~ubuntu-branches/ubuntu/jaunty/ubuntu-docs/jaunty-proposed

* Various serverguide fixes:
  - Grammar error (LP: #203829) - Dean Sas
  - Fix mailman dependencies (LP: #291772) - Morten Siebuhr
  - CVS installation error (LP: #298605) - Thomas M
  - Postfox installation error (LP: #306289) - Adam Sommer
  - SSH update (LP: #311900) - Dean Sas
  - unzoo replaced by zoo (LP: #312506)
  - Samba instructions update (LP: #313232) - Adam Sommer
  - Clearer SSL instructions (LP: #314951) - Adam Sommer
  - LDAP error (LP: #319179) - Adam Sommer
  - MoinMoin installation fix (LP: #320840) - Adam Sommer
  - Postfix ssl improvements (LP: #323203) - Adam Sommer
  - Ebox instructions error (LP: #324399) - Dean Sas
  - Typo in openssh section (LP: #325828) - Dean Sas
  - Typo in samba section (LP: #285484) - Nick Ellery
  - SSHD fix (LP: #295279) - Adam Sommer
  - Jeos fix (LP: #307582) - Adam Sommer
  - Remove reference to ebox-all package (LP: #322367) - Adam Sommer

* Typo in "switching from windows" (LP: #309735)
* Broken link in "programming" (LP: #310081) - Jonathan Jesse
* lsb_release issue in "basic commands" (LP: #310713) - Thomas M
* Updating logout instructions (LP: #327060) - Dean Sas
* Updating all documents to use apt-url for installation instructions
* Refreshing pot files for Rosetta
* Recompress *.png files with 'advpng -z -4 file.png' to save space -  Sahak Petrosyan
* Improve instructions on pasting commands (LP: #185892) - Martin Mai
* Rewrite of networking instructions (LP: #298513, LP: #321308, LP: #314680, LP: #321179) - Dougie Richardson
* Amend punctuation of about-ubuntu (LP: #275592) - Dougie Richardson
* Documentation for automatic login (LP: #290467) - Dougie Richardson

files added:
internet/C/connecttoserver.xml

internet/C/disconnecting.xml

internet/C/information.xml

internet/C/nm.xml

serverguide/C/clustering.xml

serverguide/C/other-apps.xml

files removed:
internet/C/connect.xml

files modified:
about-ubuntu/C/about-ubuntu.xml

about-ubuntu/po/about-ubuntu.pot

add-applications/C/add-applications.xml

add-applications/po/add-applications.pot

administrative/po/administrative.pot

advanced-topics/po/advanced-topics.pot

basic-commands/C/basic-commands.xml

basic-commands/po/basic-commands.pot

browser-startpage/img/header.png

browser-startpage/img/headerlogo.png

config-desktop/C/config-desktop.xml

config-desktop/po/config-desktop.pot

debian/changelog

desktop-effects/C/desktop-effects.xml

desktop-effects/po/desktop-effects.pot

files-and-docs/po/files-and-docs.pot

games/C/games.xml

games/po/games.pot

hardware/C/hardware.xml

hardware/po/hardware.pot

internet/C/basics.xml

internet/C/connecting.xml

internet/C/internet.xml

internet/C/networking.xml

internet/C/troubleshooting.xml

internet/C/web-apps.xml

internet/C/wireless.xml

internet/po/internet.pot

keeping-safe/C/keeping-safe.xml

keeping-safe/po/keeping-safe.pot

libs/admon/caution.png

libs/admon/important.png

libs/admon/tip.png

libs/admon/warning.png

libs/gnome-menus-C.ent

libs/img/bg-content.png

libs/img/cap-bottom.png

libs/img/cap-top.png

libs/img/headerlogo.png

libs/img/help-about.png

libs/img/tab_off_ns1.png

libs/img/tab_off_ns2.png

libs/img/tab_on_ns1.png

libs/img/tab_on_ns2.png

libs/img/ubuntuheader.png

libs/navig/home.png

libs/navig/next.png

libs/navig/prev.png

libs/navig/toc-blank.png

libs/navig/up.png

libs/ubuntu-book.css

musicvideophotos/C/musicvideophotos.xml

musicvideophotos/po/musicvideophotos.pot

newtoubuntu/po/newtoubuntu.pot

office/C/office.xml

office/po/office.pot

printing/C/printing.xml

printing/po/printing.pot

programming/C/programming.xml

programming/po/programming.pot

serverguide/C/dns.xml

serverguide/C/file-server.xml

serverguide/C/installation.xml

serverguide/C/lamp-applications.xml

serverguide/C/mail.xml

serverguide/C/network-auth.xml

serverguide/C/network-config.xml

serverguide/C/package-management.xml

serverguide/C/remote-administration.xml

serverguide/C/security.xml

serverguide/C/serverguide.xml

serverguide/C/vcs.xml

serverguide/C/virtualization.xml

serverguide/C/web-servers.xml

serverguide/C/windows-networking.xml

serverguide/po/serverguide.pot

switching/C/installing.xml

switching/C/whyswitch.xml

windows/C/glossary.xml

windows/po/windows.pot

Show diffs side-by-side

added added

removed removed

serverguide/C/security.xml

1384

</sect2>

1385

1386

<title>Generating a Certificate Signing Request (CSR)</title>

1387

<para>Whether you are getting a certificate from a CA or generating your own

1388

self-signed certificate, the first step is to generate a key.

1389

</para>

1387

1388

<para>

1389

Whether you are getting a certificate from a CA or generating your own

1390

self-signed certificate, the first step is to generate a key.

1391

</para>

1392

1393

<para>

1394

If the certificate will be used by service daemons, such as Apache, Postfix, Dovecot, etc,

1395

a key without a passphrase is often appropriate. Not having a passphrase allows the services

1396

to start without manual intervention, usually the preferred way to start a daemon.

1397

</para>

1398

1399

<para>

1400

This section will cover generating a key with a passphrase, and one without. The non-passphrase

1401

key will then be used to generate a certificate that can be used with various service daemons.

1402

</para>

1403

1404

1390

1405

<para>

1391

To generate the <emphasis>keys</emphasis> for the Certificate Signing Request (CSR) run the

1392

following command from a terminal prompt:

1406

Running your secure service without a passphrase is convenient because you will not

1407

need to enter the passphrase every time you start your secure service. But it is

1408

insecure and a compromise of the key means a compromise of the server as well.

1393

1409

</para>

1410

</warning>

1411

1412

<para>

1413

To generate the <emphasis>keys</emphasis> for the Certificate Signing Request (CSR) run the

1414

following command from a terminal prompt:

1415

</para>

1416

1394

1417

1395

1418

<command>openssl genrsa -des3 -out server.key 1024</command>

1396

1419

</screen>

1407

1430

<para>

1408

1431

You can now enter your passphrase. For best security, it should

1409

1432

at least contain eight characters. The minimum length when

1410

specifying -des3 is four characters. It should include numbers

1433

specifying -des3 is four characters. It should include numbers

1411

1434

and/or punctuation and not be a word in a dictionary. Also

1412

1435

remember that your passphrase is case-sensitive.

1413

1436

</para>

1417

1440

correctly, the server key is generated and stored in the

1418

1441

<filename>server.key</filename> file.

1419

1442

</para>

1420

1421

1422

<para>

1423

You can also run your secure service without a passphrase.

1424

This is convenient because you will not need to enter the

1425

passphrase every time you start your secure service. But it

1426

is highly insecure and a compromise of the key means a

1427

compromise of the server as well.

1428

</para>

1429

</warning>

1430

1431

<para>

1432

In any case, you can choose to run your secure service without

1433

a passphrase by leaving out the -des3 switch in the generation

1434

phase or by issuing the following command at a terminal prompt:

1443

1444

<para>

1445

Now create the insecure key, the one without a passphrase, and shuffle

1446

the key names:

1435

1447

</para>

1436

1448

1437

1449

1438

1450

<command>openssl rsa -in server.key -out server.key.insecure</command>

1451

<command>mv server.key server.key.secure</command>

1452

<command>mv server.key.insecure server.key</command>

1439

1453

</screen>

1454

1440

1455

<para>

1441

Once you run the above command, the insecure key will be stored

1442

in the <filename>server.key.insecure</filename> file. You can use this

1456

The insecure key is now named <filename>server.key</filename>, and you can use this

1443

1457

file to generate the CSR without passphrase.

1444

1458

</para>

1445

1459

1446

1460

<para>

1447

1461

To create the CSR, run the following command at a terminal prompt:

1448

1462

</para>

1463

1449

1464

1450

1465

<command>openssl req -new -key server.key -out server.csr</command>

1451

1466

</screen>

1677

1692

</itemizedlist>

1678

1693

</sect2>

1679

1694

</sect1>

1695

1696

<title>eCryptfs</title>

1697

1698

<para>

1699

<emphasis>eCryptfs</emphasis> is a POSIX-compliant enterprise-class stacked cryptographic filesystem for Linux. Layering on

1700

top of the filesystem layer <emphasis>eCryptfs</emphasis> protects files no matter the underlying filesystem, partition

1701

type, etc.

1702

</para>

1703

1704

<para>

1705

During installation there is an option to encrypt the <filename role="directory">/home</filename> partition. This will automatically

1706

configure everything needed to encrypt and mount the partition.

1707

</para>

1708

1709

<para>

1710

As an example, this section will cover configuring <filename role="directory">/srv</filename> to be encrypted using eCryptfs.

1711

</para>

1712

1713

1714

<title>Using eCryptfs</title>

1715

1716

<para>

1717

First, install the necessary packages. From a terminal prompt enter:

1718

</para>

1719

1720

1721

<command>sudo apt-get install ecryptfs-utils</command>

1722

</screen>

1723

1724

<para>

1725

Now mount the partition to be encrypted:

1726

</para>

1727

1728

1729

<command>sudo mount -t ecryptfs /srv /srv</command>

1730

</screen>

1731

1732

<para>

1733

You will then be prompted for some details on how <application>ecryptfs</application> should encrypt the data.

1734

</para>

1735

1736

<para>

1737

To test that files placed in <filename>/srv</filename> are indeed encrypted copy the <filename>/etc/default</filename>

1738

folder to <filename>/srv</filename>:

1739

</para>

1740

1741

1742

<command>sudo cp -r /etc/default /srv</command>

1743

</screen>

1744

1745

<para>

1746

Now unmount <filename>/srv</filename>, and try to view a file:

1747

</para>

1748

1749

1750

<command>sudo umount /srv</command>

1751

<command>cat /srv/default/cron</command>

1752

</screen>

1753

1754

<para>

1755

Remounting <filename>/srv</filename> using <application>ecryptfs</application> will make the data viewable once again.

1756

</para>

1757

1758

</sect2>

1759

1760

<title>Automatically Mounting Encrypted Partitions</title>

1761

1762

<para>

1763

There are a couple of ways to automatically mount an <application>ecryptfs</application> encrypted filesystem

1764

at boot. This example will use a <filename>/root/.ecryptfsrc</filename> file containing mount options, along with

1765

a passphrase file residing on a USB key.

1766

</para>

1767

1768

<para>

1769

First, create <filename>/root/.ecryptfsrc</filename> containing:

1770

</para>

1771

1772

1773

key=passphrase:passphrase_passwd_file=/mnt/usb/passwd_file.txt

1774

ecryptfs_sig=5826dd62cf81c615

1775

ecryptfs_cipher=aes

1776

ecryptfs_key_bytes=16

1777

ecryptfs_passthrough=n

1778

ecryptfs_enable_filename_crypto=n

1779

</programlisting>

1780

1781

<note>

1782

<para>

1783

Adjust the <emphasis>ecryptfs_sig</emphasis> to the signature in <filename>/root/.ecryptfs/sig-cache.txt</filename>.

1784

</para>

1785

</note>

1786

1787

<para>

1788

Next, create the <filename>/mnt/usb/passwd_file.txt</filename> passphrase file:

1789

</para>

1790

1791

1792

passphrase_passwd=[secrets]

1793

</programlisting>

1794

1795

<para>

1796

Now add the necessary lines to <filename>/etc/fstab</filename>:

1797

</para>

1798

1799

1800

/dev/sdb1 /mnt/usb ext3 ro 0 0

1801

/srv /srv ecryptfs defaults 0 0

1802

</programlisting>

1803

1804

<para>

1805

Make sure the USB drive is mounted before the encrypted partition.

1806

</para>

1807

1808

<para>

1809

Finally, reboot and the <filename>/srv</filename> should be mounted using ecryptfs.

1810

</para>

1811

1812

</sect2>

1813

1814

<title>Other Utilities</title>

1815

1816

<para>

1817

The <application>ecryptfs-utils</application> package includes several other useful utilities:

1818

</para>

1819

1820

1821

1822

<para>

1823

<emphasis>ecryptfs-setup-private:</emphasis> creates a <filename>~/Private</filename> directory

1824

to contain encrypted information. This utility can be run by unprivileged users to keep

1825

data private from other users on the system.

1826

</para>

1827

</listitem>

1828

1829

<para>

1830

<emphasis>ecryptfs-mount-private and ecryptfs-umount-private:</emphasis> will mount and unmount

1831

respectively, a users <filename>~/Private</filename> directory.

1832

</para>

1833

</listitem>

1834

1835

<para>

1836

<emphasis>ecryptfs-add-passphrase:</emphasis> adds a new passphrase to the kernel keyring.

1837

</para>

1838

</listitem>

1839

1840

<para>

1841

<emphasis>ecryptfs-manager:</emphasis> manages <application>eCryptfs</application> objects such as keys.

1842

</para>

1843

</listitem>

1844

1845

<para>

1846

<emphasis>ecryptfs-stat:</emphasis> allows you to view the <application>ecryptfs</application> meta information

1847

for a file.

1848

</para>

1849

</listitem>

1850

</itemizedlist>

1851

1852

</sect2>

1853

1854

<title>References</title>

1855

1856

1857

1858

<para>

1859

For more information on eCryptfs see the <ulink url="https://launchpad.net/ecryptfs">Launch Pad project page</ulink>

1860

</para>

1861

</listitem>

1862

1863

<para>

1864

There is also a <ulink url="http://www.linuxjournal.com/article/9400">Linux Journal</ulink> article covering eCryptfs.

1865

</para>

1866

</listitem>

1867

1868

<para>

1869

Also, for more <application>ecryptfs</application> options see the

1870

<ulink url="http://manpages.ubuntu.com/manpages/jaunty/en/man7/ecryptfs.7.html">ecryptfs man page</ulink>.

1871

</para>

1872

</listitem>

1873

</itemizedlist>

1874

1875

</sect2>

1876

</sect1>

1680

1877

</chapter>

1681

Older »