author Gabor Kovesdan <gabor@FreeBSD.org> 2012-08-21 19:16:02 +0000
committer Gabor Kovesdan <gabor@FreeBSD.org> 2012-08-21 19:16:02 +0000
commit 2e51ec7022b39b6fb3524de08669b20d0d436285
tree 79fbae1d36dfb1cf1c634282cd893ef6532e3abb /el_GR.ISO8859-7
parent b2153405c50aa7276c3b5ad07d50eec1f0b45449
- Strip unnecessary trailing spaces
Approved by: doceng (implicit)
Notes: svn path=/projects/sgml2xml/; revision=39416
Diffstat (limited to 'el_GR.ISO8859-7')
-rw-r--r-- el_GR.ISO8859-7/articles/compiz-fusion/article.sgml | 6
-rw-r--r-- el_GR.ISO8859-7/articles/dialup-firewall/article.sgml | 2
-rw-r--r-- el_GR.ISO8859-7/articles/formatting-media/article.sgml | 38
-rw-r--r-- el_GR.ISO8859-7/articles/gjournal-desktop/Makefile | 2
-rw-r--r-- el_GR.ISO8859-7/articles/laptop/article.sgml | 16
-rw-r--r-- el_GR.ISO8859-7/articles/new-users/article.sgml | 8
-rw-r--r-- el_GR.ISO8859-7/books/faq/Makefile | 6
-rw-r--r-- el_GR.ISO8859-7/books/faq/book.sgml | 22
-rw-r--r-- el_GR.ISO8859-7/books/handbook/Makefile | 2
-rw-r--r-- el_GR.ISO8859-7/books/handbook/advanced-networking/chapter.sgml | 10
-rw-r--r-- el_GR.ISO8859-7/books/handbook/cutting-edge/chapter.sgml | 2
-rw-r--r-- el_GR.ISO8859-7/books/handbook/disks/chapter.sgml | 6
-rw-r--r-- el_GR.ISO8859-7/books/handbook/eresources/chapter.sgml | 2
-rw-r--r-- el_GR.ISO8859-7/books/handbook/kernelconfig/chapter.sgml | 8
-rw-r--r-- el_GR.ISO8859-7/books/handbook/linuxemu/chapter.sgml | 4
-rw-r--r-- el_GR.ISO8859-7/books/handbook/mac/chapter.sgml | 6
-rw-r--r-- el_GR.ISO8859-7/books/handbook/multimedia/chapter.sgml | 24
-rw-r--r-- el_GR.ISO8859-7/books/handbook/network-servers/chapter.sgml | 2
-rw-r--r-- el_GR.ISO8859-7/books/handbook/security/chapter.sgml | 444
-rw-r--r-- el_GR.ISO8859-7/htdocs/doc/Makefile | 2
-rw-r--r-- el_GR.ISO8859-7/share/sgml/freebsd.dsl | 4
-rw-r--r-- el_GR.ISO8859-7/share/sgml/navibar.l10n.ent | 4
22 files changed, 310 insertions, 310 deletions
diff --git a/el_GR.ISO8859-7/articles/compiz-fusion/article.sgml b/el_GR.ISO8859-7/articles/compiz-fusion/article.sgml
index ff572f153b..edbe6f4e09 100644
--- a/el_GR.ISO8859-7/articles/compiz-fusion/article.sgml
+++ b/el_GR.ISO8859-7/articles/compiz-fusion/article.sgml
@@ -11,7 +11,7 @@
Installing and Using compiz-fusion in FreeBSD
The FreeBSD Greek Documentation Project
-
+
%SOURCE% en_US.ISO8859-1/articles/compiz-fusion/article.sgml
%SRCID% 1.6
@@ -66,8 +66,8 @@
<title>Εισαγωγή</title>
<para>H εγκατάσταση του <application>Compiz&nbsp;Fusion</application>
- από την συλλογή των Ports, είναι μια σχετικά απλή διαδικασία.
- Χρειάζονται, όμως, και κάποιες επιπλέον ρυθμίσεις, οι οποίες δεν
+ από την συλλογή των Ports, είναι μια σχετικά απλή διαδικασία.
+ Χρειάζονται, όμως, και κάποιες επιπλέον ρυθμίσεις, οι οποίες δεν
περιγράφονται στην τεκμηρίωση του port. Το άρθρο αυτό θα σας βοηθήσει
να ρυθμίσετε τον <application>&xorg;</application> server για
τρισδιάστατη λειτουργία, να ρυθμίσετε την nVidia κάρτα γραφικών σας,
diff --git a/el_GR.ISO8859-7/articles/dialup-firewall/article.sgml b/el_GR.ISO8859-7/articles/dialup-firewall/article.sgml
index 35b86a48c0..fbc7135377 100644
--- a/el_GR.ISO8859-7/articles/dialup-firewall/article.sgml
+++ b/el_GR.ISO8859-7/articles/dialup-firewall/article.sgml
@@ -213,7 +213,7 @@ fwcmd="/sbin/ipfw"
oif="tun0"
# Define our inside interface. This is usually your network
-# card. Be sure to change this to match your own network
+# card. Be sure to change this to match your own network
# interface.
iif="fxp0"
diff --git a/el_GR.ISO8859-7/articles/formatting-media/article.sgml b/el_GR.ISO8859-7/articles/formatting-media/article.sgml
index d93dac4bbd..f3cdf21090 100644
--- a/el_GR.ISO8859-7/articles/formatting-media/article.sgml
+++ b/el_GR.ISO8859-7/articles/formatting-media/article.sgml
@@ -74,7 +74,7 @@
<para>Υπάρχουν δύο πιθανοί τρόποι (modes) μορφοποίησης:</para>
- <itemizedlist>
+ <itemizedlist>
<listitem>
<para><firstterm>συμβατή λειτουργία (compatibility
mode)</firstterm>: Διαμόρφωση του δίσκου ώστε να έχει ένα πίνακα
@@ -109,7 +109,7 @@
(τίτλος) και στα τμήματα (partitions) των δίσκων. Επιπλέον σας
επιτρέπει να αποθηκεύσετε τις αλλαγές μόνο στον συγκεκριμένο δίσκο
χωρίς να επηρεάζει τους υπόλοιπους. Ο δεύτερος τρόπος είναι να
- εκτελέσετε διάφορες εντολές με το χέρι απο την γραμμή εντολών ως root.
+ εκτελέσετε διάφορες εντολές με το χέρι απο την γραμμή εντολών ως root.
Αν επιλέξετε την αποκλειστική λειτουργία χρειάζετε να εκτελέσετε μόνο
2-3 εντολές ενώ με το <command>sysinstall</command> πρέπει δουλέψετε
λιγάκι παραπάνω.</para>
@@ -128,7 +128,7 @@
<listitem>
<para>συμβατή λειτουργία (compatibility mode): η διαμόρφωση του
δίσκου ώστε να έχει ένα πίνακα τμήματων (slice table) και να
- μπορεί να χρησιμοποιηθεί παράλληλα με άλλα λειτουργικά συστήματα.
+ μπορεί να χρησιμοποιηθεί παράλληλα με άλλα λειτουργικά συστήματα.
Αντίθετο της αποκλειστικής λειτουργίας.</para>
</listitem>
@@ -157,8 +157,8 @@
<listitem>
<para>τμήμα (slice): Μία υποδιαίρεση ενός δίσκου. Σύμφωνα με τα
- πρότυπα των PC μπορούν να υπάρχουν μέχρι 4 τμήματα σε έναν δίσκο.
- Τα τμήματα αποτελούνται απο συνεχόμενους τομείς (sectors).
+ πρότυπα των PC μπορούν να υπάρχουν μέχρι 4 τμήματα σε έναν δίσκο.
+ Τα τμήματα αποτελούνται απο συνεχόμενους τομείς (sectors).
Υπάρχει ένας <quote>πίνακας τμημάτων</quote> (slice table) που
περιέχει πληροφορίες για τα τμήματα και χρησιμοποιείται από το
BIOS για να βρεί από πού μπορεί να ξεκινήσει το σύστημα. Ο
@@ -175,7 +175,7 @@
βρίσκεται σε ένα κομμάτι. Τα κομμάτια φτιάχνονται με το εργαλείο
disklabel.</para>
</listitem>
-
+
<listitem>
<para>τομέας (sector): Η μικρότερη υποδιαίρεση ενός δίσκου. Συνήθως
έχει μέγεθος 512 bytes.</para>
@@ -246,11 +246,11 @@
<procedure>
<step>
- <para>Ξεκινήστε το sysinstall ώς root γράφοντας
+ <para>Ξεκινήστε το sysinstall ώς root γράφοντας
<informalexample>
<screen>&prompt.root; <userinput>/stand/sysinstall</userinput></screen>
- </informalexample>
+ </informalexample>
στην γραμμή εντολών.</para>
</step>
@@ -271,12 +271,12 @@
<step>
<para>Αν θα χρησιμοποιήσετε όλο το δίσκο για το FreeBSD, επιλέξτε
<command>A</command>.</para>
- </step>
+ </step>
<step>
<para>Μόλις σας ρωτήσει αν όντως θέλετε να το κάνετε αυτό (Do you
still want to do this) απαντήστε <command>Yes</command>.</para>
- </step>
+ </step>
<step>
<para>Επιλέξτε <command>Write</command>.</para>
@@ -359,7 +359,7 @@
<para>Αν χρειάζεται να αλλάξετε το disklabel για να χρησιμοποιήσετε
πολλαπλά partitions (για παράδειγμα αν θέλετε swap) τότε κάντε:</para>
-
+
<informalexample>
<screen>&prompt.root; <userinput>dd if=/dev/zero of=/dev/ad2 count=2</userinput>
&prompt.root; <userinput>disklabel /dev/ad2 > /tmp/label</userinput>
@@ -397,7 +397,7 @@
<informalexample>
<screen>&prompt.root; <userinput>/stand/sysinstall</userinput></screen>
- </informalexample>
+ </informalexample>
στην γραμμή εντολών.</para>
</step>
@@ -418,10 +418,10 @@
<step>
<para>Αν θα χρησιμοποιήσετε όλο τον δίσκο για το FreeBSD,
επιλέξτε <command>A</command>.</para>
- </step>
+ </step>
<step>
- <para>Όταν σας ζητηθεί:
+ <para>Όταν σας ζητηθεί:
<informalexample>
<screen>Do you want to do this with a true partition entry so as to remain
@@ -454,7 +454,7 @@ drive(s)?</screen>
<step>
<para>Επιλέξτε <command>Label</command> απο το Index menu.</para>
- </step>
+ </step>
<step>
<para>Ονομάστε το δίσκο όπως θέλετε (εδώ θα ορίσετε τα
@@ -469,7 +469,7 @@ drive(s)?</screen>
συμφέρει να το κάνετε! Θα σας δώσει το λάθος:
<informalexample>
- <screen>Error mounting /mnt/dev/ad2s1e on /mnt/blah : No such file or directory</screen>
+ <screen>Error mounting /mnt/dev/ad2s1e on /mnt/blah : No such file or directory</screen>
</informalexample>
Αγνοήστε το.</para>
@@ -508,7 +508,7 @@ drive(s)?</screen>
</step>
<step>
- <para>Όταν κάνετε newfs στον δίσκο, ΜΗΝ το κάνετε στο κομμάτι `c'.
+ <para>Όταν κάνετε newfs στον δίσκο, ΜΗΝ το κάνετε στο κομμάτι `c'.
Αντίθετα, κάντε το μόνο στο κομμάτι που δεν είναι swap.</para>
</step>
@@ -519,7 +519,7 @@ drive(s)?</screen>
<informalexample>
<programlisting>/dev/ad0b none swap sw 0 0</programlisting>
</informalexample>
-
+
<para>Αλλάξτε το <filename>/dev/ad0b</filename> στο όνομα της
καινούργιας σας συσκευής.</para>
</step>
@@ -540,7 +540,7 @@ swapon: added /dev/da0b as swap space</screen>
<sect2>
<title>Αντιγράφοντας τα περιεχόμενα δίσκων</title>
<!-- Should have specific tag -->
-
+
<para>Από τον: Renaud Waldura
(<email>renaud@softway.com</email>)</para>
diff --git a/el_GR.ISO8859-7/articles/gjournal-desktop/Makefile b/el_GR.ISO8859-7/articles/gjournal-desktop/Makefile
index af8057d21c..bb5ce632fb 100644
--- a/el_GR.ISO8859-7/articles/gjournal-desktop/Makefile
+++ b/el_GR.ISO8859-7/articles/gjournal-desktop/Makefile
@@ -2,7 +2,7 @@
# $FreeBSD$
#
# Article: Implementing UFS journaling on a desktop PC
-#
+#
# %SOURCE% en_US.ISO8859-1/articles/gjournal-desktop/Makefile
# %SRCID% 1.1
#
diff --git a/el_GR.ISO8859-7/articles/laptop/article.sgml b/el_GR.ISO8859-7/articles/laptop/article.sgml
index 7ce757ee5e..f0c2dc0d1c 100644
--- a/el_GR.ISO8859-7/articles/laptop/article.sgml
+++ b/el_GR.ISO8859-7/articles/laptop/article.sgml
@@ -72,9 +72,9 @@
υπολογιστές θα βρείτε και στη
σελίδα <ulink url="http://tuxmobil.org/mobile_bsd.html"></ulink>.</para>
- <sect1 id="xorg">
+ <sect1 id="xorg">
<title>Το γραφικό περιβάλλον &xorg;</title>
-
+
<para>Οι πρόσφατες εκδόσεις των <application>&xorg;</application> δουλεύουν με τις
περισσότερες μοντέρνες κάρτες οθόνης που χρησιμοποιούνται σε
φορητούς υπολογιστές. Η επιτάχυνση (acceleration) μπορεί να μην
@@ -119,9 +119,9 @@
<para>στο αρχείο <filename>xorg.conf</filename>, στο
τμήμα <literal>InputDevice</literal>.</para>
- </sect1>
+ </sect1>
- <sect1 id="modems">
+ <sect1 id="modems">
<title>Modems</title>
<para>Οι φορητοί έρχονται συνήθως με εσωτερικά (on-board) μόντεμ.
@@ -139,9 +139,9 @@
φτηνά USB ή σειριακά μόντεμ που μπορεί να σας κοστίσουν
λιγότερο. Γενικά, τα κανονικά (όχι win-μόντεμ) μόντεμ πρέπει να
δουλεύουν χωρίς κανένα πρόβλημα.</para>
- </sect1>
+ </sect1>
- <sect1 id="pcmcia">
+ <sect1 id="pcmcia">
<title>Συσκευές PCMCIA (PC Card)</title>
<para>Οι πιο πολλοί φορητοί έρχονται με υποδοχές PCMCIA (γνωστές
@@ -199,9 +199,9 @@
χρησιμοποιήσει το PCI BIOS). Αν έχετε προβλήματα με αυτή την
έκδοση του &os;, δοκιμάστε να την αναβαθμίσετε σε κάποια πιο
καινούρια.</para>
- </sect1>
+ </sect1>
- <sect1 id="power-management">
+ <sect1 id="power-management">
<title>Power management</title>
<para>Δυστυχώς, το power management δεν υποστηρίζεται πολύ καλά
diff --git a/el_GR.ISO8859-7/articles/new-users/article.sgml b/el_GR.ISO8859-7/articles/new-users/article.sgml
index 6186a0d87d..85876260b0 100644
--- a/el_GR.ISO8859-7/articles/new-users/article.sgml
+++ b/el_GR.ISO8859-7/articles/new-users/article.sgml
@@ -1017,7 +1017,7 @@ setenv XNLSPATH /usr/X11R6/lib/X11/nls</programlisting>
να δουλεύει όταν το σύστημα ξεκινήσει σε κατάσταση ενός χρήστη (single
user mode). Η λύση είναι να χρησιμοποιείτε την εντολή <command>su
-m</command> για να γίνετε <username>root</username>, που θα σας δώσει ένα <command>tcsh</command> φλοιό σαν
- <username>root</username>, αφού το ποιος είναι ο φλοιός είναι μέρος του περιβάλλοντος.
+ <username>root</username>, αφού το ποιος είναι ο φλοιός είναι μέρος του περιβάλλοντος.
Μπορείτε να κάνετε μόνιμη μια τέτοια αλλαγή προσθέτοντας στο
<filename>.tcshrc</filename> σας μια συντόμευση</para>
<programlisting>alias su su -m</programlisting>
@@ -1045,7 +1045,7 @@ setenv XNLSPATH /usr/X11R6/lib/X11/nls</programlisting>
<para>set prompt = "%h %t %~ %# "</para>
<para>Αυτό μπορεί να πάει στο ίδιο μέρος που υπάρχει η παλιά set prompt
- γραμμή αν υπάρχει, ή κάτω από την "if($?prompt) then" αν δεν υπάρχει.
+ γραμμή αν υπάρχει, ή κάτω από την "if($?prompt) then" αν δεν υπάρχει.
Μετατρέψτε την παλιά σε σχόλιο, ώστε να μπορείτε να επιστρέψετε στο
παλιό σας prompt αν το προτιμάτε. Μην ξεχάσετε στην καινούρια γραμμή τα
κενά και τα εισαγωγικά. Μπορείτε να κάνετε το tcsh να ξαναδιαβάσει το
@@ -1068,12 +1068,12 @@ setenv XNLSPATH /usr/X11R6/lib/X11/nls</programlisting>
<command>/sbin/umount /cdrom</command>, να βγάλετε το δίσκο από τον
οδηγό, να βάλετε ένα καινούριο και να το συνδέσετε με την εντολή
<command>/sbin/mount_cd9660 /dev/cd0a /cdrom</command> υποθέτοντας ότι
- <hardware>cd0a</hardware> είναι το όνομα της συσκευής του οδηγού CDROM.
+ <hardware>cd0a</hardware> είναι το όνομα της συσκευής του οδηγού CDROM.
Οι πιο πρόσφατες εκδόσεις του FreeBSD σας αφήνουν να συνδέσετε το CDROM
γράφοντας απλά <command>/sbin/mount /cdrom</command>.</para>
<para>Το live σύστημα&mdash;το δεύτερο CDROM από τους δίσκους εγκατάστασης
- του FreeBSD&mdash; μπορεί να φανεί χρήσιμο αν έχετε περιορισμένο χώρο.
+ του FreeBSD&mdash; μπορεί να φανεί χρήσιμο αν έχετε περιορισμένο χώρο.
Το τι υπάρχει στο live σύστημα διαφέρει από έκδοση σε έκδοση. Μπορείτε
να δοκιμάσετε να παίξετε ακόμα και παιχνίδια από το CDROM. Αυτό απαιτεί
να χρησιμοποιήσετε την εντολή <command>lndir</command>, που εγκαθίσταται
diff --git a/el_GR.ISO8859-7/books/faq/Makefile b/el_GR.ISO8859-7/books/faq/Makefile
index 160d11646b..071210c072 100644
--- a/el_GR.ISO8859-7/books/faq/Makefile
+++ b/el_GR.ISO8859-7/books/faq/Makefile
@@ -1,4 +1,4 @@
-#
+#
# $FreeBSD$
#
# Μορφοποίηση του FreeBSD FAQ
@@ -18,8 +18,8 @@ INSTALL_ONLY_COMPRESSED?=
WITH_BIBLIOXREF_TITLE?=YES
-#
-# Η λίστα SRCS περιέχει όλα τα SGML αρχεία που αποτελούν μέρη του κειμένου.
+#
+# Η λίστα SRCS περιέχει όλα τα SGML αρχεία που αποτελούν μέρη του κειμένου.
# Αλλαγές σε οποιοδήποτε από αυτά τα αρχεία προκαλούν rebuild.
#
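Review bot: The changed comment line `# Η λίστα SRCS περιέχει ...` carries Greek text in a file under el_GR.ISO8859-7, so a whitespace-stripping tool that reads and rewrites the file can silently re-encode it. Worth confirming that the old and new lines differ only in trailing blanks at the byte level and that the file is still ISO8859-7 after the pass.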
diff --git a/el_GR.ISO8859-7/books/faq/book.sgml b/el_GR.ISO8859-7/books/faq/book.sgml
index a86f0cdcac..376be73920 100644
--- a/el_GR.ISO8859-7/books/faq/book.sgml
+++ b/el_GR.ISO8859-7/books/faq/book.sgml
@@ -5286,7 +5286,7 @@ kern.sched.name: 4BSD</screen>
for both, move the parent partition as described above,
then move the child partition into the empty directory
that the first move created:</para>
-
+
<screen>&prompt.root; <userinput>newfs /dev/ad1s1a</userinput>
&prompt.root; <userinput>mount /dev/ad1s1a /mnt</userinput>
&prompt.root; <userinput>cd /mnt</userinput>
@@ -5753,7 +5753,7 @@ C:\="DOS"</programlisting>
<para>Booting &os; using GRUB is very simple. Just
add the following to your configuration file
<filename>/boot/grub/grub.conf</filename>.</para>
-
+
<programlisting>title FreeBSD 6.1
root (hd0,a)
kernel /boot/loader
@@ -5926,7 +5926,7 @@ C:\="DOS"</programlisting>
<para>I burned a CD under FreeBSD and now I can not read it
under any other operating system. Why?</para>
</question>
-
+
<answer>
<para>You most likely burned a raw file to your CD, rather
than creating an ISO 9660 filesystem. Take a look at the
@@ -6022,7 +6022,7 @@ C:\="DOS"</programlisting>
</step>
<step>
- <para>If you are running &os; 5.X or later, you will need to alter
+ <para>If you are running &os; 5.X or later, you will need to alter
<filename>/etc/devfs.conf</filename> to make these changes
permanent across reboots.</para>
@@ -6161,7 +6161,7 @@ perm /dev/acd0 0660</programlisting>
<para>Disk manufacturers calculate gigabytes as a billion bytes
each, whereas &os; calculates them as 1,073,741,824 bytes
each. This explains why, for example, &os;'s boot messages
- will report a disk that supposedly has 80GB as holding
+ will report a disk that supposedly has 80GB as holding
76319MB.</para>
<para>Also note that &os; will (by default)
<link linkend="disk-more-than-full">reserve</link> 8% of the disk
@@ -6910,7 +6910,7 @@ options SYSVMSG # enable for messaging</programlisting>
<answer>
<para>The reason why <filename>.shosts</filename>
authentication does not work by default in more recent
- versions of FreeBSD is because &man.ssh.1;
+ versions of FreeBSD is because &man.ssh.1;
is not installed suid <username>root</username> by default. To
<quote>fix</quote> this, you can do one of the
following:</para>
@@ -7104,7 +7104,7 @@ options SYSVMSG # enable for messaging</programlisting>
period, it was basically only provided as a reference
platform, as it had suffered greatly from bitrot over
the years.</para>
-
+
<para>However, early in 2004, some XFree86 developers left
that project
over issues including the pace of code changes, future
@@ -7715,7 +7715,7 @@ UserConfig&gt; <userinput>quit</userinput></screen>
<application>&xorg;</application>.
If you want to run a different X11 implementation
than the default one, add the following line to
- <filename>/etc/make.conf</filename>, (if you
+ <filename>/etc/make.conf</filename>, (if you
do not have this file, create it):</para>
<programlisting>X_WINDOW_SYSTEM= xorg</programlisting>
@@ -8053,7 +8053,7 @@ Key F15 A A Menu Workplace Nop</programlisting>
<answer>
<para>If the alias is on the same subnet as an address
- already configured on the interface, then add
+ already configured on the interface, then add
<literal>netmask 0xffffffff</literal> to your
&man.ifconfig.8; command-line, as in the following:</para>
@@ -11213,7 +11213,7 @@ raisechar=^^</programlisting>
<para><emphasis>And then I was enlightened :-)</emphasis></para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question id="dev-null">
<para>Where does data written to <filename>/dev/null</filename>
@@ -11286,7 +11286,7 @@ raisechar=^^</programlisting>
<para>At this time, there is only one book on FreeBSD-specific OS
internals, namely <quote>The Design and Implementation of the
FreeBSD Operating System</quote> by Marshall Kirk McKusick and
- George V. Neville-Neil, ISBN 0-201-70245-2, which
+ George V. Neville-Neil, ISBN 0-201-70245-2, which
focuses on version 5.X of FreeBSD.</para>
<para>Additionally, much general &unix; knowledge is directly
diff --git a/el_GR.ISO8859-7/books/handbook/Makefile b/el_GR.ISO8859-7/books/handbook/Makefile
index 0a3c88284f..04f0f7cc7e 100644
--- a/el_GR.ISO8859-7/books/handbook/Makefile
+++ b/el_GR.ISO8859-7/books/handbook/Makefile
@@ -22,7 +22,7 @@
# pgpkeyring This target will read the contents of
# pgpkeys/chapter.sgml and will extract all of
# the pgpkeys to standard out. This output can then
-# be redirected into a file and distributed as a
+# be redirected into a file and distributed as a
# public keyring of FreeBSD developers that can
# easily be imported into PGP/GPG.
#
diff --git a/el_GR.ISO8859-7/books/handbook/advanced-networking/chapter.sgml b/el_GR.ISO8859-7/books/handbook/advanced-networking/chapter.sgml
index 81583a5df6..3a10c8de95 100644
--- a/el_GR.ISO8859-7/books/handbook/advanced-networking/chapter.sgml
+++ b/el_GR.ISO8859-7/books/handbook/advanced-networking/chapter.sgml
@@ -2165,7 +2165,7 @@ hcsecd[16484]: Sending PIN_Code_Reply to 'ubt0hci' for remote bdaddr 0:80:37:29:
<para>SDP involves communication between a SDP server and a SDP client.
The server maintains a list of service records that describe the
characteristics of services associated with the server. Each service
- record contains information about a single service. A client may
+ record contains information about a single service. A client may
retrieve information from a service record maintained by the SDP server
by issuing a SDP request. If the client, or an application associated
with the client, decides to use a service, it must open a separate
@@ -2179,7 +2179,7 @@ hcsecd[16484]: Sending PIN_Code_Reply to 'ubt0hci' for remote bdaddr 0:80:37:29:
server's service records without any a priori information about the
services. This process of looking for any offered services is called
<emphasis>browsing</emphasis>.</para>
-
+
<para>The Bluetooth SDP server &man.sdpd.8; and command line client
&man.sdpcontrol.8; are included in the standard &os; installation.
The following example shows how to perform a SDP browse query.</para>
@@ -2595,7 +2595,7 @@ net.link.ether.bridge_cfg=<replaceable>if1</replaceable>,<replaceable>if2</repla
net.link.ether.bridge_ipfw=1</programlisting>
</sect2>
-
+
<sect2>
<title>Other Information</title>
@@ -2610,7 +2610,7 @@ net.link.ether.bridge_ipfw=1</programlisting>
<para>A bridge can add latency to your &man.ping.8; times, especially for
traffic from one segment to another.</para>
-
+
</sect2>
</sect1>
@@ -2743,7 +2743,7 @@ net.link.ether.bridge_ipfw=1</programlisting>
<para>Several operations need to be performed for a successful
bootstrap:</para>
-
+
<itemizedlist>
<listitem>
<para>The machine needs to obtain initial parameters such as its IP
diff --git a/el_GR.ISO8859-7/books/handbook/cutting-edge/chapter.sgml b/el_GR.ISO8859-7/books/handbook/cutting-edge/chapter.sgml
index 80661a68da..73be8185b1 100644
--- a/el_GR.ISO8859-7/books/handbook/cutting-edge/chapter.sgml
+++ b/el_GR.ISO8859-7/books/handbook/cutting-edge/chapter.sgml
@@ -1272,7 +1272,7 @@ DOCSUPFILE?= /usr/share/examples/cvsup/doc-supfile</programlisting>
</sect3>
</sect2>
-<![ IGNORE [
+<![ IGNORE [
<sect2 id="docsnap">
<sect2info>
<authorgroup>
diff --git a/el_GR.ISO8859-7/books/handbook/disks/chapter.sgml b/el_GR.ISO8859-7/books/handbook/disks/chapter.sgml
index 4519efcdb0..c1c3b63b72 100644
--- a/el_GR.ISO8859-7/books/handbook/disks/chapter.sgml
+++ b/el_GR.ISO8859-7/books/handbook/disks/chapter.sgml
@@ -1288,7 +1288,7 @@ scsibus1:
charset you use with the <option>-C</option> option. For more
information, consult the &man.mount.cd9660.8; manual
page.</para>
-
+
<note>
<para>To be able to do this character conversion with the help
of the <option>-C</option> option, the kernel will require
@@ -3924,7 +3924,7 @@ device crypto</screen>
the data source for key file will be
<filename>/dev/random</filename>. The sector size of
<filename>/dev/da2.eli</filename>, which we call provider,
- will be 4kB.</para>
+ will be 4kB.</para>
<screen>&prompt.root; <userinput>dd if=/dev/random of=/root/da2.key bs=64 count=1</userinput>
&prompt.root; <userinput>geli init -s 4096 -K /root/da2.key /dev/da2</userinput>
@@ -4017,7 +4017,7 @@ geli_da2_flags="-p -k /root/da2.key"</screen>
<link linkend="configtuning-rcd">rc.d</link> section of the
Handbook.</para>
</sect3>
- </sect2>
+ </sect2>
</sect1>
diff --git a/el_GR.ISO8859-7/books/handbook/eresources/chapter.sgml b/el_GR.ISO8859-7/books/handbook/eresources/chapter.sgml
index 3f2f1f19c3..25905ad668 100644
--- a/el_GR.ISO8859-7/books/handbook/eresources/chapter.sgml
+++ b/el_GR.ISO8859-7/books/handbook/eresources/chapter.sgml
@@ -1915,7 +1915,7 @@
περιβάλλοντος <application>Zope</application> στο &os;.
Πρόκειται για λίστα τεχνικών συζητήσεων. Απευθύνεται κυρίως
σε άτομα που συμμετέχουν ενεργά στη μεταφορά του
- <application>Zope</application> στο &os; και συζητούνται
+ <application>Zope</application> στο &os; και συζητούνται
προβλήματα και εναλλακτικές λύσεις. Η λίστα είναι επίσης
ανοικτή σε όσους ενδιαφέρονται για τεχνική συζήτηση αυτού
του είδους.</para>
diff --git a/el_GR.ISO8859-7/books/handbook/kernelconfig/chapter.sgml b/el_GR.ISO8859-7/books/handbook/kernelconfig/chapter.sgml
index 8c734dcd0a..df8b91cb37 100644
--- a/el_GR.ISO8859-7/books/handbook/kernelconfig/chapter.sgml
+++ b/el_GR.ISO8859-7/books/handbook/kernelconfig/chapter.sgml
@@ -1086,7 +1086,7 @@ device splash # Splash screen and screen saver support</programlist
<para>Γραφική οθόνη (splash) κατά την εκκίνηση! Η συσκευή αυτή
χρησιμοποιείται επίσης από τα προγράμματα προφύλαξης οθόνης (κονσόλας).
- </para>
+ </para>
<programlisting># syscons is the default console driver, resembling an SCO console
device sc</programlisting>
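Review bot: Style point on the changed `</para>` line: the closing tag sits on a line of its own after the sentence ending in `(κονσόλας).`, so the paragraph content still ends with a line break and indentation even with the trailing blanks gone. Since the line is touched anyway, consider moving `</para>` up to the end of the preceding line, as most other paragraphs in this diff do.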
@@ -1450,7 +1450,7 @@ device fwe # Ethernet over FireWire (non-standard!)</programl
<acronym>KVA</acronym>). Εξαιτίας αυτού του περιορισμού, η Intel
πρόσθεσε υποστήριξη για 36bit φυσικών διευθύνσεων, από τον
επεξεργαστή &pentium; Pro και μετά.</para>
-
+
<para>Η δυνατότητα Επέκτασης Φυσικών Διευθύνσεων, (Physical Address
Extension, <acronym>PAE</acronym>) των &intel; &pentium; Pro και
μεταγενέστερων CPU, επιτρέπει χρήση μνήμης ως 64 gigabytes. To &os;
@@ -1465,7 +1465,7 @@ device fwe # Ethernet over FireWire (non-standard!)</programl
<para>Για να ενεργοποιήσετε την υποστήριξη <acronym>PAE</acronym>
στον πυρήνα, απλώς προσθέστε την ακόλουθη γραμμή στο αρχείο
των ρυθμίσεων σας:</para>
-
+
<programlisting>options PAE</programlisting>
<note>
@@ -1479,7 +1479,7 @@ device fwe # Ethernet over FireWire (non-standard!)</programl
<para>Η υποστήριξη <acronym>PAE</acronym> στο &os; υπόκειται σε
κάποιους περιορισμούς:</para>
-
+
<itemizedlist>
<listitem>
<para>Μια διαδικασία δεν έχει πρόσβαση σε περισσότερα από 4
diff --git a/el_GR.ISO8859-7/books/handbook/linuxemu/chapter.sgml b/el_GR.ISO8859-7/books/handbook/linuxemu/chapter.sgml
index 842b07952d..b607aa9951 100644
--- a/el_GR.ISO8859-7/books/handbook/linuxemu/chapter.sgml
+++ b/el_GR.ISO8859-7/books/handbook/linuxemu/chapter.sgml
@@ -1235,7 +1235,7 @@ export PATH</programlisting>
ως <username>root</username>, καταγράφονται σε ένα shell script που
λέγεται <filename>root.sh</filename>. Το script αυτό δημιουργείται
στον κατάλογο <filename>orainst</filename>. Εφαρμόστε το παρακάτω
- patch στο <filename>root.sh</filename>, για να μπορέσει να βρει και
+ patch στο <filename>root.sh</filename>, για να μπορέσει να βρει και
να χρησιμοποιήσει το <command>chown</command>. Εναλλακτικά, τρέξτε
το script μέσα από ένα κέλυφος Linux.</para>
@@ -1314,7 +1314,7 @@ export PATH</programlisting>
<title>Πως Λειτουργεί;</title>
<indexterm><primary>execution class loader</primary></indexterm>
- <para>Το &os; περιέχει ένα επίπεδο αφαίρεσης (abstraction) που
+ <para>Το &os; περιέχει ένα επίπεδο αφαίρεσης (abstraction) που
ονομάζεται <quote>execution class loader</quote>. Αυτό βασίζεται στο
&man.execve.2;.</para>
diff --git a/el_GR.ISO8859-7/books/handbook/mac/chapter.sgml b/el_GR.ISO8859-7/books/handbook/mac/chapter.sgml
index 158c8e0c63..dc5d148ae3 100644
--- a/el_GR.ISO8859-7/books/handbook/mac/chapter.sgml
+++ b/el_GR.ISO8859-7/books/handbook/mac/chapter.sgml
@@ -712,7 +712,7 @@ test: biba/high</screen>
implement the labeling feature, including the Biba, Lomac,
<acronym>MLS</acronym> and <acronym>SEBSD</acronym>
policies.</para>
-
+
<para>In many cases, the <option>multilabel</option> may not need
to be set at all. Consider the following situation and
security model:</para>
@@ -1586,7 +1586,7 @@ test: biba/low</screen>
utilities. While other users would be grouped into other
categories such as testers, designers, or just ordinary
users and would only be permitted read access.</para>
-
+
<para>With its natural security control, a lower integrity subject
is unable to write to a higher integrity subject; a higher
integrity subject cannot observe or read a lower integrity
@@ -1749,7 +1749,7 @@ mac_seeotheruids_load="YES"</programlisting>
<username>www</username> users into the insecure class:</para>
<screen>&prompt.root; <userinput>pw usermod nagios -L insecure</userinput></screen>
- <screen>&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen>
+ <screen>&prompt.root; <userinput>pw usermod www -L insecure</userinput></screen>
</sect2>
<sect2>
diff --git a/el_GR.ISO8859-7/books/handbook/multimedia/chapter.sgml b/el_GR.ISO8859-7/books/handbook/multimedia/chapter.sgml
index d0202dd637..ea78f30ea7 100644
--- a/el_GR.ISO8859-7/books/handbook/multimedia/chapter.sgml
+++ b/el_GR.ISO8859-7/books/handbook/multimedia/chapter.sgml
@@ -111,7 +111,7 @@
<para>Αν προσπαθήσετε να προσαρτήσετε μουσικά CD
με την εντολή &man.mount.8; θα προκληθεί κατ' ελάχιστον
σφάλμα, ή στη χειρότερη περίπτωση <emphasis>kernel
- panic</emphasis>. Τέτοια μέσα έχουν εξειδικευμένες κωδικοποιήσεις
+ panic</emphasis>. Τέτοια μέσα έχουν εξειδικευμένες κωδικοποιήσεις
που διαφέρουν από το συνηθισμένο σύστημα αρχείων ISO.</para>
</warning>
</sect1>
@@ -137,7 +137,7 @@
</sect1info>
<title>Ρύθμιση της Κάρτας Ήχου</title>
-
+
<sect2 id="sound-device">
<title>Ρυθμίζοντας το Σύστημα</title>
@@ -175,7 +175,7 @@
&soundblaster; Live!. Υπάρχουν διαθέσιμα και άλλα modules για κάρτες
ήχου και μπορείτε να τα δείτε στο αρχείο
<filename>/boot/defaults/loader.conf</filename>.
- Αν δεν είστε σίγουρος για το πρόγραμμα οδήγησης που πρέπει να
+ Αν δεν είστε σίγουρος για το πρόγραμμα οδήγησης που πρέπει να
χρησιμοποιήσετε, μπορείτε να προσπαθήσετε να φορτώσετε το module
<filename>snd_driver</filename>:</para>
@@ -586,7 +586,7 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo
MP3, θα πρέπει να αντιγράψετε τα μουσικά δεδομένα από το CD στο σκληρό
σας δίσκο. Αυτό γίνεται γράφοντας τα δεδομένα τύπου CDDA (CD Digital
Audio) σε αρχεία WAV.</para>
-
+
<para>Το εργαλείο <command>cdda2wav</command>, το οποίο ανήκει στη
συλλογή εργαλείων
<filename role="package">sysutils/cdrtools</filename> μπορεί να
@@ -602,7 +602,7 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo
<para>Το <application>cdda2wav</application> υποστηρίζει οδηγούς CDROM
τύπου ATAPI (IDE). Για να διαβάσετε δεδομένα από μια συσκευή IDE,
χρησιμοποιήστε το όνομα συσκευής αντί για τον αριθμό μονάδας SCSI. Για
- παράδειγμα, για να αποθηκεύσετε το κομμάτι 7 από ένα οδηγό IDE:</para>
+ παράδειγμα, για να αποθηκεύσετε το κομμάτι 7 από ένα οδηγό IDE:</para>
<screen>&prompt.root; <userinput>cdda2wav -D <replaceable>/dev/acd0</replaceable> -t 7</userinput></screen>
<para>Το <option>-D <replaceable>0,1,0</replaceable></option>
@@ -618,7 +618,7 @@ MPEG 1.0 layer III, 128 kbit/s, 44100 Hz joint-stereo
<para>Το παράδειγμα αυτό διαβάζει το κομμάτι επτά του μουσικού CD. Για
να διαβάσετε μια σειρά από κομμάτια, για παράδειγμα από το ένα ως το
επτά, καθορίστε μια περιοχή:</para>
-
+
<screen>&prompt.root; <userinput>cdda2wav -D <replaceable>0,1,0</replaceable> -t 1+7</userinput></screen>
<para>Μπορείτε επίσης να χρησιμοποιήσετε το βοηθητικό πρόγραμμα
@@ -875,7 +875,7 @@ screen #0
Adaptor #0: "Savage Streams Engine"
number of ports: 1
port base: 43
- operations supported: PutImage
+ operations supported: PutImage
supported visuals:
depth 16, visualID 0x22
depth 16, visualID 0x23
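Review bot: The `operations supported: PutImage` line changed here is part of the quoted command output (the `Adaptor #0: "Savage Streams Engine"` listing), not prose, so the edit alters the content of a verbatim example rather than source layout. Dropping the trailing blanks is harmless for the reader, but a mechanical whitespace pass is safer when it skips verbatim output, or when the result is checked against the original listing so the two stay identical.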
@@ -1010,7 +1010,7 @@ no adaptors present</screen>
video που εκτελούνται στο &os; αναπτύχθηκαν αρχικά ως εφαρμογές Linux.
Πολλές από αυτές τις εφαρμογές είναι ακόμα ποιότητας beta. Κάποια από τα
προβλήματα που μπορεί να συναντήσετε στις εφαρμογές video του &os;
- περιλαμβάνουν:</para>
+ περιλαμβάνουν:</para>
<orderedlist>
@@ -1058,7 +1058,7 @@ no adaptors present</screen>
υπάρχουν στο Linux. Τα προβλήματα αυτά δεν είναι σίγουρο ότι
ανακαλύπτονται και διορθώνονται πάντα από τους συντηρητές του port, το
οποίο μπορεί να οδηγήσει σε προβλήματα όπως τα παρακάτω:</para>
-
+
<orderedlist>
<listitem>
@@ -1318,7 +1318,7 @@ zoom=yes</programlisting>
την ίδια στιγμή, δεν επιτρέπει τόσο λεπτομερειακό έλεγχο. Το
<application>xine</application> αποδίδει καλύτερα σε λειτουργία XVideo.
</para>
-
+
<para>Από προεπιλογή, το <application>xine</application> θα ξεκινήσει σε
γραφικό περιβάλλον (GUI). Μπορείτε να χρησιμοποιήσετε το μενού για να
ανοίξετε ένα συγκεκριμένο αρχείο:</para>
@@ -1495,7 +1495,7 @@ WITH_MJPEG=yes -DWITH_XVID=yes</userinput></screen>
<para>Εναλλακτικά, μπορείτε να προσθέσετε στατική υποστήριξη για την
κάρτα στο πυρήνα σας, και για το σκοπό αυτό προσθέστε τις ακόλουθες
γραμμές στο αρχείο ρυθμίσεων του πυρήνα:</para>
-
+
<programlisting>device bktr
device iicbus
device iicbb
@@ -1725,7 +1725,7 @@ bktr0: Pinnacle/Miro TV, Philips SECAM tuner.</programlisting>
<para>Όπως είπαμε παραπάνω, υποστηρίζονται σαρωτές τόσο SCSI όσο και
USB. Ανάλογα με το τρόπο διασύνδεσης του σαρωτή σας, θα χρειαστείτε
διαφορετικούς οδηγούς συσκευών.</para>
-
+
<sect3 id="scanners-kernel-usb">
<title>Διασύνδεση USB</title>
diff --git a/el_GR.ISO8859-7/books/handbook/network-servers/chapter.sgml b/el_GR.ISO8859-7/books/handbook/network-servers/chapter.sgml
index 5f114b42a6..f59c9f271c 100644
--- a/el_GR.ISO8859-7/books/handbook/network-servers/chapter.sgml
+++ b/el_GR.ISO8859-7/books/handbook/network-servers/chapter.sgml
@@ -3463,7 +3463,7 @@ zone "1.168.192.in-addr.arpa" {
<primary>BIND</primary>
<secondary>zone files</secondary>
</indexterm>
-
+
<para>An example master zone file for <hostid
role="domainname">example.org</hostid> (existing within
<filename>/etc/namedb/master/example.org</filename>) is as
diff --git a/el_GR.ISO8859-7/books/handbook/security/chapter.sgml b/el_GR.ISO8859-7/books/handbook/security/chapter.sgml
index fc321742d8..f2fc7a3f6b 100644
--- a/el_GR.ISO8859-7/books/handbook/security/chapter.sgml
+++ b/el_GR.ISO8859-7/books/handbook/security/chapter.sgml
@@ -81,7 +81,7 @@
<para>Πως να ρυθμίσετε το IPsec και να δημιουργήσετε ένα
<acronym>VPN</acronym> μεταξύ μηχανημάτων &os;/&windows;.</para>
</listitem>
-
+
<listitem>
<para>Πως να ρυθμίσετε και να χρησιμοποιήσετε την κατά &os; υλοποίηση
<acronym>SSH</acronym> του <application>OpenSSH</application>
@@ -203,7 +203,7 @@
</indexterm>
<para>A user account compromise is even more common than a DoS
- attack. Many sysadmins still run standard
+ attack. Many sysadmins still run standard
<application>telnetd</application>, <application>rlogind</application>,
<application>rshd</application>,
and <application>ftpd</application> servers on their machines.
@@ -511,7 +511,7 @@
<application>rshd</application> or
<application>rlogind</application>, then turn off those
services!</para>
-
+
<para>&os; now defaults to running
<application>ntalkd</application>,
<application>comsat</application>, and
@@ -622,7 +622,7 @@
</indexterm>
<para>But even if you turn off the <devicename>bpf</devicename>
device, you still have
- <filename>/dev/mem</filename> and
+ <filename>/dev/mem</filename> and
<filename>/dev/kmem</filename>
to worry about. For that matter, the intruder can still write to
raw disk devices. Also, there is another kernel feature called
@@ -709,7 +709,7 @@
<para>When using ssh rather than NFS,
writing the security script is much more difficult. You
- essentially have to <command>scp</command> the scripts to the client
+ essentially have to <command>scp</command> the scripts to the client
box in order to
run them, making them visible, and for safety you also need to
<command>scp</command> the binaries (such as find) that those
@@ -792,7 +792,7 @@
<para>A common DoS attack scenario is attacking a forking server and
making it spawning so many child processes that the host system
eventually runs out of memory, file descriptors, etc. and then
- grinds to a halt. <application>inetd</application>
+ grinds to a halt. <application>inetd</application>
(see &man.inetd.8;) has several
options to limit this sort of attack. It should be noted that
while it is possible to prevent a machine from going down, it is
@@ -801,7 +801,7 @@
page carefully and pay
specific attention to the <option>-c</option>, <option>-C</option>,
and <option>-R</option> options. Note that spoofed-IP attacks
- will circumvent the <option>-C</option> option to
+ will circumvent the <option>-C</option> option to
<application>inetd</application>, so
typically a combination of options must be used. Some standalone
servers have self-fork-limitation parameters.</para>
@@ -887,7 +887,7 @@
Use the <application>sysctl</application>
variable <literal>net.inet.icmp.icmplim</literal> to limit these attacks.
The last major class of springboard
- attacks is related to certain internal
+ attacks is related to certain internal
<application>inetd</application> services such as the
udp echo service. An attacker simply spoofs a UDP packet with the
source address being server A's echo port, and the destination
@@ -895,7 +895,7 @@
on your LAN. The two servers then bounce this one packet back and
forth between each other. The attacker can overload both servers
and their LANs simply by injecting a few packets in this manner.
- Similar problems exist with the internal
+ Similar problems exist with the internal
<application>chargen</application> port. A
competent sysadmin will turn off all of these inetd-internal test
services.</para>
@@ -909,22 +909,22 @@
<command>netstat -rna | fgrep W3</command>. These routes
typically timeout in 1600 seconds or so. If the kernel detects
that the cached route table has gotten too big it will dynamically
- reduce the <varname>rtexpire</varname> but will never decrease it
- to less than <varname>rtminexpire</varname>. There are two
+ reduce the <varname>rtexpire</varname> but will never decrease it
+ to less than <varname>rtminexpire</varname>. There are two
problems:</para>
-
+
<orderedlist>
<listitem>
<para>The kernel does not react quickly enough when a lightly
loaded server is suddenly attacked.</para>
</listitem>
-
+
<listitem>
<para>The <varname>rtminexpire</varname> is not low enough for
the kernel to survive a sustained attack.</para>
</listitem>
</orderedlist>
-
+
<para>If your servers are connected to the Internet via a T3 or
better, it may be prudent to manually override both
<varname>rtexpire</varname> and <varname>rtminexpire</varname>
@@ -1018,11 +1018,11 @@
&unix; came into being was based on DES, the Data Encryption
Standard. This was not such a problem for users resident in
the US, but since the source code for DES could not be exported
- outside the US, &os; had to find a way to both comply with
+ outside the US, &os; had to find a way to both comply with
US law and retain compatibility with all the other &unix;
variants that still used DES.</para>
- <para>The solution was to divide up the encryption libraries
+ <para>The solution was to divide up the encryption libraries
so that US users could install the DES libraries and use
DES but international users still had an encryption method
that could be exported abroad. This is how &os; came to
@@ -1037,7 +1037,7 @@
functions. By default &os; uses MD5 to encrypt
passwords.</para>
- <para>It is pretty easy to identify which encryption method
+ <para>It is pretty easy to identify which encryption method
&os; is set up to use. Examining the encrypted passwords in
the <filename>/etc/master.passwd</filename> file is one way.
Passwords encrypted with the MD5 hash are longer than those
@@ -1180,7 +1180,7 @@ MOS MALL GOAT ARM AVID COED
<sect2>
<title>Insecure Connection Initialization</title>
-
+
<para>To initialize or change your secret password over an
insecure connection, you will need to already have a secure
connection to some place where you can run
@@ -1225,7 +1225,7 @@ GAME GAG WELT OUT DOWN CHAT
<sect2>
<title>Generating a Single One-time Password</title>
- <para>Once you have initialized OPIE and login, you will be
+ <para>Once you have initialized OPIE and login, you will be
presented with a prompt like this:</para>
<screen>&prompt.user; <userinput>telnet example.com</userinput>
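Review bot: the line this hunk re-emits, "Once you have initialized OPIE and login, you will be", uses the noun "login" where the verb is meant; "and log in" reads correctly. Since the commit is whitespace-only, leave the line as it is here and fix the wording in a separate content change.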
@@ -1311,7 +1311,7 @@ Enter secret pass phrase: <userinput>&lt;secret password&gt;</userinput>
Please check &man.opieaccess.5;
for more information on this file and which security considerations
you should be aware of when using it.</para>
-
+
<para>Here is a sample <filename>opieaccess</filename> file:</para>
<programlisting>permit 192.168.0.0 255.255.0.0</programlisting>
@@ -1319,7 +1319,7 @@ Enter secret pass phrase: <userinput>&lt;secret password&gt;</userinput>
<para>This line allows users whose IP source address (which is
vulnerable to spoofing) matches the specified value and mask,
to use &unix; passwords at any time.</para>
-
+
<para>If no rules in <filename>opieaccess</filename> are matched,
the default is to deny non-OPIE logins.</para>
@@ -1340,7 +1340,7 @@ Enter secret pass phrase: <userinput>&lt;secret password&gt;</userinput>
<title>TCP Wrappers</title>
<indexterm><primary>TCP Wrappers</primary></indexterm>
-
+
<para>Anyone familiar with &man.inetd.8; has probably heard
of <acronym>TCP</acronym> Wrappers at some point. But few
individuals seem to fully comprehend its usefulness in a
@@ -1452,7 +1452,7 @@ qpopper : ALL : allow</programlisting>
configuration options known as <literal>wildcards</literal>,
expansion characters and external command execution. The
next two sections are written to cover these situations.</para>
-
+
<sect3>
<title>External Commands</title>
@@ -1613,28 +1613,28 @@ sendmail : PARANOID : deny</programlisting>
<sect2>
<title>Creating the Initial Database</title>
-
+
<para>This is done on the Kerberos server only. First make sure that
you do not have any old Kerberos databases around. You should change
to the directory <filename>/etc/kerberosIV</filename> and check that
only the following files are present:</para>
-
+
<screen>&prompt.root; <userinput>cd /etc/kerberosIV</userinput>
&prompt.root; <userinput>ls</userinput>
README krb.conf krb.realms</screen>
-
+
<para>If any additional files (such as <filename>principal.*</filename>
or <filename>master_key</filename>) exist, then use the
<command>kdb_destroy</command> command to destroy the old Kerberos
database, or if Kerberos is not running, simply delete the extra
files.</para>
-
+
<para>You should now edit the <filename>krb.conf</filename> and
<filename>krb.realms</filename> files to define your Kerberos realm.
In this case the realm will be <literal>EXAMPLE.COM</literal> and the
server is <hostid role="fqdn">grunt.example.com</hostid>. We edit
or create the <filename>krb.conf</filename> file:</para>
-
+
<screen>&prompt.root; <userinput>cat krb.conf</userinput>
EXAMPLE.COM
EXAMPLE.COM grunt.example.com admin server
@@ -1646,11 +1646,11 @@ ATHENA.MIT.EDU kerberos-3.mit.edu
LCS.MIT.EDU kerberos.lcs.mit.edu
TELECOM.MIT.EDU bitsy.mit.edu
ARC.NASA.GOV trident.arc.nasa.gov</screen>
-
+
<para>In this case, the other realms do not need to be there. They are
here as an example of how a machine may be made aware of multiple
realms. You may wish to not include them for simplicity.</para>
-
+
<para>The first line names the realm in which this system works. The
other lines contain realm/host entries. The first item on a line is a
realm, and the second is a host in that realm that is acting as a
@@ -1658,59 +1658,59 @@ ARC.NASA.GOV trident.arc.nasa.gov</screen>
server</literal> following a host's name means that host also
provides an administrative database server. For further explanation
of these terms, please consult the Kerberos manual pages.</para>
-
+
<para>Now we have to add <hostid role="fqdn">grunt.example.com</hostid>
to the <literal>EXAMPLE.COM</literal> realm and also add an entry to
put all hosts in the <hostid role="domainname">.example.com</hostid>
domain in the <literal>EXAMPLE.COM</literal> realm. The
<filename>krb.realms</filename> file would be updated as
follows:</para>
-
+
<screen>&prompt.root; <userinput>cat krb.realms</userinput>
grunt.example.com EXAMPLE.COM
.example.com EXAMPLE.COM
.berkeley.edu CS.BERKELEY.EDU
.MIT.EDU ATHENA.MIT.EDU
.mit.edu ATHENA.MIT.EDU</screen>
-
+
<para>Again, the other realms do not need to be there. They are here as
an example of how a machine may be made aware of multiple realms. You
may wish to remove them to simplify things.</para>
-
+
<para>The first line puts the <emphasis>specific</emphasis> system into
the named realm. The rest of the lines show how to default systems of
a particular subdomain to a named realm.</para>
-
+
<para>Now we are ready to create the database. This only needs to run
on the Kerberos server (or Key Distribution Center). Issue the
<command>kdb_init</command> command to do this:</para>
-
+
<screen>&prompt.root; <userinput>kdb_init</userinput>
<prompt>Realm name [default ATHENA.MIT.EDU ]:</prompt> <userinput>EXAMPLE.COM</userinput>
You will be prompted for the database Master Password.
It is important that you NOT FORGET this password.
-
+
<prompt>Enter Kerberos master key:</prompt> </screen>
-
+
<para>Now we have to save the key so that servers on the local machine
can pick it up. Use the <command>kstash</command> command to do
this:</para>
-
+
<screen>&prompt.root; <userinput>kstash</userinput>
-
+
<prompt>Enter Kerberos master key:</prompt>
Current Kerberos master key version is 1.
Master key entered. BEWARE!</screen>
-
+
<para>This saves the encrypted master password in
<filename>/etc/kerberosIV/master_key</filename>.</para>
</sect2>
-
+
<sect2>
<title>Making It All Run</title>
-
+
<indexterm>
<primary>KerberosIV</primary>
<secondary>initial startup</secondary>
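Review bot: two of the blank-line changes in this hunk sit inside <screen> blocks (the one after "It is important that you NOT FORGET this password." in the kdb_init output, and the one directly after the kstash command), where whitespace is rendered verbatim. Stripping trailing spaces from an otherwise empty line should not alter the output, but please confirm that with a build of the security chapter, and consider noting in the commit message that verbatim blocks were touched as well as markup.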
@@ -1721,14 +1721,14 @@ Master key entered. BEWARE!</screen>
Their names are <literal>kpasswd</literal> and <literal>rcmd</literal>.
These two principals are made for each system, with the instance being
the name of the individual system.</para>
-
+
<para>These daemons, <application>kpasswd</application> and
<application>rcmd</application> allow other systems to change Kerberos
passwords and run commands like &man.rcp.1;,
&man.rlogin.1; and &man.rsh.1;.</para>
-
+
<para>Now let us add these entries:</para>
-
+
<screen>&prompt.root; <userinput>kdb_edit</userinput>
Opening database...
@@ -1781,7 +1781,7 @@ Edit O.K.
<sect2>
<title>Creating the Server File</title>
-
+
<para>We now have to extract all the instances which define the
services on each machine. For this we use the
<command>ext_srvtab</command> command. This will create a file
@@ -1818,7 +1818,7 @@ Generating 'grunt-new-srvtab'....</screen>
<screen>&prompt.root; <userinput>mv grumble-new-srvtab srvtab</userinput>
&prompt.root; <userinput>chmod 600 srvtab</userinput></screen>
</sect2>
-
+
<sect2>
<title>Populating the Database</title>
@@ -1857,14 +1857,14 @@ Edit O.K.
<sect2>
<title>Testing It All Out</title>
-
+
<para>First we have to start the Kerberos daemons. Note that if you
have correctly edited your <filename>/etc/rc.conf</filename> then this
will happen automatically when you reboot. This is only necessary on
the Kerberos server. Kerberos clients will automatically get what
they need from the <filename>/etc/kerberosIV</filename>
directory.</para>
-
+
<screen>&prompt.root; <userinput>kerberos &amp;</userinput>
Kerberos server starting
Sleep forever on error
@@ -1883,19 +1883,19 @@ regular kill instead
Current Kerberos master key version is 1.
Master key entered. BEWARE!</screen>
-
+
<para>Now we can try using the <command>kinit</command> command to get a
ticket for the ID <username>jane</username> that we created
above:</para>
-
+
<screen>&prompt.user; <userinput>kinit jane</userinput>
MIT Project Athena (grunt.example.com)
Kerberos Initialization for "jane"
<prompt>Password:</prompt> </screen>
-
+
<para>Try listing the tokens using <command>klist</command> to see if we
really have them:</para>
-
+
<screen>&prompt.user; <userinput>klist</userinput>
Ticket file: /tmp/tkt245
Principal: jane@EXAMPLE.COM
@@ -1904,7 +1904,7 @@ Principal: jane@EXAMPLE.COM
Apr 30 11:23:22 Apr 30 19:23:22 krbtgt.EXAMPLE.COM@EXAMPLE.COM</screen>
<para>Now try changing the password using &man.passwd.1; to
- check if the <application>kpasswd</application> daemon can get
+ check if the <application>kpasswd</application> daemon can get
authorization to the Kerberos database:</para>
<screen>&prompt.user; <userinput>passwd</userinput>
@@ -1918,7 +1918,7 @@ Password changed.</screen>
<sect2>
<title>Adding <command>su</command> Privileges</title>
-
+
<para>Kerberos allows us to give <emphasis>each</emphasis> user
who needs <username>root</username> privileges their own
<emphasis>separate</emphasis> &man.su.1; password.
@@ -1928,7 +1928,7 @@ Password changed.</screen>
associated with a principal. Using <command>kdb_edit</command>
we can create the entry <literal>jane.root</literal> in the
Kerberos database:</para>
-
+
<screen>&prompt.root; <userinput>kdb_edit</userinput>
Opening database...
@@ -1957,27 +1957,27 @@ Principal's new key version = 1
<prompt>Attributes [ 0 ] ?</prompt>
Edit O.K.
<prompt>Principal name:</prompt> &lt;---- null entry here will cause an exit</screen>
-
+
<para>Now try getting tokens for it to make sure it works:</para>
-
+
<screen>&prompt.root; <userinput>kinit jane.root</userinput>
MIT Project Athena (grunt.example.com)
Kerberos Initialization for "jane.root"
<prompt>Password:</prompt></screen>
-
+
<para>Now we need to add the user to <username>root</username>'s
<filename>.klogin</filename> file:</para>
-
+
<screen>&prompt.root; <userinput>cat /root/.klogin</userinput>
jane.root@EXAMPLE.COM</screen>
-
+
<para>Now try doing the &man.su.1;:</para>
-
+
<screen>&prompt.user; <userinput>su</userinput>
<prompt>Password:</prompt></screen>
-
+
<para>and take a look at what tokens we have:</para>
-
+
<screen>&prompt.root; <userinput>klist</userinput>
Ticket file: /tmp/tkt_root_245
Principal: jane.root@EXAMPLE.COM
@@ -1988,7 +1988,7 @@ May 2 20:43:12 May 3 04:43:12 krbtgt.EXAMPLE.COM@EXAMPLE.COM</screen>
<sect2>
<title>Using Other Commands</title>
-
+
<para>In an earlier example, we created a principal called
<literal>jane</literal> with an instance <literal>root</literal>.
This was based on a user with the same name as the principal, and this
@@ -1999,17 +1999,17 @@ May 2 20:43:12 May 3 04:43:12 krbtgt.EXAMPLE.COM@EXAMPLE.COM</screen>
<username>root</username> if the necessary entries are in the
<filename>.klogin</filename> file in <username>root</username>'s
home directory:</para>
-
+
<screen>&prompt.root; <userinput>cat /root/.klogin</userinput>
jane.root@EXAMPLE.COM</screen>
-
+
<para>Likewise, if a user has in their own home directory lines of the
form:</para>
-
+
<screen>&prompt.user; <userinput>cat ~/.klogin</userinput>
jane@EXAMPLE.COM
jack@EXAMPLE.COM</screen>
-
+
<para>This allows anyone in the <literal>EXAMPLE.COM</literal> realm
who has authenticated themselves as <username>jane</username> or
<username>jack</username> (via <command>kinit</command>, see above)
@@ -2017,10 +2017,10 @@ jack@EXAMPLE.COM</screen>
account or files on this system (<hostid>grunt</hostid>) via
&man.rlogin.1;, &man.rsh.1; or
&man.rcp.1;.</para>
-
+
<para>For example, <username>jane</username> now logs into another system using
Kerberos:</para>
-
+
<screen>&prompt.user; <userinput>kinit</userinput>
MIT Project Athena (grunt.example.com)
<prompt>Password:</prompt>
@@ -2030,13 +2030,13 @@ Copyright (c) 1980, 1983, 1986, 1988, 1990, 1991, 1993, 1994
The Regents of the University of California. All rights reserved.
FreeBSD BUILT-19950429 (GR386) #0: Sat Apr 29 17:50:09 SAT 1995</screen>
-
+
<para>Or <username>jack</username> logs into <username>jane</username>'s account on the same machine
(<username>jane</username> having
set up the <filename>.klogin</filename> file as above, and the person
in charge of Kerberos having set up principal
<emphasis>jack</emphasis> with a null instance):</para>
-
+
<screen>&prompt.user; <userinput>kinit</userinput>
&prompt.user; <userinput>rlogin grunt -l jane</userinput>
MIT Project Athena (grunt.example.com)
@@ -2952,7 +2952,7 @@ An optional company name []:<userinput><replaceable>Another Name</replaceable></
generate the <acronym>RSA</acronym> key:</para>
<screen>&prompt.root; <userinput>openssl dsaparam -rand -genkey -out <filename>myRSA.key</filename> 1024</userinput></screen>
-
+
<para>Next, generate the <acronym>CA</acronym> key:</para>
<screen>&prompt.root; <userinput>openssl gendsa -des3 -out <filename>myca.key</filename> <filename>myRSA.key</filename></userinput></screen>
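Review bot: not caused by this change, but the context around the stripped blank line is inconsistent: the paragraph says "generate the RSA key" and the output file is myRSA.key, while the commands shown are openssl dsaparam and openssl gendsa, which produce DSA parameters and a DSA key. In the first command, -rand is also followed directly by -genkey with no value between them. Suggest a separate content commit that fixes either the wording or the commands, rather than folding it into this whitespace pass.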
@@ -3065,7 +3065,7 @@ Connection closed by foreign host.</screen>
<para>Creating a VPN between two networks, separated by the
Internet, using FreeBSD gateways.</para>
-
+
<sect2>
<sect2info>
<authorgroup>
@@ -3089,7 +3089,7 @@ Connection closed by foreign host.</screen>
IPsec, it is necessary that you are familiar with the concepts
of building a custom kernel (see
<xref linkend="kernelconfig"/>).</para>
-
+
<para><emphasis>IPsec</emphasis> is a protocol which sits on top
of the Internet Protocol (IP) layer. It allows two or more
hosts to communicate in a secure manner (hence the name). The
@@ -3135,12 +3135,12 @@ options FAST_IPSEC # new IPsec (cannot define w/ IPSEC)
options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
</screen>
</note>
-
+
<indexterm>
<primary>IPsec</primary>
<secondary>ESP</secondary>
</indexterm>
-
+
<indexterm>
<primary>IPsec</primary>
<secondary>AH</secondary>
@@ -3166,11 +3166,11 @@ options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
packet to be authenticated.</para>
</listitem>
</itemizedlist>
-
+
<para><acronym>ESP</acronym> and <acronym>AH</acronym> can
either be used together or separately, depending on the
environment.</para>
-
+
<indexterm>
<primary>VPN</primary>
</indexterm>
@@ -3189,7 +3189,7 @@ options IPSEC_FILTERGIF #filter ipsec packets from a tunnel
known as a <emphasis>Virtual Private Network (VPN)</emphasis>.
The &man.ipsec.4; manual page should be consulted for detailed
information on the IPsec subsystem in FreeBSD.</para>
-
+
<para>To add IPsec support to your kernel, add the following
options to your kernel configuration file:</para>
@@ -3223,25 +3223,25 @@ options IPSEC_DEBUG #debug for IP security
<sect2>
<title>The Problem</title>
-
+
<para>There is no standard for what constitutes a VPN. VPNs can
be implemented using a number of different technologies, each of
which have their own strengths and weaknesses. This section
presents a scenario, and the strategies used for implementing a
VPN for this scenario.</para>
</sect2>
-
- <sect2>
+
+ <sect2>
<title>The Scenario: Two networks, connected to the Internet, to
behave as one</title>
-
+
<indexterm>
<primary>VPN</primary>
<secondary>creating</secondary>
</indexterm>
<para>The premise is as follows:</para>
-
+
<itemizedlist>
<listitem>
<para>You have at least two sites</para>
@@ -3270,15 +3270,15 @@ options IPSEC_DEBUG #debug for IP security
configuration nightmare.</para>
</listitem>
</itemizedlist>
-
+
<para>If you find that you are trying to connect two networks,
both of which, internally, use the same private IP address range
(e.g. both of them use <hostid
role="ipaddr">192.168.1.x</hostid>), then one of the networks will
have to be renumbered.</para>
-
+
<para>The network topology might look something like this:</para>
-
+
<mediaobject>
<imageobject>
<imagedata fileref="security/ipsec-network" align="center"/>
@@ -3308,7 +3308,7 @@ Network #2 [ Internal Hosts ]
[ UNIX ]</literallayout>
</textobject>
</mediaobject>
-
+
<para>Notice the two public IP addresses. I will use the letters to
refer to them in the rest of this article. Anywhere you see those
letters in this article, replace them with your own public IP
@@ -3320,35 +3320,35 @@ Network #2 [ Internal Hosts ]
machines on the private networks have been configured to use the
<hostid role="ipaddr">.1</hostid> machine as their default
gateway.</para>
-
+
<para>The intention is that, from a network point of view, each
network should view the machines on the other network as though
they were directly attached the same router -- albeit a slightly
slow router with an occasional tendency to drop packets.</para>
-
+
<para>This means that (for example), machine <hostid
role="ipaddr">192.168.1.20</hostid> should be able to run</para>
-
+
<programlisting>ping 192.168.2.34</programlisting>
-
+
<para>and have it work, transparently. &windows; machines should
be able to see the machines on the other network, browse file
shares, and so on, in exactly the same way that they can browse
machines on the local network.</para>
-
+
<para>And the whole thing has to be secure. This means that
traffic between the two networks has to be encrypted.</para>
-
+
<para>Creating a VPN between these two networks is a multi-step
process. The stages are as follows:</para>
-
+
<orderedlist>
<listitem>
<para>Create a <quote>virtual</quote> network link between the two
networks, across the Internet. Test it, using tools like
&man.ping.8;, to make sure it works.</para>
</listitem>
-
+
<listitem>
<para>Apply security policies to ensure that traffic between
the two networks is transparently encrypted and decrypted as
@@ -3366,7 +3366,7 @@ Network #2 [ Internal Hosts ]
<sect3>
<title>Step 1: Creating and testing a <quote>virtual</quote>
network link</title>
-
+
<para>Suppose that you were logged in to the gateway machine on
network #1 (with public IP address <hostid
role="ipaddr">A.B.C.D</hostid>, private IP address <hostid
@@ -3400,7 +3400,7 @@ Network #2 [ Internal Hosts ]
role="ipaddr">192.168.2.1</hostid>.</para>
</listitem>
</orderedlist>
-
+
<para>You can think of this as requiring a <quote>tunnel</quote>
between the two networks. The two <quote>tunnel mouths</quote> are the IP
addresses <hostid role="ipaddr">A.B.C.D</hostid> and <hostid
@@ -3408,31 +3408,31 @@ Network #2 [ Internal Hosts ]
addresses of the private IP addresses that will be allowed to pass
through it. The tunnel is used to transfer traffic with private
IP addresses across the public Internet.</para>
-
+
<para>This tunnel is created by using the generic interface, or
<devicename>gif</devicename> devices on FreeBSD. As you can
imagine, the <devicename>gif</devicename> interface on each
gateway host must be configured with four IP addresses; two for
the public IP addresses, and two for the private IP
addresses.</para>
-
+
<para>Support for the gif device must be compiled in to the
&os; kernel on both machines. You can do this by adding the
line:</para>
-
+
<programlisting>device gif</programlisting>
-
+
<para>to the kernel configuration files on both machines, and
then compile, install, and reboot as normal.</para>
-
+
<para>Configuring the tunnel is a two step process. First the
tunnel must be told what the outside (or public) IP addresses
are, using &man.ifconfig.8;. Then the private IP addresses must be
configured using &man.ifconfig.8;.</para>
-
+
<para>On the gateway machine on network #1 you would run the
following commands to configure the tunnel.</para>
-
+
<screen>&prompt.root; <userinput>ifconfig <replaceable>gif0</replaceable> create</userinput>
&prompt.root; <userinput>ifconfig <replaceable>gif0</replaceable> tunnel <replaceable>A.B.C.D</replaceable> <replaceable>W.X.Y.Z</replaceable></userinput>
&prompt.root; <userinput>ifconfig <replaceable>gif0</replaceable> inet <replaceable>192.168.1.1</replaceable> <replaceable>192.168.2.1</replaceable> netmask <replaceable>0xffffffff</replaceable></userinput>
@@ -3445,14 +3445,14 @@ Network #2 [ Internal Hosts ]
&prompt.root; <userinput>ifconfig <replaceable>gif0</replaceable> tunnel <replaceable>W.X.Y.Z</replaceable> <replaceable>A.B.C.D</replaceable></userinput>
&prompt.root; <userinput>ifconfig <replaceable>gif0</replaceable> inet <replaceable>192.168.2.1</replaceable> <replaceable>192.168.1.1</replaceable> netmask <replaceable>0xffffffff</replaceable></userinput>
</screen>
-
+
<para>You can then run:</para>
-
+
<programlisting>ifconfig gif0</programlisting>
-
+
<para>to see the configuration. For example, on the network #1
gateway, you would see this:</para>
-
+
<screen>&prompt.root; <userinput>ifconfig gif0</userinput>
gif0: flags=8051&lt;UP,POINTOPOINT,RUNNING,MULTICAST&gt; mtu 1280
tunnel inet A.B.C.D --&gt; W.X.Y.Z
@@ -3465,65 +3465,65 @@ gif0: flags=8051&lt;UP,POINTOPOINT,RUNNING,MULTICAST&gt; mtu 1280
through the tunnel is that between <hostid
role="ipaddr">192.168.1.1</hostid> and <hostid
role="ipaddr">192.168.2.1</hostid>.</para>
-
+
<para>This will also have added an entry to the routing table
on both machines, which you can examine with the command <command>netstat -rn</command>.
This output is from the gateway host on network #1.</para>
-
+
<screen>&prompt.root; <userinput>netstat -rn</userinput>
Routing tables
-
+
Internet:
Destination Gateway Flags Refs Use Netif Expire
...
192.168.2.1 192.168.1.1 UH 0 0 gif0
...
</screen>
-
+
<para>As the <quote>Flags</quote> value indicates, this is a
host route, which means that each gateway knows how to reach the
other gateway, but they do not know how to reach the rest of
their respective networks. That problem will be fixed
shortly.</para>
-
+
<para>It is likely that you are running a firewall on both
machines. This will need to be circumvented for your VPN
traffic. You might want to allow all traffic between both
networks, or you might want to include firewall rules that
protect both ends of the VPN from one another.</para>
-
+
<para>It greatly simplifies testing if you configure the
firewall to allow all traffic through the VPN. You can always
tighten things up later. If you are using &man.ipfw.8; on the
gateway machines then a command like</para>
<programlisting>ipfw add 1 allow ip from any to any via gif0</programlisting>
-
+
<para>will allow all traffic between the two end points of the
VPN, without affecting your other firewall rules. Obviously
you will need to run this command on both gateway hosts.</para>
-
+
<para>This is sufficient to allow each gateway machine to ping
the other. On <hostid role="ipaddr">192.168.1.1</hostid>, you
should be able to run</para>
-
+
<programlisting>ping 192.168.2.1</programlisting>
-
+
<para>and get a response, and you should be able to do the same
thing on the other gateway machine.</para>
-
+
<para>However, you will not be able to reach internal machines
on either network yet. This is because of the routing --
although the gateway machines know how to reach one another,
they do not know how to reach the network behind each one.</para>
-
+
<para>To solve this problem you must add a static route on each
gateway machine. The command to do this on the first gateway
would be:</para>
-
+
<programlisting>route add 192.168.2.0 192.168.2.1 netmask 0xffffff00
</programlisting>
-
+
<para>This says <quote>In order to reach the hosts on the
network <hostid role="ipaddr">192.168.2.0</hostid>, send the
packets to the host <hostid
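Review bot: in the unchanged firewall paragraph of this hunk, "This will need to be circumvented for your VPN traffic" reads as advice to bypass the firewall, while the sentences that follow describe adding rules to it; "configured to pass your VPN traffic" would match what is meant. The example "ipfw add 1 allow ip from any to any via gif0" is numbered 1, so it is evaluated ahead of every other rule, and the text only says things can be tightened "later" without showing a narrower rule; a follow-up content change could add one restricted to the two private networks. The blank-line change inside the netstat -rn <screen> is verbatim content, so check the rendered output there as well.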
@@ -3531,24 +3531,24 @@ Destination Gateway Flags Refs Use Netif Expire
run a similar command on the other gateway, but with the
<hostid role="ipaddr">192.168.1.x</hostid> addresses
instead.</para>
-
+
<para>IP traffic from hosts on one network will now be able to
reach hosts on the other network.</para>
-
+
<para>That has now created two thirds of a VPN between the two
networks, in as much as it is <quote>virtual</quote> and it is a
<quote>network</quote>. It is not private yet. You can test
this using &man.ping.8; and &man.tcpdump.1;. Log in to the
gateway host and run</para>
-
+
<programlisting>tcpdump dst host 192.168.2.1</programlisting>
<para>In another log in session on the same host run</para>
<programlisting>ping 192.168.2.1</programlisting>
-
+
<para>You will see output that looks something like this:</para>
-
+
<programlisting>
16:10:24.018080 192.168.1.1 &gt; 192.168.2.1: icmp: echo request
16:10:24.018109 192.168.1.1 &gt; 192.168.2.1: icmp: echo reply
@@ -3557,16 +3557,16 @@ Destination Gateway Flags Refs Use Netif Expire
16:10:26.028896 192.168.1.1 &gt; 192.168.2.1: icmp: echo request
16:10:26.029112 192.168.1.1 &gt; 192.168.2.1: icmp: echo reply
</programlisting>
-
+
<para>As you can see, the ICMP messages are going back and forth
unencrypted. If you had used the <option>-s</option> parameter to
&man.tcpdump.1; to grab more bytes of data from the packets you
would see more information.</para>
-
+
<para>Obviously this is unacceptable. The next section will
discuss securing the link between the two networks so that
all traffic is automatically encrypted.</para>
-
+
<itemizedlist>
<title>Summary:</title>
<listitem>
@@ -3601,14 +3601,14 @@ route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"
<sect3>
<title>Step 2: Securing the link</title>
-
+
<para>To secure the link we will be using IPsec. IPsec provides
a mechanism for two hosts to agree on an encryption key, and to
then use this key in order to encrypt data between the two
hosts.</para>
-
+
<para>The are two areas of configuration to be considered here.</para>
-
+
<orderedlist>
<listitem>
<para>There must be a mechanism for two hosts to agree on the
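Review bot: the unchanged line "The are two areas of configuration to be considered here." in this hunk has a typo, "The are" for "There are". It is outside the scope of a whitespace-only commit, so a small follow-up is the right place for it.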
@@ -3625,13 +3625,13 @@ route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"
<quote>security policies</quote>.</para>
</listitem>
</orderedlist>
-
+
<para>Security associations and security policies are both
maintained by the kernel, and can be modified by userland
programs. However, before you can do this you must configure the
kernel to support IPsec and the Encapsulated Security Payload
(ESP) protocol. This is done by configuring a kernel with:</para>
-
+
<indexterm>
<primary>kernel options</primary>
<secondary>IPSEC</secondary>
@@ -3640,11 +3640,11 @@ route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"
<programlisting>options IPSEC
options IPSEC_ESP
</programlisting>
-
+
<para>and recompiling, reinstalling, and rebooting. As before
you will need to do this to the kernels on both of the gateway
hosts.</para>
-
+
<indexterm>
<primary>IKE</primary>
</indexterm>
@@ -3654,10 +3654,10 @@ options IPSEC_ESP
which entails choosing the encryption algorithm, encryption keys,
and so forth, or you can use daemons that implement the Internet
Key Exchange protocol (IKE) to do this for you.</para>
-
+
<para>I recommend the latter. Apart from anything else, it is
easier to set up.</para>
-
+
<indexterm>
<primary>IPsec</primary>
<secondary>security policies</secondary>
@@ -3674,13 +3674,13 @@ options IPSEC_ESP
also display the current security associations, and to continue
the analogy further, is akin to <command>netstat -r</command>
in that respect.</para>
-
+
<para>There are a number of choices for daemons to manage
security associations with FreeBSD. This article will describe
how to use one of these, racoon&nbsp;&mdash; which is available from
<filename role="package">security/ipsec-tools</filename> in the &os; Ports
collection.</para>
-
+
<indexterm>
<primary>racoon</primary>
</indexterm>
@@ -3689,7 +3689,7 @@ options IPSEC_ESP
is configured with the IP address of the other end of the VPN,
and a secret key (which you choose, and must be the same on both
gateways).</para>
-
+
<para>The two daemons then contact one another, confirm that they
are who they say they are (by using the secret key that you
configured). The daemons then generate a new secret key, and use
@@ -3698,14 +3698,14 @@ options IPSEC_ESP
of the keys (which is as theoretically close to unfeasible as it
gets) it will not do them much good -- by the time they have cracked
the key the two daemons have chosen another one.</para>
-
+
<para>The configuration file for racoon is stored in
<filename>${PREFIX}/etc/racoon</filename>. You should find a
configuration file there, which should not need to be changed
too much. The other component of racoon's configuration,
which you will need to change, is the <quote>pre-shared
key</quote>.</para>
-
+
<para>The default racoon configuration expects to find this in
the file <filename>${PREFIX}/etc/racoon/psk.txt</filename>. It is important to note
that the pre-shared key is <emphasis>not</emphasis> the key that will be used to
@@ -3716,55 +3716,55 @@ options IPSEC_ESP
remote site you are dealing with. In this example, where there
are two sites, each <filename>psk.txt</filename> file will contain one line (because
each end of the VPN is only dealing with one other end).</para>
-
+
<para>On gateway host #1 this line should look like this:</para>
-
+
<programlisting>W.X.Y.Z secret</programlisting>
-
+
<para>That is, the <emphasis>public</emphasis> IP address of the remote end,
whitespace, and a text string that provides the secret.
Obviously, you should not use <quote>secret</quote> as your key -- the normal
rules for choosing a password apply.</para>
-
+
<para>On gateway host #2 the line would look like this</para>
-
+
<programlisting>A.B.C.D secret</programlisting>
-
+
<para>That is, the public IP address of the remote end, and the
same secret key. <filename>psk.txt</filename> must be mode
<literal>0600</literal> (i.e., only read/write to
<username>root</username>) before racoon will run.</para>
-
+
<para>You must run racoon on both gateway machines. You will
also need to add some firewall rules to allow the IKE traffic,
which is carried over UDP to the ISAKMP (Internet Security Association
Key Management Protocol) port. Again, this should be fairly early in
your firewall ruleset.</para>
-
+
<programlisting>ipfw add 1 allow udp from A.B.C.D to W.X.Y.Z isakmp
ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
</programlisting>
-
+
<para>Once racoon is running you can try pinging one gateway host
from the other. The connection is still not encrypted, but
racoon will then set up the security associations between the two
hosts -- this might take a moment, and you may see this as a
short delay before the ping commands start responding.</para>
-
+
<para>Once the security association has been set up you can
view it using &man.setkey.8;. Run</para>
-
+
<programlisting>setkey -D</programlisting>
-
+
<para>on either host to view the security association information.</para>
-
+
<para>That's one half of the problem. The other half is setting
your security policies.</para>
-
+
<para>To create a sensible security policy, let's review what's
been set up so far. This discussions hold for both ends of the
link.</para>
-
+
<para>Each IP packet that you send out has a header that contains
data about the packet. The header includes the IP addresses of
both the source and destination. As we already know, private IP
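Review bot: Two wording slips remain in the unchanged context of this hunk: `On gateway host #2 the line would look like this` lacks the closing colon that the matching host #1 sentence has, and `This discussions hold for both ends of the link` should read "This discussion holds". Neither belongs in a whitespace-only commit, so a separate follow-up is the place for them.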
@@ -3773,9 +3773,9 @@ ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
Instead, they must first be encapsulated inside another packet.
This packet must have the public source and destination IP
addresses substituted for the private addresses.</para>
-
+
<para>So if your outgoing packet started looking like this:</para>
-
+
<mediaobject>
<imageobject>
<imagedata fileref="security/ipsec-out-pkt" align="center"/>
@@ -3792,10 +3792,10 @@ ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
`----------------------'</literallayout>
</textobject>
</mediaobject>
-
+
<para>Then it will be encapsulated inside another packet, looking
something like this:</para>
-
+
<mediaobject>
<imageobject>
<imagedata fileref="security/ipsec-encap-pkt" align="center"/>
@@ -3818,13 +3818,13 @@ ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
`--------------------------'</literallayout>
</textobject>
</mediaobject>
-
+
<para>This encapsulation is carried out by the
<devicename>gif</devicename> device. As
you can see, the packet now has real IP addresses on the outside,
and our original packet has been wrapped up as data inside the
packet that will be put out on the Internet.</para>
-
+
<para>Obviously, we want all traffic between the VPNs to be
encrypted. You might try putting this in to words, as:</para>
@@ -3832,51 +3832,51 @@ ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
role="ipaddr">A.B.C.D</hostid>, and it is destined for <hostid
role="ipaddr">W.X.Y.Z</hostid>, then encrypt it, using the
necessary security associations.</quote></para>
-
+
<para><quote>If a packet arrives from <hostid
role="ipaddr">W.X.Y.Z</hostid>, and it is destined for <hostid
role="ipaddr">A.B.C.D</hostid>, then decrypt it, using the
necessary security associations.</quote></para>
-
+
<para>That's close, but not quite right. If you did this, all
traffic to and from <hostid role="ipaddr">W.X.Y.Z</hostid>, even
traffic that was not part of the VPN, would be encrypted. That's
not quite what you want. The correct policy is as follows</para>
-
+
<para><quote>If a packet leaves from <hostid
role="ipaddr">A.B.C.D</hostid>, and that packet is encapsulating
another packet, and it is destined for <hostid
role="ipaddr">W.X.Y.Z</hostid>, then encrypt it, using the
necessary security associations.</quote></para>
-
+
<para><quote>If a packet arrives from <hostid
role="ipaddr">W.X.Y.Z</hostid>, and that packet is encapsulating
another packet, and it is destined for <hostid
role="ipaddr">A.B.C.D</hostid>, then decrypt it, using the
necessary security associations.</quote></para>
-
+
<para>A subtle change, but a necessary one.</para>
-
+
<para>Security policies are also set using &man.setkey.8;.
&man.setkey.8; features a configuration language for defining the
policy. You can either enter configuration instructions via
stdin, or you can use the <option>-f</option> option to specify a
filename that contains configuration instructions.</para>
-
+
<para>The configuration on gateway host #1 (which has the public
IP address <hostid role="ipaddr">A.B.C.D</hostid>) to force all
outbound traffic to <hostid role="ipaddr">W.X.Y.Z</hostid> to be
encrypted is:</para>
-
+
<programlisting>
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;
</programlisting>
-
+
<para>Put these commands in a file (e.g.
<filename>/etc/ipsec.conf</filename>) and then run</para>
<screen>&prompt.root; <userinput>setkey -f /etc/ipsec.conf</userinput></screen>
-
+
<para><option>spdadd</option> tells &man.setkey.8; that we want
to add a rule to the secure policy database. The rest of this
line specifies which packets will match this policy. <hostid
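Review bot: The last paragraph of this hunk says `spdadd` adds a rule to the "secure policy database", while the rest of the section consistently speaks of "security policies". The term should read "security policy database" so that it matches. That is a content fix for a follow-up, separate from this whitespace change.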
@@ -3889,7 +3889,7 @@ spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/req
packets. <option>-P out</option> says that this policy applies
to outgoing packets, and <option>ipsec</option> says that the
packet will be secured.</para>
-
+
<para>The second line specifies how this packet will be
encrypted. <option>esp</option> is the protocol that will be
used, while <option>tunnel</option> indicates that the packet
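Review bot: The paragraph starting `The second line specifies how this packet will be encrypted` refers to a second line, but the `spdadd` rule it explains is written on a single line in the listing (see the hunk header context). Only the Summary listing wraps it so that `esp/tunnel/A.B.C.D-W.X.Y.Z/require;` is on its own line. Either wrap the first listing the same way or reword to "the second part of the rule", in a follow-up content change.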
@@ -3899,37 +3899,37 @@ spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/req
association to use, and the final <option>require</option>
mandates that packets must be encrypted if they match this
rule.</para>
-
+
<para>This rule only matches outgoing packets. You will need a
similar rule to match incoming packets.</para>
-
+
<programlisting>spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;</programlisting>
-
+
<para>Note the <option>in</option> instead of
<option>out</option> in this case, and the necessary reversal of
the IP addresses.</para>
-
+
<para>The other gateway host (which has the public IP address
<hostid role="ipaddr">W.X.Y.Z</hostid>) will need similar rules.</para>
-
+
<programlisting>spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec esp/tunnel/W.X.Y.Z-A.B.C.D/require;
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec esp/tunnel/A.B.C.D-W.X.Y.Z/require;</programlisting>
-
+
<para>Finally, you need to add firewall rules to allow ESP and
IPENCAP packets back and forth. These rules will need to be
added to both hosts.</para>
-
+
<programlisting>ipfw add 1 allow esp from A.B.C.D to W.X.Y.Z
ipfw add 1 allow esp from W.X.Y.Z to A.B.C.D
ipfw add 1 allow ipencap from A.B.C.D to W.X.Y.Z
ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
</programlisting>
-
+
<para>Because the rules are symmetric you can use the same rules
on each gateway host.</para>
-
+
<para>Outgoing packets will now look something like this:</para>
-
+
<mediaobject>
<imageobject>
<imagedata fileref="security/ipsec-crypt-pkt" align="center"/>
@@ -3966,34 +3966,34 @@ ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
<devicename>gif</devicename> interface, which will unwrap
the second layer, until you are left with the innermost
packet, which can then travel in to the inner network.</para>
-
+
<para>You can check the security using the same &man.ping.8; test from
earlier. First, log in to the
<hostid role="ipaddr">A.B.C.D</hostid> gateway machine, and
run:</para>
-
+
<programlisting>tcpdump dst host 192.168.2.1</programlisting>
-
+
<para>In another log in session on the same host run</para>
-
+
<programlisting>ping 192.168.2.1</programlisting>
-
+
<para>This time you should see output like the following:</para>
-
+
<programlisting>XXX tcpdump output</programlisting>
-
+
<para>Now, as you can see, &man.tcpdump.1; shows the ESP packets. If
you try to examine them with the <option>-s</option> option you will see
(apparently) gibberish, because of the encryption.</para>
-
+
<para>Congratulations. You have just set up a VPN between two
remote sites.</para>
-
+
<itemizedlist>
<title>Summary</title>
<listitem>
<para>Configure both kernels with:</para>
-
+
<programlisting>options IPSEC
options IPSEC_ESP
</programlisting>
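Review bot: The listing `<programlisting>XXX tcpdump output</programlisting>` in the context of this hunk is still a placeholder, yet the next paragraph tells the reader "as you can see, &man.tcpdump.1; shows the ESP packets". Without real output the reader has nothing to compare against when checking that the link is actually encrypted. A follow-up should replace the placeholder with a captured sample showing ESP packets between the two public addresses.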
@@ -4009,7 +4009,7 @@ options IPSEC_ESP
<listitem>
<para>Add the following lines to
<filename>/etc/rc.conf</filename> on each host:</para>
-
+
<programlisting>ipsec_enable="YES"
ipsec_file="/etc/ipsec.conf"
</programlisting>
@@ -4018,16 +4018,16 @@ ipsec_file="/etc/ipsec.conf"
<para>Create an <filename>/etc/ipsec.conf</filename> on each
host that contains the necessary spdadd lines. On gateway
host #1 this would be:</para>
-
+
<programlisting>
spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P out ipsec
esp/tunnel/A.B.C.D-W.X.Y.Z/require;
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P in ipsec
esp/tunnel/W.X.Y.Z-A.B.C.D/require;
</programlisting>
-
+
<para>On gateway host #2 this would be:</para>
-
+
<programlisting>
spdadd W.X.Y.Z/32 A.B.C.D/32 ipencap -P out ipsec
esp/tunnel/W.X.Y.Z-A.B.C.D/require;
@@ -4038,7 +4038,7 @@ spdadd A.B.C.D/32 W.X.Y.Z/32 ipencap -P in ipsec
<listitem>
<para>Add firewall rules to allow IKE, ESP, and IPENCAP
traffic to both hosts:</para>
-
+
<programlisting>
ipfw add 1 allow udp from A.B.C.D to W.X.Y.Z isakmp
ipfw add 1 allow udp from W.X.Y.Z to A.B.C.D isakmp
@@ -4054,8 +4054,8 @@ ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
running. Machines on each network will be able to refer to one
another using IP addresses, and all traffic across the link will
be automatically and securely encrypted.</para>
- </sect3>
- </sect2>
+ </sect3>
+ </sect2>
</sect1>
<sect1 id="openssh">
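Review bot: The `</sect3>` and `</sect2>` lines changed at the end of this hunk are structural closing tags, and the removed and added versions read the same apart from whitespace. Since the commit message promises only trailing-space removal, confirm that a whitespace-ignoring diff of the file (for example `svn diff -x -w`) is empty, so the nesting under `</sect1>` is provably unchanged.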
@@ -4092,7 +4092,7 @@ ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
<sect2>
<title>Advantages of Using OpenSSH</title>
-
+
<para>Normally, when using &man.telnet.1; or &man.rlogin.1;,
data is sent over the network in an clear, un-encrypted form.
Network sniffers anywhere in between the client and server can
@@ -4108,7 +4108,7 @@ ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
<secondary>enabling</secondary>
</indexterm>
- <para>The
+ <para>The
<application>sshd</application> is an option presented during
a <literal>Standard</literal> install of &os;. To see if
<application>sshd</application> is enabled, check the
@@ -4129,7 +4129,7 @@ ipfw add 1 allow ipencap from W.X.Y.Z to A.B.C.D
<secondary>client</secondary>
</indexterm>
- <para>The &man.ssh.1; utility works similarly to
+ <para>The &man.ssh.1; utility works similarly to
&man.rlogin.1;.</para>
<screen>&prompt.root; <userinput>ssh <replaceable>user@example.com</replaceable></userinput>
@@ -4141,7 +4141,7 @@ user@example.com's password: <userinput>*******</userinput></screen>
<para>The login will continue just as it would have if a session was
created using <command>rlogin</command> or
<command>telnet</command>. SSH utilizes a key fingerprint
- system for verifying the authenticity of the server when the
+ system for verifying the authenticity of the server when the
client connects. The user is prompted to enter
<literal>yes</literal> only when
connecting for the first time. Future attempts to login are all
@@ -4161,7 +4161,7 @@ user@example.com's password: <userinput>*******</userinput></screen>
The version 1 compatibility is maintained in the client for
backwards compatibility with older versions.</para>
</sect2>
-
+
<sect2>
<title>Secure Copy</title>
<indexterm>
@@ -4176,8 +4176,8 @@ user@example.com's password: <userinput>*******</userinput></screen>
<screen>&prompt.root; <userinput> scp <replaceable>user@example.com:/COPYRIGHT COPYRIGHT</replaceable></userinput>
user@example.com's password: <userinput>*******</userinput>
-COPYRIGHT 100% |*****************************| 4735
-00:00
+COPYRIGHT 100% |*****************************| 4735
+00:00
&prompt.root;</screen>
<para>Since the fingerprint was already saved for this host in the
previous example, it is verified when using &man.scp.1;
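Review bot: Both changed lines sit inside a `<screen>` element, where whitespace is rendered verbatim, and the progress line stays split with `00:00` on a line of its own both before and after the change. If that break is a wrapping artifact rather than intended output, joining it onto the `COPYRIGHT 100% ...` line belongs in a follow-up. The trailing-space removal itself does not alter what the reader sees.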
@@ -4203,8 +4203,8 @@ COPYRIGHT 100% |*****************************| 4735
<application>OpenSSH</application> daemon and client reside
within the <filename>/etc/ssh</filename> directory.</para>
- <para><filename>ssh_config</filename> configures the client
- settings, while <filename>sshd_config</filename> configures the
+ <para><filename>ssh_config</filename> configures the client
+ settings, while <filename>sshd_config</filename> configures the
daemon.</para>
<para>Additionally, the <option>sshd_program</option>
@@ -4312,7 +4312,7 @@ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
<para><application>OpenSSH</application> has the ability to create a tunnel to encapsulate
another protocol in an encrypted session.</para>
- <para>The following command tells &man.ssh.1; to create a tunnel
+ <para>The following command tells &man.ssh.1; to create a tunnel
for <application>telnet</application>:</para>
<screen>&prompt.user; <userinput>ssh -2 -N -f -L <replaceable>5023:localhost:23 user@foo.example.com</replaceable></userinput>
@@ -4324,7 +4324,7 @@ Identity added: /home/user/.ssh/id_dsa (/home/user/.ssh/id_dsa)
<variablelist>
<varlistentry>
<term><option>-2</option></term>
-
+
<listitem>
<para>Forces <command>ssh</command> to use version 2 of
the protocol. (Do not use if you are working with older
@@ -4395,7 +4395,7 @@ user@mailserver.example.com's password: <userinput>*****</userinput>
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
-220 mailserver.example.com ESMTP</screen>
+220 mailserver.example.com ESMTP</screen>
<para>This can be used in conjunction with an
&man.ssh-keygen.1; and additional user accounts to create a
@@ -4494,7 +4494,7 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
<sect2>
<title>Further Reading</title>
<para><ulink url="http://www.openssh.com/">OpenSSH</ulink></para>
- <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
+ <para>&man.ssh.1; &man.scp.1; &man.ssh-keygen.1;
&man.ssh-agent.1; &man.ssh-add.1; &man.ssh.config.5;</para>
<para>&man.sshd.8; &man.sftp-server.8; &man.sshd.config.5;</para>
</sect2>
@@ -4583,7 +4583,7 @@ user@unfirewalled-system.example.org's password: <userinput>*******</userinput><
users of the system, and re-enabling <acronym>ACL</acronym>s may re-attach the previous
<acronym>ACL</acronym>s to files that have since had their permissions changed,
resulting in other unpredictable behavior.</para></note>
-
+
<para>File systems with <acronym>ACL</acronym>s enabled will show a <literal>+</literal>
(plus) sign in their permission settings when viewed. For example:</para>
@@ -4989,5 +4989,5 @@ VII. References<co id="co-ref"/></programlisting>
&man.lastcomm.1;, &man.acct.5; and &man.sa.8; manual
pages.</para>
</sect2>
- </sect1>
+ </sect1>
</chapter>
diff --git a/el_GR.ISO8859-7/htdocs/doc/Makefile b/el_GR.ISO8859-7/htdocs/doc/Makefile
index f2ffd22813..010cd81d7c 100644
--- a/el_GR.ISO8859-7/htdocs/doc/Makefile
+++ b/el_GR.ISO8859-7/htdocs/doc/Makefile
@@ -1,7 +1,7 @@
#
# $FreeBSD$
#
-#
+#
# The FreeBSD Greek Documentation Project
#
# Build the FreeBSD documentation *outside* of the www tree, and install it
diff --git a/el_GR.ISO8859-7/share/sgml/freebsd.dsl b/el_GR.ISO8859-7/share/sgml/freebsd.dsl
index 5d7a08ee86..1d29906e31 100644
--- a/el_GR.ISO8859-7/share/sgml/freebsd.dsl
+++ b/el_GR.ISO8859-7/share/sgml/freebsd.dsl
@@ -15,7 +15,7 @@
<!ENTITY % freebsd.l10n PUBLIC "-//FreeBSD//ENTITIES DocBook Language Specific Entities//EN">
%freebsd.l10n;
-<!ENTITY % output.html "IGNORE">
+<!ENTITY % output.html "IGNORE">
<!ENTITY % output.print "IGNORE">
<!ENTITY % lang.el.dsssl "IGNORE">
]>
@@ -39,7 +39,7 @@
(literal ".")))
(make element gi: "p"
attributes: (list (list "align" "center"))
- (make element gi: "small"
+ (make element gi: "small"
(literal "Για ερωτήσεις σχετικά με το FreeBSD, διαβάστε την ")
(create-link
(list (list "HREF" "http://www.FreeBSD.org/docs.html"))
diff --git a/el_GR.ISO8859-7/share/sgml/navibar.l10n.ent b/el_GR.ISO8859-7/share/sgml/navibar.l10n.ent
index b243f9c750..06b24d59e3 100644
--- a/el_GR.ISO8859-7/share/sgml/navibar.l10n.ent
+++ b/el_GR.ISO8859-7/share/sgml/navibar.l10n.ent
@@ -104,10 +104,10 @@
<li><a href="&u.rel.announce;">Σταθερή Έκδοση: &rel.current;</a></li>
<li><a href="&u.rel2.announce;">Σταθερή Έκδοση (Legacy): &rel2.current;</a></li>
<li><a href="&base;/snapshots/">Εκδόσεις Snapshot</a></li>
-<![ %beta.testing; [
+<![ %beta.testing; [
<li><a href="&u.betarel.schedule;">Η Επόμενη Έκδοση: &betarel.current;</a></li>
]]>
-<![ %beta2.testing; [
+<![ %beta2.testing; [
<li><a href="&u.betarel2.schedule;">Η Επόμενη Έκδοση: &betarel2.current;</a></li>
]]>
</ul></li>