Security takes many forms in a computing environment. This chapter gives examples of three different types of security: access, prevention and detection.
Access for users is usually handled by login or an application designed to handle the login function. In this chapter, we show how to enhance login by setting policies with PAM modules. Access via networks can also be secured by policies set by iptables, commonly referred to as a firewall. The Network Security Services (NSS) and Netscape Portable Runtime (NSPR) libraries can be installed and shared among the many applications requiring them. For applications that don't offer the best security, you can use the Stunnel package to wrap an application daemon inside an SSL tunnel.
Prevention of breaches, such as a trojan, is assisted by applications like GnuPG, specifically by its ability to verify signed packages, which reveals any modification of the tarball after the packager created it.
Finally, we touch on detection with a package that stores "signatures" of critical files (defined by the administrator) and then regenerates those "signatures" and compares them to identify files that have been changed.
The OpenSSL package contains management tools and libraries relating to cryptography. These are useful for providing cryptography functions to other packages, notably OpenSSH, email applications and web browsers (for accessing HTTPS sites).
Download (HTTP): http://www.openssl.org/source/openssl-0.9.8d.tar.gz
Download (FTP): ftp://ftp.openssl.org/source/openssl-0.9.8d.tar.gz
Download MD5 sum: 8ed1853538e1d05a1f5ada61ebf8bffa
Download size: 3.2 MB
Estimated disk space required: 38.1 MB
Estimated build time: 1.1 SBU (additional 0.6 SBU to run the test suite)
bc-1.06 (recommended if you run the test suite during the build)
User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/OpenSSL
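The tarball can be checked against the MD5 sum listed above before it is patched or built. The following shell functions are an added example, not part of the original instructions; the names compute_md5 and verify_md5 are made up for illustration, and the md5 -q fallback assumes a BSD-style system without md5sum.

```shell
#!/bin/sh
# Added example: check a downloaded tarball against a published MD5 sum
# before patching or building it. Function names are hypothetical.

# compute_md5 FILE -> prints the lowercase hex MD5 digest of FILE
compute_md5() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum "$1" | awk '{print $1}'
    else
        # Assumption: BSD/macOS fallback, where the tool is "md5 -q"
        md5 -q "$1"
    fi
}

# verify_md5 FILE EXPECTED -> 0 on match, 1 on mismatch, 2 on bad input
verify_md5() {
    file=$1
    # Published sums are sometimes upper case; compare in lower case
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -r "$file" ] || { echo "cannot read: $file" >&2; return 2; }
    # Reject anything that is not exactly 32 hex digits
    case $expected in
        *[!0-9a-f]*|'') echo "malformed MD5 sum" >&2; return 2 ;;
    esac
    [ "${#expected}" -eq 32 ] || { echo "malformed MD5 sum" >&2; return 2; }
    actual=$(compute_md5 "$file") || return 2
    if [ "$actual" = "$expected" ]; then
        echo "OK: $file"
        return 0
    fi
    echo "MISMATCH: $file (got $actual)" >&2
    return 1
}

# File name and sum as given on this page; the check runs only when the
# tarball is present in the current directory.
TARBALL=openssl-0.9.8d.tar.gz
MD5=8ed1853538e1d05a1f5ada61ebf8bffa
if [ -f "$TARBALL" ]; then
    verify_md5 "$TARBALL" "$MD5" || echo "do not build this tarball" >&2
fi
```

A matching MD5 sum shows the download is not corrupted or truncated; the GnuPG signature check mentioned in the chapter introduction is what ties a tarball to its packager.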
To avoid a lot of warnings caused by using a deprecated compilation option, run:
sed -i -e 's/mcpu/march/' config
Install OpenSSL by running the following commands:
patch -Np1 -i ../openssl-0.9.8d-fix_manpages-1.patch &&
./config --openssldir=/etc/ssl --prefix=/usr shared &&
make MANDIR=/usr/share/man
To test the results, issue: make test.
Now, as the root user:
make MANDIR=/usr/share/man install &&
cp -v -r certs /etc/ssl &&
install -v -d -m755 /usr/share/doc/openssl-0.9.8d &&
cp -v -r doc/{HOWTO,README,*.{txt,html,gif}} \
    /usr/share/doc/openssl-0.9.8d
no-rc5 no-idea: When added to the ./config command, this will eliminate the building of those encryption methods. Patent licenses may be needed for you to utilize either of those methods in your projects.
make MANDIR=/usr/share/man; make MANDIR=/usr/share/man install: These commands install OpenSSL with the man pages in /usr/share/man instead of /etc/ssl/man.
cp -v -r certs /etc/ssl: The certificates must be copied manually as the default installation skips this step.
Most people who just want to use OpenSSL for providing functions to other programs such as OpenSSH and web browsers won't need to worry about configuring OpenSSL. Configuring OpenSSL is an advanced topic, so those who need to do it would normally be expected either to know how or to be able to find out how.
Last updated on 2007-01-13 18:36:10 -0600