------------------------------------------------------------
revno: 3656
committer: Adam Sommer <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Mon 2008-01-28 23:16:45 -0500
message:
  Patch by Gilbert Mendoza.
modified:
  generic/server/C/security.xml
------------------------------------------------------------
revno: 3653.1.7
committer: Gilbert Mendoza <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Mon 2008-01-28 20:08:38 -0800
message:
  programlisting tag adjustments
modified:
  generic/server/C/security.xml
------------------------------------------------------------
revno: 3653.1.6
committer: Gilbert Mendoza <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Sun 2008-01-27 20:19:28 -0800
message:
  additional refinement of tag usage
modified:
  generic/server/C/security.xml
------------------------------------------------------------
revno: 3653.1.5
committer: Gilbert Mendoza <[EMAIL PROTECTED]>
branch nick: ubuntu-hardy
timestamp: Thu 2008-01-24 20:58:33 -0800
message:
  userinput and computeroutput tags for security section
modified:
  generic/server/C/security.xml
=== modified file 'generic/server/C/security.xml' --- a/generic/server/C/security.xml 2008-01-23 05:50:23 +0000 +++ b/generic/server/C/security.xml 2008-01-29 04:08:38 +0000 @@ -42,10 +42,10 @@ <screen><command>sudo passwd</command></screen> <para>Sudo will prompt you for your password, and then ask you to supply a new password for root as shown below: </para> - <screen><command>[sudo] password for username: (enter your own password) -Enter new UNIX password: (enter a new password for root) -Retype new UNIX password: (repeat new password for root) -passwd: password updated successfully</command></screen> + <screen><computeroutput>[sudo] password for username: <userinput>(enter your own password)</userinput> +Enter new UNIX password: <userinput>(enter a new password for root)</userinput> +Retype new UNIX password: <userinput>(repeat new password for root)</userinput> +passwd: password updated successfully</computeroutput></screen> </listitem> <listitem> <para> 
@@ -121,7 +121,7 @@ <sect2 id="user-profile-security" status="review"> <title>User Profile Security</title> <para> - When a new user is created, the adduser utility creates a brand new home directory named <filename>/home/username</filename>, respectively. The default profile is modeled after the contents found in the directory of <filename>/etc/skel</filename>, which includes all profile basics. + When a new user is created, the adduser utility creates a brand new home directory named <filename class="directory">/home/username</filename>, respectively. The default profile is modeled after the contents found in the directory of <filename class="directory">/etc/skel</filename>, which includes all profile basics. </para> <para> If your server will be home to multiple users, you should pay close attention to the user home directory permissions to ensure confidentiality. By default, user home directories in Ubuntu are created with world read/execute permissions. This means that all users can browse and access the contents of other users home directories. This may not be suitable for your environment. @@ -132,9 +132,9 @@ To verify your current users home directory permissions, use the following syntax: </para> <screen><command>ls -ld /home/username</command></screen> - <para>The following output shows that the directory <filename>/home/username</filename> has world readable permissions: + <para>The following output shows that the directory <filename class="directory">/home/username</filename> has world readable permissions: </para> -<screen><command>drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username</command></screen> +<screen><computeroutput>drwxr-xr-x 2 username username 4096 2007-10-02 20:03 username</computeroutput></screen> </listitem> <listitem> <para> 
@@ -147,9 +147,9 @@ </para> </note> <para> - A much more efficient approach to the matter would be to modify the <application>adduser</application> global default permissions when creating user home folders. Simply edit the file /etc/adduser.conf and modify the DIR_MODE variable to something appropriate, so that all new home directories will receive the correct permissions. + A much more efficient approach to the matter would be to modify the <application>adduser</application> global default permissions when creating user home folders. Simply edit the file <filename>/etc/adduser.conf</filename> and modify the <varname>DIR_MODE</varname> variable to something appropriate, so that all new home directories will receive the correct permissions. </para> -<screen><command>DIR_MODE=0750</command></screen> +<programlisting>DIR_MODE=0750</programlisting> </listitem> <listitem> <para> @@ -158,7 +158,7 @@ <screen><command>ls -ld /home/username</command></screen> <para>The results below show that world readable permissions have been removed: </para> -<screen><command>drwxr-x--- 2 username username 4096 2007-10-02 20:03 username</command></screen> +<screen><computeroutput>drwxr-x--- 2 username username 4096 2007-10-02 20:03 username</computeroutput></screen> </listitem> </itemizedlist> </sect2> 
@@ -173,11 +173,11 @@ <para> By default, Ubuntu requires a minimum password length of 4 characters, as well as some basic entropy checks. These values are controlled in the file <filename>/etc/pam.d/common-password</filename>, which is outlined below. </para> -<screen><command>password required pam_unix.so nullok obscure min=4 max=8 md5</command></screen> +<programlisting>password required pam_unix.so nullok obscure min=4 max=8 md5</programlisting> <para> If you would like to adjust the minimum length to 6 characters, change the appropriate variable to min=6. The modification is outlined below. </para> -<screen><command>password required pam_unix.so nullok obscure min=6 max=8 md5</command></screen> +<programlisting>password required pam_unix.so nullok obscure min=6 max=8 md5</programlisting> <note> <para> The <varname>max=8</varname> variable does not represent the maximum length of a password. It only means that complexity requirements will not be checked on passwords over 8 characters. You may want to look at the <application>libpam-cracklib</application> package for additional password entropy assistance. @@ -197,13 +197,13 @@ <screen><command>sudo chage -l username</command></screen> <para>The output below shows interesting facts about the user account, namely that there are no policies applied: </para> -<screen><command>Last password change : Jan 20, 2008 +<screen><computeroutput>Last password change : Jan 20, 2008 Password expires : never Password inactive : never Account expires : never Minimum number of days between password change : 0 Maximum number of days between password change : 99999 -Number of days of warning before password expires : 7</command></screen> +Number of days of warning before password expires : 7</computeroutput></screen> </listitem> <listitem> <para> 
@@ -222,13 +222,13 @@ <screen><command>sudo chage -l username</command></screen> <para>The output below shows the new policies that have been established for the account: </para> -<screen><command>Last password change : Jan 20, 2008 +<screen><computeroutput>Last password change : Jan 20, 2008 Password expires : Apr 19, 2008 Password inactive : May 19, 2008 Account expires : Jan 31, 2008 Minimum number of days between password change : 5 Maximum number of days between password change : 90 -Number of days of warning before password expires : 14</command></screen> +Number of days of warning before password expires : 14</computeroutput></screen> </listitem> </itemizedlist> </sect3> @@ -248,7 +248,7 @@ Simply disabling/locking a user account will not prevent a user from logging into your server remotely if they have previously set up RSA public key authentication. They will still be able to gain shell access to the server, without the need for any password. Remember to check the users home directory for files that will allow for this type of authenticated SSH access. e.g. <filename>/home/username/.ssh/authorized_keys</filename>. </para> <para> - Remove or rename the directory <filename>.ssh/</filename> in the user's home folder to prevent further SSH authentication capabilities. + Remove or rename the directory <filename class="directory">.ssh/</filename> in the user's home folder to prevent further SSH authentication capabilities. </para> <para> Be sure to check for any established SSH connections by the disabled user, as it is possible they may have existing inbound or outbound connections. Kill any that are found. 
@@ -256,7 +256,7 @@ <para> Restrict SSH access to only user accounts that should have it. For example, you may create a group called "sshlogin" and add the group name as the value associated with the <varname>AllowGroups</varname> variable located in the file <filename>/etc/ssh/sshd_config</filename>. </para> -<screen><command>AllowGroups sshlogin</command></screen> +<programlisting>AllowGroups sshlogin</programlisting> <para> Then add your permitted SSH users to the group "sshlogin", and restart the SSH service. </para> @@ -292,7 +292,7 @@ <para> To disable the reboot action taken by pressing the <keycombo><keycap>Ctrl</keycap><keycap>Alt</keycap><keycap>Delete</keycap></keycombo> key combination, comment out the following line in the file <filename>/etc/event.d/control-alt-delete</filename>. </para> -<screen><command>#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"</command></screen> +<programlisting>#exec /sbin/shutdown -r now "Control-Alt-Delete pressed"</programlisting> </listitem> </itemizedlist> </sect2> 
@@ -327,21 +327,21 @@ <screen><command>grub-md5-crypt</command></screen> <para>The command will ask you to enter a password and offer a resulting hash value as shown below: </para> -<screen><command>Password: (enter new password) -Retype password: (repeat password) -$1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</command></screen> +<screen><computeroutput>Password: <userinput>(enter new password)</userinput> +Retype password: <userinput>(repeat password)</userinput> +$1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</computeroutput></screen> </listitem> <listitem> <para> Add the resulting hash value to the file <filename>/etc/grub/menu.lst</filename> in the following format: </para> -<screen><command>password --md5 $1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</command></screen> +<programlisting>password --md5 $1$s3YiK$M3lxAbqA6JLm2FbDWnClQ0</programlisting> </listitem> <listitem> <para> To require use of the password for entering single user mode, change the value of the <varname>lockalternative</varname> variable in the file <filename>/boot/grub/menu.lst</filename> to <varname>true</varname>, as shown in the following example. </para> -<screen><command># lockalternative=true</command></screen> +<programlisting># lockalternative=true</programlisting> </listitem> </itemizedlist> <note> -- https://code.launchpad.net/~ubuntu-core-doc/ubuntu-doc/ubuntu-hardy You are receiving this branch notification because you are subscribed to it. -- ubuntu-doc-commits mailing list ubuntu-doc-commits@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-doc-commits
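Review bot: In the @@ -42,10 hunk, the parenthesised hints such as (enter your own password) are now wrapped in <userinput>, which marks them as text the reader types literally. They are instructions rather than input, so consider keeping them outside <userinput> (for example as <replaceable> or <emphasis>) and marking username in the [sudo] prompt as <replaceable>username</replaceable>. The same applies to the Password: and Retype password: prompts in the @@ -327,21 hunk.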
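Review bot: In the @@ -121,7 hunk, the rewritten sentence still ends with "named <filename class="directory">/home/username</filename>, respectively", where "respectively" has nothing to refer to; since the line is being changed anyway, drop the word. username is a placeholder here, so <replaceable>username</replaceable> inside the <filename> element would make that explicit.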
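Review bot: In the @@ -132,9 hunk, and again in @@ -158,7, the sample line now tagged <computeroutput> ends in the bare name username, but ls -ld prints its operand as given, so the command shown (ls -ld /home/username) would print /home/username in the last column. Now that the line is marked as literal program output, correct the last field so it matches the command above it.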
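Review bot: In the @@ -173,11 hunk, the paragraph between the two listings refers to min=6 as plain text while the note directly below uses <varname>max=8</varname>; mark min=6 up the same way for consistency. The two <programlisting> lines differ only in min=4 versus min=6, which is easy to miss in a long pam_unix.so line, so it may be worth stating in the text that nothing else on the line changes.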
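Review bot: In the @@ -292,7 hunk, the text says to comment out "the following line" but the new <programlisting> shows the line already commented out (#exec /sbin/shutdown -r now ...), so a reader searching /etc/event.d/control-alt-delete for that exact text will not find it. Either show the line as it appears in the file before the edit, or reword the sentence to say "so that it reads as follows".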
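Review bot: In the @@ -327,21 hunk, the paragraph introducing the new password --md5 listing names /etc/grub/menu.lst, while the next list item uses /boot/grub/menu.lst; both steps should refer to the same file, so correct whichever path is wrong while this block is being touched. The sample hash also appears as literal text in both the output and the <programlisting>; wrapping it in <replaceable> in the listing would signal that readers must substitute the value they generated themselves.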