author    Xin LI <delphij@FreeBSD.org>  2006-10-27 06:37:48 +0000
committer Xin LI <delphij@FreeBSD.org>  2006-10-27 06:37:48 +0000
commit    ea9c8ce4b83f619b2d91d213b3f2862c84fd7c16 (patch)
tree      d672f04ed7f9d7d88352c13bda187a85ffef1625 /zh_CN.GB2312/books/handbook/security/chapter.sgml
parent    23a6330e5224821a2835193c645427df90a3b689 (diff)
Diffstat (limited to 'zh_CN.GB2312/books/handbook/security/chapter.sgml')
-rw-r--r--  zh_CN.GB2312/books/handbook/security/chapter.sgml  47
1 files changed, 32 insertions, 15 deletions
diff --git a/zh_CN.GB2312/books/handbook/security/chapter.sgml b/zh_CN.GB2312/books/handbook/security/chapter.sgml
index d276dbe962..cd29458074 100644
--- a/zh_CN.GB2312/books/handbook/security/chapter.sgml
+++ b/zh_CN.GB2312/books/handbook/security/chapter.sgml
@@ -2,7 +2,7 @@
The FreeBSD Documentation Project
The FreeBSD Simplified Chinese Project
- Original Revision: 1.298
+ Original Revision: 1.303
$FreeBSD$
-->
@@ -1992,6 +1992,9 @@ Credentials cache: FILE:<filename>/tmp/krb5cc_500</filename>
Issued Expires Principal
Aug 27 15:37:58 Aug 28 01:37:58 krbtgt/EXAMPLE.ORG@EXAMPLE.ORG</screen>
+ <para>完成所需的操作之后, 可以撤消这一 ticket:</para>
+
+ <screen>&prompt.user; <userinput>k5destroy</userinput></screen>
</sect2>
<sect2>
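Review bot: the command name in the new screen line, `k5destroy`, should be checked against the release this translation targets and against the English source: the k5-prefixed Heimdal tool names are the old 4.x ones, and on later releases the ticket cache is cleared with kdestroy(1). The advice itself is worth carrying over unchanged; clearing the ticket cache once the work is done limits how long a leaked cache file is useful.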
@@ -2340,6 +2343,17 @@ jdoe@example.org</screen>
行为需要使用 <command>login.krb5</command> 来进行验证,
才能够正确地修改转发凭据的属主。</para></note>
+ <para>除此之外, 还应修改 <filename>rc.conf</filename> 并加入下列配置:</para>
+
+ <programlisting>kerberos5_server="/usr/local/sbin/krb5kdc"
+kadmind5_server="/usr/local/sbin/kadmind"
+kerberos5_server_enable="YES"
+kadmind5_server_enable="YES"</programlisting>
+
+ <para>这样做的原因是,
+ <acronym>MIT</acronym> kerberos 会将可执行文件装到
+ <filename role="directory">/usr/local</filename>
+ 之下。</para>
</sect2>
<sect2>
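Review bot: the first new paragraph tells the reader to edit <filename>rc.conf</filename> before saying why, and the reason (MIT Kerberos installs under /usr/local) only arrives in the second paragraph; state up front that this applies to the MIT port, because with the base-system Heimdal these four lines would point rc at binaries that are not there. Also, the later hunk in this patch writes <filename>/etc/rc.conf</filename> with the full path; use the same form here for consistency.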
@@ -3010,17 +3024,19 @@ options IPSEC_DEBUG #debug for IP security
(或公网的) IP 地址, 可以通过 &man.ifconfig.8; 来完成这步。
私网 IP 地址则必须使用 &man.ifconfig.8; 来配置。</para>
- <para>在网络 #1 的网关机上可以通过下面的两个命令来配置隧道。</para>
-
- <programlisting>ifconfig gif0 A.B.C.D W.X.Y.Z
-ifconfig gif0 inet 192.168.1.1 192.168.2.1 netmask 0xffffffff
- </programlisting>
+ <para>在网络 #1 的网关机上可以通过下面的这些命令来配置隧道。</para>
+
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>gif0</replaceable> create</userinput>
+&prompt.root; <userinput>ifconfig tunnel <replaceable>gif0</replaceable> <replaceable>A.B.C.D</replaceable> <replaceable>W.X.Y.Z</replaceable></userinput>
+&prompt.root; <userinput>ifconfig <replaceable>gif0</replaceable> inet <replaceable>192.168.1.1</replaceable> <replaceable>192.168.2.1</replaceable> netmask <replaceable>0xffffffff</replaceable></userinput>
+ </screen>
- <para>在另一边也需要做类似的设置, 只是 IP 地址的顺序是反过来的。</para>
+ <para>在另一台网关上也需要执行同样的命令, 但 IP 地址的顺序相反。</para>
- <programlisting>ifconfig gif0 W.X.Y.Z A.B.C.D
-ifconfig gif0 inet 192.168.2.1 192.168.1.1 netmask 0xffffffff
- </programlisting>
+ <screen>&prompt.root; <userinput>ifconfig <replaceable>gif0</replaceable> create</userinput>
+&prompt.root; <userinput>ifconfig tunnel <replaceable>gif0</replaceable> <replaceable>W.X.Y.Z</replaceable> <replaceable>A.B.C.D</replaceable></userinput>
+&prompt.root; <userinput>ifconfig <replaceable>gif0</replaceable> inet <replaceable>192.168.2.1</replaceable> <replaceable>192.168.1.1</replaceable> netmask <replaceable>0xffffffff</replaceable></userinput>
+ </screen>
<para>随后执行:</para>
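Review bot: the argument order in the second command of both new screens, `ifconfig tunnel gif0 A.B.C.D W.X.Y.Z`, does not match ifconfig(8), which takes the interface name first: `ifconfig gif0 tunnel A.B.C.D W.X.Y.Z`, and the mirror image with W.X.Y.Z A.B.C.D on the second gateway. If this was carried over from English revision 1.303 it needs fixing there as well. The rest of the hunk is correct: `create` followed by `tunnel` is what a cloned gif(4) interface needs, and changing 两个命令 to 这些命令 keeps the prose in step with the three commands now shown.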
@@ -3030,9 +3046,9 @@ ifconfig gif0 inet 192.168.2.1 192.168.1.1 netmask 0xffffffff
的网关上您应该能够看到:</para>
<screen>&prompt.root; <userinput>ifconfig gif0</userinput>
-gif0: flags=8011&lt;UP,POINTTOPOINT,MULTICAST&gt; mtu 1280
-inet 192.168.1.1 --&gt; 192.168.2.1 netmask 0xffffffff
-physical address inet A.B.C.D --&gt; W.X.Y.Z
+gif0: flags=8051&lt;UP,POINTOPOINT,RUNNING,MULTICAST&gt; mtu 1280
+ tunnel inet A.B.C.D --&gt; W.X.Y.Z
+ inet 192.168.1.1 --&gt; 192.168.2.1 netmask 0xffffffff
</screen>
<para>如您所见, 虽然到已经在物理地址 <hostid role="ipaddr">A.B.C.D</hostid> 和
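Review bot: the updated output no longer has a "physical address" line; the outer addresses now appear as `tunnel inet A.B.C.D --> W.X.Y.Z`, yet the context line immediately after the screen still speaks of 物理地址 (physical address). Check whether that sentence should be reworded to match the new ifconfig output, and while there, 虽然到已经 reads as if 到 is a stray character.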
@@ -3044,7 +3060,7 @@ physical address inet A.B.C.D --&gt; W.X.Y.Z
<para>这同时会在两边机器的路由表中加入一项,
可以通过 <command>netstat -rn</command> 来观察。
来自网络 #1的网关机的输出如下。</para>
-
+
<screen>&prompt.root; <userinput>netstat -rn</userinput>
Routing tables
@@ -3137,7 +3153,8 @@ Destination Gateway Flags Refs Use Netif Expire
<listitem>
<para>编辑网关 #1 上的 <filename>/etc/rc.conf</filename> 并将下面的行添加进去
(根据需要改 IP )。</para>
- <programlisting>gifconfig_gif0="A.B.C.D W.X.Y.Z"
+ <programlisting>gif_interfaces="gif0"
+gifconfig_gif0="A.B.C.D W.X.Y.Z"
ifconfig_gif0="inet 192.168.1.1 192.168.2.1 netmask 0xffffffff"
static_routes="vpn"
route_vpn="192.168.2.0 192.168.2.1 netmask 0xffffff00"
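Review bot: adding gif_interfaces="gif0" is the right companion to the `ifconfig gif0 create` change earlier in this patch, since rc has to clone the interface before gifconfig_gif0 and ifconfig_gif0 can apply to it. The listing for gateway #2 is not part of this hunk, so it is not visible whether it received the same line; it needs one too, with the addresses swapped as in the ifconfig screens, or the tunnel will only come up on one side after a reboot.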