB shares, however that
feature is not configured in these instructions. For additional
configuration information, see the man pages for auto.master(5). There
are also web resources such as this <ulink
url='http://gentoo-wiki.com/HOWTO_Auto_mount_filesystems_(AUTOFS)#Config_files'>AUTOFS
HOWTO</ulink> available.</para>
 
</sect3>
 
<!--
<sect3 id="autofs-init">
<title>Boot Script</title>
 
 
<para>Installez the <filename>/etc/rc.d/init.d/autofs</filename> mount script
et <filename>/etc/sysconfig/autofs.conf</filename> support file included
with the <xref linkend="bootscripts"/> package.</para>
 
<indexterm zone="autofs autofs-init">
<primary sortas="f-autofs-init">autofs</primary>
</indexterm>
 
<screen role="root"><userinput>make install-autofs</userinput></screen>
 
<para>The time-out variable is set in
<filename>/etc/sysconfig/autofs.conf</filename>. The installed file sets
a default of 60 seconds of inactivity before unmounting the device. A
much shorter time may be necessary to protect buffer writing to a floppy
if users tend to remove the media prior to the timeout setting.</para>
 
</sect3>
-->
 
</sect2>
 
<sect2 role="content">
<title>Contenu</title>
 
<segmentedlist>
<segtitle>Installed Program</segtitle>
<segtitle>Bibliothèques installées</segtitle>
<segtitle>Répertoires installés</segtitle>
 
<seglistitem>
<seg>automount</seg>
<seg>lookup_file.so, lookup_hosts.so, lookup_multi.so,
lookup_nisplus.so, lookup_program.so, lookup_userhome.so,
lookup_yp.so, mount_afs.so, mount_autofs.so, mount_bind.so,
mount_changer.so, mount_ext2.so, mount_generic.so,
mount_nfs.so, parse_sun.so</seg>
<seg>/lib/autofs et /var/run/autofs</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Descriptions courtes</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
 
<varlistentry id="automount">
<term><command>automount</command></term>
<listitem>
<para>is the daemon that performs the mounting when a request is
made for the device.</para>
<indexterm zone="autofs automount">
<primary sortas="b-automount">automount</primary>
</indexterm>
</listitem>
</varlistentry>
 
</variablelist>
 
</sect2>
 
</sect1>
 
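Review bot: the new download step fetches `patch_order-&autofs-version;` and every patch it names from `&autofs-patch-dir;`, which is an `http://` URL, and the build loop then runs `patch -Np1 -i ../$f` on each entry, so whatever that list contains at download time is applied to the source with no integrity check; only the tarball has an MD5 entity. The revision being replaced named each recommended patch explicitly. Consider listing the expected patches with checksums, or at least telling the reader to review `wget-list` and the downloaded files before running the loop. Separately, the sample auto.master carries the commented line `#/home /etc/auto.home` while the explanation below it refers to `/etc/home.auto`; make the two names agree. The "Fichiers de configuration" list omits `auto.smb`, which the following paragraph says the installation creates, and several sentences mix languages ("Recommandées Patches:", "issue the following suivantes", "with les commandes suivantes").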
/trunk/blfs/postlfs/config/compressdoc.xml
1,150 → 1,184
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-config-compressdoc" xreflabel="compressdoc">
<?dbhtml filename="compressdoc.html"?>
<title>Compresser les pages man et info</title>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<para>Les programmes de lecture de pages man et peuvent traiter de manière
transparente des pages compressées avec <application>gzip</application>
et <application>bzip</application>, fonctionnalité intéressante pour gagner en
espace disque tout en conservant votre documentation. Néanmoins, les choses ne
sont pas aussi simple&nbsp;: les répertoires man ont tendance à contenir des
liens, physiques et symboliques, qui empêchent les idées simples comme l'appel
récursif de <command>gzip</command>. Une meilleur façon de faire est d'utiliser
le script ci-dessous.
</para>
<sect1 id="compressdoc" xreflabel="Compressing man et info pages">
<?dbhtml filename="compressdoc.html"?>
 
<screen><userinput><command>cat &gt; /usr/sbin/compressdoc &lt;&lt; "EOF"</command>
#!/bin/bash
# VERSION: 20040320.0026
<sect1info>
<othername>$LastChangedBy: dnicholson $</othername>
<date>$Date: 2008-04-22 01:27:43 +0200 (mar, 22 avr 2008) $</date>
</sect1info>
 
<title>Compressing Man et Info Pages</title>
 
<indexterm zone="compressdoc">
<primary sortas="b-compressdoc">compressdoc</primary>
</indexterm>
 
<para>Man et info reader programs can transparently process files compressed
with <command>gzip</command> or <command>bzip2</command>, a feature you can
use to free some disk space while keeping your documentation
available. However, things are not that simple; man directories tend to
contain links&mdash;hard et symbolic&mdash;which defeat simple ideas like
recursively calling <command>gzip</command> on them. A better way to go is
to use the script below. If you would prefer to download the file instead of
creating it by typing or cut-and-pasting, you can find it at
<ulink url="&files-anduin;/compressdoc"/> (the file should be installed in
the <filename class="directory">/usr/sbin</filename> directory).</para>
 
<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /usr/sbin/compressdoc &lt;&lt; "EOF"
<literal>#!/bin/bash
# VERSION: 20080421.1623
#
# Compresse (avec bzip2 ou gzip) toutes les pages man dans un ensemble de
# répertoires et met à jour les liens symboliques - Par Marc Heerdink &lt;marc @ koelkast.net&gt;
# Modifiez pour être capable de compresser les fichiers avec gzip ou bzip2
# suivant une option et pour gérer tous les liens symboliques proprement par
# Mark Hymers &lt;markh @ linuxfromscratch.org&gt;
# Compress (with bzip2 or gzip) all man pages in a hierarchy et
# update symlinks - By Marc Heerdink &lt;marc @ koelkast.net&gt;
#
# Modifié 20030930 par Yann E. Morin &lt;yann.morin.1998 @ anciens.enib.fr&gt;
# pour accepter la compression/décompression, pour gérer correctement les liens
# physiques, pour permettre la modification de liens physiques en liens
# symboliques, pour spécifier le niveau de compression, pour analyser man.conf
# pour toutes les occurrences de MANPATH, pour permettre une sauvegarde, pour
# autoriser la conservation de la version la plus récente d'une page.
# Modifié 20040330 par Tushar Teredesai pour remplacer $0 par le nom du script.
# (Note: il est supposé que le script se trouve dans le chemin (PATH) de l'utilisateur)
# Modified to be able to gzip or bzip2 files as an option et to deal
# with all symlinks properly by Mark Hymers &lt;markh @ &lfs-domainname;&gt;
#
# Modified 20030930 by Yann E. Morin &lt;yann.morin.1998 @ anciens.enib.fr&gt;
# to accept compression/decompression, to correctly handle hard-links,
# to allow for changing hard-links into soft- ones, to specify the
# compression level, to parse the man.conf for all occurrences of MANPATH,
# to allow for a backup, to allow to keep the newest version of a page.
#
# Modified 20040330 by Tushar Teredesai to replace $0 by the name of the
# script.
# (Note: It is assumed that the script is in the user's PATH)
#
# Modified 20050112 by Randy McMurchy to shorten line lengths et
# correct grammar errors.
#
# Modified 20060128 by Alexander E. Patrakov for compatibility with Man-DB.
#
# Modified 20060311 by Archaic to use Man-DB manpath utility which is a
# replacement for man --path from Man.
#
# Modified 20080421 by Dan Nicholson to properly execute the correct
# compressdoc when working recursively. This means the same compressdoc
# will be used whether a full path was given or it was resolved from PATH.
#
# Modified 20080421 by Dan Nicholson to be more robust with directories
# that don't exist or don't have sufficient permissions.
#
# Modified 20080421 by Lars Bamberger to (sort of) automatically choose
# a compression method based on the size of the manpage. A couple bug
# fixes were added by Dan Nicholson.
#
# Modified 20080421 by Dan Nicholson to suppress warnings from manpath
# since these are emitted when $MANPATH is set. Removed the TODO for
# using the $MANPATH variable since manpath(1) handles this already.
#
# TODO:
# - choisir une méthode de compression par défaut suivant la
# disponibilité des outils : gzip ou bzip2;
# - offrir une option pour choisir automatiquement la meilleure méthode
# de compression sur une base page par page (c'est-à-dire, vérifier
# lequel des outils de compression, entre gzip/bzip2/autre, est le plus
# performant, et ceci page par page);
# - lorsque la variable d'environnement MANPATH existe, l'utilisez plutôt
# que /etc/man.conf (utile pour les utilisateurs souhaitant
# (dé)compresser leurs man pages;
# - offrir une option pour restaurer une sauvegarde précédente;
# - ajouter d'autres outils de compression (compress, zip, etc?).
# Nécessaire?
# - choose a default compress method to be based on the available
# tool : gzip or bzip2;
# - offer an option to restore a previous backup;
# - add other compression engines (compress, zip, etc?). Needed?
 
# Assez logiquement, cette fonction affiche de l'aide.
# Funny enough, this function prints some help.
function help ()
{
if [ -n "$1" ]; then
echo "Option inconnue : $1"
echo "Unknown option : $1"
fi
( echo "Usage: $MY_NAME &lt;méthode_compression&gt; [options] [dirs]" &amp;&amp; \
( echo "Usage: $MY_NAME &lt;comp_method&gt; [options] [dirs]" &amp;&amp; \
cat &lt;&lt; EOT
Où méthode_compression est :
Where comp_method is one of :
--gzip, --gz, -g
--bzip2, --bz2, -b
Compresse en utilisant gzip ou bzip2.
Compress using gzip or bzip2.
--automatic
Compress using either gzip or bzip2, depending on the
size of the file to be compressed. Files larger than 5
kB are bzipped, files larger than 1 kB are gzipped et
files smaller than 1 kB are not compressed.
 
--decompress, -d
Décompresse les pages man.
Decompress the man pages.
 
--backup Spécifie qu'une sauvegarde .tar doit être faire pour chaque
répertoire.
Au cas où une sauvegarde existe déjà, elle est sauvegardée dans
.tar.old avant de créer la nouvelle sauvegarde. Si une
sauvegarde .tar.old existe, elle est supprimée avant de
sauvegarder l'ancienne sauvegarde. En mode sauvegarde, aucune
autre action n'est effectuée.
--backup Specify a .tar backup shall be done for all directories.
In case a backup already exists, it is saved as .tar.old
prior to making the new backup. If a .tar.old backup
exists, it is removed prior to saving the backup.
In backup mode, no other action is performed.
 
Et où les options sont :
And where options are :
-1 to -9, --fast, --best
Le niveau de compression, telle que gérée par gzip et bzip2. Si
elle n'est pas spécifiée, utilise le niveau de compression par
défaut de la méthode donnée (-6 pour gzip, et -9 pour bzip2).
Inutilisée en mode sauvegarde et en mode décompression.
The compression level, as accepted by gzip et bzip2.
When not specified, uses the default compression level
for the given method (-6 for gzip, et -9 for bzip2).
Not used when in backup or decompress modes.
 
--force, -F Force la (re-)compression, même si l'ancien utilisait la même
méthode. Utile lors d'un changement de niveau de compression.
Par défaut, une page ne sera pas re-compressée si elle se
termine avec le même suffixe que la méthode utilisée
(.bz2 pour bzip2, .gz pour gzip).
--force, -F Force (re-)compression, even if the previous one was
the same method. Useful when changing the compression
ratio. By default, a page will not be re-compressed if
it ends with the same suffix as the method adds
(.bz2 for bzip2, .gz for gzip).
 
--soft, -S Modifie les liens physiques en liens symboliques. A utiliser
avec précaution car le premier fichier rencontré sera utilisé
comme référence. Inutilisée en mode sauvegarde.
--soft, -S Change hard-links into soft-links. Use with _caution_
as the first encountered file will be used as a
reference. Not used when in backup mode.
 
--hard, -H Modifie les liens symboliques en liens physiques. Inutilisée en
mode sauvegarde.
--hard, -H Change soft-links into hard-links. Not used when in
backup mode.
 
--conf=dir, --conf dir
Spécifie l'emplacement de man.conf. Par défaut, /etc.
Specify the location of man_db.conf. Defaults to /etc.
 
--verbose, -v Mode verbeux, affiche le nom du répertoire en cours de
traitement. Doublez l'option pour qu'elle soit encore plus
verbeuse et pour qu'elle affiche le nom du fichier en cours de
traitement.
--verbose, -v Verbose mode, print the name of the directory being
processed. Double the flag to turn it even more verbose,
et to print the name of the file being processed.
 
--fake, -f Mode émulation. Affiche les paramètres réels que compman
utilisera.
--fake, -f Fakes it. Print the actual parameters compressdoc will use.
 
dirs Une liste de chemins absolus séparés par des espaces menant aux
répertoires man.
Si vide, et seulement dans ce cas, analyse ${MAN_CONF}/man.conf
pour toutes les occurrences de MANPATH.
dirs A list of space-separated _absolute_ pathnames to the
man directories. When empty, et only then, use manpath
to parse ${MAN_CONF}/man_db.conf for all valid occurrences
of MANDATORY_MANPATH.
 
Note sur la compression
Il y a eu une discussion sur blfs-support concernant les niveaux de
compression de gzip et bzip2 sur les pages man, en prenant en compte le
système de fichiers hôte, l'architecture, etc... En résumé, la conclusion
était que gzip était plus efficace sur les 'petits' fichiers, que bzip2
l'était sur les 'gros' fichiers, petit et gros dépendant beaucoup du contenu
des fichiers.
Note about compression:
There has been a discussion on blfs-support about compression ratios of
both gzip et bzip2 on man pages, taking into account the hosting fs,
the architecture, etc... On the overall, the conclusion was that gzip
was much more efficient on 'small' files, et bzip2 on 'big' files,
small et big being very dependent on the content of the files.
 
Voir le message original de Mickael A. Peters, intitulé "Bootable Utility CD",
et daté de 20030409.1816(+0200), ainsi que les messages consécutifs:
http://linuxfromscratch.org/pipermail/blfs-support/2003-April/038817.html
See the original post from Mickael A. Peters, titled
"Bootable Utility CD", dated 20030409.1816(+0200), et subsequent posts:
http://&lfs-domainname;/pipermail/blfs-support/2003-April/038817.html
 
Sur mon système (x86, ext3), les pages man faisaient 35564kiB avant compression. gzip -9
les a compressé pour arriver à 20372kiB (57,28%), bzip2 -9 arrivait à 19812kiB
(55,71%). Cela représente un gain de 1,57%. YMMV.
On my system (x86, ext3), man pages were 35564KB before compression.
gzip -9 compressed them down to 20372KB (57.28%), bzip2 -9 got down to
19812KB (55.71%). That is a 1.57% gain in space. YMMV.
 
Ce qui n'a pas été pris en considération est le temps de décompression. Mais
cela a-t'il aussi un sens ? Vous gagnez en rapidité d'accès avec des pages man
non compressées ou vous gagnez de l'espace disque contre un léger
contre-temps. En fait, mon P4-2.5GHz ne me permet même pas de l'apprécier... :-)
What was not taken into consideration was the decompression speed. But
does it make sense to? You gain fast access with uncompressed man
pages, or you gain space at the expense of a slight overhead in time.
Well, my P4-2.5GHz does not even let me notice this... :-)
 
EOT
) | less
}
 
# Cette fonction vérifie que la page man est unique parmi les versions bzip2,
# gzip et non compressés.
# $1 le répertoire où réside le fichier
# $2 le nom du fichier de la page man
# Renvoit 0 (true) si le fichier est le dernier et doit être pris en
# considération et 1 (false) si le fichier n'est pas le dernier (et a donc été
# supprimé).
# This function checks that the man page is unique amongst bzip2'd,
# gzip'd et uncompressed versions.
# $1 the directory in which the file resides
# $2 the file name for the man page
# Returns 0 (true) if the file is the latest et must be taken care of,
# et 1 (false) if the file is not the latest (and has therefore been
# deleted).
function check_unique ()
{
# NB. Lorsqu'il y a des liens physiques vers ce fichier, ils ne sont _pas_
# supprimés. En fait, si ce sont des liens physiques, ils ont tous la même
# date/heure, les préparant à la suppression plus tard.
# NB. When there are hard-links to this file, these are
# _not_ deleted. In fact, if there are hard-links, they
# all have the same date/time, thus making them ready
# for deletion later on.
 
# Construit la liste de toutes les pages man de même nom
# Build the list of all man pages with the same name
DIR=$1
BASENAME=`basename "${2}" .bz2`
BASENAME=`basename "${BASENAME}" .gz`
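Review bot: the English text brought in by this revision has "and" replaced by "et" throughout, including inside the heredoc that becomes /usr/sbin/compressdoc. The title reads "Compressing Man et Info Pages", the --automatic help says "files larger than 1 kB are gzipped et files smaller than 1 kB are not compressed", and the script header reads "all man pages in a hierarchy et update symlinks". This looks like a blanket substitution applied to untranslated text. Either restore "and" in the English passages or translate them fully; the help text in particular is what users see from compressdoc --help.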
151,24 → 185,26
GZ_FILE="$BASENAME".gz
BZ_FILE="$BASENAME".bz2
 
# Recherche, et conserve, le plus récent
LATEST=`(cd "$DIR"; ls -1rt "${BASENAME}" "${GZ_FILE}" "${BZ_FILE}" 2&gt;/dev/null | tail -n 1)`
# Look for, et keep, the most recent one
LATEST=`(cd "$DIR"; ls -1rt "${BASENAME}" "${GZ_FILE}" "${BZ_FILE}" \
2&gt;/dev/null | tail -n 1)`
for i in "${BASENAME}" "${GZ_FILE}" "${BZ_FILE}"; do
[ "$LATEST" != "$i" ] &amp;&amp; rm -f "$DIR"/"$i"
done
 
# Au cas où le fichier spécifié est le dernier, renvoit 0
# In case the specified file was the latest, return 0
[ "$LATEST" = "$2" ] &amp;&amp; return 0
# Si le fichier n'est pas le dernier, renvoit 1
# If the file was not the latest, return 1
return 1
}
 
# Nom du script
# Name of the script
MY_NAME=`basename $0`
 
# OK, analyse les arguments de la ligne de commande et initialise à un état
# particulier : ne pas modifier les liens, analyser /etc/man.conf, être le plus
# silencieux, rechercher man.conf dans /etc et ne pas forcer la (re-)compression.
# OK, parse the command-line for arguments, et initialize to some
# sensible state, that is: don't change links state, parse
# /etc/man_db.conf, be most silent, search man_db.conf in /etc, et don't
# force (re-)compression.
COMP_METHOD=
COMP_SUF=
COMP_LVL=
191,6 → 227,11
COMP_METHOD=$1
shift
;;
--automatic)
COMP_SUF=TBD
COMP_METHOD=$1
shift
;;
--decompress|-d)
COMP_SUF=
COMP_LVL=
246,7 → 287,7
exit 1
;;
*)
echo "\"$1\" n'est pas un chemin absolu"
echo "\"$1\" is not an absolute path name"
exit 1
;;
esac
255,19 → 296,19
# Redirections
case $VERBOSE_LVL in
0)
# O, être silencieux
# O, be silent
DEST_FD0=/dev/null
DEST_FD1=/dev/null
VERBOSE_OPT=
;;
1)
# 1, être un peu verbeux
# 1, be a bit verbose
DEST_FD0=/dev/stdout
DEST_FD1=/dev/null
VERBOSE_OPT=-v
;;
*)
# 2 et au-dessus, être très verbeux
# 2 et above, be most verbose
DEST_FD0=/dev/stdout
DEST_FD1=/dev/stdout
VERBOSE_OPT="-v -v"
274,10 → 315,10
;;
esac
 
# Note: sur ma machine, 'man --path' donne /usr/share/man deux fois, une fois
# avec un '/' en fin, une fois sans.
# Note: on my machine, 'man --path' gives /usr/share/man twice, once
# with a trailing '/', once without.
if [ -z "$MAN_DIR" ]; then
MAN_DIR=`man --path -C "$MAN_CONF"/man.conf \
MAN_DIR=`manpath -q -C "$MAN_CONF"/man_db.conf \
| sed 's/:/\\n/g' \
| while read foo; do dirname "$foo"/.; done \
| sort -u \
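Review bot: the comment above this pipeline still says 'man --path' gives /usr/share/man twice, but the command it describes is now `manpath -q -C "$MAN_CONF"/man_db.conf`. Update the comment to name manpath so it matches the code. While this pipeline is being touched, `while read foo` would be safer as `while read -r foo`, since read without -r interprets backslashes in the paths it is given.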
284,96 → 325,139
| while read bar; do echo -n "$bar "; done`
fi
 
# Si aucun MANPATH dans ${MAN_CONF}/man.conf, annuler tout
# If no MANDATORY_MANPATH in ${MAN_CONF}/man_db.conf, abort as well
if [ -z "$MAN_DIR" ]; then
echo "Aucun répertoire spécifié et aucun répertoire trouvé avec \`man --path'"
echo "No directory specified, et no directory found with \`manpath'"
exit 1
fi
 
# Faux?
# Check that the specified directories actually exist et are readable
for DIR in $MAN_DIR; do
if [ ! -d "$DIR" -o ! -r "$DIR" ]; then
echo "Directory '$DIR' does not exist or is not readable"
exit 1
fi
done
 
# Fake?
if [ "$FAKE" != "no" ]; then
echo "Paramètres utilisés:"
echo -n "Compression........: "
echo "Actual parameters used:"
echo -n "Compression.......: "
case $COMP_METHOD in
--bzip2|--bz2|-b) echo -n "bzip2";;
--gzip|__gz|-g) echo -n "gzip";;
--decompress|-d) echo -n "décompression";;
--gzip|--gz|-g) echo -n "gzip";;
--automatic) echo -n "compressing";;
--decompress|-d) echo -n "decompressing";;
*) echo -n "unknown";;
esac
echo " ($COMP_METHOD)"
echo "Niveau de compression.: $COMP_LVL"
echo "Suffixe de compression: $COMP_SUF"
echo -n "Forcer la compression: "
echo "Compression level.: $COMP_LVL"
echo "Compression suffix: $COMP_SUF"
echo -n "Force compression.: "
[ "foo$FORCE_OPT" = "foo-F" ] &amp;&amp; echo "yes" || echo "no"
echo "man.conf est..........: ${MAN_CONF}/man.conf"
echo -n "Hard-links............: "
[ "foo$LN_OPT" = "foo-S" ] &amp;&amp; echo "convert to soft-links" || echo "leave as is"
echo -n "Liens symboliques.....: "
[ "foo$LN_OPT" = "foo-H" ] &amp;&amp; echo "convert to hard-links" || echo "leave as is"
echo "Sauvegarde............: $BACKUP"
echo "Faux (oui!)...........: $FAKE"
echo "Répertoires...........: $MAN_DIR"
echo "Niveau de verbosité...: $VERBOSE_LVL"
echo "man_db.conf is....: ${MAN_CONF}/man_db.conf"
echo -n "Hard-links........: "
[ "foo$LN_OPT" = "foo-S" ] &amp;&amp;
echo "convert to soft-links" || echo "leave as is"
echo -n "Soft-links........: "
[ "foo$LN_OPT" = "foo-H" ] &amp;&amp;
echo "convert to hard-links" || echo "leave as is"
echo "Backup............: $BACKUP"
echo "Faking (yes!).....: $FAKE"
echo "Directories.......: $MAN_DIR"
echo "Verbosity level...: $VERBOSE_LVL"
exit 0
fi
 
# Si aucune méthode n'a été spécifiée, affichez l'aide
# If no method was specified, print help
if [ -z "${COMP_METHOD}" -a "${BACKUP}" = "no" ]; then
help
exit 1
fi
 
# En mode sauvegarde, faire uniquement la sauvegarde
# In backup mode, do the backup solely
if [ "$BACKUP" = "yes" ]; then
for DIR in $MAN_DIR; do
cd "${DIR}/.."
if [ ! -w "`pwd`" ]; then
echo "Directory '`pwd`' is not writable"
exit 1
fi
DIR_NAME=`basename "${DIR}"`
echo "Sauvegarde de $DIR..." &gt; $DEST_FD0
echo "Backing up $DIR..." &gt; $DEST_FD0
[ -f "${DIR_NAME}.tar.old" ] &amp;&amp; rm -f "${DIR_NAME}.tar.old"
[ -f "${DIR_NAME}.tar" ] &amp;&amp; mv "${DIR_NAME}.tar" "${DIR_NAME}.tar.old"
tar cfv "${DIR_NAME}.tar" "${DIR_NAME}" &gt; $DEST_FD1
[ -f "${DIR_NAME}.tar" ] &amp;&amp;
mv "${DIR_NAME}.tar" "${DIR_NAME}.tar.old"
tar -cvf "${DIR_NAME}.tar" "${DIR_NAME}" &gt; $DEST_FD1
done
exit 0
fi
 
# Je sais que MAN_DIR n'a que des noms de chemins absolus
# Je dois prendre en considération les pages man localisées, donc je deviens
# récursif
# I know MAN_DIR has only absolute path names
# I need to take into account the localized man, so I'm going recursive
for DIR in $MAN_DIR; do
MEM_DIR=`pwd`
if [ ! -w "$DIR" ]; then
echo "Directory '$DIR' is not writable"
exit 1
fi
cd "$DIR"
for FILE in *; do
# Corrige le cas où le répertoire est vide
# Fixes the case were the directory is empty
if [ "foo$FILE" = "foo*" ]; then continue; fi
 
# Corrige le cas où les liens symboliques voient leur schéma de compression
# changé (de non compressé à compressé, ou de bz2 à gz, ou de gz à bz2)
# Corrige aussi le cas où plusieurs versions de la page sont présentes,
# compressées ou non.
# Fixes the case when hard-links see their compression scheme change
# (from not compressed to compressed, or from bz2 to gz, or from gz
# to bz2)
# Also fixes the case when multiple version of the page are present,
# which are either compressed or not.
if [ ! -L "$FILE" -a ! -e "$FILE" ]; then continue; fi
 
# Ne compresse pas les fichiers whatis
# Do not compress whatis files
if [ "$FILE" = "whatis" ]; then continue; fi
 
if [ -d "$FILE" ]; then
cd "${MEM_DIR}" # Retourne en arrière où nous avons lancé "$0", au cas où "$0"=="./compressdoc" ...
# Nous devenons récursif pour ce répertoire
# We are going recursive to that directory
echo "-&gt; Entering ${DIR}/${FILE}..." &gt; $DEST_FD0
# Je ne dois pas passé --conf, car je spécifie le répertoire de travail
# Mais je dois sortir en cas d'erreur
"$MY_NAME" ${COMP_METHOD} ${COMP_LVL} ${LN_OPT} ${VERBOSE_OPT} ${FORCE_OPT} "${DIR}/${FILE}" || exit 1
echo "&lt;- Sortie de ${DIR}/${FILE}." &gt; $DEST_FD1
cd "$DIR" # Nécessaire pour la prochaine itération de la boucle
# I need not pass --conf, as I specify the directory to work on
# But I need exit in case of error. We must change back to the
# original directory so $0 is resolved correctly.
(cd "$MEM_DIR" &amp;&amp; eval "$0" ${COMP_METHOD} ${COMP_LVL} ${LN_OPT} \
${VERBOSE_OPT} ${FORCE_OPT} "${DIR}/${FILE}") || exit $?
echo "&lt;- Leaving ${DIR}/${FILE}." &gt; $DEST_FD1
 
else # !dir
if ! check_unique "$DIR" "$FILE"; then continue; fi
 
# Vérifie si le fichier est déjà compressé avec la méthode spécifiée
# With automatic compression, get the uncompressed file size of
# the file (dereferencing symlinks), et choose an appropriate
# compression method.
if [ "$COMP_METHOD" = "--automatic" ]; then
declare -i SIZE
case "$FILE" in
*.bz2)
SIZE=$(bzcat "$FILE" | wc -c) ;;
*.gz)
SIZE=$(zcat "$FILE" | wc -c) ;;
*)
SIZE=$(wc -c &lt; "$FILE") ;;
esac
if (( $SIZE &gt;= (5 * 2**10) )); then
COMP_SUF=.bz2
elif (( $SIZE &gt;= (1 * 2**10) )); then
COMP_SUF=.gz
else
COMP_SUF=
fi
fi
 
# Check if the file is already compressed with the specified method
BASE_FILE=`basename "$FILE" .gz`
BASE_FILE=`basename "$BASE_FILE" .bz2`
if [ "${FILE}" = "${BASE_FILE}${COMP_SUF}" -a "foo${FORCE_OPT}" = "foo" ]; then continue; fi
if [ "${FILE}" = "${BASE_FILE}${COMP_SUF}" \
-a "foo${FORCE_OPT}" = "foo" ]; then continue; fi
 
# Si nous avons un lien symbolique
# If we have a symlink
if [ -h "$FILE" ]; then
case "$FILE" in
*.bz2)
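Review bot: in the recursion, `eval "$0" ${COMP_METHOD} ... "${DIR}/${FILE}"` hands the directory name to eval, which joins its arguments and parses the result again as shell input. The quoting around "${DIR}/${FILE}" is lost at that point, so a subdirectory name containing spaces is split and one containing shell metacharacters is interpreted, in a script the page tells readers to run as root. Calling "$0" directly inside the subshell, without eval, keeps the cd back to "$MEM_DIR" and passes the path as a single argument. Separately, in the --automatic block `SIZE=$(wc -c < "$FILE")` fails for a symlink whose target was already renamed by compression earlier in the loop; SIZE then evaluates to 0, COMP_SUF is emptied and the "already compressed" test skips the link, which appears to leave it dangling. This is worth a test with a symlink whose name sorts after its target.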
385,7 → 469,8
esac
 
if [ ! "$EXT" = "none" ]; then
LINK=`ls -l "$FILE" | cut -d "&gt;" -f2 | tr -d " " | sed s/\.$EXT$//`
LINK=`ls -l "$FILE" | cut -d "&gt;" -f2 \
| tr -d " " | sed s/\.$EXT$//`
NEWNAME=`echo "$FILE" | sed s/\.$EXT$//`
mv "$FILE" "$NEWNAME"
FILE="$NEWNAME"
394,34 → 479,33
fi
 
if [ "$LN_OPT" = "-H" ]; then
# Modifie le lien symbolique en lien physique
# Change this soft-link into a hard- one
rm -f "$FILE" &amp;&amp; ln "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
chmod --reference "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
else
# Modifie le lien physique en lien symbolique
# Keep this soft-link a soft- one.
rm -f "$FILE" &amp;&amp; ln -s "${LINK}$COMP_SUF" "${FILE}$COMP_SUF"
fi
echo "Modification du lien $FILE" &gt; $DEST_FD1
echo "Relinked $FILE" &gt; $DEST_FD1
 
# Sinon, nous avons un fichier standard
# else if we have a plain file
elif [ -f "$FILE" ]; then
# Prenons en considération les liens physiques: construire la liste des
# liens physiques allant sur le fichier que nous sommes en train de
# {dé,}compresser.
# NB. Ceci n'est pas optimum car le fichier sera éventuellement
# compressé autant de fois qu'il a de liens compressés. Mais, pour
# l'instant, c'est le moyen le plus sûr.
# Take care of hard-links: build the list of files hard-linked
# to the one we are {de,}compressing.
# NB. This is not optimum has the file will eventually be
# compressed as many times it has hard-links. But for now,
# that's the safe way.
inode=`ls -li "$FILE" | awk '{print $1}'`
HLINKS=`find . \! -name "$FILE" -inum $inode`
 
if [ -n "$HLINKS" ]; then
# Nous avons de liens physiques! A supprimer maintenant.
# We have hard-links! Remove them now.
for i in $HLINKS; do rm -f "$i"; done
fi
 
# Maintenant, occupons-nous du fichier qui n'a pas de liens physiques
# Nous décompressons avant de re-compresser avec le niveau de
# compression sélectionné précédemment...
# Now take care of the file that has no hard-link
# We do decompress first to re-compress with the selected
# compression ratio later on...
case "$FILE" in
*.bz2)
bunzip2 $FILE
433,79 → 517,83
;;
esac
 
# Compresse le fichier avec le taux de compression indiqué si nécessaire
# Compress the file with the given compression ratio, if needed
case $COMP_SUF in
*bz2)
bzip2 ${COMP_LVL} "$FILE" &amp;&amp; chmod 644 "${FILE}${COMP_SUF}"
echo "$FILE compressé " &gt; $DEST_FD1
echo "Compressed $FILE" &gt; $DEST_FD1
;;
*gz)
gzip ${COMP_LVL} "$FILE" &amp;&amp; chmod 644 "${FILE}${COMP_SUF}"
echo "$FILE compressé " &gt; $DEST_FD1
echo "Compressed $FILE" &gt; $DEST_FD1
;;
*)
echo "$FILE non compressé " &gt; $DEST_FD1
echo "Uncompressed $FILE" &gt; $DEST_FD1
;;
esac
 
# Si le fichier a des liens physiques, nous devons les recréer (soit en
# physique soit en symbolique)
# If the file had hard-links, recreate those (either hard or soft)
if [ -n "$HLINKS" ]; then
for i in $HLINKS; do
NEWFILE=`echo "$i" | sed s/\.gz$// | sed s/\.bz2$//`
if [ "$LN_OPT" = "-S" ]; then
# Modifie ce lien symbolique en lien physique
# Make this hard-link a soft- one
ln -s "${FILE}$COMP_SUF" "${NEWFILE}$COMP_SUF"
else
# Modifie ce lien physique en lien symbolique
# Keep the hard-link a hard- one
ln "${FILE}$COMP_SUF" "${NEWFILE}$COMP_SUF"
fi
chmod 644 "${NEWFILE}$COMP_SUF" # Really work only for hard-links. Harmless for soft-links
# Really work only for hard-links. Harmless for soft-links
chmod 644 "${NEWFILE}$COMP_SUF"
done
fi
 
else
# Il reste un problème où nous n'avons ni un lien symbolique ni un lien
# physique
# Evidemment, nous ne devrions jamais arriver là... :-(
echo "Whaooo... \"${DIR}/${FILE}\" n'est ni un lien symbolique ni un
lien physique. Merci de vérifier:"
# There is a problem when we get neither a symlink nor a plain
# file. Obviously, we shall never ever come here... :-(
echo -n "Whaooo... \"${DIR}/${FILE}\" is neither a symlink "
echo "nor a plain file. Please check:"
ls -l "${DIR}/${FILE}"
exit 1
fi
fi
done # for FILE
done # for DIR
<command>EOF
chmod 755 /usr/sbin/compressdoc</command></userinput></screen>
done # for DIR</literal>
 
<para>Maintenant, en tant qu'utilisateur root, vous pouvez lancer
<command>compressdoc --bz2</command> pour compresser toutes les pages man de
votre système. Vous pouvez aussi lancer <command>compressdoc --help</command>
pour obtenir une aide compréhensible sur ce que le script est capable de faire.
</para>
EOF</userinput></screen>
 
<para>N'oubliez que certains programmes, comme le système <application>X</application>
Window et <application>XEmacs</application>, installent aussi leur
documentation dans des emplacements non standard (tels que <filename class="directory">
/usr/X11R6/man</filename>, etc...). N'oubliez pas d'ajouter ces emplacements
dans le fichier <filename>/etc/man.conf</filename>, comme une section
<envar>MANPATH</envar>=<replaceable>/path</replaceable>.</para>
<para>Exemple:</para><screen><userinput>
...
MANPATH=/usr/share/man
MANPATH=/usr/local/man
MANPATH=/usr/X11R6/man
MANPATH=/opt/qt/doc/man
...</userinput></screen>
<para>As <systemitem class="username">root</systemitem>, make
<command>compressdoc</command> executable for all users:</para>
 
<para>Habituellement, les systèmes d'installation de packages ne compressent pas
les pages man/info, ce qui signifie que vous aurez besoin de lancer le script de
nouveau su vous souhaitez conserver la taille de votre documentation le plus bas
possible. De même, notez que lancer le script après avoir mis à jour un package
est sûr&nbsp;: quand vous avez plusieurs versions d'une page (par exemple, une
compressée et une non compressée), la plus récente est conservée et l'autre est
supprimée.</para>
<screen><userinput>chmod -v 755 /usr/sbin/compressdoc</userinput></screen>
 
<para>Maintenant, as <systemitem class="username">root</systemitem>, you can issue
the command <command>compressdoc --bz2</command> to compress all your system man
pages. You can also run <command>compressdoc --help</command> to get
comprehensive help about what the script is able to do.</para>
 
<para>Don't forget that a few programs, like the <application>X Window
System</application> et <application>XEmacs</application> also
install their documentation in non-standard places (such as
<filename class="directory">/usr/X11R6/man</filename>, etc.). Be sure
to add these locations to the file <filename>/etc/man_db.conf</filename>, as
<envar>MANDATORY_MANPATH</envar> <replaceable>&lt;/path&gt;</replaceable>
lines.</para>
 
<para>Example:</para>
 
<screen><literal> ...
MANDATORY_MANPATH /usr/share/man
MANDATORY_MANPATH /usr/X11R6/man
MANDATORY_MANPATH /usr/local/man
MANDATORY_MANPATH /opt/qt/doc/man
...</literal></screen>
 
<para>Generally, package installation systems do not compress man/info pages,
which means you will need to run the script again if you want to keep the size
of your documentation as small as possible. Also, note that running the script
after upgrading a package is safe; when you have several versions of a page
(for example, one compressed et one uncompressed), the most recent one is kept
et the others are deleted.</para>
 
</sect1>
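Review bot: the new `<screen><userinput>chmod -v 755 /usr/sbin/compressdoc</userinput></screen>` has no role="root", although the paragraph before it says the command is run as root and the `cat` screen earlier in the file carries role="root". Add the attribute so both root commands are marked the same way. The following paragraph also opens with "Maintenant, as root, you can issue", a half-translated sentence that should be entirely in one language.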
 
/trunk/blfs/postlfs/config/users.xml
5,15 → 5,15
%general-entities;
]>
 
<sect1 id="postlfs-users-groups" xreflabel="About System Users and Groups">
<sect1 id="postlfs-users-groups" xreflabel="About System Users et Groups">
<?dbhtml filename="users.html"?>
 
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2008-11-16 21:28:01 $</date>
<othername>$LastChangedBy: bdubbs $</othername>
<date>$Date: 2008-12-30 08:51:39 +0100 (mar 30 déc 2008) $</date>
</sect1info>
 
<title>About System Users and Groups</title>
<title>About System Users et Groups</title>
 
<indexterm zone="postlfs-users-groups">
<primary sortas="e-etc-passwd">/etc/passwd</primary>
32,17 → 32,17
assigned. Generally these names are used to map a user ID (uid) or group
ID (gid) for system use. Generally the specific uid or gid numbers used
by these applications are not significant. The exception of course, is
that <systemitem class='username'>root</systemitem> has a uid and gid of 0
that <systemitem class='username'>root</systemitem> has a uid et gid of 0
(zero) that is indeed special. The uid values are stored in
<filename>/etc/passwd</filename> and the gid values
<filename>/etc/passwd</filename> et the gid values
are found in <filename>/etc/group</filename>.</para>
 
<para>Customarily, Unix systems classify users and groups into two
categories: system users and regular users. The system users and groups are
given low numbers and regular users and groups have numeric values greater
<para>Customarily, Unix systems classify users et groups into two
categories: system users et regular users. The system users and groups are
given low numbers et regular users and groups have numeric values greater
than all the system values. The cutoff for these numbers is found in two
parameters in the <filename>/etc/login.defs</filename> configuration file.
The default UID_MIN value is 1000 and the default GID_MIN value is 100. If a
The default UID_MIN value is 1000 et the default GID_MIN value is 100. If a
specific uid or gid value is not specified when creating a user with
<command>useradd</command> or a group with <command>groupadd</command> the values
assigned will always be above these cutoff values.</para>
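Review bot: the replacement lines here change "and" to "et" in only part of each English sentence, for example "system users et regular users. The system users and groups are given low numbers et regular users and groups". The result is neither English nor French. Revert the substitution in this file or translate the paragraphs as a whole; the same applies to the xreflabel and `<title>` changed in the previous hunk, which surface in cross-references to this section.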
49,7 → 49,7
 
<para>Additionally, the <ulink
url='http://refspecs.freestandards.org/LSB_3.0.0/LSB-Core-generic/LSB-Core-generic/usernames.html'>
Linux Standard Base</ulink> recommends that system uid and gid values should be
Linux Standard Base</ulink> recommends that system uid et gid values should be
below 100.</para>
 
<para>Below is a table of suggested uid/gid values used in BLFS beyond those
96,6 → 96,7
<row><entry>svn </entry><entry>56</entry><entry>56</entry></row>
<row><entry>svntest </entry><entry> </entry><entry>57</entry></row>
<row><entry>games </entry><entry>60</entry><entry>60</entry></row>
<row><entry>scanner </entry><entry> </entry><entry>70</entry></row>
<row><entry>anonymous</entry><entry>98</entry><entry> </entry></row>
<row><entry>nobody </entry><entry>99</entry><entry> </entry></row>
<row><entry>nogroup </entry><entry> </entry><entry>99</entry></row>
104,8 → 105,8
</table>
 
<para>One value that is missing is 65534. This value is customarily assigned
to the user <systemitem class="username">nobody</systemitem> and group
<systemitem class="groupname">nogroup</systemitem> and is unnecessary. The
to the user <systemitem class="username">nobody</systemitem> et group
<systemitem class="groupname">nogroup</systemitem> et is unnecessary. The
issue is explained in more detail in the first note in the <xref
linkend="nfs-utils-install"/> section.</para>
 
/trunk/blfs/postlfs/config/devices.xml
9,8 → 9,8
<?dbhtml filename="devices.html"?>
 
<sect1info>
<othername>$LastChangedBy: manuel $</othername>
<date>$Date: 2008-11-16 21:28:01 $</date>
<othername>$LastChangedBy: bdubbs $</othername>
<date>$Date: 2008-12-30 21:35:05 +0100 (mar 30 déc 2008) $</date>
</sect1info>
 
<title>About Devices</title>
20,12 → 20,12
</indexterm>
 
 
<para>Although most devices needed by packages in BLFS and beyond are set up
<para>Although most devices needed by packages in BLFS et beyond are set up
properly by <application>udev</application> using the default rules installed
by LFS in <filename class="directory">/etc/udev/rules.d</filename>, there are
cases where the rules must be modified or augmented.</para>
 
<para condition="html" role="usernotes">User Notes:
<para condition="html" role="usernotes">Notes utilisateur&nbsp;:
<ulink url="&blfs-wiki;/aboutdevices"/></para>
 
<sect2>
36,7 → 36,7
depends on whether the drivers are modules or not. If the sound card
drivers are compiled into the kernel, control is via kernel command line
parameters in <filename>/boot/grub/menu.lst</filename>. For example,
if a system has both an FM801 card and a SoundBlaster PCI card, the
if a system has both an FM801 card et a SoundBlaster PCI card, the
following can be appended to the command line:</para>
 
<screen><literal>snd-fm801.index=0 snd-ens1371.index=1</literal></screen>
53,17 → 53,21
<sect2>
<title>Udev Device Attributes</title>
 
<para>Fine-tuning of device attributes such as group name and permissions
<para>Fine-tuning of device attributes such as group name et permissions
is possible by creating extra <application>udev</application> rules,
matching on something like this (on one line). The vendor and product can
matching on something like this. The vendor et product can
be found by searching the /sys/devices directory entries or using
<command>udevinfo</command> after the device has been attached. See the
documentation in the current <application>udev</application> directory of
<filename class='directory'>/usr/share/doc</filename> for details.</para>
 
<screen><literal>SUBSYSTEM=="usb_device", SYSFS{idVendor}=="05d8",
SYSFS{idProduct}=="4002", GROUP:="scanner", MODE:="0640"</literal></screen>
<screen><literal>SUBSYSTEM=="usb_device", SYSFS{idVendor}=="05d8", SYSFS{idProduct}=="4002", \
GROUP:="scanner", MODE:="0660"</literal></screen>
 
<note><para>The above line is used for descriptive purposes only. The
scanner <application>udev</application> rules are put into place when
installing <xref linkend='sane'/>.</para></note>
 
</sect2>
 
<sect2>
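Review bot: The example rule's MODE goes from "0640" to "0660" with no explanation in the surrounding text, so the scanner group gains write access to the device node without the reader being told why. State in the paragraph that group write is intended and that only accounts meant to operate the device belong in the scanner group, or keep the narrower mode. The rule is also now split with a trailing backslash while the "(on one line)" hint was dropped from the prose; confirm that the udev version the book targets accepts the continuation, or keep the rule on a single line.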
89,7 → 93,7
<title>Devices for Servers</title>
 
<para>In some cases, it makes sense to disable
<application>udev</application> completely and create static devices.
<application>udev</application> completely et create static devices.
Servers are one example of this situation. Does a server need the
capability of handling dynamic devices? Only the system administrator can
answer that question, but in many cases the answer will be no.</para>
116,8 → 120,8
 
<para>If you want to restore the dynamic devices, recreate the
<filename>/etc/rc.d/rcsysinit.d/{S10udev,S45udev_retry}</filename> symbolic
links and reboot again. Static devices do not need to be removed (console
and null are always needed) because they are covered by the <systemitem
links et reboot again. Static devices do not need to be removed (console
et null are always needed) because they are covered by the <systemitem
class="filesystem">tmpfs</systemitem> partition. Disk usage for devices is
negligible (about 20&ndash;30 bytes per entry.)</para>
 
/trunk/blfs/postlfs/config/inputrc.xml
1,75 → 1,91
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-config-inputrc" xreflabel="/etc/inputrc">
<?dbhtml filename="inputrc.html"?>
<title>/etc/inputrc</title>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<para><filename>inputrc</filename> réalise la configuration du clavier pour
certaines situations. Ce fichier est le fichier de démarrage utilisé par
<application>readline</application>, la bibliothèque relative aux entrées
utilisée par <application>bash</application> et la plupart des autres shells.
</para>
<sect1 id="postlfs-config-inputrc" xreflabel="Introduction à /etc/inputrc">
<?dbhtml filename="inputrc.html"?>
 
<para>Pour plus d'informations, voir <command>info bash</command> --
<emphasis role="strong">Noeud: Readline Init</emphasis> file mais aussi
<command>info readline</command>. Beaucoup de choses peuvent être faite avec ce
seul fichier rc.</para>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2007-04-04 21:42:53 +0200 (mer, 04 avr 2007) $</date>
</sect1info>
 
<para>Les valeurs globales sont configurées dans
<filename>/etc/inputrc</filename>. Les valeurs personnelles de l'utilisateur
sont configurées dans <filename>~/.inputrc</filename>. Le fichier
<filename>~/.inputrc</filename> écrasera le fichier des paramètrages globaux.
Une autre page plus loin configure <application>Bash</application> pour
utiliser <filename>/etc/inputrc</filename> si il n'existe aucun
<filename>.inputrc</filename> pour un utilisateur lorsque
<filename>/etc/profile</filename> est lu read (habituellement à la connexion).
Si vous voulez que votre système utilise les deux, ou que vous ne voulez pas
une gestion <emphasis>globale</emphasis> du clavier, c'est une bonne idée de
placer un <filename>.inputrc</filename> par défaut dans le répertoire
<filename>/etc/skel</filename> pour que les nouveaux utilisateurs en disposent.
</para>
<title>Introduction à /etc/inputrc</title>
 
<para>Ci-dessous se trouve un <filename>/etc/inputrc</filename> de base avec
des commentaires expliquant ce que font les différentes options. Notez que les
commentaires ne peuvent <emphasis>pas</emphasis> être sur la même ligne que les
commandes.</para>
<indexterm zone="postlfs-config-inputrc">
<primary sortas="e-etc-inputrc">/etc/inputrc</primary>
</indexterm>
 
<para>Si vous créez un <filename>.inputrc</filename> dans
<filename>/etc/skel</filename> en utilisant la commande ci-dessous, modifiez
la sortie de la commande par <filename>/etc/skel/.inputrc</filename> et
assurez-vous de vérifier/configurer les droits après. Ensuite, vous pouvez
simplement copier ce fichier dans <filename>/etc/inputrc</filename> et le
répertoire personnel de tout utilisateur existant déjà dans le système, sans
oublier root, ayant besoin d'une version privée de ce fichier. Assurez-vous
d'utiliser le paramètre <parameter>-p</parameter> de <command>cp</command>
pour conserver les droits et assurez-vous
de changer le propriétaire et le groupe de façon appropriée.</para>
<indexterm zone="postlfs-config-inputrc">
<primary sortas="e-AA.inputrc">~/.inputrc</primary>
</indexterm>
 
<screen><userinput><command>cat &gt; /etc/inputrc &lt;&lt; "EOF"</command>
# Begin /etc/inputrc
<para><filename>/etc/inputrc</filename> deals with the mapping of the
keyboard for certain situations. This file is the start-up file used by
<application>readline</application>, the input related library used by
<application>bash</application> et most other shells.</para>
 
# S'assure que nous ne sortons pas tout sur une ligne
<para>For more information see <command>info bash</command>&mdash;<emphasis
role="strong">Node: Readline Init</emphasis> file as well as
<command>info readline</command>. There is a lot that can be done with this
one rc file.</para>
 
<para>Global values are set in <filename>/etc/inputrc</filename>.
Personal user values are set in <filename>~/.inputrc</filename>. The
<filename>~/.inputrc</filename> file will override the global settings
file. A later page sets up <application>Bash</application> to use
<filename>/etc/inputrc</filename> if there is no <filename>.inputrc</filename>
for a user when <filename>/etc/profile</filename> is read (usually at login).
If you want your system to use both, or don't want <emphasis>global</emphasis>
keyboard handling, it is a good idea to place a default
<filename>.inputrc</filename> into the <filename
class="directory">/etc/skel</filename> directory for use with new users.</para>
 
<para>Below is a base <filename>/etc/inputrc</filename> along with
comments to explain what the various options do. Note that comments
can <emphasis>not</emphasis> be on the same line as commands.</para>
 
<para>If you will create an <filename>.inputrc</filename> in
<filename class="directory">/etc/skel</filename> using the command below,
change the command's output to <filename>/etc/skel/.inputrc</filename> et
be sure to check/set permissions afterward. Then you can just copy that
file to <filename>/etc/inputrc</filename> et the home directory
of any user already existing in the system, including <systemitem
class="username">root</systemitem>, that needs
a private version of the file. Be sure to use the <option>-p</option>
parameter of <command>cp</command> to maintain permissions et be sure to
change owner et group appropriately.</para>
 
<screen role="root"><userinput>cat &gt; /etc/inputrc &lt;&lt; "EOF"
<literal># Begin /etc/inputrc
 
# Make sure we don't output everything on the 1 line
set horizontal-scroll-mode Off
 
# Active l'entrée 8bit
set meta-flag On
# Enable 8bit input
set meta-flag On
set input-meta On
 
# Turns off 8th bit stripping
set convert-meta Off
 
# Conserve le 8ème bit pour l'affichage
# Keep the 8th bit for display
set output-meta On
 
# rien, visible ou audible
# none, visible or audible
set bell-style none
 
# Toutes les indications ci-dessous font correspondre une séquence d'échappement
# à une fonction readline spécifique
# All of the following map the escape sequence of the
# value contained inside the 1st argument to the
# readline specific functions
 
"\eOd": backward-word
"\eOc": forward-word
 
# pour la console linux
# for linux console
"\e[1~": beginning-of-line
"\e[4~": end-of-line
"\e[5~": beginning-of-history
77,11 → 93,11
"\e[3~": delete-char
"\e[2~": quoted-insert
 
# pour xterm
# for xterm
"\eOH": beginning-of-line
"\eOF": end-of-line
 
# Fin /etc/inputrc
<command>EOF</command></userinput></screen>
# End /etc/inputrc</literal>
EOF</userinput></screen>
 
</sect1>
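Review bot: The here-document closed in this hunk writes /etc/inputrc as root, and the paragraph that introduces it tells the reader to "check/set permissions afterward" and to "change owner et group appropriately" when copying the file to /etc/skel and to home directories including root's, but never states which owner and mode are meant. Name the expected owner and mode for the global file and for a per-user copy so that the step can be verified, since this file controls key bindings for every readline user on the system.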
/trunk/blfs/postlfs/config/config.xml
1,47 → 1,61
<?xml version="1.0" encoding="ISO-8859-1"?>
<chapter id="postlfs-config">
<?dbhtml filename="config.html"?>
<title>Après la configuration de <acronym>LFS</acronym></title>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<para>L'intention de <acronym>LFS</acronym> est d'apporter un système basique à partir duquel vous
pouvez continuer la construction. Beaucoup de personnes se posent des questions
sur comment améliorer leur système une fois qu'ils ont terminé l'installation
de base. Nous espérons couvrir ces questions dans ce chapitre.</para>
<!--
$LastChangedBy: dj $
$Date: 2009-03-12 04:57:30 +0100 (jeu 12 mar 2009) $
-->
 
<para>Beaucoup de personnes venant de Windows et passant à Linux trouvent le
concept de fichiers de configurations texte légèrement étrange. Sur Linux,
pratiquement toute la configuration est faite via des fichiers textes. La
majorité de ces fichiers peut être trouvé dans le répertoire
<filename>/etc</filename>. Il existe souvent des programmes graphiques de
configuration pour différents sous-systèmes, mais ce sont en majorité de simples
et jolis outils qui s'occupent de l'édition du fichier. L'avantage de la
configuration en texte seulement est que vous pouvez éditer les paramètres en
utilisant votre éditeur de texte favori, qu'il soit vim, emacs ou un autre.
</para>
<chapter id="postlfs-config" xreflabel="After LFS Configuration Issues">
<?dbhtml filename="config.html"?>
 
<para>La première tâche concerne la création d'une disquette de démarrage
parce qu'il s'agit du besoin le plus critique. Ensuite, le système est
configuré pour faciliter l'ajout de nouveaux utilisateurs, dans "Configurer
l'ajout d'utilisateurs", parce que ceci peut affecter les choix à faire dans
les trois thèmes suivants - "/etc/inputrc", "Fichiers de démarrage du Shell
Bash" et "/etc/vimrc, ~/.vimrc".
</para>
<title>After LFS Configuration Issues</title>
 
<para>Les thèmes restants, "/etc/issue (Personnaliser votre connexion)", "/etc/shells",
"Génération de nombres aléatoires", "Problèmes de pages man" et "Problèmes des
pages info" sont ensuite couverts. Ils n'ont pas beaucoup d'interaction avec
les autres thèmes de ce chapitre.</para>
<para>The intention of LFS is to provide a basic system which you can
build upon. There are several things about tidying up the system which
many people wonder about once they have done the base install.
We hope to cover these issues in this chapter.</para>
 
&postlfs-config-bootdisk;
&postlfs-config-skel;
&postlfs-config-inputrc;
&postlfs-config-profile;
&postlfs-config-vimrc;
&postlfs-config-logon;
&postlfs-config-shells;
&postlfs-config-random;
&postlfs-config-compressdoc;
&postlfs-config-netfs;
<para>Most people coming from non-Unix like backgrounds to Linux find the
concept of text-only configuration files slightly strange. In Linux, just
about all configuration is done via the manipulation of text files. The
majority of these files can be found in the
<filename class='directory'>/etc</filename> hierarchy. There are often
graphical configuration programs available for different subsystems but most
are simply pretty front ends to the process of editing a text file. The
advantage of text-only configuration is that you can edit parameters using
your favorite text editor, whether that be <command>vim</command>,
<command>emacs</command>, or any other editor.</para>
 
<para>The first task is making a recovery boot device in
<xref linkend="postlfs-config-bootdisk"/> because it's the most critical need.
Then the system is configured to ease addition of new users, because this
can affect the choices you make in the two subsequent
topics&mdash;<xref linkend="postlfs-config-profile"/> et
<xref linkend="postlfs-config-vimrc"/>.</para>
 
<para> The remaining topics, <xref linkend="postlfs-config-logon"/>,
<xref linkend="postlfs-config-shells"/>, <xref linkend="postlfs-config-random"/>,
<xref linkend="compressdoc"/>, <xref linkend="autofs"/> et
<xref linkend="postlfs-config-netfs"/> are then addressed, in that order. They
don't have much interaction with the other topics in this chapter.</para>
 
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="bootdisk.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="skel.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="users.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="devices.xml"/>
<!-- <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="inputrc.xml"/> -->
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="profile.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="vimrc.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="logon.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="etcshells.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="random.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="compressdoc.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="autofs.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="netfs.xml"/>
 
</chapter>
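Review bot: The xi:include for inputrc.xml is commented out in the new include list, yet inputrc.xml is rewritten in this same revision and the old entity list carried &postlfs-config-inputrc;, so the page drops out of the built chapter without that being stated anywhere. The introductory paragraph now speaks of "the two subsequent topics", which suggests the removal is deliberate; if so, say why in a comment next to the disabled include (or remove the file), and check that nothing still links to postlfs-config-inputrc.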
 
/trunk/blfs/postlfs/config/etcshells.xml
1,31 → 1,48
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-config-shells">
<?dbhtml filename="etcshells.html"?>
<title>/etc/shells</title>
<!DOCTYPE part PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<para>Le fichier <filename>shells</filename> contient une liste de shells de
connexions sur le système. Les applications utilisent ce fichier pour déterminer
si un shell est valide. Pour chaque shell, une seule ligne devrait être présente,
consistant en le chemin du shell, relatif à la racine.</para>
<sect1 id="postlfs-config-shells" xreflabel="The /etc/shells File">
<?dbhtml filename="etcshells.html"?>
 
<para>Par exemple, ce fichier est consulté par <command>chsh</command> pour
déterminer si un utilisateur normal peut changer son shell de connexion. Si le
nom de la commande n'est pas indiqué, l'utilisateur se verra refusé le changement.
</para>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2007-04-04 21:42:53 +0200 (mer, 04 avr 2007) $</date>
</sect1info>
 
<para>Il est requis pour les applications comme <acronym>GDM</acronym> de ne pas
indiquer toutes les personnes ayant un shell ne trouvant pas dans
<filename>/etc/shells</filename> ou comme le démon <acronym>FTP</acronym> de
désactiver l'accès aux utilisateurs dont le shell n'est pas inclus dans ce
fichier.</para>
<title>The /etc/shells File</title>
 
<screen><userinput><command>cat &gt; /etc/shells &lt;&lt; "EOF"</command>
# Début /etc/shells
<indexterm zone="postlfs-config-shells">
<primary sortas="e-etc-shells">/etc/shells</primary>
</indexterm>
 
<para>The <filename>shells</filename> file contains a list of
login shells on the system. Applications use this file to determine
whether a shell is valid. For each shell a single line should be
present, consisting of the shell's path, relative to the root of the
directory structure (/).</para>
 
<para>For example, this file is consulted by <command>chsh</command>
to determine whether an unprivileged user may change the login shell for her
own account. If the command name is not listed, the user will be denied of
change.</para>
 
<para>It is a requirement for applications such as
<application>GDM</application> which does not populate the
face browser if it can't find <filename>/etc/shells</filename>, or
FTP daemons which traditionally disallow access to users
with shells not included in this file.</para>
 
<screen role="root"><userinput>cat &gt; /etc/shells &lt;&lt; "EOF"
<literal># Begin /etc/shells
 
/bin/sh
/bin/bash
 
# Fin /etc/shells
<command>EOF</command></userinput></screen>
# End /etc/shells</literal>
EOF</userinput></screen>
 
</sect1>
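Review bot: The added DOCTYPE declares part as the document element ("<!DOCTYPE part PUBLIC ...") while the file's root element is sect1, unlike the other files in this revision, whose declarations (sect1, chapter) match their root. A validating parser will reject the mismatch; change the declaration to sect1. In the chsh paragraph, "the user will be denied of change" should read "the user will be denied the change".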
/trunk/blfs/postlfs/config/bootdisk.xml
1,672 → 1,87
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-config-bootdisk">
<?dbhtml filename="bootdisk.html"?>
<title>Créer un disque de démarrage personnalisé</title>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<sect2>
<title>Besoins décents pour une disque de démarrage de dépannage</title>
<para>Cette section se concentre particulièrement sur la création d'une
disquette de dépannage (<emphasis>rescue</emphasis>). Comme le nom l'indique,
le système hôte a un problème, souvent des informations de partition perdues
ou des systèmes de fichiers corrompus qui l'empêchent de se lancer ou d'opérer
correctement. Pour cette raison, vous <emphasis>ne devez pas</emphasis>
dépendre de ressources disponibles sur l'hôte à réparer. Présumer qu'une
partition ou un disque dur donné <emphasis>sera</emphasis> disponible est très
risqué.</para>
<sect1 id="postlfs-config-bootdisk" xreflabel="Creating a Custom Boot Device">
<?dbhtml filename="bootdisk.html"?>
 
<para>Suivant cet avertissement, le disque de dépannage créé ici n'a pas de
dépendances avec les ressources de l'hôte système, autres que le démarrage et le
matériel. Au minimum, les raisons les plus communes d'échec nécessitant un
disque de dépannage devraient être résolues par le contenu de ce disque. Ceci
inclut la perte d'une partition (<acronym>MBR</acronym> perdu ou corrompu), la
corruption d'un système de fichiers et le besoin de permettre la création et
l'édition de fichiers qui pourraient avoir été perdus ou corrompus, un possible
effet des deux autres problèmes.</para>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2008-03-12 17:05:41 +0100 (mer, 12 mar 2008) $</date>
</sect1info>
 
<para>Des utilitaires supplémentaires doivent être disponibles pour rechercher
du texte ou des fichiers, copier, déplacer et supprimer des fichiers et plein
d'autres opérations normales qui pourraient être nécessaires lors de la
reconstruction.</para>
</sect2>
<title>Creating a Custom Boot Device</title>
 
<sect2>
<title>La disquette de dépannage minimale</title>
<sect2>
<title>Decent Rescue Boot Device Needs</title>
 
<para>Le but ici est de créer une disquette de démarrage qui supportera les
opérations communes listées ci-dessus. Ces fonctions sont fournies en incluant
les exécutables sélectionnés à partir de <application><ulink
url="http://www.busybox.net/downloads/busybox-0.60.4.tar.bz2">busybox
</ulink></application> et <application><ulink
url="http://freshmeat.net/projects/e2fsprogs/">e2fsprogs</ulink></application>.
Un éditeur basique et un outil de partionnement rudimentaire pourraient aussi
être inclus, de manière optionnelle.</para>
<para>This section is really about creating a <emphasis>rescue</emphasis>
device. As the name <emphasis>rescue</emphasis> implies, the host
system has a problem, often lost partition information or corrupted file
systems, that prevents it from booting et/or operating normally. For
this reason, you <emphasis>must not</emphasis> depend on resources from
the host being "rescued". To presume that any given partition or hard
drive <emphasis>will</emphasis> be available is a risky presumption.</para>
 
<para>Néanmoins, ceci n'est pas la limite. Un disque minimal est décrit ici mais
vous pouvez ajouter tout ce qui peut tenir sur la disquette. De plus, si un
disquette n'est pas suffisante pour vos besoins, vous pouvez réaliser un système
multi-disquettes de secours, ce qui sous-entend que vous n'avez pas de limite.
Ceci est discuté plus bas. Le nombre des variations est trop grand pour être
mentionné ici.</para>
</sect2>
<para>In a modern system, there are many devices that can be
used as a rescue device: floppy, cdrom, usb drive, or even a network card.
Which one you use depends on your hardware et your BIOS. In the past,
we usually thought of rescue device as a floppy disk. Today, many
systems do not even have a floppy drive.</para>
 
<sect2>
<title>Construire la disquette de dépannage</title>
<sect3>
<title>Prérequis</title>
<para>Building a complete rescue device is a challenging task. In many
ways, it is equivalent to building an entire LFS system.
In addition, it would be a repetition of information already available.
For these reasons, the procedures for a rescue device image are not
presented here.</para>
 
<para>Vous devez avoir des disquettes, reconnues bonnes. Certains préfèrent
utiliser la commande <command>fdformat</command> pour les préparer parce qu'elle
effectue aussi une vérification. Voir la page man pour plus de détails. Une
autre bonne idée est de toujours préparer des duplications de la disquette de
dépannage. Un média peut se déteriorer.</para>
</sect2>
 
<para>Ces instructions présument une installation <acronym>LFS</acronym> de base
utilisant le système de fichiers ext2/ext3.</para>
<sect2>
<title>Creating a Rescue Floppy</title>
 
<para>Vous avez besoin du support du périphérique loopback activé dans le noyau
de votre hôte pour utiliser cette procédure.</para>
<para>The software of today's systems has grown large. Linux 2.6 no longer
supports booting directly from a floppy. In spite of this, there are solutions
available using older versions of Linux. One of the best is Tom's Root/Boot
Disk available at <ulink url='http://www.toms.net/rb/'/>. This will provide a
minimal Linux system on a single floppy disk et provides the ability to
customize the contents of your disk if necessary.</para>
 
<para>Vous devez construire un noyau personnalisé incluant seulement les
fonctionnalités nécessaires pour dépanner votre système, de façon à ce qu'il ait
la plus petite taille possible. Aucune raison de compiler ici le support de
fonctionnalités comme <application>XFree86</application>,
<application>DRI</application>, etc, car la plupart des dépannages sont réalisés
à partir de la ligne de commande. Si vous avez <xref linkend="gcc2"/>, celui-ci est
connu pour produire des noyaux petits. Donc, vous pouvez utiliser ce compilateur
pour ce noyau. Si vous le faites, n'oubliez pas les modules chargeables dont
vous avez besoin, ils devront nécessairement être compilé avec le même
compilateur que celui qui a créé le noyau.</para>
</sect2>
 
<para>L'image de la disquette de dépannage doit inclure le support du système de
fichiers de votre choix (nous présummons ext2/3 ici), d'un disque ram et d'un
disque ram initial (initrd). Désactivez tout ce que vous pouvez dans la
configuration du noyau. Vous devez conserver le support du système de fichiers
proc et tempfs à cause de leur utilité générame. Le système de fichiers proc est
nécessaire notamment à la commande <command>mount</command> pour travailler
correctement.</para>
<sect2>
<title>Creating a Bootable CD-ROM</title>
 
<para>Si vous installez <emphasis>seulement</emphasis> l'ensemble minimal de
composants indiqués dans ce document, vous aurez un noyau de 643 blocs, voire
plus petit. Si vous voulez des programmes optionnels - un éditeur basique comme
<command>ed</command> et un outil de partionnement rudimentaire comme
<command>sfdisk</command> - le noyau aura besoin d'une taille de 595 blocs. Cela
ne devrait pas être un problème majeur à moins que vos besoins ne soient
ésotériques. Sur le système utilisé pour développer cette version des
procédures, en utilisant seulement les systèmes de fichiers ext2 et en
n'utilisant pas le réseau ou les <acronym>CD</acronym> pour le dépannage,
l'image du noyau pèse seulement 481 blocs. Et vous pouvez gagner plus - aucun
examen plus complet n'a été effectué pour des gains supplémentaires.</para>
<para>There are several sources that can be used for a rescue CD-ROM.
Just about any commercial distribution's installation CD-ROMs or
DVDs will work. These include RedHat, Mandrake, et SuSE. One
very popular option is Knoppix.</para>
 
<para>Cette image du noyau sera appelée "rescueimage" après. Vous pouvez appeler
votre image de la façon que vous voulez et utiliser simplement ce nom dans
toutes les commandes qui incluent "rescueimage".</para>
<para>Also, the LFS Community has developed its own LiveCD available at
<ulink url='http://www.&lfs-domainname;/livecd/'/>. This LiveCD, in
addition to having boot et rescue capabilities, is capable of building an
entire LFS/BLFS system. A copy of this CD-ROM is available with the
printed version of the Linux From Scratch book. If you download the ISO
image, use <xref linkend="cdrecord"/> to copy the image to a CD-ROM.</para>
 
<para>Si vous ne pouvez pas diminuer la taille de votre image de démarrage à une
taille suffisante pour que tout tienne sur le disque, pas d'inquiétude. Vous
pouvez toujours construire un ensemble de deux disquettes, une de démarrage et
une disquette root. Le noyau vous demandera d'insérer la disquette de démarrage
root. Ceci donnera plus de place à l'image de disque ram compressée. Ceci
autorisera l'image du disque ram compressé d'avoir une taille de 1440 blocs et
une image de démarrage de même taille.</para>
</sect2>
 
<para>Les limites en taille de l'image de démarrage données ci-dessus pourraient
varier suivant les modifications de locale. Utilisez-les seulement comme exemple
et non comme un bible. La taille de l'image de dépannage, montrée par
<command>ls -sk</command> est seulement une approximation à cause de
l'"overhead". Sur le système utilisé pour développer cette version de ces
procédures, la commande affiche 488 blocs mais le vrai nombre de blocs écrits
est seulement de 480 et une fraction, ce qui signifie que 481 blocs sont
réellements utilisés.</para>
</sect3>
<sect2>
<title>Creating a Bootable USB Drive</title>
 
<sect3>
<title>Etapes de la construction de la disquette de dépannage</title>
<para>A USB Pen drive, sometimes called a Thumb drive, is recognized by Linux as
a SCSI device. Using one of these devices as a rescue device has the advantage
that it is usually large enough to hold more than a minimal boot image. You
can save critical data to the drive as well as use it to diagnose et recover
a damaged system. Booting such a drive requires BIOS support, but building the
system consists of formatting the drive, adding <application>GRUB</application>
as well as the Linux kernel et supporting files.</para>
 
<para>Les étapes de base seront&nbsp;:</para>
<itemizedlist>
<listitem><para>créer un point de montage pour un système de fichiers</para></listitem>
<listitem><para>créer un fichier vide pour contenir le système de fichiers</para></listitem>
<listitem><para>lier le fichier vide à un périphérique loopback</para></listitem>
<listitem><para>créer un système de fichiers de 4&nbsp;Mo</para></listitem>
<listitem><para>monter le système de fichiers</para></listitem>
<listitem><para>ajouter les composants au système de fichiers</para></listitem>
<listitem><para>créer l'initrd compressé</para></listitem>
<listitem><para>joindre rescueimage et initrd sur une disquette</para></listitem>
</itemizedlist>
<para condition="html" role="usernotes">Notes utilisateur&nbsp;:
<ulink url='&blfs-wiki;/CreatingaCustomBootDevice'/></para>
 
<para>Le disque ram initial sera automatiquement chargé au démarrage si la
configuration est faite correctement.</para>
 
<para><emphasis>Créer un point de montage et un fichier vide pour contenir le
système de fichiers</emphasis></para>
 
<screen><userinput><command>mkdir -p /mnt/loop1
dd if=/dev/zero of=/tmp/rfloppy bs=1k count=4096</command></userinput></screen>
 
<para><emphasis>Explication des commandes</emphasis></para>
 
<para><command>dd</command>: C'est un outil général de copie entrée-vers-sortie
disposant de nombreuses fonctionnalités de transformation.</para>
 
<para><parameter>if=/dev/zero</parameter>: Ce paramètre affecte le fichier
d'entrée de <command>dd</command> à un périphérique renvoyant un flux infini de
zéros.</para>
 
<para><parameter>of=/tmp/rfloppy</parameter>: Ce paramètre redirige la sortie de
<command>dd</command> vers <filename>/tmp/rfloppy</filename>.</para>
 
<para><parameter>bs=1k count=4096</parameter>: Ces paramètres indiquent à
<command>dd</command> de lire et écrire par paquets de 1024 octets et d'en
traiter 4096.</para>
 
<para><emphasis>Lier le fichier au périphérique loopback, créer un système de
fichier et le monter.</emphasis></para>
 
<para>La raison pour laquelles ces commandes sont utilisées est qu'elles
fonctionnent quelle que soit la version de <command>mount</command> (les plus
anciennes n'ont pas l'option <userinput>-o loop</userinput>) ou si <filename>/etc/mtab</filename>
est un lien symbolique de <filename class="directory">/proc</filename> (ce qui
fait que mount se révèle incapable de "délier" proprement un périphérique loop,
à cause de la "perte" d'informations).
Un autre ensemble de commandes est fourni, après ces trois commandes, que vous
pouvez utiliser si vous n'êtes dans aucune de ces situations.</para>
 
<screen><userinput><command>losetup /dev/loop1 /tmp/rfloppy
mke2fs -m 0 -N 504 /dev/loop1
mount -t ext2 /dev/loop1 /mnt/loop1</command></userinput></screen>
 
<para><emphasis>Explication des commandes</emphasis></para>
 
<para><command>losetup /dev/loop1 /tmp/rfloppy</command>: Cette commande
"lie" le périphérique loopback au fichier vide.</para>
 
<para><command>mke2fs -m 0 -N 504 /dev/loop1</command>: Cette
commande crée un système de fichiers ext2 sur le périphérique loopback (ce qui
signifie réellement qu'il est créé dans le fichier vers lequel pointe le
périphérique loopback) et ne réserve aucun bloc. Le paramètre
<userinput>-N 504</userinput> fait que seules 504 inodes sont allouées, laissant
plus d'espace pour d'autres choses nécessaires dans le système de fichiers.
</para>
 
<para><command>mount -t ext2 /dev/loop1 /mnt/loop1</command>: Ceci monte le
système de fichiers tout juste créé, comme s'il s'agissait d'un vrai
périphérique comme un disque dur ou une disquette. Ceci permet toutes les
commandes habituelles du système d'entrées/sorties comme si un vrai périphérique
était présent.</para>
 
<para>Si votre commande <command>mount</command> supporte l'option
<option>-o loop</option> <emphasis>et</emphasis> que votre
<filename>/etc/mtab</filename> est un vrai fichier, plutôt qu'un lien symbolique
vers <filename class="directory">/proc</filename>, les trois commandes ci-dessus
peuvent être remplacées par ces deux commandes.</para>
 
<screen><userinput><command>mke2fs -F -m 0 -N 504 /tmp/rfloppy
mount -o loop /tmp/rfloppy /mnt/loop1</command></userinput></screen>
 
<para><emphasis>Explication des commandes</emphasis></para>
 
<para><command>mke2fs -F -m 0 -N 504 /tmp/rfloppy</command>: Comme auparavant,
un système de fichiers est créé avec seulement 504 inodes et aucun bloc réservé,
qui sera lié au périphérique loopback. Le paramètre <userinput>-F</userinput>
supprime simplement une question irritante lorsque <command>mke2fs</command>
réalisé que vous n'accédez pas à un périphérique.</para>
 
<para><command>mount -o loop /tmp/rfloppy /mnt/loop1</command>: Cette
commande indique à <command>mount</command> de lier le fichier nommé vers un
périphérique loopback qu'il détecte automatiquement (le premier disponible) et
monte le périphérique sur <filename class="directory">/mnt/loop1</filename>.</para>
 
<para><emphasis>Ajouter des composants au système de fichiers</emphasis></para>
 
<para><emphasis>Note d'avertissement:</emphasis> Si vous n'êtes pas dans un
environnement <command>chroot</command>, assurez-vous que vous n'omettez pas
accidentellement la référence <filename class="directory">/mnt/loop1</filename>
dans les commandes. Si vous le faites, vous pourriez remplacer les composants
équivalents de votre hôte avec les composants installés avec ces procédures.
Même si vous vous trouvez dans un environnement chroot, vous aurez besoin de
faire attention si l'environnement est votre système <acronym>LFS</acronym>
fraichement construit que vous comptez utiliser comme hôte dans le futur.
</para>
 
<para>Tout d'abord, pour conserver autant de place libre que possible, supprimez
le répertoire <filename>lost+found</filename>, qui n'est pas nécessaire sauf
dans le cas d'un <command>fsck</command>. Comme <command>fsck</command> ne sera
jamais exécuté sur ce système de fichiers, il n'est pas nécessaire.</para>
 
<screen><userinput><command>rmdir /mnt/loop1/lost+found/</command></userinput></screen>
 
<para>Maintenant, créez un ensemble minimal de répertoires.</para>
 
<screen><userinput><command>mkdir /mnt/loop1/{dev,proc,etc,sbin,bin,lib,mnt,usr,var}</command></userinput></screen>
 
<para>Ajoutez les périphérique nécessaires pour l'image initrd. Si vous utilisez
devfs, la commande suivante fonctionne aussi, car vous n'avez que les
périphériques que vous utilisez.</para>
 
<screen><userinput><command>cp -dpR /dev/* /mnt/loop1/dev</command></userinput></screen>
 
<para>Si vous utilisez <command>MAKEDEV</command> pour créer vos périphériques
dans votre hôte, vous voudrez utiliser quelque chose de similaire à cette
longue commande, pour minimiser l'espace perdu si les inodes ne sont pas
nécessaires.</para>
 
<para><emphasis>Vous devez modifier ceci pour convenir à la configuration de la
disquette de démarrage.</emphasis> Par exemple, vous avez besoin de
périphériques <acronym>SCSI</acronym> et vous n'avez pas besoin des
périphériques frame buffer ou des pseudo-terminaux. De même, le nombre de
disques durs et de partitions que vous incluez doit être minimal. Des analyses
poussées n'ont pas été effectuées dans la liste di-dessous, donc il peut rester
des inodes et de l'espace disque à récupérer en optimisant cet ensemble.
</para>
 
<screen><userinput><command>mkdir /mnt/loop1/dev/pts
cp -a \
&nbsp;&nbsp;&nbsp;&nbsp;/dev/null /dev/console \
&nbsp;&nbsp;&nbsp;&nbsp;/dev/fb[0-7] /dev/fd /dev/fd0 /dev/fd0h1440 /dev/full \
&nbsp;&nbsp;&nbsp;&nbsp;/dev/hda* /dev/hdb* /dev/hdc* /dev/hdd* /dev/initctl /dev/kmem \
&nbsp;&nbsp;&nbsp;&nbsp;/dev/loop[0-3] /dev/lp0 /dev/mem /dev/port \
&nbsp;&nbsp;&nbsp;&nbsp;/dev/psaux /dev/ram \
&nbsp;&nbsp;&nbsp;&nbsp;/dev/ram0 /dev/ram1 /dev/ram2 /dev/ram3 /dev/random /dev/rtc \
&nbsp;&nbsp;&nbsp;&nbsp;/dev/shm /dev/stderr /dev/stdin /dev/stdout /dev/tty \
&nbsp;&nbsp;&nbsp;&nbsp;/dev/tty[0-9] /dev/ttyS0 /dev/ttyS1 /dev/urandom /dev/zero \
&nbsp;&nbsp;/mnt/loop1/dev</command></userinput></screen>
 
<para><emphasis>Qu'est-il nécessaire dans le répertoire <filename class="directory">/etc</filename></emphasis></para>
 
<para>Si vous voulez, vous pouvez copier tout ou partie de vos fichiers
<filename>/etc/passwd</filename> et <filename>/etc/group</filename>. Mais même
si chacun d'entre eux fait moins que 1024 octets, vous perdrez deux inodes et
deux blocs sur le disque ram initial. Cela a vraiment une importance car nous
essayons de gagner tout ce qui est possible comme espace disque sur cette
disquette de 1,44 Mo. Chaque bit nous aide. La stratégie prise ici est de créer
ces deux fichiers los de la phase de démarrage et d'initialisation. Les
commandes pour créer ces deux fichiers seront intégrées dans le script
<filename>rcS</filename> que <filename>linuxrc</filename> (en fait
<application><ulink
url="http://www.busybox.net/downloads/busybox-0.60.4.tar.bz2">busybox
</ulink></application>) appelle après le chargement de initrd. De cette façon,
aucune inode et bloc n'est utilisé sur la disquette pour emporter ces fichiers.
</para>
 
<para>Certains aimeraient copier leur répertoire <filename class="directory">/etc/rc*</filename>
dans l'image du disque ram mais ceci pourrait n'avoir aucune valeur, autre
qu'une archive, dans un scénario de dépannage grave. Si vous voulez une
initialisation automatique du système après réparation, ils pourraient avoir une
certaine valeur. Mais peu de personnes en ont besoin ou le souhaitent. Si un
système de fichiers sur les disques durs est corrompu, quel intérêt auront les
scripts de montage ? Certains scripts pourraient être utile, comme l'accès au
réseau pour copier des données sauvegardées une fois que les systèmes de fichier
sont de nouveau utilisables. Le but est que vous devez copier seulement les
parties que vous pouvez utiliser parce que l'espace disque est le point
critique.</para>
 
<para>Ici, seul <filename>fstab</filename> sera inclus. Il facilite le montage
des partitions qui pourraient être utiles et peut être utilisé comme guide sur
les partitions disponibles et pouvant avoir besoin d'être reconstruites. Comme
il pourrait être plus gros que nécessaire, vous devez l'éditre pour supprimer
toute entrée inutile et pour minimiser les commentaires. Aucune autre édition
n'est nécessaire parce que les scripts de démarrage ne sont pas inclus et
qu'aucun montage automatique ne sera fait en utilisant <filename>fstab</filename>.
Si vous décidez d'inclure certains scripts de démarrage qui pourraient essayer
de monter quelque chose, modifiez les entrées de <filename>fstab</filename> avec
l'option <command>noauto</command> dans le champ des options pour qu'ils
n'essaient pas de monter une partition potentiellement corrompue. Copiez-le dans
<filename class="directory">/tmp</filename>, éditez-le puis faites:</para>
 
<screen><userinput><command>cp -a /tmp/fstab /mnt/loop1/etc</command></userinput></screen>
 
<para>Maintenant, le script d'initialisation va être ajouté. Comme mentionné
ci-dessus, <command>linuxrc</command> est lié symboliquement à <application><ulink
url="http://www.busybox.net/downloads/busybox-0.60.4.tar.bz2">busybox
</ulink></application>.
Après le chargement du noyau et du disque ram initial, le noyau donne le
contrôle à <command>linuxrc</command> (<application><ulink
url="http://www.busybox.net/downloads/busybox-0.60.4.tar.bz2">busybox
</ulink></application>). Il veut lancer un script <filename class="directory">/etc/init.d/rcS</filename>
pour réaliser la configuration initiale.</para>
 
<para>Si vous utilisez devfsd, vous aurez besoin de configurer le script
<filename>rcS</filename> pour gérer le lancement de devfsd. Placez les commandes
suivantes dans <filename class="directory">/mnt/loop1/etc/init.d/rcS</filename>.
Vous pouvez aussi ajouter quelques-unes des étapes montrées dans la version non devfs
qui suit.</para>
 
<screen><userinput>#!/bin/sh
mount -t devfs devfs /dev
/sbin/devfsd /dev</userinput></screen>
 
<para>Si vous ne voulez pas utiliser devfsd, mais que vous souhaitez créer un
répertoire <filename class="directory">/dev</filename> statique en utilisant
<command>MAKEDEV</command>, ou tout autre outil, le script
<filename>rcS</filename> fera les choses d'une façon légèrement différente. De
même, n'oubliez pas qu'il crée les fichiers <filename>/etc/passwd</filename> et
<filename>/etc/group</filename> sauvant ainsi de l'espace sur la disquette.</para>
 
<para>Ensuite, le script montera <filename class="directory">/proc</filename>,
activera le swap (aucun problème si cela échoue), crée les fichiers
<filename>/etc/passwd</filename> et <filename>/etc/group</filename>, crée un
répertoire de traces. Créez le script avec:</para>
 
<screen><userinput><command>mkdir -p /mnt/loop1/etc/init.d
cat &gt;/mnt/loop1/etc/init.d/rcS &lt;&lt; EOD</command>
#!/bin/sh
mount -t proc proc /proc
swapon -a
 
echo "root:x:0:0:root:/root:/bin/bash" &gt; /etc/passwd
 
<command>cat &gt; /etc/group &lt;&lt;EOF</command>
root:x:0:
bin:x:1:
sys:x:2:
kmem:x:3:
tty:x:4:
tape:x:5:
daemon:x:6:
floppy:x:7:
disk:x:8:
lp:x:9:
dialout:x:10:
audio:x:11:
<command>EOF
chmod 644 /etc/passwd /etc/group</command>
 
mkdir /var/log
 
<command>EOD
chmod u+x /mnt/loop1/etc/init.d/rcS</command></userinput></screen>
 
<para>Sauf si vous ajoutez beaucoup de commandes dans ce script, ce qui
<emphasis>est</emphasis> encouragé, ce qui se trouve ci-dessus est
raisonnablement proche de ce dont vous avez besoin.</para>
 
<para><emphasis>Installer les packages</emphasis></para>
 
<para>Deux packages doivent êtres installés. Le package <application><ulink
url="http://www.busybox.net/downloads/busybox-0.60.4.tar.bz2">busybox</ulink></application>
incorpore les fonctions de base fournissant un shell et beaucoup d'outils
basiques. Un package pour le système de fichiers, comme <application><ulink
url="http://freshmeat.net/projects/e2fsprogs/">e2fsprogs</ulink></application>, ou
le package pour le système de fichiers que vous utilisez, fournira un ensemble
minimal d'outils pour la vérification et la reconstruction du système de
fichiers. Le package complet ne sera pas installé car nous n'avons besoin que de
certains composants.</para>
 
<para>Si vous utilisez devfsd, vous aurez aussi besoin d'installer ce logiciel.</para>
 
<para>Installez <application><ulink
url="http://www.busybox.net/downloads/busybox-0.60.4.tar.bz2">busybox</ulink></application>
dans l'image du disque ram initial. Busybox incorpore un grand nombre d'outils
Unix en un seul petit exécutable.</para>
 
<screen><userinput><command>make &amp;&amp;
make PREFIX=/mnt/loop1 install &amp;&amp;
&gt; /mnt/loop1/var/utmp</command></userinput></screen>
 
<para>Un fichier <filename>var/utmp</filename> est créé parce que <application><ulink
url="http://www.busybox.net/downloads/busybox-0.60.4.tar.bz2">busybox</ulink></application>
en a besoin pour que la commande de redémarrage fonctionne correctement. Si ce
fichier n'existe pas lorsque <application><ulink
url="http://www.busybox.net/downloads/busybox-0.60.4.tar.bz2">busybox</ulink></application>
est démarré, la commande <command>reboot</command> ne fonctionnera pas. Ceci
serait une mauvaise chose pour les personnes ne disposant pas du bouton de
réinitialisation.</para>
 
<para>Si vous utilisez devfs pour créer les périphériques à la volée et libérer
ainsi quelques précieuses inodes sur la disquette, vous installerez aussi devfsd
pour faciliter l'usage des périphériques que <application><ulink
url="http://www.busybox.net/downloads/busybox-0.60.4.tar.bz2">busybox</ulink></application>
s'attend à trouver. Utilisez les commandes suivantes pour faire l'installation.</para>
 
<screen><userinput><command>mv GNUmakefile Makefile &amp;&amp;
make &amp;&amp;
make PREFIX=/mnt/loop1 install</command></userinput></screen>
 
<para><emphasis>Installez une partie de <application>e2fsprogs</application></emphasis></para>
 
<para>Si vous utilisez le système de fichiers ext2 ou ext3 (journalisé), vous
pouvez utiliser les commandes ci-dessous pour installer les fonctionnalités
minimales qui devraient vous permettre de ré-utiliser vos disques durs. Si vous
utilisez ext3, gardez en tête qu'il fait partie du package <application>e2fsprogs</application>
et que vous pouvez obtenir les composants qui ne sont pratiquement que des liens
physiques à partir des mêmes endroits montrés ci-dessous. Si vous utilisez un
autre système de fichiers, tel que reiserfs, vous deviez appliquer le
<emphasis>principal</emphasis> de ce que vous voyez ici pour installler les
parties de votre package.</para>
 
<screen><userinput><command>LDFLAGS='-s'
mkdir build &amp;&amp;
cd build &amp;&amp;
../configure --prefix=/mnt/loop1/usr --with-root-prefix="" \
--disable-swapfs --disable-debugfs \
--enable-dynamic-e2fsck --disable-nls --disable-evms \
--disable-rpath &amp;&amp;
make LDFLAGS="$LDFLAGS" &amp;&amp;
strip -p --strip-unneeded --remove-section=.comment \
-o /mnt/loop1/sbin/mke2fs misc/mke2fs &amp;&amp;
strip -p --strip-unneeded --remove-section=.comment \
-o /mnt/loop1/sbin/e2fsck e2fsck/e2fsck &amp;&amp;
chmod 555 /mnt/loop1/sbin/{mke2fs,e2fsck}
</command></userinput></screen>
 
<para><emphasis>Deux outils bien utiles</emphasis></para>
 
<para>Voici deux outils que devrait posséder toute disquette de dépannage. Le
premier est un outil de partitionnement. Le programme <command>sfdisk</command>
est utilisé ici à cause de sa petite taille et de ses grandes capacités. Faites
attention - il n'est pas considéré comme étant très facile d'utilisation. Mais
les programmes <command>fdisk</command> et <command>cfdisk</command> sont bien
plus gros et requièrent bien plus d'objets partagés comme
<application>ncurses</application>.</para>
 
<para>Le second outil est un éditeur. La plupart des éditeurs graphiques sont
très gros et nécessitent aussi des objets partagés supplémentaires. Pour cette
raison, <command>ed</command> est utilisé ici. Il est petit, requiert aucun
objet partagé et est un éditeur basé sur les expressions régulières, ancêtre de
pratiquement tous les éditeurs suivants supportant l'édition basée sur les
expressions régulières, graphiques ou non. C'est un éditeur contextuel et offre
des fonctionnalités d'édition puissantes, mais non graphiques. Il existe plein
d'autres éditeurs qui pourraient convenir - vous pouvez choisir un d'entre eux à
la place.</para>
 
<para>Lisez les fichiers <filename>INSTALL</filename> et
<filename>README</filename> de <application>busybox</application> pour voir
comment inclure un éditeur <command>vi</command>. Cela n'a pas encore été testé,
donc cela pourrait tenir ou pas dans une seule image de disquette.</para>
 
<para>Vous pouvez les installer ou non, mais il est important pour vous d'avoir
certaines des capacités qu'ils offrent. La façon exacte de l'installation des
outils que vous avez choisi devra être déterminé par vous.</para>
 
<para><command>Sfdisk</command> et <command>ed</command> sont installés
essentiellement par une copie depuis votre hôte. Strip est utilisé uniquement
pour s'assurer qu'ils font le point minimum, même si l'installation de base de
<acronym>LFS</acronym> devrait déjà les avoir passé sur cette commande. Utilisez
les commandes suivantes:</para>
 
<screen><userinput><command>strip -p --strip-unneeded --remove-section=.comment \
-o /mnt/loop1/sbin/sfdisk /sbin/sfdisk
strip -p --strip-unneeded --remove-section=.comment \
-o /mnt/loop1/bin/ed /bin/ed
chmod 555 /mnt/loop1/sbin/sfdisk /mnt/loop1/bin/ed</command></userinput></screen>
 
<para>De même, gardez en tête vos limitations en espace disque, copiez tous les
autres binaires et bibliothèques dont vous avez besoin sur l'image. Utilisez la
commande <command>ldd</command> pour savoir de quelles bibliothèques vous aurez
besoin pour utiliser ces exécutables. N'oubliez pas de lancer
<command>strip</command> <emphasis>avant</emphasis> de les copier sur l'image
du disque ram ou d'utiliser <command>strip</command>, comme ci-dessus, pour les
"copier".</para>
 
<para><emphasis>Configurer le répertoire lib</emphasis></para>
 
<para>Une fois que vous avez installé tous les outils ci-dessus et y compris
ceux que vous souhaitez, utilisez la commande <command>ldd</command> command,
comme indiquée co-dessus, sur ceux qui n'ont pas été donné dans ce document. Si
des bibliothèques supplémentaires sont nécessaires, ajoutez-les aux commandes de
configuration montrées ci-dessous.</para>
 
<para>Si vous avez installé seulement ceux du document, les objets partagés
nécessaires seront minimes. Vous pouvez les ajouter au disque ram avec:</para>
 
<screen><userinput><command>strip -p --strip-unneeded --remove-section=.comment \
&nbsp;&nbsp;&nbsp;&nbsp;-o /mnt/loop1/lib/libc.so.6 /lib/libc-2.3.3.so &amp;&amp;
strip -p --strip-unneeded --remove-section=.comment \
&nbsp;&nbsp;&nbsp;&nbsp;-o /mnt/loop1/lib/ld-linux.so.2 /lib/ld-2.3.3.so &amp;&amp;
strip -p --strip-unneeded --remove-section=.comment \
&nbsp;&nbsp;&nbsp;&nbsp;-o /mnt/loop1/lib/libdl.so.2 /lib/libdl-2.3.3.so &amp;&amp;
chmod 555 /mnt/loop1/lib/{libc.so.6,ld-linux.so.2,libdl.so.2}</command></userinput></screen>
 
<para>Notez que les commandes ci-dessus modifient le nom des bibliothèques,
supprimant le besoin des liens symboliques habituels. Si vous ajoutez des objets
partagés supplémentaires, profitez des opportunités similaires mais faites
attention aux problèmes qui pourraient se présenter.</para>
 
<para><emphasis>Créer le fichier initrd compressé</emphasis></para>
 
<para>Démontez le fichier loopback. Si vous utilisez l'option <option>-o
loop</option> de la commande <command>mount</command>, le lien entre le
périphérique loop et le fichier sera supprimé lorsque le démontage sera terminé.
Omettez simplement le <command>losetup -d /dev/loop1</command> de la séquence
suivante. Le paramètre <userinput>-9</userinput> est utilisé avec
<command>gzip</command> pour compresser au maximum l'image. Pour s'assurer
qu'elle tient sur la disquette, affichez la taille du fichier.</para>
 
<screen><userinput><command>umount /mnt/loop1 &amp;&amp;
losetup -d /dev/loop1 &amp;&amp; # Oubliez l'option -o loop de mount a été utilisé
gzip -9 &lt; /tmp/rfloppy &gt; /tmp/rootfs.gz
ls -l /tmp/rootfs.gz</command></userinput></screen>
 
<para><emphasis>Joindre l'image de dépannage et le disque ram initial sur une disquette</emphasis></para>
 
<para>Maintenant, l'image de dépannage et le disque ram initial vont être écrit
sur une disquette démarrable. Avant de le faire, calculez le nombre de blocs
nécessaires pour l'image de dépannage et pour <filename>/tmp/rootfs.gz</filename>
(le disque ram initial), individuellement, en divisant leur taille par 1024 et
en ajoutant un s'il y a un reste. Additionnez ces deux résultats. Ils doivent
avoir un total de maximum 1440 blocs. Si le résultat est plus important, ne
vous inquiétez pas trop. Les modifications nécessaires pour créer un ensemble de
deux disquettes sont présentées plus tard. Bien sûr, vous pouvez ré-examiner vos
choix et essayer de diminuer soit le disque de dépannage soit l'image de disque
ram initial.</para>
 
<para>Pour créer une disquette de dépannage, utilisant devfs, utilisez les
commandes suivantes. Si vous utilisez la configuration du
<filename class="directory">/dev</filename> statique, utilisez
<filename>/dev/fd0</filename> au lieu de /dev/floppy/0.</para>
 
<screen><userinput><command>dd if=rescueimage of=/dev/floppy/0 bs=1k
rdev /dev/floppy/0 0,0
rdev -R /dev/floppy/0 0</command></userinput></screen>
 
<para><emphasis>Explication des commandes</emphasis></para>
 
<para><command>rdev /dev/floppy/0 0,0</command>: initialise le système de
fichiers racine que le noyau utilisera au démarrage. Parce qu'il charge le
disque ram initial, il configurera automatiquement le périphérique root. Donc,
<option>0,0</option> lui donnera "sans valeur", indiquant au noyau de ne pas
monter les autres périphériques. Certains donnent <filename>/dev/fd0</filename> ou
quelque chose de similaire. Mais, ceci a un effet <emphasis>seulement</emphasis>
lorsque <command>linuxrc</command> (en fait <application><ulink
url="http://www.busybox.net/downloads/busybox-0.60.4.tar.bz2">busybox
</ulink></application>) quitte et que les processus <command>init</command>
normaux sont appelés. Comme cela n'est pas le cas ici et que la disquette n'est
<emphasis>pas</emphasis> un système de fichiers valide, cela serait inutile ici.
Un disque dur serait un meilleur choix si vous cherchez à relancer
automatiquement le système après réparation. Comme <application><ulink
url="http://www.busybox.net/downloads/busybox-0.60.4.tar.bz2">busybox
</ulink></application> fournit la commande <command>reboot</command>, une
initialisation automatique n'est pas nécessaire.</para>
 
<para><command>rdev -R /dev/floppy/0 0</command> initialisera les options de la
racine à zéro. Elles n'ont pas d'utilité dans cette application.</para>
 
<para>La commande <command>dd</command> ci-dessus affichera quelques résultats
du type</para>
 
<screen> 480+1 records in
480+1 records out</screen>
 
<para>Dans cet exemple, l'image de dépannage (noyau) faisait une taille de 480+1 blocs.
Assurez-vous que ce nombre, qui pourrait être différent pour vous, correspond à
vos calculs ci-dessus. Vous avez besoin de calculer le "nombre magique" qui sera
inséré dans l'image de dépannage. La valeur consiste en trois parties
distinctes. Deux sont discutées ici. La troisième est abordée plus tard.</para>
 
<para>Les bits 0 - 10 contiendront la taille de l'image de dépannage en blocs
que vous avez calculé ci-dessus et qui doit correspondre au résultat du dd. Le
bit 14 (le 15è, qui est 2 puissant 14, soit 16,384) est un drapeau qui,
initialisé à 1, indique au noyau que le disque ram initial doit être chargé.
Donc, pour la disquette de dépannage, les deux nombres
16384 et 481 (ou quelque soit le bon nombre pour votre taille d'image de
dépannage) sont ajoutés ensemble pour produire une valeur décimale, comme 16865.
Cette valeur est insérée à sa bonne place dans l'image de dépannage par la
commande <command>rdev</command> exécutée tout de suite après.</para>
 
<para>Insérez le "nombre magique" dans l'image de dépannage puis écrivez le
système de fichiers racine juste après l'image de dépannage sur la disquette en
exécutant les commandes suivantes avec les bons nombres insérés. Notez que le
numéro de paramètre de <command>seek</command> doit être la taille, en blocs, de
votre image de dépannage. Si vous utilisez la configuration du <filename
class="directory">/dev</filename> statique, utilisez
<filename>/dev/fd0</filename> dans la commande ci-dessous, au lieu de
<filename>/dev/floppy/0</filename>.</para>
 
<screen><userinput><command>rdev -r /dev/floppy/0 <replaceable>16865</replaceable>
dd if=/tmp/rootfs.gz of=/dev/floppy/0 bs=1k seek=<replaceable>481</replaceable></command></userinput></screen>
 
<para>Dans cette commande, <command>seek</command> a été utilisé pour
positionner le bloc suivant la fin de l'image de dépannage (480+1) et commencé
l'écriture du système de fichiers racine sur la disquette.</para>
</sect3>
</sect2>
 
<sect2>
<title>Configurer un ensemble de deux disquettes de dépannage</title>
 
<para>Si vous ne pouvez pas vivre avec un système à seule disquette de
dépannage, voici comment faire un système à deux disquettes. Notez que les
possibilités infinies présentés par la disponibilité de
<command>linuxrc</command> et d'autres composants ne sont pas adressées ici.
Ici, vous utiliserez seulement la capacité du noyau à demander une seconde
disquette contenant l'image du disque ram initial pour le charger.</para>
 
<para>Modifiez les instructions ci-dessus de la façon suivante. Tout d'abord, un
nombre magique différent est nécessaire. Le quinzième bit est toujours
nécessaire mais la taille de l'image du disque ram est remplacé par un zéro. Le
troisième composant, qui n'a pas été discuté ci-dessus, est maintenant utilisé.
C'est le seizième bit (bit 15) du nombre magique. Une fois activé, il
indique au noyau de demander à l'utiliser d'insérer la disquette "root". Il
charge ensuite l'image du disque ram initial à partir de cette disquette. Comme
la taille de l'image de dépannage a été diminué à zéro, le noyau commence à
charger à partir du bloc zéro (le premier) de la seconde disquette.</para>
 
<para>Le seizième bit (bit 15) représente 2 à la puissance 15, soit
32768. Donc le nouveau nombre magique est 32768 + 16384, ce qui vaut 49152.
Cette valeur indique au noyau de réclamer puis de charger l'image du disque ram
initiale à partir du premier bloc de la disquette insérée. Donc votre première
modification concerne la commande d'écriture du nombre magique sur l'image de
dépannage de la disquette.</para>
 
<screen><userinput><command>rdev -r /dev/floppy/0 <replaceable>49152</replaceable></command></userinput></screen>
 
<para>Notez que l'image du disque ram initial n'est <emphasis>pas</emphasis>
encore copiée sur la disquette. Supprimez la disquette de démarrage et insérez
une autre disquette qui contiendra votre système de fichiers racine. Lancez
cette commande modifiée (n'oubliez pas d'utiliser <filename>/dev/fd0</filename>
si vous n'utilisez pas devfs). Notez qu'aucun paramètre <command>seek</command>
n'est utilisé.</para>
 
<screen><userinput><command>dd if=/tmp/rootfs.gz of=/dev/floppy/0 bs=1k</command></userinput></screen>
 
<para>Voici tout ce qu'il y avait à faire. Les possibilités à partir de là sont
limitées seulement par votre imagination et par votre ténacité à poursuivre vos
améliorations. Et par votre volonté de rechercher la documentation disponible.
Un bon point de départ est le répertoire Documentation du répertoire des sources
du noyau. Plus d'aide sont disponibles dans les <ulink
url="http://linuxfromscratch.org/hints/news.html">astuces <acronym>LFS </acronym></ulink>
(merci d'utiliser un miroir convenable) et au
<ulink url="http://www.tldp.org">TLDP</ulink>.</para>
 
</sect2>
</sect1>
</sect2>
</sect1>
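Review bot: The procedure builds the image as root at fixed names in the world-writable /tmp (`dd if=/dev/zero of=/tmp/rfloppy`, `gzip -9 &lt; /tmp/rfloppy &gt; /tmp/rootfs.gz`, `cp -a /tmp/fstab /mnt/loop1/etc`), so a pre-existing file or symlink at any of those names would be followed and overwritten, or would end up inside the rescue image. Suggest building in a private directory, for example one created with `mktemp -d` or a directory under /root, and using that path consistently through the losetup, gzip and final dd steps. Separately, the inline comment on the `losetup -d /dev/loop1` line ("Oubliez l'option -o loop de mount a été utilisé") reads as an instruction to forget the option, whereas the paragraph just before it says to omit that line when `mount -o loop` was used; the comment should say so, for example "À omettre si l'option -o loop de mount a été utilisée".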
/trunk/blfs/postlfs/config/logon.xml
1,57 → 1,76
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-config-logon">
<?dbhtml filename="logon.html"?>
<title>/etc/issue (Personnaliser votre connexion)</title>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<para>Lorsque vous démarrez pour la première fois votre nouveau système
<acronym>LFS</acronym>, l'écran de connexion sera joli et texte (comme il doit
être dans un système dépouillé). Néanmoins, beaucoup de gens voudront que leur
système affiche quelques informations dans le message de connexion. Ceci peut
se faire en utilisant le fichier <filename>/etc/issue</filename>.</para>
<sect1 id="postlfs-config-logon" xreflabel="Customizing your Logon with /etc/issue">
<?dbhtml filename="logon.html"?>
 
<para>Le fichier <filename>/etc/issue</filename> est un fichier de texte qui
accepte aussi certaines séquences d'échappement (voir plus bas) pour insérer
des informations sur le système. Il existe aussi le fichier
<filename>issue.net</filename> pouvant être utilisé lors de connexions à
distance. Néanmoins, <command>ssh</command> va seulement l'utiliser si vous
avez mis en place l'option dans les fichiers de configuration et ne va
<emphasis>pas</emphasis> interpréter les séquences d'échappement indiquées
ci-dessous.</para>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2007-04-04 21:42:53 +0200 (mer, 04 avr 2007) $</date>
</sect1info>
 
<para>Une des actions les plus communes que les gens veulent est d'effacer
l'écran à chaque connexion. Le moyen le plus simple pour y arriver est de placer
la séquence d'échappement "clear" dans <filename>/etc/issue</filename>. Un moyen
simple est de faire
<userinput><command>clear &gt; /etc/issue</command></userinput>. Ceci insèrera
le code d'échappement au début du fichier <filename>/etc/issue</filename>. Notez
que si vous faites ceci, quand vous éditez le fichier, vous devez laisser le
caractère ^[c sur la première ligne.</para>
<title>Customizing your Logon with /etc/issue</title>
 
<para>Les séquences d'échappement suivantes sont reconnues par agetty (le
programme qui analyse habituellement <filename>/etc/issue</filename>). Cette
information provient de <command>man agetty</command> où vous pouvez
trouver des informations supplémentaires sur le processus de connexion.</para>
<indexterm zone="postlfs-config-logon">
<primary sortas="e-etc-issue">/etc/issue</primary>
</indexterm>
 
<para>Le fichier <filename>issue</filename> peut contenir certains codes
d'échappement pour afficher des informations variées. Toutes les séquences
d'échappement consistent d'un backslash (\) immédiatement suivi d'une des
lettres expliquées ci-dessous (donc <option>\d</option> dans <filename>/etc/issue</filename>
insère la date courante).</para>
<para>When you first boot up your new LFS system, the logon screen will
be nice et plain (as it should be in a bare-bones system). Many people
however, will want their system to display some information in the logon
message. This can be accomplished using the
file <filename>/etc/issue</filename>.</para>
 
<screen>b Insérer la vitesse de la ligne.
d Insérer la date courante.
s Insérer le nom du système, le nom du système d'exploitation.
l Insérer le nom de la ligne tty courante.
m Insérer l'identifieur de l'architecture de la machine, par exemple i486
n Insérer le nom du noeud de la machine, aussi connu sous le nom de nom
d'hôte.
o Insérer le nom de domaine de la machine.
r Insérer le numéro de version du noyau, par exemple 2.4.16.
t Insérer la date courante.
u Insérer le nomre d'utilisateurs connectés en ce moment.
U Insérer la phrase "1 user" ou "&lt;n&gt; users" où &lt;n&gt; est le nombre
d'utilisateurs actuellement connectés.
v Insérer la version de l'OS, par exemple la date de construction.</screen>
<para>The <filename>/etc/issue</filename> file is a plain text file
which will also accept certain escape sequences (see below) in order to
insert information about the system. There is also the file
<filename>issue.net</filename> which can be used when logging on remotely.
<command>ssh</command> however, will only use it if you set the option in the
configuration file et will <emphasis>not</emphasis> interpret the
escape sequences shown below.</para>
 
<para>One of the most common things which people want to do is clear the
screen at each logon. The easiest way of doing that is to put a "clear"
escape sequence into <filename>/etc/issue</filename>. A simple way of doing
this is to issue the command <command>clear &gt; /etc/issue</command>. This
will insert the relevant escape code into the start of the
<filename>/etc/issue</filename> file. Note that if you do this, when you
edit the file, you should leave the characters (normally '^[[H^[[2J') on the
first line alone.</para>
 
<note><para>Terminal escape sequences are special codes recognized by the
terminal. The ^[ represents an ASCII ESC character. The sequence ESC [ H
puts the cursor in the upper left hand corner of the screen et ESC 2 J
erases the screen. For more information on terminal escape sequences see
<ulink url='http://rtfm.etla.org/xterm/ctlseq.html'/></para></note>
 
<para>The following sequences are recognized by <command>agetty</command>
(the program which usually parses <filename>/etc/issue</filename>). This
information is from <command>man agetty</command> where you can find
extra information about the logon process.</para>
 
<para>The <filename>issue</filename> file can contain certain character
sequences to display various information. All <filename>issue</filename>
sequences consist of a backslash (\) immediately followed by one of the
letters explained below (so <option>\d</option> in
<filename>/etc/issue</filename> would insert the current date).</para>
 
<screen><literal>b Insert the baudrate of the current line.
d Insert the current date.
s Insert the system name, the name of the operating system.
l Insert the name of the current tty line.
m Insert the architecture identifier of the machine, e.g., i686.
n Insert the nodename of the machine, also known as the hostname.
o Insert the domainname of the machine.
r Insert the release number of the kernel, e.g., 2.6.11.12.
t Insert the current time.
u Insert the number of current users logged in.
U Insert the string "1 user" or "&lt;n&gt; users" where &lt;n&gt; is the
number of current users logged in.
v Insert the version of the OS, e.g., the build-date etc.</literal></screen>
 
</sect1>
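Review bot: In the new note on terminal escape sequences the erase sequence is written "ESC 2 J", but the code quoted in the paragraph before it is '^[[H^[[2J', so the bracket is missing and the note should read ESC [ 2 J. The added English paragraphs also carry "et" where "and" was meant ("nice et plain", "configuration file et will", "screen et ESC"), which looks like a search-and-replace side effect and should be reverted before translation. The text says clear &gt; /etc/issue inserts the code "into the start" of the file, yet the redirection replaces the file's contents, so it should tell the reader to run it before adding other text. Since this banner is displayed on the logon screen, a short caution next to the sequence list that \r, \v, \n and \m show kernel release and host details to anyone who reaches the prompt would be worth adding.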
 
/trunk/blfs/postlfs/config/skel.xml
1,114 → 1,115
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-config-skel">
<?dbhtml filename="skel.html"?>
<title>Configurer l'ajout d'utilisateurs</title>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<para>Ensemble, la commande <command>/usr/sbin/useradd</command> et le
répertoire <filename class="directory">/etc/skel</filename> (tous les deux simple à configurer et
à utiliser) sont un moyen de vous assurer que les nouveaux utilisateurs de votre
système <acronym>LFS</acronym> disposeront au départ des mêmes configurations
sur des éléments comme <envar>PATH</envar>, la gestion du clavier et les
variables d'environnement. Utiliser ces deux moyens rendra ceci plus facile et
vous assure de l'état initial de chaque nouvel utilisateur.</para>
<sect1 id="postlfs-config-skel" xreflabel="Configuring for Adding Users">
<?dbhtml filename="skel.html"?>
 
<para>Le répertoire <filename class="directory">/etc/skel</filename> tient des copies de
différents fichiers d'initialisation et autres qui devront être copiés dans le
répertoire personnel du nouvel utilisateur lorsque le programme
<command>/usr/sbin/useradd</command> ajoutera cet utilisateur.</para>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2007-10-16 15:49:09 +0200 (mar, 16 oct 2007) $</date>
</sect1info>
 
<para><emphasis>Useradd</emphasis></para>
<title>Configuration de for Adding Users</title>
 
<para>Le programme <command>useradd</command> utilise une collection de valeurs
par défaut conservée dans <filename>/etc/default/useradd</filename>, si il
existe. S'il n'existe pas, alors il utilise quelques valeurs internes par
défaut. Vous pouvez voir les valeurs par défaut en lançant
<command>/usr/sbin/useradd -D</command>.
</para>
<indexterm zone="postlfs-config-skel">
<primary sortas="e-etc-skel">/etc/skel/*</primary>
</indexterm>
 
<para>Pour changer ces valeurs en quelque chose de nouveau, créez un fichier
<filename>/etc/default/useradd</filename> de base avec les mêmes valeurs que la
sortie de <command>/usr/sbin/useradd -D</command>. Voici
un exemple.</para>
<indexterm zone="postlfs-config-skel">
<primary sortas="e-etc-default-useradd">/etc/default/useradd</primary>
</indexterm>
 
<screen># Début /etc/default/useradd
<para>Together, the <command>/usr/sbin/useradd</command> command et
<filename class="directory">/etc/skel</filename> directory (both are easy to
set up et use) provide a way to assure new users are added to your LFS
system with the same beginning settings for things such as the
<envar>PATH</envar>, keyboard processing et other environmental variables.
Using these two facilities makes it easier to assure this initial state for
each new user added to the system.</para>
 
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=
SKEL=/etc/skel
<para>The <filename class="directory">/etc/skel</filename> directory holds
copies of various initialization et other files that may be copied to the
new user's home directory when the <command>/usr/sbin/useradd</command>
program adds the new user.</para>
 
# Fin /etc/default/useradd</screen>
<bridgehead renderas="sect5">Useradd</bridgehead>
 
<para>La seule chose manquant dans ce fichier est le shell par défaut.
Ajoutez-le en lançant:</para>
<para>The <command>useradd</command> program uses a collection of
default values kept in <filename>/etc/default/useradd</filename>. This file
is created in a base LFS installation by the
<application>Shadow</application> package. If it has been removed or renamed,
the <command>useradd</command> program uses some internal defaults. You can
see the default values by running
<command>/usr/sbin/useradd -D</command>.</para>
 
<screen><userinput><command>/usr/sbin/useradd -D -s/bin/bash</command></userinput></screen>
<para>To change these values, simply modify the
<filename>/etc/default/useradd</filename> file as the
<systemitem class='username'>root</systemitem> user. An alternative to
directly modifying the file is to run <command>useradd</command> as the
<systemitem class='username'>root</systemitem> user while supplying the
desired modifications on the command line. Information on how to do this
can be found in the <command>useradd</command> man page.</para>
 
<para>Ceci va configurer la ligne <envar>SHELL</envar>= en
<envar>SHELL</envar>=/bin/bash.</para>
<bridgehead renderas="sect5">/etc/skel</bridgehead>
 
<para><command>Useradd</command> a beaucoup d'autres paramètres pouvant être
configurés dans le fichier <filename>/etc/default/useradd</filename>.
</para>
<para>To get started, create an
<filename class="directory">/etc/skel</filename> directory et make sure it
is writable only by the system administrator, usually
<systemitem class="username">root</systemitem>. Creating the directory as
<systemitem class="username">root</systemitem> is the best way to go.</para>
 
<para>Pour plus d'informations, voir <command>man useradd</command>.</para>
<para>The mode of any files from this part of the book that you put in
<filename class="directory">/etc/skel</filename> should be writable only by
the owner. Also, since there is no telling what kind of sensitive information
a user may eventually place in their copy of these files, you should
make them unreadable by "group" et "other".</para>
 
<para><emphasis>/etc/skel</emphasis></para>
<para>You can also put other files in
<filename class="directory">/etc/skel</filename> et
different permissions may be needed for them.</para>
 
<para>Pour commencer, créez un répertoire <filename class="directory">/etc/skel</filename> et
assurez-vous que seul l'administrateur système a le droit d'écrire dedans, donc
habituellement root. Créer le répertoire en tant que root est la meilleure façon
de procéder.</para>
<para>Decide which initialization files should be provided in every (or most)
new user's home directory. The decisions you make will affect what you
do in the next two sections, <xref linkend="postlfs-config-profile"/> et
<xref linkend="postlfs-config-vimrc"/>. Some or all of those files will be
useful for <systemitem class="username">root</systemitem>, any
already-existing users, et new users.</para>
 
<para>Les droits de tous les fichiers dans cette partie du livre doivent
permettre l'écriture uniquement par le propriétaire. De même, comme il n'y a
aucune façon de savoir quel type d'informations sensibles un utilisateur
pourrait éventuelle placer dans leur copie de ces fichiers, vous devriez les
rendre illisible pour le groupe et les autres.</para>
<para>The files from those sections that you might want to place in
<filename class="directory">/etc/skel</filename> include
<filename>.inputrc</filename>, <filename>.bash_profile</filename>,
<filename>.bashrc</filename>, <filename>.bash_logout</filename>,
<filename>.dircolors</filename> et <filename>.vimrc</filename>. If
you are unsure which of these should be placed there, just continue to
the following sections, read each section et any references provided,
et then make your decision.</para>
 
<para>Vous pouvez aussi placer d'autres fichiers dans
<filename class="directory">/etc/skel</filename> et d'autres droits peuvent être nécessaires pour
ceux-là.</para>
<para>You will run a slightly modified set of commands for files which
are placed in <filename class="directory">/etc/skel</filename>. Each section
will remind you of this. In brief, the book's commands have been written for
files <emphasis>not</emphasis> added to
<filename class="directory">/etc/skel</filename> et instead just sends the
results to the user's home directory. If the file is going to be in
<filename class="directory">/etc/skel</filename>, change the book's command(s)
to send output there instead et then just copy the file from
<filename class="directory">/etc/skel</filename> to the appropriate
directories, like <filename class="directory">/etc</filename>,
<filename class="directory">~</filename> or the home directory
of any other user already in the system.</para>
 
<para>Décidez quels fichiers d'initialisation doivent être fournis à chaque
(ou tout) nouvel utilisateur. Les décisions que vous prenez affecteront ce que
vous ferez dans les trois prochaines sections, <xref
linkend="postlfs-config-inputrc"/>, <xref linkend="postlfs-config-profile"/> et
<xref linkend="postlfs-config-vimrc"/>. Certains ou tous ces
fichiers seront utiles à root, aux utilisateurs déjà existants et aux nouveaux
utilisateurs.</para>
<bridgehead renderas="sect5">When Adding a User</bridgehead>
 
<para>Les fichiers de ces sections que vous pourriez vouloir placer dans
<filename class="directory">/etc/skel</filename> incluent
<filename>.inputrc</filename>, <filename>.bash_profile</filename>,
<filename>.bashrc</filename>, <filename>.bash_logout</filename>,
<filename>.dircolors</filename> et <filename>.vimrc</filename>. Si vous n'êtes
pas sûr lesquels doivent y être mis, continuez simplement avec les sections
suivantes, lisez chaque section et toutes les références proposées, et enfin
décidez.</para>
<para>When adding a new user with <command>useradd</command>, use
the <option>-m</option> parameter, which tells
<command>useradd</command> to create the user's home directory et
copy files from <filename class="directory">/etc/skel</filename> (can be
overridden) to the new user's home directory. For example (perform as the
<systemitem class="username">root</systemitem> user)&nbsp;:</para>
 
<para>Vous lancerez un ensemble de commandes légèrement modifié des fichiers
placés dans <filename class="directory">/etc/skel</filename>. Chaque section vous le rappelera.
En bref, les commandes du livre ont été écrites pour des fichiers
<emphasis>non</emphasis> ajoutés dans <filename class="directory">/etc/skel</filename> et
envoient simplement les résultats dans le répertoire personnel de l'utilisateur.
Si le fichier se trouve être dans <filename class="directory">/etc/skel</filename>, changez les
commandes du livre pour envoyer la sortie là-bas et ensuite copiez le fichier
<filename class="directory">/etc/skel</filename> pour les répertoires appropriés, comme
<filename class="directory">/etc</filename>, <filename class="directory">~</filename> ou le répertoire personnel de
tout autre utilisateur existant déjà dans le système.</para>
<screen role="root"><userinput>useradd -m <replaceable>&lt;newuser&gt;</replaceable></userinput></screen>
 
<para><emphasis>Lors de l'ajout d'un utilisateur</emphasis></para>
 
<para>Lors de l'ajout d'un nouvel utilisateur avec <command>useradd</command>,
utilisez le paramètre <option>-m</option>, indiquant à
<command>useradd</command> de créer le répertoire personnel de l'utilisateur
et de copier les fichiers de <filename class="directory">/etc/skel</filename> (peut être
surchargé) dans le répertoire personnel du nouvel utilisateur. Par exemple:
</para>
 
<screen><command>useradd -m jwrober</command></screen>
 
</sect1>
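Review bot: The new paragraph on file modes in /etc/skel says the files should be writable only by the owner and unreadable by "group" and "other", but it gives no mode or command, so the reader has nothing to check against; state the intended mode explicitly (for example 600 for the dotfiles listed further down) together with the expected owner of the directory. The new title "Configuration de for Adding Users" is a half-translated string, and "et" has replaced "and" throughout the English paragraphs of this file ("command et", "set up et use", "et then make your decision"). The old revision's step that set SHELL with useradd -D -s/bin/bash is dropped without a replacement; if the Shadow-provided /etc/default/useradd is now expected to carry the shell, say so.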
/trunk/blfs/postlfs/config/netfs.xml
1,19 → 1,38
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-config-netfs" xreflabel="netfs">
<?dbhtml filename="netfs.html"?>
<title>Configurer les systèmes de fichiers réseau</title>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<para>Alors que <acronym>LFS</acronym> est capable de monter des systèmes de
fichiers réseau comme <acronym>NFS</acronym>, ils ne sont pas montés par le
script de démarrage <filename>mountfs</filename>. Les outils nécessaires pour
monter ces systèmes pourraient ne pas être disponibles sur la partition racine
et les systèmes de fichiers réseau auront besoin d'être montés après que le
réseau est activé. Ces systèmes de fichiers ont aussi besoin d'être démontés
avant que le réseau ne soit coupé.</para>
<sect1 id="postlfs-config-netfs" xreflabel="Configuring for Network Filesystems">
<?dbhtml filename="netfs.html"?>
 
<para>Installez le script de montage réseau <filename>/etc/rc.d/init.d/netfs</filename>
inclus dans le paquetage <xref linkend="intro-important-bootscripts"/>.</para>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2007-04-04 21:42:53 +0200 (mer, 04 avr 2007) $</date>
</sect1info>
 
<screen><userinput><command>make install-netfs</command></userinput></screen>
<title>Configuration de for Network Filesystems</title>
 
<!-- Fake the zone for index formatting -->
<indexterm zone="postlfs-config-netfs postlfs-config-netfs">
<primary sortas="f-netfs">netfs</primary>
</indexterm>
 
<para>While LFS is capable of mounting network file systems such as NFS,
these are not mounted by the <filename>mountfs</filename> init script.
Network file systems must be mounted after the networking is activated et
unmounted before the network goes down. The <filename>netfs</filename>
bootscript was written to handle both boot-time mounting of network
filesystems, if the entry in <filename>/etc/fstab</filename> contains the
<option>_netdev</option> option, et unmounting of all network filesystems
before the network is brought down.</para>
 
<para>As the <systemitem class="username">root</systemitem> user, install
the <filename>/etc/rc.d/init.d/netfs</filename> bootscript included with the
<xref linkend="bootscripts"/> package.</para>
 
<screen role='root'><userinput>make install-netfs</userinput></screen>
 
</sect1>
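Review bot: The xref in the install paragraph changes its target from intro-important-bootscripts to bootscripts; confirm that this id exists in the French tree, otherwise the link is left dangling. The new title "Configuration de for Network Filesystems" is half-translated, and the English paragraph has "et" for "and" twice ("activated et unmounted", "option, et unmounting"). The new text ties boot-time mounting to the _netdev option in /etc/fstab; a one-line sample entry would help, since an entry without that option is silently skipped by this script according to the paragraph.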
/trunk/blfs/postlfs/filesystems/xfs.xml
1,243 → 1,366
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY xfsprogs-download-http "http://mirrors.sunsite.dk/xfs/download/cmd_tars/xfsprogs-&xfsprogs-version;.src.tar.gz">
<!ENTITY xfsprogs-download-ftp "ftp://oss.sgi.com/projects/xfs/download/cmd_tars/xfsprogs-&xfsprogs-version;.src.tar.gz">
<!ENTITY xfsprogs-md5sum "65fbf692f348b57f21edd4813733d9ae">
<!ENTITY xfsprogs-size "833 KB">
<!ENTITY xfsprogs-buildsize "25.2 MB">
<!ENTITY xfsprogs-time "0.59 SBU">
<!-- <!ENTITY xfsprogs-download-http "http://mirrors.sunsite.dk/xfs/download/cmd_tars/xfsprogs_&xfsprogs-version;-1.tar.gz"> -->
<!ENTITY xfsprogs-download-http "&files-anduin;/sources/xfsprogs_&xfsprogs-version;-1.tar.gz">
<!-- <!ENTITY xfsprogs-download-ftp "ftp://oss.sgi.com/projects/xfs/download/cmd_tars/xfsprogs_&xfsprogs-version;-1.tar.gz"> -->
<!ENTITY xfsprogs-download-ftp " ">
<!ENTITY xfsprogs-md5sum "2bba6d3e4183defacf99e5e8ce805460">
<!ENTITY xfsprogs-size "976 Kio">
<!ENTITY xfsprogs-buildsize "37 Mio">
<!ENTITY xfsprogs-time "0.6 SBU">
]>
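Review bot: The xfsprogs-download-ftp entity is now a single space, but the package information list further down still emits a ulink with url="&amp;xfsprogs-download-ftp;", which renders as an empty link; either drop that list item or leave the entity empty in the way the rest of the book handles a missing FTP source. The HTTP download moves from the upstream location (now commented out) to &amp;files-anduin;, and the MD5 sum changes with it, so it is worth recording in the commit that the new sum was computed on the upstream tarball and not only on the mirrored copy, since that sum is the only integrity check the page gives the reader. The old DOCTYPE chapter declaration for DocBook 4.3 should not survive alongside the 4.5 sect1 declaration.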
 
<sect1 id="xfs" xreflabel="XFS-&xfsprogs-version;">
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="xfsfs.html"?>
<title>XFS-&xfsprogs-version;</title>
<indexterm zone="xfs">
<primary sortas="a-XFS">XFS</primary>
</indexterm>
<?dbhtml filename="xfsfs.html"?>
 
<sect2>
<title>Introduction to
<application><acronym>XFS</acronym></application></title>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2008-05-09 15:00:42 +0200 (ven, 09 mai 2008) $</date>
</sect1info>
 
<para>The <application>XFS</application> package contains administration
and debugging tools for the <acronym>XFS</acronym> file system.</para>
<title>XFS-&xfsprogs-version;</title>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&xfsprogs-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&xfsprogs-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &xfsprogs-md5sum;</para></listitem>
<listitem><para>Download size: &xfsprogs-size;</para></listitem>
<listitem><para>Estimated disk space required:
&xfsprogs-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&xfsprogs-time;</para></listitem></itemizedlist>
</sect3>
<indexterm zone="xfs">
<primary sortas="a-XFS">XFS</primary>
</indexterm>
 
</sect2>
<sect2 role="package">
<title>Introduction à XFS</title>
 
<sect2>
<title>Installation of <application>XFS</application></title>
<para>The <application>XFS</application> package contains administration
et debugging tools for the XFS file system.</para>
 
<note><para>If you did not install the
<ulink url="&lfs-root;/chapter06/e2fsprogs.html">E2fsprogs</ulink> package in
<acronym>LFS</acronym>, you must install it, or
<ulink url="http://pecl.php.net/get/uuid-1.0.tgz">UUID</ulink> before
proceeding with the installation of
<application>XFS</application>.</para></note>
<bridgehead renderas="sect3">Informations sur le paquet</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Téléchargement (HTTP)&nbsp;: <ulink url="&xfsprogs-download-http;"/></para>
</listitem>
<listitem>
<para>Téléchargement (FTP)&nbsp;: <ulink url="&xfsprogs-download-ftp;"/></para>
</listitem>
<listitem>
<para>Somme de contrôle MD5 du téléchargement&nbsp;: &xfsprogs-md5sum;</para>
</listitem>
<listitem>
<para>Taille du téléchargement&nbsp;: &xfsprogs-size;</para>
</listitem>
<listitem>
<para>Estimation de l'espace disque requis&nbsp;: &xfsprogs-buildsize;</para>
</listitem>
<listitem>
<para>Estimation du temps de construction&nbsp;: &xfsprogs-time;</para>
</listitem>
</itemizedlist>
 
<para>Install <application>XFS</application> by running the following
commands:</para>
<caution><para>The XFS developers regularly remove the current
package when a new package is available. Unfortunately, this has led to
severe incompatibilities, including
<ulink url="http://bugs.debian.org/465737">unmountable filesystems</ulink>,
due to kernel version requirements in new versions of the package. Using a
version not in the book is strongly discouraged. Additional information,
is available at the
<ulink url="http://oss.sgi.com/projects/xfs/">XFS</ulink> project
page.</para></caution>
 
<screen><userinput><command>sed -i 's/autoconf//' Makefile &amp;&amp;
make</command></userinput></screen>
<!-- For more information on this problem, see this thread on BLFS-Dev
http://linuxfromscratch.org/pipermail/blfs-dev/2008-March/018311.html
-->
<para condition="html" role="usernotes">Notes utilisateur&nbsp;:
<ulink url="&blfs-wiki;/xfs"/></para>
 
<para>Now, as the root user:</para>
</sect2>
 
<screen><userinput role='root'><command>make install</command></userinput></screen>
<sect2 role="installation">
<title>Installation de XFS</title>
 
</sect2>
<para>Installez <application>XFS</application> en lançant les commandes
suivantes&nbsp;:</para>
 
<sect2>
<title>Contents</title>
<screen><userinput>make DEBUG=-DNDEBUG INSTALL_USER=root INSTALL_GROUP=root \
LOCAL_CONFIGURE_OPTIONS="--enable-readline=yes"</userinput></screen>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Library</segtitle>
<segtitle>Installed Directory</segtitle>
<para>Ce paquet n'est pas fourni avec une suite de tests.</para>
 
<seglistitem>
<seg>fsck.xfs, mkfs.xfs, xfs_admin, xfs_bmap, xfs_check, xfs_copy, xfs_db,
xfs_freeze, xfs_growfs, xfs_info, xfs_io, xfs_logprint, xfs_mkfile,
xfs_ncheck, xfs_repair and xfs_rtcp</seg>
<seg>libhandle.so</seg>
<seg>/usr/share/doc/xfsprogs</seg>
</seglistitem>
</segmentedlist>
<para>Maintenant, en tant qu'utilisateur <systemitem class="username">root</systemitem>&nbsp;:</para>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<screen role="root"><userinput>make install &amp;&amp;
make install-dev &amp;&amp;
chmod -v 755 /lib/libhandle.so* &amp;&amp;
rm -f /lib/libhandle.{a,la,so} &amp;&amp;
ln -svf ../../lib/libhandle.so.1 /usr/lib/libhandle.so</userinput></screen>
 
<varlistentry id="fsck.xfs">
<term><command>fsck.xfs</command></term>
<listitem><para>simply exits with a zero status, since <acronym>XFS</acronym>
partitions are checked at mount time.</para>
<indexterm zone="xfs fsck.xfs">
<primary sortas="b-fsck.xfs">fsck.xfs</primary>
</indexterm></listitem>
</varlistentry>
</sect2>
 
<varlistentry id="mkfs.xfs">
<term><command>mkfs.xfs</command></term>
<listitem><para>constructs an <acronym>XFS</acronym> file system.</para>
<indexterm zone="xfs mkfs.xfs">
<primary sortas="b-mkfs.xfs">mkfs.xfs</primary>
</indexterm></listitem>
</varlistentry>
<sect2 role="commands">
<title>Explication des commandes</title>
 
<varlistentry id="xfs_admin">
<term><command>xfs_admin</command></term>
<listitem><para>changes the parameters of an <acronym>XFS</acronym> file
system.</para>
<indexterm zone="xfs xfs_admin">
<primary sortas="b-xfs_admin">xfs_admin</primary>
</indexterm></listitem>
</varlistentry>
<para><command>make DEBUG=-DNDEBUG</command>: Turns off debugging
symbols.</para>
 
<varlistentry id="xfs_bmap">
<term><command>xfs_bmap</command></term>
<listitem><para>prints block mapping for an <acronym>XFS</acronym> file.</para>
<indexterm zone="xfs xfs_bmap">
<primary sortas="b-xfs_bmap">xfs_bmap</primary>
</indexterm></listitem>
</varlistentry>
<para><parameter>INSTALL_USER=root INSTALL_GROUP=root</parameter>: This
sets the owner et group of the installed files.</para>
<!-- relevant only if building as non-root -->
 
<varlistentry id="xfs_check">
<term><command>xfs_check</command></term>
<listitem><para>checks <acronym>XFS</acronym> file system consistency.</para>
<indexterm zone="xfs xfs_check">
<primary sortas="b-xfs_check">xfs_check</primary>
</indexterm></listitem>
</varlistentry>
<para><parameter>LOCAL_CONFIGURE_OPTIONS="..."</parameter>: This passes
extra configuration options to the <filename>configure</filename> script.
The example <parameter>--enable-readline=yes</parameter> parameter
enables linking the XFS programs with the
<filename class="libraryfile">libreadline.so</filename> library, in order
to allow editing interactive commands.</para>
 
<varlistentry id="xfs_copy">
<term><command>xfs_copy</command></term>
<listitem><para>copies the contents of an <acronym>XFS</acronym> file system
to one or more targets in parallel.</para>
<indexterm zone="xfs xfs_copy">
<primary sortas="b-xfs_copy">xfs_copy</primary>
</indexterm></listitem>
</varlistentry>
<para><parameter>OPTIMIZER="..."</parameter>: Adding this parameter to
the end of the <command>make</command> command overrides the
default optimization settings.</para>
 
<varlistentry id="xfs_db">
<term><command>xfs_db</command></term>
<listitem><para>is used to debug an <acronym>XFS</acronym> file system.</para>
<indexterm zone="xfs xfs_db">
<primary sortas="b-xfs_db">xfs_db</primary>
</indexterm></listitem>
</varlistentry>
<para><command>make install-dev</command>: This command installs
static XFS libraries, their headers et the corresponding
documentation.</para>
 
<varlistentry id="xfs_freeze">
<term><command>xfs_freeze</command></term>
<listitem><para>suspends access to an <acronym>XFS</acronym> file
system.</para>
<indexterm zone="xfs xfs_freeze">
<primary sortas="b-xfs_freeze">xfs_freeze</primary>
</indexterm></listitem>
</varlistentry>
</sect2>
 
<varlistentry id="xfs_growfs">
<term><command>xfs_growfs</command></term>
<listitem><para>expands an <acronym>XFS</acronym> file system.</para>
<indexterm zone="xfs xfs_growfs">
<primary sortas="b-xfs_growfs">xfs_growfs</primary>
</indexterm></listitem>
</varlistentry>
<sect2 role="content">
<title>Contenu</title>
 
<varlistentry id="xfs_info">
<term><command>xfs_info</command></term>
<listitem><para>is equivalent to invoking <command>xfs_growfs</command>, but
specifying that no change to the file system is to be made.</para>
<indexterm zone="xfs xfs_info">
<primary sortas="b-xfs_info">xfs_info</primary>
</indexterm></listitem>
</varlistentry>
<segmentedlist>
<segtitle>Programmes installés</segtitle>
<segtitle>Bibliothèques installées</segtitle>
<segtitle>Répertoire installé</segtitle>
 
<varlistentry id="xfs_io">
<term><command>xfs_io</command></term>
<listitem><para>is a debugging tool like <command>xfs_db</command>, but is
aimed at examining the regular file I/O path rather than the raw
<acronym>XFS</acronym> volume itself.</para>
<indexterm zone="xfs xfs_io">
<primary sortas="b-xfs_io">xfs_io</primary>
</indexterm></listitem>
</varlistentry>
<seglistitem>
<seg>fsck.xfs, mkfs.xfs, xfs_admin, xfs_bmap, xfs_check, xfs_copy,
xfs_db, xfs_freeze, xfs_growfs, xfs_info, xfs_io, xfs_logprint,
xfs_mdrestore, xfs_metadump, xfs_mkfile, xfs_ncheck, xfs_quota,
xfs_repair, et xfs_rtcp</seg>
<seg>libdisk.a, libhandle.{so,a}, libxcmd.a, libxfs.a, et
libxlog.a </seg>
<seg>/usr/share/doc/xfsprogs</seg>
</seglistitem>
</segmentedlist>
 
<varlistentry id="xfs_logprint">
<term><command>xfs_logprint</command></term>
<listitem><para>prints the log of an <acronym>XFS</acronym> file system.</para>
<indexterm zone="xfs xfs_logprint">
<primary sortas="b-xfs_logprint">xfs_logprint</primary>
</indexterm></listitem>
</varlistentry>
<variablelist>
<bridgehead renderas="sect3">Descriptions courtes</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
 
<varlistentry id="xfs_mkfile">
<term><command>xfs_mkfile</command></term>
<listitem><para>creates an <acronym>XFS</acronym> file, padded with zeroes by
default.</para>
<indexterm zone="xfs xfs_mkfile">
<primary sortas="b-xfs_mkfile">xfs_mkfile</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="fsck.xfs">
<term><command>fsck.xfs</command></term>
<listitem>
<para>simply exits with a zero status, since XFS
partitions are checked at mount time.</para>
<indexterm zone="xfs fsck.xfs">
<primary sortas="b-fsck.xfs">fsck.xfs</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_ncheck">
<term><command>xfs_ncheck</command></term>
<listitem><para>generates pathnames from inode numbers for an
<acronym>XFS</acronym> file system.</para>
<indexterm zone="xfs xfs_ncheck">
<primary sortas="b-xfs_ncheck">xfs_ncheck</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="mkfs.xfs">
<term><command>mkfs.xfs</command></term>
<listitem>
<para>constructs an XFS file system.</para>
<indexterm zone="xfs mkfs.xfs">
<primary sortas="b-mkfs.xfs">mkfs.xfs</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_repair">
<term><command>xfs_repair</command></term>
<listitem><para>repairs corrupt or damaged <acronym>XFS</acronym>file
systems.</para>
<indexterm zone="xfs xfs_repair">
<primary sortas="b-xfs_repair">xfs_repair</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="xfs_admin">
<term><command>xfs_admin</command></term>
<listitem>
<para>changes the parameters of an XFS file system.</para>
<indexterm zone="xfs xfs_admin">
<primary sortas="b-xfs_admin">xfs_admin</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_rtcp">
<term><command>xfs_rtcp</command></term>
<listitem><para>copies a file to the real-time partition on an
<acronym>XFS</acronym> file system.</para>
<indexterm zone="xfs xfs_rtcp">
<primary sortas="b-xfs_rtcp">xfs_rtcp</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="xfs_bmap">
<term><command>xfs_bmap</command></term>
<listitem>
<para>prints block mapping for an XFS file.</para>
<indexterm zone="xfs xfs_bmap">
<primary sortas="b-xfs_bmap">xfs_bmap</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libhandle">
<term><filename class='libraryfile'>libhandle.so</filename></term>
<listitem><para>contains functions to map filesystem handles to a
corresponding open file descriptor for that filesystem.</para>
<indexterm zone="xfs libhandle">
<primary sortas="c-libhandle">libhandle.so</primary>
</indexterm></listitem>
</varlistentry>
</variablelist>
<varlistentry id="xfs_check">
<term><command>xfs_check</command></term>
<listitem>
<para>checks XFS file system consistency.</para>
<indexterm zone="xfs xfs_check">
<primary sortas="b-xfs_check">xfs_check</primary>
</indexterm>
</listitem>
</varlistentry>
 
</sect2>
<varlistentry id="xfs_copy">
<term><command>xfs_copy</command></term>
<listitem>
<para>copies the contents of an XFS file system
to one or more targets in parallel.</para>
<indexterm zone="xfs xfs_copy">
<primary sortas="b-xfs_copy">xfs_copy</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_db">
<term><command>xfs_db</command></term>
<listitem>
<para>is used to debug an XFS file system.</para>
<indexterm zone="xfs xfs_db">
<primary sortas="b-xfs_db">xfs_db</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_freeze">
<term><command>xfs_freeze</command></term>
<listitem>
<para>suspends access to an XFS file system.</para>
<indexterm zone="xfs xfs_freeze">
<primary sortas="b-xfs_freeze">xfs_freeze</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_growfs">
<term><command>xfs_growfs</command></term>
<listitem>
<para>expands an XFS file system.</para>
<indexterm zone="xfs xfs_growfs">
<primary sortas="b-xfs_growfs">xfs_growfs</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_info">
<term><command>xfs_info</command></term>
<listitem>
<para>is equivalent to invoking <command>xfs_growfs</command>, but
specifying that no change to the file system is to be made.</para>
<indexterm zone="xfs xfs_info">
<primary sortas="b-xfs_info">xfs_info</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_io">
<term><command>xfs_io</command></term>
<listitem>
<para>is a debugging tool like <command>xfs_db</command>, but is
aimed at examining the regular file I/O path rather than the raw
XFS volume itself.</para>
<indexterm zone="xfs xfs_io">
<primary sortas="b-xfs_io">xfs_io</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_logprint">
<term><command>xfs_logprint</command></term>
<listitem>
<para>prints the log of an XFS file system.</para>
<indexterm zone="xfs xfs_logprint">
<primary sortas="b-xfs_logprint">xfs_logprint</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_mdrestore">
<term><command>xfs_mdrestore</command></term>
<listitem>
<para>restores an XFS metadump image to a filesystem image.</para>
<indexterm zone="xfs xfs_mdrestore">
<primary sortas="b-xfs_mdrestore">xfs_mdrestore</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_metadump">
<term><command>xfs_metadump</command></term>
<listitem>
<para>copies XFS filesystem metadata to a file.</para>
<indexterm zone="xfs xfs_metadump">
<primary sortas="b-xfs_metadump">xfs_metadump</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_mkfile">
<term><command>xfs_mkfile</command></term>
<listitem>
<para>creates an XFS file, padded with zeroes by default.</para>
<indexterm zone="xfs xfs_mkfile">
<primary sortas="b-xfs_mkfile">xfs_mkfile</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_ncheck">
<term><command>xfs_ncheck</command></term>
<listitem>
<para>generates pathnames from inode numbers for an
XFS file system.</para>
<indexterm zone="xfs xfs_ncheck">
<primary sortas="b-xfs_ncheck">xfs_ncheck</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_quota">
<term><command>xfs_quota</command></term>
<listitem>
<para>is a utility for reporting et editing various
aspects of filesystem quota.</para>
<indexterm zone="xfs xfs_quota">
<primary sortas="b-xfs_quota">xfs_quota</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_repair">
<term><command>xfs_repair</command></term>
<listitem>
<para>repairs corrupt or damaged XFS file systems.</para>
<indexterm zone="xfs xfs_repair">
<primary sortas="b-xfs_repair">xfs_repair</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="xfs_rtcp">
<term><command>xfs_rtcp</command></term>
<listitem>
<para>copies a file to the real-time partition on an
XFS file system.</para>
<indexterm zone="xfs xfs_rtcp">
<primary sortas="b-xfs_rtcp">xfs_rtcp</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libhandle">
<term><filename class='libraryfile'>libhandle.so</filename></term>
<listitem>
<para>contains XFS-specific functions that provide a way to perform
certain filesystem operations without using a file descriptor to
access filesystem objects.</para>
<indexterm zone="xfs libhandle">
<primary sortas="c-libhandle">libhandle.so</primary>
</indexterm>
</listitem>
</varlistentry>
 
 
<!-- FIXME: other libraries are undocumented 20080221 -->
 
</variablelist>
 
</sect2>
 
</sect1>
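Review bot: In the xfs_quota entry, "is a utility for reporting et editing various aspects of filesystem quota" has had "and" replaced by "et" inside a sentence that is otherwise still English, which looks like a blanket search-and-replace rather than a translation. Either translate the whole paragraph or restore "and". The `FIXME: other libraries are undocumented 20080221` comment is also carried over unchanged, so the content list still documents only libhandle.so.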
/trunk/blfs/postlfs/filesystems/ext3.xml
1,58 → 1,61
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<sect1 id="postlfs-filesystems-ext3">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="ext3.html"?>
<title>Ext3</title>
<?dbhtml filename="ext3.html"?>
 
<para>Ext3 is a journaling file system that is an extension to the ext2
file system. It is backward compatible with ext2 and the conversion from ext2
to ext3 is trivial.</para>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2007-04-04 21:42:53 +0200 (mer, 04 avr 2007) $</date>
</sect1info>
 
<para>You don't need to install anything to use ext3, all the required
packages are available with a bare <acronym>LFS</acronym> system.</para>
<title>Ext3</title>
 
<para>When building the kernel, ensure that you have compiled in ext3
support. If you want your root partition to be ext3, then compile the ext3
support in the kernel, else you may compile it as a module. Recompile the
kernel if needed.</para>
<para>Ext3 is a journaling file system that is an extension to the ext2
file system. It is backward compatible with ext2 et the conversion from
ext2 to ext3 is trivial.</para>
 
<para>Edit your <filename>/etc/fstab</filename>. For each partition that you
want to convert into ext3, edit the entry so that it looks similar to the
following line.</para>
<para>You don't need to install anything to use ext3, all the required
packages are available with a bare LFS system.</para>
 
<screen>/dev/hd<replaceable>XX</replaceable> /mnt_point ext3 defaults 1 0</screen>
<para>When building the kernel, ensure that you have compiled in ext3
support. If you want your root partition to be ext3, then compile the ext3
support in the kernel, else you may compile it as a module. Recompile the
kernel if needed.</para>
 
<para>In the above line, replace
<filename>/dev/hd<replaceable>XX</replaceable></filename> by the
partition (e.g., <filename>/dev/hda2</filename>),
<filename class="directory">/mnt_point</filename> by the mount point (e.g.,
<filename class="directory">/home</filename>). The <option>0</option> in the
last field ensures that the partition will not be checked for
consistency during the boot process by the <command>checkfs</command> script.
You may replace the <option>ext3</option> fs type in the above by
<option>auto</option> if you want to ensure that the partition is mounted
if you accidentally skip enabling the ext3 support in the kernel.</para>
<para>Edit your <filename>/etc/fstab</filename>. For each partition that you
want to convert into ext3, edit the entry so that it looks similar to the
following line.</para>
 
<para>For each partition that you have converted to ext3 in <filename>
/etc/fstab</filename>, enable the journal for the partition by running the
following command.</para>
<screen><literal>/dev/hd<replaceable>&lt;XX&gt;</replaceable> /mnt_point ext3 defaults 1 1</literal></screen>
 
<screen><userinput role='root'><command>tune2fs -j /dev/hd<replaceable>XX</replaceable></command></userinput></screen>
<para>In the above line, replace
<filename>/dev/hd<replaceable>&lt;XX&gt;</replaceable></filename> by the
partition (e.g., <filename>/dev/hda2</filename>),
<filename class="directory">/mnt_point</filename> by the mount point (e.g.,
<filename class="directory">/home</filename>). The <option>1</option> in the
last field ensures that the partition will be checked for
consistency during the boot process by the <command>checkfs</command> script
as recommended by the maintainer.
You may replace the <option>ext3</option> fs type in the above by
<option>auto</option> if you want to ensure that the partition is mounted
even if you accidentally disable ext3 support in the kernel.</para>
 
<para>Remount the concerned partitions, or simply reboot if you have
recompiled the kernel to enable ext3 support.</para>
<para>For each partition that you have converted to ext3 in <filename>
/etc/fstab</filename>, enable the journal for the partition by running the
following command.</para>
 
<para>More information is available at <ulink
url="http://www.zip.com.au/~akpm/linux/ext3/ext3-usage.html"/>. This
informaion is still relevant to the 2.6 kernels.</para>
<screen role="root"><userinput>tune2fs -j /dev/hd<replaceable>&lt;XX&gt;</replaceable></userinput></screen>
 
<para>Remount the concerned partitions, or simply reboot if you have
recompiled the kernel to enable ext3 support.</para>
 
<para>More information is available at <ulink
url="http://www.zip.com.au/~akpm/linux/ext3/ext3-usage.html"/>. This
information is still relevant to the 2.6 kernels.</para>
 
</sect1>
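Review bot: The fstab example changes from `ext3 defaults 1 0` to `ext3 defaults 1 1` while the text still uses /home as the sample mount point. fstab(5) reserves pass number 1 for the root file system and recommends 2 for all others, so the example and the sentence "The 1 in the last field ensures that the partition will be checked" should either use 2 for non-root partitions or say that 1 applies to the root partition only. In the first paragraph, "backward compatible with ext2 et the conversion" has "and" replaced by "et" in an untranslated English sentence; restore it or translate the paragraph.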
/trunk/blfs/postlfs/filesystems/filesystems.xml
1,27 → 1,29
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<!--
$LastChangedBy: randy $
$Date: 2008-05-09 15:00:42 +0200 (ven, 09 mai 2008) $
-->
 
<chapter id="postlfs-filesystems">
<?dbhtml filename="filesystems.html"?>
<title>File Systems</title>
<?dbhtml filename="filesystems.html"?>
 
<para>Journaling file systems reduce the time needed to recover a
file system that was not unmounted properly. While this can be extremely
important in reducing downtime for servers, it has also become popular for
desktop environments. This chapter contains a variety of journaling
file systems.</para>
<title>File Systems</title>
 
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="ext3.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="reiser.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="xfs.xml"/>
<para>Journaling file systems reduce the time needed to recover a
file system that was not unmounted properly. While this can be extremely
important in reducing downtime for servers, it has also become popular for
desktop environments. This chapter contains two other journaling file
systems you can use instead of the default LFS third extended file
system.</para>
 
<!-- &postlfs-filesystems-ext3;
&reiser;
&xfs;
-->
<!-- <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="ext3.xml"/> -->
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="reiser.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="xfs.xml"/>
 
</chapter>
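Review bot: The `xi:include` for ext3.xml is commented out here while ext3.xml itself is still updated in this same revision, so that section is maintained but never built. Either drop the file from the tree or keep the include. The new sentence "This chapter contains two other journaling file systems" hard-codes the count and stays correct only while exactly reiser.xml and xfs.xml are included; the title and paragraph are also still in English.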
/trunk/blfs/postlfs/filesystems/reiser.xml
1,151 → 1,178
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY reiser-download-http "http://ftp.namesys.com/pub/reiserfsprogs/reiserfsprogs-&reiser-version;.tar.gz">
<!ENTITY reiser-download-ftp "ftp://ftp.namesys.com/pub/reiserfsprogs/reiserfsprogs-&reiser-version;.tar.gz">
<!ENTITY reiser-md5sum "b42cf15f6651c3ceff5cb84996c0d539">
<!ENTITY reiser-size "400 KB">
<!ENTITY reiser-buildsize "7.9 MB">
<!ENTITY reiser-time "0.16 SBU">
<!ENTITY reiser-download-http "http://www.kernel.org/pub/linux/utils/fs/reiserfs/reiserfsprogs-&reiser-version;.tar.bz2">
<!ENTITY reiser-download-ftp "&sources-anduin-ftp;/r/reiserfsprogs-&reiser-version;.tar.bz2">
<!ENTITY reiser-md5sum "0639cefac8f8150536cfa7531c2aa2d2">
<!ENTITY reiser-size "320 Kio">
<!ENTITY reiser-buildsize "9.3 Mio">
<!ENTITY reiser-time "0.2 SBU">
]>
 
<sect1 id="reiserfs" xreflabel="ReiserFS-&reiser-version;">
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="reiserfs.html"?>
<title>ReiserFS-&reiser-version;</title>
<indexterm zone="reiserfs">
<primary sortas="a-ReiserFS">ReiserFS</primary>
</indexterm>
<?dbhtml filename="reiserfs.html"?>
 
<sect2>
<title>Introduction to <application>ReiserFS</application></title>
<sect1info>
<othername>$LastChangedBy: bdubbs $</othername>
<date>$Date: 2009-02-24 10:53:46 +0100 (mar 24 fév 2009) $</date>
</sect1info>
 
<para>The <application>ReiserFS</application> package contains various
utilities for use with the Reiser file system.</para>
<title>ReiserFS-&reiser-version;</title>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&reiser-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&reiser-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &reiser-md5sum;</para></listitem>
<listitem><para>Download size: &reiser-size;</para></listitem>
<listitem><para>Estimated disk space required:
&reiser-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&reiser-time;</para></listitem></itemizedlist>
</sect3>
<indexterm zone="reiserfs">
<primary sortas="a-ReiserFS">ReiserFS</primary>
</indexterm>
 
</sect2>
<sect2 role="package">
<title>Introduction à ReiserFS</title>
 
<sect2>
<title>Installation of <application>ReiserFS</application></title>
<para>The <application>ReiserFS</application> package contains various
utilities for use with the Reiser file system.</para>
 
<para>Install <application>ReiserFS</application> by running the following
commands:</para>
<bridgehead renderas="sect3">Informations sur le paquet</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Téléchargement (HTTP)&nbsp;: <ulink url="&reiser-download-http;"/></para>
</listitem>
<listitem>
<para>Téléchargement (FTP)&nbsp;: <ulink url="&reiser-download-ftp;"/></para>
</listitem>
<listitem>
<para>Somme de contrôle MD5 du téléchargement&nbsp;: &reiser-md5sum;</para>
</listitem>
<listitem>
<para>Taille du téléchargement&nbsp;: &reiser-size;</para>
</listitem>
<listitem>
<para>Estimation de l'espace disque requis&nbsp;: &reiser-buildsize;</para>
</listitem>
<listitem>
<para>Estimation du temps de construction&nbsp;: &reiser-time;</para>
</listitem>
</itemizedlist>
 
<screen><userinput><command>./configure --prefix=/usr --sbindir=/sbin &amp;&amp;
make</command></userinput></screen>
<para condition="html" role="usernotes">Notes utilisateur&nbsp;:
<ulink url="&blfs-wiki;/reiser"/></para>
 
<para>Now, as the root user:</para>
</sect2>
 
<screen><userinput role='root'><command>make install &amp;&amp;
<sect2 role="installation">
<title>Installation de ReiserFS</title>
 
<para>Installez <application>ReiserFS</application> en lançant les commandes
suivantes&nbsp;:</para>
 
<screen><userinput>./configure --prefix=/usr --sbindir=/sbin &amp;&amp;
make</userinput></screen>
 
<para>Ce paquet n'est pas fourni avec une suite de tests.</para>
 
<para>Maintenant, en tant qu'utilisateur <systemitem class="username">root</systemitem>&nbsp;:</para>
 
<screen role="root"><userinput>make install &amp;&amp;
ln -sf reiserfsck /sbin/fsck.reiserfs &amp;&amp;
ln -sf mkreiserfs /sbin/mkfs.reiserfs</command></userinput></screen>
ln -sf mkreiserfs /sbin/mkfs.reiserfs</userinput></screen>
 
</sect2>
</sect2>
 
<sect2>
<title>Command explanations</title>
<sect2 role="commands">
<title>Explication des commandes</title>
 
<para><parameter>--prefix=/usr</parameter>: This ensures that
the manual pages are installed in the correct location while still
installing the programs in <filename class="directory">/sbin</filename> as
they should be.</para>
<para><parameter>--prefix=/usr</parameter>: This ensures that
the manual pages are installed in the correct location while still
installing the programs in <filename class="directory">/sbin</filename> as
they should be.</para>
 
<para><parameter>--sbindir=/sbin</parameter>: This ensures that the
<application>ReiserFS</application> utilities are installed in
<filename class="directory">/sbin</filename> as they should be.</para>
<para><parameter>--sbindir=/sbin</parameter>: This ensures that the
<application>ReiserFS</application> utilities are installed in
<filename class="directory">/sbin</filename> as they should be.</para>
 
</sect2>
</sect2>
 
<sect2>
<title>Contents</title>
<sect2 role="content">
<title>Contenu</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<segmentedlist>
<segtitle>Programmes installés</segtitle>
<segtitle>Bibliothèques installées</segtitle>
<segtitle>Répertoires installés</segtitle>
 
<seglistitem>
<seg>debugreiserfs, mkreiserfs, reiserfsck, reiserfstune and
resize_reiserfs</seg>
<seg>None</seg>
<seg>None</seg>
</seglistitem>
</segmentedlist>
<seglistitem>
<seg>debugreiserfs, mkreiserfs, reiserfsck, reiserfstune, et
resize_reiserfs</seg>
<seg>None</seg>
<seg>None</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<variablelist>
<bridgehead renderas="sect3">Descriptions courtes</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
 
<varlistentry id="debugreiserfs">
<term><command>debugreiserfs</command></term>
<listitem><para>can sometimes help to solve problems with
<application>ReiserFS</application> file systems. If it is called without
options, it prints the super block of any reiserfs file system found on the
device.</para>
<indexterm zone="reiserfs debugreiserfs">
<primary sortas="b-debugreiserfs">debugreiserfs</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="debugreiserfs">
<term><command>debugreiserfs</command></term>
<listitem>
<para>can sometimes help to solve problems with
<application>ReiserFS</application> file systems. If it is called
without options, it prints the super block of any
<application>ReiserFS</application> file
system found on the device.</para>
<indexterm zone="reiserfs debugreiserfs">
<primary sortas="b-debugreiserfs">debugreiserfs</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="mkreiserfs">
<term><command>mkreiserfs</command></term>
<listitem><para>creates a <application>ReiserFS</application> file
system.</para>
<indexterm zone="reiserfs mkreiserfs">
<primary sortas="b-mkreiserfs">mkreiserfs</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="mkreiserfs">
<term><command>mkreiserfs</command></term>
<listitem>
<para>creates a <application>ReiserFS</application> file system.</para>
<indexterm zone="reiserfs mkreiserfs">
<primary sortas="b-mkreiserfs">mkreiserfs</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="reiserfsck">
<term><command>reiserfsck</command></term>
<listitem><para>is used to check or repair a
<application>ReiserFS</application> file system.</para>
<indexterm zone="reiserfs reiserfsck">
<primary sortas="b-reiserfsck">reiserfsck</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="reiserfsck">
<term><command>reiserfsck</command></term>
<listitem>
<para>is used to check or repair a
<application>ReiserFS</application> file system.</para>
<indexterm zone="reiserfs reiserfsck">
<primary sortas="b-reiserfsck">reiserfsck</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="reiserfstune">
<term><command>reiserfstune</command></term>
<listitem><para>is used for tuning the <application>ReiserFS</application>
journal. <emphasis>WARNING</emphasis>: Don't use this utility without first
reading the man page thoroughly.</para>
<indexterm zone="reiserfs reiserfstune">
<primary sortas="b-reiserfstune">reiserfstune</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="reiserfstune">
<term><command>reiserfstune</command></term>
<listitem>
<para>is used for tuning the <application>ReiserFS</application>
journal. <emphasis>WARNING</emphasis>: Don't use this utility without
first reading the man page thoroughly.</para>
<indexterm zone="reiserfs reiserfstune">
<primary sortas="b-reiserfstune">reiserfstune</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="resize_reiserfs">
<term><command>resize_reiserfs</command></term>
<listitem><para>is used to resize an unmounted
<application>ReiserFS</application> file system.</para>
<indexterm zone="reiserfs resize_reiserfs">
<primary sortas="b-resize_reiserfs">resize_reiserfs</primary>
</indexterm></listitem>
</varlistentry>
</variablelist>
<varlistentry id="resize_reiserfs">
<term><command>resize_reiserfs</command></term>
<listitem>
<para>is used to resize an unmounted
<application>ReiserFS</application> file system.</para>
<indexterm zone="reiserfs resize_reiserfs">
<primary sortas="b-resize_reiserfs">resize_reiserfs</primary>
</indexterm>
</listitem>
</varlistentry>
 
</sect2>
</variablelist>
 
</sect2>
 
</sect1>
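Review bot: The new `reiser-download-http` entity is a plain `http://` URL and the only integrity value the page publishes for the tarball is `reiser-md5sum`. MD5 is not collision resistant, so a reader fetching over HTTP or FTP has no strong check that the archive is the intended one; add a stronger digest entity next to the MD5 value and list it under "Informations sur le paquet". Separately, the section titles are translated but the paragraphs under them are not, and "reiserfstune, et resize_reiserfs" plus `<seg>None</seg>` mix the two languages in the content list.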
 
/trunk/blfs/postlfs/security/syslog.xml
1,10 → 1,10
<sect1 id="postlfs-security-syslog">
<sect1info>
<othername>$LastChangedBy: archaic $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
<othername>$LastChangedBy: bdubbs $</othername>
<date>$Date: 2005-08-01 21:29:19 +0200 (lun, 01 aoû 2005) $</date>
</sect1info>
<?dbhtml filename="syslog.html"?>
<title>Configuring syslog</title>
<title>Configuration de syslog</title>
 
<para>TO BE WRITTEN - NEW</para>
 
/trunk/blfs/postlfs/security/gnupg.xml
1,140 → 1,205
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY gnupg-download-http "http://public.ftp.planetmirror.com/pub/gnupg/gnupg-&gnupg-version;.tar.bz2">
<!ENTITY gnupg-download-http "&sources-anduin-http;/g/gnupg-&gnupg-version;.tar.bz2">
<!--<!ENTITY gnupg-download-http "http://public.ftp.planetmirror.com/pub/gnupg/gnupg-&gnupg-version;.tar.bz2"> -->
<!ENTITY gnupg-download-ftp "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-&gnupg-version;.tar.bz2">
<!ENTITY gnupg-md5 "8c303606aaf73b7756b9fe6f3d8b58c2">
<!ENTITY gnupg-size "2.7 MB">
<!ENTITY gnupg-buildsize "25 MB">
<!ENTITY gnupg-time "0.44 SBU">
<!ENTITY gnupg-md5sum "cc52393087480ac8d245625004a6a30c">
<!ENTITY gnupg-size "3.250 Mio">
<!ENTITY gnupg-buildsize "40 Mio">
<!ENTITY gnupg-time "0.5 SBU">
]>
 
<sect1 id="gnupg" xreflabel="GnuPG-&gnupg-version;">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="gnupg.html"?>
<title>GnuPG-&gnupg-version;</title>
<indexterm zone="gnupg">
<primary sortas="a-GnuPG">GnuPG</primary></indexterm>
<?dbhtml filename="gnupg.html"?>
 
<sect2>
<title>Introduction to <application>GnuPG</application></title>
<sect1info>
<othername>$LastChangedBy: ag $</othername>
<date>$Date: 2009-01-24 19:37:23 +0100 (sam 24 jan 2009) $</date>
</sect1info>
 
<para>The <application>GnuPG</application> package contains a public/private
key encryptor. This is becoming useful for signing files or emails as proof
of identity and preventing tampering with contents of the file or email.</para>
<title>GnuPG-&gnupg-version;</title>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&gnupg-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&gnupg-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 Sum: &gnupg-md5;</para></listitem>
<listitem><para>Download size: &gnupg-size;</para></listitem>
<listitem><para>Estimated disk space required:
&gnupg-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&gnupg-time;</para></listitem></itemizedlist>
</sect3>
<indexterm zone="gnupg">
<primary sortas="a-GnuPG">GnuPG</primary>
</indexterm>
 
<!-- <sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required Patch: <ulink
url="&patch-root;/gnupg-&gnupg-version;-po_install_fix-1.patch"/>
</para></listitem>
</itemizedlist>
</sect3> -->
<sect2 role="package">
<title>Introduction à GnuPG</title>
 
<sect3><title><application>GnuPG</application> dependencies</title>
<sect4><title>Optional</title>
<para><xref linkend="openldap"/>,
<ulink url="../server/mail.html">MTA</ulink>,
<xref linkend="docbook-utils"/> and <ulink
url="http://www.oasis-open.org/docbook/tools/dtm/">docbook-to-man</ulink>
</para></sect4>
</sect3>
<para>The <application>GnuPG</application> package contains a
public/private key encryptor. This is becoming useful for signing
files or emails as proof of identity et preventing tampering with
the contents of the file or email. For a more enhanced version of
GnuPG which supports S/MIME, see the <xref linkend="gnupg2"/>
package.</para>
 
</sect2>
<bridgehead renderas="sect3">Informations sur le paquet</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Téléchargement (HTTP)&nbsp;: <ulink url="&gnupg-download-http;"/></para>
</listitem>
<listitem>
<para>Téléchargement (FTP)&nbsp;: <ulink url="&gnupg-download-ftp;"/></para>
</listitem>
<listitem>
<para>Somme de contrôle MD5 du téléchargement&nbsp;: &gnupg-md5sum;</para>
</listitem>
<listitem>
<para>Taille du téléchargement&nbsp;: &gnupg-size;</para>
</listitem>
<listitem>
<para>Estimation de l'espace disque requis&nbsp;: &gnupg-buildsize;</para>
</listitem>
<listitem>
<para>Estimation du temps de construction&nbsp;: &gnupg-time;</para>
</listitem>
</itemizedlist>
 
<sect2>
<title>Installation of <application>GnuPG</application></title>
<bridgehead renderas="sect3">Téléchargements supplémentaires</bridgehead>
<itemizedlist spacing='compact'>
<listitem>
<para>Requises Patch (if you have <application>Curl</application>
already installed et is linked against a SSL/TLS library)&nbsp;: <ulink
url="&patch-root;/gnupg-&gnupg-version;-curl_fix-1.patch"/>
</para>
</listitem>
</itemizedlist>
 
<para>Install <application>GnuPG</application> by running the following
commands:</para>
<bridgehead renderas="sect3">GnuPG Dependencies</bridgehead>
 
<screen><userinput><command>./configure --prefix=/usr --libexecdir=/usr/lib &amp;&amp;
make</command></userinput></screen>
<bridgehead renderas="sect4">Facultatives</bridgehead>
<para role="optional"><xref linkend="openssl"/>,
<xref linkend="openldap"/>,
<xref linkend="libusb-compat"/>,
<xref linkend="curl"/>,
an <xref linkend="server-mail"/>,
<xref linkend="docbook-utils"/> et <ulink
url="http://www.oasis-open.org/docbook/tools/dtm/">docbook-to-man</ulink></para>
 
<para>Now, as the root user:</para>
<para condition="html" role="usernotes">Notes utilisateur&nbsp;:
<ulink url="&blfs-wiki;/gnupg"/></para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
chmod 4755 /usr/bin/gpg</command></userinput></screen>
</sect2>
 
</sect2>
<sect2 role="installation">
<title>Installation de GnuPG</title>
 
<sect2>
<title>Command explanations</title>
<para>If <application>Curl</application> is already installed,
apply the patch:</para>
 
<para><parameter>--libexecdir=/usr/lib</parameter>: This command
creates a <filename class="directory">gnupg</filename> directory in
<filename class="directory">/usr/lib</filename> instead of
<filename class="directory">/usr/libexec</filename>.</para>
<screen><userinput>patch -Np1 -i ../gnupg-&gnupg-version;-curl_fix-1.patch
</userinput></screen>
 
<para><command>chmod 4755 /usr/bin/gpg</command>: <command>gpg</command>
is installed setuid root to avoid swapping out sensitive data.</para>
<para>Installez <application>GnuPG</application> en lançant les commandes
suivantes&nbsp;:</para>
 
</sect2>
<screen><userinput>./configure --prefix=/usr --libexecdir=/usr/lib &amp;&amp;
make</userinput></screen>
 
<sect2>
<title>Contents</title>
<para>If you have <xref linkend="tetex"/> installed et you wish to create
documentation in alternate formats, issue the following command:</para>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>gpg, gpgsplit and gpgv</seg>
<seg>None</seg>
<seg>/usr/lib/gnupg and /usr/share/gnupg</seg>
</seglistitem>
</segmentedlist>
<screen><userinput>make -C doc pdf html</userinput></screen>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<para>Pour tester les résultats, lancez&nbsp;: <command>make check</command>.</para>
 
<varlistentry id="gpg">
<term><command>gpg</command></term>
<listitem><para>is the backend (command-line interface) for
this Open<acronym>PGP</acronym> implementation.</para>
<indexterm zone="gnupg gpg">
<primary sortas="b-gpg">gpg</primary></indexterm>
</listitem>
</varlistentry>
<para>Maintenant, en tant qu'utilisateur <systemitem class="username">root</systemitem>&nbsp;:</para>
 
<varlistentry id="gpgsplit">
<term><command>gpgsplit</command></term>
<listitem><para>separates key rings.</para>
<indexterm zone="gnupg gpgsplit">
<primary sortas="b-gpgsplit">gpgsplit</primary></indexterm>
</listitem>
</varlistentry>
<screen role="root"><userinput>make install &amp;&amp;
 
<varlistentry id="gpgv">
<term><command>gpgv</command></term>
<listitem><para>is a verify only version of <command>gpg</command>.</para>
<indexterm zone="gnupg gpgv">
<primary sortas="b-gpgv">gpgv</primary></indexterm>
</listitem>
</varlistentry>
</variablelist>
install -v -m755 -d /usr/share/doc/gnupg-&gnupg-version; &amp;&amp;
mv -v /usr/share/gnupg/{FAQ,faq.html} /usr/share/doc/gnupg-&gnupg-version; &amp;&amp;
install -v -m644 \
doc/{highlights-1.4.txt,OpenPGP,samplekeys.asc,DETAILS,*.texi} \
/usr/share/doc/gnupg-&gnupg-version;</userinput></screen>
 
</sect2>
<para>If you created alternate formats of the documentation, install it
using the following command as the
<systemitem class="username">root</systemitem>&nbsp;:</para>
 
<!-- (ag) Comment out. See #2687. Remove comments in the next update.
chmod -v 4755 /usr/bin/gpg &amp;&amp;
-->
<screen role="root"><userinput>cp -v -R doc/gnupg1.{html,pdf} /usr/share/doc/gnupg-&gnupg-version;</userinput></screen>
 
</sect2>
 
<sect2 role="commands">
<title>Explication des commandes</title>
 
<para><parameter>--libexecdir=/usr/lib</parameter>: This command
creates a <filename class="directory">gnupg</filename> directory in
<filename class="directory">/usr/lib</filename> instead of
<filename class="directory">/usr/libexec</filename>.</para>
 
<!-- (ag) See above comment
<para><command>chmod -v 4755 /usr/bin/gpg</command>:
<command>gpg</command> is installed setuid
<systemitem class='username'>root</systemitem> to avoid swapping
out sensitive data.</para>
-->
 
</sect2>
 
<sect2 role="content">
<title>Contenu</title>
 
<segmentedlist>
<segtitle>Programmes installés</segtitle>
<segtitle>Bibliothèques installées</segtitle>
<segtitle>Répertoires installés</segtitle>
 
<seglistitem>
<seg>gpg, gpg-zip, gpgsplit, et gpgv</seg>
<seg>None</seg>
<seg>/usr/lib/gnupg, /usr/share/gnupg et
/usr/share/doc/gnupg-&gnupg-version;</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Descriptions courtes</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
 
<varlistentry id="gpg">
<term><command>gpg</command></term>
<listitem>
<para>is the backend (command-line interface) for
this OpenPGP implementation.</para>
<indexterm zone="gnupg gpg">
<primary sortas="b-gpg">gpg</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="gpgsplit">
<term><command>gpgsplit</command></term>
<listitem>
<para>separates key rings.</para>
<indexterm zone="gnupg gpgsplit">
<primary sortas="b-gpgsplit">gpgsplit</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="gpgv">
<term><command>gpgv</command></term>
<listitem>
<para>is a verify only version of <command>gpg</command>.</para>
<indexterm zone="gnupg gpgv">
<primary sortas="b-gpgv">gpgv</primary>
</indexterm>
</listitem>
</varlistentry>
 
</variablelist>
 
</sect2>
 
</sect1>
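Review bot: The `chmod -v 4755 /usr/bin/gpg` step and its explanation are only commented out with "See #2687", so the page now installs gpg without setuid root but says nothing to the reader about it. The old text gave a security reason for the bit ("to avoid swapping out sensitive data"), so add one sentence to the command explanations stating that gpg is deliberately no longer installed setuid and what that means for secure memory, then delete the two dead comment blocks rather than leaving them for "the next update". Also in this hunk: gpg-zip is added to the installed programs list but has no entry under the short descriptions, and "Requises Patch (if you have Curl already installed et is linked against a SSL/TLS library)" mixes French and English in one sentence.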
/trunk/blfs/postlfs/security/nessus.xml
1,7 → 1,7
<sect1 id="postlfs-security-nessus">
<sect1info>
<othername>$LastChangedBy: archaic $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
<othername>$LastChangedBy: bdubbs $</othername>
<date>$Date: 2005-08-01 21:29:19 +0200 (lun, 01 aoû 2005) $</date>
</sect1info>
<?dbhtml filename="nessus.html"?>
<title>nessus</title>
/trunk/blfs/postlfs/security/openssl.xml
1,203 → 1,300
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY openssl-download-http "http://www.openssl.org/source/openssl-&openssl-version;.tar.gz">
<!ENTITY openssl-download-ftp "ftp://ftp.openssl.org/source/openssl-&openssl-version;.tar.gz">
<!ENTITY openssl-md5sum "a8777164bca38d84e5eb2b1535223474">
<!ENTITY openssl-size "3.0 MB">
<!ENTITY openssl-buildsize "35 MB">
<!ENTITY openssl-time "1.16 SBU">
<!ENTITY openssl-download-http "http://www.openssl.org/source/openssl-&openssl-version;.tar.gz">
<!ENTITY openssl-download-ftp "ftp://ftp.openssl.org/source/openssl-&openssl-version;.tar.gz">
<!ENTITY openssl-md5sum "e555c6d58d276aec7fdc53363e338ab3">
<!ENTITY openssl-size "3.7 Mio">
<!ENTITY ca-bundle-download "http://anduin.linuxfromscratch.org/files/BLFS/BLFS-ca-bundle-&ca-bundle-version;.tar.bz2">
<!ENTITY ca-bundle-size "192 Kio">
<!ENTITY ca-bundle-md5sum "a5e85c3df9ef9a192eb5e5cdf94ebb72">
<!ENTITY openssl-buildsize "47 Mio">
<!ENTITY openssl-time "1.1 SBU (additional 0.3 SBU to run the test suite)">
]>
 
<sect1 id="openssl" xreflabel="OpenSSL-&openssl-version;">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:24:42 $</date>
</sect1info>
<?dbhtml filename="openssl.html"?>
<title>OpenSSL-&openssl-version;</title>
<indexterm zone="openssl">
<primary sortas="a-OpenSSL">OpenSSL</primary></indexterm>
<?dbhtml filename="openssl.html"?>
 
<sect2>
<title>Introduction to <application>Open<acronym>SSL</acronym></application>
</title>
<sect1info>
<othername>$LastChangedBy: gdalziel $</othername>
<date>$Date: 2009-07-06 21:12:40 +0200 (lun 06 jui 2009) $</date>
</sect1info>
 
<para>The <application>Open<acronym>SSL</acronym></application> package
contains management tools and libraries relating to cryptography. These are
useful for providing cryptography functions to other packages, notably
<application>OpenSSH</application>, email applications and web browsers (for
accessing <acronym>HTTPS</acronym> sites).</para>
<title>OpenSSL-&openssl-version;</title>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP):
<ulink url="&openssl-download-http;"/></para></listitem>
<listitem><para>Download (FTP):
<ulink url="&openssl-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &openssl-md5sum;</para></listitem>
<listitem><para>Download size: &openssl-size;</para></listitem>
<listitem><para>Estimated disk space required:
&openssl-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&openssl-time;</para></listitem></itemizedlist>
</sect3>
<indexterm zone="openssl">
<primary sortas="a-OpenSSL">OpenSSL</primary>
</indexterm>
 
<sect3><title><application>Open<acronym>SSL</acronym></application>
dependencies</title>
<sect4><title>Optional</title>
<para><xref linkend="bc"/> (recommended
if you run the test suite during the build)</para>
</sect4>
</sect3>
<sect2 role="package">
<title>Introduction à OpenSSL</title>
 
</sect2>
<para>The <application>OpenSSL</application> package contains management
tools et libraries relating to cryptography. These are useful for
providing cryptography functions to other packages, notably
<application>OpenSSH</application>, email applications et web browsers
(for accessing HTTPS sites).</para>
 
<sect2>
<title>Installation of <application>Open<acronym>SSL</acronym></application>
</title>
<bridgehead renderas="sect3">Informations sur le paquet</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Téléchargement (HTTP)&nbsp;: <ulink url="&openssl-download-http;"/></para>
</listitem>
<listitem>
<para>Téléchargement (FTP)&nbsp;: <ulink url="&openssl-download-ftp;"/></para>
</listitem>
<listitem>
<para>Somme de contrôle MD5 du téléchargement&nbsp;: &openssl-md5sum;</para>
</listitem>
<listitem>
<para>Taille du téléchargement&nbsp;: &openssl-size;</para>
</listitem>
<listitem>
<para>CA Bundle Download: <ulink url="&ca-bundle-download;"/></para>
</listitem>
<listitem>
<para>CA Bundle size: &ca-bundle-size;</para>
</listitem>
<listitem>
<para>CA Bundle MD5 sum: &ca-bundle-md5sum;</para>
</listitem>
<listitem>
<para>Estimation de l'espace disque requis&nbsp;: &openssl-buildsize;</para>
</listitem>
<listitem>
<para>Estimation du temps de construction&nbsp;: &openssl-time;</para>
</listitem>
</itemizedlist>
 
<para>Install <application>Open<acronym>SSL</acronym></application> by running
the following commands:</para>
<bridgehead renderas="sect3">Téléchargements supplémentaires</bridgehead>
<itemizedlist spacing='compact'>
<listitem>
<para>Correctif requis&nbsp;: <ulink
url="&patch-root;/openssl-&openssl-version;-fix_manpages-1.patch"/></para>
</listitem>
</itemizedlist>
 
<screen><userinput><command>sed 's/^passwd/openssl-passwd/' doc/apps/passwd.pod \
> doc/apps/openssl-passwd.pod &amp;&amp;
rm doc/apps/passwd.pod &amp;&amp;
mv doc/crypto/{,openssl_}threads.pod &amp;&amp;
./config --openssldir=/etc/ssl --prefix=/usr shared &amp;&amp;
sed -i 's%SHLIBDIRS= fips crypto ssl%SHLIBDIRS= crypto ssl%g' Makefile &amp;&amp;
make MANDIR=/usr/share/man</command></userinput></screen>
<bridgehead renderas="sect3">OpenSSL Dependencies</bridgehead>
 
<para>Now, as the root user:</para>
<bridgehead renderas="sect4">Recommandées</bridgehead>
<para role="recommended"><xref linkend="bc"/>(if you run the test suite
during the build)</para>
 
<screen><userinput role='root'><command>make MANDIR=/usr/share/man install &amp;&amp;
cp -r certs /etc/ssl</command></userinput></screen>
<bridgehead renderas="sect4">Facultatives</bridgehead>
<para role="optional"><xref linkend="mitkrb"/> or
<xref linkend="heimdal"/></para>
 
</sect2>
<para condition="html" role="usernotes">Notes utilisateur&nbsp;:
<ulink url='&blfs-wiki;/OpenSSL'/></para>
 
<sect2>
<title>Command explanations</title>
</sect2>
 
<para><option>no-rc5 no-idea</option>: When added to the
<command>./config</command> command, this will eliminate the building of those
encryption methods. Patent licenses may be needed for you to utilize either of
those methods in your projects.</para>
<sect2 role="installation">
<title>Installation de OpenSSL</title>
 
<para><command>rm doc/apps/passwd.pod</command>: This command prevents
<application>Open<acronym>SSL</acronym></application> from installing its
passwd man page over an existing man page with the same name.</para>
<para>Installez <application>OpenSSL</application> by running
les commandes suivantes&nbsp;:</para>
 
<para><command>mv doc/crypto/{,openssl_}threads.pod</command>: This
commands prevents <application>Open<acronym>SSL</acronym></application> from
overwriting an existing man page from <application>Perl</application>.</para>
<screen><userinput>patch -Np1 -i ../openssl-&openssl-version;-fix_manpages-1.patch &amp;&amp;
tar -vxf ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2 &amp;&amp;
./config --prefix=/usr \
--openssldir=/etc/ssl \
shared \
zlib-dynamic &amp;&amp;
make</userinput></screen>
 
<para><command>sed -i 's%SHLIBDIRS= fips crypto ssl%SHLIBDIRS= crypto ssl%g'
Makefile</command>: This command prevents installation of the non-existent
<filename class="libraryfile">libfips</filename> library.</para>
<para>Pour tester les résultats, lancez&nbsp;: <command>make test</command>.</para>
 
<para><command>make MANDIR=/usr/share/man; make MANDIR=/usr/share/man
install</command>: These commands install
<application>Open<acronym>SSL</acronym></application> with the man pages in
<filename class='directory'>/usr/share/man</filename> instead of
<filename class='directory'>/etc/ssl/man</filename>.</para>
<!-- <para>Pour tester les résultats, lancez&nbsp;: <command>make test</command>. Note that the
test results/output depend on the availability of /etc/ssl/openssl.cnf. If
running the tests for the first time run the following as the
<systemitem class="username">root</systemitem> user before running the
tests:</para>
 
<para><command>cp -r certs /etc/ssl</command>: The certificates must be copied
manually since the install script skips this step.</para>
<screen role="root"><userinput>install -v -m755 d /etc/ssl &amp;&amp;
install -v ./apps/openssl.cnf /etc/ssl/</userinput></screen> -->
 
</sect2>
<para>Maintenant, en tant qu'utilisateur <systemitem class="username">root</systemitem>&nbsp;:</para>
 
<sect2>
<title>Configuring <application>OpenSSL</application></title>
<screen role="root"><userinput>make MANDIR=/usr/share/man install &amp;&amp;
 
<sect3 id="openssl-config"><title>Config files</title>
<para><filename>/etc/ssl/openssl.cnf</filename></para>
<indexterm zone="openssl openssl-config">
<primary sortas="e-etc-ssl-openssl.cnf">/etc/ssl/openssl.cnf</primary>
</indexterm>
</sect3>
cp -v -r certs /etc/ssl &amp;&amp;
 
<sect3><title>Configuration Information</title>
install -v -d -m755 /usr/share/doc/openssl-&openssl-version; &amp;&amp;
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
/usr/share/doc/openssl-&openssl-version;</userinput></screen>
 
<para>Most people who just want to use
<application>Open<acronym>SSL</acronym></application> for providing functions
to other programs such as <application>Open<acronym>SSH</acronym></application>
and web browsers won't need to worry about configuring
<application>Open<acronym>SSL</acronym></application>. Configuring
<application>Open<acronym>SSL</acronym></application> is an advanced topic and
so those who do would normally be expected to either know how to do it
or to be able to find out how to do it.</para>
</sect3>
<para>While still the <systemitem class="username">root</systemitem> user,
create a single file that contains all of the installed certificates:</para>
 
</sect2>
<screen role="root"><userinput>for pem in /etc/ssl/certs/*.pem
do
cat $pem
echo ""
done &gt; /etc/ssl/ca-bundle.crt</userinput></screen>
 
<sect2>
<title>Contents</title>
</sect2>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>c_rehash and openssl</seg>
<seg>libcrypto.[so,a] and libssl.[so,a]</seg>
<seg>/etc/ssl and /usr/include/ssl</seg>
</seglistitem>
</segmentedlist>
<sect2 role="commands">
<title>Explication des commandes</title>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<para>
<command>tar -vxf ../BLFS-ca-bundle-&ca-bundle-version;.tar.bz2</command>:
OpenSSL no longer includes any root certificates. This package adds root
certificates as provided by mozilla.org.</para>
 
<varlistentry id="c_rehash">
<term><command>c_rehash</command></term>
<listitem><para>is a <application>Perl</application> script that scans all
files in a directory and adds symbolic links to their hash values.</para>
<indexterm zone="openssl c_rehash">
<primary sortas="b-c_rehash">c_rehash</primary></indexterm>
</listitem>
</varlistentry>
<para><parameter>shared</parameter>: This parameter forces the creation of
shared libraries along with the static libraries.</para>
 
<varlistentry id="openssl-prog">
<term><command>openssl</command></term>
<listitem><para>is a command-line tool for using the various cryptography
functions of <application>Open<acronym>SSL</acronym></application>'s crypto
library from the shell. It can be used for various functions which are
documented in <command>man 1 openssl</command>.</para>
<indexterm zone="openssl openssl-prog">
<primary sortas="b-openssl">openssl</primary></indexterm>
</listitem>
</varlistentry>
<para><parameter>zlib-dynamic</parameter>: This parameter adds
compression/decompression functionality using the
<filename class="libraryfile">libz</filename> library.</para>
 
<varlistentry id="libcrypto">
<term><filename class='libraryfile'>libcrypto.[so,a]</filename></term>
<listitem><para>implements a wide range of cryptographic algorithms used in
various Internet standards. The services provided by this library are used by
the <application>Open<acronym>SSL</acronym></application> implementations of
<acronym>SSL</acronym>, <acronym>TLS</acronym> and <acronym>S/MIME</acronym>,
and they have also been used to implement
<application>Open<acronym>SSH</acronym></application>,
<application>Open<acronym>PGP</acronym></application>, and other cryptographic
standards.</para>
<indexterm zone="openssl libcrypto">
<primary sortas="c-libcrypto">libcrypto.[so,a]</primary></indexterm>
</listitem>
</varlistentry>
<para><option>no-rc5 no-idea</option>: When added to the
<command>./config</command> command, this will eliminate the building
of those encryption methods. Patent licenses may be needed for you to
utilize either of those methods in your projects.</para>
 
<varlistentry id="libssl">
<term><filename class='libraryfile'>libssl.[so,a]</filename></term>
<listitem><para>implements the Secure Sockets Layer (<acronym>SSL</acronym>
v2/v3) and Transport Layer Security (<acronym>TLS</acronym> v1) protocols. It
provides a rich <acronym>API</acronym>, documentation on which can be found by
running <command>man 3 ssl</command>.</para>
<indexterm zone="openssl libssl">
<primary sortas="c-libssl">libssl.[so,a]</primary></indexterm>
</listitem>
</varlistentry>
</variablelist>
<para><command>make MANDIR=/usr/share/man install</command>: This command
installs <application>OpenSSL</application> with the man pages in
<filename class='directory'>/usr/share/man</filename> instead of
<filename class='directory'>/etc/ssl/man</filename>.</para>
 
</sect2>
<!-- <para><option>enable-tlsext</option>: When added to the
<command>./config</command> command, this switch will enable TLS
Extensions. Currently this is only RFC 3546 et 4507bis for Server Name
Indication. This allows the use of multiple SSL certificates with multiple
virtual hosts in Apache, while using only one IP address et one port for
all virtual hosts.</para> -->
 
<!-- <para><option>zlib-dynamic</option>: When added to the
<command>./config</command> command, this switch will enable
use of <filename>libz.so</filename> for compression/decompression.</para> -->
 
<para><command>cp -v -r certs /etc/ssl</command>: This installs both the
sample certificates et documentation included with OpenSSL, and the
certificates that were extracted from the BLFS-ca-bundle-&ca-bundle-version;
package.</para>
 
<para><command>for pem in /etc/ssl/certs/*.pem...</command>: This group of
commands creates a single-file certificate bundle
(<filename>/etc/ssl/ca-bundle.crt</filename>) that is usable by many
other software packages. <filename>ca-bundle.crt</filename> should be
recreated anytime that a certificate is added to
<filename class="directory">/etc/ssl/certs</filename>.</para>
 
</sect2>
 
<sect2 role="configuration">
<title>Configuration de OpenSSL</title>
 
<sect3 id="openssl-config">
<title>Fichiers de configuration</title>
 
<para><filename>/etc/ssl/openssl.cnf</filename></para>
 
<indexterm zone="openssl openssl-config">
<primary sortas="e-etc-ssl-openssl.cnf">/etc/ssl/openssl.cnf</primary>
</indexterm>
 
</sect3>
 
<sect3>
<title>Informations de configuration</title>
 
<para>Most people who just want to use <application>OpenSSL</application>
for providing functions to other programs such as
<application>OpenSSH</application> et web browsers won't need to worry
about configuring <application>OpenSSL</application>. Configuring
<application>OpenSSL</application> is an advanced topic et so those
who do would normally be expected to either know how to do it or to be
able to find out how to do it.</para>
 
</sect3>
 
</sect2>
 
<sect2 role="content">
<title>Contenu</title>
 
<segmentedlist>
<segtitle>Programmes installés</segtitle>
<segtitle>Bibliothèques installées</segtitle>
<segtitle>Répertoires installés</segtitle>
 
<seglistitem>
<seg>c_rehash et openssl</seg>
<seg>libcrypto.{so,a}, libssl.{so,a}, et additional encryption
libraries in /usr/lib/engines/ (lib4758cca.so, libaep.so,
libatalla.so, libcapi.so, libchil.so, libcswift.so, libgmp.so, libnuron.so,
libsureware.so, et libubsec.so)</seg>
<seg>/etc/ssl, /usr/include/ssl, /usr/lib/engines
et /usr/share/doc/openssl-&openssl-version;</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Descriptions courtes</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
 
<varlistentry id="c_rehash">
<term><command>c_rehash</command></term>
<listitem>
<para>is a <application>Perl</application> script that scans
all files in a directory et adds symbolic links to their hash
values.</para>
<indexterm zone="openssl c_rehash">
<primary sortas="b-c_rehash">c_rehash</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="openssl-prog">
<term><command>openssl</command></term>
<listitem>
<para>is a command-line tool for using the various cryptography
functions of <application>OpenSSL</application>'s crypto
library from the shell. It can be used for various functions which are
documented in <command>man 1 openssl</command>.</para>
<indexterm zone="openssl openssl-prog">
<primary sortas="b-openssl">openssl</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libcrypto">
<term><filename class='libraryfile'>libcrypto.{so,a}</filename></term>
<listitem>
<para>implements a wide range of cryptographic algorithms used in
various Internet standards. The services provided by this library
are used by the <application>OpenSSL</application> implementations of
SSL, TLS et S/MIME, and they have also been used to implement
<application>OpenSSH</application>, <application>OpenPGP</application>,
et other cryptographic standards.</para>
<indexterm zone="openssl libcrypto">
<primary sortas="c-libcrypto">libcrypto.{so,a}</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libssl">
<term><filename class='libraryfile'>libssl.{so,a}</filename></term>
<listitem>
<para>implements the Secure Sockets Layer (SSL v2/v3) et Transport
Layer Security (TLS v1) protocols. It provides a rich API, documentation
on which can be found by running <command>man 3 ssl</command>.</para>
<indexterm zone="openssl libssl">
<primary sortas="c-libssl">libssl.{so,a}</primary>
</indexterm>
</listitem>
</varlistentry>
 
</variablelist>
 
</sect2>
 
</sect1>
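Review bot: The new ca-bundle entities near the top of this hunk fetch the system's root certificates over plain http (`ca-bundle-download`) and give only an MD5 sum (`ca-bundle-md5sum`) to check them, as is also done for the OpenSSL tarball. Because this archive becomes the trust store, please publish a stronger digest or a detached signature next to the MD5 value and say in the text how to verify it before the `tar -vxf` step. In the install block, `cp -v -r certs /etc/ssl` is explained as copying OpenSSL's sample certificates together with the extracted bundle, and the `for pem in /etc/ssl/certs/*.pem` loop then concatenates every .pem in that directory into `/etc/ssl/ca-bundle.crt`. The explanation should state whether any sample certificate can end up in the bundle, and `cat $pem` should be quoted as `cat "$pem"`. The untranslated paragraphs have had "and" replaced by "et" inside English sentences ("tools et libraries", "email applications et web browsers"), and the commented-out test note has `install -v -m755 d /etc/ssl` with the dash missing from `-d`; both are worth fixing in a follow-up revision.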
/trunk/blfs/postlfs/security/shadow.xml
1,160 → 1,347
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY shadow-download-http " ">
<!ENTITY shadow-download-ftp "ftp://ftp.pld.org.pl/software/shadow/old/shadow-&shadow-version;.tar.bz2">
<!ENTITY shadow-md5sum "3a3d17d3d7c630b602baf66ae7434c61">
<!ENTITY shadow-size "814 KB">
<!ENTITY shadow-buildsize "14.1 MB">
<!ENTITY shadow-time "0.42 SBU">
<!ENTITY shadow-download-ftp "ftp://pkg-shadow.alioth.debian.org/pub/pkg-shadow/shadow-&shadow-version;.tar.bz2">
<!ENTITY shadow-md5sum "f90f51908e9c3a62ac0eb6b3043421de">
<!ENTITY shadow-size "1.6 Mio">
<!ENTITY shadow-buildsize "25 Mio">
<!ENTITY shadow-time "0.4 SBU">
]>
 
<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="shadow.html"?>
<title>Shadow-&shadow-version;</title>
<indexterm zone="shadow">
<primary sortas="a-Shadow">Shadow</primary></indexterm>
<?dbhtml filename="shadow.html"?>
 
<!--
<sect2>
<title>Configuring shadow</title>
<sect1info>
<othername>$LastChangedBy: gdalziel $</othername>
<date>$Date: 2009-07-06 21:12:40 +0200 (lun 06 jui 2009) $</date>
</sect1info>
 
<para>Shadow's Configuration File</para>
<title>Shadow-&shadow-version;</title>
 
<para><userinput>/etc/login.defs</userinput></para>
<indexterm zone="shadow">
<primary sortas="a-Shadow">Shadow</primary>
</indexterm>
 
<para>Enabling <acronym>MD</acronym>5 Passwords</para>
<sect2 role="package">
<title>Introduction à Shadow</title>
 
<para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
<filename>login.defs</filename> file that reads:
<screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
to read:
<screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
Passwords created after this change will be encrypted using
<acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
<acronym>DES</acronym> encryption.
</para>
</sect2>
-->
<para><application>Shadow</application> was indeed installed in LFS et
there is no reason to reinstall it unless you installed
<application>CrackLib</application> or
<application>Linux-PAM</application> after your LFS system was completed.
If you have installed <application>CrackLib</application> after LFS, then
reinstalling <application>Shadow</application> will enable strong password
support. If you have installed <application>Linux-PAM</application>,
reinstalling <application>Shadow</application> will allow programs such as
<command>login</command> et <command>su</command> to utilize PAM.</para>
 
<sect2>
<title>Introduction to <application>Shadow</application></title>
<bridgehead renderas="sect3">Informations sur le paquet</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Téléchargement (HTTP)&nbsp;: <ulink url="&shadow-download-http;"/></para>
</listitem>
<listitem>
<para>Téléchargement (FTP)&nbsp;: <ulink url="&shadow-download-ftp;"/></para>
</listitem>
<listitem>
<para>Somme de contrôle MD5 du téléchargement&nbsp;: &shadow-md5sum;</para>
</listitem>
<listitem>
<para>Taille du téléchargement&nbsp;: &shadow-size;</para>
</listitem>
<listitem>
<para>Estimation de l'espace disque requis&nbsp;: &shadow-buildsize;</para>
</listitem>
<listitem>
<para>Estimation du temps de construction&nbsp;: &shadow-time;</para>
</listitem>
</itemizedlist>
 
<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
no reason to reinstall it unless you installed
<application>Linux-<acronym>PAM</acronym></application>. If you did,
this will allow programs like <command>login</command> and
<command>su</command> to utilize
<acronym>PAM</acronym>.</para>
<!-- <bridgehead renderas="sect3">Téléchargements supplémentaires</bridgehead>
<itemizedlist spacing='compact'>
<listitem>
<para>Correctif requis&nbsp;: <ulink
url="&patch-root;/shadow-&shadow-version;-useradd_fix-2.patch"/></para>
</listitem>
</itemizedlist> -->
 
<sect3><title>Package information</title>
<itemizedlist spacing="compact">
<listitem><para>Download (HTTP):
<ulink url="&shadow-download-http;"/></para></listitem>
<listitem><para>Download (FTP):
<ulink url="&shadow-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum:
&shadow-md5sum;</para></listitem>
<listitem><para>Download size:
&shadow-size;</para></listitem>
<listitem><para>Estimated disk space required:
&shadow-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&shadow-time;</para></listitem></itemizedlist>
</sect3>
<bridgehead renderas="sect3">Shadow Dependencies</bridgehead>
 
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Patch to fix linking against PAM:
<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para>
</listitem>
</itemizedlist>
</sect3>
<bridgehead renderas="sect4">Requises</bridgehead>
<para role="required"><xref linkend="linux-pam"/> et/or
<xref linkend="cracklib"/></para>
 
<sect3><title><application>Shadow</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="Linux_PAM"/></para></sect4>
</sect3>
</sect2>
<para condition="html" role="usernotes">Notes utilisateur&nbsp;:
<ulink url="&blfs-wiki;/shadow"/></para>
 
<sect2>
<title>Installation of <application>Shadow</application></title>
</sect2>
 
<para>Reinstall <application>Shadow</application> by running the following
commands:</para>
<sect2 role="installation">
<title>Installation de Shadow</title>
 
<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
--enable-shared --with-libpam --without-libcrack &amp;&amp;
echo '#define HAVE_SETLOCALE 1' >> config.h &amp;&amp;
sed -i '/extern char/d' libmisc/xmalloc.c &amp;&amp;
make</command></userinput></screen>
<important>
<para>The installation commands shown below are for installations where
<application>Linux-PAM</application> has been installed (with or
without a <application>CrackLib</application> installation) et
<application>Shadow</application> is being reinstalled to support the
<application>Linux-PAM</application> installation.</para>
 
<para>Now, as the root user:</para>
<para> If you are reinstalling <application>Shadow</application> to
provide strong password support using the
<application>CrackLib</application> library without using
<application>Linux-PAM</application>, ensure you add the
<parameter>--with-libcrack</parameter> parameter to the
<command>configure</command> script below et also issue the following
command:</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
mv /bin/sg /usr/bin &amp;&amp;
mv /bin/vigr /usr/sbin &amp;&amp;
mv /usr/bin/passwd /bin &amp;&amp;
rm /bin/groups &amp;&amp;
mv /usr/lib/lib{misc,shadow}.so.0* /lib &amp;&amp;
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &amp;&amp;
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
<screen><userinput>sed -i 's@DICTPATH.*@DICTPATH\t/lib/cracklib/pw_dict@' etc/login.defs</userinput></screen>
</important>
 
</sect2>
<para>Reinstall <application>Shadow</application> en lançant les commandes
suivantes&nbsp;:</para>
 
<sect2>
<title>Command explanations</title>
<screen><userinput>sed -i 's/groups$(EXEEXT) //' src/Makefile.in &amp;&amp;
find man -name Makefile.in -exec sed -i 's/groups\.1 / /' {} \; &amp;&amp;
sed -i -e 's/ ko//' -e 's/ zh_CN zh_TW//' man/Makefile.in &amp;&amp;
 
<para><parameter>--without-libcrack</parameter>: This switch tells
<application>Shadow</application> not to use
<filename class='libraryfile'>libcrack</filename>. This is desired as
<application>Linux-<acronym>PAM</acronym></application> already contains
<filename class='libraryfile'>libcrack</filename>.</para>
for i in de fi fr id it pt_BR; do
convert-mans UTF-8 ISO-8859-1 man/${i}/*.?
done &amp;&amp;
 
<para><command>sed -i '/extern char/d' libmisc/xmalloc.c</command>: This
fixes a compilation problem when using <application>GCC</application>-3.4.x.
</para>
for i in cs hu pl; do
convert-mans UTF-8 ISO-8859-2 man/${i}/*.?
done &amp;&amp;
 
</sect2>
convert-mans UTF-8 EUC-JP man/ja/*.? &amp;&amp;
convert-mans UTF-8 KOI8-R man/ru/*.? &amp;&amp;
convert-mans UTF-8 ISO-8859-9 man/tr/*.? &amp;&amp;
 
<sect2>
<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to
work with <application>Shadow</application></title>
sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD MD5@' \
-e 's@/var/spool/mail@/var/mail@' etc/login.defs &amp;&amp;
 
<sect3 id="pam.d"><title>Config files</title>
<para><filename>/etc/pam.d/login</filename>,
<filename>/etc/pam.d/passwd</filename>,
<filename>/etc/pam.d/su</filename>,
<filename>/etc/pam.d/shadow</filename>,
<filename>/etc/pam.d/useradd</filename>, and
<filename>/etc/pam.d/chage</filename> &ndash;
alternatively, <filename>/etc/pam.conf</filename></para>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary></indexterm>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.conf">/etc/pam.conf</primary></indexterm>
</sect3>
./configure --sysconfdir=/etc &amp;&amp;
make</userinput></screen>
 
<sect3><title>Configuration Information</title>
<para>Ce paquet n'est pas fourni avec une suite de tests.</para>
 
<para>Add the following <application>Linux-<acronym>PAM</acronym></application>
configuration files to <filename class="directory">/etc/pam.d/</filename> (or
add them to <filename>/etc/pam.conf</filename> with the additional field for
the program).</para>
<para>Maintenant, en tant qu'utilisateur <systemitem class="username">root</systemitem>&nbsp;:</para>
 
<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login
<screen role="root"><userinput>make install &amp;&amp;
mv -v /usr/bin/passwd /bin</userinput></screen>
 
auth requisite pam_securetty.so
</sect2>
 
<sect2 role="commands">
<title>Explication des commandes</title>
 
<para><command>sed -i 's/groups$(EXEEXT) //' src/Makefile.in</command>:
This command is used to suppress the installation of the
<command>groups</command> program as the version from the
<application>Coreutils</application> package installed during LFS is
preferred.</para>
 
<para><command>find man -name Makefile.in -exec ... {} \;</command>: This
command is used to suppress the installation of the
<command>groups</command> man pages so the existing ones installed from
the <application>Coreutils</application> package are not replaced.</para>
 
<para><command>sed -i -e '...' -e '...' man/Makefile.in</command>: This
command disables the installation of Chinese et Korean manual pages, since
<application>Man-DB</application> cannot format them properly.</para>
 
<para><command>convert-mans ...</command>: These commands are used to
convert some of the man pages so that <application>Man-DB</application>
will display them in the expected encodings.</para>
 
<para><command>sed -i -e 's@#ENCRYPT_METHOD DES@ENCRYPT_METHOD MD5@'
-e 's@/var/spool/mail@/var/mail@' etc/login.defs</command>:
Instead of using the default 'crypt' method, this command modifies the
installation to use the more secure 'MD5' method of password encryption,
which also allows passwords longer than eight characters. It also changes
the obsolete <filename class="directory">/var/spool/mail</filename>
location for user mailboxes that <application>Shadow</application> uses by
default to the <filename class="directory">/var/mail</filename>
location.</para>
 
<para><command>mv -v /usr/bin/passwd /bin</command>: The
<command>passwd</command> program may be needed during times when the
<filename class='directory'>/usr</filename> filesystem is not mounted so
it is moved into the root partition.</para>
 
</sect2>
 
<sect2 role="configuration">
<title>Configuration de Shadow</title>
 
<para><application>Shadow</application>'s stock configuration for the
<command>useradd</command> utility may not be desirable for your
installation. One default parameter causes <command>useradd</command> to
create a mailbox file for any newly created user.
<command>useradd</command> will make the group ownership of this file to
the <systemitem class="groupname">mail</systemitem> group with 0660
permissions. If you would prefer that these mailbox files are not created
by <command>useradd</command>, issue the
following command en tant qu'utilisateur <systemitem class="username">root</systemitem>&nbsp;:</para>
 
<screen role="root"><userinput>sed -i 's/yes/no/' /etc/default/useradd</userinput></screen>
 
</sect2>
 
<sect2 role="configuration">
<title>Configuration de Linux-PAM to Work with Shadow</title>
 
<note>
<para>The rest of this page is devoted to configuring
<application>Shadow</application> to work properly with
<application>Linux-PAM</application>. If you do not have
<application>Linux-PAM</application> installed, et you reinstalled
<application>Shadow</application> to support strong passwords via
the <application>CrackLib</application> library, no further configuration
is required.</para>
</note>
 
<sect3 id="pam.d">
<title>Fichiers de configuration</title>
 
<para><filename>/etc/pam.d/*</filename> or alternatively
<filename>/etc/pam.conf, /etc/login.defs, et
/etc/security/*</filename></para>
 
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
</indexterm>
 
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.conf">/etc/pam.conf</primary>
</indexterm>
 
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-login.defs">/etc/login.defs</primary>
</indexterm>
 
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-security">/etc/security/*</primary>
</indexterm>
 
</sect3>
 
<sect3>
<title>Informations de configuration</title>
 
<para>Configuring your system to use <application>Linux-PAM</application>
can be a complex task. The information below will provide a basic setup
so that <application>Shadow</application>'s login et password
functionality will work effectively with
<application>Linux-PAM</application>. Review the information et links on
the <xref linkend="linux-pam"/> page for further configuration
information. For information specific to integrating
<application>Shadow</application>, <application>Linux-PAM</application>
et <application>CrackLib</application>, you can visit the following
links:</para>
 
<itemizedlist spacing="compact">
<listitem>
<para><ulink
url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam-6.html#ss6.3"/></para>
</listitem>
<listitem>
<para><ulink
url="http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html"/></para>
</listitem>
</itemizedlist>
 
<sect4 id="pam-login-defs">
<title>Configuration de /etc/login.defs</title>
 
<para>The <command>login</command> program currently performs many
functions which <application>Linux-PAM</application> modules should
now handle. The following <command>sed</command> command will comment
out the appropriate lines in <filename>/etc/login.defs</filename> et
stop <command>login</command> from performing these functions (a backup
file named <filename>/etc/login.defs.orig</filename> is also created
to preserve the original file's contents). Issue the following commands
en tant qu'utilisateur <systemitem class="username">root</systemitem>&nbsp;:</para>
 
<indexterm zone="shadow pam-login-defs">
<primary sortas="e-etc-login.defs">/etc/login.defs</primary>
</indexterm>
 
<screen role="root"><userinput>install -v -m644 /etc/login.defs /etc/login.defs.orig &amp;&amp;
for FUNCTION in LASTLOG_ENAB MAIL_CHECK_ENAB \
PORTTIME_CHECKS_ENAB CONSOLE \
MOTD_FILE NOLOGINS_FILE PASS_MIN_LEN \
SU_WHEEL_ONLY MD5_CRYPT_ENAB \
CONSOLE_GROUPS ENVIRON_FILE \
ULIMIT ENV_TZ ENV_HZ ENV_SUPATH \
ENV_PATH QMAIL_DIR MAIL_DIR MAIL_FILE \
CHFN_AUTH FAILLOG_ENAB QUOTAS_ENAB FTMP_FILE \
OBSCURE_CHECKS_ENAB CRACKLIB_DICTPATH \
PASS_CHANGE_TRIES PASS_ALWAYS_WARN ISSUE_FILE
do
sed -i "s/^$FUNCTION/# &amp;/" /etc/login.defs
done</userinput></screen>
 
</sect4>
 
<sect4>
<title>Configuration de the /etc/pam.d/ Files</title>
 
<para>As mentioned previously in the
<application>Linux-PAM</application> instructions,
<application>Linux-PAM</application> has two supported methods for
configuration. The commands below assume that you've chosen to use
a directory based configuration, where each program has its own
configuration file. You can optionally use a single
<filename>/etc/pam.conf</filename> configuration file by using the
text from the files below, et supplying the program name as an
additional first field for each line.</para>
 
<para>As the <systemitem class="username">root</systemitem> user,
replace the following <application>Linux-PAM</application>
configuration files in the
<filename class="directory">/etc/pam.d/</filename> directory (or
add the contents to the <filename>/etc/pam.conf</filename> file) using
les commandes suivantes&nbsp;:</para>
 
</sect4>
 
<sect4>
<title>'login' (with CrackLib)</title>
 
<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login
 
auth requisite pam_nologin.so
auth required pam_securetty.so
auth required pam_unix.so
account required pam_access.so
account required pam_unix.so
session required pam_env.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
session required pam_unix.so
password required pam_cracklib.so retry=3
password required pam_unix.so md5 shadow use_authtok
 
# End /etc/pam.d/login</literal>
EOF</userinput></screen>
 
</sect4>
 
<sect4>
<title>'login' (without CrackLib)</title>
 
<screen role="root"><userinput>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/login
 
auth requisite pam_nologin.so
auth required pam_securetty.so
auth required pam_env.so
auth required pam_unix.so
account required pam_access.so
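Review bot: the "sed -i 's/yes/no/' /etc/default/useradd" command in the mailbox paragraph is not anchored to the setting it is meant to change, so it rewrites the first "yes" on every line of the file, comments and unrelated options included. Match the mailbox-creation key by name at the start of the line instead. The login.defs loop has a milder form of the same problem: "s/^$FUNCTION/# &amp;/" matches by prefix (CONSOLE also matches CONSOLE_GROUPS), so requiring whitespace after the name would keep it from commenting out keys that are not in the list. The translation is also only partly applied in this hunk ("et you reinstalled", "Configuration de Linux-PAM to Work with Shadow"); finish it or leave those strings in English.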
161,54 → 348,79
account required pam_unix.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
session required pam_unix.so
password required pam_unix.so md5 shadow
 
# End /etc/pam.d/login
<command>EOF
cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd
# End /etc/pam.d/login</literal>
EOF</userinput></screen>
 
password required pam_unix.so md5 shadow
</sect4>
 
# End /etc/pam.d/passwd
<command>EOF
cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/shadow
<sect4>
<title>'passwd' (with CrackLib)</title>
 
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so
<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd
 
# End /etc/pam.d/shadow
<command>EOF
cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/su
password required pam_cracklib.so type=Linux retry=1 \
difok=5 diffignore=23 minlen=9 \
dcredit=1 ucredit=1 lcredit=1 \
ocredit=1 \
dictpath=/lib/cracklib/pw_dict
password required pam_unix.so md5 shadow use_authtok
 
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
 
# End /etc/pam.d/su
<command>EOF
cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/useradd
<note><para>In its default configuration, owing to credits,
pam_cracklib will allow multiple case passwords as short as 6
characters, even with the <parameter>minlen</parameter> value
set to 11. You should review the pam_cracklib(8) man page et
determine if these default values are acceptable for the security
of your system.</para></note>
 
</sect4>
 
<sect4>
<title>'passwd' (without CrackLib)</title>
 
<screen role="root"><userinput>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/passwd
 
password required pam_unix.so md5 shadow
 
# End /etc/pam.d/passwd</literal>
EOF</userinput></screen>
 
</sect4>
 
<sect4>
<title>'su'</title>
 
<screen role="root"><userinput>cat &gt; /etc/pam.d/su &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/su
 
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_xauth.so
session required pam_env.so
session required pam_unix.so
password required pam_permit.so
 
# End /etc/pam.d/useradd
<command>EOF
cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/chage
# End /etc/pam.d/su</literal>
EOF</userinput></screen>
 
</sect4>
 
<sect4>
<title>'chage'</title>
 
<screen role="root"><userinput>cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/chage
 
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
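Review bot: the note under 'passwd' (with CrackLib) refers to "the minlen value set to 11", but the file written just above it sets minlen=9, so the text and the configuration disagree. Make the two agree. Since dcredit, ucredit, lcredit and ocredit are all set to 1, the note should also say what minimum length this exact line actually enforces, rather than describing "its default configuration". The option spelled "diffignore=23" should be checked against pam_cracklib(8) before it is committed. Both passwd variants also still pass "md5" to pam_unix.so; worth confirming that this is the intended hash for new passwords.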
215,85 → 427,150
session required pam_unix.so
password required pam_permit.so
 
# End /etc/pam.d/chage
<command>EOF</command></userinput></screen>
# End /etc/pam.d/chage</literal>
EOF</userinput></screen>
 
<note><para>If you've installed <application>cracklib</application>, replace
<filename>/etc/pam.d/passwd</filename> with the following:</para></note>
<screen><userinput><command>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd
</sect4>
 
password required pam_cracklib.so \
retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok
<sect4>
<title>'chfn', 'chgpasswd', 'chgpasswd', 'chsh', 'groupadd',
'groupdel', 'groupmems', 'groupmod', 'newusers', 'useradd', 'userdel'
et 'usermod'</title>
 
# End /etc/pam.d/passwd
<command>EOF</command></userinput></screen>
<screen role="root"><userinput>for PROGRAM in chfn chgpasswd chpasswd chsh groupadd groupdel \
groupmems groupmod newusers useradd userdel usermod
do
install -v -m644 /etc/pam.d/chage /etc/pam.d/$PROGRAM
sed -i "s/chage/$PROGRAM/" /etc/pam.d/$PROGRAM
done</userinput></screen>
 
<warning><para>At this point, you should do a simple test to see if
<application>Shadow</application> is
working as expected. Open another term and login as a user, then su to
to root. If you do not see any errors, then all is well and you should
proceed with the rest of the configuration. If you did
receive errors, stop now and double check the above configuration files
manually. If you cannot find, and fix the error, you should recompile
shadow replacing <envar>--with-libpam</envar> with
<envar>--without-libpam</envar> in the above
instructions. If you fail to do this and the errors remain, you
will be unable to log into your system.</para></warning>
<warning>
<para>At this point, you should do a simple test to see if
<application>Shadow</application> is working as expected. Open
another terminal et log in as a user, then <command>su</command> to
<systemitem class="username">root</systemitem>. If you do not see any
errors, then all is well et you should proceed with the rest of the
configuration. If you did receive errors, stop now et double check
the above configuration files manually. You can also run the test
suite from the <application>Linux-PAM</application> package to assist
you in determining the problem. If you cannot find et
fix the error, you should recompile <application>Shadow</application>
adding the <option>--without-libpam</option> switch to the
<command>configure</command> command in the above instructions
(also move the <filename>/etc/login.defs.orig</filename> backup
file to <filename>/etc/login.defs</filename>). If you
fail to do this et the errors remain, you will be unable to log into
your system.</para>
</warning>
 
<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use programs
that do not specifically have a configuration file of their own. After
testing <application>Linux-<acronym>PAM</acronym></application> for proper
configuration, it can be changed to the following:</para>
</sect4>
 
<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/other
<sect4>
<title>Other</title>
 
<para>Currently, <filename>/etc/pam.d/other</filename> is configured
to allow anyone with an account on the machine to use PAM-aware
programs without a configuration file for that program. After testing
<application>Linux-PAM</application> for proper configuration, install
a more restrictive <filename>other</filename> file so that
program-specific configuration files are required:</para>
 
<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
<literal># Begin /etc/pam.d/other
 
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
account required pam_warn.so
password required pam_deny.so
password required pam_warn.so
session required pam_deny.so
session required pam_warn.so
 
# End /etc/pam.d/other
<command>EOF</command></userinput></screen>
# End /etc/pam.d/other</literal>
EOF</userinput></screen>
 
<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
to the beginning of the following lines:</para>
<screen>LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE</screen>
</sect4>
 
<para>This stops <command>login</command> from performing these functions, as
they will now be performed by <acronym>PAM</acronym> modules. Additionally,
add a '#' to the beginning of the following lines if you've installed
<application>cracklib</application>:</para>
<screen>OBSCURE_CHECKS_ENAB
CRACKLIB_DICTPATH
PASS_CHANGE_TRIES
PASS_ALWAYS_WARN</screen>
</sect3>
<sect4 id="pam-access">
<title>Configuration de Login Access</title>
 
</sect2>
<para>Instead of using the <filename>/etc/login.access</filename>
file for controlling access to the system,
<application>Linux-PAM</application> uses the
<filename class='libraryfile'>pam_access.so</filename> module along
with the <filename>/etc/security/access.conf</filename> file. Rename
the <filename>/etc/login.access</filename> file using the following
command:</para>
 
<sect2>
<title>Contents</title>
<indexterm zone="shadow pam-access">
<primary sortas="e-etc-security-access.conf">/etc/security/access.conf</primary>
</indexterm>
 
<para>A list of the installed files, along with their short descriptions can
be found at
<ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>
<screen role="root"><userinput>if [ -f /etc/login.access ]; then
mv -v /etc/login.access /etc/login.access.NOUSE
fi</userinput></screen>
 
</sect2>
</sect4>
 
<sect4 id="pam-limits">
<title>Configuration de Resource Limits</title>
 
<para>Instead of using the <filename>/etc/limits</filename> file
for limiting usage of system resources,
<application>Linux-PAM</application> uses the
<filename class='libraryfile'>pam_limits.so</filename> module along
with the <filename>/etc/security/limits.conf</filename> file. Rename
the <filename>/etc/limits</filename> file using the following
command:</para>
 
<indexterm zone="shadow pam-limits">
<primary sortas="e-etc-security-limits.conf">/etc/security/limits.conf</primary>
</indexterm>
 
<screen role="root"><userinput>if [ -f /etc/limits ]; then
mv -v /etc/limits /etc/limits.NOUSE
fi</userinput></screen>
 
</sect4>
 
<sect4 id="pam-env">
<title>Configuration de Default Environment</title>
 
<para>During previous configuration, several items were removed from
<filename>/etc/login.defs</filename>. Some of these items are now
controlled by the <filename class='libraryfile'>pam_env.so</filename>
module et the <filename>/etc/security/pam_env.conf</filename>
configuration file. In particular, the default path has been
changed. To recover your default path, execute the following
suivantes&nbsp;:</para>
 
<screen role="root"><userinput>ENV_PATH=`grep '^ENV_PATH' /etc/login.defs.orig | \
awk '{ print $2 }' | sed 's/PATH=//'` &amp;&amp;
echo 'PATH DEFAULT='`echo "${ENV_PATH}"`\
' OVERRIDE=${PATH}' \
>> /etc/security/pam_env.conf &amp;&amp;
unset ENV_PATH</userinput></screen>
 
<note>
<para>ENV_SUPATH is no longer supported. You must create
a valid <filename>/root/.bashrc</filename> file to provide a
modified path for the super-user.</para>
</note>
 
</sect4>
 
</sect3>
 
</sect2>
 
<sect2 role="content">
<title>Contenu</title>
 
<para>A list of the installed files, along with their short descriptions
can be found at
<ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>
 
</sect2>
 
</sect1>
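Review bot: the new sect4 title lists 'chgpasswd' twice and never mentions 'chpasswd', while the loop below it iterates over "chfn chgpasswd chpasswd chsh ...". Change the second 'chgpasswd' in the title to 'chpasswd' so the heading matches the files that are actually created. In the pam-env section, "execute the following suivantes&nbsp;:" is a half-applied translation and should read as one language. The PATH command there appends to /etc/security/pam_env.conf unconditionally, so running it twice leaves two PATH lines; a note or a guard would help.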
/trunk/blfs/postlfs/security/mitkrb.xml
1,205 → 1,282
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.4/krb5-&mitkrb-version;-signed.tar">
<!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.6/krb5-&mitkrb-version;-signed.tar">
<!ENTITY mitkrb-download-ftp " ">
<!ENTITY mitkrb-md5sum "2fa56607677544e3a27b42f7cfa1155b">
<!ENTITY mitkrb-size "6.6 MB">
<!ENTITY mitkrb-buildsize "55 MB">
<!ENTITY mitkrb-time "2.55 SBU">
<!ENTITY mitkrb-md5sum "a365e39ff7d39639556c2797a0e1c3f4">
<!ENTITY mitkrb-size "12.0 Mio">
<!ENTITY mitkrb-buildsize "124 Mio">
<!ENTITY mitkrb-time "1.4 SBU">
]>
 
<sect1 id="mitkrb" xreflabel="MIT krb5-&mitkrb-version;">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="mitkrb.html"?>
<title><acronym>MIT</acronym> krb5-&mitkrb-version;</title>
<indexterm zone="mitkrb">
<primary sortas="a-Kerberos-MIT">Kerberos5(MIT)</primary></indexterm>
<sect1 id="mitkrb" xreflabel="MIT Kerberos V5-&mitkrb-version;">
<?dbhtml filename="mitkrb.html"?>
 
<sect2>
<title>Introduction to <application><acronym>MIT</acronym>
krb5</application></title>
<sect1info>
<othername>$LastChangedBy: gdalziel $</othername>
<date>$Date: 2009-07-06 21:12:40 +0200 (lun 06 jui 2009) $</date>
</sect1info>
 
<para>
<application><acronym>MIT</acronym> krb5</application> is a free
implementation of Kerberos 5. Kerberos is a network authentication
protocol. It centralizes the authentication database and uses kerberized
applications to work with servers or services that support Kerberos
allowing single logins and encrypted communication over internal
networks or the Internet.
</para>
<title>MIT Kerberos V5-&mitkrb-version;</title>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP):
<ulink url="&mitkrb-download-http;"/></para></listitem>
<listitem><para>Download (FTP):
<ulink url="&mitkrb-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &mitkrb-md5sum;</para></listitem>
<listitem><para>Download size: &mitkrb-size;</para></listitem>
<listitem><para>Estimated disk space required:
&mitkrb-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&mitkrb-time;</para></listitem></itemizedlist>
</sect3>
<indexterm zone="mitkrb">
<primary sortas="a-MIT-Kerberos">MIT Kerberos V5</primary>
</indexterm>
 
<sect3><title><application><acronym>MIT</acronym> krb5</application>
dependencies</title>
<sect4><title>Optional</title>
<para>
<xref linkend="xinetd"/> (services servers only),
<xref linkend="Linux_PAM"/> (for <command>xdm</command> based logins) and
<xref linkend="openldap"/> (alternative for <command>krb5kdc</command>
password database)
</para>
<sect2 role="package">
<title>Introduction à MIT Kerberos V5</title>
 
<note><para>
Some sort of time synchronization facility on your system (like
<xref linkend="ntp"/>) is required since Kerberos won't authenticate if there
is a time difference between a kerberized client and the
<acronym>KDC</acronym> server.</para></note>
</sect4>
<para><application>MIT Kerberos V5</application> is a free implementation
of Kerberos 5. Kerberos is a network authentication protocol. It
centralizes the authentication database et uses kerberized
applications to work with servers or services that support Kerberos
allowing single logins et encrypted communication over internal
networks or the Internet.</para>
 
</sect3>
<bridgehead renderas="sect3">Informations sur le paquet</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Téléchargement (HTTP)&nbsp;: <ulink url="&mitkrb-download-http;"/></para>
</listitem>
<listitem>
<para>Téléchargement (FTP)&nbsp;: <ulink url="&mitkrb-download-ftp;"/></para>
</listitem>
<listitem>
<para>Somme de contrôle MD5 du téléchargement&nbsp;: &mitkrb-md5sum;</para>
</listitem>
<listitem>
<para>Taille du téléchargement&nbsp;: &mitkrb-size;</para>
</listitem>
<listitem>
<para>Estimation de l'espace disque requis&nbsp;: &mitkrb-buildsize;</para>
</listitem>
<listitem>
<para>Estimation du temps de construction&nbsp;: &mitkrb-time;</para>
</listitem>
</itemizedlist>
 
</sect2>
<bridgehead renderas="sect3">MIT Kerberos V5 Dependencies</bridgehead>
 
<sect2>
<title>Installation of <application><acronym>MIT</acronym>
krb5</application></title>
<bridgehead renderas="sect4">Facultatives</bridgehead>
<para role="optional"><xref linkend="linux-pam"/>
(for <command>xdm</command> based logins),
<xref linkend="openldap"/> et
<xref linkend="dejagnu"/> (required to run the test suite)</para>
 
<para>
<application><acronym>MIT</acronym> krb5</application> is distributed in a
<acronym>TAR</acronym> file containing a compressed <acronym>TAR</acronym>
package and a detached <acronym>PGP</acronym>
<filename class="extension">ASC</filename> file.
</para>
<note>
<para>Some sort of time synchronization facility on your system (like
<xref linkend="ntp"/>) is required since Kerberos won't authenticate if
there is a time difference between a kerberized client et the
KDC server.</para>
</note>
 
<para>
If you have installed <xref linkend="gnupg"/>, you can
authenticate the package with the following command:
</para>
<para condition="html" role="usernotes">Notes utilisateur&nbsp;:
<ulink url="&blfs-wiki;/mitkrb"/></para>
 
<screen><userinput><command>gpg --verify krb5-&mitkrb-version;.tar.gz.asc</command></userinput></screen>
</sect2>
 
<para>
Build <application><acronym>MIT</acronym> krb5</application> by running the
following commands:
</para>
<sect2 role="installation">
<title>Installation de MIT Kerberos V5</title>
 
<screen><userinput><command>cd src &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc \
--localstatedir=/var/lib --enable-dns \
--enable-static --mandir=/usr/share/man &amp;&amp;
make</command></userinput></screen>
<para><application>MIT Kerberos V5</application> is distributed in a
TAR file containing a compressed TAR package et a detached PGP
<filename class="extension">ASC</filename> file. You'll need to unpack
the distribution tar file, then unpack the compressed tar file before
starting the build.</para>
 
<para>
Install <application><acronym>MIT</acronym> krb5</application> by
running the following commands as root:
</para>
<para>After unpacking the distribution tarball et if you have
<xref linkend="gnupg"/> installed, you can
authenticate the package with the following command:</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
mv /bin/login /bin/login.shadow &amp;&amp;
cp /usr/sbin/login.krb5 /bin/login &amp;&amp;
mv /usr/bin/ksu /bin &amp;&amp;
mv /usr/lib/libkrb5.so.3* /lib &amp;&amp;
mv /usr/lib/libkrb4.so.2* /lib &amp;&amp;
mv /usr/lib/libdes425.so.3* /lib &amp;&amp;
mv /usr/lib/libk5crypto.so.3* /lib &amp;&amp;
mv /usr/lib/libcom_err.so.3* /lib &amp;&amp;
ln -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so &amp;&amp;
ln -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so &amp;&amp;
ln -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so &amp;&amp;
ln -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so &amp;&amp;
ln -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so &amp;&amp;
ldconfig</command></userinput></screen>
<screen><userinput>gpg - -verify krb5-&mitkrb-version;.tar.gz.asc</userinput></screen>
 
</sect2>
<para>Build <application>MIT Kerberos V5</application> by running the
following suivantes&nbsp;:</para>
 
<sect2>
<title>Command explanations</title>
<screen><userinput>cd src &amp;&amp;
./configure CPPFLAGS="-I/usr/include/et -I/usr/include/ss" \
--prefix=/usr \
--sysconfdir=/etc/krb5 \
--localstatedir=/var/lib \
--with-system-et \
--with-system-ss \
--enable-dns-for-realm \
--mandir=/usr/share/man &amp;&amp;
make</userinput></screen>
 
<para>
<parameter>--enable-dns</parameter>: This switch allows realms to
be resolved using the <acronym>DNS</acronym> server.
</para>
<para>The regression test suite is designed to be run after the
installation has been completed.</para>
 
<para>
<parameter>--enable-static</parameter>: This switch builds static
libraries in addition to the shared libraries.
</para>
<para>Maintenant, en tant qu'utilisateur <systemitem class="username">root</systemitem>&nbsp;:</para>
 
<para>
<screen><command>mv /bin/login /bin/login.shadow
cp /usr/sbin/login.krb5 /bin/login
mv /usr/bin/ksu /bin</command></screen>
Preserves <application>Shadow</application>'s <command>login</command>
command, moves <command>ksu</command> and <command>login</command> to
the <filename class="directory">/bin</filename> directory.
</para>
<screen role="root"><userinput>make install &amp;&amp;
 
<para>
<screen><command>mv /usr/lib/libkrb5.so.3* /lib
mv /usr/lib/libkrb4.so.2* /lib
mv /usr/lib/libdes425.so.3* /lib
mv /usr/lib/libk5crypto.so.3* /lib
mv /usr/lib/libcom_err.so.3* /lib
ln -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so
ln -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so
ln -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so
ln -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so
ln -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so</command></screen>
The <command>login</command> and <command>ksu</command> programs
are linked against these libraries, therefore we move these libraries to
<filename class="directory">/lib</filename> to allow logins without mounting
<filename class="directory">/usr</filename>.
</para>
mv -v /usr/bin/ksu /bin &amp;&amp;
chmod -v 755 /bin/ksu &amp;&amp;
mv -v /usr/lib/libkrb5.so.3* /lib &amp;&amp;
mv -v /usr/lib/libk5crypto.so.3* /lib &amp;&amp;
mv -v /usr/lib/libkrb5support.so.0* /lib &amp;&amp;
 
</sect2>
ln -v -sf ../../lib/libkrb5.so.3.3 /usr/lib/libkrb5.so &amp;&amp;
ln -v -sf ../../lib/libk5crypto.so.3.1 /usr/lib/libk5crypto.so &amp;&amp;
ln -v -sf ../../lib/libkrb5support.so.0.1 /usr/lib/libkrb5support.so&amp;&amp;
 
<sect2>
<title>Configuring <application><acronym>MIT</acronym> krb5</application></title>
install -m644 -v ../doc/*.info* /usr/share/info &amp;&amp;
for INFOFILE in 425 5-admin 5-install 5-user; do
install-info --info-dir=/usr/share/info \
/usr/share/info/krb$INFOFILE.info
rm ../doc/krb$INFOFILE.info*
done &amp;&amp;
 
<sect3 id="krb5-config"><title>Config files</title>
<para>
<filename>/etc/krb5.conf</filename> and
<filename>/var/lib/krb5kdc/kdc.conf</filename>
</para>
<indexterm zone="mitkrb krb5-config">
<primary sortas="e-etc-krb5.conf">/etc/krb5.conf</primary></indexterm>
<indexterm zone="mitkrb krb5-config">
<primary sortas="e-var-lib-krb5kdc-kdc.conf">/var/lib/krb5kdc/kdc.conf</primary>
</indexterm>
</sect3>
install -m755 -v -d /usr/share/doc/krb5-&mitkrb-version; &amp;&amp;
cp -Rv ../doc/* /usr/share/doc/krb5-&mitkrb-version;</userinput></screen>
 
<sect3><title>Configuration Information</title>
<warning>
<para><command>login.krb5</command> does not support
<application>Shadow</application> passwords. As a result, when the
Kerberos server is unavailable, the default fall through to
<filename>/etc/passwd</filename> will not work because
the passwords have been moved to <filename>/etc/shadow</filename> during
the LFS build process. Entering the following
commands without moving the passwords back to
<filename>/etc/passwd</filename> could prevent any logins.</para>
</warning>
 
<sect4><title>Kerberos Configuration</title>
<para>
Create the Kerberos configuration file with the following command:
</para>
<para>After considering (and understanding) the above warning, the
following commands can be entered as the
<systemitem class="username">root</systemitem> user to replace the
existing <command>login</command> program with the Kerberized
version (after preserving the original) et move the support libraries
to a location available when the
<filename class='directory'>/usr</filename> filesystem is
not mounted:</para>
 
<screen><userinput role='root'><command>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"</command>
# Begin /etc/krb5.conf
<screen role="root"><userinput>mv -v /bin/login /bin/login.shadow &amp;&amp;
install -m755 -v /usr/sbin/login.krb5 /bin/login &amp;&amp;
 
mv -v /usr/lib/libdes425.so.3* /lib &amp;&amp;
mv -v /usr/lib/libkrb4.so.2* /lib &amp;&amp;
 
ln -v -sf ../../lib/libdes425.so.3.0 /usr/lib/libdes425.so &amp;&amp;
ln -v -sf ../../lib/libkrb4.so.2.0 /usr/lib/libkrb4.so &amp;&amp;
 
ldconfig</userinput></screen>
 
<!--
<para>If <application>CrackLib</application> is installed, or if any
word list has been put in
<filename class='directory'>/usr/share/dict</filename>, the following
should be entered en tant qu'utilisateur <systemitem class="username">root</systemitem>
user:</para>
 
<screen role="root"><userinput>ln -s /usr/share/dict/words /var/lib/krb5kdc/kadmin.dict</userinput></screen>
-->
 
<para>To test the installation, you must have
<xref linkend="dejagnu"/> installed et lancez&nbsp;: <command>make
check</command>. The RPC layer tests will require a portmap daemon
(see <xref linkend="portmap"/>) running et configured to listen on the
regular network interface (not localhost). See the <quote>Testing the
Build</quote> section of the <filename>krb5-install.html</filename> file
in the <filename class='directory'>../doc</filename> directory for complete
information on running the regression tests.</para>
 
</sect2>
 
<sect2 role="commands">
<title>Explication des commandes</title>
 
<para><parameter>--enable-dns-for-realm</parameter>: This parameter allows
realms to be resolved using the DNS server.</para>
 
<para><parameter>--with-system-et</parameter>: This parameter causes the
build to use the system-installed versions of the error-table support
software.</para>
 
<para><parameter>--with-system-ss</parameter>: This parameter causes the
build to use the system-installed versions of the subsystem command-line
interface software.</para>
 
<para><parameter>--localstatedir=/var/lib</parameter>: This parameter is
used so that the Kerberos variable run-time data is located in
<filename class='directory'>/var/lib</filename> instead of
<filename class='directory'>/usr/var</filename>.</para>
 
<!-- <para><parameter>- -enable-static</parameter>: This switch builds static
libraries in addition to the shared libraries.</para> -->
 
<para><command>mv -v /usr/bin/ksu /bin</command>: Moves the
<command>ksu</command> program to the
<filename class="directory">/bin</filename> directory so that it is
available when the <filename class="directory">/usr</filename>
filesystem is not mounted.</para>
 
<para><command>mv -v ... /lib &amp;&amp; ln -v -sf ...</command>:
These libraries are moved to <filename class="directory">/lib</filename> so
they are available when the <filename class="directory">/usr</filename>
filesystem is not mounted.</para>
 
</sect2>
 
<sect2 role="configuration">
<title>Configuration de MIT Kerberos V5</title>
 
<sect3 id="krb5-config">
<title>Fichiers de configuration</title>
 
<para><filename>/etc/krb5/krb5.conf</filename> et
<filename>/var/lib/krb5kdc/kdc.conf</filename></para>
 
<indexterm zone="mitkrb krb5-config">
<primary sortas="e-etc-krb5-krb5.conf">/etc/krb5/krb5.conf</primary>
</indexterm>
 
<indexterm zone="mitkrb krb5-config">
<primary sortas="e-var-lib-krb5kdc-kdc.conf">/var/lib/krb5kdc/kdc.conf</primary>
</indexterm>
 
</sect3>
 
<sect3>
<title>Informations de configuration</title>
 
<sect4>
<title>Kerberos Configuration</title>
 
<tip>
<para>You should consider installing some sort of password checking
dictionary so that you can configure the installation to only
accept strong passwords. A suitable dictionary to use is shown in
the <xref linkend="cracklib"/> instructions. Note that only one
file can be used, but you can concatenate many files into one. The
configuration file shown below assumes you have installed a
dictionary to <filename>/usr/share/dict/words</filename>.</para>
</tip>
 
<para>Create the Kerberos configuration file with the following
commands issued by the <systemitem class="username">root</systemitem>
user:</para>
 
<screen role="root"><userinput>install -v -m755 -d /etc/krb5 &amp;&amp;
cat &gt; /etc/krb5/krb5.conf &lt;&lt; "EOF"
<literal># Begin /etc/krb5/krb5.conf
 
[libdefaults]
default_realm = <replaceable>[LFS.ORG]</replaceable>
default_realm = <replaceable>&lt;LFS.ORG&gt;</replaceable>
encrypt = true
 
[realms]
<replaceable>[LFS.ORG]</replaceable> = {
kdc = <replaceable>[belgarath.lfs.org]</replaceable>
admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
<replaceable>&lt;LFS.ORG&gt;</replaceable> = {
kdc = <replaceable>&lt;belgarath.lfs.org&gt;</replaceable>
admin_server = <replaceable>&lt;belgarath.lfs.org&gt;</replaceable>
dict_file = /usr/share/dict/words
}
 
[domain_realm]
.<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
.<replaceable>&lt;lfs.org&gt;</replaceable> = <replaceable>&lt;LFS.ORG&gt;</replaceable>
 
[logging]
kdc = SYSLOG[:INFO[:AUTH]]
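Review bot: the new verification command reads "gpg - -verify krb5-&mitkrb-version;.tar.gz.asc", with a space between the two dashes, inside a userinput block that readers will copy; the removed line had "--verify". The split dashes are only needed inside XML comments (as in the commented-out "- -enable-static" paragraph), so restore "--verify" here, otherwise the signature check fails and is likely to be skipped. Smaller points in the same hunk: "following suivantes&nbsp;:" before the configure block is a half-applied translation, and "libkrb5support.so&amp;&amp;" is missing the space before the operator that every other line in the install block has.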
206,489 → 283,506
admin_server = SYSLOG[INFO[:AUTH]]
default = SYSLOG[[:SYS]]
 
# End /etc/krb5.conf
<command>EOF</command></userinput></screen>
# End /etc/krb5/krb5.conf</literal>
EOF</userinput></screen>
 
<para>
You will need to substitute your domain and proper hostname for the
occurances of the <replaceable>[belgarath]</replaceable> and
<replaceable>[lfs.org]</replaceable> names.
</para>
<para>You will need to substitute your domain et proper hostname
for the occurrences of the <replaceable>&lt;belgarath&gt;</replaceable> et
<replaceable>&lt;lfs.org&gt;</replaceable> names.</para>
 
<para>
<userinput>default_realm</userinput> should be the name of your domain changed
to ALL CAPS. This isn't required, but both <application>Heimdal</application>
and <acronym>MIT</acronym> recommend it.
</para>
<para><option>default_realm</option> should be the name of your
domain changed to ALL CAPS. This isn't required, but both
<application>Heimdal</application> et MIT recommend it.</para>
 
<para>
<userinput>encrypt = true</userinput> provides encryption of all traffic
between kerberized clients and servers. It's not necessary and can be left
off. If you leave it off, you can encrypt all traffic from the client to the
server using a switch on the client program instead.
</para>
<para><option>encrypt = true</option> provides encryption of all
traffic between kerberized clients et servers. It's not necessary
et can be left off. If you leave it off, you can encrypt all traffic
from the client to the server using a switch on the client program
instead.</para>
 
<para>
The <userinput>[realms]</userinput> parameters tell the client programs where
to look for the <acronym>KDC</acronym> authentication services.
</para>
<para>The <option>[realms]</option> parameters tell the client
programs where to look for the KDC authentication services.</para>
 
<para>
The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
</para>
<para>The <option>[domain_realm]</option> section maps a domain to
a realm.</para>
 
<para>
Create the <acronym>KDC</acronym> database:
</para>
<para>Create the KDC database:</para>
 
<screen><userinput role='root'><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s </command></userinput></screen>
<screen role="root"><userinput>kdb5_util create -r <replaceable>&lt;LFS.ORG&gt;</replaceable> -s</userinput></screen>
 
<para>
Now you should populate the database with principles (users). For now,
just use your regular login name or root.
</para>
<para>Maintenant you should populate the database with principles
(users). For now, just use your regular login name or
<systemitem class="username">root</systemitem>.</para>
 
<screen><userinput role='root'><command>kadmin.local</command></userinput>
<prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen>
<screen role="root"><userinput>kadmin.local
<prompt>kadmin:</prompt> add_policy dict-only
<prompt>kadmin:</prompt> addprinc -policy dict-only <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
 
<para>
The <acronym>KDC</acronym> server and any machine running kerberized
server daemons must have a host key installed:
</para>
<para>The KDC server et any machine running kerberized
server daemons must have a host key installed:</para>
 
<screen><prompt>kadmin:</prompt><userinput role='root'><command>addprinc -randkey host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
<screen role='root'><userinput><prompt>kadmin:</prompt> addprinc -randkey host/<replaceable>&lt;belgarath.lfs.org&gt;</replaceable></userinput></screen>
 
<para>
After choosing the defaults when prompted, you will have to export the
data to a keytab file:
</para>
<para>After choosing the defaults when prompted, you will have to
export the data to a keytab file:</para>
 
<screen><prompt>kadmin:</prompt><userinput role='root'><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
<screen role='root'><userinput><prompt>kadmin:</prompt> ktadd host/<replaceable>&lt;belgarath.lfs.org&gt;</replaceable></userinput></screen>
 
<para>
This should have created a file in <filename class="directory">/etc</filename>
named <filename>krb5.keytab</filename> (Kerberos 5). This file should have 600
(root rw only) permissions. Keeping the keytab files from public access
is crucial to the overall security of the Kerberos installation.
</para>
<para>This should have created a file in
<filename class="directory">/etc/krb5</filename> named
<filename>krb5.keytab</filename> (Kerberos 5). This file should
have 600 (<systemitem class="username">root</systemitem> rw only)
permissions. Keeping the keytab files from public access is crucial
to the overall security of the Kerberos installation.</para>
 
<para>
Eventually, you'll want to add server daemon principles to the database
and extract them to the keytab file. You do this in the same way you
created the host principles. Below is an example:
</para>
<para>Eventually, you'll want to add server daemon principles to the
database et extract them to the keytab file. You do this in the same
way you created the host principles. Below is an example:</para>
 
<screen><prompt>kadmin:</prompt><userinput role='root'><command>addprinc -randkey ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput>
<prompt>kadmin:</prompt><userinput role='root'><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
<screen role='root'><userinput><prompt>kadmin:</prompt> addprinc -randkey ftp/<replaceable>&lt;belgarath.lfs.org&gt;</replaceable>
<prompt>kadmin:</prompt> ktadd ftp/<replaceable>&lt;belgarath.lfs.org&gt;</replaceable></userinput></screen>
 
<para>
Exit the <command>kadmin</command> program (use <command>quit</command>
or <command>exit</command>) and return back to the shell prompt. Start
the <acronym>KDC</acronym> daemon manually, just to test out the
installation:
</para>
<para>Exit the <command>kadmin</command> program (use
<command>quit</command> or <command>exit</command>) et return
back to the shell prompt. Start the KDC daemon manually, just to
test out the installation:</para>
 
<screen><userinput role='root'><command>/usr/sbin/krb5kdc &amp;</command></userinput></screen>
<screen role='root'><userinput>/usr/sbin/krb5kdc &amp;</userinput></screen>
 
<para>
Attempt to get a ticket with the following command:
</para>
<para>Attempt to get a ticket with the following command:</para>
 
<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
<screen><userinput>kinit <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
 
<para>
You will be prompted for the password you created. After you get your
ticket, you can list it with the following command:
</para>
<para>You will be prompted for the password you created. After you
get your ticket, you can list it with the following command:</para>
 
<screen><userinput><command>klist</command></userinput></screen>
<screen><userinput>klist</userinput></screen>
 
<para>
Information about the ticket should be displayed on the screen.
</para>
<para>Information about the ticket should be displayed on the
screen.</para>
 
<para>
To test the functionality of the keytab file, issue the following
command:
</para>
<para>To test the functionality of the keytab file, issue the
following command:</para>
 
<screen><userinput><command>ktutil</command></userinput>
<prompt>ktutil:</prompt><userinput><command>rkt /etc/krb5.keytab</command></userinput>
<prompt>ktutil:</prompt><userinput><command>l</command></userinput></screen>
<screen><userinput>ktutil
<prompt>ktutil:</prompt> rkt /etc/krb5/krb5.keytab
<prompt>ktutil:</prompt> l</userinput></screen>
 
<para>
This should dump a list of the host principal, along with the encryption
methods used to access the principal.
</para>
<para>This should dump a list of the host principal, along with
the encryption methods used to access the principal.</para>
 
<para>
At this point, if everything has been successful so far, you can feel
fairly confident in the installation and configuration of the package.
</para>
<para>At this point, if everything has been successful so far, you
can feel fairly confident in the installation et configuration of
the package.</para>
 
<para>
Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script
included in the <xref linkend="intro-important-bootscripts"/> package.
</para>
<para>Installez the <filename>/etc/rc.d/init.d/kerberos</filename> init
script included in the <xref linkend="bootscripts"/>
package.</para>
 
<screen><userinput role='root'><command>make install-kerberos</command></userinput></screen>
<screen role="root"><userinput>make install-kerberos</userinput></screen>
 
</sect4>
</sect4>
 
<sect4><title>Using Kerberized Client Programs</title>
<sect4>
<title>Using Kerberized Client Programs</title>
 
<para>
To use the kerberized client programs (<command>telnet</command>,
<command>ftp</command>, <command>rsh</command>,
<command>rcp</command>, <command>rlogin</command>), you first must get
an authentication ticket. Use the <command>kinit</command> program to
get the ticket. After you've acquired the ticket, you can use the
kerberized programs to connect to any kerberized server on the network.
You will not be prompted for authentication until your ticket expires
(default is one day), unless you specify a different user as a command
line argument to the program.
</para>
<para>To use the kerberized client programs (<command>telnet</command>,
<command>ftp</command>, <command>rsh</command>, <command>rcp</command>,
<command>rlogin</command>), you first must get an authentication ticket.
Use the <command>kinit</command> program to get the ticket. After you've
acquired the ticket, you can use the kerberized programs to connect to
any kerberized server on the network. You will not be prompted for
authentication until your ticket expires (default is one day), unless
you specify a different user as a command line argument to the
program.</para>
 
<para>
The kerberized programs will connect to non kerberized daemons, warning
you that authentication is not encrypted.
</para>
</sect4>
<para>The kerberized programs will connect to non kerberized daemons,
warning you that authentication is not encrypted.</para>
 
<sect4><title>Using Kerberized Server Programs</title>
<para>
Using kerberized server programs (<command>telnetd</command>,
<command>kpropd</command>, <command>klogind</command> and
<command>kshd</command>) requires two additional configuration steps.
First the <filename>/etc/services</filename> file must be updated to
include eklogin and krb5_prop. Second, the <filename>inetd.conf</filename>
or <filename>xinetd.conf</filename> must be modified for each server that will
be activated, usually replacing the server from <xref linkend="inetutils"/>.
</para>
</sect4>
</sect4>
 
<sect4><title>Additional Information</title>
<para>
For additional information consult <ulink
url="http://web.mit.edu/kerberos/www/krb5-1.4/#documentation">Documentation
for krb-&mitkrb-version;</ulink> on which the above instructions are based.
</para>
<sect4>
<title>Using Kerberized Server Programs</title>
 
</sect4>
<para>Using kerberized server programs (<command>telnetd</command>,
<command>kpropd</command>, <command>klogind</command> et
<command>kshd</command>) requires two additional configuration steps.
First the <filename>/etc/services</filename> file must be updated to
include eklogin et krb5_prop. Second, the
<filename>inetd.conf</filename> or <filename>xinetd.conf</filename>
must be modified for each server that will be activated, usually
replacing the server from <xref linkend="inetutils"/>.</para>
 
</sect3>
</sect4>
 
</sect2>
<sect4>
<title>Additional Information</title>
 
<sect2>
<title>Contents</title>
<para>For additional information consult <ulink
url="http://web.mit.edu/kerberos/www/krb5-1.6/#documentation">
Documentation for krb-&mitkrb-version;</ulink> on which the above
instructions are based.</para>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
</sect4>
 
<seglistitem>
<seg>compile-et, ftp, ftpd, gss-client, gss-server, k5srvutil, kadmin,
kadmin.local, kadmind, kadmind4, kdb5_util, kdestroy, kinit, klist,
klogind, kpasswd, kprop, kpropd, krb5-send-pr, krb5-config, krb524d,
krb524init, krb5kdc, kshd, ksu, ktutil, kvno, login.krb5, rcp, rlogin,
rsh, sclient, sim_client, sim_server, sserver,
telnet, telnetd, uuclient, uuserver, v5passwd, v5passwdd</seg>
<seg>libcom_err.[so,a], libdes425.[so,a], libgssapi.[so,a], libgssrpc.[so,a],
libkadm5clnt.[so,a], libkadm5srv.[so,a], libkdb5.[so,a], libkrb5.[so,a],
libkrb4.[so,a]</seg>
<seg>/usr/include/kerberosIV and /var/lib/krb5kdc</seg>
</seglistitem>
</segmentedlist>
</sect3>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
</sect2>
 
<varlistentry id="compile_et">
<term><command>compile_et</command></term>
<listitem><para>converts the table listing
error-code names into a <application>C</application> source file..</para>
<indexterm zone="mitkrb compile_et">
<primary sortas="b-compile_et">compile_et</primary>
</indexterm></listitem>
</varlistentry>
<sect2 role="content">
<title>Contenu</title>
<para></para>
 
<varlistentry id="ftp-mitkrb">
<term><command>ftp</command></term>
<listitem><para>is a kerberized <acronym>FTP</acronym> client.</para>
<indexterm zone="mitkrb ftp">
<primary sortas="b-ftp">ftp</primary>
</indexterm></listitem>
</varlistentry>
<segmentedlist>
<segtitle>Programmes installés</segtitle>
<segtitle>Bibliothèques installées</segtitle>
<segtitle>Répertoires installés</segtitle>
 
<varlistentry id="ftpd-mitkrb">
<term><command>ftpd</command></term>
<listitem><para>is a kerberized <acronym>FTP</acronym> daemon.</para>
<indexterm zone="mitkrb ftpd">
<primary sortas="b-ftpd">ftpd</primary>
</indexterm></listitem>
</varlistentry>
<seglistitem>
<seg>ftp, ftpd, gss-client, gss-server, k5srvutil, kadmin,
kadmin.local, kadmind, kdb5_ldap_util, kdb5_util, kdestroy, kinit, klist,
klogind, kpasswd, kprop, kpropd, krb5-config, krb5-send-pr, krb524d,
krb524init, krb5kdc, kshd, ksu, ktutil, kvno, login.krb5, rcp, rlogin,
rsh, sclient, sim_client, sim_server, sserver, telnet, telnetd,
uuclient, uuserver et v4rcp</seg>
<seg>libdes425.so, libgssapi_krb5.so,
libgssrpc.so, libk5crypto.so, libkadm5clnt.so, libkadm5srv.so,
libkdb5.so, libkdb_ldap.so, libkrb4.so, libkrb5.so et
libkrb5support.so</seg>
<seg>/etc/krb5, /usr/include/{gssapi,gssrpc,kerberosIV,krb5},
/usr/lib/krb5, /usr/share/{doc/krb5-&mitkrb-version;,examples,gnats}
et /var/lib/krb5kdc</seg>
</seglistitem>
</segmentedlist>
 
<varlistentry id="k5srvutil">
<term><command>k5srvutil</command></term>
<listitem><para>is a host keytable manipulation utility.</para>
<indexterm zone="mitkrb k5srvutil">
<primary sortas="b-k5srvutil">k5srvutil</primary>
</indexterm></listitem>
</varlistentry>
<variablelist>
<bridgehead renderas="sect3">Descriptions courtes</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
 
<varlistentry id="kadmin-mitkrb">
<term><command>kadmin</command></term>
<listitem><para>is an utility used to make modifications
to the Kerberos database.</para>
<indexterm zone="mitkrb kadmin-mitkrb">
<primary sortas="b-kadmin">kadmin</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="ftp-mitkrb">
<term><command>ftp</command></term>
<listitem>
<para>is a kerberized FTP client.</para>
<indexterm zone="mitkrb ftp-mitkrb">
<primary sortas="b-ftp">ftp</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kadmind-mitkrb">
<term><command>kadmind</command></term>
<listitem><para>is a server for administrative access
to a Kerberos database.</para>
<indexterm zone="mitkrb kadmind-mitkrb">
<primary sortas="b-kadmind">kadmind</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="ftpd-mitkrb">
<term><command>ftpd</command></term>
<listitem>
<para>is a kerberized FTP daemon.</para>
<indexterm zone="mitkrb ftpd-mitkrb">
<primary sortas="b-ftpd">ftpd</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kdb5_util">
<term><command>kdb5_util</command></term>
<listitem><para>is the <acronym>KDC</acronym> database utility.</para>
<indexterm zone="mitkrb kdb5_util">
<primary sortas="b-kdb5_util">kdb5_util</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="k5srvutil">
<term><command>k5srvutil</command></term>
<listitem>
<para>is a host keytable manipulation utility.</para>
<indexterm zone="mitkrb k5srvutil">
<primary sortas="b-k5srvutil">k5srvutil</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kdestroy-mitkrb">
<term><command>kdestroy</command></term>
<listitem><para>removes the current set of tickets.</para>
<indexterm zone="mitkrb kdestroy-mitkrb">
<primary sortas="b-kdestroy">kdestroy</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kadmin-mitkrb">
<term><command>kadmin</command></term>
<listitem>
<para>is an utility used to make modifications
to the Kerberos database.</para>
<indexterm zone="mitkrb kadmin-mitkrb">
<primary sortas="b-kadmin">kadmin</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kinit-mitkrb">
<term><command>kinit</command></term>
<listitem><para>is used to authenticate to the Kerberos server as
a principal and acquire a ticket granting ticket that can later be used
to obtain tickets for other services.</para>
<indexterm zone="mitkrb kinit-mitkrb">
<primary sortas="b-kinit">kinit</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kadmind-mitkrb">
<term><command>kadmind</command></term>
<listitem>
<para>is a server for administrative access
to a Kerberos database.</para>
<indexterm zone="mitkrb kadmind-mitkrb">
<primary sortas="b-kadmind">kadmind</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="klist-mitkrb">
<term><command>klist</command></term>
<listitem><para>reads and displays the current tickets in
the credential cache.</para>
<indexterm zone="mitkrb klist-mitkrb">
<primary sortas="b-klist">klist</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kdb5_util">
<term><command>kdb5_util</command></term>
<listitem>
<para>is the KDC database utility.</para>
<indexterm zone="mitkrb kdb5_util">
<primary sortas="b-kdb5_util">kdb5_util</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="klogind">
<term><command>klogind</command></term>
<listitem><para>is the server that responds to
<command>rlogin</command> requests.</para>
<indexterm zone="mitkrb klogind">
<primary sortas="b-klogind">klogind</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kdestroy-mitkrb">
<term><command>kdestroy</command></term>
<listitem>
<para>removes the current set of tickets.</para>
<indexterm zone="mitkrb kdestroy-mitkrb">
<primary sortas="b-kdestroy">kdestroy</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kpasswd-mitkrb">
<term><command>kpasswd</command></term>
<listitem><para>is a program for changing Kerberos 5 passwords.</para>
<indexterm zone="mitkrb kpasswd-mitkrb">
<primary sortas="b-kpasswd">kpasswd</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kinit-mitkrb">
<term><command>kinit</command></term>
<listitem>
<para>is used to authenticate to the Kerberos server as a
principal et acquire a ticket granting ticket that can
later be used to obtain tickets for other services.</para>
<indexterm zone="mitkrb kinit-mitkrb">
<primary sortas="b-kinit">kinit</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kprop">
<term><command>kprop</command></term>
<listitem><para>takes a principal database in a specified
format and converts it into a stream of database
records.</para>
<indexterm zone="mitkrb kprop">
<primary sortas="b-kprop">kprop</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="klist-mitkrb">
<term><command>klist</command></term>
<listitem>
<para>reads et displays the current tickets in
the credential cache.</para>
<indexterm zone="mitkrb klist-mitkrb">
<primary sortas="b-klist">klist</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kpropd">
<term><command>kpropd</command></term>
<listitem><para>receives a database sent by
<command>kprop</command> and writes it as a local database.</para>
<indexterm zone="mitkrb kpropd">
<primary sortas="b-kpropd">kpropd</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="klogind">
<term><command>klogind</command></term>
<listitem>
<para>is the server that responds to <command>rlogin</command>
requests.</para>
<indexterm zone="mitkrb klogind">
<primary sortas="b-klogind">klogind</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="krb5-config-1">
<term><command>krb5-config</command></term>
<listitem><para>gives information on how to link
programs against libraries.</para>
<indexterm zone="mitkrb krb5-config-prog">
<primary sortas="b-krb5-config-1">krb5-config</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kpasswd-mitkrb">
<term><command>kpasswd</command></term>
<listitem>
<para>is a program for changing Kerberos 5 passwords.</para>
<indexterm zone="mitkrb kpasswd-mitkrb">
<primary sortas="b-kpasswd">kpasswd</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="krb5kdc">
<term><command>krb5kdc</command></term>
<listitem><para>is a Kerberos 5 server.</para>
<indexterm zone="mitkrb krb5kdc">
<primary sortas="b-krb5kdc">krb5kdc</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kprop">
<term><command>kprop</command></term>
<listitem>
<para>takes a principal database in a specified format et
converts it into a stream of database records.</para>
<indexterm zone="mitkrb kprop">
<primary sortas="b-kprop">kprop</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kshd">
<term><command>kshd</command></term>
<listitem><para>is the server that responds to
<command>rsh</command> requests.</para>
<indexterm zone="mitkrb kshd">
<primary sortas="b-kshd">kshd</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kpropd">
<term><command>kpropd</command></term>
<listitem>
<para>receives a database sent by <command>kprop</command>
et writes it as a local database.</para>
<indexterm zone="mitkrb kpropd">
<primary sortas="b-kpropd">kpropd</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="ksu">
<term><command>ksu</command></term>
<listitem><para>is the super user program using Kerberos protocol.
Requires a properly configured
<filename class="directory">/etc/shells</filename> and
<filename>~/.k5login</filename> containing principals authorized to
become super users.</para>
<indexterm zone="mitkrb ksu">
<primary sortas="b-ksu">ksu</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="krb5-config-prog2">
<term><command>krb5-config</command></term>
<listitem>
<para>gives information on how to link programs against
libraries.</para>
<indexterm zone="mitkrb krb5-config-prog2">
<primary sortas="b-krb5-config">krb5-config</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="ktutil-mitkrb">
<term><command>ktutil</command></term>
<listitem><para>is a program for managing Kerberos keytabs.</para>
<indexterm zone="mitkrb ktutil-mitkrb">
<primary sortas="b-ktutil">ktutil</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="krb5kdc">
<term><command>krb5kdc</command></term>
<listitem>
<para>is a Kerberos 5 server.</para>
<indexterm zone="mitkrb krb5kdc">
<primary sortas="b-krb5kdc">krb5kdc</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kvno">
<term><command>kvno</command></term>
<listitem><para>prints keyversion numbers of Kerberos principals.</para>
<indexterm zone="mitkrb kvno">
<primary sortas="b-kvno">kvno</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kshd">
<term><command>kshd</command></term>
<listitem>
<para>is the server that responds to <command>rsh</command>
requests.</para>
<indexterm zone="mitkrb kshd">
<primary sortas="b-kshd">kshd</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="login.krb5">
<term><command>login.krb5</command></term>
<listitem><para>is a kerberized login program.</para>
<indexterm zone="mitkrb login">
<primary sortas="b-login.krb5">login.krb5</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="ksu">
<term><command>ksu</command></term>
<listitem>
<para>is the super user program using Kerberos protocol.
Requires a properly configured
<filename class="directory">/etc/shells</filename> et
<filename>~/.k5login</filename> containing principals
authorized to become super users.</para>
<indexterm zone="mitkrb ksu">
<primary sortas="b-ksu">ksu</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="rcp-mitkrb">
<term><command>rcp</command></term>
<listitem><para>is a kerberized rcp client program.</para>
<indexterm zone="mitkrb rcp">
<primary sortas="b-rcp">rcp</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="ktutil-mitkrb">
<term><command>ktutil</command></term>
<listitem>
<para>is a program for managing Kerberos keytabs.</para>
<indexterm zone="mitkrb ktutil-mitkrb">
<primary sortas="b-ktutil">ktutil</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="rlogin">
<term><command>rlogin</command></term>
<listitem><para>is a kerberized rlogin client program.</para>
<indexterm zone="mitkrb rlogin">
<primary sortas="b-rlogin">rlogin</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kvno">
<term><command>kvno</command></term>
<listitem>
<para>prints keyversion numbers of Kerberos principals.</para>
<indexterm zone="mitkrb kvno">
<primary sortas="b-kvno">kvno</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="rsh-mitkrb">
<term><command>rsh</command></term>
<listitem><para>is a kerberized rsh client program.</para>
<indexterm zone="mitkrb rsh">
<primary sortas="b-rsh">rsh</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="login.krb5">
<term><command>login.krb5</command></term>
<listitem>
<para>is a kerberized login program.</para>
<indexterm zone="mitkrb login">
<primary sortas="b-login.krb5">login.krb5</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="telnet-mitkrb">
<term><command>telnet</command></term>
<listitem><para>is a kerberized telnet client program.</para>
<indexterm zone="mitkrb telnet">
<primary sortas="b-telnet">telnet</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="rcp-mitkrb">
<term><command>rcp</command></term>
<listitem>
<para>is a kerberized rcp client program.</para>
<indexterm zone="mitkrb rcp-mitkrb">
<primary sortas="b-rcp">rcp</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="telnetd-mitkrb">
<term><command>telnetd</command></term>
<listitem><para>is a kerberized telnet server.</para>
<indexterm zone="mitkrb telnetd">
<primary sortas="b-telnetd">telnetd</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="rlogin">
<term><command>rlogin</command></term>
<listitem>
<para>is a kerberized rlogin client program.</para>
<indexterm zone="mitkrb rlogin">
<primary sortas="b-rlogin">rlogin</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libcom_err">
<term><filename class='libraryfile'>libcom_err.[so,a]</filename></term>
<listitem><para>implements the Kerberos library error code.</para>
<indexterm zone="mitkrb libcom_err">
<primary sortas="c-libcom_err">libcom_err.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="rsh-mitkrb">
<term><command>rsh</command></term>
<listitem>
<para>is a kerberized rsh client program.</para>
<indexterm zone="mitkrb rsh-mitkrb">
<primary sortas="b-rsh">rsh</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libgssapi-mitkrb">
<term><filename class='libraryfile'>libgssapi.[so,a]</filename></term>
<listitem><para>contain the Generic Security Service Application
Programming
Interface (<acronym>GSSAPI</acronym>) functions which provides security
services to callers in a generic fashion, supportable with a range of
underlying mechanisms and technologies and hence allowing source-level
portability of applications to different environments.</para>
<indexterm zone="mitkrb libgssapi">
<primary sortas="c-libgssapi">libgssapi.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="telnet-mitkrb">
<term><command>telnet</command></term>
<listitem>
<para>is a kerberized telnet client program.</para>
<indexterm zone="mitkrb telnet-mitkrb">
<primary sortas="b-telnet">telnet</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libkadm5clnt-mitkrb">
<term><filename
class='libraryfile'>libkadm5clnt.[so,a]</filename></term>
<listitem><para>contains the administrative authentication and password
checking functions required by Kerberos 5 client-side programs.</para>
<indexterm zone="mitkrb libkadm5clnt">
<primary sortas="c-libkadm5clnt">libkadm5clnt.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="telnetd-mitkrb">
<term><command>telnetd</command></term>
<listitem>
<para>is a kerberized telnet server.</para>
<indexterm zone="mitkrb telnetd-mitkrb">
<primary sortas="b-telnetd">telnetd</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libkadm5srv-mitkrb">
<term><filename class='libraryfile'>libkadm5srv.[so,a]</filename></term>
<listitem><para>contain the administrative authentication and password
checking functions required by Kerberos 5 servers.</para>
<indexterm zone="mitkrb libkadm5srv">
<primary sortas="c-libkadm5srv">libkadm5srv.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="libgssapi_krb5-mitkrb">
<term><filename class='libraryfile'>libgssapi_krb5.so</filename></term>
<listitem>
<para>contain the Generic Security Service Application
Programming Interface (GSSAPI) functions which provides security
services to callers in a generic fashion, supportable with a range of
underlying mechanisms et technologies and hence allowing source-level
portability of applications to different environments.</para>
<indexterm zone="mitkrb libgssapi_krb5-mitkrb">
<primary sortas="c-libgssapi_krb5">libgssapi_krb5.so</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libkdb5">
<term><filename class='libraryfile'>libkdb5.[so,a]</filename></term>
<listitem><para>is a Kerberos 5
authentication/authorization database access library.</para>
<indexterm zone="mitkrb libkdb5">
<primary sortas="c-libkdb5">libkdb5.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="libkadm5clnt-mitkrb">
<term><filename class='libraryfile'>libkadm5clnt.so</filename></term>
<listitem>
<para>contains the administrative authentication et password
checking functions required by Kerberos 5 client-side programs.</para>
<indexterm zone="mitkrb libkadm5clnt-mitkrb">
<primary sortas="c-libkadm5clnt">libkadm5clnt.so</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libkrb5-mitkrb">
<term><filename class='libraryfile'>libkrb5.[so,a]</filename></term>
<listitem><para>is an all-purpose Kerberos 5 library.</para>
<indexterm zone="mitkrb libkrb5">
<primary sortas="c-libkrb5">libkrb5.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="libkadm5srv-mitkrb">
<term><filename class='libraryfile'>libkadm5srv.so</filename></term>
<listitem>
<para>contain the administrative authentication et password
checking functions required by Kerberos 5 servers.</para>
<indexterm zone="mitkrb libkadm5srv-mitkrb">
<primary sortas="c-libkadm5srv">libkadm5srv.so</primary>
</indexterm>
</listitem>
</varlistentry>
 
</variablelist>
<varlistentry id="libkdb5">
<term><filename class='libraryfile'>libkdb5.so</filename></term>
<listitem>
<para>is a Kerberos 5 authentication/authorization database
access library.</para>
<indexterm zone="mitkrb libkdb5">
<primary sortas="c-libkdb5">libkdb5.so</primary>
</indexterm>
</listitem>
</varlistentry>
 
</sect2>
<varlistentry id="libkrb5-mitkrb">
<term><filename class='libraryfile'>libkrb5.so</filename></term>
<listitem>
<para>is an all-purpose Kerberos 5 library.</para>
<indexterm zone="mitkrb libkrb5-mitkrb">
<primary sortas="c-libkrb5">libkrb5.so</primary>
</indexterm>
</listitem>
</varlistentry>
 
</variablelist>
 
</sect2>
 
</sect1>
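Review bot: In the libkadm5clnt.so and libkadm5srv.so entries the description now reads "administrative authentication et password checking functions", so a French "et" sits inside a sentence that is otherwise still English, and the libkadm5srv.so entry also says "contain" where its sibling says "contains". Translate the whole para or keep the English "and" until it is translated; a blanket and/et substitution leaves the text in neither language.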
/trunk/blfs/postlfs/security/stunnel.xml
1,239 → 1,320
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY stunnel-download-http "http://www.stunnel.org/download/stunnel/src/stunnel-&stunnel-version;.tar.gz">
<!ENTITY stunnel-download-ftp "ftp://ftp.fu-berlin.de/unix/linux/mirrors/gentoo/distfiles/stunnel-&stunnel-version;.tar.gz">
<!ENTITY stunnel-md5sum "7d53af550a1c2e01e146b936e58b8860">
<!ENTITY stunnel-size "486 KB">
<!ENTITY stunnel-buildsize "3.9 MB">
<!ENTITY stunnel-time "0.11 SBU">
<!ENTITY stunnel-download-ftp "ftp://stunnel.mirt.net/stunnel/stunnel-&stunnel-version;.tar.gz">
<!ENTITY stunnel-md5sum "1eaec5228979beca4d548f453304e311">
<!ENTITY stunnel-size "528 Kio">
<!ENTITY stunnel-buildsize "5 Mio">
<!ENTITY stunnel-time "0.1 SBU">
]>
 
<sect1 id="stunnel" xreflabel="Stunnel-&stunnel-version;">
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2005-06-16 06:24:42 $</date>
</sect1info>
<?dbhtml filename="stunnel.html"?>
<title>Stunnel-&stunnel-version;</title>
<indexterm zone="stunnel">
<primary sortas="a-Stunnel">Stunnel</primary></indexterm>
<?dbhtml filename="stunnel.html"?>
 
<sect2>
<title>Introduction to <application>Stunnel</application></title>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2008-08-11 20:32:48 +0200 (lun, 11 aoû 2008) $</date>
</sect1info>
 
<para>The <application>Stunnel</application> package contains a program that
allows you to encrypt arbitrary <acronym>TCP</acronym> connections inside
<acronym>SSL</acronym> (Secure Sockets Layer) so you can easily communicate
with clients over secure channels. <application>Stunnel</application> can be
used to add <acronym>SSL</acronym> functionality to commonly used Inetd
daemons like <acronym>POP</acronym>-2, <acronym>POP</acronym>-3, and
<acronym>IMAP</acronym> servers, to standalone daemons like
<acronym>NNTP</acronym>, <acronym>SMTP</acronym> and <acronym>HTTP</acronym>,
and in tunneling <acronym>PPP</acronym> over network sockets without changes
to the server package source code.</para>
<title>Stunnel-&stunnel-version;</title>
 
<sect3><title>Package information</title>
<itemizedlist spacing="compact">
<listitem><para>Download (HTTP):
<ulink url="&stunnel-download-http;"/></para></listitem>
<listitem><para>Download (FTP):
<ulink url="&stunnel-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum:
&stunnel-md5sum;</para></listitem>
<listitem><para>Download size:
&stunnel-size;</para></listitem>
<listitem><para>Estimated disk space required:
&stunnel-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&stunnel-time;</para></listitem></itemizedlist>
</sect3>
<indexterm zone="stunnel">
<primary sortas="a-Stunnel">Stunnel</primary>
</indexterm>
 
<sect3><title><application>Stunnel</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="openssl"/></para>
</sect4>
<sect2 role="package">
<title>Introduction à Stunnel</title>
 
<sect4><title>Optional</title>
<para><xref linkend="tcpwrappers"/></para>
</sect4>
</sect3>
<para>The <application>Stunnel</application> package contains a program
that allows you to encrypt arbitrary TCP connections inside SSL (Secure
Sockets Layer) so you can easily communicate with clients over secure
channels. <application>Stunnel</application> can be used to add SSL
functionality to commonly used <application>Inetd</application> daemons
like POP-2, POP-3, et IMAP servers, to standalone daemons like NNTP,
SMTP et HTTP, and in tunneling PPP over network sockets without changes
to the server package source code.</para>
 
</sect2>
<bridgehead renderas="sect3">Informations sur le paquet</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Téléchargement (HTTP)&nbsp;: <ulink url="&stunnel-download-http;"/></para>
</listitem>
<listitem>
<para>Téléchargement (FTP)&nbsp;: <ulink url="&stunnel-download-ftp;"/></para>
</listitem>
<listitem>
<para>Somme de contrôle MD5 du téléchargement&nbsp;: &stunnel-md5sum;</para>
</listitem>
<listitem>
<para>Taille du téléchargement&nbsp;: &stunnel-size;</para>
</listitem>
<listitem>
<para>Estimation de l'espace disque requis&nbsp;: &stunnel-buildsize;</para>
</listitem>
<listitem>
<para>Estimation du temps de construction&nbsp;: &stunnel-time;</para>
</listitem>
</itemizedlist>
 
<sect2>
<title>Installation of <application>Stunnel</application></title>
<bridgehead renderas="sect3">Téléchargements supplémentaires</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Correctif requis&nbsp;: <ulink
url="&patch-root;/stunnel-&stunnel-version;-setuid-1.patch"/></para>
</listitem>
</itemizedlist>
 
<para>The <command>stunnel</command> daemon will be run in a
<command>chroot</command> jail by an unprivileged user. Create the new user,
group and <command>chroot</command> home directory structure using the
following commands as the root user:</para>
<bridgehead renderas="sect3">Stunnel Dependencies</bridgehead>
 
<screen><userinput role='root'><command>groupadd stunnel &amp;&amp;
<bridgehead renderas="sect4">Requises</bridgehead>
<para role="required"><xref linkend="openssl"/></para>
 
<bridgehead renderas="sect4">Facultatives</bridgehead>
<para role="optional"><xref linkend="tcpwrappers"/></para>
 
<para condition="html" role="usernotes">Notes utilisateur&nbsp;:
<ulink url="&blfs-wiki;/stunnel"/></para>
 
</sect2>
 
<sect2 role="installation">
<title>Installation de Stunnel</title>
 
<para>The <command>stunnel</command> daemon will be run in a
<command>chroot</command> jail by an unprivileged user. Create the
new user et group using the following commands as the
<systemitem class="username">root</systemitem>&nbsp;:</para>
 
<screen role="root"><userinput>groupadd -g 51 stunnel &amp;&amp;
useradd -c "Stunnel Daemon" -d /var/lib/stunnel \
-g stunnel -s /bin/false stunnel &amp;&amp;
install -d -m 700 -o stunnel -g stunnel /var/lib/stunnel/run</command></userinput></screen>
-g stunnel -s /bin/false -u 51 stunnel</userinput></screen>
 
<note><para>A signed <acronym>SSL</acronym> Certificate and a Private Key is
necessary to run the <command>stunnel</command> daemon. If you own, or have
already created a signed <acronym>SSL</acronym> Certificate you wish to use,
copy it to <filename>tools/stunnel.pem</filename> in the source directory
before starting the build, otherwise you will be prompted to create one. The
<filename>.pem</filename> file must be formatted as shown below:</para>
<note>
<para>A signed SSL Certificate et a Private Key is necessary to run
the <command>stunnel</command> daemon. If you own, or have already
created a signed SSL Certificate you wish to use, copy it to
<filename>/etc/stunnel/stunnel.pem</filename> before starting the build
(ensure only <systemitem class='username'>root</systemitem> has read et
write access), otherwise you will be
prompted to create one during the installation process. The
<filename class='extension'>.pem</filename> file must be formatted as
shown below:</para>
 
<screen>-----BEGIN RSA PRIVATE KEY-----
<replaceable>[many encrypted lines of unencrypted key]</replaceable>
<screen><literal>-----BEGIN RSA PRIVATE KEY-----
<replaceable>&lt;many encrypted lines of unencrypted key&gt;</replaceable>
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
<replaceable>[many encrypted lines of certificate]</replaceable>
-----END CERTIFICATE-----</screen></note>
<replaceable>&lt;many encrypted lines of certificate&gt;</replaceable>
-----END CERTIFICATE-----</literal></screen>
</note>
 
<para>Install <application>Stunnel</application> by running the following
commands:</para>
<para>Installez <application>Stunnel</application> en lançant les commandes
suivantes&nbsp;:</para>
 
<screen><userinput><command>./configure --prefix=/usr --sysconfdir=/etc \
--localstatedir=/var/lib/stunnel &amp;&amp;
make</command></userinput></screen>
<screen><userinput>patch -Np1 -i ../stunnel-&stunnel-version;-setuid-1.patch &amp;&amp;
 
<para>Now, as the root user:</para>
sed -i 's|nogroup|stunnel|g' configure &amp;&amp;
sed -i 's|$(prefix)/var/lib|$(localstatedir)|' tools/Makefile.in &amp;&amp;
 
<screen><userinput role='root'><command>make install</command></userinput></screen>
./configure --prefix=/usr \
--sysconfdir=/etc \
--localstatedir=/var/lib \
--disable-libwrap &amp;&amp;
make</userinput></screen>
 
</sect2>
<para>Ce paquet n'est pas fourni avec une suite de tests.</para>
 
<sect2>
<title>Command explanations</title>
<para>Maintenant, en tant qu'utilisateur <systemitem class="username">root</systemitem>&nbsp;:</para>
 
<para><parameter>--sysconfdir=/etc</parameter>: This parameter forces the
configuration directory to <filename class='directory'>/etc</filename> instead
of <filename class='directory'>/usr/etc</filename>.</para>
<screen role="root"><userinput>make docdir=/usr/share/doc/stunnel-&stunnel-version; install</userinput></screen>
 
<para><parameter>--localstatedir=/var/lib/stunnel</parameter>: This parameter
causes the installation process to create
<filename class='directory'>/var/lib/stunnel/stunnel</filename> instead of
<filename class='directory'>/usr/var/stunnel</filename>.</para>
</sect2>
 
<para><command>make</command>: This command builds the package and, if you
did not copy an <filename>stunnel.pem</filename> file to the source
<filename class='directory'>tools/</filename> directory, prompts you for the
necessary information to create one. Ensure you reply to the</para>
<sect2 role="commands">
<title>Explication des commandes</title>
 
<screen><computeroutput>Common Name (FQDN of your server) [localhost]:</computeroutput></screen>
<para><command>sed -i 's|nogroup|stunnel|g' configure</command>: This
command is used to change the default group for the installed files in
<filename class='directory'>/var/lib/stunnel</filename> from
<systemitem class="groupname">nogroup</systemitem> to
<systemitem class="groupname">stunnel</systemitem>.</para>
 
<para>prompt with the name or <acronym>IP</acronym> address you will be using
to access the service.</para>
<para><command>sed -i '...' tools/Makefile.in</command>: This command
ensures that the chroot jail will be located in
<filename class='directory'>/var/lib/stunnel</filename> instead of
<filename class='directory'>/usr/var/lib/stunnel</filename>.</para>
 
</sect2>
<para><parameter>--sysconfdir=/etc</parameter>: This parameter forces
the configuration directory to <filename class='directory'>/etc</filename>
instead of <filename class='directory'>/usr/etc</filename>.</para>
 
<sect2>
<title>Configuring <application>Stunnel</application></title>
<para><parameter>--localstatedir=/var/lib</parameter>: This parameter
sets the installation to use
<filename class='directory'>/var/lib/stunnel</filename> instead of
creating et using
<filename class='directory'>/usr/var/stunnel</filename>.</para>
 
<sect3 id="stunnel-config"><title>Config files</title>
<para><filename>/etc/stunnel/stunnel.conf</filename></para>
<indexterm zone="stunnel stunnel-config">
<primary sortas="e-etc-stunnel-stunnel.conf">/etc/stunnel/stunnel.conf</primary>
</indexterm>
</sect3>
<para><parameter>--disable-libwrap</parameter>: This parameter is required
if you don't have <application>tcpwrappers</application> installed. Remove
the parameter if <application>tcpwrappers</application> is installed.</para>
 
<sect3><title>Configuration Information</title>
<para><command>make docdir=... install</command>: This command installs the
package, changes the documentation installation directory to standard
naming conventions et, if you did not copy an
<filename>stunnel.pem</filename> file to the
<filename class='directory'>/etc/stunnel</filename> directory, prompts you
for the necessary information to create one. Ensure you reply to the</para>
 
<para>Create a basic <filename>/etc/stunnel/stunnel.conf</filename>
configuration file using the following commands:</para>
<screen><prompt>Common Name (FQDN of your server) [localhost]:</prompt></screen>
 
<screen><userinput role='root'><command>cat &gt;/etc/stunnel/stunnel.conf &lt;&lt; "EOF"</command>
# File: /etc/stunnel/stunnel.conf
<para>prompt with the name or IP address you will be using
to access the service(s).</para>
 
pid = /run/stunnel.pid
</sect2>
 
<sect2 role="configuration">
<title>Configuration de Stunnel</title>
 
<sect3 id="stunnel-config">
<title>Fichiers de configuration</title>
 
<para><filename>/etc/stunnel/stunnel.conf</filename></para>
 
<indexterm zone="stunnel stunnel-config">
<primary sortas="e-etc-stunnel-stunnel.conf">/etc/stunnel/stunnel.conf</primary>
</indexterm>
 
</sect3>
 
<sect3>
<title>Informations de configuration</title>
 
<para>As the <systemitem class="username">root</systemitem> user,
create the directory used for the
<filename class='extension'>.pid</filename> file that is created
when the <application>Stunnel</application> daemon starts:</para>
 
<screen role="root"><userinput>install -v -m750 -o stunnel -g stunnel -d /var/lib/stunnel/run</userinput></screen>
 
<para>Next, create a basic <filename>/etc/stunnel/stunnel.conf</filename>
configuration file using the following commands as the
<systemitem class="username">root</systemitem>&nbsp;:</para>
 
<screen role="root"><userinput>cat &gt;/etc/stunnel/stunnel.conf &lt;&lt; "EOF" &amp;&amp;
<literal>; File: /etc/stunnel/stunnel.conf
 
pid = /run/stunnel.pid
chroot = /var/lib/stunnel
client = no
setuid = stunnel
setgid = stunnel
setgid = stunnel</literal>
 
<command>EOF</command></userinput></screen>
EOF
chmod -v 644 /etc/stunnel/stunnel.conf</userinput></screen>
 
<para>Next, you need to add the service you wish to encrypt to the
configuration file. The format is as follows:</para>
<para>Finally, you need to add the service(s) you wish to encrypt to the
configuration file. The format is as follows:</para>
 
<screen><userinput role='root'>[<replaceable>[service]</replaceable>]
accept = <replaceable>[hostname:portnumber]</replaceable>
connect = <replaceable>[hostname:portnumber]</replaceable></userinput></screen>
<screen><literal>[<replaceable>&lt;service&gt;</replaceable>]
accept = <replaceable>&lt;hostname:portnumber&gt;</replaceable>
connect = <replaceable>&lt;hostname:portnumber&gt;</replaceable></literal></screen>
 
<para>If you use <application>Stunnel</application> to encrypt a daemon
started from <command>[x]inetd</command>, you may need to disable that daemon
in the <filename>/etc/[x]inetd.conf</filename> file and enable a corresponding
<replaceable>[service]</replaceable>_stunnel service. You may have to add an
appropriate entry in <filename>/etc/services</filename> as well.</para>
<para>If you use <application>Stunnel</application> to encrypt a daemon
started from <command>[x]inetd</command>, you may need to disable that
daemon in the <filename>/etc/[x]inetd.conf</filename> file et enable a
corresponding <replaceable>&lt;service&gt;</replaceable>_stunnel service. You
may have to add an appropriate entry in <filename>/etc/services</filename>
as well.</para>
 
<para>For a full explanation of the commands and syntax used in the
configuration file, run <command>man stunnel</command>. To see a
<acronym>BLFS</acronym> example of an actual setup of an
<command>stunnel</command> encrypted service, read the
<xref linkend="samba3-swat-config"/> in the <application>Samba</application>
instructions.</para>
<para>For a full explanation of the commands et syntax used in the
configuration file, run <command>man stunnel</command>. To see a
BLFS example of an actual setup of an <command>stunnel</command> encrypted
service, read the <xref linkend="samba3-swat-config"/> in the
<application>Samba</application> instructions.</para>
 
<para id="stunnel.init">To automatically start the <command>stunnel</command>
daemon when the system is rebooted, install the
<filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the
<xref linkend="intro-important-bootscripts"/> package.</para>
<indexterm zone="stunnel stunnel.init">
<primary sortas="f-stunnel.init">stunnel</primary></indexterm>
</sect3>
 
<screen><userinput role='root'><command>make install-stunnel</command></userinput></screen>
</sect3>
<sect3 id="stunnel-init">
<title>Boot Script</title>
 
</sect2>
<para>To automatically start the <command>stunnel</command> daemon
when the system is rebooted, install the
<filename>/etc/rc.d/init.d/stunnel</filename> bootscript from the
<xref linkend="bootscripts"/> package.</para>
 
<sect2>
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Library</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>stunnel and stunnel3</seg>
<seg>libstunnel.so</seg>
<seg>/etc/stunnel, /var/lib/stunnel and /usr/share/doc/stunnel</seg>
</seglistitem>
</segmentedlist>
<indexterm zone="stunnel stunnel-init">
<primary sortas="f-stunnel">stunnel</primary>
</indexterm>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<screen role="root"><userinput>make install-stunnel</userinput></screen>
 
<varlistentry id="stunnel-prog">
<term><command>stunnel</command></term>
<listitem><para> is a program designed to work as an <acronym>SSL</acronym>
encryption wrapper between remote clients and local
(<command>[x]inetd</command>-startable) or remote servers.</para>
<indexterm zone="stunnel stunnel-prog">
<primary sortas="b-stunnel">stunnel</primary></indexterm>
</listitem>
</varlistentry>
</sect3>
 
<varlistentry id="stunnel3">
<term><command>stunnel3</command></term>
<listitem><para>is a <application>Perl</application> wrapper script to use
<command>stunnel</command> 3.x syntax with <command>stunnel</command>
>=4.05.</para>
<indexterm zone="stunnel stunnel3">
<primary sortas="b-stunnel3">stunnel3</primary></indexterm>
</listitem>
</varlistentry>
</sect2>
 
<varlistentry id="libstunnel">
<term><filename class='libraryfile'>libstunnel.so</filename></term>
<listitem><para> contains the <acronym>API</acronym> functions required by
<application>Stunnel</application>.</para>
<indexterm zone="stunnel libstunnel">
<primary sortas="c-libstunnel">libstunnel.so</primary></indexterm>
</listitem>
</varlistentry>
</variablelist>
<sect2 role="content">
<title>Contenu</title>
 
</sect2>
<segmentedlist>
<segtitle>Programmes installés</segtitle>
<segtitle>Bibliothèque installée</segtitle>
<segtitle>Répertoires installés</segtitle>
 
<seglistitem>
<seg>stunnel et stunnel3</seg>
<seg>libstunnel.so</seg>
<seg>/etc/stunnel, /usr/lib/stunnel,
/usr/share/doc/stunnel-&stunnel-version; et
/var/lib/stunnel</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Descriptions courtes</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
 
<varlistentry id="stunnel-prog">
<term><command>stunnel</command></term>
<listitem>
<para> is a program designed to work as an SSL
encryption wrapper between remote clients et local
(<command>{x}inetd</command>-startable) or remote servers.</para>
<indexterm zone="stunnel stunnel-prog">
<primary sortas="b-stunnel">stunnel</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="stunnel3">
<term><command>stunnel3</command></term>
<listitem>
<para>is a <application>Perl</application> wrapper script to use
<command>stunnel</command> 3.x syntax with <command>stunnel</command>
>=4.05.</para>
<indexterm zone="stunnel stunnel3">
<primary sortas="b-stunnel3">stunnel3</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libstunnel">
<term><filename class='libraryfile'>libstunnel.so</filename></term>
<listitem>
<para> contains the API functions required by
<application>Stunnel</application>.</para>
<indexterm zone="stunnel libstunnel">
<primary sortas="c-libstunnel">libstunnel.so</primary>
</indexterm>
</listitem>
</varlistentry>
 
</variablelist>
 
</sect2>
 
</sect1>
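Review bot: The certificate note tells the reader to copy an existing key to /etc/stunnel/stunnel.pem and "ensure only root has read et write access", but no command in the section sets or checks that mode, whereas stunnel.conf gets an explicit "chmod -v 644" and the run directory an explicit "install -v -m750 -o stunnel -g stunnel". The file holds the unencrypted private key, so add the matching command next to the note (for example root ownership and mode 600 on /etc/stunnel/stunnel.pem) rather than leaving the restriction to the reader. Separately, the English paragraphs in this file now carry "et" for "and" and "as the root :" with the word "user" dropped, and the "Stunnel Dependencies" and "Boot Script" headings are untranslated beside translated siblings; translate those units whole or leave them in English.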
 
/trunk/blfs/postlfs/security/gnupg2.xml
8,8 → 8,8
<!-- <!ENTITY gnupg2-download-http "http://public.ftp.planetmirror.com/pub/gnupg/gnupg-&gnupg2-version;.tar.bz2"> -->
<!ENTITY gnupg2-download-ftp "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-&gnupg2-version;.tar.bz2">
<!ENTITY gnupg2-md5sum "fc4377ca67e1bf687eeaf22e79c0b9d1">
<!ENTITY gnupg2-size "3.6 MB">
<!ENTITY gnupg2-buildsize "65 MB">
<!ENTITY gnupg2-size "3.6 Mio">
<!ENTITY gnupg2-buildsize "65 Mio">
<!ENTITY gnupg2-time "0.7 SBU">
]>
 
17,8 → 17,8
<?dbhtml filename="gnupg2.html"?>
 
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2008-11-16 21:28:02 $</date>
<othername>$LastChangedBy: gdalziel $</othername>
<date>$Date: 2009-07-06 21:12:40 +0200 (lun 06 jui 2009) $</date>
</sect1info>
 
<title>GnuPG-&gnupg2-version;</title>
28,43 → 28,43
</indexterm>
 
<sect2 role="package">
<title>Introduction to GnuPG 2</title>
<title>Introduction à GnuPG 2</title>
 
<para>The <application>GnuPG 2</application> package is GNU's tool for
secure communication and data storage. It can be used to encrypt data and
secure communication et data storage. It can be used to encrypt data and
to create digital signatures. It includes an advanced key management
facility and is compliant with the proposed OpenPGP Internet standard as
described in RFC2440 and the S/MIME standard as described by several RFCs.
GnuPG 2 is the stable version of GnuPG integrating support for OpenPGP and
facility et is compliant with the proposed OpenPGP Internet standard as
described in RFC2440 et the S/MIME standard as described by several RFCs.
GnuPG 2 is the stable version of GnuPG integrating support for OpenPGP et
S/MIME. It does not conflict with an installed <xref linkend="gnupg"/>
OpenPGP-only version.</para>
 
<bridgehead renderas="sect3">Package Information</bridgehead>
<bridgehead renderas="sect3">Informations sur le paquet</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Download (HTTP): <ulink url="&gnupg2-download-http;"/></para>
<para>Téléchargement (HTTP)&nbsp;: <ulink url="&gnupg2-download-http;"/></para>
</listitem>
<listitem>
<para>Download (FTP): <ulink url="&gnupg2-download-ftp;"/></para>
<para>Téléchargement (FTP)&nbsp;: <ulink url="&gnupg2-download-ftp;"/></para>
</listitem>
<listitem>
<para>Download MD5 sum: &gnupg2-md5sum;</para>
<para>Somme de contrôle MD5 du téléchargement&nbsp;: &gnupg2-md5sum;</para>
</listitem>
<listitem>
<para>Download size: &gnupg2-size;</para>
<para>Taille du téléchargement&nbsp;: &gnupg2-size;</para>
</listitem>
<listitem>
<para>Estimated disk space required: &gnupg2-buildsize;</para>
<para>Estimation de l'espace disque requis&nbsp;: &gnupg2-buildsize;</para>
</listitem>
<listitem>
<para>Estimated build time: &gnupg2-time;</para>
<para>Estimation du temps de construction&nbsp;: &gnupg2-time;</para>
</listitem>
</itemizedlist>
 
<!-- <bridgehead renderas="sect3">Additional Downloads</bridgehead>
<!-- <bridgehead renderas="sect3">Téléchargements supplémentaires</bridgehead>
<itemizedlist spacing='compact'>
<listitem>
<para>Required Patch: <ulink
<para>Requises Patch: <ulink
url="&patch-root;/gnupg2-&gnupg2-version;-curl_LDAP-1.patch"/>
</para>
</listitem>
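Review bot: In the commented-out additional-downloads block, "Required Patch:" has become "Requises Patch:", which is a word substitution rather than a translation; stunnel.xml in this same revision uses "Correctif requis" for the same label, so use that here as well. The introduction paragraph has the same problem: "and" is replaced by "et" in four places while "encrypt data and to create digital signatures" keeps the English, leaving the paragraph half in each language.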
72,46 → 72,46
 
<bridgehead renderas="sect3">GnuPG Dependencies</bridgehead>
 
<bridgehead renderas="sect4">Required</bridgehead>
<bridgehead renderas="sect4">Requises</bridgehead>
<para role="required"><xref linkend="pth"/>,
<xref linkend="libassuan"/>,
<xref linkend="libgcrypt"/>, and
<xref linkend="libgcrypt"/> et
<xref linkend="libksba"/></para>
 
<bridgehead renderas="sect4">Optional</bridgehead>
<bridgehead renderas="sect4">Facultatives</bridgehead>
<para role="optional"><xref linkend="openldap"/>,
<xref linkend="libusb"/>,
<xref linkend="curl"/>, and
<xref linkend="libusb-compat"/>,
<xref linkend="curl"/> et
an <xref linkend="server-mail"/></para>
 
<bridgehead renderas="sect4">Optional (Run-time Requirement For Most of
<bridgehead renderas="sect4">Facultatives (Run-time Requirement For Most of
the Package's Functionality)</bridgehead>
<para role="optional"><xref linkend="pinentry"/></para>
 
<para condition="html" role="usernotes">User Notes:
<para condition="html" role="usernotes">Notes utilisateur&nbsp;:
<ulink url="&blfs-wiki;/gnupg2"/></para>
 
</sect2>
 
<sect2 role="installation">
<title>Installation of GnuPG 2</title>
<title>Installation de GnuPG 2</title>
 
<para>Install <application>GnuPG 2</application> by running the following
commands:</para>
<para>Installez <application>GnuPG 2</application> en lançant les commandes
suivantes&nbsp;:</para>
 
<screen><userinput>./configure --prefix=/usr --libexecdir=/usr/lib/gnupg2 &amp;&amp;
make</userinput></screen>
 
<para>If you have <xref linkend="tetex"/> installed and you wish to create
documentation in alternate formats, issue the following commands:</para>
<para>If you have <xref linkend="tetex"/> installed et you wish to create
documentation in alternate formats, issue les commandes suivantes&nbsp;:</para>
 
<screen><userinput>make -C doc pdf ps html &amp;&amp;
makeinfo --html --no-split -o doc/gnupg_nochunks.html doc/gnupg.texi &amp;&amp;
makeinfo --plaintext -o doc/gnupg.txt doc/gnupg.texi</userinput></screen>
 
<para>To test the results, issue: <command>make check</command>.</para>
<para>Pour tester les résultats, lancez&nbsp;: <command>make check</command>.</para>
 
<para>Now, as the <systemitem class="username">root</systemitem> user:</para>
<para>Maintenant, en tant qu'utilisateur <systemitem class="username">root</systemitem>&nbsp;:</para>
 
<!-- Removing this from the commands as it doesn't appear
necessary any longer. See the gnupg.texi file (or some
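Review bot: Two strings in this hunk switch language mid-phrase: the bridgehead "Facultatives (Run-time Requirement For Most of the Package's Functionality)" and the sentence ending "issue les commandes suivantes :". Translate each unit completely or leave it in English, and do the same for the "GnuPG Dependencies" bridgehead, which stays English above the translated "Requises" and "Facultatives" headings.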
131,7 → 131,7
 
<para>If you created alternate formats of the documentation, install it
using the following command as the
<systemitem class="username">root</systemitem> user:</para>
<systemitem class="username">root</systemitem>&nbsp;:</para>
 
<screen role="root"><userinput>install -v -m755 -d /usr/share/doc/gnupg-&gnupg2-version;/html &amp;&amp;
install -v -m644 doc/gnupg.html/* \
146,7 → 146,7
</sect2>
 
<sect2 role="commands">
<title>Command Explanations</title>
<title>Explication des commandes</title>
 
<para><parameter>--libexecdir=/usr/lib/gnupg2</parameter>: This switch
creates a <filename class="directory">gnupg</filename> directory in
163,25 → 163,25
</sect2>
 
<sect2 role="content">
<title>Contents</title>
<title>Contenu</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<segtitle>Programmes installés</segtitle>
<segtitle>Bibliothèques installées</segtitle>
<segtitle>Répertoires installés</segtitle>
 
<seglistitem>
<seg>addgnupghome, applygnupgdefaults, gpg-agent, gpg-connect-agent,
gpg2, gpgconf, gpgkey2ssh, gpgparsemail, gpgsm, gpgsm-gencert.sh,
gpgv2, kbxutil, scdaemon, symcryptrun, and watchgnupg</seg>
gpgv2, kbxutil, scdaemon, symcryptrun, et watchgnupg</seg>
<seg>None</seg>
<seg>/usr/lib/gnupg2, /usr/share/gnupg and
<seg>/usr/lib/gnupg2, /usr/share/gnupg et
/usr/share/doc/gnupg2-&gnupg2-version;</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<bridgehead renderas="sect3">Descriptions courtes</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
 
188,7 → 188,7
<varlistentry id="addgnupghome">
<term><command>addgnupghome</command></term>
<listitem>
<para>is used to create and populate user's
<para>is used to create et populate user's
<filename class='directory'>~/.gnupg</filename> directories</para>
<indexterm zone="gnupg2 addgnupghome">
<primary sortas="b-addgnupghome">addgnupghome</primary>
213,7 → 213,7
<listitem>
<para>is a daemon used to manage secret (private) keys independently
from any protocol. It is used as a backend for <command>gpg</command>
and <command>gpgsm</command> as well as for a couple of other
et <command>gpgsm</command> as well as for a couple of other
utilities.</para>
<indexterm zone="gnupg2 gpg-agent">
<primary sortas="b-gpg-agent">gpg-agent</primary>
236,7 → 236,7
<term><command>gpg2</command></term>
<listitem>
<para>is the OpenPGP part of the GNU Privacy Guard (GnuPG). It is a
tool used to provide digital encryption and signing services using
tool used to provide digital encryption et signing services using
the OpenPGP standard.</para>
<indexterm zone="gnupg2 gpg2">
<primary sortas="b-gpg2">gpg2</primary>
247,8 → 247,8
<varlistentry id="gpgconf">
<term><command>gpgconf</command></term>
<listitem>
<para>is a utility used to automatically and reasonable safely
query and modify configuration files in the
<para>is a utility used to automatically et reasonable safely
query et modify configuration files in the
<filename class='directory'>~/.gnupg</filename> home directory. It is
designed not to be invoked manually by the user, but automatically by
graphical user interfaces.</para>
273,7 → 273,7
<term><command>gpgsm</command></term>
<listitem>
<para>is a tool similar to <command>gpg</command> used to provide
digital encryption and signing services on X.509 certificates and the
digital encryption et signing services on X.509 certificates and the
CMS protocol. It is mainly used as a backend for S/MIME mail
processing.</para>
<indexterm zone="gnupg2 gpgsm">
285,7 → 285,7
<varlistentry id="gpgsm-gencert.sh">
<term><command>gpgsm-gencert.sh</command></term>
<listitem>
<para>is a simple tool used to interactivly generate a certificate
<para>is a simple tool used to interactively generate a certificate
request which will be printed to stdout.</para>
<indexterm zone="gnupg2 gpgsm-gencert.sh">
<primary sortas="b-gpgsm-gencert.sh">gpgsm-gencert.sh</primary>
306,7 → 306,7
<varlistentry id="kbxutil">
<term><command>kbxutil</command></term>
<listitem>
<para>is used to list, export and import Keybox data.</para>
<para>is used to list, export et import Keybox data.</para>
<indexterm zone="gnupg2 kbxutil">
<primary sortas="b-kbxutil">kbxutil</primary>
</indexterm>
317,7 → 317,7
<term><command>scdaemon</command></term>
<listitem>
<para>is a daemon used to manage smartcards. It is usually invoked by
<command>gpg-agent</command> and in general not used directly.</para>
<command>gpg-agent</command> et in general not used directly.</para>
<indexterm zone="gnupg2 scdaemon">
<primary sortas="b-scdaemon">scdaemon</primary>
</indexterm>
/trunk/blfs/postlfs/security/firewalling.xml
1,165 → 1,188
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<sect1 id="fw-firewall" xreflabel="Firewalling">
<sect1info>
<othername>$LastChangedBy: bdubbs $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="firewall.html"?>
<title>Setting up a network firewall</title>
<?dbhtml filename="firewall.html"?>
 
<para>Before you read this part of the chapter, you should
have already installed iptables as described in the previous section.</para>
<sect1info>
<othername>$LastChangedBy: bdubbs $</othername>
<date>$Date: 2009-02-24 10:53:46 +0100 (mar 24 fév 2009) $</date>
</sect1info>
 
<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewall Creation</title>
<title>Setting Up a Network Firewall</title>
 
<para>The general purpose of a firewall is to protect a computer or a network
against malicious access.</para>
<para>Before you read this part of the chapter, you should have
already installed iptables as described in the previous section.</para>
 
<para>In a perfect world, every daemon or service
on every machine is perfectly configured and immune to flaws such as
buffer overflows or other problems regarding its
security. Furthermore, you trust every user accessing your services.
In this world, you do not need to have a firewall.</para>
<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction à Firewall Creation</title>
 
<para>In the real world however, daemons may be misconfigured
and exploits against essential services are freely available. You
may wish to choose which services are accessible by certain machines or
you may wish to limit which machines or applications are allowed external
access. Alternatively, you may simply not trust some of your
applications or users. You are probably connected to the Internet. In this
world, a firewall is essential.</para>
<para>The general purpose of a firewall is to protect a computer or
a network against malicious access.</para>
 
<para>Don't assume however, that having a firewall makes careful configuration
redundant, or that it makes any negligent misconfiguration harmless. It doesn't
prevent anyone from exploiting a service you intentionally offer but haven't
recently updated or patched after an exploit went public. Despite having a
firewall, you need to keep applications and daemons on your system properly
configured and up to date. A firewall is not a cure all, but should be an
essential part of your overall security startegy.</para>
<para>In a perfect world, every daemon or service on every machine
is perfectly configured et immune to flaws such as buffer overflows
or other problems regarding its security. Furthermore, you trust
every user accessing your services. In this world, you do not need
to have a firewall.</para>
 
</sect2>
<para>In the real world however, daemons may be misconfigured et
exploits against essential services are freely available. You may
wish to choose which services are accessible by certain machines or
you may wish to limit which machines or applications are allowed
external access. Alternatively, you may simply not trust some of
your applications or users. You are probably connected to the
Internet. In this world, a firewall is essential.</para>
 
<sect2>
<title>Meaning of the word "firewall"</title>
<para>Don't assume however, that having a firewall makes careful
configuration redundant, or that it makes any negligent
misconfiguration harmless. It doesn't prevent anyone from exploiting
a service you intentionally offer but haven't recently updated or
patched after an exploit went public. Despite having a firewall, you
need to keep applications et daemons on your system properly
configured et up to date. A firewall is not a cure all, but should
be an essential part of your overall security strategy.</para>
 
<para>The word firewall can have several different meanings.</para>
</sect2>
 
<sect3><title><xref linkend="fw-persFw"/></title>
<sect2>
<title>Meaning of the Word "Firewall"</title>
 
<para>This is a hardware device or software program commercially sold by
companies such as Symantec which claims that it
secures a home or desktop computer with Internet access. This type of firewall is
highly relevant for users who do not know how their computers
might be accessed via the Internet or how to disable that access,
especially if they are always online and connected via
broadband links.</para></sect3>
<para>The word firewall can have several different meanings.</para>
 
<sect3>
<title><xref linkend="fw-masqRouter"/></title>
<sect3>
<title><xref linkend="fw-persFw"/></title>
 
<para>This is a system placed between the Internet and an intranet. To minimize
the risk of compromising the firewall itself, it should generally have only one
role&mdash;that of protecting the intranet. Although not completely risk free,
the tasks of doing the routing and IP masquerading (rewriting IP headers of
the packets it routes from clients with private IP addresses onto the Internet
so that they seem to come from the firewall itself) are commonly considered
relatively secure.</para>
</sect3>
<para>This is a hardware device or software program commercially sold (or
offered via freeware) by companies such as Symantec which claims that
it secures a home or desktop computer connected to the Internet. This
type of firewall is highly relevant for users who do not know how their
computers might be accessed via the Internet or how to disable
that access, especially if they are always online et connected
via broadband links.</para>
 
<sect3>
<title><xref linkend="fw-busybox"/></title>
</sect3>
 
<para>This is often an old computer you may have retired and nearly forgotten,
performing masquerading or routing functions, but offering non-firewall
services such as a web-cache or mail. This may be used for home
networks, but is not be considered as secure as a firewall only
machine because the combination of server and router/firewall on one machine
raises the complexity of the setup.</para>
</sect3>
<sect3>
<title><xref linkend="fw-masqRouter"/></title>
 
<sect3>
<title>Firewall with a demilitarized zone [not further described here]</title>
<para>This box performs masquerading or routing, but grants public access to
some branch of your network which, because of public IP's and a physically
separated structure, is essentially a separate network with direct Internet access.
The servers on this network are those which must be easily accessible
from both the Internet and intranet. The firewall protects
both networks. This type of firewall has a minimum of three network interfaces.</para>
</sect3>
<para>This is a system placed between the Internet et an intranet.
To minimize the risk of compromising the firewall itself, it should
generally have only one role&mdash;that of protecting the intranet.
Although not completely risk free, the tasks of doing the routing et
IP masquerading (rewriting IP headers of the packets it routes from
clients with private IP addresses onto the Internet so that they seem
to come from the firewall itself) are commonly considered relatively
secure.</para>
 
<sect3>
<title>Packetfilter</title>
<para>This type of firewall does routing or masquerading, but does not maintain
a state table of ongoing communication streams. It is fast, but quite limited
in its ability to block inappropriate packets without blocking desired
packets.</para>
</sect3>
</sect2>
</sect3>
 
<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
<title>Now you can start to build your Firewall</title>
<sect3>
<title><xref linkend="fw-busybox"/></title>
 
<caution><para>This introduction on how to setup a firewall
is not a complete guide to securing systems. Firewalling is a complex issue
that requires careful configuration. The scripts quoted here are simply
intended to give examples of how a firewall works. They are not intended to
fit into any particular configuration and may not provide complete protection
from an attack.</para>
<para>This is often an old computer you may have retired et nearly
forgotten, performing masquerading or routing functions, but offering
non-firewall services such as a web-cache or mail. This may be used
for home networks, but is not to be considered as secure as a firewall
only machine because the combination of server et router/firewall on
one machine raises the complexity of the setup.</para>
 
<para>Customization of these scripts for your specific situation will
be necessary for an optimal configuration, but you should make a serious
study of the iptables documentation and creating firewalls in general before
hacking away. Have a look at the list of
<xref linkend="fw-library"/> at the end of this section for
more details. There you will find a list of URLs that contain quite
comprehensive information about building your own firewall.</para>
</caution>
</sect3>
 
<para>The firewall configuration script installed in the last section differs
from the standard configuration script. It only has two of the standard
targets: start and status. The other targets are clear and lock. For instance when you
run:
<sect3>
<title>Firewall with a Demilitarized Zone [Not Further
Described Here]</title>
 
<screen><userinput><command>/etc/rc.d/init.d/iptables start</command></userinput></screen>
<para>This box performs masquerading or routing, but grants public
access to some branch of your network which, because of public IPs
et a physically separated structure, is essentially a separate
network with direct Internet access. The servers on this network are
those which must be easily accessible from both the Internet et
intranet. The firewall protects both networks. This type of firewall
has a minimum of three network interfaces.</para>
 
the firewall will be restarted just as it is upon system startup. The status target
will present a list of all currently implemented rules. The clear target turns off all
firewall rules and the lock target will block all packets in and out of the computer
with the exception of the loopback interface.</para>
</sect3>
 
<para>The main startup firewall is located in the file
<filename>/etc/rc.d/rc.iptables</filename>. The sections below provide three different
approaches that can be used for a system.</para>
<sect3>
<title>Packetfilter</title>
 
<note><para>You should always run your firewall rules from a script. This ensures
consistency and a record of what was done. It also allows retention of comments
that are essential for understanding the rules long after they were written.
</para></note>
<para>This type of firewall does routing or masquerading, but does
not maintain a state table of ongoing communication streams. It is
fast, but quite limited in its ability to block undesired packets
without blocking desired packets.</para>
 
<sect3 id="fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>
</sect3>
 
<para>A Personal Firewall is designed to let you access all the services
offered on the Internet, but keep your box secure and your data private.</para>
</sect2>
 
<para>Below is a slightly modified version of Rusty Russell's recommendation
from the
<ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable to the Linux 2.6 kernels.</para>
<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
<title>Maintenant You Can Start to Build your Firewall</title>
 
<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
#!/bin/sh
<caution>
<para>This introduction on how to setup a firewall is not a
complete guide to securing systems. Firewalling is a complex
issue that requires careful configuration. The scripts quoted
here are simply intended to give examples of how a firewall
works. They are not intended to fit into any particular
configuration et may not provide complete protection from
an attack.</para>
 
<para>Customization of these scripts for your specific situation
will be necessary for an optimal configuration, but you should
make a serious study of the iptables documentation et creating
firewalls in general before hacking away. Have a look at the
list of <xref linkend="fw-library"/> at the end of this section for
more details. There you will find a list of URLs that contain quite
comprehensive information about building your own firewall.</para>
</caution>
 
<para>The firewall configuration script installed in the iptables section
differs from the standard configuration script. It only has two of
the standard targets: start et status. The other targets are clear
et lock. For instance if you lancez&nbsp;:</para>
 
<screen role="root"><userinput>/etc/rc.d/init.d/iptables start</userinput></screen>
 
<para>the firewall will be restarted just as it is upon system startup.
The status target will present a list of all currently implemented
rules. The clear target turns off all firewall rules et the lock
target will block all packets in et out of the computer with the
exception of the loopback interface.</para>
 
<para>The main startup firewall is located in the file
<filename>/etc/rc.d/rc.iptables</filename>. The sections below provide
three different approaches that can be used for a system.</para>
 
<note>
<para>You should always run your firewall rules from a script.
This ensures consistency et a record of what was done. It also
allows retention of comments that are essential for understanding
the rules long after they were written.</para>
</note>
 
<sect3 id="fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>
 
<para>A Personal Firewall is designed to let you access all the
services offered on the Internet, but keep your box secure et
your data private.</para>
 
<para>Below is a slightly modified version of Rusty Russell's
recommendation from the <ulink
url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable
to the Linux 2.6 kernels.</para>
 
<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh
 
# Begin $rc_base/rc.iptables
 
# Insert connection-tracking modules
# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
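Review bot: Three reader-visible strings in this hunk are half translated: `<title>Introduction à Firewall Creation</title>`, `<title>Maintenant You Can Start to Build your Firewall</title>` and "For instance if you lancez&nbsp;:". The two titles are section headings, so they should be either fully French or the untouched upstream English. The same applies to the "et" conjunctions scattered through the surrounding paragraphs.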
173,6 → 196,7
 
# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_source_route
 
# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
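Review bot: The added `conf/default/accept_source_route` line has no comment saying why it sits next to the `all` setting. A one-line comment that `default` is there for interfaces that appear after the script has run (such as the `ppp+` links used later in this file) would keep someone from deleting it as a duplicate.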
180,20 → 204,23
# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
 
# Don¹t send Redirect Messages
# Don't send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
echo 0 &gt; /proc/sys/net/ipv4/conf/default/send_redirects
 
# Drop Spoofed Packets coming in on an interface, where responses
# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 &gt; /proc/sys/net/ipv4/conf/default/rp_filter
 
# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
echo 1 &gt; /proc/sys/net/ipv4/conf/default/log_martians
 
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
 
# disable Explicit Congestion Notification
# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
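Review bot: `accept_redirects` is still written only under `conf/all` at the top of this hunk, while `send_redirects`, `rp_filter` and `log_martians` each gain a `conf/default` line here. Add `echo 0 &gt; /proc/sys/net/ipv4/conf/default/accept_redirects` under the "Disable ICMP Redirect Acceptance" comment so that redirect acceptance is handled the same way as the other three settings.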
 
201,25 → 228,25
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-exisiting user defined chains before we implement new rules.
 
# These lines are here in case rules are already in place et the
# script is ever rerun on the fly. We want to remove all rules et
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
 
iptables -t nat -F
 
# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
 
# Free output on any interface to any ip for any service
# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT
 
# Permit answers on already established connections
# and permit new connections related to established ones
# et permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
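Review bot: The `and` to `et` substitution has reached inside the here-document, so the comments of the installed `/etc/rc.d/rc.iptables` now read "already in place et the" and "# et permit new connections related to established ones". Exclude `<screen>` and `<literal>` content from the substitution, or translate these comment blocks in full. The `pre-exisiting` spelling fix in the same block is fine to keep.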
 
226,38 → 253,42
# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
 
# End $rc_base/rc.iptables
<command>EOF</command></userinput></screen>
# End $rc_base/rc.iptables</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
 
<para>This script is quite simple, it drops all traffic coming in into your
computer that wasn't initiated from your box, but as long as you are simply
surfing the Internet you are unlikely to exceed its limits.</para>
<para>This script is quite simple, it drops all traffic coming
into your computer that wasn't initiated from your computer, but
as long as you are simply surfing the Internet you are unlikely
to exceed its limits.</para>
 
<para>If you frequently encounter certain delays at accessing ftp-servers,
take a look at <xref linkend="fw-BB-4"/>.</para>
<para>If you frequently encounter certain delays at accessing
FTP servers, take a look at <xref linkend="fw-BB-4"/>.</para>
 
<para>Even if you have daemons or services running on your system, these
will be inaccessible everywhere but from your computer itself.
If you want to allow access to services on your machine, such as ssh or
ping, take a look at <xref linkend="fw-busybox"/>.</para>
<para>Even if you have daemons or services running on your system,
these will be inaccessible everywhere but from your computer itself.
If you want to allow access to services on your machine, such as
<command>ssh</command> or <command>ping</command>, take a look at
<xref linkend="fw-busybox"/>.</para>
 
</sect3>
</sect3>
 
<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>
<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>
 
<para>A true Firewall has two interfaces, one connected to an intranet, in this
example <emphasis role="strong">eth0</emphasis>, and one connected to the
Internet, here <emphasis role="strong">ppp0</emphasis>. To provide the
maximum security for the firewall itself, make sure that there
are no unnecessary servers running on it such as <application>X11</application> et
al. As a general principle, the firewall itself should not access any
untrusted service (Think of a remote server giving answers that makes a daemon on
your system
crash, or, even worse, that implements a worm via a buffer-overflow).</para>
<para>A true Firewall has two interfaces, one connected to an
intranet, in this example <emphasis role="strong">eth0</emphasis>,
et one connected to the Internet, here <emphasis
role="strong">ppp0</emphasis>. To provide the maximum security
for the firewall itself, make sure that there are no unnecessary
servers running on it such as <application>X11</application> et
al. As a general principle, the firewall itself should not access
any untrusted service (think of a remote server giving answers that
makes a daemon on your system crash, or even worse, that implements
a worm via a buffer-overflow).</para>
 
<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
#!/bin/sh
<screen role="root"><?dbfo keep-together="auto"?><userinput>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"
<literal>#!/bin/sh
 
# Begin $rc_base/rc.iptables
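Review bot: The `LOG` rule that closes the personal firewall script, `iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "`, has no rate limit, so every packet that falls through to it is written to the log. Since this hunk already reworks the end of the script to add `chmod 700`, consider adding a `-m limit` match to that rule, or a sentence in the following `<para>` telling the reader that the log can grow quickly.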
 
270,7 → 301,7
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo "http://www.&lfs-domainname;/blfs"
echo
 
# Insert iptables modules (not needed if built into the kernel).
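Review bot: The URL echoed by the script now depends on `&lfs-domainname;`, which is not declared in this file and has to come from `general.ent`. Please confirm the entity is defined there, because its expanded value is what ends up in the `rc.iptables` the reader creates from this listing.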
311,7 → 342,7
# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
 
# Disable Explicit Congestion Notification
# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
 
319,14 → 350,14
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-exisiting user defined chains before we implement new rules.
 
# These lines are here in case rules are already in place et the
# script is ever rerun on the fly. We want to remove all rules et
# pre-existing user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
 
iptables -t nat -F
 
# Allow local connections
341,169 → 372,197
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
 
# Log everything for debugging
# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
 
# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
<command>EOF</command></userinput></screen>
# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward</literal>
EOF
chmod 700 /etc/rc.d/rc.iptables</userinput></screen>
 
<para>With this script your intranet should be reasonably secure against
external attacks. No one should be able to setup a new connection to any
internal service and, if it's masqueraded, makes your intranet invisible to the
Internet. Furthermore, your firewall should be relatively safe because there
are no services running that a cracker could attack.</para>
<para>With this script your intranet should be reasonably secure
against external attacks. No one should be able to setup a new
connection to any internal service et, if it's masqueraded,
makes your intranet invisible to the Internet. Furthermore, your
firewall should be relatively safe because there are no services
running that a cracker could attack.</para>
 
<note><para>If the interface you're connecting to the Internet doesn't connect
via ppp, you will need to change <replaceable>ppp+</replaceable> to the name of
the interface, e.g. <emphasis role="strong">eth1</emphasis>, which you are using.
</para></note>
<note>
<para>If the interface you're connecting to the Internet
doesn't connect via PPP, you will need to change
<replaceable>&lt;ppp+&gt;</replaceable> to the name of the interface
(e.g., <emphasis role="strong">eth1</emphasis>) which you are
using.</para>
</note>
 
</sect3>
</sect3>
 
<sect3 id="fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>
<sect3 id="fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>
 
<para>This scenario isn't too different from the <xref linkend="fw-masqRouter"/>,
but additionally offers some services to your intranet.
Examples of this can be when you want to administer your firewall from another host
on your intranet or use it as a proxy or a name server.</para>
<para>This scenario isn't too different from the <xref
linkend="fw-masqRouter"/>, but additionally offers some
services to your intranet. Examples of this can be when
you want to administer your firewall from another host on
your intranet or use it as a proxy or a name server.</para>
 
<note><para>Outlining a true concept of how to protect a server that offers
services on the Internet goes far beyond the scope of this document. See the references
at the end of this section for more information.</para></note>
<note>
<para>Outlining a true concept of how to protect a server that
offers services on the Internet goes far beyond the scope of
this document. See the references at the end of this section
for more information.</para>
</note>
 
<para>Be cautious. Every service you have enabled makes your
setup more complex and your firewall less secure. You are exposed to the risks of
misconfigured services or running a service with an exploitable bug. A
firewall should generally not run any extra services. See the introduction to
the <xref linkend="fw-masqRouter"/> for some more details.</para>
<para>Be cautious. Every service you have enabled makes your
setup more complex et your firewall less secure. You are
exposed to the risks of misconfigured services or running
a service with an exploitable bug. A firewall should generally
not run any extra services. See the introduction to the
<xref linkend="fw-masqRouter"/> for some more details.</para>
 
<para>If you want to add services such as internal samba or name servers that do not
need to access the Internet themselves, the additional statements are quite
simple and should still be acceptable from a security standpoint.
Just add the following lines
into the script <emphasis>before</emphasis> the logging rules.</para>
<para>If you want to add services such as internal Samba or
name servers that do not need to access the Internet themselves,
the additional statements are quite simple et should still be
acceptable from a security standpoint. Just add the following lines
into the script <emphasis>before</emphasis> the logging rules.</para>
 
<screen>iptables -A INPUT -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen>
<screen><literal>iptables -A INPUT -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT</literal></screen>
 
<para>If daemons, such as squid, have to access the Internet themselves,
you could open OUTPUT generally and restrict INPUT.</para>
<para>If daemons, such as squid, have to access the Internet
themselves, you could open OUTPUT generally et restrict
INPUT.</para>
 
<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</screen>
<screen><literal>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</literal></screen>
 
<para>However, it is generally not advisable to leave OUTPUT unrestricted. You
lose any control over trojans who would like to "call home", and a bit of
redundancy in case you've (mis-)configured a service so that it broadcasts
its existence to the world.</para>
<para>However, it is generally not advisable to leave OUTPUT
unrestricted. You lose any control over trojans who would like
to "call home", et a bit of redundancy in case you've
(mis-)configured a service so that it broadcasts its existence
to the world.</para>
 
<para>To accomplish this, you should restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have open.
Which ports you have to open depends on your needs: mostly you will find them
by looking for failed accesses in your log files.</para>
<itemizedlist spacing="compact" role='iptables'>
<para>To accomplish this, you should restrict INPUT et OUTPUT
on all ports except those that it's absolutely necessary to have
open. Which ports you have to open depends on your needs: mostly
you will find them by looking for failed accesses in your log
files.</para>
 
<title>Have a look at the following examples:</title>
<itemizedlist spacing="compact" role='iptables'>
<title>Have a Look at the Following Examples:</title>
<listitem>
<para>Squid is caching the web:</para>
 
<listitem><para>Squid is caching the web:</para>
<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
<screen><literal>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
-j ACCEPT</screen>
</listitem>
-j ACCEPT</literal></screen>
 
<listitem><para>Your caching name server (e.g., named) does its
lookups via udp:</para>
<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</screen>
</listitem>
</listitem>
<listitem>
<para>Your caching name server (e.g., named) does its
lookups via UDP:</para>
 
<listitem><para>You want to be able to ping your box to
ensure it's still alive:</para>
<screen><literal>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</literal></screen>
 
<screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen>
</listitem>
</listitem>
<listitem>
<para>You want to be able to ping your computer to
ensure it's still alive:</para>
 
<listitem><para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If you are
frequently accessing ftp servers or enjoy chatting, you might notice certain
delays because some implementations of these daemons have the feature of
querying an identd on your system to obtain usernames. Although there's really
little harm in this, having an identd running is not recommended because many
security experts feel the service gives out too much additional information.</para>
<screen><literal>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</literal></screen>
 
<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>
</listitem>
<listitem>
<para id='fw-BB-4' xreflabel="BusyBox example number 4">If
you are frequently accessing FTP servers or enjoy chatting, you might
notice certain delays because some implementations of these daemons
have the feature of querying an identd on your system to obtain
usernames. Although there's really little harm in this, having an
identd running is not recommended because many security experts feel
the service gives out too much additional information.</para>
 
<screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</screen>
</listitem>
<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>
 
<listitem><para>To log and drop invalid packets (packets
that came in after netfilter's timeout or some types of network scans):</para>
<screen><literal>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</literal></screen>
 
<screen>iptables -I INPUT -p tcp -m state --state INVALID \
</listitem>
<listitem>
<para>To log et drop invalid packets (packets
that came in after netfilter's timeout or some types of
network scans)&nbsp;:</para>
 
<screen><literal>iptables -I INPUT -p tcp -m state --state INVALID \
-j LOG --log-prefix "FIREWALL:INVALID"
iptables -I INPUT -p tcp -m state --state INVALID -j DROP</screen></listitem>
iptables -I INPUT -p tcp -m state --state INVALID -j DROP</literal></screen>
 
<listitem><para>Anything coming from the outside should not have a
private address, this is a common attack called IP-spoofing:
</listitem>
<listitem>
<para>Anything coming from the outside should not have a
private address, this is a common attack called IP-spoofing:</para>
 
<screen>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
<screen><literal>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</literal></screen>
 
There are other addresses that you may also want to drop: 0.0.0.0/8,
127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link
Local Networks), and 192.0.2.0/24 (IANA defined test network).</para>
</listitem>
<para>There are other addresses that you may also want to
drop: 0.0.0.0/8, 127.0.0.0/8, 224.0.0.0/3 (multicast et
experimental), 169.254.0.0/16 (Link Local Networks), et
192.0.2.0/24 (IANA defined test network).</para>
</listitem>
<listitem>
<para>If your firewall is a DHCP client, you need to allow
those packets:</para>
 
<listitem><para>If your firewall is a DHCP client, you need to allow
those packets:</para>
<screen><literal>iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT</literal></screen>
 
<screen>iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT</screen>
</listitem>
</listitem>
<listitem>
<para>To simplify debugging et be fair to anyone who'd like
to access a service you have disabled, purposely or by mistake,
you could REJECT those packets that are dropped.</para>
 
<listitem><para>To simplify debugging and be fair to anyone who'd like to
access a service you have disabled, purposely or by mistake, you could REJECT
those packets that are dropped.</para>
<para>Obviously this must be done directly after logging as the very
last lines before the packets are dropped by policy:</para>
 
<para>Obviously this must be done directly after logging as the very
last lines before the packets are dropped by policy:</para>
<screen><literal>iptables -A INPUT -j REJECT</literal></screen>
 
<screen>iptables -A INPUT -j REJECT</screen>
</listitem>
</itemizedlist>
</listitem>
</itemizedlist>
 
<para>These are only examples to show you some of the capabilities of the
firewall code in Linux. Have a look at the man page of iptables.
There you will find much more information. The port numbers needed for this can be
found in <filename>/etc/services</filename>, in case you didn't find them by
trial and error in your log file.</para>
<para>These are only examples to show you some of the capabilities
of the firewall code in Linux. Have a look at the man page of iptables.
There you will find much more information. The port numbers needed for
this can be found in <filename>/etc/services</filename>, in case you
didn't find them by trial et error in your log file.</para>
 
</sect3>
</sect2>
</sect3>
 
<sect2 id="fw-finale" xreflabel="Conclusion">
<title>Conclusion</title>
</sect2>
 
<para>Finally, there is one fact you must not forget: The effort spent
attacking a system corresponds to the value the cracker expects to gain from
it. If you are responsible for valuable information, you need to spend the
time to protect it properly.</para>
<sect2 id="fw-finale" xreflabel="Conclusion">
<title>Conclusion</title>
 
</sect2>
<para>Finally, there is one fact you must not forget: The effort spent
attacking a system corresponds to the value the cracker expects to gain
from it. If you are responsible for valuable information, you need to
spend the time to protect it properly.</para>
 
<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
<title>Extra Information</title>
</sect2>
 
<sect3 id="fw-library" xreflabel="Links for further reading">
<title>Where to start with further reading on firewalls.</title>
<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
<title>Extra Information</title>
 
<para><blockquote><literallayout>
<sect3 id="fw-library" xreflabel="links for further reading">
<title>Where to Start with Further Reading on Firewalls</title>
 
<blockquote>
<literallayout>
<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
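Review bot: The reflowed paragraphs in the new revision swap the English conjunction "and" for "et" while the rest of each sentence stays English ("multicast et experimental", "To simplify debugging et be fair", "trial et error"), which reads like a global search-and-replace rather than a translation. Either translate these paragraphs in full or restore "and". Separately, the DHCP rule matches -i ppp0 while the private-range DROP rules above it match -i ppp+; if the difference is intentional it deserves a sentence in the text, otherwise the two should use the same interface match.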
510,12 → 569,8
<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
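Review bot: The www.little-idiot.de/firewall entry is kept even though its own label reads "German & outdated, but very comprehensive", while the IBM developerWorks, interhack and Linux Gazette entries around it are dropped as stale. For a firewall reading list I would apply the same test to it, or at least say what it is outdated relative to. The label is also left in English in a file that is being translated.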
523,13 → 578,26
<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
</literallayout>
</blockquote>
 
<!-- The following are all dead links from the section above. They are
moved out of the section so the literallayout won't produce blank
lines in the rendered text
 
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
</literallayout></blockquote></para>
</sect3>
 
</sect2>
-->
 
</sect3>
 
</sect2>
 
</sect1>
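Review bot: www.insecure.org/reading.html appears twice in the new text as rendered here: once inside the live literallayout, just before its closing tag, and once inside the comment that begins "The following are all dead links". It should be in only one of the two places, depending on whether the link still resolves. Consider also deleting the dead entries outright instead of parking them in an XML comment, since the repository history already preserves them.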
 
/trunk/blfs/postlfs/security/heimdal.xml
1,217 → 1,359
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY heimdal-download-http "http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-&heimdal-version;.tar.gz">
<!ENTITY heimdal-download-http "http://www.h5l.org/dist/src/heimdal-&heimdal-version;.tar.gz">
<!ENTITY heimdal-download-ftp "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
<!ENTITY heimdal-md5sum "2265fd2d4573dd3a8da45ce62519e48b">
<!ENTITY heimdal-size "3.3 MB">
<!ENTITY heimdal-buildsize "70 MB">
<!ENTITY heimdal-time "2.18 SBU">
<!ENTITY heimdal-md5sum "7892e97b346534cc9afeeee461fe3bab">
<!ENTITY heimdal-size "3.6 Mio">
<!ENTITY heimdal-buildsize "136 Mio">
<!ENTITY heimdal-time "4.0 SBU (additional 1.5 SBU to run the test suite)">
]>
 
<sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="heimdal.html"?>
<title>Heimdal-&heimdal-version;</title>
<indexterm zone="heimdal">
<primary sortas="a-Heimdal">Heimdal</primary>
</indexterm>
<?dbhtml filename="heimdal.html"?>
 
<sect2>
<title>Introduction to <application>Heimdal</application></title>
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2009-07-19 16:13:01 +0200 (dim 19 jui 2009) $</date>
</sect1info>
 
<para><application>Heimdal</application> is a free implementation of Kerberos
5, that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards
compatible with krb4. Kerberos is a network authentication protocol. Basically
it preserves the integrity of passwords in any untrusted network (like the
Internet). Kerberized applications work hand-in-hand with sites that support
Kerberos to ensure that passwords cannot be stolen. A Kerberos installation
will make changes to the authentication mechanisms on your network and will
overwrite several programs and daemons from the
<application>Coreutils</application>, <application>Inetutils</application>,
<application>Qpopper</application> and <application>Shadow</application>
packages.</para>
<title>Heimdal-&heimdal-version;</title>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP):
<ulink url="&heimdal-download-http;"/></para></listitem>
<listitem><para>Download (FTP):
<ulink url="&heimdal-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &heimdal-md5sum;</para></listitem>
<listitem><para>Download size: &heimdal-size;</para></listitem>
<listitem><para>Estimated disk space required:
&heimdal-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&heimdal-time;</para></listitem></itemizedlist>
</sect3>
<indexterm zone="heimdal">
<primary sortas="a-Heimdal">Heimdal</primary>
</indexterm>
 
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required Patch: <ulink
url="&patch-root;/heimdal-&heimdal-version;-fhs_compliance-1.patch"/></para>
</listitem>
<listitem><para>Required patch for cracklib: <ulink
url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para>
</listitem>
</itemizedlist>
<sect2 role="package">
<title>Introduction à Heimdal</title>
 
</sect3>
<para><application>Heimdal</application> is a free implementation
of Kerberos 5 that aims to be compatible with MIT Kerberos 5 et is
backward compatible with Kerberos 4. Kerberos is a network authentication
protocol. Basically it preserves the integrity of passwords in any
untrusted network (like the Internet). Kerberized applications work
hand-in-hand with sites that support Kerberos to ensure that passwords
cannot be stolen or compromised. A Kerberos installation will make changes
to the authentication mechanisms on your network et will overwrite several
programs et daemons from the <application>Shadow</application>,
<application>Inetutils</application> et
<application>Qpopper</application> packages. See
<ulink url="&files-anduin;/heimdal-overwrites"/> for a complete list of
all the files et commands to rename each of them.</para>
 
<sect3><title><application>Heimdal</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="openssl"/> and
<xref linkend="db"/></para>
</sect4>
<bridgehead renderas="sect3">Informations sur le paquet</bridgehead>
<itemizedlist spacing="compact">
<listitem>
<para>Téléchargement (HTTP)&nbsp;: <ulink url="&heimdal-download-http;"/></para>
</listitem>
<listitem>
<para>Téléchargement (FTP)&nbsp;: <ulink url="&heimdal-download-ftp;"/></para>
</listitem>
<listitem>
<para>Somme de contrôle MD5 du téléchargement&nbsp;: &heimdal-md5sum;</para>
</listitem>
<listitem>
<para>Taille du téléchargement&nbsp;: &heimdal-size;</para>
</listitem>
<listitem>
<para>Estimation de l'espace disque requis&nbsp;: &heimdal-buildsize;</para>
</listitem>
<listitem>
<para>Estimation du temps de construction&nbsp;: &heimdal-time;</para>
</listitem>
</itemizedlist>
 
<sect4><title>Optional</title>
<para><xref linkend="Linux_PAM"/>,
<xref linkend="openldap"/>,
X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>),
<xref linkend="cracklib"/> and
<ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink></para>
<bridgehead renderas="sect3">Téléchargements supplémentaires</bridgehead>
<itemizedlist spacing='compact'>
<listitem>
<para>Requises Patch: <ulink
url="&patch-root;/heimdal-&heimdal-version;-blfs_docs-1.patch"/></para>
</listitem>
<listitem>
<para>Requises Patch: <ulink
url="&patch-root;/heimdal-&heimdal-version;-libss-1.patch"/></para>
</listitem>
</itemizedlist>
 
<note><para>Some sort of time synchronization facility on your system (like
<xref linkend="ntp"/>) is required since Kerberos won't authenticate if the
time differential between a kerberized client and the
<acronym>KDC</acronym> server is more than 5 minutes.</para></note>
</sect4>
<bridgehead renderas="sect3">Heimdal Dependencies</bridgehead>
 
</sect3>
<bridgehead renderas="sect4">Requises to Build the Server-Side Tools</bridgehead>
<para role="required">
<xref linkend="db"/> (recommended) or GDBM (GDBM is installed in LFS)</para>
<!-- <xref linkend="db"/> is recommended (installed in LFS)
or <xref linkend="gdbm"/></para> -->
 
</sect2>
<bridgehead renderas="sect4">Recommandées</bridgehead>
<para role="recommended"><xref linkend="openssl"/></para>
 
<sect2>
<title>Installation of <application>Heimdal</application></title>
<bridgehead renderas="sect4">Facultatives</bridgehead>
<para role="optional"><xref linkend="linux-pam"/>,
<xref linkend="openldap"/>,
<xref linkend="x-window-system"/> et
<ulink url="http://packages.debian.org/stable/source/libcap">libcap</ulink></para>
 
<para>Before installing the package, you may want to preserve the
<command>ftp</command> program from the <application>Inetutils</application>
package. This is because using the <application>Heimdal</application>
<command>ftp</command> program to connect to non-kerberized ftp servers may
not work properly. It will allow you to connect (letting you know that
transmission of the password is clear text) but will have problems doing puts
and gets. Issue the following command as the root user.</para>
<note>
<para>Some sort of time synchronization facility on your system
(like <xref linkend="ntp"/>) is required since Kerberos won't
authenticate if the time differential between a kerberized client
et the KDC server is more than 5 minutes.</para>
</note>
 
<screen><userinput role='root'><command>mv /usr/bin/ftp /usr/bin/ftpn</command></userinput></screen>
<para condition="html" role="usernotes">Notes utilisateur&nbsp;:
<ulink url="&blfs-wiki;/heimdal"/></para>
 
<para>If you wish the <application>Heimdal</application> package to link
against the <application>cracklib</application> library, you must apply a
patch:</para>
</sect2>
 
<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</command></userinput></screen>
<sect2 role="installation">
<title>Installation de Heimdal</title>
 
<para>Install <application>Heimdal</application> by running the following
commands:</para>
<warning>
<para>Ensure you really need a Kerberos installation before you decide
to install this package. Failure to install et configure the package
correctly can alter your system so that users cannot log in.</para>
</warning>
 
<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-fhs_compliance-1.patch &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc/heimdal \
--datadir=/var/lib/heimdal --localstatedir=/var/lib/heimdal \
--libexecdir=/usr/sbin --enable-shared \
--with-openssl=/usr --with-readline=/usr &amp;&amp;
make</command></userinput></screen>
<para>Installez <application>Heimdal</application> en lançant les commandes
suivantes&nbsp;:</para>
 
<para>Now, as the root user:</para>
<screen><userinput>patch -Np1 -i ../heimdal-&heimdal-version;-blfs_docs-1.patch &amp;&amp;
patch -Np1 -i ../heimdal-&heimdal-version;-libss-1.patch &amp;&amp;
 
<screen><userinput role='root'><command>make install &amp;&amp;
mv /bin/login /bin/login.shadow &amp;&amp;
mv /bin/su /bin/su.shadow &amp;&amp;
mv /usr/bin/{login,su} /bin &amp;&amp;
ln -sf ../../bin/login /usr/bin &amp;&amp;
mv /usr/lib/lib{otp.so.0*,kafs.so.0*,krb5.so.17*,asn1.so.6*} \
/usr/lib/lib{roken.so.16*,crypto.so.0*,db-4.3.so} /lib &amp;&amp;
ln -sf ../../lib/lib{otp.so.0{,.1.4},kafs.so.0{,.4.0},db-4.3.so} \
/usr/lib &amp;&amp;
ln -sf ../../lib/lib{krb5.so.17{,.3.0},asn1.so.6{,.0.2}} \
/usr/lib &amp;&amp;
ln -sf ../../lib/lib{roken.so.16{,.0.3},crypto.so.0{,.9.7}} \
/usr/lib &amp;&amp;
ldconfig</command></userinput></screen>
./configure --prefix=/usr \
--sysconfdir=/etc/heimdal \
--libexecdir=/usr/sbin \
--localstatedir=/var/lib/heimdal \
--datadir=/var/lib/heimdal \
--with-hdbdir=/var/lib/heimdal \
--with-readline=/usr \
--enable-kcm &amp;&amp;
make</userinput></screen>
 
</sect2>
<para>If you have <xref linkend="tetex"/> installed et wish to create
alternate forms of the documentation, change into the
<filename class='directory'>doc</filename> directory et issue any or all
of les commandes suivantes&nbsp;:</para>
 
<sect2>
<title>Command explanations</title>
<screen><userinput>pushd doc &amp;&amp;
 
<para><parameter>--libexecdir=/usr/sbin</parameter>: This switch puts the
daemon programs into <filename class="directory">/usr/sbin</filename>.
</para>
make html &amp;&amp;
 
<note><para>
If you want to preserve all your existing <application>Inetutils</application>
package daemons, install the <application>Heimdal</application> daemons into
<filename class="directory">/usr/sbin/heimdal</filename> (or wherever you
want). Since these programs will be called from <command>(x)inetd</command> or
<filename>rc</filename> scripts, it really doesn't matter where they are
installed, as long as they are correctly specified in the
<filename>/etc/(x)inetd.conf</filename> file and <filename>rc</filename>
scripts. If you choose something other than
<filename class="directory">/usr/sbin</filename>, you may want to move some of
the user programs (such as <command>kadmin</command>) to
<filename class="directory">/usr/sbin</filename> manually so they'll be in the
privileged user's default path.</para></note>
texi2pdf heimdal.texi &amp;&amp;
texi2dvi heimdal.texi &amp;&amp;
dvips -o heimdal.ps heimdal.dvi &amp;&amp;
makeinfo --plaintext -o heimdal.txt heimdal.texi &amp;&amp;
 
<para><command>mv ... .shadow; mv ... /bin; ln -sf ../../bin...</command>: The
<command>login</command> and <command>su</command> programs installed by
<application>Heimdal</application> belong in the
<filename class="directory">/bin</filename> directory. The
<command>login</command> program is symlinked because
<application>Heimdal</application> is expecting to find it in
<filename class="directory">/usr/bin</filename>. The old executables are
preserved before the move to keep things sane should breaks occur.</para>
texi2pdf hx509.texi &amp;&amp;
texi2dvi hx509.texi &amp;&amp;
dvips -o hx509.ps hx509.dvi &amp;&amp;
makeinfo --plaintext -o hx509.txt hx509.texi &amp;&amp;
 
<para><command>mv ... /lib; ln -sf ../../lib/lib... /usr/lib</command>: The
<command>login</command> and <command>su</command> programs installed by
<application>Heimdal</application> link against
<application>Heimdal</application> libraries as well as libraries provided by
the <application>Open<acronym>SSL</acronym></application> and
<application>Berkeley <acronym>DB</acronym></application> packages. These
libraries are moved to <filename class="directory">/lib</filename> to be
<acronym>FHS</acronym> compliant and also in case
<filename class="directory">/usr</filename> is located on a separate partition
which may not always be mounted.</para>
popd</userinput></screen>
 
</sect2>
<para>Pour tester les résultats, lancez&nbsp;: <command>make -k check</command>. The
<command>ipropd</command> test is known to fail but all others should
pass.</para>
 
<sect2>
<title>Configuring <application>Heimdal</application></title>
<para>Maintenant, en tant qu'utilisateur <systemitem class="username">root</systemitem>&nbsp;:</para>
 
<sect3 id="heimdal-config"><title>Config files</title>
<para><filename>/etc/heimdal/*</filename></para>
<indexterm zone="heimdal heimdal-config">
<primary sortas="e-etc-heimdal">/etc/heimdal/*</primary>
</indexterm>
</sect3>
<!-- <screen role="root"><?dbfo keep-together="auto"?><userinput>mv -v /usr/include/ss/ss.h /usr/include/ss/ss.h.e2fsprogs &amp;&amp;
mv -v /usr/lib/libss.a /usr/lib/libss.a.e2fsprogs &amp;&amp;
mv -v /usr/lib/libss.so /usr/lib/libss.so.e2fsprogs &amp;&amp;
mv -v /usr/bin/mk_cmds /usr/bin/mk_cmds.e2fsprogs &amp;&amp;
-->
 
<sect3><title>Configuration Information</title>
<screen role="root"><userinput>make install &amp;&amp;
 
<sect4><title>Master <acronym>KDC</acronym> Server Configuration</title>
install -v -m755 -d /usr/share/doc/heimdal-&heimdal-version; &amp;&amp;
install -v -m644 doc/{init-creds,layman.asc} \
/usr/share/doc/heimdal-&heimdal-version; &amp;&amp;
 
<para>Create the Kerberos configuration file with the following
commands:</para>
ln -sfv mech.5 /usr/share/man/man5/qop.5 &amp;&amp;
ln -sfv ../man5/mech.5 /usr/share/man/cat5/qop.5 &amp;&amp;
ln -sfv ../man5/mech.5 /usr/share/man/cat5 &amp;&amp;
 
<screen><userinput role='root'><command>install -d /etc/heimdal &amp;&amp;
cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF"</command>
# Begin /etc/heimdal/krb5.conf
mv -v /bin/login /bin/login.SHADOW &amp;&amp;
mv -v /bin/su /bin/su.SHADOW &amp;&amp;
mv -v /usr/bin/{login,su} /bin &amp;&amp;
ln -v -sf ../../bin/login /usr/bin &amp;&amp;
 
for LINK in lib{otp,kafs,krb5,hx509,asn1,roken,crypto}; do
mv -v /usr/lib/${LINK}.so.* /lib &amp;&amp;
ln -v -sf ../../lib/$(readlink /usr/lib/${LINK}.so) \
/usr/lib/${LINK}.so
done &amp;&amp;
 
mv -v /usr/lib/$(readlink /usr/lib/libdb.so) \
/usr/lib/libdb-?.so \
/lib &amp;&amp;
ln -v -sf ../../lib/$(readlink /usr/lib/libdb.so) \
/usr/lib/libdb.so &amp;&amp;
 
ldconfig</userinput></screen>
 
<!-- mv -v /usr/include/ss/ss.h /usr/include/ss/ss.h.heimdal &amp;&amp;
mv -v /usr/include/ss/ss.h.e2fsprogs /usr/include/ss/ss.h &amp;&amp;
mv -v /usr/lib/libss.a /usr/lib/libss.a.heimdal &amp;&amp;
mv -v /usr/lib/libss.a.e2fsprogs /usr/lib/libss.a &amp;&amp;
mv -v /usr/lib/libss.so /usr/lib/libss.so.heimdal &amp;&amp;
mv -v /usr/lib/libss.so.e2fsprogs /usr/lib/libss.so &amp;&amp;
mv -v /usr/lib/libss.la /usr/lib/libss.la.heimdal &amp;&amp;
mv -v /usr/bin/mk_cmds /usr/bin/mk_cmds.heimdal &amp;&amp;
mv -v /usr/bin/mk_cmds.e2fsprogs /usr/bin/mk_cmds &amp;&amp; -->
 
<para>If you built any of the alternate forms of documentation, install it
using the following commands as the
<systemitem class="username">root</systemitem>&nbsp;:</para>
 
<screen role="root"><userinput>install -v -m644 doc/{heimdal,hx509}.{dvi,ps,pdf,html,txt} \
/usr/share/doc/heimdal-&heimdal-version;</userinput></screen>
 
<para>If you wish to use the <xref linkend="cracklib"/> library to enforce
strong passwords in the KDC database, issue the following commands as the
<systemitem class="username">root</systemitem>&nbsp;:</para>
 
<screen role="root"><userinput>sed -e 's|/usr/pkg|/usr|' \
-e 's|/usr/lib/cracklib_dict|/lib/cracklib/pw_dict|' \
-e 's|/var/heimdal|/var/lib/heimdal|' \
lib/kadm5/check-cracklib.pl \
> /bin/krb5-check-cracklib.pl &amp;&amp;
 
chmod -v 755 /bin/krb5-check-cracklib.pl</userinput></screen>
 
</sect2>
 
<sect2 role="commands">
<title>Explication des commandes</title>
 
<!-- <para><command>mv -v /usr/include/...</command>,
<command>mv -v /usr/lib/libss.* ...</command> et
<command>mv -v /usr/bin/mk_cmds ...</command>: The
<application>Heimdal</application> installation will overwrite an
interface header, static library, library symbolic link et a
shell script from the
<application>E2fsprogs</application> package. These commands rename the
original files before the installation, et then restore them (after
renaming the new <application>Heimdal</application> files) after the
installation.</para> -->
 
<para><parameter>--libexecdir=/usr/sbin</parameter>: This switch causes
the daemon programs to be installed into
<filename class="directory">/usr/sbin</filename>.</para>
 
<tip>
<para>If you want to preserve all your existing
<application>Inetutils</application> package daemons, install the
<application>Heimdal</application> daemons into
<filename class="directory">/usr/sbin/heimdal</filename> (or wherever
you want). Since these programs will be called from
<command>(x)inetd</command> or <filename>rc</filename> scripts, it
really doesn't matter where they are installed, as long as they are
correctly specified in the <filename>/etc/(x)inetd.conf</filename> file
et <filename>rc</filename> scripts. If you choose something other than
<filename class="directory">/usr/sbin</filename>, you may want to move
some of the user programs (such as <command>kadmin</command>) to
<filename class="directory">/usr/sbin</filename> manually so they'll be
in the privileged user's default <envar>PATH</envar>.</para>
</tip>
 
<para><parameter>--localstatedir=/var/lib/heimdal</parameter>,
<parameter>--datadir=/var/lib/heimdal</parameter> et
<parameter>--with-hdbdir=/var/lib/heimdal</parameter>: These parameters
are used so that the KDC database et associated files will all reside
in <filename class='directory'>/var/lib/heimdal</filename>.</para>
 
<para><parameter>--with-readline=/usr</parameter>: This parameter must be
used so that the <command>configure</command> script properly locates the
installed <application>Readline</application> package.</para>
 
<para><parameter>--enable-kcm</parameter>: This parameter enables building
the Kerberos Credentials Manager.</para>
 
<para><command>ln -sfv .../mech.5 /usr/share/man/...</command>: These
commands are used to fix some broken symbolic links.</para>
 
<para><command>mv ... ...SHADOW</command>, <command>mv ... /bin</command>
et <command> ln ... /usr/bin</command>: The <command>login</command>
et <command>su</command> programs installed by
<application>Heimdal</application> belong in the
<filename class="directory">/bin</filename> directory. The
<command>login</command> program is symlinked because
<application>Heimdal</application> is expecting to find it in
<filename class="directory">/usr/bin</filename>. The old executables from
the <application>Shadow</application> package are preserved before the move
so that they can be restored if you experience problems logging into the
system after the <application>Heimdal</application> package is installed
et configured.</para>
 
<para><command>for LINK in ...; do ...; done</command>,
<command>mv ... /lib</command> et
<command>ln ... /usr/lib/libdb.so</command>: The <command>login</command>
et <command>su</command> programs previously moved into the
<filename class='directory'>/lib</filename> directory link against
<application>Heimdal</application> libraries as well as libraries provided
by the <application>OpenSSL</application> et
<application>Berkeley DB</application> packages. These
libraries are also moved to <filename class="directory">/lib</filename>
so they are FHS compliant et also in case
<filename class="directory">/usr</filename> is located on a separate
partition which may not always be mounted.</para>
 
</sect2>
 
<sect2 role="configuration">
<title>Configuration de Heimdal</title>
 
<sect3 id="heimdal-config">
<title>Fichiers de configuration</title>
 
<para><filename>/etc/heimdal/*</filename></para>
 
<indexterm zone="heimdal heimdal-config">
<primary sortas="e-etc-heimdal">/etc/heimdal/*</primary>
</indexterm>
 
</sect3>
 
<sect3>
<title>Informations de configuration</title>
 
<note>
<para>All the configuration steps shown below must be accomplished
by the <systemitem class='username'>root</systemitem> user unless
otherwise noted.</para>
</note>
 
<sect4>
<title>Master KDC Server Configuration</title>
 
<para>Many of the commands below use
<replaceable>&lt;replaceable&gt;</replaceable> tags to identify places
where you need to substitute information specific to your network.
Ensure you replace everything in these tags (there will be no angle
brackets when you are done) with your site-specific information.</para>
 
<para>Create the Kerberos configuration file with the following
suivantes&nbsp;:</para>
 
<screen role="root"><userinput>install -v -m755 -d /etc/heimdal &amp;&amp;
cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF" &amp;&amp;
<literal># Begin /etc/heimdal/krb5.conf
 
[libdefaults]
default_realm = <replaceable>[EXAMPLE.COM]</replaceable>
default_realm = <replaceable>&lt;EXAMPLE.COM&gt;</replaceable>
encrypt = true
 
[realms]
<replaceable>[EXAMPLE.COM]</replaceable> = {
kdc = <replaceable>[hostname.example.com]</replaceable>
admin_server = <replaceable>[hostname.example.com]</replaceable>
kpasswd_server = <replaceable>[hostname.example.com]</replaceable>
<replaceable>&lt;EXAMPLE.COM&gt;</replaceable> = {
kdc = <replaceable>&lt;hostname.example.com&gt;</replaceable>
admin_server = <replaceable>&lt;hostname.example.com&gt;</replaceable>
kpasswd_server = <replaceable>&lt;hostname.example.com&gt;</replaceable>
}
 
[domain_realm]
.<replaceable>[example.com]</replaceable> = <replaceable>[EXAMPLE.COM]</replaceable>
.<replaceable>&lt;example.com&gt;</replaceable> = <replaceable>&lt;EXAMPLE.COM&gt;</replaceable>
 
[logging]
kdc = FILE:/var/log/kdc.log
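Review bot: Several instructions in the new text are half-translated in a way that changes or drops words: "Requises Patch" and "Requises to Build the Server-Side Tools", "issue any or all of les commandes suivantes", "Create the Kerberos configuration file with the following suivantes", and "using the following commands as the root" (the word "user" is gone), plus "et" for "and" throughout the English paragraphs. On a page whose install step replaces /bin/login and /bin/su, each step needs to read unambiguously, so translate these paragraphs in full or leave them in English. A second point, on the entity block: the only integrity value given for the tarball is heimdal-md5sum, and the download entities are plain http:// and ftp:// URLs, so a stronger digest or a signature check alongside the MD5 sum would be worth adding.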
218,634 → 360,803
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb.log
 
# End /etc/heimdal/krb5.conf
<command>EOF</command></userinput></screen>
# End /etc/heimdal/krb5.conf</literal>
EOF
chmod -v 644 /etc/heimdal/krb5.conf</userinput></screen>
 
<para>You will need to substitute your domain and proper hostname for the
occurrences of the <replaceable>[hostname]</replaceable> and
<replaceable>[EXAMPLE.COM]</replaceable> names.</para>
<para>You will need to substitute your domain et proper hostname
for the occurrences of the <replaceable>&lt;hostname&gt;</replaceable>
et <replaceable>&lt;EXAMPLE.COM&gt;</replaceable> names.</para>
 
<para><userinput>default_realm</userinput> should be the name of your domain
changed to ALL CAPS. This isn't required, but both
<application>Heimdal</application> and <application><acronym>MIT</acronym>
krb5</application> recommend it.</para>
<para><option>default_realm</option> should be the name of your
domain changed to ALL CAPS. This isn't required, but both
<application>Heimdal</application> et <application>MIT
Kerberos</application> recommend it.</para>
 
<para><userinput>encrypt = true</userinput> provides encryption of all traffic
between kerberized clients and servers. It's not necessary and can be left
off. If you leave it off, you can encrypt all traffic from the client to the
server using a switch on the client program instead.</para>
<para><option>encrypt = true</option> provides encryption of all
traffic between kerberized clients et servers. It's not necessary
et can be left off. If you leave it off, you can encrypt all traffic
from the client to the server using a switch on the client program
instead. The <option>[realms]</option> parameters tell the client
programs where to look for the KDC authentication services. The
<option>[domain_realm]</option> section maps a domain
to a realm.</para>
 
<para>The <userinput>[realms]</userinput> parameters tell the client programs
where to look for the <acronym>KDC</acronym> authentication services.</para>
<para>Store the master password in a key file using the following
suivantes&nbsp;:</para>
 
<para>The <userinput>[domain_realm]</userinput> section maps a domain to a
realm.</para>
<screen role="root"><userinput>install -v -m755 -d /var/lib/heimdal &amp;&amp;
kstash</userinput></screen>
 
<para>Store the master password in a key file using the following
commands:</para>
<para>Create the KDC database:</para>
 
<screen><userinput role='root'><command>install -d -m 755 /var/lib/heimdal &amp;&amp;
kstash</command></userinput></screen>
<screen role="root"><userinput>kadmin -l</userinput></screen>
 
<para>Create the <acronym>KDC</acronym> database:</para>
<para>The commands below will prompt you for information about the
principles. Choose the defaults for now unless you know what you are
doing et need to specify different values. You can go in later and
change the defaults, should you feel the need. You may use the up et
down arrow keys to use the history feature of <command>kadmin</command>
in a similar manner en tant qu'utilisateur <command>bash</command> history
feature.</para>
 
<screen><userinput role='root'><command>kadmin -l</command></userinput></screen>
<para>At the <prompt>kadmin&gt;</prompt> prompt, issue the following
statement:</para>
 
<para>Choose the defaults for now. You can go in later and change the
defaults, should you feel the need. At the
<userinput>kadmin&gt;</userinput> prompt, issue the following statement:</para>
<screen role="root"><userinput>init <replaceable>&lt;EXAMPLE.COM&gt;</replaceable></userinput></screen>
 
<screen><userinput role='root'><command>init <replaceable>[EXAMPLE.COM]</replaceable></command></userinput></screen>
<para>The database must now be populated with at least one principle
(user). For now, just use your regular login name or root. You may
create as few, or as many principles as you wish using the following
statement:</para>
 
<para>The database must now be populated with at least one principle (user).
For now, just use your regular login name or root. You may create as few, or
as many principles as you wish using the following statement:</para>
<screen role="root"><userinput>add <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
 
<screen><userinput role='root'><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>
<para>The KDC server et any machine running kerberized
server daemons must have a host key installed:</para>
 
<para>The <acronym>KDC</acronym> server and any machine running kerberized
server daemons must have a host key installed:</para>
<screen role="root"><userinput>add --random-key host/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
 
<screen><userinput role='root'><command>add --random-key host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
<para>After choosing the defaults when prompted, you will have to
export the data to a keytab file:</para>
 
<para>After choosing the defaults when prompted, you will have to export the
data to a keytab file:</para>
<screen role="root"><userinput>ext host/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
 
<screen><userinput role='root'><command>ext host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
<para>This should have created two files in
<filename class="directory">/etc/heimdal</filename>:
<filename>krb5.keytab</filename> (Kerberos 5) et
<filename>srvtab</filename> (Kerberos 4). Both files should have 600
(root rw only) permissions. Keeping the keytab files from public access
is crucial to the overall security of the Kerberos installation.</para>
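Review bot: the keytab paragraph says krb5.keytab and srvtab "should have 600 (root rw only) permissions" and calls this crucial, but no step after the ext commands checks or sets that mode. Add an explicit verification of the mode and owner of both files in /etc/heimdal, with a chmod 600 for the case where they differ, so the reader confirms the state instead of assuming it. The later daemon example (ext ftp/...) writes to the same keytab and would benefit from the same check.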
 
<para>This should have created two files in
<filename class="directory">/etc/heimdal</filename>:
<filename>krb5.keytab</filename> (Kerberos 5) and
<filename>srvtab</filename> (Kerberos 4). Both files should have 600
(root rw only) permissions. Keeping the keytab files from public access
is crucial to the overall security of the Kerberos installation.</para>
<para>Eventually, you'll want to add server daemon principles to the
database et extract them to the keytab file. You do this in the same
way you created the host principles. Below is an example:</para>
 
<para>Eventually, you'll want to add server daemon principles to the database
and extract them to the keytab file. You do this in the same way you created
the host principles. Below is an example:</para>
<screen role="root"><userinput>add --random-key ftp/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
 
<screen><userinput role='root'><command>add --random-key ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
<para>(choose the defaults)</para>
 
<para>(choose the defaults)</para>
<screen role="root"><userinput>ext ftp/<replaceable>&lt;hostname.example.com&gt;</replaceable></userinput></screen>
 
<screen><userinput role='root'><command>ext ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
<para>Exit the <command>kadmin</command> program (use
<command>quit</command> or <command>exit</command>) et return back
to the shell prompt. Start the KDC daemon manually, just to test out
the installation:</para>
 
<para>Exit the <command>kadmin</command> program (use <command>quit</command>
or <command>exit</command>) and return back to the shell prompt. Start
the <acronym>KDC</acronym> daemon manually, just to test out the
installation:</para>
<screen role="root"><userinput>/usr/sbin/kdc &amp;</userinput></screen>
 
<screen><userinput role='root'><command>/usr/sbin/kdc &amp;</command></userinput></screen>
<para>Attempt to get a TGT (ticket granting ticket) with
the following command:</para>
 
<para>Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with
the following command:</para>
<screen><userinput>kinit <replaceable>&lt;loginname&gt;</replaceable></userinput></screen>
 
<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
<para>You will be prompted for the password you created. After you get
your ticket, you should list it with the following command:</para>
 
<para>You will be prompted for the password you created. After you get your
ticket, you should list it with the following command:</para>
<screen><userinput>klist</userinput></screen>
 
<screen><userinput><command>klist</command></userinput></screen>
<para>Information about the ticket should be displayed on
the screen.</para>
 
<para>Information about the ticket should be displayed on the screen.</para>
<para>To test the functionality of the <filename>keytab</filename> file,
issue the following command:</para>
 
<para>To test the functionality of the keytab file, issue the following
command:</para>
<screen><userinput>ktutil list</userinput></screen>
 
<screen><userinput><command>ktutil list</command></userinput></screen>
<para>This should dump a list of the host principals, along with the
encryption methods used to access the principals.</para>
 
<para>This should dump a list of the host principals, along with the encryption
methods used to access the principals.</para>
<para>At this point, if everything has been successful so far, you
can feel fairly confident in the installation, setup et configuration
of your new <application>Heimdal</application> Kerberos 5
installation.</para>
 
<para>At this point, if everything has been successful so far, you can feel
fairly confident in the installation and configuration of the package.</para>
<para>If you wish to use the <xref linkend="cracklib"/> library to
enforce strong passwords in the KDC database, you must do two things.
First, add the following lines to the
<filename>/etc/heimdal/krb5.conf</filename> configuration file:</para>
 
<para id="heimdal-init">Install the
<filename>/etc/rc.d/init.d/heimdal</filename> init script included in the
<xref linkend="intro-important-bootscripts"/> package:</para>
<indexterm zone="heimdal heimdal-init">
<primary sortas="f-heimdal">heimdal</primary>
</indexterm>
<screen><literal>[password_quality]
policies = builtin:external-check
external_program = /bin/krb5-check-cracklib.pl</literal></screen>
 
<screen><userinput role='root'><command>make install-heimdal</command></userinput></screen>
</sect4>
<para>Next you must install the
<application>Crypt::Cracklib</application>
<application>Perl</application> module. Download it from the CPAN
site. The URL at the time of this writing is <ulink
url="http://cpan.org/authors/id/D/DA/DANIEL/Crypt-Cracklib-1.2.tar.gz"/>.
After unpacking the tarball et changing into the newly created
directory, issue the following command to add the BLFS
<application>Cracklib</application> dictionary location to one of the
source files:</para>
 
<sect4><title>Using Kerberized Client Programs</title>
<screen><userinput>sed -i 's|pw_dict|&amp;\n\t\t/lib/cracklib/pw_dict|' Cracklib.pm</userinput></screen>
 
<para>To use the kerberized client programs (<command>telnet</command>,
<command>ftp</command>, <command>rsh</command>,
<command>rxterm</command>, <command>rxtelnet</command>,
<command>rcp</command>, <command>xnlock</command>), you first must get
a <acronym>TGT</acronym>. Use the <command>kinit</command> program to
get the ticket. After you've acquired the ticket, you can use the
kerberized programs to connect to any kerberized server on the network.
You will not be prompted for authentication until your ticket expires
(default is one day), unless you specify a different user as a command
line argument to the program.</para>
<para>Then use the standard <command>perl Makefile.PL</command>;
<command>make</command>; <command>make test</command>;
<command>make install</command> commands. Note that one test fails
due to an unknown reason.</para>
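Review bot: the Crypt::Cracklib step fetches Crypt-Cracklib-1.2.tar.gz over plain http from cpan.org with no checksum given, and the closing sentence tells the reader to install even though "one test fails due to an unknown reason". For a module that will gate password quality in the KDC database, state the expected checksum of the tarball and name the failing test with the reason it can be ignored; otherwise a reader cannot tell the known failure from a broken build. The external_program value /bin/krb5-check-cracklib.pl should also be confirmed against the location where the package installs that script.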
 
<para>The kerberized programs will connect to non-kerberized daemons, warning
you that authentication is not encrypted. As mentioned earlier, only the
<command>ftp</command> program gives any trouble connecting to
non-kerberized daemons.</para>
<para id="heimdal-init">Install the
<filename>/etc/rc.d/init.d/heimdal</filename> init script included
in the <xref linkend="bootscripts"/> package:</para>
 
<para>In order to use the <application>Heimdal</application>
<application>X</application> programs, you'll need to add a service port
entry to the <filename>/etc/services</filename> file for the
<command>kxd</command> server. There is no 'standardized port number' for
the 'kx' service in the <acronym>IANA</acronym> database, so you'll have to
pick an unused port number. Add an entry to the <filename>services</filename>
file similar to the entry below (substitute your chosen port number for
<replaceable>[49150]</replaceable>):</para>
<indexterm zone="heimdal heimdal-init">
<primary sortas="f-heimdal">heimdal</primary>
</indexterm>
 
<screen><userinput role='root'>kx <replaceable>[49150]</replaceable>/tcp # Heimdal kerberos X
kx <replaceable>[49150]</replaceable>/udp # Heimdal kerberos X</userinput></screen>
<screen role="root"><userinput>make install-heimdal</userinput></screen>
 
<para>For additional information consult <ulink
url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
Heimdal hint</ulink> on which the above instructions are based.</para>
</sect4>
</sect3>
</sect4>
 
</sect2>
<sect4>
<title>Using Kerberized Client Programs</title>
 
<sect2>
<title>Contents</title>
<para>To use the kerberized client programs (<command>telnet</command>,
<command>ftp</command>, <command>rsh</command>,
<command>rxterm</command>, <command>rxtelnet</command>,
<command>rcp</command>, <command>xnlock</command>), you first must get
a TGT. Use the <command>kinit</command> program to get the ticket.
After you've acquired the ticket, you can use the kerberized programs
to connect to any kerberized server on the network. You will not be
prompted for authentication until your ticket expires (default is one
day), unless you specify a different user as a command line argument
to the program.</para>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<para>The kerberized programs will connect to non-kerberized daemons,
warning you that authentication is not encrypted.</para>
 
<seglistitem>
<seg>afslog, dump_log, ftp, ftpd, hprop, hpropd, ipropd-master, ipropd-slave,
kadmin, kadmind, kauth, kdc, kdestroy, kf, kfd, kgetcred, kinit, klist,
kpasswd, kpasswdd, krb5-config, kstash, ktutil, kx, kxd, login, mk_cmds, otp,
otpprint, pagsh, pfrom, popper, push, rcp, replay_log, rsh, rshd, rxtelnet,
rxterm, string2key, su, telnet, telnetd, tenletxr, truncate-log,
verify_krb5_conf and xnlock</seg>
<seg>libasn1.[so,a], libeditline.a, libgssapi.[so,a], libhdb.[so,a],
libkadm5clnt.[so,a], libkadm5srv.[so,a], libkafs.[so,a], libkrb5.[so,a],
libotp.[so,a], libroken.[so,a], libsl.[so,a] and libss.[so,a]</seg>
<seg>/etc/heimdal, /usr/include/kadm5, /usr/include/ss and
/var/lib/heimdal</seg>
</seglistitem>
</segmentedlist>
<para>In order to use the <application>Heimdal</application>
<application>X</application> programs, you'll need to add a service
port entry to the <filename>/etc/services</filename> file for the
<command>kxd</command> server. There is no 'standardized port number'
for the 'kx' service in the IANA database, so you'll have to pick an
unused port number. Add an entry to the <filename>services</filename>
file similar to the entry below (substitute your chosen port number
for <replaceable>&lt;49150&gt;</replaceable>)&nbsp;:</para>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
<screen><literal>kx <replaceable>&lt;49150&gt;</replaceable>/tcp # Heimdal kerberos X
kx <replaceable>&lt;49150&gt;</replaceable>/udp # Heimdal kerberos X</literal></screen>
 
<varlistentry id="afslog">
<term><command>afslog</command></term>
<listitem><para>obtains <acronym>AFS</acronym> tokens for a number of
cells.</para>
<indexterm zone="heimdal afslog">
<primary sortas="b-afslog">afslog</primary>
</indexterm></listitem>
</varlistentry>
<para>For additional information consult <ulink
url="&hints-root;/downloads/files/heimdal.txt">the
Heimdal hint</ulink> on which the above instructions are based.</para>
 
<varlistentry id="ftp">
<term><command>ftp</command></term>
<listitem><para>is a kerberized <acronym>FTP</acronym> client.</para>
<indexterm zone="heimdal ftp">
<primary sortas="b-ftp">ftp</primary>
</indexterm></listitem>
</varlistentry>
</sect4>
 
<varlistentry id="ftpd">
<term><command>ftpd</command></term>
<listitem><para>is a kerberized <acronym>FTP</acronym> daemon.</para>
<indexterm zone="heimdal ftpd">
<primary sortas="b-ftpd">ftpd</primary>
</indexterm></listitem>
</varlistentry>
</sect3>
 
<varlistentry id="hprop">
<term><command>hprop</command></term>
<listitem><para> takes a principal database in a specified format and converts
it into a stream of <application>Heimdal</application> database records.</para>
<indexterm zone="heimdal hprop">
<primary sortas="b-hprop">hprop</primary>
</indexterm></listitem>
</varlistentry>
</sect2>
 
<varlistentry id="hpropd">
<term><command>hpropd</command></term>
<listitem><para>is a server that receives a database sent by
<command>hprop</command> and writes it as a local database.</para>
<indexterm zone="heimdal hpropd">
<primary sortas="b-hpropd">hpropd</primary>
</indexterm></listitem>
</varlistentry>
<sect2 role="content">
<title>Contenu</title>
 
<varlistentry id="ipropd-master">
<term><command>ipropd-master</command></term>
<listitem><para>is a daemon which runs on the master <acronym>KDC</acronym>
server which incrementally propogates changes to the <acronym>KDC</acronym>
database to the slave <acronym>KDC</acronym> servers.</para>
<indexterm zone="heimdal ipropd-master">
<primary sortas="b-ipropd-master">ipropd-master</primary>
</indexterm></listitem>
</varlistentry>
<segmentedlist>
<segtitle>Programmes installés</segtitle>
<segtitle>Bibliothèques installées</segtitle>
<segtitle>Répertoires installés</segtitle>
 
<varlistentry id="ipropd-slave">
<term><command>ipropd-slave</command></term>
<listitem><para>is a daemon which runs on the slave <acronym>KDC</acronym>
servers which incrementally propogates changes to the <acronym>KDC</acronym>
database from the master <acronym>KDC</acronym> server.</para>
<indexterm zone="heimdal ipropd-slave">
<primary sortas="b-ipropd-slave">ipropd-slave</primary>
</indexterm></listitem>
</varlistentry>
<seglistitem>
<seg>afslog, ftp, ftpd, gss, hprop, hpropd, hxtool, iprop-log,
ipropd-master, ipropd-slave, kadmin, kadmind, kauth, kcm, kdc,
kdestroy, kdigest, kf, kfd, kgetcred, kimpersonate, kinit, klist,
kpasswd, kpasswdd, krb5-check-cracklib.pl, krb5-config, kstash,
ktutil, kx, kxd, login, mk_cmds-krb5, otp, otpprint, pagsh, pfrom,
popper, push, rcp, rsh, rshd, rxtelnet, rxterm, string2key, su,
telnet, telnetd, tenletxr, verify_krb5_conf et xnlock</seg>
 
<varlistentry id="kadmin">
<term><command>kadmin</command></term>
<listitem><para>is a utility used to make modifications to the Kerberos
database.</para>
<indexterm zone="heimdal kadmin">
<primary sortas="b-kadmin">kadmin</primary>
</indexterm></listitem>
</varlistentry>
<seg>hdb_ldap.{so,a}, libasn1.{so,a}, libeditline.{so,a},
libgssapi.{so,a}, libhdb.{so,a}, libheimntlm.{so,a}, libhx509.{so,a},
libkadm5clnt.{so,a}, libkadm5srv.{so,a}, libkafs.{so,a},
libkdc.{so,a}, libkrb5.{so,a}, libotp.{so,a}, libroken.{so,a},
libsl.{so,a}, libss-krb5.{so,a} et windc.{so,a}</seg>
 
<varlistentry id="kadmind">
<term><command>kadmind</command></term>
<listitem><para>is a server for administrative access to the Kerberos
database.</para>
<indexterm zone="heimdal kadmind">
<primary sortas="b-kadmind">kadmind</primary>
</indexterm></listitem>
</varlistentry>
<seg>/etc/heimdal, /usr/include/gssapi, /usr/include/kadm5,
/usr/include/krb5, /usr/include/roken, /usr/include/ss,
/usr/share/doc/heimdal-&heimdal-version; et /var/lib/heimdal</seg>
</seglistitem>
</segmentedlist>
 
<varlistentry id="kauth">
<term><command>kauth</command></term>
<listitem><para>is a symbolic link to the <command>kinit</command>
program.</para>
<indexterm zone="heimdal kauth">
<primary sortas="g-kauth">kauth</primary>
</indexterm></listitem>
</varlistentry>
<variablelist>
<bridgehead renderas="sect3">Descriptions courtes</bridgehead>
<?dbfo list-presentation="list"?>
<?dbhtml list-presentation="table"?>
 
<varlistentry id="kdc">
<term><command>kdc</command></term>
<listitem><para>is a Kerberos 5 server.</para>
<indexterm zone="heimdal kdc">
<primary sortas="b-kdc">kdc</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="afslog">
<term><command>afslog</command></term>
<listitem>
<para>obtains AFS tokens for a number of cells.</para>
<indexterm zone="heimdal afslog">
<primary sortas="b-afslog">afslog</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kdestroy">
<term><command>kdestroy</command></term>
<listitem><para>removes a principle's current set of tickets.</para>
<indexterm zone="heimdal kdestroy">
<primary sortas="b-kdestroy">kdestroy</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="ftp">
<term><command>ftp</command></term>
<listitem>
<para>is a kerberized FTP client.</para>
<indexterm zone="heimdal ftp">
<primary sortas="b-ftp">ftp</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kf">
<term><command>kf</command></term>
<listitem><para>is a program which forwards tickets to a remote host through
an authenticated and encrypted stream.</para>
<indexterm zone="heimdal kf">
<primary sortas="b-kf">kf</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="ftpd">
<term><command>ftpd</command></term>
<listitem>
<para>is a kerberized FTP daemon.</para>
<indexterm zone="heimdal ftpd">
<primary sortas="b-ftpd">ftpd</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kfd">
<term><command>kfd</command></term>
<listitem><para>is a server used to receive forwarded tickets.</para>
<indexterm zone="heimdal kfd">
<primary sortas="b-kfd">kfd</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="hprop">
<term><command>hprop</command></term>
<listitem>
<para> takes a principal database in a specified format et converts
it into a stream of <application>Heimdal</application> database
records.</para>
<indexterm zone="heimdal hprop">
<primary sortas="b-hprop">hprop</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kgetcred">
<term><command>kgetcred</command></term>
<listitem><para>obtains a ticket for a service.</para>
<indexterm zone="heimdal kgetcred">
<primary sortas="b-kgetcred">kgetcred</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="hpropd">
<term><command>hpropd</command></term>
<listitem>
<para>is a server that receives a database sent by
<command>hprop</command> et writes it as a local database.</para>
<indexterm zone="heimdal hpropd">
<primary sortas="b-hpropd">hpropd</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kinit">
<term><command>kinit</command></term>
<listitem><para>is used to authenticate to the Kerberos server as a principal
and acquire a ticket granting ticket that can later be used to obtain tickets
for other services.</para>
<indexterm zone="heimdal kinit">
<primary sortas="b-kinit">kinit</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="iprop-log">
<term><command>iprop-log</command></term>
<listitem>
<para>is used to maintain the iprop log file.</para>
<indexterm zone="heimdal iprop-log">
<primary sortas="b-iprop-log">iprop-log</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="klist">
<term><command>klist</command></term>
<listitem><para>reads and displays the current tickets in the credential
cache.</para>
<indexterm zone="heimdal klist">
<primary sortas="b-klist">klist</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="ipropd-master">
<term><command>ipropd-master</command></term>
<listitem>
<para>is a daemon which runs on the master KDC
server which incrementally propagates changes to the KDC
database to the slave KDC servers.</para>
<indexterm zone="heimdal ipropd-master">
<primary sortas="b-ipropd-master">ipropd-master</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kpasswd">
<term><command>kpasswd</command></term>
<listitem><para>is a program for changing Kerberos 5 passwords.</para>
<indexterm zone="heimdal kpasswd">
<primary sortas="b-kpasswd">kpasswd</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="ipropd-slave">
<term><command>ipropd-slave</command></term>
<listitem>
<para>is a daemon which runs on the slave KDC
servers which incrementally propagates changes to the KDC
database from the master KDC server.</para>
<indexterm zone="heimdal ipropd-slave">
<primary sortas="b-ipropd-slave">ipropd-slave</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kpasswdd">
<term><command>kpasswdd</command></term>
<listitem><para>is a Kerberos 5 password changing server.</para>
<indexterm zone="heimdal kpasswdd">
<primary sortas="b-kpasswdd">kpasswdd</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kadmin">
<term><command>kadmin</command></term>
<listitem>
<para>is a utility used to make modifications to the Kerberos
database.</para>
<indexterm zone="heimdal kadmin">
<primary sortas="b-kadmin">kadmin</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="krb5-config-prog">
<term><command>krb5-config</command></term>
<listitem><para>gives information on how to link programs against
<application>Heimdal</application> libraries.</para>
<indexterm zone="heimdal krb5-config-prog">
<primary sortas="b-krb5-config">krb5-config</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kadmind">
<term><command>kadmind</command></term>
<listitem>
<para>is a server for administrative access to the Kerberos
database.</para>
<indexterm zone="heimdal kadmind">
<primary sortas="b-kadmind">kadmind</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kstash">
<term><command>kstash</command></term>
<listitem><para>stores the <acronym>KDC</acronym> master password in a
file.</para>
<indexterm zone="heimdal kstash">
<primary sortas="b-kstash">kstash</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kauth">
<term><command>kauth</command></term>
<listitem>
<para>is a symbolic link to the <command>kinit</command>
program.</para>
<indexterm zone="heimdal kauth">
<primary sortas="g-kauth">kauth</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="ktutil">
<term><command>ktutil</command></term>
<listitem><para>is a program for managing Kerberos keytabs.</para>
<indexterm zone="heimdal ktutil">
<primary sortas="b-ktutil">ktutil</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kcm">
<term><command>kcm</command></term>
<listitem>
<para>is a process based credential cache for Kerberos
tickets.</para>
<indexterm zone="heimdal kcm">
<primary sortas="b-kcm">kcm</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kx">
<term><command>kx</command></term>
<listitem><para>is a program which securely forwards
<application>X</application> connections.</para>
<indexterm zone="heimdal kx">
<primary sortas="b-kx">kx</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kdc">
<term><command>kdc</command></term>
<listitem>
<para>is a Kerberos 5 server.</para>
<indexterm zone="heimdal kdc">
<primary sortas="b-kdc">kdc</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="kxd">
<term><command>kxd</command></term>
<listitem><para>is the daemon for <command>kx</command>.</para>
<indexterm zone="heimdal kxd">
<primary sortas="b-kxd">kxd</primary>
</indexterm></listitem>
</varlistentry>
<varlistentry id="kdestroy">
<term><command>kdestroy</command></term>
<listitem>
<para>removes a principle's current set of tickets.</para>
<indexterm zone="heimdal kdestroy