------------------------------------------------------------
revno: 3654
committer: Jim Campbell <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Thu 2008-01-31 21:23:02 -0600
message:
updates from the ubuntu doc team
modified:
generic/server/C/security.xml
------------------------------------------------------------
revno: 3651.1.5
committer: Adam Sommer <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Mon 2008-01-28 23:16:45 -0500
message:
Patch by Gilbert Mendoza.
modified:
generic/server/C/security.xml
------------------------------------------------------------
revno: 3651.3.7
committer: Gilbert Mendoza <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Mon 2008-01-28 20:08:38 -0800
message:
programlisting tag adjustments
modified:
generic/server/C/security.xml
------------------------------------------------------------
revno: 3651.3.6
committer: Gilbert Mendoza <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Sun 2008-01-27 20:19:28 -0800
message:
additional refinement of tag usage
modified:
generic/server/C/security.xml
------------------------------------------------------------
revno: 3651.3.5
committer: Gilbert Mendoza <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Thu 2008-01-24 20:58:33 -0800
message:
userinput and computeroutput tags for security section
modified:
generic/server/C/security.xml
=== modified file 'generic/server/C/security.xml'
--- a/generic/server/C/security.xml 2008-01-23 05:50:23 +0000
+++ b/generic/server/C/security.xml 2008-01-29 04:08:38 +0000
@@ -42,10 +42,10 @@
<screen><command>sudo passwd</command></screen>
<para>Sudo will prompt you for your password, and then ask you
to supply a new password for root as shown below:
</para>
- <screen><command>[sudo] password for username: (enter your own
password)
-Enter new UNIX password: (enter a new password for root)
-Retype new UNIX password: (repeat new password for root)
-passwd: password updated successfully</command></screen>
+ <screen><computeroutput>[sudo] password for username:
<userinput>(enter your own password)</userinput>
+Enter new UNIX password: <userinput>(enter a new password for root)</userinput>
+Retype new UNIX password: <userinput>(repeat new password for root)</userinput>
+passwd: password updated successfully</computeroutput></screen>
</listitem>
<listitem>
<para>
@@ -121,7 +121,7 @@
<sect2 id="user-profile-security" status="review">
<title>User Profile Security</title>
<para>
- When a new user is created, the adduser utility creates a brand new
home directory named <filename>/home/username</filename>, respectively. The
default profile is modeled after the contents found in the directory of
<filename>/etc/skel</filename>, which includes all profile basics.
+ When a new user is created, the adduser utility creates a brand new
home directory named <filename class="directory">/home/username</filename>,
respectively. The default profile is modeled after the contents found in the
directory of <filename class="directory">/etc/skel</filename>, which includes
all profile basics.
</para>
<para>
If your server will be home to multiple users, you should pay close
attention to the user home directory permissions to ensure confidentiality. By
default, user home directories in Ubuntu are created with world read/execute
permissions. This means that all users can browse and access the contents of
other users home directories. This may not be suitable for your environment.
@@ -132,9 +132,9 @@
To verify your current users home directory permissions, use
the following syntax:
</para>
<screen><command>ls -ld /home/username</command></screen>
- <para>The following output shows that the directory
<filename>/home/username</filename> has world readable permissions:
+ <para>The following output shows that the directory <filename
class="directory">/home/username</filename> has world readable permissions:
</para>
-<screen><command>drwxr-xr-x 2 username username 4096 2007-10-02 20:03
username</command></screen>
+<screen><computeroutput>drwxr-xr-x 2 username username 4096 2007-10-02
20:03 username</computeroutput></screen>
</listitem>
<listitem>
<para>
@@ -147,9 +147,9 @@
</para>
</note>
<para>
- A much more efficient approach to the matter would be to modify
the <application>adduser</application> global default permissions when creating
user home folders. Simply edit the file /etc/adduser.conf and modify the
DIR_MODE variable to something appropriate, so that all new home directories
will receive the correct permissions.
+ A much more efficient approach to the matter would be to modify
the <application>adduser</application> global default permissions when creating
user home folders. Simply edit the file <filename>/etc/adduser.conf</filename>
and modify the <varname>DIR_MODE</varname> variable to something appropriate,
so that all new home directories will receive the correct permissions.
</para>
-<screen><command>DIR_MODE=0750</command></screen>
+<programlisting>DIR_MODE=0750</programlisting>
</listitem>
<listitem>
<para>
@@ -158,7 +158,7 @@
<screen><command>ls -ld /home/username</command></screen>
<para>The results below show that world readable permissions
have been removed:
</para>
-<screen><command>drwxr-x--- 2 username username 4096 2007-10-02 20:03
username</command></screen>
+<screen><computeroutput>drwxr-x--- 2 username username 4096 2007-10-02
20:03 username</computeroutput></screen>
</listitem>
</itemizedlist>
</sect2>
@@ -173,11 +173,11 @@
<para>
By default, Ubuntu requires a minimum password length of 4 characters,
as well as some basic entropy checks. These values are controlled in the file
<filename>/etc/pam.d/common-password</filename>, which is outlined below.
</para>
-<screen><command>password required pam_unix.so nullok obscure min=4 max=8
md5</command></screen>
+<programlisting>password required pam_unix.so nullok obscure min=4 max=8
md5</programlisting>
<para>
If you would like to adjust the minimum length to 6 characters, change the
appropriate variable to min=6. The modification is outlined below.
</para>
-<screen><command>password required pam_unix.so nullok obscure min=6 max=8
md5</command></screen>
+<programlisting>password required pam_unix.so nullok obscure min=6 max=8
md5</programlisting>
<note>
<para>
The <varname>max=8</varname> variable does not represent the maximum
length of a password. It only means that complexity requirements will not be
checked on passwords over 8 characters. You may want to look at the
<application>libpam-cracklib</application> package for additional password
entropy assistance.
@@ -197,13 +197,13 @@
<screen><command>sudo chage -l username</command></screen>
<para>The output below shows interesting facts about the user
account, namely that there are no policies applied:
</para>
-<screen><command>Last password change : Jan
20, 2008
+<screen><computeroutput>Last password change
: Jan 20, 2008
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
-Number of days of warning before password expires : 7</command></screen>
+Number of days of warning before password expires :
7</computeroutput></screen>
</listitem>
<listitem>
<para>
@@ -222,13 +222,13 @@
<screen><command>sudo chage -l username</command></screen>
<para>The output below shows the new policies that have been
established for the account:
</para>
-<screen><command>Last password change : Jan
20, 2008
+<screen><computeroutput>Last password change
: Jan 20, 2008
Password expires : Apr 19, 2008
Password inactive : May 19, 2008
Account expires : Jan 31, 2008
Minimum number of days between password change : 5
Maximum number of days between password change : 90
-Number of days of warning before password expires : 14</command></screen>
+Number of days of warning before password expires :
14</computeroutput></screen>
</listitem>
</itemizedlist>
</sect3>
@@ -248,7 +248,7 @@
Simply disabling/locking a user account will not prevent a user from
logging into your server remotely if they have previously set up RSA public key
authentication. They will still be able to gain shell access to the server,
without the need for any password. Remember to check the users home directory
for files that will allow for this type of authenticated SSH access. e.g.
<filename>/home/username/.ssh/authorized_keys</filename>.
</para>
<para>
- Remove or rename the directory <filename>.ssh/</filename> in the user's
home folder to prevent further SSH authentication capabilities.
+ Remove or rename the directory <filename
class="directory">.ssh/</filename> in the user's home folder to prevent further
SSH authentication capabilities.
</para>
<para>
Be sure to check for any established SSH connections by the disabled
user, as it is possible they may have existing inbound or outbound connections.
Kill any that are found.
@@ -256,7 +256,7 @@
<para>
Restrict SSH access to only user accounts that should have it. For
example, you may create a group called "sshlogin" and add the group name as the
value associated with the <varname>AllowGroups</varname> variable located in
the file <filename>/etc/ssh/sshd_config</filename>.
</para>
-<screen><command>AllowGroups sshlogin</command></screen>
+<programlisting>AllowGroups sshlogin</programlisting>
<para>
Then add your permitted SSH users to the group "sshlogin", and restart
the SSH service.
</para>
@@ -292,7 +292,7 @@
<para>
To disable the reboot action taken by pressing the
<keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></keycombo>
key combination, comment out the following line in the file
<filename>/etc/event.d/control-alt-delete</filename>.
</para>
-<screen><command>#exec /sbin/shutdown -r now "Control-Alt-Delete
pressed"</command></screen>
+<programlisting>#exec /sbin/shutdown -r now "Control-Alt-Delete
pressed"</programlisting>
</listitem>
</itemizedlist>
</sect2>
@@ -327,21 +327,21 @@
<screen><command>grub-md5-crypt</command></screen>
<para>The command will ask you to enter a password and offer a
resulting hash value as shown below:
</para>
-<screen><command>Password: (enter new password)
-Retype password: (repeat password)
-$1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</command></screen>
+<screen><computeroutput>Password: <userinput>(enter new password)</userinput>
+Retype password: <userinput>(repeat password)</userinput>
+$1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</computeroutput></screen>
</listitem>
<listitem>
<para>
Add the resulting hash value to the file
<filename>/etc/grub/menu.lst</filename> in the following format:
</para>
-<screen><command>password --md5
$1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</command></screen>
+<programlisting>password --md5 $1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</programlisting>
</listitem>
<listitem>
<para>
To require use of the password for entering single user mode,
change the value of the <varname>lockalternative</varname> variable in the file
<filename>/boot/grub/menu.lst</filename> to <varname>true</varname>, as shown
in the following example.
</para>
-<screen><command># lockalternative=true</command></screen>
+<programlisting># lockalternative=true</programlisting>
</listitem>
</itemizedlist>
<note>
--
https://code.launchpad.net/~ubuntu-core-doc/ubuntu-doc/ubuntu-hardy
You are receiving this branch notification because you are subscribed to it.
--
ubuntu-doc-commits mailing list
ubuntu-doc-commits@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-doc-commits
