r2874 - in trunk: BOOK BOOK/introduction/welcome BOOK/postlfs/security bootscripts bootscripts/blfs/init.d

randy at linuxfromscratch.org randy at linuxfromscratch.org
Wed Oct 27 11:23:00 PDT 2004


Author: randy
Date: 2004-10-27 12:22:58 -0600 (Wed, 27 Oct 2004)
New Revision: 2874

Added:
   trunk/BOOK/postlfs/security/stunnel.xml
   trunk/bootscripts/blfs/init.d/stunnel
Modified:
   trunk/BOOK/general.ent
   trunk/BOOK/introduction/welcome/changelog.xml
   trunk/BOOK/postlfs/security/security.xml
   trunk/bootscripts/ChangeLog
   trunk/bootscripts/Makefile
Log:
Added new package Stunnel-4.05

Modified: trunk/BOOK/general.ent
===================================================================
--- trunk/BOOK/general.ent	2004-10-27 15:58:47 UTC (rev 2873)
+++ trunk/BOOK/general.ent	2004-10-27 18:22:58 UTC (rev 2874)
@@ -1,4 +1,4 @@
-<!ENTITY day          "25">
+<!ENTITY day          "27">
 <!ENTITY month        "10">
 <!ENTITY year         "2004">
 <!ENTITY version      "svn-&year;&month;&day;">
@@ -19,7 +19,7 @@
 <!ENTITY publisher      "Unknown">
 
 
-<!ENTITY blfs-bootscripts-version     "20041023"> 
+<!ENTITY blfs-bootscripts-version     "20041027"> 
 <!ENTITY blfs-bootscripts-download    "&downloads-root;/blfs-bootscripts-&blfs-bootscripts-version;.tar.bz2">
                                      
 <!-- Part II -->                     
@@ -36,6 +36,7 @@
 <!ENTITY heimdal-version              "0.6.2">   
 <!ENTITY mitkrb-version               "1.3.5"> 
 <!ENTITY cyrus-sasl-version           "2.1.20"> 
+<!ENTITY stunnel-version              "4.05"> 
                                   
 <!-- Chapter 5 -->                
 <!ENTITY reiser-version               "3.6.19"> 

Modified: trunk/BOOK/introduction/welcome/changelog.xml
===================================================================
--- trunk/BOOK/introduction/welcome/changelog.xml	2004-10-27 15:58:47 UTC (rev 2873)
+++ trunk/BOOK/introduction/welcome/changelog.xml	2004-10-27 18:22:58 UTC (rev 2874)
@@ -22,6 +22,9 @@
 
 <itemizedlist>
 
+<listitem><para>October 27th, 2004 [randy]: Added new package 
+Stunnel-4.05.</para></listitem>
+
 <listitem><para>October 25th, 2004 [igor]: Added aspell, pkgconfig, HTML
 Tidy, Net-SNMP, SQLite, Cyrus SASL and Dmalloc dependencies and a
 configure switch utilizing readline to PHP instructions, thanks to

Modified: trunk/BOOK/postlfs/security/security.xml
===================================================================
--- trunk/BOOK/postlfs/security/security.xml	2004-10-27 15:58:47 UTC (rev 2873)
+++ trunk/BOOK/postlfs/security/security.xml	2004-10-27 18:22:58 UTC (rev 2874)
@@ -18,7 +18,9 @@
 how to enhance <command>login</command> by setting policies with
 <application><acronym>PAM</acronym></application> modules.  Access via networks
 can also be secured by policies set by <application>iptables</application>, 
-commonly referred to as a firewall.</para>
+commonly referred to as a firewall. For applications that don't offer the
+best security, you can use the <application>Stunnel</application> package to
+wrap an application daemon inside an <acronym>SSL</acronym> tunnel.</para>
 
 <para>Prevention of breaches, like a trojan, are assisted by applications like 
 <application>GnuPG</application>, specifically the ability to confirm signed 
@@ -39,5 +41,6 @@
 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="heimdal.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="mitkrb.xml"/>
 <xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="cyrus-sasl.xml"/>
+<xi:include xmlns:xi="http://www.w3.org/2003/XInclude" href="stunnel.xml"/>
 
 </chapter>

Added: trunk/BOOK/postlfs/security/stunnel.xml
===================================================================
--- trunk/BOOK/postlfs/security/stunnel.xml	2004-10-27 15:58:47 UTC (rev 2873)
+++ trunk/BOOK/postlfs/security/stunnel.xml	2004-10-27 18:22:58 UTC (rev 2874)
@@ -0,0 +1,183 @@
+<?xml version="1.0" encoding="ISO-8859-1"?>
+<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.3//EN"
+   "http://www.oasis-open.org/docbook/xml/4.3/docbookx.dtd" [
+  <!ENTITY % general-entities SYSTEM "../../general.ent">
+  %general-entities;
+
+  <!ENTITY stunnel-download-http "http://www.stunnel.org/download/stunnel/src/stunnel-&stunnel-version;.tar.gz">
+  <!ENTITY stunnel-download-ftp  "ftp://ftp.fu-berlin.de/unix/linux/mirrors/gentoo/distfiles/stunnel-&stunnel-version;.tar.gz">
+  <!ENTITY stunnel-size          "341 KB">
+  <!ENTITY stunnel-buildsize     "2.9 MB">
+  <!ENTITY stunnel-time          "0.08 SBU">
+]>
+
+<sect1 id="stunnel" xreflabel="Stunnel-&stunnel-version;">
+<sect1info>
+<othername>$LastChangedBy$</othername>
+<date>$Date$</date>
+</sect1info>
+<?dbhtml filename="stunnel.html"?>
+<title>Stunnel-&stunnel-version;</title>
+
+<sect2>
+<title>Introduction to <application>Stunnel</application></title>
+
+<para>The <application>Stunnel</application> package contains a program that 
+allows you to encrypt arbitrary <acronym>TCP</acronym> connections inside 
+<acronym>SSL</acronym> (Secure Sockets Layer) so you can easily communicate 
+with clients over secure channels. <application>Stunnel</application> can be 
+used to add <acronym>SSL</acronym> functionality to commonly used Inetd 
+daemons like <acronym>POP</acronym>-2, <acronym>POP</acronym>-3, and 
+<acronym>IMAP</acronym> servers, to standalone daemons like 
+<acronym>NNTP</acronym>, <acronym>SMTP</acronym> and <acronym>HTTP</acronym>, 
+and in tunneling <acronym>PPP</acronym> over network sockets without changes 
+to the server package source code.</para>
+
+<sect3><title>Package information</title>
+<itemizedlist spacing="compact">
+<listitem><para>Download (HTTP): <ulink url="&stunnel-download-http;"/></para></listitem>
+<listitem><para>Download (FTP): <ulink url="&stunnel-download-ftp;"/></para></listitem>
+<listitem><para>Download size: &stunnel-size;</para></listitem>
+<listitem><para>Estimated disk space required: &stunnel-buildsize;</para></listitem>
+<listitem><para>Estimated build time: &stunnel-time;</para></listitem></itemizedlist>
+</sect3>
+
+<sect3><title><application>Stunnel</application> dependencies</title>
+<sect4><title>Required</title>
+<para><xref linkend="openssl"/></para>
+</sect4>
+
+<sect4><title>Optional</title>
+<para><xref linkend="tcpwrappers"/></para>
+</sect4>
+</sect3>
+
+</sect2>
+
+<sect2>
+<title>Installation of <application>Stunnel</application></title>
+
+<para>The <command>stunnel</command> daemon will be run in a 
+<command>chroot</command> jail by an unprivileged user. Create the new user, 
+group and <command>chroot</command> home directory structure using the 
+following commands:</para>
+
+<screen><userinput><command>groupadd stunnel &&
+useradd -c "Stunnel Daemon" -d /var/lib/stunnel -g stunnel -s /bin/false stunnel &&
+install -d -m 700 -o stunnel -g stunnel /var/lib/stunnel/run</command></userinput></screen>
+
+<note><para>A signed Certificate of Authority and a Private Key is necessary 
+to run the <command>stunnel</command> daemon. If you own, or have already 
+created a signed Certificate of Authority you wish to use, copy it to 
+<filename>tools/stunnel.pem</filename> in the source directory before starting 
+the build, otherwise you will be prompted to create one. The 
+<filename>.pem</filename> file must be formatted as shown below:</para>
+
+<screen>-----BEGIN RSA PRIVATE KEY-----
+<replaceable>[many encrypted lines of unencrypted key]</replaceable>
+-----END RSA PRIVATE KEY-----
+-----BEGIN CERTIFICATE-----
+<replaceable>[many encrypted lines of certificate]</replaceable>
+-----END CERTIFICATE-----</screen></note>
+
+<para>Install <application>Stunnel</application> by running the following 
+commands:</para>
+
+<screen><userinput><command>./configure --prefix=/usr --sysconfdir=/etc &&
+make &&
+make install</command></userinput></screen>
+
+</sect2>
+
+<sect2>
+<title>Command explanations</title>
+
+<para><parameter>--sysconfdir=/etc</parameter>: This parameter forces the 
+configuration directory to <filename class='directory'>/etc</filename> instead 
+of <filename class='directory'>/usr/etc</filename>.</para>
+
+<para><command>make</command>: This command builds the package and, if you
+did not copy an <filename>stunnel.pem</filename> file to the source 
+<filename class='directory'>tools/</filename> directory, prompts you for the
+necessary information to create one. Ensure you reply to the</para>
+
+<screen><computeroutput>Common Name (FQDN of your server) [localhost]:</computeroutput></screen>
+
+<para>prompt with the name or <acronym>IP</acronym> address you will be using 
+to access the service.</para>
+
+</sect2>
+
+<sect2>
+<title>Configuring <application>Stunnel</application></title>
+
+<sect3><title>Config files</title>
+<para><filename>/etc/stunnel/stunnel.conf</filename></para>
+</sect3>
+
+<sect3><title>Configuration Information</title>
+
+<para>Create a basic <filename>/etc/stunnel/stunnel.conf</filename> 
+configuration file using the following commands:</para>
+
+<screen><userinput><command>cat >/etc/stunnel/stunnel.conf << "EOF"</command>
+# File: /etc/stunnel/stunnel.conf
+
+pid = /run/stunnel.pid
+chroot = /var/lib/stunnel
+client = no
+setuid = stunnel
+setgid = stunnel
+
+<command>EOF</command></userinput></screen>
+
+<para>Next, you need to add the service you wish to encrypt to the 
+configuration file. The format is as follows:</para> 
+
+<screen><userinput>[<replaceable>[service]</replaceable>]
+accept  = <replaceable>[hostname:portnumber]</replaceable>
+connect = <replaceable>[hostname:portnumber]</replaceable></userinput></screen>
+
+<para>If you use <application>Stunnel</application> to encrypt a daemon 
+started from <command>[x]inetd</command>, you may need to disable that daemon 
+in the <filename>/etc/[x]inetd.conf</filename> file and enable a corresponding 
+<replaceable>[service]</replaceable>_stunnel service. You may have to add an 
+appropriate entry in <filename>/etc/services</filename> as well.</para>
+
+<para>For a full explanation of the commands and syntax used in the 
+configuration file, run <command>man stunnel</command>. To see a 
+<acronym>BLFS</acronym> example of an actual setup of an 
+<command>stunnel</command> encrypted service, read the 
+<acronym>SWAT</acronym> configuration section in the <xref linkend="samba3"/> 
+instructions.</para>
+
+<para>To automatically start the <command>stunnel</command> daemon when the system
+is rebooted, install the <filename>/etc/rc.d/init.d/stunnel</filename> 
+bootscript from the <xref linkend="intro-important-bootscripts"/> 
+package.</para>
+
+<screen><userinput><command>make install-stunnel</command></userinput></screen>
+</sect3>
+
+</sect2>
+
+<sect2>
+<title>Contents</title>
+
+<para>The <application>Stunnel</application> package contains 
+<command>stunnel</command> and 
+<filename class='libraryfile'>libstunnel</filename>.</para>
+
+</sect2>
+
+<sect2><title>Description</title>
+
+<sect3><title>stunnel</title>
+<para><command>stunnel</command> is a program designed to work as an 
+<acronym>SSL</acronym> encryption wrapper between remote clients and local 
+(<command>[x]inetd</command>-startable) or remote servers.</para></sect3>
+
+</sect2>
+
+</sect1>
+
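Review bot: The `<note>` following the useradd block mislabels what `stunnel.pem` contains and never says how that file must be protected. What the build expects is a server certificate together with its private key, not a "Certificate of Authority", and the placeholder `[many encrypted lines of unencrypted key]` contradicts itself, since the key in this file is stored in the clear; suggest `A signed server certificate and its private key are necessary to run the stunnel daemon` and `[base64 lines of the unencrypted private key]`. Because the key is unencrypted, the page should also tell the reader to keep `stunnel.pem` unreadable to other users (mode 600, owned by root or the stunnel user) both in `/etc/stunnel` and in the source `tools/` directory, since the hunk does not show what permissions `make install` assigns. The "Command explanations" paragraph would be a natural place for that sentence.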


Property changes on: trunk/BOOK/postlfs/security/stunnel.xml
___________________________________________________________________
Name: svn:keywords
   + LastChangedBy Date

Modified: trunk/bootscripts/ChangeLog
===================================================================
--- trunk/bootscripts/ChangeLog	2004-10-27 15:58:47 UTC (rev 2873)
+++ trunk/bootscripts/ChangeLog	2004-10-27 18:22:58 UTC (rev 2874)
@@ -1,3 +1,6 @@
+2004-10-27 Randy McMurchy <randy at linuxfromscratch.org>
+	* Added new bootscript for Stunnel.
+
 2004-10-23 Randy McMurchy <randy at linuxfromscratch.org>
 	* Modified PostgreSQL script because the pg_ctl script
 	  is no longer able to run as user root.

Modified: trunk/bootscripts/Makefile
===================================================================
--- trunk/bootscripts/Makefile	2004-10-27 15:58:47 UTC (rev 2873)
+++ trunk/bootscripts/Makefile	2004-10-27 18:22:58 UTC (rev 2874)
@@ -358,6 +358,16 @@
 	ln -sf  ../init.d/sshd ${EXTDIR}/rc.d/rc5.d/S30sshd
 	ln -sf  ../init.d/sshd ${EXTDIR}/rc.d/rc6.d/K30sshd
 
+install-stunnel: create-dirs
+        install -m ${MODE} blfs/init.d/stunnel    ${EXTDIR}/rc.d/init.d/
+        ln -sf  ../init.d/stunnel ${EXTDIR}/rc.d/rc0.d/K47stunnel
+        ln -sf  ../init.d/stunnel ${EXTDIR}/rc.d/rc1.d/K47stunnel
+        ln -sf  ../init.d/stunnel ${EXTDIR}/rc.d/rc2.d/S26stunnel
+        ln -sf  ../init.d/stunnel ${EXTDIR}/rc.d/rc3.d/S26stunnel
+        ln -sf  ../init.d/stunnel ${EXTDIR}/rc.d/rc4.d/S26stunnel
+        ln -sf  ../init.d/stunnel ${EXTDIR}/rc.d/rc5.d/S26stunnel
+        ln -sf  ../init.d/stunnel ${EXTDIR}/rc.d/rc6.d/K47stunnel
+
 install-svn: create-dirs
 	install -m ${MODE} blfs/init.d/svn        ${EXTDIR}/rc.d/init.d/
 	ln -sf ../init.d/svn ${EXTDIR}/rc.d/rc0.d/K27svn
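Review bot: The eight recipe lines under `install-stunnel:` appear to be indented with spaces, whereas the neighbouring `install-svn` recipe and the `sshd` lines above use a leading tab. Make only recognises a recipe line by its leading tab, so as written `make install-stunnel` (and, after the second hunk adds it to the aggregate target list, the aggregate target too) would stop with a "missing separator" error instead of installing the bootscript. Replace the leading spaces on the `install -m` line and the seven `ln -sf` lines with a single tab, matching the rest of the Makefile.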
@@ -442,6 +452,7 @@
 	install-samba \
 	install-sendmail \
 	install-sshd \
+	install-stunnel \
 	install-svn \
 	install-sysstat \
 	install-vsftpd \

Added: trunk/bootscripts/blfs/init.d/stunnel
===================================================================
--- trunk/bootscripts/blfs/init.d/stunnel	2004-10-27 15:58:47 UTC (rev 2873)
+++ trunk/bootscripts/blfs/init.d/stunnel	2004-10-27 18:22:58 UTC (rev 2874)
@@ -0,0 +1,40 @@
+#!/bin/sh
+# Begin $rc_base/init.d/stunnel
+
+# Based on sysklogd script from LFS-3.1 and earlier.
+# Rewritten by Gerard Beekmans  - gerard at linuxfromscratch.org
+
+#$LastChangedBy$
+#$Date$
+
+. /etc/sysconfig/rc
+. $rc_functions
+
+case "$1" in
+        start)
+                echo "Starting the Stunnel Daemon..."
+                loadproc /usr/sbin/stunnel
+                ;;
+
+        stop)
+                echo "Stopping the Stunnel Daemon..."
+                killproc /usr/sbin/stunnel
+                ;;
+
+        restart)
+                $0 stop
+                sleep 1
+                $0 start
+                ;;
+
+        status)
+                statusproc /usr/sbin/stunnel
+                ;;
+
+        *)
+                echo "Usage: $0 {start|stop|restart|status}"
+                exit 1
+                ;;
+esac
+
+# End $rc_base/init.d/stunnel
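Review bot: The script hard-codes `/usr/sbin/stunnel` in the start, stop and status branches, while the book page in this commit builds with `./configure --prefix=/usr`; whether that install lands the binary in `sbin` or `bin` is not visible here, so the path should be confirmed against the installed tree, since `loadproc`, `killproc` and `statusproc` all silently target the wrong file otherwise. It would also help a reader to have a comment stating that no config argument is passed because the daemon reads `/etc/stunnel/stunnel.conf` (the `--sysconfdir=/etc` setting on the book page) by default, e.g. `# no argument: stunnel reads /etc/stunnel/stunnel.conf`. The header lines `Based on sysklogd script from LFS-3.1 and earlier` and `Rewritten by Gerard Beekmans` are template text with no bearing on Stunnel and could be dropped or replaced by the script's actual provenance.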


Property changes on: trunk/bootscripts/blfs/init.d/stunnel
___________________________________________________________________
Name: svn:keywords
   + LastChangedBy Date



