Editorial fixes.

2025-02-20 12:54:24 +01:00 · 2014-09-30 21:46:19 +02:00 · 2014-09-30 21:46:19 +02:00 · d53ec2c576
commit d53ec2c576
parent 99ea0a9c95
10 changed files with 86 additions and 109 deletions
--- a/doc/DecryptionProtocol.txt
+++ b/doc/DecryptionProtocol.txt
@ -1,4 +1,5 @@
-== Yubikey KSM Decryption Protocol ==
+Yubikey KSM Decryption Protocol
 -------------------------------
 The protocol for asking the Yubikey Key Storage Module to decrypt an
 OTP is to request a HTTP resource as follows:
--- a/doc/DesignGoals.txt
+++ b/doc/DesignGoals.txt
@ -1,9 +1,11 @@
-== YK-KSM Design Goals ==
+YK-KSM Design Goals
 -------------------
 The YK-KSM component was designed for these objectives:
 * Have AES key storage be separate from the validation server
-* Allow distribution of AES keys to multiple servers for load-balancing and high-availability
+* Allow distribution of AES keys to multiple servers for
  load-balancing and high-availability
 * The code must be short and easy to audit
--- a/doc/GenerateKSMKey.txt
+++ b/doc/GenerateKSMKey.txt
@ -1,4 +1,5 @@
-== Generate KSM Key ==
+Generate KSM Key
 ----------------
 Import of key material to an YK-KSM is typically always done via the
 OpenPGP encrypted/signed KeyProvisioningFormat format.  This setup
@ -12,7 +13,6 @@ After this step you may want to generate AES keys for your YubiKeys,
 see [[GenerateKeys]], and then import them to your KSM, see
 [[ImportKeysToKSM]].
 user@crater:~$ gpg --gen-key
 gpg (GnuPG) 1.4.9; Copyright (C) 2008 Free Software Foundation, Inc.
 This is free software: you are free to change and redistribute it.
--- a/doc/GenerateKeys.txt
+++ b/doc/GenerateKeys.txt
@ -1,4 +1,5 @@
-== Generate Keys ==
+Generate Keys
 -------------
 To generate some AES keys for your !YubiKeys served via your YK-KSM,
 you use the 'ykksm-gen-keys' tool.  The tool is useful for generating
@ -28,7 +29,7 @@ into a separate machine with a separate OpenPGP key.
 To display the test keys above, you can decrypt them using GnuPG:
- <nowiki>user@ksm:~$ gpg < keys.txt 
+ user@ksm:~$ gpg < keys.txt
 You need a passphrase to unlock the secret key for
 user: "YK-KSM crater Import Key"
@ -45,7 +46,7 @@ To display the test keys above, you can decrypt them using GnuPG:
 5,cccccccccccg,c55773192393,7387b5f6bede83f64a9cd75b2023826a,d70c937bbbff,2009-12-14T16:40:57,
 gpg: Signature made Mon 14 Dec 2009 04:40:57 PM CET using DSA key ID 8B88A11B
 gpg: Good signature from "YK-KSM crater Import Key"
- user@ksm:~$</nowiki>
+ user@ksm:~$
 The format is documented in the KeyProvisioningFormat wiki page.
@ -53,7 +54,7 @@ To generate many small files each containing just one key, you can use
 a small wrapper like this:
- <nowiki>#!/bin/sh
+ #!/bin/sh
 set -e
@ -75,4 +76,4 @@ a small wrapper like this:
 while test $cur -le $stop; do
     ykksm-gen-keys $urandom $cur | gpg -a --sign --encrypt -r $key > $cur.asc
     cur=`expr $cur + 1`
- done</nowiki>
+ done
--- a/doc/ImportKeysToKSM.txt
+++ b/doc/ImportKeysToKSM.txt
@ -1,4 +1,5 @@
-== Import Keys To Yubikey KSM ==
+Import Keys To Yubikey KSM
 --------------------------
 To import keys into the YK-KSM database from text files in the
 encrypted/signed KeyProvisioningFormat format, you can use the tool
@ -13,8 +14,6 @@ The tool requires that your system has a GnuPG private key, read
 For example, to import the file generated by the [[GenerateKeys]]
 document:
 <nowiki>
 user@ksm:~$ ykksm-import --verbose --database 'DBI:Pg:dbname=ykksm;host=127.0.0.1' --db-user ykksmimporter --db-passwd otherpassword < ~/keys.txt 
 You need a passphrase to unlock the secret key for
@ -58,7 +57,6 @@ document:
 	serialnr 5 publicName cccccccccccg internalName c55773192393 aesKey 7387b5f6bede83f64a9cd75b2023826a lockCode d70c937bbbff created 2009-12-14T16:40:57 accessed  eol
 user@ksm:~$
 </nowiki>
 When importing large data sets it is recommended to avoid the
 --verbose flag to reduce noise.
--- a/doc/Installation.txt
+++ b/doc/Installation.txt
@ -1,4 +1,5 @@
-== Installation and configuration of Yubikey KSM ==
+Installation and Configuration of Yubikey KSM
 ---------------------------------------------
 The Yubikey KSM module is responsible for storing AES keys and
 providing two interfaces:
@ -20,11 +21,12 @@ will here explain how to set it up using MySQL or PostgreSQL.  Note
 that you only need to install either MySQL or PostgreSQL (or any other
 supported database), not both!
-=== Step 1: YK-KSM Installation ===
+Step 1: YK-KSM Installation
 ---------------------------
 First you should download and install the latest YK-KSM release:
- <nowiki>user@ksm:~$ sudo apt-get install wget make help2man
+ user@ksm:~$ sudo apt-get install wget make help2man
 ...
 user@ksm:~$ wget http://yubico.github.com/yubikey-ksm/releases/yubikey-ksm-1.8.tgz
 ...
@ -32,23 +34,24 @@ First you should download and install the latest YK-KSM release:
 user@ksm:~$ cd yubikey-ksm-1.8
 user@ksm:~/yubikey-ksm-1.8$ sudo make install
 ...
- user@ksm:~/yubikey-ksm-1.8$</nowiki>
+ user@ksm:~/yubikey-ksm-1.8$
 Alternatively, you may also check out YK-KSM from its source code repository.  For example:
- <nowiki>user@ksm:~$ sudo apt-get install git make help2man
+ user@ksm:~$ sudo apt-get install git make help2man
 ...
 user@ksm:~$ git clone git://github.com/Yubico/yubikey-ksm.git
 ...
 user@ksm:~$ cd yubikey-ksm
 user@ksm:~/yubikey-ksm$ sudo make install
 ...
- user@ksm:~/yubikey-ksm$</nowiki>
+ user@ksm:~/yubikey-ksm$
 The rest of this documentation will assume you have installed the
 YK-KSM with 'make install'.
-=== Step 2: Install web server and PHP ===
+Step 2: Install web server and PHP
 ----------------------------------
 You will need to install a web server with PHP5 and the PHP mcrypt
 interface:
@ -57,13 +60,14 @@ interface:
 Any web server with PHP support should work.
-=== Step 3A: MySQL Installation ===
+Step 3A: MySQL Installation
 ---------------------------
 Install the required packages:
- <nowiki>user@ksm:~$ sudo apt-get install mysql-server php5-mysql libdbd-mysql-perl
+ user@ksm:~$ sudo apt-get install mysql-server php5-mysql libdbd-mysql-perl
 ...
- user@ksm:~$</nowiki>
+ user@ksm:~$
 The installation asks you for a MySQL "root" password, and I recommend
 to specify one.
@ -72,22 +76,22 @@ To avoid having to specify a password when using the 'mysql' tool
 interactively, you can store the password in ~/.my.cnf, see
 /usr/share/doc/mysql-server-5.0/README.Debian.gz.  For example:
- <nowiki>user@ksm:~$ cat > .my.cnf
+ user@ksm:~$ cat > .my.cnf
 [client]
 user = root
 password = YOURPASSWORD
- user@ksm:~$</nowiki>
+ user@ksm:~$
 First create the database and the tables as follows:
- <nowiki>user@ksm:~$ echo 'create database ykksm' | mysql
+ user@ksm:~$ echo 'create database ykksm' | mysql
 user@ksm:~$ mysql ykksm < /usr/share/doc/yubikey-ksm/ykksm-db.sql 
- user@ksm:~$</nowiki>
+ user@ksm:~$
 You should also create database users for the decrypt and import
 interfaces, normally called 'ykksmreader' and 'ykksmimporter':
- <nowiki>user@ksm:~$ mysql --silent ykksm
+ user@ksm:~$ mysql --silent ykksm
 mysql> CREATE USER 'ykksmreader';
 mysql> GRANT SELECT ON ykksm.yubikeys TO 'ykksmreader'@'localhost';
 mysql> SET PASSWORD FOR 'ykksmreader'@'localhost' = PASSWORD('yourpassword');
@ -96,31 +100,27 @@ interfaces, normally called 'ykksmreader' and 'ykksmimporter':
 mysql> SET PASSWORD FOR 'ykksmimporter'@'localhost' = PASSWORD('otherpassword');
 mysql> FLUSH PRIVILEGES;
 mysql> \q
- user@ksm:~$</nowiki>
+ user@ksm:~$
-== Step 3B: PostgreSQL Installation ==
+Step 3B: PostgreSQL Installation
 --------------------------------
 Install some packages:
 <nowiki>
 user@ksm:~$ sudo apt-get install postgresql php5-pgsql libdbd-pg-perl
 ...
 user@ksm:~$ 
 </nowiki>
 The database needs to be initialized as follows:
 <nowiki>
 user@ksm:~$ sudo su postgres
 postgres@ksm:~$ createdb ykksm
 postgres@ksm:~$ psql ykksm < /usr/share/doc/yubikey-ksm/ykksm-db.sql 
 postgres@ksm:~$
 </nowiki>
 You also need to create a user for the decrypt interface, normally
 called 'ykksmreader':
 <nowiki>
 postgres@ksm:~$ psql ykksm -q
 ykksm=# CREATE USER ykksmreader PASSWORD 'yourpassword';
 ykksm=# GRANT SELECT ON yubikeys TO ykksmreader;
@ -128,31 +128,28 @@ called 'ykksmreader':
 ykksm=# GRANT INSERT ON yubikeys TO ykksmimporter;
 ykksm=# \q
 postgres@ksm:~$ 
 </nowiki>
 During installation and debugging it may be useful to watch the
 database log entries:
 <nowiki>
 user@ksm:~$ sudo tail -F /var/log/postgresql/postgresql-*-main.log &
 </nowiki>
-== Step 4: Include path configuration ==
+Step 4: Include path configuration
 ----------------------------------
 Set the include path by creating a file /etc/php5/conf.d/ykksm.ini
 with the following content:
 <nowiki>
 user@ksm:~$ sudo sh -c 'cat > /etc/php5/conf.d/ykksm.ini'
 include_path = "/etc/yubico/ksm:/usr/share/yubikey-ksm"
 user@ksm:~$ sudo /etc/init.d/apache2 restart
 user@ksm:~$ 
 </nowiki>
 The paths are the default, if you installed the YK-KSM in some other
 place you need to modify the paths.
-== Step 5: Logging ==
+Step 5: Logging
 ---------------
 The PHP interface uses syslog for logging of incoming requests.  The
 facility is set in ykksm-config.php but defaults the LOG_LOCAL0.  To
@ -160,13 +157,11 @@ place these messages in a separate file, you can add the following to
 /etc/syslog.conf, or if you use rsyslog, create a file
 /etc/rsyslog.d/ykksm.conf with this content:
 <nowiki>
 user@ksm:~$ sudo sh -c 'cat > /etc/rsyslog.d/ykksm.conf'
 local0.* -/var/log/ykksm.log
 user@ksm:~$ sudo /etc/init.d/rsyslog restart
 ...
 user@ksm:~$ 
 </nowiki>
 The '-' before the filename avoids syncing the file after each write,
 which is recommended for performance.
@ -175,7 +170,6 @@ The log file can grow large quickly, so it is a good idea to setup
 rotation of log files.  Here is an example that rotates the log file
 weekly.  Create a file /etc/logrotate.d/ykksm like this:
 <nowiki>
 user@ksm:~$ sudo sh -c 'cat > /etc/logrotate.d/ykksm'
 /var/log/ykksm.log {
 	weekly
@ -187,9 +181,9 @@ weekly.  Create a file /etc/logrotate.d/ykksm like this:
 	endscript
 }
 user@ksm:~$ 
 </nowiki>
-=== Step 5.1: Fix default log (optional) ===
+Step 5.1: Fix default log (optional)
 ------------------------------------
 Unfortunately, most default syslog configuration, including the
 syslog.conf configuration file on Debian, will also log all entries to
@ -200,49 +194,44 @@ rules.  To avoid YK-KSM log entries in these other files, you must
 modify the default rules.  For example, edit the following lines of
 /etc/rsyslog.conf (or /etc/syslog.conf if you don't use rsyslog):
 <nowiki>
 *.*;auth,authpriv.none          -/var/log/syslog
 *.=info;*.=notice;*.=warn;\
         auth,authpriv.none;\
         cron,daemon.none;\
         mail,news.none          -/var/log/messages
 </nowiki>
 Change them into:
 <nowiki>
 *.*;auth,authpriv.none,local0.none              -/var/log/syslog
 *.=info;*.=notice;*.=warn;\
         auth,authpriv.none;\
         cron,daemon.none;\
         local0.none;\
         mail,news.none          -/var/log/messages
 </nowiki>
-== Step 6: Decrypt OTP Interface ==
+Step 6: Decrypt OTP Interface
 -----------------------------
 The interface to decrypt OTPs is implemented using a PHP script.  You
 can place the script under any URL, but we recommend serving it as
 http://ykksm.example.org/wsapi/decrypt.  The simplest way is to use
 the 'symlink' rule in our makefile:
 <nowiki>
 user@ksm:~$ sudo make -f /usr/share/doc/yubikey-ksm/ykksm.mk symlink
 install -d /var/www/wsapi
 ln -sf /usr/share/yubikey-ksm/.htaccess /var/www/wsapi/.htaccess
 ln -sf /usr/share/yubikey-ksm/ykksm-decrypt.php /var/www/wsapi/decrypt.php
 user@ksm:~$ 
 </nowiki>
 You may also run the commands manually.
-== Step 7: YK-KSM Configuration ==
+Step 7: YK-KSM Configuration
 ----------------------------
 You need to edit the ykksm-config.php script.  An example file is
 included in YK-KSM as 'ykksm-config.php'.  It is normally installed as
 /etc/yubico/ksm/ykksm-config.php:
 <nowiki>
 user@ksm:~$ sudo cat /etc/yubico/ksm/ykksm-config.php 
 <?php
 $db_dsn      = "mysql:dbname=ykksm;host=127.0.0.1";
@ -252,7 +241,6 @@ included in YK-KSM as 'ykksm-config.php'.  It is normally installed as
 $logfacility = LOG_LOCAL0;
 ?>
 user@ksm:~$ 
 </nowiki>
 Be careful about the user permissions and ownership so that unrelated
 users on the system cannot read the database password.
@ -266,17 +254,16 @@ An example DSN for a PostgreSQL setup:
 $db_dsn      = "pgsql:dbname=ykksm;host=127.0.0.1";
-=== The End ===
+The End
 -------
 You now have a YK-KSM up and running.  You can test the service by
 requesting a URL.  Using wget, for example:
 <nowiki>
 user@ksm:~$ sudo apt-get install wget
 user@ksm:~$ wget -q -O - 'http://localhost/wsapi/decrypt?otp=dteffujehknhfjbrjnlnldnhcujvddbikngjrtgh'
 ERR Unknown yubikey
 user@ksm:~$
 </nowiki>
 You will need to import keys into the database for the decrypt
 function to do anything useful.  See [[ServerHardening]] on how to
--- a/doc/KeyProvisioningFormat.txt
+++ b/doc/KeyProvisioningFormat.txt
@ -89,7 +89,8 @@ be encrypted to a particular OpenPGP key id):
 -----END PGP MESSAGE-----
 ....
-=== Naming Scheme ===
+Naming Scheme
 -------------
 The files should use the standard GnuPG output extension '.asc'.
--- a/doc/MakeRelease.txt
+++ b/doc/MakeRelease.txt
@ -1,11 +1,11 @@
-==Maintainer instructions for making releases==
+Maintainer instructions for making releases
-
+-------------------------------------------
 ===Introduction===
 The point of this document is to describe all steps required to make a
 proper release of the yubikey-personalization project.
-===Dependencies===
+Dependencies
 ------------
 Making a release requires the following packages:
@ -15,7 +15,8 @@ which can be installed (under Ubuntu) by running:
  sudo apt-get install make git gnupg help2man git2cl
-===Details===
+Details
 -------
 * Make sure the version number in Makefile has been incremented.
--- a/doc/ServerHardening.txt
+++ b/doc/ServerHardening.txt
@ -1,54 +1,52 @@
-== Server Hardening ==
+Server Hardening
 ----------------
 While the defaults should be secure, there are some simple
 administrative actions that will increase your overall security.  None
 of these steps are required, but we encourage you to read this
 document to see if the enhancements are relevant for your environment.
-=== Tighten PHP configuration ===
+Tighten PHP configuration
 -------------------------
 Tighten the security of the PHP installation by creating a file
 /etc/php5/conf.d/harden.ini with the following content:
 <nowiki>
 user@host:~$ sudo sh -c 'cat > /etc/php5/conf.d/harden.ini'
 display_errors = Off
 log_errors = On
 user@host:~$ 
 </nowiki>
-=== Tighten Apache configuration ===
+Tighten Apache configuration
 ----------------------------
 Tighten the security of the Apache installation by making sure
 directory listings are disabled globally.  Edit
 /etc/apache2/conf.d/security and make sure the following is
 uncommented:
 <nowiki>
 <Directory />
 	AllowOverride None
 	Order Deny,Allow
 	Deny from all
 </Directory>
 </nowiki>
-=== Time synchronization ===
+Time Synchronization
 --------------------
 For logging and (on the validation server) time-stamping it is
 important to have synchronized clocks.  Install ntp.
 <nowiki>
 user@host:~$ sudo apt-get install ntp
 ...
 </nowiki>
-=== Firewall ===
+Firewall
 --------
 There is no reason why the KSM needs to listen to incoming requests
 from the entire Internet, and restricting access to the intended
 YK-VAL servers are recommended.
 <nowiki>
 user@ksm:~$ sudo sh -c 'cat > /etc/network/if-pre-up.d/iptables'
 #!/bin/sh
 # IPv4 firewall:
@ -74,7 +72,6 @@ YK-VAL servers are recommended.
 ip6tables -A INPUT -p tcp -i eth0 -s 2000:2:3::4 --dport 443 -j ACCEPT
 user@ksm:~$ chmod +x /etc/network/if-pre-up.d/iptables
 user@ksm:~$ 
 </nowiki>
 Replace 1.2.3.4 (for IPv4) and 2000:1:2::3 (for IPv6) with the address
 of the host you want to be able to login from via SSH, and replace
@ -85,7 +82,6 @@ validation server and SSH host.
 For a validation server, you may want to allow HTTP(S) requests from
 anyone, but not anything else.
 <nowiki>
 user@val:~$ sudo sh -c 'cat > /etc/network/if-pre-up.d/iptables'
 #!/bin/sh
 # IPv4 firewall
@ -111,7 +107,6 @@ anyone, but not anything else.
 ip6tables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
 user@ksm:~$ chmod +x /etc/network/if-pre-up.d/iptables
 user@ksm:~$ 
 </nowiki>
 Again, replace 1.2.3.4 (for IPv4) and 2000:1:2::3 (for IPv6) with the
 address of the host you want to be able to login from via SSH.
@ -119,7 +114,6 @@ address of the host you want to be able to login from via SSH.
 If you want to allow SSH and HTTP(S) from everywhere, but nothing
 else, try this:
 <nowiki>
 user@val:~$ sudo sh -c 'cat > /etc/network/if-pre-up.d/iptables'
 #!/bin/sh
 # IPv4 firewall
@ -145,9 +139,9 @@ else, try this:
 ip6tables -A INPUT -p tcp -i eth0 --dport 443 -j ACCEPT
 user@ksm:~$ chmod +x /etc/network/if-pre-up.d/iptables
 user@val:~$ 
 </nowiki>
-=== Database encryption ===
+Database Encryption
 -------------------
 The database contains sensitive information.  If someone is able to
 access your machine physically, they may shut it off and steal it with
@ -180,7 +174,6 @@ attempt to mount your encrypted partition automatically.
 Setup:
 <nowiki>
 user@ksm:~$ sudo apt-get install loop-aes-utils loop-aes-modules-2.6-amd64
 ...
 user@ksm:~$ sudo rmmod loop && sudo modprobe loop
@ -212,11 +205,9 @@ Setup:
 umount /ksm
 losetup -d /dev/loop0
 user@ksm:~$ sudo chmod +x /usr/local/sbin/ykksm-{start,stop}
 </nowiki>
 Slightly adapted for MySQL:
 <nowiki>
 user@ksm:~$ sudo apt-get install loop-aes-utils loop-aes-modules-2.6-686
 ...
 user@ksm:~$ sudo rmmod loop && sudo modprobe loop
@ -247,7 +238,6 @@ Slightly adapted for MySQL:
 umount /ksm
 losetup -d /dev/loop0
 user@ksm:~$ sudo chmod +x /usr/local/sbin/ykksm-{start,stop}
 </nowiki>
 Then in the future, to start the YK-KSM, you will need to login to the
 machine and issue the command 'sudo ykksm-start' and enter the disk
@ -255,7 +245,8 @@ encryption password.
 Again, make sure that you don't use any unencrypted swap.
-=== Intrusion detection ===
+Intrusion Detection
 -------------------
 To make some attacks discussed in the previous section harder, make
 sure that your system has a hardware intrusion detection system and
--- a/doc/SyncMonitor.txt
+++ b/doc/SyncMonitor.txt
@ -1,4 +1,5 @@
-== YK-KSM Synchronization Monitor ==
+YK-KSM Synchronization Monitor
 ------------------------------
 If you deploy multiple redundant YK-KSM instances, it is important to
 monitor them to make sure the data they have is synchronized.  While
@ -13,18 +14,14 @@ and AES key.
 Sample output looks like this, first there is a Unix time (for
 freshness) and then is the truncated hash value.
 <nowiki>
  1284488221
  50f5649b80
 </nowiki>
 The script requires the Perl SHA-1 package.  Install it like this:
 <nowiki>
  user@ksm:~$ sudo apt-get install libdigest-sha1-perl
  ...
  user@ksm:~$ 
 </nowiki>
 The typical way to use this is either manually or to run it in a cron
 job and output the hash to a file that can be downloaded by a remote
@ -33,14 +30,12 @@ that downloads this file from all of your KSMs, and the Nagios check
 verify that all values are 1) fresh (Unix time is not too old) and 2)
 that the truncated hash value is identical on all KSMs.
 <nowiki>
  user@ksm:~$ sudo sh -c 'cat > /etc/cron.hourly/run-ykksm-checksum'
  #!/bin/sh
  FILE=/var/www/checksum.txt
  (date --utc +%s; ykksm-checksum --db-user ykksmreader --db-passwd `grep passwo rd /etc/yubico/ksm/ykksm-config.php|cut -d\  -f3|cut -d\" -f2`) > $FILE.tmp
  mv $FILE.tmp $FILE
  user@ksm:~$ sudo chmod +x /etc/cron.hourly/run-ykksm-checksum
 </nowiki>
 If you notice mismatches, you may want to run ykksm-checksum with the
 '-v' parameter on the different hosts and then use 'diff -ur' or