Subversion Repositories svn LFS-FR

Compare Revisions

Rev 549 → Rev 550

/trunk/blfs/postlfs/postlfs.ent
File deleted
/trunk/blfs/postlfs/config/autofs.xml
0,0 → 1,242
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY autofs-download-http "http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-&autofs-version;.tar.bz2">
<!ENTITY autofs-download-ftp "ftp://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-&autofs-version;.tar.bz2">
<!ENTITY autofs-md5sum "f43a09e94c4bd512ec58ac06e9d42c60">
<!ENTITY autofs-size "122 KB">
<!ENTITY autofs-buildsize "1.4 MB">
<!ENTITY autofs-time "0.01 SBU">
]>
 
<sect1 id="autofs" xreflabel="autofs-&autofs-version;">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:36 $</date>
</sect1info>
<?dbhtml filename="autofs.html"?>
<title>Automate Mounting of File Systems</title>
<indexterm zone="autofs">
<primary sortas="a-Autofs">Autofs</primary></indexterm>
 
<sect2>
<title>Introduction to <application>autofs</application></title>
 
<para>The <application>autofs</application> package contains userspace
tools that work with the kernel to mount and un-mount removable file
systems. This is useful for allowing users to mount floppies, cdroms and
other removable storage devices without requiring the system
administrator to mount the devices. This may not be ideal for all
installations, so be aware of the risks before implementing this feature.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing="compact">
<listitem><para>Download (HTTP):
<ulink url="&autofs-download-http;"/></para></listitem>
<listitem><para>Download (FTP):
<ulink url="&autofs-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &autofs-md5sum;</para></listitem>
<listitem><para>Download size: &autofs-size;</para></listitem>
<listitem><para>Estimated disk space required:
&autofs-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&autofs-time;</para></listitem></itemizedlist>
</sect3>
 
<sect3><title>Additional downloads</title>
<itemizedlist spacing="compact">
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-strict.patch"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-bad_chdir.patch
"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-mtab_lock.patch
"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-non_block_ping.patch
"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-signal-race-fix.patch
"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-sock-leak-fix.patch
"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-replicated_server_select.patch
"/></para>
</listitem>
<listitem><para>Recommended Patch: <ulink
url="http://ftp.kernel.org/pub/linux/daemons/autofs/v4/autofs-4.1.3-multi-over.patch
"/></para>
</listitem>
</itemizedlist>
</sect3>
<!---
<sect3><title><application>template</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="BLFS DEPENDENCY"/></para>
</sect4>
 
<sect4><title>Optional</title>
<para><ulink url="http://www.some.url/">EXTERNAL DEPENDENCY</ulink></para>
</sect4>
</sect3> -->
 
</sect2>
 
<sect2 id="autofs-kernel">
<title>Installation of <application>autofs</application></title>
<indexterm zone="autofs autofs-kernel">
<primary sortas="d-Automounter">Automounter</primary></indexterm>
 
<para>Verify that kernel support has been compiled in or built as
modules in the following areas:
<screen>File systems
Kernel automounter version 4 support Y or M
Network File Systems
NFS file system support Y or M
SMB file system support Y or M</screen>
Recompile and install the new kernel, if necessary.</para>
 
<para>Install <application>autofs</application> by running the following
commands:</para>
 
<screen><userinput><command>patch -Np1 -i ../autofs-4.1.3-strict.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-bad_chdir.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-mtab_lock.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-non_block_ping.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-signal-race-fix.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-sock-leak-fix.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-replicated_server_select.patch &amp;&amp;
patch -Np1 -i ../autofs-4.1.3-multi-over.patch &amp;&amp;
./configure --prefix=/ --mandir=/usr/share/man &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
rm /etc/rc.d/init.d/autofs</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para><command>rm /etc/rc.d/init.d/autofs</command>: This command
removes the installed script which only works on specific distributions.</para>
 
</sect2>
 
<sect2>
<title>Configuring <application>autofs</application></title>
 
<sect3 id="autofs-config"><title>Config files</title>
<para><filename>/etc/sysconfig/autofs.conf</filename>,
<filename>/etc/auto.master</filename>,
<filename>/etc/auto.misc</filename>, and
<filename>/etc/auto.net</filename></para>
<indexterm zone="autofs autofs-config" >
<primary
sortas="e-etc-sysconfig-autofs.conf">/etc/sysconfig/autofs.conf</primary>
</indexterm>
<indexterm zone="autofs autofs-config">
<primary sortas="e-etc-auto.master">/etc/auto.master</primary></indexterm>
<indexterm zone="autofs autofs-config">
<primary sortas="e-etc-auto.misc">/etc/auto.misc</primary></indexterm>
<indexterm zone="autofs autofs-config">
<primary sortas="e-etc-auto.net">/etc/auto.net</primary></indexterm>
</sect3>
 
<sect3><title>Configuration Information</title>
 
<para>The installation process creates <filename>auto.master</filename>,
<filename>auto.misc</filename> and <filename>auto.net</filename>. You
will replace the <filename>auto.master</filename> with the following
commands.
 
<screen><userinput role='root'><command>mv /etc/auto.master /etc/auto.master.bak &amp;&amp;
cat &gt; /etc/auto.master &lt;&lt; "EOF"</command>
# Begin /etc/auto.master
 
/media /etc/auto.misc
 
# End /etc/auto.master
<command>EOF</command></userinput></screen></para>
 
<note><para>This file mounts a new media directory over the one created by
<acronym>LFS</acronym> and will therefore hide any mounts made by the
<filename>fstab</filename> file into that directory.</para></note>
 
<para>While this package could be used to mount <acronym>NFS</acronym>
shares and <acronym>SMB</acronym> shares, that feature is not configured
in these instructions. <acronym>NFS</acronym> shares are covered on the
next page.
</para>
 
<para>The <filename>auto.misc</filename> must be configured to your
working hardware. The loaded configuration file should load your cdrom
if <filename>/dev/cdrom</filename> is active or it can be edited to
match your device setup and examples for floppies are available in the file
and easily activated. Documentation for this file is available using the
<command>man 5 autofs</command> command.</para>
 
<para id="autofs-init">Install the
<filename>/etc/rc.d/init.d/autofs</filename> mount script and
<filename>/etc/sysconfig/autofs.conf</filename> support file
included with the <xref linkend="intro-important-bootscripts"/>
package.</para>
<indexterm zone="autofs autofs-init">
<primary sortas="f-autofs-init">autofs</primary></indexterm>
 
<screen><userinput role='root'><command>make install-autofs</command></userinput></screen>
 
<para>The time-out variable is set in
<filename>/etc/sysconfig/autofs.conf</filename>. The installed file sets
a default of 60 seconds of inactivity before unmounting the device. A
much shorter time may be necessary to protect buffer writing to a
floppy if users tend to remove the media prior to the timeout
setting.</para>
</sect3>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Program</segtitle>
<segtitle>Installed Libraries</segtitle>
<seglistitem>
<seg>automount</seg>
<seg>autofs modules</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="automount">
<term><command>automount</command></term>
<listitem><para>is the daemon that performs the mounting when a request is
made for the device.</para>
<indexterm zone="autofs automount">
<primary sortas="b-automount">automount</primary></indexterm>
</listitem>
</varlistentry>
</variablelist>
 
</sect2>
 
</sect1>
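Review bot: the seven ulink entries from bad_chdir.patch through multi-over.patch under "Additional downloads" break the line inside the url attribute, so each attribute value ends in whitespace after normalization and the rendered links may not resolve; close the quote on the same line as the URL, as the strict.patch entry does. All eight patches are fetched over plain HTTP with no checksum listed, while the tarball at least has an MD5 sum entity, so consider listing a checksum per patch. The introduction tells the reader to "be aware of the risks" of letting users mount removable media without naming any of them; a sentence saying what they are, for example whether the auto.misc entries mount with nosuid and nodev, would make the warning actionable.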
 
/trunk/blfs/postlfs/filesystems/xfs/xfs.ent
File deleted
/trunk/blfs/postlfs/filesystems/xfs/xfs-intro.xml
File deleted
/trunk/blfs/postlfs/filesystems/xfs/xfs-inst.xml
File deleted
/trunk/blfs/postlfs/filesystems/xfs/xfs-desc.xml
File deleted
/trunk/blfs/postlfs/filesystems/reiser/reiser.ent
File deleted
/trunk/blfs/postlfs/filesystems/reiser/reiser-intro.xml
File deleted
/trunk/blfs/postlfs/filesystems/reiser/reiser-exp.xml
File deleted
/trunk/blfs/postlfs/filesystems/reiser/reiser-inst.xml
File deleted
/trunk/blfs/postlfs/filesystems/reiser/reiser-desc.xml
File deleted
/trunk/blfs/postlfs/filesystems/xfs.xml
1,11 → 1,243
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY xfsprogs-download-http "http://mirrors.sunsite.dk/xfs/download/cmd_tars/xfsprogs-&xfsprogs-version;.src.tar.gz">
<!ENTITY xfsprogs-download-ftp "ftp://oss.sgi.com/projects/xfs/download/cmd_tars/xfsprogs-&xfsprogs-version;.src.tar.gz">
<!ENTITY xfsprogs-md5sum "65fbf692f348b57f21edd4813733d9ae">
<!ENTITY xfsprogs-size "833 KB">
<!ENTITY xfsprogs-buildsize "25.2 MB">
<!ENTITY xfsprogs-time "0.59 SBU">
]>
 
<sect1 id="xfs" xreflabel="XFS-&xfsprogs-version;">
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="xfsfs.html"?>
<title>XFS-&xfsprogs-version;</title>
<indexterm zone="xfs">
<primary sortas="a-XFS">XFS</primary>
</indexterm>
 
&xfs-intro;
&xfs-inst;
&xfs-desc;
<sect2>
<title>Introduction to
<application><acronym>XFS</acronym></application></title>
 
<para>The <application>XFS</application> package contains administration
and debugging tools for the <acronym>XFS</acronym> file system.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&xfsprogs-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&xfsprogs-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &xfsprogs-md5sum;</para></listitem>
<listitem><para>Download size: &xfsprogs-size;</para></listitem>
<listitem><para>Estimated disk space required:
&xfsprogs-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&xfsprogs-time;</para></listitem></itemizedlist>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>XFS</application></title>
 
<note><para>If you did not install the
<ulink url="&lfs-root;/chapter06/e2fsprogs.html">E2fsprogs</ulink> package in
<acronym>LFS</acronym>, you must install it, or
<ulink url="http://pecl.php.net/get/uuid-1.0.tgz">UUID</ulink> before
proceeding with the installation of
<application>XFS</application>.</para></note>
 
<para>Install <application>XFS</application> by running the following
commands:</para>
 
<screen><userinput><command>sed -i 's/autoconf//' Makefile &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Library</segtitle>
<segtitle>Installed Directory</segtitle>
 
<seglistitem>
<seg>fsck.xfs, mkfs.xfs, xfs_admin, xfs_bmap, xfs_check, xfs_copy, xfs_db,
xfs_freeze, xfs_growfs, xfs_info, xfs_io, xfs_logprint, xfs_mkfile,
xfs_ncheck, xfs_repair and xfs_rtcp</seg>
<seg>libhandle.so</seg>
<seg>/usr/share/doc/xfsprogs</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="fsck.xfs">
<term><command>fsck.xfs</command></term>
<listitem><para>simply exits with a zero status, since <acronym>XFS</acronym>
partitions are checked at mount time.</para>
<indexterm zone="xfs fsck.xfs">
<primary sortas="b-fsck.xfs">fsck.xfs</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="mkfs.xfs">
<term><command>mkfs.xfs</command></term>
<listitem><para>constructs an <acronym>XFS</acronym> file system.</para>
<indexterm zone="xfs mkfs.xfs">
<primary sortas="b-mkfs.xfs">mkfs.xfs</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_admin">
<term><command>xfs_admin</command></term>
<listitem><para>changes the parameters of an <acronym>XFS</acronym> file
system.</para>
<indexterm zone="xfs xfs_admin">
<primary sortas="b-xfs_admin">xfs_admin</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_bmap">
<term><command>xfs_bmap</command></term>
<listitem><para>prints block mapping for an <acronym>XFS</acronym> file.</para>
<indexterm zone="xfs xfs_bmap">
<primary sortas="b-xfs_bmap">xfs_bmap</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_check">
<term><command>xfs_check</command></term>
<listitem><para>checks <acronym>XFS</acronym> file system consistency.</para>
<indexterm zone="xfs xfs_check">
<primary sortas="b-xfs_check">xfs_check</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_copy">
<term><command>xfs_copy</command></term>
<listitem><para>copies the contents of an <acronym>XFS</acronym> file system
to one or more targets in parallel.</para>
<indexterm zone="xfs xfs_copy">
<primary sortas="b-xfs_copy">xfs_copy</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_db">
<term><command>xfs_db</command></term>
<listitem><para>is used to debug an <acronym>XFS</acronym> file system.</para>
<indexterm zone="xfs xfs_db">
<primary sortas="b-xfs_db">xfs_db</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_freeze">
<term><command>xfs_freeze</command></term>
<listitem><para>suspends access to an <acronym>XFS</acronym> file
system.</para>
<indexterm zone="xfs xfs_freeze">
<primary sortas="b-xfs_freeze">xfs_freeze</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_growfs">
<term><command>xfs_growfs</command></term>
<listitem><para>expands an <acronym>XFS</acronym> file system.</para>
<indexterm zone="xfs xfs_growfs">
<primary sortas="b-xfs_growfs">xfs_growfs</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_info">
<term><command>xfs_info</command></term>
<listitem><para>is equivalent to invoking <command>xfs_growfs</command>, but
specifying that no change to the file system is to be made.</para>
<indexterm zone="xfs xfs_info">
<primary sortas="b-xfs_info">xfs_info</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_io">
<term><command>xfs_io</command></term>
<listitem><para>is a debugging tool like <command>xfs_db</command>, but is
aimed at examining the regular file I/O path rather than the raw
<acronym>XFS</acronym> volume itself.</para>
<indexterm zone="xfs xfs_io">
<primary sortas="b-xfs_io">xfs_io</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_logprint">
<term><command>xfs_logprint</command></term>
<listitem><para>prints the log of an <acronym>XFS</acronym> file system.</para>
<indexterm zone="xfs xfs_logprint">
<primary sortas="b-xfs_logprint">xfs_logprint</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_mkfile">
<term><command>xfs_mkfile</command></term>
<listitem><para>creates an <acronym>XFS</acronym> file, padded with zeroes by
default.</para>
<indexterm zone="xfs xfs_mkfile">
<primary sortas="b-xfs_mkfile">xfs_mkfile</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_ncheck">
<term><command>xfs_ncheck</command></term>
<listitem><para>generates pathnames from inode numbers for an
<acronym>XFS</acronym> file system.</para>
<indexterm zone="xfs xfs_ncheck">
<primary sortas="b-xfs_ncheck">xfs_ncheck</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_repair">
<term><command>xfs_repair</command></term>
<listitem><para>repairs corrupt or damaged <acronym>XFS</acronym>file
systems.</para>
<indexterm zone="xfs xfs_repair">
<primary sortas="b-xfs_repair">xfs_repair</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xfs_rtcp">
<term><command>xfs_rtcp</command></term>
<listitem><para>copies a file to the real-time partition on an
<acronym>XFS</acronym> file system.</para>
<indexterm zone="xfs xfs_rtcp">
<primary sortas="b-xfs_rtcp">xfs_rtcp</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libhandle">
<term><filename class='libraryfile'>libhandle.so</filename></term>
<listitem><para>contains functions to map filesystem handles to a
corresponding open file descriptor for that filesystem.</para>
<indexterm zone="xfs libhandle">
<primary sortas="c-libhandle">libhandle.so</primary>
</indexterm></listitem>
</varlistentry>
</variablelist>
 
</sect2>
 
</sect1>
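Review bot: the DOCTYPE at the top of xfs.xml declares chapter as the document element, but the root element is sect1, so the file is not valid against the DTD on its own; declare sect1, as autofs.xml does (ext3.xml and reiser.xml in this revision have the same mismatch). In the install step, sed -i 's/autoconf//' Makefile is given without a "Command explanations" section, unlike the autofs and ReiserFS pages, so the reader cannot tell why the Makefile is edited before building. The xfs_repair description is also missing a space between the XFS acronym and "file systems".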
 
/trunk/blfs/postlfs/filesystems/ext3.xml
1,48 → 1,58
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<sect1 id="postlfs-filesystems-ext3">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="ext3.html"?>
<title>Ext3</title>
 
<para>Ext3 est un système de fichiers journalisé qui est une extension du
système de fichiers ext2. La compatibilité descendante avec ext2 est là, et la
conversion de ext2 vers ext3 est trivial.</para>
<para>Ext3 is a journaling file system that is an extension to the ext2
file system. It is backward compatible with ext2 and the conversion from ext2
to ext3 is trivial.</para>
 
<para>Vous n'avez pas besoin d'installer quoi que ce soit pour utiliser ext3,
tous les packages requis étant disponible dans un système <acronym>LFS</acronym>
de base.</para>
<para>You don't need to install anything to use ext3, all the required
packages are available with a bare <acronym>LFS</acronym> system.</para>
 
<para>Lors de la construction du noyau, assurez-vous que vous avez compilé le
support ext3. Si vous voulez que votre partition root soit ext3, alors
compilez le support ext3 dans le noyau, sinon vous pouvez le compiler en tant
que module. Recompilez le noyau si nécessaire.</para>
<para>When building the kernel, ensure that you have compiled in ext3
support. If you want your root partition to be ext3, then compile the ext3
support in the kernel, else you may compile it as a module. Recompile the
kernel if needed.</para>
 
<para>Editez votre <filename>/etc/fstab</filename>. Pour chaque partition que
vous voulez convertir en ext3, éditez l'entrée de façon à ce qu'il ressemble à
la ligne suivante.</para>
<para>Edit your <filename>/etc/fstab</filename>. For each partition that you
want to convert into ext3, edit the entry so that it looks similar to the
following line.</para>
 
<screen>/dev/hd<replaceable>XX</replaceable> /mnt_point ext3 defaults 1 0</screen>
 
<para>Dans la ligne ci-dessus, remplacez
<filename>/dev/hd<replaceable>XX</replaceable></filename> par
votre partition (par exemple <filename>/dev/hda2</filename>), <filename
class="directory">/mnt_point</filename> par le point de montage (par exemple
<filename class="directory">/home</filename>). Le <option>0</option> dans le
dernier champ assure que la partition ne sera pas vérifiée pour sa consistence
lors du démarrage par le script <command>checkfs</command>. Vous pouvez
remplacer le type de système de fichiers <option>ext3</option> par
<option>auto</option> si vous voulez vous assurer que la partition sera montée
si vous avez accidentellement oublié d'activer le support ext3 dans le noyau.
</para>
<para>In the above line, replace
<filename>/dev/hd<replaceable>XX</replaceable></filename> by the
partition (e.g., <filename>/dev/hda2</filename>),
<filename class="directory">/mnt_point</filename> by the mount point (e.g.,
<filename class="directory">/home</filename>). The <option>0</option> in the
last field ensures that the partition will not be checked for
consistency during the boot process by the <command>checkfs</command> script.
You may replace the <option>ext3</option> fs type in the above by
<option>auto</option> if you want to ensure that the partition is mounted
if you accidentally skip enabling the ext3 support in the kernel.</para>
 
<para>Pour chaque partition que vous voulez convertir en ext3 dans /etc/fstab,
activez le journal pour la partition en lançant la commande suivante.</para>
<para>For each partition that you have converted to ext3 in <filename>
/etc/fstab</filename>, enable the journal for the partition by running the
following command.</para>
 
<screen><userinput><command>tune2fs -j /dev/hd<replaceable>XX</replaceable></command></userinput></screen>
<screen><userinput role='root'><command>tune2fs -j /dev/hd<replaceable>XX</replaceable></command></userinput></screen>
 
<para>Remontez les partitions concernées, ou plus simplement, redémarrez si vous
avez recompilé le noyau pour activer le support ext3.</para>
<para>Remount the concerned partitions, or simply reboot if you have
recompiled the kernel to enable ext3 support.</para>
 
<para>Plus d'informations est disponible sur <ulink
url="http://www.zip.com.au/~akpm/linux/ext3/ext3-usage.html"/>.</para>
<para>More information is available at <ulink
url="http://www.zip.com.au/~akpm/linux/ext3/ext3-usage.html"/>. This
informaion is still relevant to the 2.6 kernels.</para>
 
</sect1>
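Review bot: "informaion" in the final paragraph ("This informaion is still relevant to the 2.6 kernels") is a typo for "information". The fstab example sets the last field to 0 and the text says this keeps checkfs from checking the partition at boot; a short reason for skipping the check would help, since replaying the journal is not the same as a full consistency check.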
/trunk/blfs/postlfs/filesystems/filesystems.xml
1,16 → 1,27
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<chapter id="postlfs-filesystems">
<?dbhtml filename="filesystems.html"?>
<title>Systèmes de fichiers</title>
<title>File Systems</title>
 
<para>Les systèmes de fichiers journalisés réduisent le temps nécessaire pour
récupérer un système de fichier qui n'a pas été démonté propremement. Bien que
ceci soit particulièrement important pour les serveurs, ils sont devenus
populaires aussi sur les environnements de bureau. Ce chapitre contient un
ensemble varié de systèmes de fichiers journalisés.</para>
<para>Journaling file systems reduce the time needed to recover a
file system that was not unmounted properly. While this can be extremely
important in reducing downtime for servers, it has also become popular for
desktop environments. This chapter contains a variety of journaling
file systems.</para>
 
&postlfs-filesystems-ext3;
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="ext3.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="reiser.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="xfs.xml"/>
 
<!-- &postlfs-filesystems-ext3;
&reiser;
&xfs;
-->
 
</chapter>
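Review bot: the commented-out block of entity references (postlfs-filesystems-ext3, reiser, xfs) left just before the closing chapter tag is dead markup now that the three sections come in through xi:include; drop it rather than keep it in a comment. The xi namespace is declared separately on each xi:include element; declaring it once on the chapter element would be tidier, and the build has to run with XInclude processing enabled for these includes to resolve.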
/trunk/blfs/postlfs/filesystems/reiser.xml
1,12 → 1,151
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY reiser-download-http "http://ftp.namesys.com/pub/reiserfsprogs/reiserfsprogs-&reiser-version;.tar.gz">
<!ENTITY reiser-download-ftp "ftp://ftp.namesys.com/pub/reiserfsprogs/reiserfsprogs-&reiser-version;.tar.gz">
<!ENTITY reiser-md5sum "b42cf15f6651c3ceff5cb84996c0d539">
<!ENTITY reiser-size "400 KB">
<!ENTITY reiser-buildsize "7.9 MB">
<!ENTITY reiser-time "0.16 SBU">
]>
 
<sect1 id="reiserfs" xreflabel="ReiserFS-&reiser-version;">
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="reiserfs.html"?>
<title>ReiserFS-&reiser-version;</title>
<indexterm zone="reiserfs">
<primary sortas="a-ReiserFS">ReiserFS</primary>
</indexterm>
 
&reiser-intro;
&reiser-inst;
&reiser-exp;
&reiser-desc;
<sect2>
<title>Introduction to <application>ReiserFS</application></title>
 
<para>The <application>ReiserFS</application> package contains various
utilities for use with the Reiser file system.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&reiser-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&reiser-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &reiser-md5sum;</para></listitem>
<listitem><para>Download size: &reiser-size;</para></listitem>
<listitem><para>Estimated disk space required:
&reiser-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&reiser-time;</para></listitem></itemizedlist>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>ReiserFS</application></title>
 
<para>Install <application>ReiserFS</application> by running the following
commands:</para>
 
<screen><userinput><command>./configure --prefix=/usr --sbindir=/sbin &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
ln -sf reiserfsck /sbin/fsck.reiserfs &amp;&amp;
ln -sf mkreiserfs /sbin/mkfs.reiserfs</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para><parameter>--prefix=/usr</parameter>: This ensures that
the manual pages are installed in the correct location while still
installing the programs in <filename class="directory">/sbin</filename> as
they should be.</para>
 
<para><parameter>--sbindir=/sbin</parameter>: This ensures that the
<application>ReiserFS</application> utilities are installed in
<filename class="directory">/sbin</filename> as they should be.</para>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
 
<seglistitem>
<seg>debugreiserfs, mkreiserfs, reiserfsck, reiserfstune and
resize_reiserfs</seg>
<seg>None</seg>
<seg>None</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="debugreiserfs">
<term><command>debugreiserfs</command></term>
<listitem><para>can sometimes help to solve problems with
<application>ReiserFS</application> file systems. If it is called without
options, it prints the super block of any reiserfs file system found on the
device.</para>
<indexterm zone="reiserfs debugreiserfs">
<primary sortas="b-debugreiserfs">debugreiserfs</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="mkreiserfs">
<term><command>mkreiserfs</command></term>
<listitem><para>creates a <application>ReiserFS</application> file
system.</para>
<indexterm zone="reiserfs mkreiserfs">
<primary sortas="b-mkreiserfs">mkreiserfs</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="reiserfsck">
<term><command>reiserfsck</command></term>
<listitem><para>is used to check or repair a
<application>ReiserFS</application> file system.</para>
<indexterm zone="reiserfs reiserfsck">
<primary sortas="b-reiserfsck">reiserfsck</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="reiserfstune">
<term><command>reiserfstune</command></term>
<listitem><para>is used for tuning the <application>ReiserFS</application>
journal. <emphasis>WARNING</emphasis>: Don't use this utility without first
reading the man page thoroughly.</para>
<indexterm zone="reiserfs reiserfstune">
<primary sortas="b-reiserfstune">reiserfstune</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="resize_reiserfs">
<term><command>resize_reiserfs</command></term>
<listitem><para>is used to resize an unmounted
<application>ReiserFS</application> file system.</para>
<indexterm zone="reiserfs resize_reiserfs">
<primary sortas="b-resize_reiserfs">resize_reiserfs</primary>
</indexterm></listitem>
</varlistentry>
</variablelist>
 
</sect2>
 
</sect1>
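Review bot: in "Command explanations", the entry for --prefix=/usr also claims the programs end up in /sbin, which is what the --sbindir=/sbin entry right after it covers; reword the first entry so it describes only what the prefix controls (the manual page location). The two ln -sf commands that create /sbin/fsck.reiserfs and /sbin/mkfs.reiserfs are run as root but are not explained anywhere in the section.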
 
/trunk/blfs/postlfs/security/gnupg/gnupg-intro.xml
File deleted
/trunk/blfs/postlfs/security/gnupg/gnupg-exp.xml
File deleted
/trunk/blfs/postlfs/security/gnupg/gnupg-inst.xml
File deleted
/trunk/blfs/postlfs/security/gnupg/gnupg-desc.xml
File deleted
/trunk/blfs/postlfs/security/gnupg/gnupg.ent
File deleted
/trunk/blfs/postlfs/security/shadow/shadow.ent
File deleted
/trunk/blfs/postlfs/security/shadow/shadow-intro.xml
File deleted
/trunk/blfs/postlfs/security/shadow/shadow-exp.xml
File deleted
/trunk/blfs/postlfs/security/shadow/shadow-inst.xml
File deleted
/trunk/blfs/postlfs/security/shadow/shadow-config.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/firewalling.ent
File deleted
/trunk/blfs/postlfs/security/firewalling/busybox.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/intro.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/disclaimer.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/credits.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/finale.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/extrainfo.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/kernel.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/masqrouter.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/status.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/writing.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/library.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/stop.xml
File deleted
/trunk/blfs/postlfs/security/firewalling/persfw.xml
File deleted
/trunk/blfs/postlfs/security/heimdal/heimdal-intro.xml
File deleted
/trunk/blfs/postlfs/security/heimdal/heimdal-exp.xml
File deleted
/trunk/blfs/postlfs/security/heimdal/heimdal-inst.xml
File deleted
/trunk/blfs/postlfs/security/heimdal/heimdal-desc.xml
File deleted
/trunk/blfs/postlfs/security/heimdal/heimdal-config.xml
File deleted
/trunk/blfs/postlfs/security/heimdal/heimdal.ent
File deleted
/trunk/blfs/postlfs/security/cracklib/cracklib.ent
File deleted
/trunk/blfs/postlfs/security/cracklib/cracklib-intro.xml
File deleted
/trunk/blfs/postlfs/security/cracklib/cracklib-exp.xml
File deleted
/trunk/blfs/postlfs/security/cracklib/cracklib-inst.xml
File deleted
/trunk/blfs/postlfs/security/cracklib/cracklib-desc.xml
File deleted
/trunk/blfs/postlfs/security/iptables/iptables.ent
File deleted
/trunk/blfs/postlfs/security/iptables/iptables-intro.xml
File deleted
/trunk/blfs/postlfs/security/iptables/iptables-exp.xml
File deleted
/trunk/blfs/postlfs/security/iptables/iptables-inst.xml
File deleted
/trunk/blfs/postlfs/security/iptables/iptables-desc.xml
File deleted
/trunk/blfs/postlfs/security/tripwire/tripwire-intro.xml
File deleted
/trunk/blfs/postlfs/security/tripwire/tripwire-exp.xml
File deleted
/trunk/blfs/postlfs/security/tripwire/tripwire-inst.xml
File deleted
/trunk/blfs/postlfs/security/tripwire/tripwire-desc.xml
File deleted
/trunk/blfs/postlfs/security/tripwire/tripwire-config.xml
File deleted
/trunk/blfs/postlfs/security/tripwire/tripwire.ent
File deleted
/trunk/blfs/postlfs/security/mitkrb/mitkrb-intro.xml
File deleted
/trunk/blfs/postlfs/security/mitkrb/mitkrb-exp.xml
File deleted
/trunk/blfs/postlfs/security/mitkrb/mitkrb-inst.xml
File deleted
/trunk/blfs/postlfs/security/mitkrb/mitkrb-desc.xml
File deleted
/trunk/blfs/postlfs/security/mitkrb/mitkrb-config.xml
File deleted
/trunk/blfs/postlfs/security/mitkrb/mitkrb.ent
File deleted
/trunk/blfs/postlfs/security/pam/linux_pam-config.xml
File deleted
/trunk/blfs/postlfs/security/pam/linux_pam.ent
File deleted
/trunk/blfs/postlfs/security/pam/linux_pam-intro.xml
File deleted
/trunk/blfs/postlfs/security/pam/linux_pam-exp.xml
File deleted
/trunk/blfs/postlfs/security/pam/linux_pam-inst.xml
File deleted
/trunk/blfs/postlfs/security/pam/linux_pam-desc.xml
File deleted
/trunk/blfs/postlfs/security/nessus.xml
1,8 → 1,11
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-security-nessus">
<sect1info>
<othername>$LastChangedBy: archaic $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="nessus.html"?>
<title>nessus</title>
 
<para>A ECRIRE - NOUVEAU</para>
<para>TO BE WRITTEN - NEW</para>
 
</sect1>
/trunk/blfs/postlfs/security/gnupg.xml
1,13 → 1,140
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="gnupg" xreflabel="gnupg-&gnupg-version;">
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY gnupg-download-http "http://public.ftp.planetmirror.com/pub/gnupg/gnupg-&gnupg-version;.tar.bz2">
<!ENTITY gnupg-download-ftp "ftp://ftp.gnupg.org/gcrypt/gnupg/gnupg-&gnupg-version;.tar.bz2">
<!ENTITY gnupg-md5 "8c303606aaf73b7756b9fe6f3d8b58c2">
<!ENTITY gnupg-size "2.7 MB">
<!ENTITY gnupg-buildsize "25 MB">
<!ENTITY gnupg-time "0.44 SBU">
]>
 
<sect1 id="gnupg" xreflabel="GnuPG-&gnupg-version;">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="gnupg.html"?>
<title>gnupg-&gnupg-version;</title>
<title>GnuPG-&gnupg-version;</title>
<indexterm zone="gnupg">
<primary sortas="a-GnuPG">GnuPG</primary></indexterm>
 
&gnupg-intro;
&gnupg-inst;
&gnupg-exp;
<!-- &gnupg-config; -->
&gnupg-desc;
<sect2>
<title>Introduction to <application>GnuPG</application></title>
 
<para>The <application>GnuPG</application> package contains a public/private
key encryptor. This is becoming useful for signing files or emails as proof
of identity and preventing tampering with contents of the file or email.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&gnupg-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&gnupg-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 Sum: &gnupg-md5;</para></listitem>
<listitem><para>Download size: &gnupg-size;</para></listitem>
<listitem><para>Estimated disk space required:
&gnupg-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&gnupg-time;</para></listitem></itemizedlist>
</sect3>
 
<!-- <sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required Patch: <ulink
url="&patch-root;/gnupg-&gnupg-version;-po_install_fix-1.patch"/>
</para></listitem>
</itemizedlist>
</sect3> -->
 
<sect3><title><application>GnuPG</application> dependencies</title>
<sect4><title>Optional</title>
<para><xref linkend="openldap"/>,
<ulink url="../server/mail.html">MTA</ulink>,
<xref linkend="docbook-utils"/> and <ulink
url="http://www.oasis-open.org/docbook/tools/dtm/">docbook-to-man</ulink>
</para></sect4>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>GnuPG</application></title>
 
<para>Install <application>GnuPG</application> by running the following
commands:</para>
 
<screen><userinput><command>./configure --prefix=/usr --libexecdir=/usr/lib &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
chmod 4755 /usr/bin/gpg</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para><parameter>--libexecdir=/usr/lib</parameter>: This command
creates a <filename class="directory">gnupg</filename> directory in
<filename class="directory">/usr/lib</filename> instead of
<filename class="directory">/usr/libexec</filename>.</para>
 
<para><command>chmod 4755 /usr/bin/gpg</command>: <command>gpg</command>
is installed setuid root to avoid swapping out sensitive data.</para>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>gpg, gpgsplit and gpgv</seg>
<seg>None</seg>
<seg>/usr/lib/gnupg and /usr/share/gnupg</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="gpg">
<term><command>gpg</command></term>
<listitem><para>is the backend (command-line interface) for
this Open<acronym>PGP</acronym> implementation.</para>
<indexterm zone="gnupg gpg">
<primary sortas="b-gpg">gpg</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="gpgsplit">
<term><command>gpgsplit</command></term>
<listitem><para>separates key rings.</para>
<indexterm zone="gnupg gpgsplit">
<primary sortas="b-gpgsplit">gpgsplit</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="gpgv">
<term><command>gpgv</command></term>
<listitem><para>is a verify only version of <command>gpg</command>.</para>
<indexterm zone="gnupg gpgv">
<primary sortas="b-gpgv">gpgv</primary></indexterm>
</listitem>
</varlistentry>
</variablelist>
 
</sect2>
 
</sect1>
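Review bot: In the "Command explanations" section, the paragraph for `chmod 4755 /usr/bin/gpg` justifies a setuid-root binary with a single clause ("to avoid swapping out sensitive data"), so the reader cannot weigh the trade-off. Suggest stating what the privilege is used for (locking memory so key material is not written to swap) and whether the step can be skipped on systems where a setuid-root `gpg` is not acceptable. The same section calls `--libexecdir=/usr/lib` "This command", although it is marked up as a `<parameter>` of `./configure`; "This switch" would match the wording used in the Heimdal file of this revision. The package information lists only an MD5 sum next to an HTTP download URL, so for a package whose purpose is signature verification it is worth pointing to the upstream signature as well.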
 
/trunk/blfs/postlfs/security/syslog.xml
1,8 → 1,11
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-security-syslog">
<sect1info>
<othername>$LastChangedBy: archaic $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="syslog.html"?>
<title>Configurer syslog</title>
<title>Configuring syslog</title>
 
<para>A ECRIRE - NOUVEAU</para>
<para>TO BE WRITTEN - NEW</para>
 
</sect1>
/trunk/blfs/postlfs/security/iptables.xml
1,19 → 1,182
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-security-iptables">
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY iptables-download-http "http://www.iptables.org/files/iptables-&iptables-version;.tar.bz2">
<!ENTITY iptables-download-ftp "ftp://ftp.netfilter.org/pub/iptables/iptables-&iptables-version;.tar.bz2">
<!ENTITY iptables-md5sum "c3358a3bd0d7755df0b64a5063db296b">
<!ENTITY iptables-size "177 KB">
<!ENTITY iptables-buildsize "3.8 MB">
<!ENTITY iptables-time "0.14 SBU">
]>
 
<sect1 id="iptables" xreflabel="iptables-&iptables-version;">
<sect1info>
<othername>$LastChangedBy: bdubbs $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="iptables.html"?>
<title>iptables-&iptables-version;</title>
 
<para>La prochaine partie de ce chapitre s'occupe des pare-feux. L'outil de
pare-feu principal pour Linux, pour la série du noyau 2.4, est
<application>iptables</application>. Il remplace
<application>ipchains</application> de la série 2.2 et
<application>ipfwadm</application> de la série 2.0. Vous aurez besoin
d'installer <application>iptables</application> si vous avez l'intention
d'utiliser une quelconque forme de pare-feu.</para>
<indexterm zone="iptables">
<primary sortas="a-Iptables">Iptables</primary>
</indexterm>
 
&iptables-intro;
&iptables-inst;
&iptables-exp;
&iptables-desc;
<para>The next part of this chapter deals with firewalls. The principal
firewall tool for Linux, as of the 2.4 kernel series, is
<application>iptables</application>. It replaces
<application>ipchains</application> from the 2.2 series and
<application>ipfwadm</application> from the 2.0 series. You will need to
install <application>iptables</application> if you intend on using any form of
a firewall.</para>
 
<sect2 id='iptables-kernel'>
<title>Introduction to <application>iptables</application></title>
 
<para>A firewall in Linux is accomplished through a portion of the kernel
called netfilter. The interface to netfilter is <application>iptables</application>.
To use it, the appropriate kernel configuration parameters are found in
Device Drivers -&gt; Networking Support -&gt; Networking Options -&gt;
Network Packet Filtering -&gt; IP: Netfilter Configuration.
 
<indexterm zone="iptables iptables-kernel">
<primary sortas="d-iptables">Iptables</primary>
</indexterm>
 
</para>
 
<sect3>
<title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink url="&iptables-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink url="&iptables-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &iptables-md5sum;</para></listitem>
<listitem><para>Download size: &iptables-size;</para></listitem>
<listitem><para>Estimated disk space required: &iptables-buildsize;</para></listitem>
<listitem><para>Estimated build time: &iptables-time;</para></listitem>
</itemizedlist>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>iptables</application></title>
 
<note>
<para>Installation of <application>iptables</application> will fail if raw
kernel headers are found in <filename
class='directory'>/usr/src/linux</filename> either as actual files or a
symlink. As of the Linux 2.6 kernel series, this directory should no longer
exist because appropriate headers were installed in the linux-libc-headers
package during the base <acronym>LFS</acronym> installation. </para>
 
<para>For some non-x86 architectures, the raw kernel headers may be required.
In that case, add the environment variable KERNEL_DIR=/usr/src/linux to the
make commands below.</para>
</note>
 
<para>Install <application>iptables</application> by running the following
commands:</para>
 
<screen><userinput><command>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make PREFIX=/usr LIBDIR=/lib BINDIR=/sbin install</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para><parameter>PREFIX=/usr LIBDIR=/lib BINDIR=/sbin</parameter>: Compiles
and installs <application>iptables</application> libraries into
<filename class="directory">/lib</filename>, binaries into
<filename class="directory">/sbin</filename> and the remainder into the
<filename class="directory">/usr</filename> hierarchy instead of
<filename class="directory">/usr/local</filename>. Firewalls are
generally activated during the boot process and
<filename class="directory">/usr</filename> may not be mounted at that
time.</para>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directory</segtitle>
 
<seglistitem>
<seg>iptables, iptables-restore, iptables-save and ip6tables</seg>
<seg>libip6t_*.so and libipt_*.so</seg>
<seg>/lib/iptables</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="iptables-prog">
<term><command>iptables</command></term>
<listitem><para>is used to set up, maintain, and inspect the tables of
<acronym>IP</acronym> packet filter rules in the Linux kernel.</para>
<indexterm zone="iptables iptables-prog">
<primary sortas="b-iptables">iptables</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="iptables-restore">
<term><command>iptables-restore</command></term>
<listitem><para>is used to restore <acronym>IP</acronym> Tables from data
specified on <acronym>STDIN</acronym>. Use I/O redirection provided by your
shell to read from a file.</para>
<indexterm zone="iptables iptables-restore">
<primary sortas="b-iptables-restore">iptables-restore</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="iptables-save">
<term><command>iptables-save</command></term>
<listitem><para>is used to dump the contents of an <acronym>IP</acronym> Table
in easily parseable format to <acronym>STDOUT</acronym>. Use I/O-redirection
provided by your shell to write to a file.</para>
<indexterm zone="iptables iptables-save">
<primary sortas="b-iptables-save">iptables-save</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="ip6tables">
<term><command>ip6tables</command></term>
<listitem><para>is used to set up, maintain, and inspect the tables of
<acronym>IP</acronym>v6 packet filter rules in the Linux kernel. Several
different tables may be defined. Each table contains a number of built-in
chains and may also contain user-defined chains.</para>
<indexterm zone="iptables ip6tables">
<primary sortas="b-ip6tables">ip6tables</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libip-iptables">
<term><filename class='libraryfile'>libip*.so</filename></term>
<listitem><para>library modules are various modules (implemented as dynamic
libraries) which extend the core functionality of
<command>iptables</command>.</para>
<indexterm zone="iptables libip-iptables">
<primary sortas="c-libip-iptables">libip*.so</primary>
</indexterm>
</listitem>
</varlistentry>
 
</variablelist>
</sect2>
</sect1>
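Review bot: The `<sect1>` opener appears to change its id from `postlfs-security-iptables` to `iptables`, so any `<xref linkend="postlfs-security-iptables"/>` left elsewhere in the book would no longer resolve; please check the other files touched by this revision for the old id before merging. In the "Introduction to iptables" sect2, the `<indexterm>` sits inside the `<para>`, after the text, with `</para>` on its own line a few lines later, while every other index entry in this file follows a closed `<para>`; moving it out keeps the markup consistent. The note about `KERNEL_DIR=/usr/src/linux` says to add it "to the make commands below" without showing the result; since both the build and the install invocation need it, spelling out one full command line would avoid a half-applied setting.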
/trunk/blfs/postlfs/security/heimdal.xml
1,12 → 1,851
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY heimdal-download-http "http://ftp.vc-graz.ac.at/mirror/crypto/kerberos/heimdal/heimdal-&heimdal-version;.tar.gz">
<!ENTITY heimdal-download-ftp "ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-&heimdal-version;.tar.gz">
<!ENTITY heimdal-md5sum "2265fd2d4573dd3a8da45ce62519e48b">
<!ENTITY heimdal-size "3.3 MB">
<!ENTITY heimdal-buildsize "70 MB">
<!ENTITY heimdal-time "2.18 SBU">
]>
 
<sect1 id="heimdal" xreflabel="Heimdal-&heimdal-version;">
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="heimdal.html"?>
<title>Heimdal-&heimdal-version;</title>
<indexterm zone="heimdal">
<primary sortas="a-Heimdal">Heimdal</primary>
</indexterm>
 
&heimdal-intro;
&heimdal-inst;
&heimdal-exp;
&heimdal-config;
&heimdal-desc;
<sect2>
<title>Introduction to <application>Heimdal</application></title>
 
<para><application>Heimdal</application> is a free implementation of Kerberos
5, that aims to be compatible with <acronym>MIT</acronym> krb5 and is backwards
compatible with krb4. Kerberos is a network authentication protocol. Basically
it preserves the integrity of passwords in any untrusted network (like the
Internet). Kerberized applications work hand-in-hand with sites that support
Kerberos to ensure that passwords cannot be stolen. A Kerberos installation
will make changes to the authentication mechanisms on your network and will
overwrite several programs and daemons from the
<application>Coreutils</application>, <application>Inetutils</application>,
<application>Qpopper</application> and <application>Shadow</application>
packages.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP):
<ulink url="&heimdal-download-http;"/></para></listitem>
<listitem><para>Download (FTP):
<ulink url="&heimdal-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &heimdal-md5sum;</para></listitem>
<listitem><para>Download size: &heimdal-size;</para></listitem>
<listitem><para>Estimated disk space required:
&heimdal-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&heimdal-time;</para></listitem></itemizedlist>
</sect3>
 
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required Patch: <ulink
url="&patch-root;/heimdal-&heimdal-version;-fhs_compliance-1.patch"/></para>
</listitem>
<listitem><para>Required patch for cracklib: <ulink
url="&patch-root;/heimdal-&heimdal-version;-cracklib-1.patch"/></para>
</listitem>
</itemizedlist>
 
</sect3>
 
<sect3><title><application>Heimdal</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="openssl"/> and
<xref linkend="db"/></para>
</sect4>
 
<sect4><title>Optional</title>
<para><xref linkend="Linux_PAM"/>,
<xref linkend="openldap"/>,
X (<xref linkend="xorg"/> or <xref linkend="xfree86"/>),
<xref linkend="cracklib"/> and
<ulink url="http://www.pdc.kth.se/kth-krb/">krb4</ulink></para>
 
<note><para>Some sort of time synchronization facility on your system (like
<xref linkend="ntp"/>) is required since Kerberos won't authenticate if the
time differential between a kerberized client and the
<acronym>KDC</acronym> server is more than 5 minutes.</para></note>
</sect4>
 
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>Heimdal</application></title>
 
<para>Before installing the package, you may want to preserve the
<command>ftp</command> program from the <application>Inetutils</application>
package. This is because using the <application>Heimdal</application>
<command>ftp</command> program to connect to non-kerberized ftp servers may
not work properly. It will allow you to connect (letting you know that
transmission of the password is clear text) but will have problems doing puts
and gets. Issue the following command as the root user.</para>
 
<screen><userinput role='root'><command>mv /usr/bin/ftp /usr/bin/ftpn</command></userinput></screen>
 
<para>If you wish the <application>Heimdal</application> package to link
against the <application>cracklib</application> library, you must apply a
patch:</para>
 
<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-cracklib-1.patch</command></userinput></screen>
 
<para>Install <application>Heimdal</application> by running the following
commands:</para>
 
<screen><userinput><command>patch -Np1 -i ../heimdal-&heimdal-version;-fhs_compliance-1.patch &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc/heimdal \
--datadir=/var/lib/heimdal --localstatedir=/var/lib/heimdal \
--libexecdir=/usr/sbin --enable-shared \
--with-openssl=/usr --with-readline=/usr &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
mv /bin/login /bin/login.shadow &amp;&amp;
mv /bin/su /bin/su.shadow &amp;&amp;
mv /usr/bin/{login,su} /bin &amp;&amp;
ln -sf ../../bin/login /usr/bin &amp;&amp;
mv /usr/lib/lib{otp.so.0*,kafs.so.0*,krb5.so.17*,asn1.so.6*} \
/usr/lib/lib{roken.so.16*,crypto.so.0*,db-4.3.so} /lib &amp;&amp;
ln -sf ../../lib/lib{otp.so.0{,.1.4},kafs.so.0{,.4.0},db-4.3.so} \
/usr/lib &amp;&amp;
ln -sf ../../lib/lib{krb5.so.17{,.3.0},asn1.so.6{,.0.2}} \
/usr/lib &amp;&amp;
ln -sf ../../lib/lib{roken.so.16{,.0.3},crypto.so.0{,.9.7}} \
/usr/lib &amp;&amp;
ldconfig</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para><parameter>--libexecdir=/usr/sbin</parameter>: This switch puts the
daemon programs into <filename class="directory">/usr/sbin</filename>.
</para>
 
<note><para>
If you want to preserve all your existing <application>Inetutils</application>
package daemons, install the <application>Heimdal</application> daemons into
<filename class="directory">/usr/sbin/heimdal</filename> (or wherever you
want). Since these programs will be called from <command>(x)inetd</command> or
<filename>rc</filename> scripts, it really doesn't matter where they are
installed, as long as they are correctly specified in the
<filename>/etc/(x)inetd.conf</filename> file and <filename>rc</filename>
scripts. If you choose something other than
<filename class="directory">/usr/sbin</filename>, you may want to move some of
the user programs (such as <command>kadmin</command>) to
<filename class="directory">/usr/sbin</filename> manually so they'll be in the
privileged user's default path.</para></note>
 
<para><command>mv ... .shadow; mv ... /bin; ln -sf ../../bin...</command>: The
<command>login</command> and <command>su</command> programs installed by
<application>Heimdal</application> belong in the
<filename class="directory">/bin</filename> directory. The
<command>login</command> program is symlinked because
<application>Heimdal</application> is expecting to find it in
<filename class="directory">/usr/bin</filename>. The old executables are
preserved before the move to keep things sane should breaks occur.</para>
 
<para><command>mv ... /lib; ln -sf ../../lib/lib... /usr/lib</command>: The
<command>login</command> and <command>su</command> programs installed by
<application>Heimdal</application> link against
<application>Heimdal</application> libraries as well as libraries provided by
the <application>Open<acronym>SSL</acronym></application> and
<application>Berkeley <acronym>DB</acronym></application> packages. These
libraries are moved to <filename class="directory">/lib</filename> to be
<acronym>FHS</acronym> compliant and also in case
<filename class="directory">/usr</filename> is located on a separate partition
which may not always be mounted.</para>
 
</sect2>
 
<sect2>
<title>Configuring <application>Heimdal</application></title>
 
<sect3 id="heimdal-config"><title>Config files</title>
<para><filename>/etc/heimdal/*</filename></para>
<indexterm zone="heimdal heimdal-config">
<primary sortas="e-etc-heimdal">/etc/heimdal/*</primary>
</indexterm>
</sect3>
 
<sect3><title>Configuration Information</title>
 
<sect4><title>Master <acronym>KDC</acronym> Server Configuration</title>
 
<para>Create the Kerberos configuration file with the following
commands:</para>
 
<screen><userinput role='root'><command>install -d /etc/heimdal &amp;&amp;
cat &gt; /etc/heimdal/krb5.conf &lt;&lt; "EOF"</command>
# Begin /etc/heimdal/krb5.conf
 
[libdefaults]
default_realm = <replaceable>[EXAMPLE.COM]</replaceable>
encrypt = true
 
[realms]
<replaceable>[EXAMPLE.COM]</replaceable> = {
kdc = <replaceable>[hostname.example.com]</replaceable>
admin_server = <replaceable>[hostname.example.com]</replaceable>
kpasswd_server = <replaceable>[hostname.example.com]</replaceable>
}
 
[domain_realm]
.<replaceable>[example.com]</replaceable> = <replaceable>[EXAMPLE.COM]</replaceable>
 
[logging]
kdc = FILE:/var/log/kdc.log
admin_server = FILE:/var/log/kadmin.log
default = FILE:/var/log/krb.log
 
# End /etc/heimdal/krb5.conf
<command>EOF</command></userinput></screen>
 
<para>You will need to substitute your domain and proper hostname for the
occurrences of the <replaceable>[hostname]</replaceable> and
<replaceable>[EXAMPLE.COM]</replaceable> names.</para>
 
<para><userinput>default_realm</userinput> should be the name of your domain
changed to ALL CAPS. This isn't required, but both
<application>Heimdal</application> and <application><acronym>MIT</acronym>
krb5</application> recommend it.</para>
 
<para><userinput>encrypt = true</userinput> provides encryption of all traffic
between kerberized clients and servers. It's not necessary and can be left
off. If you leave it off, you can encrypt all traffic from the client to the
server using a switch on the client program instead.</para>
 
<para>The <userinput>[realms]</userinput> parameters tell the client programs
where to look for the <acronym>KDC</acronym> authentication services.</para>
 
<para>The <userinput>[domain_realm]</userinput> section maps a domain to a
realm.</para>
 
<para>Store the master password in a key file using the following
commands:</para>
 
<screen><userinput role='root'><command>install -d -m 755 /var/lib/heimdal &amp;&amp;
kstash</command></userinput></screen>
 
<para>Create the <acronym>KDC</acronym> database:</para>
 
<screen><userinput role='root'><command>kadmin -l</command></userinput></screen>
 
<para>Choose the defaults for now. You can go in later and change the
defaults, should you feel the need. At the
<userinput>kadmin&gt;</userinput> prompt, issue the following statement:</para>
 
<screen><userinput role='root'><command>init <replaceable>[EXAMPLE.COM]</replaceable></command></userinput></screen>
 
<para>The database must now be populated with at least one principle (user).
For now, just use your regular login name or root. You may create as few, or
as many principles as you wish using the following statement:</para>
 
<screen><userinput role='root'><command>add <replaceable>[loginname]</replaceable></command></userinput></screen>
 
<para>The <acronym>KDC</acronym> server and any machine running kerberized
server daemons must have a host key installed:</para>
 
<screen><userinput role='root'><command>add --random-key host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
 
<para>After choosing the defaults when prompted, you will have to export the
data to a keytab file:</para>
 
<screen><userinput role='root'><command>ext host/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
 
<para>This should have created two files in
<filename class="directory">/etc/heimdal</filename>:
<filename>krb5.keytab</filename> (Kerberos 5) and
<filename>srvtab</filename> (Kerberos 4). Both files should have 600
(root rw only) permissions. Keeping the keytab files from public access
is crucial to the overall security of the Kerberos installation.</para>
 
<para>Eventually, you'll want to add server daemon principles to the database
and extract them to the keytab file. You do this in the same way you created
the host principles. Below is an example:</para>
 
<screen><userinput role='root'><command>add --random-key ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
 
<para>(choose the defaults)</para>
 
<screen><userinput role='root'><command>ext ftp/<replaceable>[hostname.example.com]</replaceable></command></userinput></screen>
 
<para>Exit the <command>kadmin</command> program (use <command>quit</command>
or <command>exit</command>) and return back to the shell prompt. Start
the <acronym>KDC</acronym> daemon manually, just to test out the
installation:</para>
 
<screen><userinput role='root'><command>/usr/sbin/kdc &amp;</command></userinput></screen>
 
<para>Attempt to get a <acronym>TGT</acronym> (ticket granting ticket) with
the following command:</para>
 
<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
 
<para>You will be prompted for the password you created. After you get your
ticket, you should list it with the following command:</para>
 
<screen><userinput><command>klist</command></userinput></screen>
 
<para>Information about the ticket should be displayed on the screen.</para>
 
<para>To test the functionality of the keytab file, issue the following
command:</para>
 
<screen><userinput><command>ktutil list</command></userinput></screen>
 
<para>This should dump a list of the host principals, along with the encryption
methods used to access the principals.</para>
 
<para>At this point, if everything has been successful so far, you can feel
fairly confident in the installation and configuration of the package.</para>
 
<para id="heimdal-init">Install the
<filename>/etc/rc.d/init.d/heimdal</filename> init script included in the
<xref linkend="intro-important-bootscripts"/> package:</para>
<indexterm zone="heimdal heimdal-init">
<primary sortas="f-heimdal">heimdal</primary>
</indexterm>
 
<screen><userinput role='root'><command>make install-heimdal</command></userinput></screen>
</sect4>
 
<sect4><title>Using Kerberized Client Programs</title>
 
<para>To use the kerberized client programs (<command>telnet</command>,
<command>ftp</command>, <command>rsh</command>,
<command>rxterm</command>, <command>rxtelnet</command>,
<command>rcp</command>, <command>xnlock</command>), you first must get
a <acronym>TGT</acronym>. Use the <command>kinit</command> program to
get the ticket. After you've acquired the ticket, you can use the
kerberized programs to connect to any kerberized server on the network.
You will not be prompted for authentication until your ticket expires
(default is one day), unless you specify a different user as a command
line argument to the program.</para>
 
<para>The kerberized programs will connect to non-kerberized daemons, warning
you that authentication is not encrypted. As mentioned earlier, only the
<command>ftp</command> program gives any trouble connecting to
non-kerberized daemons.</para>
 
<para>In order to use the <application>Heimdal</application>
<application>X</application> programs, you'll need to add a service port
entry to the <filename>/etc/services</filename> file for the
<command>kxd</command> server. There is no 'standardized port number' for
the 'kx' service in the <acronym>IANA</acronym> database, so you'll have to
pick an unused port number. Add an entry to the <filename>services</filename>
file similar to the entry below (substitute your chosen port number for
<replaceable>[49150]</replaceable>):</para>
 
<screen><userinput role='root'>kx <replaceable>[49150]</replaceable>/tcp # Heimdal kerberos X
kx <replaceable>[49150]</replaceable>/udp # Heimdal kerberos X</userinput></screen>
 
<para>For additional information consult <ulink
url="http://www.linuxfromscratch.org/hints/downloads/files/heimdal.txt">the
Heimdal hint</ulink> on which the above instructions are based.</para>
</sect4>
</sect3>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
 
<seglistitem>
<seg>afslog, dump_log, ftp, ftpd, hprop, hpropd, ipropd-master, ipropd-slave,
kadmin, kadmind, kauth, kdc, kdestroy, kf, kfd, kgetcred, kinit, klist,
kpasswd, kpasswdd, krb5-config, kstash, ktutil, kx, kxd, login, mk_cmds, otp,
otpprint, pagsh, pfrom, popper, push, rcp, replay_log, rsh, rshd, rxtelnet,
rxterm, string2key, su, telnet, telnetd, tenletxr, truncate-log,
verify_krb5_conf and xnlock</seg>
<seg>libasn1.[so,a], libeditline.a, libgssapi.[so,a], libhdb.[so,a],
libkadm5clnt.[so,a], libkadm5srv.[so,a], libkafs.[so,a], libkrb5.[so,a],
libotp.[so,a], libroken.[so,a], libsl.[so,a] and libss.[so,a]</seg>
<seg>/etc/heimdal, /usr/include/kadm5, /usr/include/ss and
/var/lib/heimdal</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="afslog">
<term><command>afslog</command></term>
<listitem><para>obtains <acronym>AFS</acronym> tokens for a number of
cells.</para>
<indexterm zone="heimdal afslog">
<primary sortas="b-afslog">afslog</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="ftp">
<term><command>ftp</command></term>
<listitem><para>is a kerberized <acronym>FTP</acronym> client.</para>
<indexterm zone="heimdal ftp">
<primary sortas="b-ftp">ftp</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="ftpd">
<term><command>ftpd</command></term>
<listitem><para>is a kerberized <acronym>FTP</acronym> daemon.</para>
<indexterm zone="heimdal ftpd">
<primary sortas="b-ftpd">ftpd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="hprop">
<term><command>hprop</command></term>
<listitem><para> takes a principal database in a specified format and converts
it into a stream of <application>Heimdal</application> database records.</para>
<indexterm zone="heimdal hprop">
<primary sortas="b-hprop">hprop</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="hpropd">
<term><command>hpropd</command></term>
<listitem><para>is a server that receives a database sent by
<command>hprop</command> and writes it as a local database.</para>
<indexterm zone="heimdal hpropd">
<primary sortas="b-hpropd">hpropd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="ipropd-master">
<term><command>ipropd-master</command></term>
<listitem><para>is a daemon which runs on the master <acronym>KDC</acronym>
server which incrementally propogates changes to the <acronym>KDC</acronym>
database to the slave <acronym>KDC</acronym> servers.</para>
<indexterm zone="heimdal ipropd-master">
<primary sortas="b-ipropd-master">ipropd-master</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="ipropd-slave">
<term><command>ipropd-slave</command></term>
<listitem><para>is a daemon which runs on the slave <acronym>KDC</acronym>
servers which incrementally propogates changes to the <acronym>KDC</acronym>
database from the master <acronym>KDC</acronym> server.</para>
<indexterm zone="heimdal ipropd-slave">
<primary sortas="b-ipropd-slave">ipropd-slave</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kadmin">
<term><command>kadmin</command></term>
<listitem><para>is a utility used to make modifications to the Kerberos
database.</para>
<indexterm zone="heimdal kadmin">
<primary sortas="b-kadmin">kadmin</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kadmind">
<term><command>kadmind</command></term>
<listitem><para>is a server for administrative access to the Kerberos
database.</para>
<indexterm zone="heimdal kadmind">
<primary sortas="b-kadmind">kadmind</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kauth">
<term><command>kauth</command></term>
<listitem><para>is a symbolic link to the <command>kinit</command>
program.</para>
<indexterm zone="heimdal kauth">
<primary sortas="g-kauth">kauth</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kdc">
<term><command>kdc</command></term>
<listitem><para>is a Kerberos 5 server.</para>
<indexterm zone="heimdal kdc">
<primary sortas="b-kdc">kdc</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kdestroy">
<term><command>kdestroy</command></term>
<listitem><para>removes a principle's current set of tickets.</para>
<indexterm zone="heimdal kdestroy">
<primary sortas="b-kdestroy">kdestroy</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kf">
<term><command>kf</command></term>
<listitem><para>is a program which forwards tickets to a remote host through
an authenticated and encrypted stream.</para>
<indexterm zone="heimdal kf">
<primary sortas="b-kf">kf</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kfd">
<term><command>kfd</command></term>
<listitem><para>is a server used to receive forwarded tickets.</para>
<indexterm zone="heimdal kfd">
<primary sortas="b-kfd">kfd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kgetcred">
<term><command>kgetcred</command></term>
<listitem><para>obtains a ticket for a service.</para>
<indexterm zone="heimdal kgetcred">
<primary sortas="b-kgetcred">kgetcred</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kinit">
<term><command>kinit</command></term>
<listitem><para>is used to authenticate to the Kerberos server as a principal
and acquire a ticket granting ticket that can later be used to obtain tickets
for other services.</para>
<indexterm zone="heimdal kinit">
<primary sortas="b-kinit">kinit</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="klist">
<term><command>klist</command></term>
<listitem><para>reads and displays the current tickets in the credential
cache.</para>
<indexterm zone="heimdal klist">
<primary sortas="b-klist">klist</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kpasswd">
<term><command>kpasswd</command></term>
<listitem><para>is a program for changing Kerberos 5 passwords.</para>
<indexterm zone="heimdal kpasswd">
<primary sortas="b-kpasswd">kpasswd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kpasswdd">
<term><command>kpasswdd</command></term>
<listitem><para>is a Kerberos 5 password changing server.</para>
<indexterm zone="heimdal kpasswdd">
<primary sortas="b-kpasswdd">kpasswdd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="krb5-config-prog">
<term><command>krb5-config</command></term>
<listitem><para>gives information on how to link programs against
<application>Heimdal</application> libraries.</para>
<indexterm zone="heimdal krb5-config-prog">
<primary sortas="b-krb5-config">krb5-config</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kstash">
<term><command>kstash</command></term>
<listitem><para>stores the <acronym>KDC</acronym> master password in a
file.</para>
<indexterm zone="heimdal kstash">
<primary sortas="b-kstash">kstash</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="ktutil">
<term><command>ktutil</command></term>
<listitem><para>is a program for managing Kerberos keytabs.</para>
<indexterm zone="heimdal ktutil">
<primary sortas="b-ktutil">ktutil</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kx">
<term><command>kx</command></term>
<listitem><para>is a program which securely forwards
<application>X</application> connections.</para>
<indexterm zone="heimdal kx">
<primary sortas="b-kx">kx</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kxd">
<term><command>kxd</command></term>
<listitem><para>is the daemon for <command>kx</command>.</para>
<indexterm zone="heimdal kxd">
<primary sortas="b-kxd">kxd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="login">
<term><command>login</command></term>
<listitem><para>is a kerberized login program.</para>
<indexterm zone="heimdal login">
<primary sortas="b-login">login</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="otp">
<term><command>otp</command></term>
<listitem><para>manages one-time passwords.</para>
<indexterm zone="heimdal otp">
<primary sortas="b-otp">otp</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="otpprint">
<term><command>otpprint</command></term>
<listitem><para>prints lists of one-time passwords.</para>
<indexterm zone="heimdal otpprint">
<primary sortas="b-otpprint">otpprint</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="pfrom">
<term><command>pfrom</command></term>
<listitem><para>is a script that runs <command>push --from</command>.</para>
<indexterm zone="heimdal pfrom">
<primary sortas="b-pfrom">pfrom</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="popper">
<term><command>popper</command></term>
<listitem><para>is a kerberized <acronym>POP</acronym>-3 server.</para>
<indexterm zone="heimdal popper">
<primary sortas="b-popper">popper</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="push">
<term><command>push</command></term>
<listitem><para>is a kerberized <acronym>POP</acronym> mail retreival
client.</para>
<indexterm zone="heimdal push">
<primary sortas="b-push">push</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="rcp">
<term><command>rcp</command></term>
<listitem><para>is a kerberized rcp client program.</para>
<indexterm zone="heimdal rcp">
<primary sortas="b-rcp">rcp</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="rsh">
<term><command>rsh</command></term>
<listitem><para>is a kerberized rsh client program.</para>
<indexterm zone="heimdal rsh">
<primary sortas="b-rsh">rsh</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="rshd">
<term><command>rshd</command></term>
<listitem><para>is a kerberized rsh server.</para>
<indexterm zone="heimdal rshd">
<primary sortas="b-rshd">rshd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="rxtelnet">
<term><command>rxtelnet</command></term>
<listitem><para>starts a secure <command>xterm</command> window with a
<command>telnet</command> to a given host and forwards
<application>X</application> connections.</para>
<indexterm zone="heimdal rxtelnet">
<primary sortas="b-rxtelnet">rxtelnet</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="rxterm">
<term><command>rxterm</command></term>
<listitem><para>starts a secure remote <command>xterm</command>.</para>
<indexterm zone="heimdal rxterm">
<primary sortas="b-rxterm">rxterm</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="string2key">
<term><command>string2key</command></term>
<listitem><para>maps a password into a key.</para>
<indexterm zone="heimdal string2key">
<primary sortas="b-string2key">string2key</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="su">
<term><command>su</command></term>
<listitem><para>is a kerberized su client program.</para>
<indexterm zone="heimdal su">
<primary sortas="b-su">su</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="telnet">
<term><command>telnet</command></term>
<listitem><para>is a kerberized telnet client program.</para>
<indexterm zone="heimdal telnet">
<primary sortas="b-telnet">telnet</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="telnetd">
<term><command>telnetd</command></term>
<listitem><para>is a kerberized telnet server.</para>
<indexterm zone="heimdal telnetd">
<primary sortas="b-telnetd">telnetd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="tenletxr">
<term><command>tenletxr</command></term>
<listitem><para>forwards <application>X</application> connections
backwards.</para>
<indexterm zone="heimdal tenletxr">
<primary sortas="b-tenletxr">tenletxr</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="verify_krb5_conf">
<term><command>verify_krb5_conf</command></term>
<listitem><para>checks <filename>krb5.conf</filename> file for obvious
errors.</para>
<indexterm zone="heimdal verify_krb5_conf">
<primary sortas="b-verify_krb5_conf">verify_krb5_conf</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="xnlock">
<term><command>xnlock</command></term>
<listitem><para>is a program that acts as a secure screen saver for
workstations running <application>X</application>.</para>
<indexterm zone="heimdal xnlock">
<primary sortas="b-xnlock">xnlock</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libasn1">
<term><filename class='libraryfile'>libasn1.[so,a]</filename></term>
<listitem><para>provides the ASN.1 and DER functions to encode and decode
the Kerberos TGTs.</para>
<indexterm zone="heimdal libasn1">
<primary sortas="c-libasn1">libasn1.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libeditline">
<term><filename class='libraryfile'>libeditline.a</filename></term>
<listitem><para>is a command-line editing library with history.</para>
<indexterm zone="heimdal libeditline">
<primary sortas="c-libeditline">libeditline.a</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libgssapi">
<term><filename class='libraryfile'>libgssapi.[so,a]</filename></term>
<listitem><para>contain the Generic Security Service Application Programming
Interface (<acronym>GSSAPI</acronym>) functions which provides security
services to callers in a generic fashion, supportable with a range of
underlying mechanisms and technologies and hence allowing source-level
portability of applications to different environments.</para>
<indexterm zone="heimdal libgssapi">
<primary sortas="c-libgssapi">libgssapi.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libhdb">
<term><filename class='libraryfile'>libhdb.[so,a]</filename></term>
<listitem><para>is a <application>Heimdal</application> Kerberos 5
authentication/authorization database access library.</para>
<indexterm zone="heimdal libhdb">
<primary sortas="c-libhdb">libhdb.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libkadm5clnt">
<term><filename class='libraryfile'>libkadm5clnt.[so,a]</filename></term>
<listitem><para>contains the administrative authentication and password
checking functions required by Kerberos 5 client-side programs.</para>
<indexterm zone="heimdal libkadm5clnt">
<primary sortas="c-libkadm5clnt">libkadm5clnt.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libkadm5srv">
<term><filename class='libraryfile'>libkadm5srv.[so,a]</filename></term>
<listitem><para>contain the administrative authentication and password
checking functions required by Kerberos 5 servers.</para>
<indexterm zone="heimdal libkadm5srv">
<primary sortas="c-libkadm5srv">libkadm5srv.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libkafs">
<term><filename class='libraryfile'>libkafs.[so,a]</filename></term>
<listitem><para>contains the functions required to authenticated to AFS.</para>
<indexterm zone="heimdal libkafs">
<primary sortas="c-libkafs">libkafs.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libkrb5">
<term><filename class='libraryfile'>libkrb5.[so,a]</filename></term>
<listitem><para>is an all-purpose Kerberos 5 library.</para>
<indexterm zone="heimdal libkrb5">
<primary sortas="c-libkrb5">libkrb5.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libotp">
<term><filename class='libraryfile'>libotp.[so,a]</filename></term>
<listitem><para>contains the functions required to handle authenticating
one time passwords.</para>
<indexterm zone="heimdal libotp">
<primary sortas="c-libotp">libotp.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libroken">
<term><filename class='libraryfile'>libroken.[so,a]</filename></term>
<listitem><para>is a library containing Kerberos 5 compatibility
functions.</para>
<indexterm zone="heimdal libroken">
<primary sortas="c-libroken">libroken.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
</variablelist>
 
</sect2>
 
</sect1>
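Review bot: the Short Descriptions variablelist does not cover everything the Contents segmentedlist names. dump_log, mk_cmds, pagsh, replay_log and truncate-log are listed under Installed Programs, and libsl.[so,a] and libss.[so,a] under Installed Libraries, but none of them has a varlistentry; either add entries or drop them from the lists. In the kauth entry the indexterm uses sortas="g-kauth" where every other program entry uses the "b-" prefix, so it will not sort with the other programs in the index. Spelling to fix in the same pass: "propogates" in both ipropd entries, "principle's" in kdestroy (should be "principal's"), "retreival" in push, and "required to authenticated" in libkafs.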
/trunk/blfs/postlfs/security/firewalling.xml
1,17 → 1,535
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-security-fw-firewall" xreflabel="Firewalling">
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<sect1 id="fw-firewall" xreflabel="Firewalling">
<sect1info>
<othername>$LastChangedBy: bdubbs $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="firewall.html"?>
<title>Mettre en place un pare-feu réseau</title>
<title>Setting up a network firewall</title>
 
<para>Avant de lire cette partie du chapitre, notez que nous assumons que
vous avez déjà installé iptables comme décrit dans la section précédente.</para>
<para>Before you read this part of the chapter, you should
have already installed iptables as described in the previous section.</para>
 
&postlfs-security-fw-intro;
&postlfs-security-fw-disclaimer;
&postlfs-security-fw-kernel;
&postlfs-security-fw-writing;
&postlfs-security-fw-finale;
&postlfs-security-fw-extrainfo;
<sect2 id="fw-intro" xreflabel="Firewalling Introduction">
<title>Introduction to Firewall Creation</title>
 
<para>The general purpose of a firewall is to protect a computer or a network
against malicious access.</para>
 
<para>In a perfect world, every daemon or service
on every machine is perfectly configured and immune to flaws such as
buffer overflows or other problems regarding its
security. Furthermore, you trust every user accessing your services.
In this world, you do not need to have a firewall.</para>
 
<para>In the real world however, daemons may be misconfigured
and exploits against essential services are freely available. You
may wish to choose which services are accessible by certain machines or
you may wish to limit which machines or applications are allowed external
access. Alternatively, you may simply not trust some of your
applications or users. You are probably connected to the Internet. In this
world, a firewall is essential.</para>
 
<para>Don't assume however, that having a firewall makes careful configuration
redundant, or that it makes any negligent misconfiguration harmless. It doesn't
prevent anyone from exploiting a service you intentionally offer but haven't
recently updated or patched after an exploit went public. Despite having a
firewall, you need to keep applications and daemons on your system properly
configured and up to date. A firewall is not a cure all, but should be an
essential part of your overall security startegy.</para>
 
</sect2>
 
<sect2>
<title>Meaning of the word "firewall"</title>
 
<para>The word firewall can have several different meanings.</para>
 
<sect3><title><xref linkend="fw-persFw"/></title>
 
<para>This is a hardware device or software program commercially sold by
companies such as Symantec which claims that it
secures a home or desktop computer with Internet access. This type of firewall is
highly relevant for users who do not know how their computers
might be accessed via the Internet or how to disable that access,
especially if they are always online and connected via
broadband links.</para></sect3>
 
<sect3>
<title><xref linkend="fw-masqRouter"/></title>
 
<para>This is a system placed between the Internet and an intranet. To minimize
the risk of compromising the firewall itself, it should generally have only one
role&mdash;that of protecting the intranet. Although not completely risk free,
the tasks of doing the routing and IP masquerading (rewriting IP headers of
the packets it routes from clients with private IP addresses onto the Internet
so that they seem to come from the firewall itself) are commonly considered
relatively secure.</para>
</sect3>
 
<sect3>
<title><xref linkend="fw-busybox"/></title>
 
<para>This is often an old computer you may have retired and nearly forgotten,
performing masquerading or routing functions, but offering non-firewall
services such as a web-cache or mail. This may be used for home
networks, but is not be considered as secure as a firewall only
machine because the combination of server and router/firewall on one machine
raises the complexity of the setup.</para>
</sect3>
 
<sect3>
<title>Firewall with a demilitarized zone [not further described here]</title>
<para>This box performs masquerading or routing, but grants public access to
some branch of your network which, because of public IP's and a physically
separated structure, is essentially a separate network with direct Internet access.
The servers on this network are those which must be easily accessible
from both the Internet and intranet. The firewall protects
both networks. This type of firewall has a minimum of three network interfaces.</para>
</sect3>
 
<sect3>
<title>Packetfilter</title>
<para>This type of firewall does routing or masquerading, but does not maintain
a state table of ongoing communication streams. It is fast, but quite limited
in its ability to block inappropriate packets without blocking desired
packets.</para>
</sect3>
</sect2>
 
<sect2 id="fw-writing" xreflabel="writing the firewalling-setup-scripts">
<title>Now you can start to build your Firewall</title>
 
<caution><para>This introduction on how to setup a firewall
is not a complete guide to securing systems. Firewalling is a complex issue
that requires careful configuration. The scripts quoted here are simply
intended to give examples of how a firewall works. They are not intended to
fit into any particular configuration and may not provide complete protection
from an attack.</para>
 
<para>Customization of these scripts for your specific situation will
be necessary for an optimal configuration, but you should make a serious
study of the iptables documentation and creating firewalls in general before
hacking away. Have a look at the list of
<xref linkend="fw-library"/> at the end of this section for
more details. There you will find a list of URLs that contain quite
comprehensive information about building your own firewall.</para>
</caution>
 
<para>The firewall configuration script installed in the last section differs
from the standard configuration script. It only has two of the standard
targets: start and status. The other targets are clear and lock. For instance when you
run:
 
<screen><userinput><command>/etc/rc.d/init.d/iptables start</command></userinput></screen>
 
the firewall will be restarted just as it is upon system startup. The status target
will present a list of all currently implemented rules. The clear target turns off all
firewall rules and the lock target will block all packets in and out of the computer
with the exception of the loopback interface.</para>
 
<para>The main startup firewall is located in the file
<filename>/etc/rc.d/rc.iptables</filename>. The sections below provide three different
approaches that can be used for a system.</para>
 
<note><para>You should always run your firewall rules from a script. This ensures
consistency and a record of what was done. It also allows retention of comments
that are essential for understanding the rules long after they were written.
</para></note>
 
<sect3 id="fw-persFw" xreflabel="Personal Firewall">
<title>Personal Firewall</title>
 
<para>A Personal Firewall is designed to let you access all the services
offered on the Internet, but keep your box secure and your data private.</para>
 
<para>Below is a slightly modified version of Rusty Russell's recommendation
from the
<ulink url="http://www.netfilter.org/documentation/HOWTO/packet-filtering-HOWTO.html">
Linux 2.4 Packet Filtering HOWTO</ulink>. It is still applicable to the Linux 2.6 kernels.</para>
 
<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
#!/bin/sh
 
# Begin $rc_base/rc.iptables
 
# Insert connection-tracking modules
# (not needed if built into the kernel)
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe ipt_LOG
 
# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 
# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
 
# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
 
# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
 
# Don¹t send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
 
# Drop Spoofed Packets coming in on an interface, where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
 
# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
 
# be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
 
# disable Explicit Congestion Notification
# too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
 
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-exisiting user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
 
# Allow local-only connections
iptables -A INPUT -i lo -j ACCEPT
 
# Free output on any interface to any ip for any service
# (equal to -P ACCEPT)
iptables -A OUTPUT -j ACCEPT
 
# Permit answers on already established connections
# and permit new connections related to established ones
# (e.g. port mode ftp)
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 
# Log everything else. What's Windows' latest exploitable vulnerability?
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
 
# End $rc_base/rc.iptables
<command>EOF</command></userinput></screen>
 
<para>This script is quite simple, it drops all traffic coming in into your
computer that wasn't initiated from your box, but as long as you are simply
surfing the Internet you are unlikely to exceed its limits.</para>
 
<para>If you frequently encounter certain delays at accessing ftp-servers,
take a look at <xref linkend="fw-BB-4"/>.</para>
 
<para>Even if you have daemons or services running on your system, these
will be inaccessible everywhere but from your computer itself.
If you want to allow access to services on your machine, such as ssh or
ping, take a look at <xref linkend="fw-busybox"/>.</para>
 
</sect3>
 
<sect3 id="fw-masqRouter" xreflabel="Masquerading Router">
<title>Masquerading Router</title>
 
<para>A true Firewall has two interfaces, one connected to an intranet, in this
example <emphasis role="strong">eth0</emphasis>, and one connected to the
Internet, here <emphasis role="strong">ppp0</emphasis>. To provide the
maximum security for the firewall itself, make sure that there
are no unnecessary servers running on it such as <application>X11</application> et
al. As a general principle, the firewall itself should not access any
untrusted service (Think of a remote server giving answers that makes a daemon on
your system
crash, or, even worse, that implements a worm via a buffer-overflow).</para>
 
<screen><userinput><command>cat &gt; /etc/rc.d/rc.iptables &lt;&lt; "EOF"</command>
#!/bin/sh
 
# Begin $rc_base/rc.iptables
 
echo
echo "You're using the example configuration for a setup of a firewall"
echo "from Beyond Linux From Scratch."
echo "This example is far from being complete, it is only meant"
echo "to be a reference."
echo "Firewall security is a complex issue, that exceeds the scope"
echo "of the configuration rules below."
echo "You can find additional information"
echo "about firewalls in Chapter 4 of the BLFS book."
echo "http://www.linuxfromscratch.org/blfs"
echo
 
# Insert iptables modules (not needed if built into the kernel).
 
modprobe ip_tables
modprobe iptable_filter
modprobe ip_conntrack
modprobe ip_conntrack_ftp
modprobe ipt_state
modprobe iptable_nat
modprobe ip_nat_ftp
modprobe ipt_MASQUERADE
modprobe ipt_LOG
modprobe ipt_REJECT
 
# Enable broadcast echo Protection
echo 1 &gt; /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts
 
# Disable Source Routed Packets
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_source_route
 
# Enable TCP SYN Cookie Protection
echo 1 &gt; /proc/sys/net/ipv4/tcp_syncookies
 
# Disable ICMP Redirect Acceptance
echo 0 &gt; /proc/sys/net/ipv4/conf/all/accept_redirects
 
# Don¹t send Redirect Messages
echo 0 &gt; /proc/sys/net/ipv4/conf/all/send_redirects
 
# Drop Spoofed Packets coming in on an interface where responses
# would result in the reply going out a different interface.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/rp_filter
 
# Log packets with impossible addresses.
echo 1 &gt; /proc/sys/net/ipv4/conf/all/log_martians
 
# Be verbose on dynamic ip-addresses (not needed in case of static IP)
echo 2 &gt; /proc/sys/net/ipv4/ip_dynaddr
 
# Disable Explicit Congestion Notification
# Too many routers are still ignorant
echo 0 &gt; /proc/sys/net/ipv4/tcp_ecn
 
# Set a known state
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP
# These lines are here in case rules are already in place and the
# script is ever rerun on the fly. We want to remove all rules and
# pre-exisiting user defined chains before we implement new rules.
iptables -F
iptables -X
iptables -Z
iptables -t nat -F
 
# Allow local connections
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
 
# Allow forwarding if the initiated on the intranet
iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i ! ppp+ -m state --state NEW -j ACCEPT
 
# Do masquerading
# (not needed if intranet is not using private ip-addresses)
iptables -t nat -A POSTROUTING -o ppp+ -j MASQUERADE
 
# Log everything for debugging
# (last of all rules, but before policy rules)
iptables -A INPUT -j LOG --log-prefix "FIREWALL:INPUT "
iptables -A FORWARD -j LOG --log-prefix "FIREWALL:FORWARD"
iptables -A OUTPUT -j LOG --log-prefix "FIREWALL:OUTPUT "
 
# Enable IP Forwarding
echo 1 &gt; /proc/sys/net/ipv4/ip_forward
<command>EOF</command></userinput></screen>
 
<para>With this script your intranet should be reasonably secure against
external attacks. No one should be able to setup a new connection to any
internal service and, if it's masqueraded, makes your intranet invisible to the
Internet. Furthermore, your firewall should be relatively safe because there
are no services running that a cracker could attack.</para>
 
<note><para>If the interface you're connecting to the Internet doesn't connect
via ppp, you will need to change <replaceable>ppp+</replaceable> to the name of
the interface, e.g. <emphasis role="strong">eth1</emphasis>, which you are using.
</para></note>
 
</sect3>
 
<sect3 id="fw-busybox" xreflabel="BusyBox">
<title>BusyBox</title>
 
<para>This scenario isn't too different from the <xref linkend="fw-masqRouter"/>,
but additionally offers some services to your intranet.
Examples of this can be when you want to administer your firewall from another host
on your intranet or use it as a proxy or a name server.</para>
 
<note><para>Outlining a true concept of how to protect a server that offers
services on the Internet goes far beyond the scope of this document. See the references
at the end of this section for more information.</para></note>
 
<para>Be cautious. Every service you have enabled makes your
setup more complex and your firewall less secure. You are exposed to the risks of
misconfigured services or running a service with an exploitable bug. A
firewall should generally not run any extra services. See the introduction to
the <xref linkend="fw-masqRouter"/> for some more details.</para>
 
<para>If you want to add services such as internal samba or name servers that do not
need to access the Internet themselves, the additional statements are quite
simple and should still be acceptable from a security standpoint.
Just add the following lines
into the script <emphasis>before</emphasis> the logging rules.</para>
 
<screen>iptables -A INPUT -i ! ppp+ -j ACCEPT
iptables -A OUTPUT -o ! ppp+ -j ACCEPT</screen>
 
<para>If daemons, such as squid, have to access the Internet themselves,
you could open OUTPUT generally and restrict INPUT.</para>
 
<screen>iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -j ACCEPT</screen>
 
<para>However, it is generally not advisable to leave OUTPUT unrestricted. You
lose any control over trojans who would like to "call home", and a bit of
redundancy in case you've (mis-)configured a service so that it broadcasts
its existence to the world.</para>
 
<para>To accomplish this, you should restrict INPUT and OUTPUT
on all ports except those that it's absolutely necessary to have open.
Which ports you have to open depends on your needs: mostly you will find them
by looking for failed accesses in your log files.</para>
<itemizedlist spacing="compact" role='iptables'>
 
<title>Have a look at the following examples:</title>
 
<listitem><para>Squid is caching the web:</para>
<screen>iptables -A OUTPUT -p tcp --dport 80 -j ACCEPT
iptables -A INPUT -p tcp --sport 80 -m state --state ESTABLISHED \
-j ACCEPT</screen>
</listitem>
 
<listitem><para>Your caching name server (e.g., named) does its
lookups via udp:</para>
<screen>iptables -A OUTPUT -p udp --dport 53 -j ACCEPT</screen>
</listitem>
 
<listitem><para>You want to be able to ping your box to
ensure it's still alive:</para>
 
<screen>iptables -A INPUT -p icmp -m icmp --icmp-type echo-request -j ACCEPT
iptables -A OUTPUT -p icmp -m icmp --icmp-type echo-reply -j ACCEPT</screen>
</listitem>
 
<listitem><para><anchor id='fw-BB-4' xreflabel="BusyBox example number 4"/>If you are
frequently accessing ftp servers or enjoy chatting, you might notice certain
delays because some implementations of these daemons have the feature of
querying an identd on your system to obtain usernames. Although there's really
little harm in this, having an identd running is not recommended because many
security experts feel the service gives out too much additional information.</para>
 
<para>To avoid these delays you could reject the requests
with a 'tcp-reset':</para>
 
<screen>iptables -A INPUT -p tcp --dport 113 -j REJECT --reject-with tcp-reset</screen>
</listitem>
 
<listitem><para>To log and drop invalid packets (packets
that came in after netfilter's timeout or some types of network scans):</para>
 
<screen>iptables -I INPUT -p tcp -m state --state INVALID \
-j LOG --log-prefix "FIREWALL:INVALID"
iptables -I INPUT -p tcp -m state --state INVALID -j DROP</screen></listitem>
 
<listitem><para>Anything coming from the outside should not have a
private address, this is a common attack called IP-spoofing:
 
<screen>iptables -A INPUT -i ppp+ -s 10.0.0.0/8 -j DROP
iptables -A INPUT -i ppp+ -s 172.16.0.0/12 -j DROP
iptables -A INPUT -i ppp+ -s 192.168.0.0/16 -j DROP</screen>
 
There are other addresses that you may also want to drop: 0.0.0.0/8,
127.0.0.0/8, 224.0.0.0/3 (multicast and experimental), 169.254.0.0/16 (Link
Local Networks), and 192.0.2.0/24 (IANA defined test network).</para>
</listitem>
 
<listitem><para>If your firewall is a DHCP client, you need to allow
those packets:</para>
 
<screen>iptables -A INPUT -i ppp0 -p udp -s 0.0.0.0 --sport 67 \
-d 255.255.255.255 --dport 68 -j ACCEPT</screen>
</listitem>
 
<listitem><para>To simplify debugging and be fair to anyone who'd like to
access a service you have disabled, purposely or by mistake, you could REJECT
those packets that are dropped.</para>
 
<para>Obviously this must be done directly after logging as the very
last lines before the packets are dropped by policy:</para>
 
<screen>iptables -A INPUT -j REJECT</screen>
</listitem>
</itemizedlist>
 
<para>These are only examples to show you some of the capabilities of the
firewall code in Linux. Have a look at the man page of iptables.
There you will find much more information. The port numbers needed for this can be
found in <filename>/etc/services</filename>, in case you didn't find them by
trial and error in your log file.</para>
 
</sect3>
</sect2>
 
<sect2 id="fw-finale" xreflabel="Conclusion">
<title>Conclusion</title>
 
<para>Finally, there is one fact you must not forget: The effort spent
attacking a system corresponds to the value the cracker expects to gain from
it. If you are responsible for valuable information, you need to spend the
time to protect it properly.</para>
 
</sect2>
 
<sect2 id="postlfs-security-fw-extra" xreflabel="Extra Information">
<title>Extra Information</title>
 
<sect3 id="fw-library" xreflabel="Links for further reading">
<title>Where to start with further reading on firewalls.</title>
 
<para><blockquote><literallayout>
<ulink url="http://www.netfilter.org/">www.netfilter.org - Homepage of the netfilter/iptables project</ulink>
<ulink url="http://www.netfilter.org/documentation/FAQ/netfilter-faq.html">Netfilter related FAQ</ulink>
<ulink url="http://www.netfilter.org/documentation/index.html#HOWTO">Netfilter related HOWTO's</ulink>
<ulink url="http://en.tldp.org/LDP/nag2/x-087-2-firewall.html">en.tldp.org/LDP/nag2/x-087-2-firewall.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Security-HOWTO.html">en.tldp.org/HOWTO/Security-HOWTO.html</ulink>
<ulink url="http://en.tldp.org/HOWTO/Firewall-HOWTO.html">en.tldp.org/HOWTO/Firewall-HOWTO.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire.html">www.ibm.com/developerworks/security/library/s-fire.html</ulink>
<ulink url="http://www-106.ibm.com/developerworks/security/library/s-fire2.html">www.ibm.com/developerworks/security/library/s-fire2.html</ulink>
<ulink url="http://www.interhack.net/pubs/fw-faq/">www.interhack.net/pubs/fw-faq/</ulink>
<ulink url="http://www.linuxsecurity.com/docs/">www.linuxsecurity.com/docs/</ulink>
<ulink url="http://www.little-idiot.de/firewall">www.little-idiot.de/firewall (German &amp; outdated, but very comprehensive)</ulink>
<ulink url="http://www.linuxgazette.com/issue65/stumpel.html">www.linuxgazette.com/issue65/stumpel.html</ulink>
<ulink url="http://linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html">linux.oreillynet.com/pub/a/linux/2000/03/10/netadmin/ddos.html</ulink>
<ulink url="http://staff.washington.edu/dittrich/misc/ddos">staff.washington.edu/dittrich/misc/ddos</ulink>
<ulink url="http://www.e-infomax.com/ipmasq">www.e-infomax.com/ipmasq</ulink>
<ulink url="http://www.circlemud.org/~jelson/writings/security/index.htm">www.circlemud.org/~jelson/writings/security/index.htm</ulink>
<ulink url="http://www.securityfocus.com">www.securityfocus.com</ulink>
<ulink url="http://www.cert.org/tech_tips/">www.cert.org - tech_tips</ulink>
<ulink url="http://security.ittoolbox.com/">security.ittoolbox.com</ulink>
<ulink url="http://www.linux-firewall-tools.com/linux/">www.linux-firewall-tools.com/linux/</ulink>
<ulink url="http://logi.cc/linux/athome-firewall.php3">logi.cc/linux/athome-firewall.php3</ulink>
<ulink url="http://www.insecure.org/reading.html">www.insecure.org/reading.html</ulink>
<ulink url="http://www.robertgraham.com/pubs/firewall-seen.html">www.robertgraham.com/pubs/firewall-seen.html</ulink>
</literallayout></blockquote></para>
</sect3>
 
</sect2>
</sect1>
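Review bot: In the "log and drop invalid packets" example, both rules are added with -I INPUT, which inserts at the head of the chain, so running them in the order shown leaves the DROP rule above the LOG rule and invalid packets are discarded before they reach the LOG rule. Swap the two commands, or give explicit positions (-I INPUT 1 for the LOG rule, -I INPUT 2 for the DROP rule), so that LOG ends up first. The rules also match only -p tcp, while the text speaks of invalid packets in general; either remove the protocol match or say that only TCP is covered.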
 
/trunk/blfs/postlfs/security/shadow.xml
1,28 → 1,299
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="shadow">
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY shadow-download-http " ">
<!ENTITY shadow-download-ftp "ftp://ftp.pld.org.pl/software/shadow/old/shadow-&shadow-version;.tar.bz2">
<!ENTITY shadow-md5sum "3a3d17d3d7c630b602baf66ae7434c61">
<!ENTITY shadow-size "814 KB">
<!ENTITY shadow-buildsize "14.1 MB">
<!ENTITY shadow-time "0.42 SBU">
]>
 
<sect1 id="shadow" xreflabel="Shadow-&shadow-version;">
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="shadow.html"?>
<title>shadow-&shadow-version;</title>
<title>Shadow-&shadow-version;</title>
<indexterm zone="shadow">
<primary sortas="a-Shadow">Shadow</primary></indexterm>
 
<!--
<para>Fichier de configuration pour Shadow</para>
<sect2>
<title>Configuring shadow</title>
 
<para>Shadow's Configuration File</para>
 
<para><userinput>/etc/login.defs</userinput></para>
 
<para>Activer les mots de passe MD5</para>
<para>Enabling <acronym>MD</acronym>5 Passwords</para>
 
<para>Pour activer les mots de passe MD5, modifiez la ligne du fichier
login.defs indiquant:
<screen><userinput>#MD5_CRYPT_ENABLE no</userinput></screen>
par
<screen><userinput>MD5_CRYPT_ENABLE yes</userinput></screen></para>
 
<para>Les mots de passe créés après cette modification seront cryptés en
utilisant MD5 au lieu du cryptage DES.</para>
<para>To enable <acronym>MD</acronym>5 Passwords, modify the line in the
<filename>login.defs</filename> file that reads:
<screen><userinput>#MD5_CRYPT_ENAB no</userinput></screen>
to read:
<screen><userinput>MD5_CRYPT_ENAB yes</userinput></screen>
Passwords created after this change will be encrypted using
<acronym>MD</acronym>5 (Message-Digest Algorithm) instead of using
<acronym>DES</acronym> encryption.
</para>
</sect2>
-->
 
&shadow-intro;
&shadow-inst;
&shadow-exp;
&shadow-config;
<sect2>
<title>Introduction to <application>Shadow</application></title>
 
<para>Shadow was indeed installed in <acronym>LFS</acronym> and there is
no reason to reinstall it unless you installed
<application>Linux-<acronym>PAM</acronym></application>. If you did,
this will allow programs like <command>login</command> and
<command>su</command> to utilize
<acronym>PAM</acronym>.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing="compact">
<listitem><para>Download (HTTP):
<ulink url="&shadow-download-http;"/></para></listitem>
<listitem><para>Download (FTP):
<ulink url="&shadow-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum:
&shadow-md5sum;</para></listitem>
<listitem><para>Download size:
&shadow-size;</para></listitem>
<listitem><para>Estimated disk space required:
&shadow-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&shadow-time;</para></listitem></itemizedlist>
</sect3>
 
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Patch to fix linking against PAM:
<ulink url="&patch-root;/shadow-&shadow-version;-pam-1.patch"/></para>
</listitem>
</itemizedlist>
</sect3>
 
<sect3><title><application>Shadow</application> dependencies</title>
<sect4><title>Required</title>
<para><xref linkend="Linux_PAM"/></para></sect4>
</sect3>
</sect2>
 
<sect2>
<title>Installation of <application>Shadow</application></title>
 
<para>Reinstall <application>Shadow</application> by running the following
commands:</para>
 
<screen><userinput><command>patch -Np1 -i ../shadow-&shadow-version;-pam-1.patch &amp;&amp;
LIBS="-lpam -lpam_misc" ./configure --libdir=/usr/lib \
--enable-shared --with-libpam --without-libcrack &amp;&amp;
echo '#define HAVE_SETLOCALE 1' >> config.h &amp;&amp;
sed -i '/extern char/d' libmisc/xmalloc.c &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
mv /bin/sg /usr/bin &amp;&amp;
mv /bin/vigr /usr/sbin &amp;&amp;
mv /usr/bin/passwd /bin &amp;&amp;
rm /bin/groups &amp;&amp;
mv /usr/lib/lib{misc,shadow}.so.0* /lib &amp;&amp;
ln -sf ../../lib/libshadow.so.0 /usr/lib/libshadow.so &amp;&amp;
ln -sf ../../lib/libmisc.so.0 /usr/lib/libmisc.so</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para><parameter>--without-libcrack</parameter>: This switch tells
<application>Shadow</application> not to use
<filename class='libraryfile'>libcrack</filename>. This is desired as
<application>Linux-<acronym>PAM</acronym></application> already contains
<filename class='libraryfile'>libcrack</filename>.</para>
 
<para><command>sed -i '/extern char/d' libmisc/xmalloc.c</command>: This
fixes a compilation problem when using <application>GCC</application>-3.4.x.
</para>
 
</sect2>
 
<sect2>
<title>Configuring <application>Linux-<acronym>PAM</acronym></application> to
work with <application>Shadow</application></title>
 
<sect3 id="pam.d"><title>Config files</title>
<para><filename>/etc/pam.d/login</filename>,
<filename>/etc/pam.d/passwd</filename>,
<filename>/etc/pam.d/su</filename>,
<filename>/etc/pam.d/shadow</filename>,
<filename>/etc/pam.d/useradd</filename>, and
<filename>/etc/pam.d/chage</filename> &ndash;
alternatively, <filename>/etc/pam.conf</filename></para>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary></indexterm>
<indexterm zone="shadow pam.d">
<primary sortas="e-etc-pam.conf">/etc/pam.conf</primary></indexterm>
</sect3>
 
<sect3><title>Configuration Information</title>
 
<para>Add the following <application>Linux-<acronym>PAM</acronym></application>
configuration files to <filename class="directory">/etc/pam.d/</filename> (or
add them to <filename>/etc/pam.conf</filename> with the additional field for
the program).</para>
 
<screen><userinput><command>cat &gt; /etc/pam.d/login &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/login
 
auth requisite pam_securetty.so
auth requisite pam_nologin.so
auth required pam_env.so
auth required pam_unix.so
account required pam_access.so
account required pam_unix.so
session required pam_motd.so
session required pam_limits.so
session optional pam_mail.so dir=/var/mail standard
session optional pam_lastlog.so
session required pam_unix.so
 
# End /etc/pam.d/login
<command>EOF
cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd
 
password required pam_unix.so md5 shadow
 
# End /etc/pam.d/passwd
<command>EOF
cat &gt; /etc/pam.d/shadow &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/shadow
 
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so
 
# End /etc/pam.d/shadow
<command>EOF
cat &gt; /etc/pam.d/su &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/su
 
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
 
# End /etc/pam.d/su
<command>EOF
cat &gt; /etc/pam.d/useradd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/useradd
 
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so
 
# End /etc/pam.d/useradd
<command>EOF
cat &gt; /etc/pam.d/chage &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/chage
 
auth sufficient pam_rootok.so
auth required pam_unix.so
account required pam_unix.so
session required pam_unix.so
password required pam_permit.so
 
# End /etc/pam.d/chage
<command>EOF</command></userinput></screen>
 
<note><para>If you've installed <application>cracklib</application>, replace
<filename>/etc/pam.d/passwd</filename> with the following:</para></note>
<screen><userinput><command>cat &gt; /etc/pam.d/passwd &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/passwd
 
password required pam_cracklib.so \
retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2
password required pam_unix.so md5 shadow use_authtok
 
# End /etc/pam.d/passwd
<command>EOF</command></userinput></screen>
 
<warning><para>At this point, you should do a simple test to see if
<application>Shadow</application> is
working as expected. Open another term and login as a user, then su to
to root. If you do not see any errors, then all is well and you should
proceed with the rest of the configuration. If you did
receive errors, stop now and double check the above configuration files
manually. If you cannot find, and fix the error, you should recompile
shadow replacing <envar>--with-libpam</envar> with
<envar>--without-libpam</envar> in the above
instructions. If you fail to do this and the errors remain, you
will be unable to log into your system.</para></warning>
 
<para>Currently, <filename>/etc/pam.d/other</filename> is configured to
allow anyone with an account on the machine to use programs
that do not specifically have a configuration file of their own. After
testing <application>Linux-<acronym>PAM</acronym></application> for proper
configuration, it can be changed to the following:</para>
 
<screen><userinput><command>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"</command>
# Begin /etc/pam.d/other
 
auth required pam_deny.so
auth required pam_warn.so
account required pam_deny.so
session required pam_deny.so
password required pam_deny.so
password required pam_warn.so
 
# End /etc/pam.d/other
<command>EOF</command></userinput></screen>
 
<para>Finally, edit <filename>/etc/login.defs</filename> by adding '#'
to the beginning of the following lines:</para>
<screen>LASTLOG_ENAB
MAIL_CHECK_ENAB
PORTTIME_CHECKS_ENAB
CONSOLE
MOTD_FILE
NOLOGINS_FILE
PASS_MIN_LEN
SU_WHEEL_ONLY
MD5_CRYPT_ENAB
CONSOLE_GROUPS
ENVIRON_FILE</screen>
 
<para>This stops <command>login</command> from performing these functions, as
they will now be performed by <acronym>PAM</acronym> modules. Additionally,
add a '#' to the beginning of the following lines if you've installed
<application>cracklib</application>:</para>
<screen>OBSCURE_CHECKS_ENAB
CRACKLIB_DICTPATH
PASS_CHANGE_TRIES
PASS_ALWAYS_WARN</screen>
</sect3>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<para>A list of the installed files, along with their short descriptions can
be found at
<ulink url="&lfs-root;/chapter06/shadow.html#contents-shadow"/>.</para>
 
</sect2>
 
</sect1>
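Review bot: In the cracklib variant of /etc/pam.d/passwd, the pam_cracklib arguments "retry=3 difok=8 minlen=5 dcredit=3 ocredit=3 ucredit=2 lcredit=2" are inconsistent and undocumented: difok=8 asks for eight changed characters while minlen=5 sets the length target below that, and the positive credit values count toward minlen, so a mixed-class password satisfies it with even fewer characters. Raise minlen to a value that fits difok and the credits, and add these arguments to the explanations so readers know what they are enabling. Two smaller points in the same hunk: the warning reads "su to to root" (doubled word), and it should tell the reader to keep the existing root session open while testing, since the paragraph itself says a broken configuration leaves the system unable to accept logins.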
/trunk/blfs/postlfs/security/tripwire.xml
1,13 → 1,248
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="tripwire" xreflabel="tripwire-&tripwire-version;">
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY tripwire-download-http "http://www.frenchfries.net/paul/tripwire/tripwire-&tripwire-version;.tar.gz">
<!ENTITY tripwire-download-ftp " ">
<!ENTITY tripwire-md5sum "02610d0593fe04d35d809ff6c5becc02">
<!ENTITY tripwire-size "869 KB">
<!ENTITY tripwire-buildsize "22 MB">
<!ENTITY tripwire-time "2.96 SBU">
]>
 
<sect1 id="tripwire-portable" xreflabel="Tripwire-&tripwire-version;">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="tripwire.html"?>
<title>tripwire-&tripwire-version;</title>
<title>Tripwire-&tripwire-version;</title>
<indexterm zone="tripwire-portable">
<primary sortas="a-Tripwire">Tripwire</primary>
</indexterm>
 
&tripwire-intro;
&tripwire-inst;
&tripwire-exp;
&tripwire-config;
&tripwire-desc;
<sect2>
<title>Introduction to <application>Tripwire</application></title>
 
<para>The <application>Tripwire</application> package contains programs used
to verify the integrity of the files on a given system.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&tripwire-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&tripwire-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &tripwire-md5sum;</para></listitem>
<listitem><para>Download size: &tripwire-size;</para></listitem>
<listitem><para>Estimated disk space required:
&tripwire-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&tripwire-time;</para></listitem></itemizedlist>
</sect3>
 
<sect3><title><application>Tripwire</application> dependencies</title>
<sect4><title>Optional</title>
<para><acronym>MTA</acronym> (See <xref linkend="server-mail"/>)</para>
</sect4>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>Tripwire</application></title>
 
<para>Compile <application>Tripwire</application> by running the following
commands:</para>
 
<screen><userinput><command>sed -i -e 's@TWDB="${prefix}@TWDB="/var@' install/install.cfg &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc/tripwire &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
cp policy/*.txt /usr/share/doc/tripwire</command></userinput></screen>
 
<para>The default configuration is to use a local <acronym>MTA</acronym>. If
you don't have an <acronym>MTA</acronym> installed and have no wish to install
one, modify <filename>install.cfg</filename> to use an <acronym>SMTP</acronym>
server instead.</para>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para><command>sed -i -e 's@TWDB="${prefix}@TWDB="/var@'
install/install.cfg</command>: This command tells the package to install the
program database and reports in
<filename>/var/lib/tripwire</filename>.</para>
 
<para><command>make install</command>: This command creates the
<application>Tripwire</application> security keys as well as installing the
binaries. There are two keys: a site key and a local key which are stored in
<filename class="directory">/etc/tripwire/</filename>.</para>
 
<para><command>cp policy/*.txt /usr/share/doc/tripwire</command>: This command
installs the documentation.</para>
 
</sect2>
 
<sect2>
<title>Configuring <application>Tripwire</application></title>
 
<sect3 id="tripwire-config"><title>Config files</title>
<para><filename>/etc/tripwire/*</filename></para>
<indexterm zone="tripwire-portable tripwire-config">
<primary sortas="e-etc-tripwire">/etc/tripwire/*</primary>
</indexterm>
</sect3>
 
<sect3><title>Configuration Information</title>
 
<para><application>Tripwire</application> uses a policy file to determine which
files are integrity checked. The default policy file
(<filename>/etc/tripwire/twpol.txt</filename>) is for a default
installation Redhat and will need to be updated for your system.</para>
 
<para>Policy files should be tailored to each individual distribution and/or
installation. Some custom policy files can be found below: </para>
 
<screen><ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-all.txt"/>
Checks integrity of all files
<ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-lfs.txt"/>
Custom policy file for Base LFS 3.0 system
<ulink url="http://home.iprimus.com.au/glombowski/blfs/twpol-suse7.2.txt"/>
Custom policy file for SuSE 7.2 system</screen>
 
<para>Download the custom policy file you'd like to try, copy it into
<filename class="directory">/etc/tripwire/</filename>, and use it instead of
<filename>twpol.txt</filename>. It is, however, recommended that you make
your own policy file. Get ideas from the examples above and read
<filename>/usr/share/doc/tripwire/policyguide.txt</filename> for additional
information. <filename>twpol.txt</filename> is a good policy file for beginners
as it will note any changes to the file system and can even be used as an
annoying way of keeping track of changes for uninstallation of software.</para>
 
<para>After your policy file has been transferred to
<filename class="directory">/etc/tripwire/</filename> you may begin the
configuration steps:</para>
 
<screen><userinput role='root'><command>twadmin --create-polfile --site-keyfile /etc/tripwire/site.key \
/etc/tripwire/twpol.txt &amp;&amp;
tripwire --init</command></userinput></screen>
 
</sect3>
 
<sect3><title>Usage Information</title>
<para>To use <application>Tripwire</application> after creating a policy file
to run a report, use the following command:</para>
 
<screen><userinput role='root'><command>tripwire --check &gt; /etc/tripwire/report.txt</command></userinput></screen>
 
<para>View the output to check the integrity of your files. An automatic
integrity report can be produced by using a cron facility to schedule
the runs.</para>
 
<para>Please note that after you run an integrity check, you must examine
the report (or email) and then modify the <application>Tripwire</application>
database to reflect the changed files on your system. This is so that
<application>Tripwire</application> will not continually notify you that
files you intentionally changed are a security violation. To do this you
must first <command>ls -l /var/lib/tripwire/report/</command> and note
the name of the newest file which starts with <filename>linux-</filename> and
ends in <filename>.twr</filename>. This encrypted file was created during the
last report creation and is needed to update the
<application>Tripwire</application> database of your
system. Then, type in the following command making the appropriate
substitutions for <replaceable>[?]</replaceable>:</para>
 
<screen><userinput role='root'><command>tripwire --update -twrfile \
/var/lib/tripwire/report/linux-<replaceable>[???????]</replaceable>-<replaceable>[??????]</replaceable>.twr</command></userinput></screen>
 
<para>You will be placed into <application>vim</application> with a copy of
the report in front of you. If all the changes were good, then just type
<command>:x</command> and after entering your local key, the database will be
updated. If there are files which you still want to be warned about, remove the
'x' before the filename in the report and type <command>:x</command>.</para>
 
</sect3>
 
<sect3><title>Changing the Policy File</title>
 
<para>If you are unhappy with your policy file and would like to modify it or
use a new one, modify the policy file and then execute the following
commands:</para>
 
<screen><userinput role='root'><command>twadmin --create-polfile /etc/tripwire/twpol.txt &amp;&amp;
tripwire --init</command></userinput></screen>
</sect3>
 
</sect2>
 
<sect2>
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>siggen, tripwire, twadmin and twprint.</seg>
<seg>None</seg>
<seg>/etc/tripwire, /usr/share/doc/tripwire and /var/lib/tripwire</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="siggen">
<term><command>siggen</command></term>
<listitem><para>is a signature gathering utility that displays
the hash function values for the specified files.</para>
<indexterm zone="tripwire-portable siggen">
<primary sortas="b-siggen">siggen</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id='tripwire'>
<term><command>tripwire</command></term>
<listitem><para>is the main file integrity checking program.</para>
<indexterm zone="tripwire-portable tripwire">
<primary sortas="b-tripwire">tripwire</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id='twadmin'>
<term><command>twadmin</command></term>
<listitem><para>administrative and utility tool used to perform
certain administrative functions related to
<application>Tripwire</application> files and configuration
options.</para>
<indexterm zone="tripwire-portable twadmin">
<primary sortas="b-twadmin">twadmin</primary>
</indexterm>
</listitem>
</varlistentry>
 
<varlistentry id='twprint'>
<term><command>twprint</command></term>
<listitem><para>prints <application>Tripwire</application>
database and report files in clear text format.</para>
<indexterm zone="tripwire-portable twprint">
<primary sortas="b-twprint">twprint</primary>
</indexterm>
</listitem>
</varlistentry>
</variablelist>
 
</sect2>
 
</sect1>
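Review bot: The update command under Usage Information reads "tripwire --update -twrfile \" with a single dash; the long option is --twrfile (short form -r), so the line should be "tripwire --update --twrfile \". Under Changing the Policy File, "twadmin --create-polfile /etc/tripwire/twpol.txt" omits the --site-keyfile /etc/tripwire/site.key argument that the initial configuration step passes; use the same form in both places or state that the default key location is relied on. In Configuration Information, "for a default installation Redhat" is missing a word ("installation of Redhat").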
 
/trunk/blfs/postlfs/security/security.xml
1,39 → 1,47
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<chapter id="postlfs-security">
<?dbhtml filename="security.html"?>
<title>Securité</title>
<title>Security</title>
 
<para>La sécurité prend différentes formes en informatique. Ce chapitre donne des
exemples provenant de trois types différents de sécurité&nbsp;: accès, prévention
et détection.</para>
<para>Security takes many forms in a computing environment. This chapter
gives examples of three different types of security: access, prevention
and detection.</para>
 
<para>L'accès pour les utilisateurs est généralement géré par
<command>login</command> ou par une application conçue pour gérer la fonction de
connexion. Dans ce chapitre, nous montrons comment améliorer
<command>login</command> en mettant en place des politiques avec les modules
<application><acronym>PAM</acronym></application>. L'accès via le réseau peut
aussi être sécurisé par des politiques initialisées avec
<application>iptables</application>, ce qui est généralement appelé un pare-feu.
</para>
<para>Access for users is usually handled by <command>login</command> or an
application designed to handle the login function. In this chapter, we show
how to enhance <command>login</command> by setting policies with
<application><acronym>PAM</acronym></application> modules. Access via networks
can also be secured by policies set by <application>iptables</application>,
commonly referred to as a firewall. For applications that don't offer the
best security, you can use the <application>Stunnel</application> package to
wrap an application daemon inside an <acronym>SSL</acronym> tunnel.</para>
 
<para>En prévention des brèches, comme un cheval de troie, des applications comme
<application>GnuPG</application> vous aident, par exemple en vous donnant la
possibilité de confirmer des paquetages signés en reconnaissant des modifications
d'archives <acronym>TAR</acronym> après que le mainteneur l'ait créé.</para>
<para>Prevention of breaches, like a trojan, are assisted by applications like
<application>GnuPG</application>, specifically the ability to confirm signed
packages, which recognizes modifications of the <acronym>TAR</acronym> ball
after the packager creates it.</para>
 
<para>Enfin, nous arrivons à la détection avec un paquetage qui stocke les
"signatures" de fichiers critiques (définis par l'administrateur), et regénère les
"signatures" et les compare aux fichiers qui ont été modifiés.</para>
<para> Finally, we touch on detection with a package that stores "signatures"
of critical files (defined by the administrator) and then regenerates those
"signatures" and compares for files that have been changed.</para>
 
&cracklib;
&Linux_PAM;
&shadow;
&iptables;
&postlfs-security-fw;
&gnupg;
&tripwire;
&heimdal;
&mitkrb;
<!--&postlfs-security-syslog;-->
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="openssl.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="cracklib.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="linux_pam.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="shadow.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="iptables.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="firewalling.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="gnupg.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="tripwire.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="heimdal.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="mitkrb.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="cyrus-sasl.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="stunnel.xml"/>
 
</chapter>
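Review bot: The rewritten introduction places only Stunnel among the new material, but the xi:include list also adds openssl.xml and cyrus-sasl.xml, and the overview of "access, prevention and detection" says nothing about them or about the Kerberos sections (heimdal.xml, mitkrb.xml); add a sentence that tells the reader where these fit. In the third paragraph, "Prevention of breaches, like a trojan, are assisted by applications like GnuPG" has a subject/verb mismatch and an unclear "which"; something like "Prevention of breaches, such as a trojan, is assisted by applications like GnuPG, which can verify a signed package and so reveal modifications made to the tarball after the packager created it" reads more clearly. The detection paragraph could also name the package it refers to.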
/trunk/blfs/postlfs/security/mitkrb.xml
1,12 → 1,694
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY mitkrb-download-http "http://web.mit.edu/kerberos/www/dist/krb5/1.4/krb5-&mitkrb-version;-signed.tar">
<!ENTITY mitkrb-download-ftp " ">
<!ENTITY mitkrb-md5sum "2fa56607677544e3a27b42f7cfa1155b">
<!ENTITY mitkrb-size "6.6 MB">
<!ENTITY mitkrb-buildsize "55 MB">
<!ENTITY mitkrb-time "2.55 SBU">
]>
 
<sect1 id="mitkrb" xreflabel="MIT krb5-&mitkrb-version;">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="mitkrb.html"?>
<title>MIT krb5-&mitkrb-version;</title>
<title><acronym>MIT</acronym> krb5-&mitkrb-version;</title>
<indexterm zone="mitkrb">
<primary sortas="a-Kerberos-MIT">Kerberos5(MIT)</primary></indexterm>
 
&mitkrb-intro;
&mitkrb-inst;
&mitkrb-exp;
&mitkrb-config;
&mitkrb-desc;
<sect2>
<title>Introduction to <application><acronym>MIT</acronym>
krb5</application></title>
 
<para>
<application><acronym>MIT</acronym> krb5</application> is a free
implementation of Kerberos 5. Kerberos is a network authentication
protocol. It centralizes the authentication database and uses kerberized
applications to work with servers or services that support Kerberos
allowing single logins and encrypted communication over internal
networks or the Internet.
</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP):
<ulink url="&mitkrb-download-http;"/></para></listitem>
<listitem><para>Download (FTP):
<ulink url="&mitkrb-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &mitkrb-md5sum;</para></listitem>
<listitem><para>Download size: &mitkrb-size;</para></listitem>
<listitem><para>Estimated disk space required:
&mitkrb-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&mitkrb-time;</para></listitem></itemizedlist>
</sect3>
 
<sect3><title><application><acronym>MIT</acronym> krb5</application>
dependencies</title>
<sect4><title>Optional</title>
<para>
<xref linkend="xinetd"/> (services servers only),
<xref linkend="Linux_PAM"/> (for <command>xdm</command> based logins) and
<xref linkend="openldap"/> (alternative for <command>krb5kdc</command>
password database)
</para>
 
<note><para>
Some sort of time synchronization facility on your system (like
<xref linkend="ntp"/>) is required since Kerberos won't authenticate if there
is a time difference between a kerberized client and the
<acronym>KDC</acronym> server.</para></note>
</sect4>
 
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application><acronym>MIT</acronym>
krb5</application></title>
 
<para>
<application><acronym>MIT</acronym> krb5</application> is distributed in a
<acronym>TAR</acronym> file containing a compressed <acronym>TAR</acronym>
package and a detached <acronym>PGP</acronym>
<filename class="extension">ASC</filename> file.
</para>
 
<para>
If you have installed <xref linkend="gnupg"/>, you can
authenticate the package with the following command:
</para>
 
<screen><userinput><command>gpg --verify krb5-&mitkrb-version;.tar.gz.asc</command></userinput></screen>
 
<para>
Build <application><acronym>MIT</acronym> krb5</application> by running the
following commands:
</para>
 
<screen><userinput><command>cd src &amp;&amp;
./configure --prefix=/usr --sysconfdir=/etc \
--localstatedir=/var/lib --enable-dns \
--enable-static --mandir=/usr/share/man &amp;&amp;
make</command></userinput></screen>
 
<para>
Install <application><acronym>MIT</acronym> krb5</application> by
running the following commands as root:
</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
mv /bin/login /bin/login.shadow &amp;&amp;
cp /usr/sbin/login.krb5 /bin/login &amp;&amp;
mv /usr/bin/ksu /bin &amp;&amp;
mv /usr/lib/libkrb5.so.3* /lib &amp;&amp;
mv /usr/lib/libkrb4.so.2* /lib &amp;&amp;
mv /usr/lib/libdes425.so.3* /lib &amp;&amp;
mv /usr/lib/libk5crypto.so.3* /lib &amp;&amp;
mv /usr/lib/libcom_err.so.3* /lib &amp;&amp;
ln -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so &amp;&amp;
ln -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so &amp;&amp;
ln -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so &amp;&amp;
ln -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so &amp;&amp;
ln -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so &amp;&amp;
ldconfig</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para>
<parameter>--enable-dns</parameter>: This switch allows realms to
be resolved using the <acronym>DNS</acronym> server.
</para>
 
<para>
<parameter>--enable-static</parameter>: This switch builds static
libraries in addition to the shared libraries.
</para>
 
<para>
<screen><command>mv /bin/login /bin/login.shadow
cp /usr/sbin/login.krb5 /bin/login
mv /usr/bin/ksu /bin</command></screen>
Preserves <application>Shadow</application>'s <command>login</command>
command, moves <command>ksu</command> and <command>login</command> to
the <filename class="directory">/bin</filename> directory.
</para>
 
<para>
<screen><command>mv /usr/lib/libkrb5.so.3* /lib
mv /usr/lib/libkrb4.so.2* /lib
mv /usr/lib/libdes425.so.3* /lib
mv /usr/lib/libk5crypto.so.3* /lib
mv /usr/lib/libcom_err.so.3* /lib
ln -sf ../../lib/libkrb5.so.3 /usr/lib/libkrb5.so
ln -sf ../../lib/libkrb4.so.2 /usr/lib/libkrb4.so
ln -sf ../../lib/libdes425.so.3 /usr/lib/libdes425.so
ln -sf ../../lib/libk5crypto.so.3 /usr/lib/libk5crypto.so
ln -sf ../../lib/libcom_err.so.3 /usr/lib/libcom_err.so</command></screen>
The <command>login</command> and <command>ksu</command> programs
are linked against these libraries, therefore we move these libraries to
<filename class="directory">/lib</filename> to allow logins without mounting
<filename class="directory">/usr</filename>.
</para>
 
</sect2>
 
<sect2>
<title>Configuring <application><acronym>MIT</acronym> krb5</application></title>
 
<sect3 id="krb5-config"><title>Config files</title>
<para>
<filename>/etc/krb5.conf</filename> and
<filename>/var/lib/krb5kdc/kdc.conf</filename>
</para>
<indexterm zone="mitkrb krb5-config">
<primary sortas="e-etc-krb5.conf">/etc/krb5.conf</primary></indexterm>
<indexterm zone="mitkrb krb5-config">
<primary sortas="e-var-lib-krb5kdc-kdc.conf">/var/lib/krb5kdc/kdc.conf</primary>
</indexterm>
</sect3>
 
<sect3><title>Configuration Information</title>
 
<sect4><title>Kerberos Configuration</title>
<para>
Create the Kerberos configuration file with the following command:
</para>
 
<screen><userinput role='root'><command>cat &gt; /etc/krb5.conf &lt;&lt; "EOF"</command>
# Begin /etc/krb5.conf
 
[libdefaults]
default_realm = <replaceable>[LFS.ORG]</replaceable>
encrypt = true
 
[realms]
<replaceable>[LFS.ORG]</replaceable> = {
kdc = <replaceable>[belgarath.lfs.org]</replaceable>
admin_server = <replaceable>[belgarath.lfs.org]</replaceable>
}
 
[domain_realm]
.<replaceable>[lfs.org]</replaceable> = <replaceable>[LFS.ORG]</replaceable>
 
[logging]
kdc = SYSLOG[:INFO[:AUTH]]
admin_server = SYSLOG[INFO[:AUTH]]
default = SYSLOG[[:SYS]]
 
# End /etc/krb5.conf
<command>EOF</command></userinput></screen>
 
<para>
You will need to substitute your domain and proper hostname for the
occurances of the <replaceable>[belgarath]</replaceable> and
<replaceable>[lfs.org]</replaceable> names.
</para>
 
<para>
<userinput>default_realm</userinput> should be the name of your domain changed
to ALL CAPS. This isn't required, but both <application>Heimdal</application>
and <acronym>MIT</acronym> recommend it.
</para>
 
<para>
<userinput>encrypt = true</userinput> provides encryption of all traffic
between kerberized clients and servers. It's not necessary and can be left
off. If you leave it off, you can encrypt all traffic from the client to the
server using a switch on the client program instead.
</para>
 
<para>
The <userinput>[realms]</userinput> parameters tell the client programs where
to look for the <acronym>KDC</acronym> authentication services.
</para>
 
<para>
The <userinput>[domain_realm]</userinput> section maps a domain to a realm.
</para>
 
<para>
Create the <acronym>KDC</acronym> database:
</para>
 
<screen><userinput role='root'><command>kdb5_util create -r <replaceable>[LFS.ORG]</replaceable> -s </command></userinput></screen>
 
<para>
Now you should populate the database with principles (users). For now,
just use your regular login name or root.
</para>
 
<screen><userinput role='root'><command>kadmin.local</command></userinput>
<prompt>kadmin:</prompt><userinput><command>addprinc <replaceable>[loginname]</replaceable></command></userinput></screen>
 
<para>
The <acronym>KDC</acronym> server and any machine running kerberized
server daemons must have a host key installed:
</para>
 
<screen><prompt>kadmin:</prompt><userinput role='root'><command>addprinc -randkey host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
 
<para>
After choosing the defaults when prompted, you will have to export the
data to a keytab file:
</para>
 
<screen><prompt>kadmin:</prompt><userinput role='root'><command>ktadd host/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
 
<para>
This should have created a file in <filename class="directory">/etc</filename>
named <filename>krb5.keytab</filename> (Kerberos 5). This file should have 600
(root rw only) permissions. Keeping the keytab files from public access
is crucial to the overall security of the Kerberos installation.
</para>
 
<para>
Eventually, you'll want to add server daemon principles to the database
and extract them to the keytab file. You do this in the same way you
created the host principles. Below is an example:
</para>
 
<screen><prompt>kadmin:</prompt><userinput role='root'><command>addprinc -randkey ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput>
<prompt>kadmin:</prompt><userinput role='root'><command>ktadd ftp/<replaceable>[belgarath.lfs.org]</replaceable></command></userinput></screen>
 
<para>
Exit the <command>kadmin</command> program (use <command>quit</command>
or <command>exit</command>) and return back to the shell prompt. Start
the <acronym>KDC</acronym> daemon manually, just to test out the
installation:
</para>
 
<screen><userinput role='root'><command>/usr/sbin/krb5kdc &amp;</command></userinput></screen>
 
<para>
Attempt to get a ticket with the following command:
</para>
 
<screen><userinput><command>kinit <replaceable>[loginname]</replaceable></command></userinput></screen>
 
<para>
You will be prompted for the password you created. After you get your
ticket, you can list it with the following command:
</para>
 
<screen><userinput><command>klist</command></userinput></screen>
 
<para>
Information about the ticket should be displayed on the screen.
</para>
 
<para>
To test the functionality of the keytab file, issue the following
command:
</para>
 
<screen><userinput><command>ktutil</command></userinput>
<prompt>ktutil:</prompt><userinput><command>rkt /etc/krb5.keytab</command></userinput>
<prompt>ktutil:</prompt><userinput><command>l</command></userinput></screen>
 
<para>
This should dump a list of the host principal, along with the encryption
methods used to access the principal.
</para>
 
<para>
At this point, if everything has been successful so far, you can feel
fairly confident in the installation and configuration of the package.
</para>
 
<para>
Install the <filename>/etc/rc.d/init.d/kerberos</filename> init script
included in the <xref linkend="intro-important-bootscripts"/> package.
</para>
 
<screen><userinput role='root'><command>make install-kerberos</command></userinput></screen>
 
</sect4>
 
<sect4><title>Using Kerberized Client Programs</title>
 
<para>
To use the kerberized client programs (<command>telnet</command>,
<command>ftp</command>, <command>rsh</command>,
<command>rcp</command>, <command>rlogin</command>), you first must get
an authentication ticket. Use the <command>kinit</command> program to
get the ticket. After you've acquired the ticket, you can use the
kerberized programs to connect to any kerberized server on the network.
You will not be prompted for authentication until your ticket expires
(default is one day), unless you specify a different user as a command
line argument to the program.
</para>
 
<para>
The kerberized programs will connect to non kerberized daemons, warning
you that authentication is not encrypted.
</para>
</sect4>
 
<sect4><title>Using Kerberized Server Programs</title>
<para>
Using kerberized server programs (<command>telnetd</command>,
<command>kpropd</command>, <command>klogind</command> and
<command>kshd</command>) requires two additional configuration steps.
First the <filename>/etc/services</filename> file must be updated to
include eklogin and krb5_prop. Second, the <filename>inetd.conf</filename>
or <filename>xinetd.conf</filename> must be modified for each server that will
be activated, usually replacing the server from <xref linkend="inetutils"/>.
</para>
</sect4>
 
<sect4><title>Additional Information</title>
<para>
For additional information consult <ulink
url="http://web.mit.edu/kerberos/www/krb5-1.4/#documentation">Documentation
for krb-&mitkrb-version;</ulink> on which the above instructions are based.
</para>
 
</sect4>
 
</sect3>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
 
<seglistitem>
<seg>compile-et, ftp, ftpd, gss-client, gss-server, k5srvutil, kadmin,
kadmin.local, kadmind, kadmind4, kdb5_util, kdestroy, kinit, klist,
klogind, kpasswd, kprop, kpropd, krb5-send-pr, krb5-config, krb524d,
krb524init, krb5kdc, kshd, ksu, ktutil, kvno, login.krb5, rcp, rlogin,
rsh, sclient, sim_client, sim_server, sserver,
telnet, telnetd, uuclient, uuserver, v5passwd, v5passwdd</seg>
<seg>libcom_err.[so,a], libdes425.[so,a], libgssapi.[so,a], libgssrpc.[so,a],
libkadm5clnt.[so,a], libkadm5srv.[so,a], libkdb5.[so,a], libkrb5.[so,a],
libkrb4.[so,a]</seg>
<seg>/usr/include/kerberosIV and /var/lib/krb5kdc</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="compile_et">
<term><command>compile_et</command></term>
<listitem><para>converts the table listing
error-code names into a <application>C</application> source file..</para>
<indexterm zone="mitkrb compile_et">
<primary sortas="b-compile_et">compile_et</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="ftp-mitkrb">
<term><command>ftp</command></term>
<listitem><para>is a kerberized <acronym>FTP</acronym> client.</para>
<indexterm zone="mitkrb ftp">
<primary sortas="b-ftp">ftp</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="ftpd-mitkrb">
<term><command>ftpd</command></term>
<listitem><para>is a kerberized <acronym>FTP</acronym> daemon.</para>
<indexterm zone="mitkrb ftpd">
<primary sortas="b-ftpd">ftpd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="k5srvutil">
<term><command>k5srvutil</command></term>
<listitem><para>is a host keytable manipulation utility.</para>
<indexterm zone="mitkrb k5srvutil">
<primary sortas="b-k5srvutil">k5srvutil</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kadmin-mitkrb">
<term><command>kadmin</command></term>
<listitem><para>is an utility used to make modifications
to the Kerberos database.</para>
<indexterm zone="mitkrb kadmin-mitkrb">
<primary sortas="b-kadmin">kadmin</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kadmind-mitkrb">
<term><command>kadmind</command></term>
<listitem><para>is a server for administrative access
to a Kerberos database.</para>
<indexterm zone="mitkrb kadmind-mitkrb">
<primary sortas="b-kadmind">kadmind</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kdb5_util">
<term><command>kdb5_util</command></term>
<listitem><para>is the <acronym>KDC</acronym> database utility.</para>
<indexterm zone="mitkrb kdb5_util">
<primary sortas="b-kdb5_util">kdb5_util</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kdestroy-mitkrb">
<term><command>kdestroy</command></term>
<listitem><para>removes the current set of tickets.</para>
<indexterm zone="mitkrb kdestroy-mitkrb">
<primary sortas="b-kdestroy">kdestroy</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kinit-mitkrb">
<term><command>kinit</command></term>
<listitem><para>is used to authenticate to the Kerberos server as
a principal and acquire a ticket granting ticket that can later be used
to obtain tickets for other services.</para>
<indexterm zone="mitkrb kinit-mitkrb">
<primary sortas="b-kinit">kinit</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="klist-mitkrb">
<term><command>klist</command></term>
<listitem><para>reads and displays the current tickets in
the credential cache.</para>
<indexterm zone="mitkrb klist-mitkrb">
<primary sortas="b-klist">klist</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="klogind">
<term><command>klogind</command></term>
<listitem><para>is the server that responds to
<command>rlogin</command> requests.</para>
<indexterm zone="mitkrb klogind">
<primary sortas="b-klogind">klogind</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kpasswd-mitkrb">
<term><command>kpasswd</command></term>
<listitem><para>is a program for changing Kerberos 5 passwords.</para>
<indexterm zone="mitkrb kpasswd-mitkrb">
<primary sortas="b-kpasswd">kpasswd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kprop">
<term><command>kprop</command></term>
<listitem><para>takes a principal database in a specified
format and converts it into a stream of database
records.</para>
<indexterm zone="mitkrb kprop">
<primary sortas="b-kprop">kprop</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kpropd">
<term><command>kpropd</command></term>
<listitem><para>receives a database sent by
<command>kprop</command> and writes it as a local database.</para>
<indexterm zone="mitkrb kpropd">
<primary sortas="b-kpropd">kpropd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="krb5-config-1">
<term><command>krb5-config</command></term>
<listitem><para>gives information on how to link
programs against libraries.</para>
<indexterm zone="mitkrb krb5-config-prog">
<primary sortas="b-krb5-config-1">krb5-config</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="krb5kdc">
<term><command>krb5kdc</command></term>
<listitem><para>is a Kerberos 5 server.</para>
<indexterm zone="mitkrb krb5kdc">
<primary sortas="b-krb5kdc">krb5kdc</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kshd">
<term><command>kshd</command></term>
<listitem><para>is the server that responds to
<command>rsh</command> requests.</para>
<indexterm zone="mitkrb kshd">
<primary sortas="b-kshd">kshd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="ksu">
<term><command>ksu</command></term>
<listitem><para>is the super user program using Kerberos protocol.
Requires a properly configured
<filename class="directory">/etc/shells</filename> and
<filename>~/.k5login</filename> containing principals authorized to
become super users.</para>
<indexterm zone="mitkrb ksu">
<primary sortas="b-ksu">ksu</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="ktutil-mitkrb">
<term><command>ktutil</command></term>
<listitem><para>is a program for managing Kerberos keytabs.</para>
<indexterm zone="mitkrb ktutil-mitkrb">
<primary sortas="b-ktutil">ktutil</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="kvno">
<term><command>kvno</command></term>
<listitem><para>prints keyversion numbers of Kerberos principals.</para>
<indexterm zone="mitkrb kvno">
<primary sortas="b-kvno">kvno</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="login.krb5">
<term><command>login.krb5</command></term>
<listitem><para>is a kerberized login program.</para>
<indexterm zone="mitkrb login">
<primary sortas="b-login.krb5">login.krb5</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="rcp-mitkrb">
<term><command>rcp</command></term>
<listitem><para>is a kerberized rcp client program.</para>
<indexterm zone="mitkrb rcp">
<primary sortas="b-rcp">rcp</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="rlogin">
<term><command>rlogin</command></term>
<listitem><para>is a kerberized rlogin client program.</para>
<indexterm zone="mitkrb rlogin">
<primary sortas="b-rlogin">rlogin</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="rsh-mitkrb">
<term><command>rsh</command></term>
<listitem><para>is a kerberized rsh client program.</para>
<indexterm zone="mitkrb rsh">
<primary sortas="b-rsh">rsh</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="telnet-mitkrb">
<term><command>telnet</command></term>
<listitem><para>is a kerberized telnet client program.</para>
<indexterm zone="mitkrb telnet">
<primary sortas="b-telnet">telnet</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="telnetd-mitkrb">
<term><command>telnetd</command></term>
<listitem><para>is a kerberized telnet server.</para>
<indexterm zone="mitkrb telnetd">
<primary sortas="b-telnetd">telnetd</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libcom_err">
<term><filename class='libraryfile'>libcom_err.[so,a]</filename></term>
<listitem><para>implements the Kerberos library error code.</para>
<indexterm zone="mitkrb libcom_err">
<primary sortas="c-libcom_err">libcom_err.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libgssapi-mitkrb">
<term><filename class='libraryfile'>libgssapi.[so,a]</filename></term>
<listitem><para>contain the Generic Security Service Application
Programming
Interface (<acronym>GSSAPI</acronym>) functions which provides security
services to callers in a generic fashion, supportable with a range of
underlying mechanisms and technologies and hence allowing source-level
portability of applications to different environments.</para>
<indexterm zone="mitkrb libgssapi">
<primary sortas="c-libgssapi">libgssapi.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libkadm5clnt-mitkrb">
<term><filename
class='libraryfile'>libkadm5clnt.[so,a]</filename></term>
<listitem><para>contains the administrative authentication and password
checking functions required by Kerberos 5 client-side programs.</para>
<indexterm zone="mitkrb libkadm5clnt">
<primary sortas="c-libkadm5clnt">libkadm5clnt.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libkadm5srv-mitkrb">
<term><filename class='libraryfile'>libkadm5srv.[so,a]</filename></term>
<listitem><para>contain the administrative authentication and password
checking functions required by Kerberos 5 servers.</para>
<indexterm zone="mitkrb libkadm5srv">
<primary sortas="c-libkadm5srv">libkadm5srv.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libkdb5">
<term><filename class='libraryfile'>libkdb5.[so,a]</filename></term>
<listitem><para>is a Kerberos 5
authentication/authorization database access library.</para>
<indexterm zone="mitkrb libkdb5">
<primary sortas="c-libkdb5">libkdb5.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
<varlistentry id="libkrb5-mitkrb">
<term><filename class='libraryfile'>libkrb5.[so,a]</filename></term>
<listitem><para>is an all-purpose Kerberos 5 library.</para>
<indexterm zone="mitkrb libkrb5">
<primary sortas="c-libkrb5">libkrb5.[so,a]</primary>
</indexterm></listitem>
</varlistentry>
 
</variablelist>
 
</sect2>
 
</sect1>
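Review bot: the three [logging] values in the /etc/krb5.conf here-document read as the option syntax from the documentation rather than literal settings: `kdc = SYSLOG[:INFO[:AUTH]]`, `admin_server = SYSLOG[INFO[:AUTH]]` (which also drops the colon the kdc line has) and `default = SYSLOG[[:SYS]]` all keep the square brackets that normally mark optional parts. If that is what they are, write the literal form the reader should paste, for example `kdc = SYSLOG:INFO:AUTH`, and make the three lines consistent. Two smaller points in the same file. The keytab paragraph says /etc/krb5.keytab "should have 600 (root rw only) permissions", but no command sets or checks the mode after `ktadd`; a `chmod 600 /etc/krb5.keytab` screen would make that requirement part of the procedure. The install section runs `gpg --verify krb5-&mitkrb-version;.tar.gz.asc` although the download entity points at the outer `-signed.tar`, and no step unpacks it first. The paragraphs that say "principles" should also say "principals", as the ktutil paragraph already does.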
/trunk/blfs/postlfs/security/cracklib.xml
1,10 → 1,155
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY cracklib-download-http "http://www.crypticide.com/users/alecm/security/cracklib,&cracklib-version;.tar.gz">
<!ENTITY cracklib-download-ftp "ftp://ftp.cerias.purdue.edu/pub/tools/unix/libs/cracklib/cracklib.&cracklib-version;.tar.gz">
<!ENTITY cracklib-http-md5sum "0c84ad7413d9dd3e5c2eaa5f97d53c4a">
<!ENTITY cracklib-ftp-md5sum "7f810e310c7f2df33d1eaa2b41ab2435">
<!ENTITY cracklib-size "21 KB">
<!ENTITY cracklib-buildsize "17 MB">
<!ENTITY cracklib-time "0.10 SBU">
<!ENTITY crackdict-size "15.6MB">
<!ENTITY alldict-size "466KB">
]>
 
<sect1 id="cracklib" xreflabel="cracklib-&cracklib-version;">
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="cracklib.html"?>
<title>cracklib-&cracklib-version;</title>
<indexterm zone="cracklib">
<primary sortas="a-Cracklib">Cracklib</primary></indexterm>
 
&cracklib-intro;
&cracklib-inst;
&cracklib-desc;
<sect2>
<title>Introduction to <application>cracklib</application></title>
 
<para>The <application>cracklib</application> package contains a library used
to enforce strong passwords by comparing user selected passwords to words in a
chosen wordlist.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&cracklib-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&cracklib-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum (HTTP):
&cracklib-http-md5sum;</para></listitem>
<listitem><para>Download MD5 sum (FTP):
&cracklib-ftp-md5sum;</para></listitem>
<listitem><para>Download size: &cracklib-size;</para></listitem>
<listitem><para>Estimated disk space required (with cracklib wordlist):
&cracklib-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&cracklib-time;</para></listitem></itemizedlist>
</sect3>
 
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required Patch: <ulink
url="&patch-root;/cracklib,&cracklib-version;-blfs-1.patch"/></para></listitem>
<listitem><para>Recommended Patch: <ulink
url="&patch-root;/cracklib,&cracklib-version;-heimdal-1.patch"/></para>
</listitem>
</itemizedlist>
 
<para>You will also need to download a wordlist for use with
<application>cracklib</application>. There are two wordlists to choose from at
the following location. Use the <filename>cracklib</filename> word list for
good security, or opt for the <filename>allwords</filename> word list for
lightweight machines short on <acronym>RAM</acronym>. You can of course choose
any other word list that you have at your disposal.</para>
 
<itemizedlist spacing='compact'>
<listitem><para>cracklib (&crackdict-size;) at <ulink
url="http://www.cotse.com/tools/wordlists.htm"/></para></listitem>
<listitem><para>allwords (&alldict-size;) at <ulink
url="http://www.cotse.com/tools/wordlists.htm"/></para></listitem>
</itemizedlist>
 
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>cracklib</application></title>
 
<para>First, as the root user, install the chosen word list for
<application>cracklib</application>:</para>
 
<screen><userinput role='root'><command>install -d -m755 /usr/share/dict &amp;&amp;
install -m644 ../<replaceable>[wordlist]</replaceable> /usr/share/dict &amp;&amp;
ln -sf <replaceable>[wordlist]</replaceable> /usr/share/dict/words &amp;&amp;
echo $(hostname) >> /usr/share/dict/extra.words</command></userinput></screen>
 
<para>The wordlist is linked to <filename>/usr/share/dict/words</filename> as
historically, <filename>words</filename> is the primary wordlist in the
<filename class="directory">/usr/share/dict</filename> directory. Additionally,
the value of <command>hostname</command> is echoed to a file called
<filename>extra.words</filename>. This extra file is intended to be a site
specific list which includes easy to guess passwords such as company or
department names, user's names, product names, computer names, domain names,
etc.</para>
 
<para>Now apply the <acronym>BLFS</acronym> patch:</para>
 
<screen><userinput><command>patch -Np1 -i ../cracklib,&cracklib-version;-blfs-1.patch</command></userinput></screen>
 
<para>If necessary, apply the <application>Heimdal</application> patch:</para>
 
<screen><userinput><command>cp -R cracklib cracklib_krb5 &amp;&amp;
patch -Np1 -i ../cracklib,&cracklib-version;-heimdal-1.patch</command></userinput></screen>
 
<para>Finally, as the root user, install the package:</para>
<screen><userinput role='root'><command>make install &amp;&amp;
rm /lib/libcrack.so &amp;&amp;
ln -sf ../../lib/libcrack.so.2.7 /usr/lib/libcrack.so</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para><command>rm /lib/libcrack.so; ln -sf ... /usr/lib/libcrack.so</command>:
These two commands move the <filename class='symlink'>libcrack.so</filename>
symlink from <filename class='directory'>/lib</filename> to
<filename class='directory'>/usr/lib</filename>.</para>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directory</segtitle>
<seglistitem>
<seg>create-cracklib-dict, mkdict and packer</seg>
<seg>libcrack.so and optionally, libcrack_krb5.so</seg>
<seg>/usr/share/dict</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="libcrack">
<term><filename class='libraryfile'>libcrack.so</filename></term>
<listitem><para> libraries provide a fast dictionary lookup method for strong
password enforcement.</para>
<indexterm zone="cracklib libcrack">
<primary sortas="c-libcrack">libcrack.so</primary></indexterm>
</listitem>
</varlistentry>
</variablelist>
 
</sect2>
 
</sect1>
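Review bot: the two word lists under "Additional downloads" are given with a size only (`crackdict-size`, `alldict-size`) and no checksum, yet the first install step has root copy the chosen list into /usr/share/dict, where it decides which passwords are rejected. Add checksum entities for both lists next to the size entities, as is done for the tarball. Related: `cracklib-http-md5sum` and `cracklib-ftp-md5sum` differ and the page does not say how the two archives differ or whether the patches apply to both, so state that or list a single source. The line `echo $(hostname) >> /usr/share/dict/extra.words` creates extra.words, but no later command in this file reads it. Name the step that consumes it, and escape `>>` as `&gt;&gt;` to match the other screens in this commit. `cp -R cracklib cracklib_krb5` is also missing from "Command explanations".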
/trunk/blfs/postlfs/security/linux_pam.xml
1,13 → 1,223
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="Linux_PAM" xreflabel="Linux_PAM-&Linux_PAM-version;">
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY Linux_PAM-download-http "http://www.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-&Linux_PAM-version;.tar.bz2">
<!ENTITY Linux_PAM-download-ftp "ftp://ftp.kernel.org/pub/linux/libs/pam/pre/library/Linux-PAM-&Linux_PAM-version;.tar.bz2">
<!ENTITY Linux_PAM-md5sum "34938b4f2449d4d3b2ffdbf354257205">
<!ENTITY Linux_PAM-size "364 KB">
<!ENTITY Linux_PAM-buildsize "6.1 MB">
<!ENTITY Linux_PAM-time "0.07 SBU">
]>
 
<sect1 id="Linux_PAM" xreflabel="Linux-PAM-&Linux_PAM-version;">
<sect1info>
<othername>$LastChangedBy: dj $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="linux_pam.html"?>
<title>Linux_PAM-&Linux_PAM-version;</title>
<title>Linux-PAM-&Linux_PAM-version;</title>
<indexterm zone="Linux_PAM">
<primary sortas="a-PAM_linux">PAM(Linux)</primary></indexterm>
 
&Linux_PAM-intro;
&Linux_PAM-inst;
&Linux_PAM-exp;
&Linux_PAM-config;
&Linux_PAM-desc;
<sect2>
<title>Introduction to <application>Linux-<acronym>PAM</acronym></application>
</title>
 
<para>The <application>Linux-<acronym>PAM</acronym></application> package
contains Pluggable Authentication Modules. This is useful to enable the local
system administrator to choose how applications authenticate users.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&Linux_PAM-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&Linux_PAM-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &Linux_PAM-md5sum;</para></listitem>
<listitem><para>Download size: &Linux_PAM-size;</para></listitem>
<listitem><para>Estimated disk space required:
&Linux_PAM-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&Linux_PAM-time;</para></listitem></itemizedlist>
</sect3>
 
<sect3><title>Additional download</title>
<itemizedlist spacing='compact'>
<listitem><para>Required Patch: <ulink
url="&patch-root;/Linux-PAM-&Linux_PAM-version;-linkage-2.patch"/></para>
</listitem></itemizedlist>
</sect3>
 
<sect3><title><application>Linux-<acronym>PAM</acronym></application>
dependencies</title>
<sect4><title>Recommended</title>
<para><xref linkend="cracklib"/></para>
</sect4>
 
<sect4><title>Optional</title>
<para><ulink
url="http://sourceforge.net/projects/sgmltools-lite/">sgmltools-lite</ulink>
and <xref linkend="db"/> (for pam_userdb module)</para>
</sect4>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of
<application>Linux-<acronym>PAM</acronym></application></title>
 
<para>Install <application>Linux-<acronym>PAM</acronym></application> by
running the following commands:</para>
 
<screen><userinput><command>patch -Np1 -i ../Linux-PAM-&Linux_PAM-version;-linkage-2.patch &amp;&amp;
autoconf &amp;&amp;
sed -i 's/(mandir)/(MANDIR)/g' modules/Simple.Rules &amp;&amp;
./configure --enable-static-libpam --with-mailspool=/var/mail \
--enable-read-both-confs --sysconfdir=/etc &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
mv /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a /usr/lib &amp;&amp;
rm /lib/libpam{,c,_misc}.so &amp;&amp;
ln -sf ../../lib/libpam.so.&Linux_PAM-version; /usr/lib/libpam.so &amp;&amp;
ln -sf ../../lib/libpam_misc.so.&Linux_PAM-version; /usr/lib/libpam_misc.so &amp;&amp;
ln -sf ../../lib/libpamc.so.&Linux_PAM-version; /usr/lib/libpamc.so</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para><command>autoconf</command>: This is necessary because the patch
changes where <acronym>PAM</acronym> looks for the
<application>cracklib</application> libraries, requiring regeneration of the
configure script.</para>
 
<para><command>sed -i 's/(mandir)/(MANDIR)/g'
modules/Simple.Rules</command>: This command puts the module manpages
with the rest of the manpages in
<filename>/usr/share/man</filename>.</para>
 
<para><option>--enable-static-libpam</option>: This switch builds
static <acronym>PAM</acronym> libraries as well as the dynamic libraries.</para>
 
<para><parameter>--with-mailspool=/var/mail</parameter>: This switch makes
the mailspool directory <acronym>FHS</acronym> compliant.</para>
 
<para><option>--enable-read-both-confs</option>: This switch lets the local
administrator choose which configuration file setup to use.</para>
 
<para><command>mv /lib/libpam.a /lib/libpam_misc.a /lib/libpamc.a
/usr/lib</command>: This command moves the static libraries to
<filename>/usr/lib</filename> to comply with <acronym>FHS</acronym>
guidelines.</para>
 
<para><command>rm /lib/libpam{,c,_misc}.so; ln -sf ... /usr/lib/...</command>:
These commands move the <filename class='symlink'>.so</filename> symlinks from
<filename class='directory'>/lib</filename> to
<filename class='directory'>/usr/lib</filename>.</para>
 
</sect2>
 
<sect2>
<title>Configuring
<application>Linux-<acronym>PAM</acronym></application></title>
 
<sect3 id="pam-config"><title>Config files</title>
<para><filename>/etc/pam.d/*</filename> or
<filename>/etc/pam.conf</filename></para>
<indexterm zone="Linux_PAM pam-config">
<primary sortas="e-etc-pam.d">/etc/pam.d/*</primary></indexterm>
<indexterm zone="Linux_PAM pam-config">
<primary sortas="e-etc-pam.conf">/etc/pam.conf</primary></indexterm>
</sect3>
 
<sect3><title>Configuration Information</title>
 
<para>Configuration information is placed in
<filename class='directory'>/etc/pam.d/</filename> or
<filename>/etc/pam.conf</filename> depending on user preference. Below are
example files of each type:</para>
 
<screen># Begin /etc/pam.d/other
 
auth required pam_unix.so nullok
account required pam_unix.so
session required pam_unix.so
password required pam_unix.so nullok
 
# End /etc/pam.d/other
 
# Begin /etc/pam.conf
 
other auth required pam_unix.so nullok
other account required pam_unix.so
other session required pam_unix.so
other password required pam_unix.so nullok
 
# End /etc/pam.conf</screen>
 
<para>The <application><acronym>PAM</acronym></application> man page
(<command>man pam</command>) provides a good starting point for descriptions
of fields and allowable entries. The
<ulink url="http://www.kernel.org/pub/linux/libs/pam/Linux-PAM-html/pam.html">
Linux-PAM guide for system administrators</ulink>
is recommended for further reading.</para>
 
<para>Refer to
<ulink url="http://www.kernel.org/pub/linux/libs/pam/modules.html"/>
for a list of various modules available.</para>
 
<note><para>You should now reinstall the <xref linkend="shadow"/>
package.</para></note>
</sect3>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Program</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>unix_chkpwd and pam_tally</seg>
<seg>libpam.[so,a], libpamc.[so,a] and libpam_misc.[so,a]</seg>
<seg>/etc/pam.d, /etc/security, /lib/security and /usr/include/security</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="unix_chkpwd">
<term><command>unix_chkpwd</command></term>
<listitem><para>checks user passwords that are stored
in read protected databases.</para>
<indexterm zone="Linux_PAM unix_chkpwd">
<primary sortas="b-unix_chkpwd">unix_chkpwd</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="libpam">
<term><filename class='libraryfile'>libpam.[so,a]</filename></term>
<listitem><para>provide the interfaces between applications and the
<acronym>PAM</acronym> modules.</para>
<indexterm zone="Linux_PAM libpam">
<primary sortas="c-libpam">libpam.[so,a]</primary></indexterm>
</listitem>
</varlistentry>
</variablelist>
 
</sect2>
 
</sect1>
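Review bot: The example "other" policy in the Configuration Information screen passes nullok to pam_unix.so on the auth and password lines, and "other" is the fallback stack for every service that has no configuration of its own, so as written any unconfigured service accepts accounts with empty passwords. Suggest making the fallback example restrictive (pam_deny.so, optionally preceded by pam_warn.so so that attempts are logged) and showing the pam_unix.so lines in a per-service file, or at least dropping nullok and adding a sentence that says what "other" is. Separately, the Contents segment lists pam_tally, libpamc and libpam_misc, but Short Descriptions covers only unix_chkpwd and libpam.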
 
/trunk/blfs/postlfs/editors/nano/nano-config.xml
File deleted
/trunk/blfs/postlfs/editors/nano/nano.ent
File deleted
/trunk/blfs/postlfs/editors/nano/nano-intro.xml
File deleted
/trunk/blfs/postlfs/editors/nano/nano-inst.xml
File deleted
/trunk/blfs/postlfs/editors/nano/nano-desc.xml
File deleted
/trunk/blfs/postlfs/editors/emacs/emacs.ent
File deleted
/trunk/blfs/postlfs/editors/emacs/emacs-intro.xml
File deleted
/trunk/blfs/postlfs/editors/emacs/emacs-inst.xml
File deleted
/trunk/blfs/postlfs/editors/emacs/emacs-desc.xml
File deleted
/trunk/blfs/postlfs/editors/vim/vim-inst.xml
File deleted
/trunk/blfs/postlfs/editors/vim/vim-desc.xml
File deleted
/trunk/blfs/postlfs/editors/vim/vim.ent
File deleted
/trunk/blfs/postlfs/editors/vim/vim-intro.xml
File deleted
/trunk/blfs/postlfs/editors/vim/vim-exp.xml
File deleted
/trunk/blfs/postlfs/editors/joe/joe-config.xml
File deleted
/trunk/blfs/postlfs/editors/joe/joe.ent
File deleted
/trunk/blfs/postlfs/editors/joe/joe-intro.xml
File deleted
/trunk/blfs/postlfs/editors/joe/joe-inst.xml
File deleted
/trunk/blfs/postlfs/editors/joe/joe-desc.xml
File deleted
/trunk/blfs/postlfs/editors/emacs.xml
1,10 → 1,213
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-editors-emacs" xreflabel="Emacs-&emacs-version;">
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY emacs-download-http "http://ftp.gnu.org/pub/gnu/emacs/emacs-&emacs-version;.tar.gz">
<!ENTITY emacs-download-ftp "ftp://ftp.gnu.org/pub/gnu/emacs/emacs-&emacs-version;.tar.gz">
<!ENTITY emacs-md5sum "8f9d97cbd126121bd5d97e5e31168a87">
<!ENTITY emacs-size "20 MB">
<!ENTITY emacs-buildsize "96.8 MB">
<!ENTITY emacs-time "4.20 SBU">
]>
 
<sect1 id="emacs" xreflabel="Emacs-&emacs-version;">
<sect1info>
<othername>$LastChangedBy: bdubbs $</othername>
<date>$Date: 2005-06-16 06:20:36 $</date>
</sect1info>
 
<?dbhtml filename="emacs.html"?>
<title>Emacs-&emacs-version;</title>
 
&emacs-intro;
&emacs-inst;
&emacs-desc;
<indexterm zone="emacs">
<primary sortas="a-Emacs">Emacs</primary>
</indexterm>
 
<sect2>
<title>Introduction to <application>Emacs</application></title>
 
<para>The <application>Emacs</application> package contains the extensible,
customizable, self-documenting real-time display editor.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink url="&emacs-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink url="&emacs-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &emacs-md5sum;</para></listitem>
<listitem><para>Download size: &emacs-size;</para></listitem>
<listitem><para>Estimated disk space required: &emacs-buildsize;</para></listitem>
<listitem><para>Estimated build time: &emacs-time;</para></listitem>
</itemizedlist>
</sect3>
 
<sect3>
<title><application>Emacs</application> dependencies</title>
 
<sect4>
<title>Optional</title>
 
<para>X (<xref linkend="xfree86"/> or <xref linkend="xorg"/>),
<xref linkend="libjpeg"/>,
<xref linkend="libpng"/>,
<xref linkend="libtiff"/> and
<xref linkend="libungif"/> or <xref linkend="giflib"/></para>
</sect4>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>Emacs</application></title>
 
<para>Install <application>Emacs</application> by running the following
commands:</para>
 
<screen><userinput><command>./configure --prefix=/usr --libexecdir=/usr/sbin &amp;&amp;
make bootstrap</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>b2m, ctags, ebrowse, emacs, emacsclient, etags, grep-changelog and rcs-checkin</seg>
<seg>None</seg>
<seg>/usr/sbin/emacs and /usr/share/emacs</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="b2m">
<term><filename>b2m</filename></term>
<listitem><para>is a program to convert mail files from RMAIL
format to Unix <quote>mbox</quote> format.</para>
<indexterm zone="emacs b2m">
<primary sortas="b-b2m">b2m</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="ctags">
<term><filename>b2m</filename></term>
<listitem><para>creates cross-reference tagfile database files
for source code.</para>
<indexterm zone="emacs ctags">
<primary sortas="b-ctags">ctags</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="ebrowse">
<term><filename>ebrowse</filename></term>
<listitem><para>permits browsing of C++ class hierarchies from
within emacs.</para>
<indexterm zone="emacs ebrowse">
<primary sortas="b-ebrowse">ebrowse</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="emacs-prog">
<term><filename>emacs</filename></term>
<listitem><para>is an editor.</para>
<indexterm zone="emacs emacs-prog">
<primary sortas="b-emacs">emacs</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="emacsclient">
<term><filename>emacsclient</filename></term>
<listitem><para>attaches an emacs session to an already
running emacsserver instance.</para>
<indexterm zone="emacs emacsclient">
<primary sortas="b-emacsclient">emacsclient</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="etags">
<term><filename>etags</filename></term>
<listitem><para>is another program to generate source code
cross-reference tagfiles.</para>
<indexterm zone="emacs etags">
<primary sortas="b-etags">etags</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="grep-changelog">
<term><filename>grep-changelog</filename></term>
<listitem><para>prints entries in Change Logs matching
various criteria.</para>
<indexterm zone="emacs grep-changelog">
<primary sortas="b-grep-changelog">grep-changelog</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="rcs-checkin">
<term><filename>rcs-checkin</filename></term>
<listitem><para>is a shell script used to check
files into <acronym>RCS</acronym>.</para>
<indexterm zone="emacs rcs-checkin">
<primary sortas="b-rcs-checkin">rcs-checkin</primary></indexterm>
</listitem>
</varlistentry>
 
<!--
<sect3><title>cvt-mail</title>
<para><command>cvt-mail</command> converts old style goslings emacs mail
directories into gnu-rmail format.</para></sect3>
 
<sect3><title>digest-doc</title>
<para><command>digest-doc</command> is a filter to create nroff output for man
pages.</para></sect3>
 
<sect3><title>emacsserver</title>
<para><command>emacserver</command> allows other applications/shells to access
an already running emacs instance and share buffers with it.</para></sect3>
 
<sect3><title>fakemail</title>
<para><command>fakemail</command> is a sendmail-like interface to
<filename>/bin/mail</filename>.</para></sect3>
 
<sect3><title>hexl</title>
<para><command>hexl</command> converts files for editing with emacs hexl-mode
binary file editing mode.</para></sect3>
 
<sect3><title>movemail</title>
<para><command>movemail</command> provides access to
<acronym>POP</acronym>3 mailboxes.</para></sect3>
 
<sect3><title>profile</title>
<para><command>profile</command> generates periodic events for profiling of
Emacs Lisp code.</para></sect3>
 
<sect3><title>rcs2log</title>
<para><command>rcs2log</command> generates change log prefixes from
<acronym>RCS</acronym> files.</para></sect3>
 
<sect3><title>sorted-doc</title>
<para><command>sorted-doc</command> is a filter to generate texinfo
files.</para></sect3>
 
<sect3><title>vcdiff</title>
<para><command>vcdiff</command> compares <acronym>SCCS</acronym>
files.</para></sect3>
 
<sect3><title>yow</title>
<para><command>yow</command> prints a quotation from Zippy the
Pinhead.</para></sect3> -->
</variablelist>
 
</sect2>
 
</sect1>
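Review bot: In Short Descriptions, the varlistentry with id="ctags" has <term><filename>b2m</filename></term>, copied from the entry above it; the term should be ctags so that it matches the description and the indexterm. Also, the configure line passes --libexecdir=/usr/sbin and Installed Directories lists /usr/sbin/emacs, but the page has no Command explanations section saying why the helper programs go there; a short explanation of that switch would help.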
/trunk/blfs/postlfs/editors/ed.xml
0,0 → 1,135
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY ed-download-http "http://ftp.gnu.org/pub/gnu/ed/ed-&ed-version;.tar.gz">
<!ENTITY ed-download-ftp "ftp://ftp.gnu.org/pub/gnu/ed/ed-&ed-version;.tar.gz">
<!ENTITY ed-md5sum "ddd57463774cae9b50e70cd51221281b">
<!ENTITY ed-size "182 KB">
<!ENTITY ed-buildsize "3.1 MB">
<!ENTITY ed-time "0.10 SBU">
]>
 
<sect1 id="ed" xreflabel="Ed-&ed-version;">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:36 $</date>
</sect1info>
<?dbhtml filename="ed.html"?>
<title>Ed-&ed-version;</title>
<indexterm zone="ed"><primary
sortas="a-Ed">Ed</primary></indexterm>
 
 
<sect2>
<title>Introduction to <application>Ed</application></title>
 
<para><application>Ed</application> is a line-oriented text editor. It
is used to create, display, modify and otherwise manipulate text files,
both interactively and via shell scripts. Ed isn't something which many
people use. It's described here because it can be used by the patch
program if you encounter an ed-based patch file. This happens rarely
because diff-based patches are preferred these days.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing="compact">
<listitem><para>Download (HTTP):
<ulink url="&ed-download-http;"/></para></listitem>
<listitem><para>Download (FTP):
<ulink url="&ed-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &ed-md5sum;</para></listitem>
<listitem><para>Download size: &ed-size;</para></listitem>
<listitem><para>Estimated disk space required:
&ed-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&ed-time;</para></listitem></itemizedlist>
</sect3>
 
<sect3><title>Additional downloads</title>
<itemizedlist spacing="compact">
<listitem><para>Required Patch: <ulink
url="&patch-root;/ed-&ed-version;-mkstemp-1.patch"/></para></listitem>
</itemizedlist></sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>Ed</application></title>
 
<para><application>Ed</application> normally uses the
<emphasis>mktemp</emphasis> function to create temporary files in
<filename class="directory">/tmp</filename>, but this function contains
a vulnerability (see the section on Temporary Files at
<ulink url="http://en.tldp.org/HOWTO/Secure-Programs-HOWTO/avoid-race.html"/>).
Apply the following patch to make <application>Ed</application> use
<emphasis>mkstemp</emphasis> instead, a secure way to create temporary
files:</para>
 
<screen><userinput><command>patch -Np1 -i ../ed-&ed-version;-mkstemp-1.patch</command></userinput></screen>
 
<para>Install <application>Ed</application> by running the following
commands:</para>
 
<screen><userinput><command>./configure --prefix=/usr --exec-prefix="" &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para><parameter>--exec-prefix=""</parameter>: This forces the programs
to be installed into the <filename class="directory">/bin</filename>
directory. Having the programs available there is useful in the event of
the <filename class="directory">/usr</filename> partition being
unavailable.</para>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>ed and red</seg>
<seg>None</seg>
<seg>None</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="ed-prog">
<term><filename>ed</filename></term>
<listitem><para>is a line-oriented text editor.</para>
<indexterm zone="ed ed-prog">
<primary sortas="b-ed">ed</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="red">
<term><filename>red</filename></term>
<listitem><para>is a restricted ed&mdash;it can only edit files in the
current directory and cannot execute shell commands.
</para>
<indexterm zone="ed red">
<primary sortas="b-red">red</primary></indexterm>
</listitem>
</varlistentry>
 
</variablelist>
 
</sect2>
 
</sect1>
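Review bot: The installation paragraph says mktemp "contains a vulnerability" without naming it, and the only detail sits behind an external link. One sentence stating the problem would make the purpose of the patch clear: mktemp only returns a name, which leaves a window before the file is opened in which another local user can create a file or symlink at that path in /tmp, whereas mkstemp creates and opens the file in one step. The Additional downloads entry for ed-&ed-version;-mkstemp-1.patch also carries no checksum, unlike the tarball's ed-md5sum, so a reader has nothing to verify the required patch against.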
/trunk/blfs/postlfs/editors/editors.xml
1,18 → 1,25
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<chapter id="postlfs-editors">
<?dbhtml filename="editors.html"?>
<title>Editeurs</title>
<title>Editors</title>
 
<para>Ce chapitre est référencé dans le livre <acronym>LFS</acronym> pour ceux
qui souhaitent utiliser d'autres éditeurs sur leur système
<acronym>LFS</acronym>. Nous avons aussi l'opportunité de montrer le bénéfice
que tirent certains programmes déjà installés par <acronym>LFS</acronym> à être
recompilés après l'installation des bibliothèques <acronym>GUI</acronym>.</para>
<para>This chapter is referenced in the <acronym>LFS</acronym> book for
those wishing to use other editors on their <acronym>LFS</acronym> system.
You're also shown how some <acronym>LFS</acronym> installed programs
benefit from being recompiled after <acronym>GUI</acronym> libraries have
been installed.</para>
 
&postlfs-editors-vim;
&postlfs-editors-emacs;
&postlfs-editors-nano;
&postlfs-editors-joe;
&postlfs-editors-pico;
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="vim.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="emacs.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="nano.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="joe.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="pico.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="ed.xml"/>
 
</chapter>
/trunk/blfs/postlfs/editors/pico.xml
1,9 → 1,19
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<sect1 id="pico">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:36 $</date>
</sect1info>
<?dbhtml filename="pico.html"?>
<title>Pico</title>
 
<para><application>pico</application> est installé comme partie de
<para><command>pico</command> is installed as a part of
<xref linkend="pine"/>.</para>
 
</sect1>
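Review bot: The DOCTYPE added at the top declares "chapter" as the document element, but the root element of this file is <sect1 id="pico">, so the file will not validate on its own. Change the declaration to <!DOCTYPE sect1 PUBLIC ...>, as in emacs.xml, ed.xml, nano.xml and vim.xml.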
/trunk/blfs/postlfs/editors/nano.xml
1,11 → 1,135
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-editors-nano">
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY nano-download-http "http://www.nano-editor.org/dist/v1.2/nano-&nano-version;.tar.gz">
<!ENTITY nano-download-ftp "ftp://ftp.uni-koeln.de/editor/nano-&nano-version;.tar.gz">
<!ENTITY nano-md5sum "2c513310ec5e8b63abaecaf48670ac7a">
<!ENTITY nano-size "897 KB">
<!ENTITY nano-buildsize "4.3 MB">
<!ENTITY nano-time "0.08 SBU">
]>
 
<sect1 id="nano">
<sect1info>
<othername>$LastChangedBy: bdubbs $</othername>
<date>$Date: 2005-06-16 06:20:36 $</date>
</sect1info>
<?dbhtml filename="nano.html"?>
<title>nano-&nano-version;</title>
<indexterm zone="nano"><primary
sortas="a-nano">Nano</primary></indexterm>
 
&nano-intro;
&nano-inst;
&nano-config;
&nano-desc;
<sect2>
<title>Introduction to <application>nano</application></title>
 
<para>The <application>nano</application> package contains a small, simple
text editor which aims to replace <application>Pico</application>, the default
editor in the <application>Pine</application> package.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&nano-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&nano-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &nano-md5sum;</para></listitem>
<listitem><para>Download size: &nano-size;</para></listitem>
<listitem><para>Estimated disk space required:
&nano-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&nano-time;</para></listitem></itemizedlist>
</sect3>
 
<sect3><title><application>nano</application> dependencies</title>
<sect4><title>Optional</title>
<para><xref linkend="slang"/></para>
</sect4>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>nano</application></title>
 
<para>Install <application>nano</application> by running the following
commands:</para>
 
<screen><userinput><command>./configure --prefix=/usr --sysconfdir=/etc \
--enable-color --enable-multibuffer --enable-nanorc &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
mkdir -p /usr/share/doc/nano/examples &amp;&amp;
cp nanorc.sample /usr/share/doc/nano/examples</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Configuring nano</title>
 
<sect3 id="nano-config"><title>Config files</title>
<para><filename>/etc/nanorc</filename>, <filename>~/.nanorc</filename></para>
<indexterm zone="nano nano-config">
<primary sortas="e-etc-nanorc">/etc/nanorc</primary>
</indexterm>
<indexterm zone="nano nano-config">
<primary sortas="e-AA.nanorc">~/.nanorc</primary>
</indexterm>
 
<para>Example Configuration</para>
 
<screen><userinput>set autoindent
set const
set fill 72
set historylog
set multibuffer
set nohelp
set regexp
set smooth
set suspend</userinput></screen>
 
<para>Another example is in the
<filename class="directory">/usr/share/doc/nano/examples</filename> directory
in the <filename>nanorc.sample</filename> file. It includes color
configurations and has some documentation included in the comments.</para>
</sect3>
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directory</segtitle>
<seglistitem>
<seg>nano</seg>
<seg>None</seg>
<seg>/usr/share/doc/nano</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="nano-prog">
<term><filename>nano</filename></term>
<listitem><para>is a small, simple text editor which aims to
replace <application>Pico</application>, the default editor in the
<application>Pine</application> package.</para>
<indexterm zone="nano nano-prog">
<primary sortas="b-nano">nano</primary></indexterm>
</listitem>
</varlistentry>
 
</variablelist>
 
</sect2>
 
</sect1>
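Review bot: The "Example Configuration" screen does not say which of the two listed files (/etc/nanorc or ~/.nanorc) the settings belong in, and it is marked up as <userinput> although it is file content rather than a command to type. Name the target file in the lead-in sentence. The configure line also passes --enable-color, --enable-multibuffer and --enable-nanorc, but the page has no Command explanations section for them.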
/trunk/blfs/postlfs/editors/vim.xml
1,11 → 1,192
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-editors-vim" xreflabel="Vim-&vim-version;">
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY vim-download-http "http://ftp.at.vim.org/pub/vim/unix/vim-&vim-version;.tar.bz2">
<!ENTITY vim-download-ftp "ftp://ftp.vim.org/pub/vim/unix/vim-&vim-version;.tar.bz2">
<!ENTITY vim-md5sum "821fda8f14d674346b87e3ef9cb96389">
<!ENTITY vim-size "3.7 MB">
<!ENTITY vim-buildsize "48 MB">
<!ENTITY vim-time "0.59 SBU">
]>
 
<sect1 id="vim" xreflabel="Vim-&vim-version;">
<sect1info>
<othername>$LastChangedBy: bdubbs $</othername>
<date>$Date: 2005-06-16 06:20:36 $</date>
</sect1info>
<?dbhtml filename="vim.html"?>
<title>Vim-&vim-version;</title>
<indexterm zone="vim"><primary
sortas="a-Vim">Vim</primary></indexterm>
 
&vim-intro;
&vim-inst;
&vim-exp;
&vim-desc;
<sect2>
<title>Introduction to <application>Vim</application></title>
 
<para>The <application>Vim</application> package, which is an
abbreviation for VI IMproved, contains a <command>vi</command>
clone with extra features as compared to the original
<command>vi</command>.</para>
 
<para>The default <acronym>LFS</acronym> instructions install
<application>vim</application> as a part of the base system.
If you would prefer to link <application>vim</application>
against <application>X</application>, you should recompile
<application>vim</application> to enable <acronym>GUI</acronym>
mode. There is no need for special instructions since
<application>X</application> support is automatically detected.
</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&vim-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&vim-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &vim-md5sum;</para></listitem>
<listitem><para>Download size: &vim-size;</para></listitem>
<listitem><para>Estimated disk space required:
&vim-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&vim-time;</para></listitem></itemizedlist>
</sect3>
 
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required patch: <ulink
url="&patch-root;/vim-&vim-version;-security_fix-1.patch"/></para>
</listitem>
<listitem><para>Translated Vim messages: <ulink
url="http://ftp.at.vim.org/pub/vim/extra/vim-&vim-version;-lang.tar.gz"/>
</para></listitem>
</itemizedlist></sect3>
 
<sect3><title><application>Vim</application> dependencies</title>
<sect4><title>Recommended</title>
<para><application>X</application>
(<xref linkend="xfree86"/> or <xref linkend="xorg"/>)</para>
</sect4>
 
<sect4><title>Optional</title>
<para><xref linkend="gtk2"/>,
<xref linkend="lesstif"/>,
<xref linkend="python"/>,
<xref linkend="tcl"/>,
<xref linkend="ruby"/>
and <xref linkend="gpm"/>
</para>
</sect4>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>Vim</application></title>
 
<note><para>If you recompile vim to link against <application>X</application>,
and your <application>X</application> libs are not on the root partition, you
will no longer have an editor for use in emergencies. You may choose to
install an additional editor, not link vim against X, or move the current
<command>vim</command> executable to the <filename>/bin</filename> directory
under a different name such as <filename>vi</filename>.</para></note>
 
<para>If desired, unpack the translated messages archive:</para>
 
<screen><userinput><command>tar -zxf ../vim-&vim-version;-lang.tar.gz --strip-path=1</command></userinput></screen>
<para>Install <application>Vim</application> by running the following
commands:</para>
 
<screen><userinput><command>echo '#define SYS_VIMRC_FILE "/etc/vimrc"' &gt;&gt; src/feature.h &amp;&amp;
echo '#define SYS_GVIMRC_FILE "/etc/gvimrc"' &gt;&gt; src/feature.h &amp;&amp;
patch -Np1 -i ../vim-&vim-version;-security_fix-1.patch &amp;&amp;
./configure --prefix=/usr --with-features=huge &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para><parameter>--with-features=huge</parameter>: This switch enables all
the additional features available in <application>Vim</application>.</para>
 
<para><option>--enable-gui=no</option>: If you prefer not to link
<application>Vim</application> against <application>X</application>, use
this switch.</para>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<para>A list of the reinstalled files, along with their short descriptions can
be found at <ulink url="&lfs-root;/chapter06/vim.html#contents-vim"/>.</para>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directory</segtitle>
<seglistitem>
<seg>gview, gvim, gvimdiff, rgview, rgvim</seg>
<seg>None</seg>
<seg>/usr/share/vim</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="gview">
<term><filename>gview</filename></term>
<listitem><para>starts <command>gvim</command> in read-only mode.</para>
<indexterm zone="vim gview">
<primary sortas="b-gview">gview</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="gvim">
<term><filename>gvim</filename></term>
<listitem><para>is the editor that runs under X and includes a <acronym>GUI</acronym></para>
<indexterm zone="vim gvim">
<primary sortas="b-gvim">gvim</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="gvimdiff">
<term><filename>gvimdiff</filename></term>
<listitem><para>edits two or three versions of a file with
<command>gvim</command> and show differences.</para>
<indexterm zone="vim gvimdiff">
<primary sortas="b-gvimdiff">gvimdiff</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="rgview">
<term><filename>rgview</filename></term>
<listitem><para>is a restricted version of <command>gview</command>.</para>
<indexterm zone="vim rgview">
<primary sortas="b-rgview">rgview</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="rgvim">
<term><filename>rgvim</filename></term>
<listitem><para>is a restricted version of <command>gvim</command>. </para>
<indexterm zone="vim gvim">
<primary sortas="b-gvim">gvim</primary></indexterm>
</listitem>
</varlistentry>
 
</variablelist>
 
</sect2>
 
</sect1>
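Review bot: The rgvim entry at the end of Short Descriptions reuses gvim's index markup, <indexterm zone="vim gvim"> with <primary sortas="b-gvim">gvim</primary>, so rgvim never gets an index entry and gvim gets two. It should read zone="vim rgvim", sortas="b-rgvim" and primary rgvim. The required vim-&vim-version;-security_fix-1.patch is applied in the build commands, but Command explanations says nothing about what it fixes; a sentence there would tell readers why the patch is required.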
/trunk/blfs/postlfs/editors/joe.xml
1,11 → 1,175
<?xml version="1.0" encoding="ISO-8859-1"?>
<sect1 id="postlfs-editors-joe">
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY joe-download-http "http://prdownloads.sourceforge.net/joe-editor/joe-&joe-version;.tar.gz">
<!ENTITY joe-download-ftp " ">
<!ENTITY joe-md5sum "2a6ef018870fca9b7df85401994fb0e0">
<!ENTITY joe-size "380 KB">
<!ENTITY joe-buildsize "5.7 MB">
<!ENTITY joe-time "0.11 SBU">
]>
 
<sect1 id="joe">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:36 $</date>
</sect1info>
<?dbhtml filename="joe.html"?>
<title>JOE-&joe-version;</title>
<indexterm zone="joe"><primary
sortas="a-JOE">JOE</primary></indexterm>
 
&joe-intro;
&joe-inst;
&joe-config;
&joe-desc;
<sect2>
<title>Introduction to <application><acronym>JOE</acronym></application></title>
 
<para><application>JOE</application> (Joe's own editor) is a small text editor
capable of emulating WordStar, <application>Pico</application>,
and <application>Emacs</application>.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&joe-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&joe-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &joe-md5sum;</para></listitem>
<listitem><para>Download size: &joe-size;</para></listitem>
<listitem><para>Estimated disk space required:
&joe-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&joe-time;</para></listitem></itemizedlist>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application><acronym>JOE</acronym></application></title>
 
<para>Install <application><acronym>JOE</acronym></application> by running the
following commands:</para>
 
<screen><userinput><command>./configure --sysconfdir=/etc --prefix=/usr &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Configuration files</title>
 
<sect3 id="joe-config"><title>Config files</title>
<para><filename>/etc/joe/jmacsrc</filename>,
<filename>/etc/joe/joerc</filename>, <filename>/etc/joe/jpicorc</filename>,
<filename>/etc/joe/jstarrc</filename>, <filename>/etc/joe/rjoerc</filename>,
<filename>~/.joerc</filename></para>
<indexterm zone="joe joe-config">
<primary sortas="e-etc-joe-jmacsrc">/etc/joe/jmacsrc</primary>
</indexterm>
<indexterm zone="joe joe-config">
<primary sortas="e-etc-joe-joerc">/etc/joe/joerc</primary>
</indexterm>
<indexterm zone="joe joe-config">
<primary sortas="e-etc-joe-jpicorc">/etc/joe/jpicorc</primary>
</indexterm>
<indexterm zone="joe joe-config">
<primary sortas="e-etc-joe-jstarrc">/etc/joe/jstarrc</primary>
</indexterm>
<indexterm zone="joe joe-config">
<primary sortas="e-etc-joe-rjoerc">/etc/joe/rjoerc</primary>
</indexterm>
<indexterm zone="joe joe-config">
<primary sortas="e-AA.joerc">~/.joerc</primary>
</indexterm>
</sect3>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Programs</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directory</segtitle>
<seglistitem>
<seg>jmacs, joe, jpico, jstar, rjoe and termidx</seg>
<seg>None</seg>
<seg>/etc/joe</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="jmacs">
<term><filename>jmacs</filename></term>
<listitem><para>is a symbolic link to
<command>joe</command> used to launch <application>Emacs</application>
emulation mode.</para>
<indexterm zone="joe jmacs">
<primary sortas="b-jmacs">jmacs</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="joe-prog">
<term><filename>joe</filename></term>
<listitem><para>is a small text editor capable of emulating
WordStar, <application>Pico</application>, and
<application>Emacs</application>.</para>
<indexterm zone="joe joe-prog">
<primary sortas="b-joe">joe</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="jpico">
<term><filename>jpico</filename></term>
<listitem><para>is a symbolic link to
<command>joe</command> used to launch <application>Pico</application>
emulation mode.</para>
<indexterm zone="joe jpico">
<primary sortas="b-jpico">jpico</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="jstar">
<term><filename>jstar</filename></term>
<listitem><para>is a symbolic link to
<command>joe</command> used to launch WordStar
emulation mode.</para>
<indexterm zone="joe jstar">
<primary sortas="b-jstar">jstar</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="rjoe">
<term><filename>rjoe</filename></term>
<listitem><para>is a symbolic link to
<command>joe</command> that restricts
<application><acronym>JOE</acronym></application> to editing
only files which are specified on the command-line.</para>
<indexterm zone="joe rjoe">
<primary sortas="b-rjoe">rjoe</primary></indexterm>
</listitem>
</varlistentry>
 
<varlistentry id="termidx">
<term><filename>termidx</filename></term>
<listitem><para>is a program used by
<command>joe</command> to generate the termcap index file.</para>
<indexterm zone="joe termidx">
<primary sortas="b-termidx">termidx</primary></indexterm>
</listitem>
</varlistentry>
 
</variablelist>
 
</sect2>
 
</sect1>
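Review bot: joe-download-ftp is declared as " " in the entity block of this file, so the "Download (FTP)" list item renders a ulink with a blank target; drop that listitem or supply a real mirror. The only integrity check published for the download is joe-md5sum, and MD5 no longer resists collisions, so add a stronger digest beside it. In "Short Descriptions", the rjoe entry says it restricts JOE to files named on the command line; if it is meant for restricted accounts, one sentence saying so would tell the reader why the link exists.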
/trunk/blfs/postlfs/shells/zsh/zsh.ent
File deleted
/trunk/blfs/postlfs/shells/zsh/zsh-intro.xml
File deleted
/trunk/blfs/postlfs/shells/zsh/zsh-inst.xml
File deleted
/trunk/blfs/postlfs/shells/zsh/zsh-desc.xml
File deleted
/trunk/blfs/postlfs/shells/zsh/zsh-config.xml
File deleted
/trunk/blfs/postlfs/shells/ash/ash-inst.xml
File deleted
/trunk/blfs/postlfs/shells/ash/ash-desc.xml
File deleted
/trunk/blfs/postlfs/shells/ash/ash-config.xml
File deleted
/trunk/blfs/postlfs/shells/ash/ash.ent
File deleted
/trunk/blfs/postlfs/shells/ash/ash-intro.xml
File deleted
/trunk/blfs/postlfs/shells/tcsh/tcsh.ent
File deleted
/trunk/blfs/postlfs/shells/tcsh/tcsh-intro.xml
File deleted
/trunk/blfs/postlfs/shells/tcsh/tcsh-exp.xml
File deleted
/trunk/blfs/postlfs/shells/tcsh/tcsh-inst.xml
File deleted
/trunk/blfs/postlfs/shells/tcsh/tcsh-desc.xml
File deleted
/trunk/blfs/postlfs/shells/tcsh/tcsh-config.xml
File deleted
/trunk/blfs/postlfs/shells/tcsh.xml
1,13 → 1,147
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY tcsh-download-http "http://gd.tuwien.ac.at/utils/shells/tcsh/tcsh-&tcsh-version;.tar.gz">
<!ENTITY tcsh-download-ftp "ftp://ftp.fu-berlin.de/unix/shells/tcsh/tcsh-&tcsh-version;.tar.gz">
<!ENTITY tcsh-size "804 KB">
<!ENTITY tcsh-buildsize "9.0 MB">
<!ENTITY tcsh-time "0.16 SBU">
<!ENTITY tcsh-md5sum "11c0c9c9148652dc01270c4880d1cc6e">
]>
 
<sect1 id="tcsh" xreflabel="Tcsh-&tcsh-version;">
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="tcsh.html"?>
<title>Tcsh-&tcsh-version;</title>
<indexterm zone="tcsh">
<primary sortas="a-Tcsh">Tcsh</primary></indexterm>
 
&tcsh-intro;
&tcsh-inst;
&tcsh-exp;
&tcsh-config;
&tcsh-desc;
<sect2>
<title>Introduction to <application>Tcsh</application></title>
 
<para>The <application>Tcsh</application> package contains "an enhanced but
completely compatible version of the Berkeley Unix C shell (csh)". This is
useful as an alternative shell for those who prefer C syntax to that of the
bash shell, and also because some programs require the C shell in order to
install.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&tcsh-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&tcsh-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &tcsh-md5sum;</para></listitem>
<listitem><para>Download size: &tcsh-size;</para></listitem>
<listitem><para>Estimated disk space required:
&tcsh-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&tcsh-time;</para></listitem></itemizedlist>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>Tcsh</application></title>
 
<para>Install <application>Tcsh</application> by running the following
commands:</para>
 
<screen><userinput><command>./configure --prefix=/usr &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install &amp;&amp;
make install.man &amp;&amp;
ln -sf /usr/bin/tcsh /bin/csh</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Command explanations</title>
 
<para><command>ln -sf /usr/bin/tcsh /bin/csh</command>: The
<acronym>FHS</acronym> states that if there is a <application>C</application>
shell installed, there should be a symlink from
<filename>/bin/csh</filename> to it. This creates that symlink.</para>
 
</sect2>
 
<sect2>
<title>Configuring <application>Tcsh</application></title>
 
<sect3 id="tcsh-config"><title>Config files</title>
<para>There are numerous configuration files for the C shell. Examples
of these are <filename>/etc/csh.cshrc</filename>,
<filename>/etc/csh.login</filename>,
<filename>/etc/csh.logout</filename>,
<filename>~/.tcshrc</filename>,
<filename>~/.cshrc</filename>,
<filename>~/.history</filename>,
<filename>~/.cshdirs</filename>,
<filename>~/.login</filename>,
<filename>~/.logout</filename>. More information on these files can be
found in the <filename>tcsh(1)</filename> man page.</para>
 
<indexterm zone="tcsh tcsh-config">
<primary sortas="e-etc-csh.cshrc">/etc/csh.cshrc</primary></indexterm>
<indexterm zone="tcsh tcsh-config">
<primary sortas="e-etc-csh.login">/etc/csh.login</primary></indexterm>
<indexterm zone="tcsh tcsh-config">
<primary sortas="e-etc-csh.logout">/etc/csh.logout</primary></indexterm>
<indexterm zone="tcsh tcsh-config">
<primary sortas="e-AA.tcshrc">~/.tcshrc</primary></indexterm>
<indexterm zone="tcsh tcsh-config">
<primary sortas="e-AA.cshrc">~/.cshrc</primary></indexterm>
<indexterm zone="tcsh tcsh-config">
<primary sortas="e-AA.history">~/.history</primary></indexterm>
<indexterm zone="tcsh tcsh-config">
<primary sortas="e-AA.cshdirs">~/.cshdirs</primary></indexterm>
<indexterm zone="tcsh tcsh-config">
<primary sortas="e-AA.login">~/.login</primary></indexterm>
<indexterm zone="tcsh tcsh-config">
<primary sortas="e-AA.logout">~/.logout</primary></indexterm>
</sect3>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Program</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>tcsh</seg>
<seg>None</seg>
<seg>None</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Descriptions</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="tcsh-prog">
<term><command>tcsh</command></term>
<listitem><para>is an enhanced but completely compatible version of the
Berkeley Unix C shell, <command>csh</command>. It is usable as both an
interactive shell and a script processor.</para>
<indexterm zone="tcsh tcsh-prog">
<primary sortas="b-tcsh">tcsh</primary></indexterm>
</listitem>
</varlistentry>
</variablelist>
 
</sect2>
 
</sect1>
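Review bot: in the root command block, ln -sf /usr/bin/tcsh /bin/csh silently replaces any existing /bin/csh and points it into /usr, so the link dangles while /usr is a separate file system that is not yet mounted; the "Command explanations" paragraph should say so, since it currently gives only the FHS rationale. The install steps also never add the new shell to /etc/shells, which chsh consults before accepting a login shell, so an unprivileged user cannot select tcsh after following this page. This rendering carries no +/- markers, so confirm that the &tcsh-intro;, &tcsh-inst;, &tcsh-exp;, &tcsh-config; and &tcsh-desc; references are on the removed side: tcsh.ent and the five fragment files are deleted in this same revision, and any reference left behind would be undeclared.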
 
/trunk/blfs/postlfs/shells/zsh.xml
1,12 → 1,131
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY zsh-download-http "http://prdownloads.sourceforge.net/zsh/zsh-&zsh-version;.tar.bz2">
<!ENTITY zsh-download-ftp " ">
<!ENTITY zsh-size "2.0 MB">
<!ENTITY zsh-buildsize "17 MB">
<!ENTITY zsh-time "0.51 SBU">
<!ENTITY zsh-md5sum "5c37fa9eb659458fe4f7f80da17fb09c">
]>
 
 
<sect1 id="zsh" xreflabel="ZSH-&zsh-version;">
<sect1info>
<othername>$LastChangedBy: larry $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="zsh.html"?>
<title>ZSH-&zsh-version;</title>
<indexterm zone="zsh">
<primary sortas="a-ZSH">ZSH</primary></indexterm>
 
&zsh-intro;
&zsh-inst;
&zsh-config;
&zsh-desc;
<sect2>
<title>Introduction to <application>ZSH</application></title>
 
<para>The <application>ZSH</application> package contains a command
interpreter (shell) usable as an interactive login shell and as
a shell script command processor. Of the standard shells,
<application>ZSH</application> most
closely resembles <application>KSH</application> but includes many
enhancements.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&zsh-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&zsh-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &zsh-md5sum;</para></listitem>
<listitem><para>Download size: &zsh-size;</para></listitem>
<listitem><para>Estimated disk space required:
&zsh-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&zsh-time;</para></listitem></itemizedlist>
</sect3>
 
<sect3><title><application>ZSH</application> dependencies</title>
<sect4><title>Optional</title>
<para><xref linkend="pcre"/></para></sect4>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>ZSH</application></title>
 
<para>Install <application>ZSH</application> by running the following
commands:</para>
 
<screen><userinput><command>./configure --prefix=/usr &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>make install</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Configuring <application>ZSH</application></title>
 
<sect3 id="zsh-config"><title>Config files</title>
<para>There are a whole host of configuration files for
<application>ZSH</application> including
<filename>/etc/zshenv</filename>,
<filename>/etc/zprofile</filename>,
<filename>/etc/zshrc</filename>,
<filename>/etc/zlogin</filename> and
<filename>/etc/zlogout</filename>. You can find more information on these in
the <filename>zsh(1)</filename> and related man pages.</para>
 
<indexterm zone="zsh zsh-config">
<primary sortas="e-etc-zshenv">/etc/zshenv</primary></indexterm>
<indexterm zone="zsh zsh-config">
<primary sortas="e-etc-zprofile">/etc/zprofile</primary></indexterm>
<indexterm zone="zsh zsh-config">
<primary sortas="e-etc-zshrc">/etc/zshrc</primary></indexterm>
<indexterm zone="zsh zsh-config">
<primary sortas="e-etc-zlogin">/etc/zlogin</primary></indexterm>
<indexterm zone="zsh zsh-config">
<primary sortas="e-etc-zlogout">/etc/zlogout</primary></indexterm>
</sect3>
 
</sect2>
 
<sect2>
<title>Contents</title>
 
<segmentedlist>
<segtitle>Installed Program</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>zsh</seg>
<seg>None</seg>
<seg>/usr/lib/zsh, /user/share/zsh</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Description</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="zsh-prog">
<term><command>zsh</command></term>
<listitem><para>is a shell which has command-line editing, built-in spelling
correction, programmable command completion, shell functions (with
autoloading), a history mechanism, and a host of other features.</para>
<indexterm zone="zsh zsh-prog">
<primary sortas="b-zsh">zsh</primary></indexterm>
</listitem>
</varlistentry>
</variablelist>
 
</sect2>
 
</sect1>
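Review bot: the "Installed Directories" seg reads /usr/lib/zsh, /user/share/zsh; the second path is a typo for /usr/share/zsh and should be corrected before it is copied into cleanup or packaging scripts. zsh-download-ftp is declared as " ", so the "Download (FTP)" list item renders a ulink with a blank target; remove the item or give a mirror. The "Config files" paragraph lists only the /etc files; if per-user startup files are in scope as they are on the tcsh page, list them here too, otherwise the two pages are inconsistent.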
 
/trunk/blfs/postlfs/shells/shells.xml
1,15 → 1,21
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
]>
 
<chapter id="postlfs-shells">
<?dbhtml filename="shells.html"?>
<title>Shells</title>
 
<para>Nous sommes tous familiers avec le shell BASH (Bourne Again shell), mais
il existe deux autres interfaces utilisateur considérées comme des shells
modernes et utiles, tcsh (Shell C UNIX de Berkeley) et zsh (Korn shell). Ce
chapitre installe les packages compatibles avec ces types de shells.</para>
<para>We are all familiar with the Bourne Again SHell, but there are two
other user interfaces that are considered useful modern shells -- the
Berkeley Unix C shell and the Korn shell. This chapter installs
packages compatible with these additional shell types.</para>
 
&ash;
&tcsh;
&zsh;
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="ash.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="tcsh.xml"/>
<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="zsh.xml"/>
 
</chapter>
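Review bot: the introductory para says there are "two other user interfaces", the Berkeley Unix C shell and the Korn shell, but the chapter pulls in three files (ash.xml, tcsh.xml, zsh.xml) and never mentions ash; reword the paragraph to cover the Bourne-compatible shell as well. Both the French and the English version of that paragraph are visible here, as are both the &ash; &tcsh; &zsh; entity references and the three xi:include elements; only one of each pair should survive, since keeping both would include every section twice and leave the entities undeclared once the .ent files are gone. The file still declares the DocBook 4.3 DTD, which does not define xi:include, so validation has to run after XInclude processing; note that in the build instructions if it is not already there.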
/trunk/blfs/postlfs/shells/ash.xml
1,12 → 1,128
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
"http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
<!ENTITY % general-entities SYSTEM "../../general.ent">
%general-entities;
 
<!ENTITY ash-version "0.4.0">
<!ENTITY ash-download-http " ">
<!ENTITY ash-download-ftp "ftp://distro.ibiblio.org/pub/Linux/distributions/slackware/slackware_source/ap/ash/ash-&ash-version;.tar.gz">
<!ENTITY ash-md5sum "1c59f5b62a081cb0cb3b053c01d79529">
<!ENTITY ash-size "118 KB">
<!ENTITY ash-buildsize "2.2 MB">
<!ENTITY ash-time "0.06 SBU">
]>
 
<sect1 id="ash" xreflabel="ASH-&ash-version;">
<sect1info>
<othername>$LastChangedBy: randy $</othername>
<date>$Date: 2005-06-16 06:20:37 $</date>
</sect1info>
<?dbhtml filename="ash.html"?>
<title>ASH-&ash-version;</title>
<indexterm zone="ash">
<primary sortas="a-ASH">ASH</primary></indexterm>
 
&ash-intro;
&ash-inst;
&ash-config;
&ash-desc;
<sect2>
<title>Introduction to <application>ASH</application></title>
 
<para><command>ash</command> is a shell that is the most compliant with the
Bourne Shell (not to be confused with Bourne Again SHell i.e.,
<application>Bash</application> installed in <acronym>LFS</acronym>) without
any additional features. Bourne Shell is available on most commercial
<acronym>UNIX</acronym> systems. Hence <command>ash</command> is useful for
testing scripts to be <command>sh</command>-compliant. It also has a small
memory and space requirements compared to the other
<command>sh</command>-compliant shells.</para>
 
<sect3><title>Package information</title>
<itemizedlist spacing='compact'>
<listitem><para>Download (HTTP): <ulink
url="&ash-download-http;"/></para></listitem>
<listitem><para>Download (FTP): <ulink
url="&ash-download-ftp;"/></para></listitem>
<listitem><para>Download MD5 sum: &ash-md5sum;</para></listitem>
<listitem><para>Download size: &ash-size;</para></listitem>
<listitem><para>Estimated disk space required:
&ash-buildsize;</para></listitem>
<listitem><para>Estimated build time:
&ash-time;</para></listitem></itemizedlist>
</sect3>
 
<sect3><title>Additional downloads</title>
<itemizedlist spacing='compact'>
<listitem><para>Required Patch: <ulink
url="&patch-root;/ash-&ash-version;-cumulative_fixes-1.patch"/></para>
</listitem>
</itemizedlist>
</sect3>
 
</sect2>
 
<sect2>
<title>Installation of <application>ASH</application></title>
 
<para>Install <application>ASH</application> by running the following
commands:</para>
 
<screen><userinput><command>patch -Np1 -i ../ash-0.4.0-cumulative_fixes-1.patch &amp;&amp;
make</command></userinput></screen>
 
<para>Now, as the root user:</para>
 
<screen><userinput role='root'><command>install -m 755 sh /bin/ash &amp;&amp;
install -m 644 sh.1 /usr/share/man/man1/ash.1</command></userinput></screen>
 
<para>If you would like to make <command>ash</command> the default sh shell,
make a symlink.</para>
 
<screen><userinput><command>ln -sf ash /bin/sh</command></userinput></screen>
 
</sect2>
 
<sect2>
<title>Configuring <application>ASH</application></title>
 
<sect3 id="ash-config"><title>Config files</title>
<para><application>ASH</application> sources
<filename>/etc/profile</filename> and
<filename>$HOME/.profile</filename></para>
 
<indexterm zone="ash ash-config">
<primary sortas="e-etc-profile">/etc/profile</primary></indexterm>
<indexterm zone="ash ash-config">
<primary sortas="e-AHOME-.profile">$HOME/.profile</primary></indexterm>
</sect3>
 
</sect2>
 
<sect2>
<title>Contents</title>
<segmentedlist>
<segtitle>Installed Program</segtitle>
<segtitle>Installed Libraries</segtitle>
<segtitle>Installed Directories</segtitle>
<seglistitem>
<seg>ash</seg>
<seg>None</seg>
<seg>None</seg>
</seglistitem>
</segmentedlist>
 
<variablelist>
<bridgehead renderas="sect3">Short Description</bridgehead>
<?dbfo list-presentation="list"?>
 
<varlistentry id="ash-prog">
<term><command>ash</command></term>
<listitem><para>is a <command>sh</command>-compliant shell.</para>
<indexterm zone="ash ash-prog">
<primary sortas="b-ash">ash</primary></indexterm>
</listitem>
</varlistentry>
</variablelist>
 
</sect2>
 
</sect1>
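Review bot: the optional step ln -sf ash /bin/sh is wrapped in a plain userinput with no role='root', although it writes to /bin and follows the root block; mark it as a root command. The surrounding text should also warn what the change means: every #!/bin/sh script on the system will then run under a shell that, per the introduction on this page, has no additional features, so scripts relying on Bash extensions will break. The patch command hardcodes ash-0.4.0-cumulative_fixes-1.patch while the "Required Patch" link uses &ash-version;; use the entity in both places so a version bump cannot leave them out of step. ash-download-http is declared as " ", so the "Download (HTTP)" item renders a ulink with a blank target, and ash-version is declared locally here rather than coming from general.ent like the other packages' versions.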