ࡱ> 42-.5!` 2Objbj\\ >>>6$%888vT]]]8&^"_2`^p`"`&a&abb,bjllllll$htrdbbrdrd&a&akkkrd&a&ajkrdjkkRN&a` x]8iNΕ0j<NNblbL#c6kYc,cbbbk"bbbrdrdrdrd%J@J@tHJtvJ  Recommendations on Remote Access Hardening, Strong Password Enforcement, and Compliance Assessment on Unix Variants Christopher Vincent NASA SEWP Security Center May 30, 2006 Thanks to Ron Colvin for supplying helpful Mac OS X information and feedback! Hardening Remote Access (sshd and TCPWrappers) Overview Two different things can be hardened here. First, sshds configuration file can be changed from its default configuration to be much more restrictive. As a second layer of filtering, TCP wrappers can be configured to allow access to sshd by only specified hosts. Considerations The best method for universal deployment of an actual SSHD configuration file to Goddards user base is currently an open issue. First, users willingness to either allow Goddard to remotely manipulate their configuration file or personally install the configuration themselves is unknown. Perhaps these changes can be mandated or can be enforced via other mechanisms. Second, we make the assumption that most remote access users have likely not customized their SSH configuration. However, enforcing the secure configuration without unnecessarily alienating or overriding users custom settings may lead to technical deployment difficulties and an increased volume of technical support requests from users experiencing problems after the changes. The time window and user incentive for deployment and configuration verification remains an open issue. User cooperation likely presents the biggest hurdle to timely rollout. Finding a proper incentive to entice users to change their settings is difficult. Denial of network access until the proper configuration has been verified may be enough of an incentive for most of the user base. sshd_config The following changes to the sshd_config configuration file are a good baseline. This file is most often located in the /etc/ or /etc/ssh/ directories and requires super user/root permission to edit. Please note that in order for ssh to reflect changes, it must be restarted. Display a terms of use banner at login store a text banner in /etc/banner.txt *** *** This U.S. Government resource is for authorized use only. *** *** If not authorized to access this resource, disconnect now. *** Unauthorized use of, or access to, this resource may subject *** you to disciplinary action or criminal prosecution. *** *** By accessing and using this resource, you are consenting to *** monitoring, keystroke recording, or auditing. *** Figure  SEQ Figure \* ARABIC 1: Example banner message Disable root login (edit sshd_config) add/uncomment the line PermitRootLogin no Allow only specific users (edit sshd_config) add/uncomment the line AllowUsers where: is a list of usernames separated by spaces Usernames can contain * and ? as wildcards user@host format can be used; it specifies that the given user is allowed only from the host specified. It is better to leave this alone and specify such hosts using TCP Wrappers. Note: This works only if there is at least one username provided; if no users are specified, this setting has no effect (allowing everyone). Limit SSH protocol to version 2 (edit sshd_config) add/uncomment the line Protocol 2; ensure the number 1 does not appear anywhere on this line. Limit the number of login attempts per connection to 2 attempts (edit sshd_config) add/uncomment line MaxAuthTries 1 NOTE: Mac OS 10 does not currently support this option Optionally disable password-based authentication at login (edit sshd_config) add/uncomment the line PasswordAuthentiction no This is useful when all clients have arranged to use public/private key pairs and have, in some manner, stored their public key on the remote machine in the file $HOME/.ssh/authorized_keys2. A great guide to setting up ssh with public/private key pairs is Mick Bauers LINUX Journal article The 101 Uses of OpenSSH: Part II of II. TCP Wrappers The files of concern are /etc/hosts.allow and /etc/hosts.deny. sshd should be allowed from only trusted hosts (specified via IP or domain). There are different syntaxes that can be used with TCP wrappers, but some are older and more compatible. We recommend using the syntax used in the following example (it is better to use a more specific, tighter set of ALLOWed hosts): sshd : .gsfc.nasa.gov : ALLOW # allow ssh from *.gsfc.nasa.gov sshd : .hst.nasa.gov : ALLOW # allow ssh from *.hst.nasa.gov sshd : .sewpsc.sewp.nasa.gov : ALLOW # allow ssh from *.sewpsc.sewp.nasa.gov sshd : 192.168.100. : ALLOW # allow ssh from 192.168.100.* hosts ALL : ALL : DENY # deny all other incoming requests Figure  SEQ Figure \* ARABIC 2: Example /etc/hosts.allow file. * represents a wildcard and should NOT be used in the real rules in order to maintain compatibility. Please tailor your file to be as host-specific as possible; the domains above represent a range of hosts too broad for strong security. Finally, Ron Colvin points out that there are several automated scripts that monitor for dictionary attacks and add attacker IPs to a block list. At this point, perhaps it is best to recommend that a local decision be made determining the use of these tools. If the methods previously suggested here prove insufficient, then it would be apt to look at this group of software. Four mentioned are Daemon Shield, BlockHosts, Sshdfilter, and Denyhosts. Most of these operate by monitoring the systems authorization log for failed ssh authorization attempts and adding the respective IPs to the systems TCP Wrappers /etc/hosts.allow or /etc/hosts.deny files. Because each platform differs somewhat, most of these tools will not work across all platforms by default; rather, they must be custom configured. Before and After: Observations Summary Before: Are the following true by default?FreeBSD (6.0)Linux (FC4)Mac OS X (10.2.8/10.4.5)Terms of Use Banner DisplayedRoot Login DisabledX(note)Access Restricted to Specific UsersSSH Protocol Limited to v2 OnlyXXXMaximum # Allowed Authorization Attempts is 2Password-based Authentication Disabled (optional)Connections Restricted by TCP WrappersTable  SEQ Table \* ARABIC 1: Default settings. For each condition, an X indicates true; a blank indicates false After: Are the following true after recommended. changes?FreeBSD (6.0)Linux (FC4)Mac OS X (10.2.8/10.4.5)Terms of Use Banner DisplayedXXXRoot Login DisabledXXXAccess Restricted to Specific UsersXXXSSH Protocol Limited to v2 OnlyXXXMaximum # Allowed Authorization Attempts is 2XXPassword-based Authentication Disabled (optional)XXXConnections Restricted by TCP WrappersXXXTable 2: Changed settings. For each condition, an X indicates true; a blank indicates false Enforcing Strong Password Policy Overview Both Linux and FreeBSD have built-in mechanisms for enforcing password requirements. Linuxs pam_cracklib is customizable but not very polished, whereas FreeBSDs pam_passwdqc is less customizable yet more polished and user friendly. Both Linux and FreeBSD require some configuration editing to apply a given policy. Mac OS X client does not have a good mechanism to enforce strong user passwords at this time. Considerations Similar to the remote access configuration issues, deployment and user acceptance are an open issue. Strong passwords are typically mandated via policy, but often hard to enforce and audit across multiple platforms. Auditing of passwords themselves is not the best idea from a security standpoint; rather, the better option is to employ technical solutions (such as those discussed in this section) that ensure users passwords sufficiently adhere to policy. Therefore, it seems most appropriate to audit the machines local authentication configuration, ensuring that specific authentication modules and respective password policies are in active use. Technically, there exists no single multi-platform solution for the local machine. Active Directory and Kerberos are available for most platforms, but these assume a network service environment, ignoring machine-specific passwords. For example, user access credentials can be enforced for a Kerberized remote access service, but this does not affect a users machine password. This is important when one considers the situation of a user logged into Goddard remotely with a weak password on the local machine; the machine bears a greater risk of serving as a stepping stone into Goddards network. This problem exists because any authentication requirements for directory services do not carry over and apply to the local machine accounts. This may not be an issue if the primary focus is to simply reduce the casual adversarys ability to scan the Goddard campus and probe SSH daemons. If this is true, then only on-campus machines would require such password hardening. Again, note that laptop users complicate this issue. Finally, user acceptance of the technical solution(s) necessary could be troublesome. Primarily, once a solution is implemented, ensuring a user changes his or her local machine password is an open problem on Unix variants. It should be noted that for most solutions suggested here, the password requirements are enforced at the system level, which affects all users of the local machineGoddard employees or not. The time window and user incentive for deployment and configuration verification remains an open issue. The same discussion on this topic concerning remote access configuration changes applies in this case as well. Mac OS X Mac OS X client has no built-in or otherwise available means of enforcing strong user passwords. The NSAs own critique of version 10.3 discusses this fact at length. The following is what we have found: pwpolicy is a command-line utility in Mac OS 10.4 that seems to offer mechanisms for querying and setting password policy settings. However, upon testing, this is to be used only with Mac OS X Server, and it is neither intended for nor effective on Mac OS X client. Mac OS X does include and support the PAM architecture, and although cracklib has been ported to Mac OS X by the DarwinPorts group, the PAM version of it has not been ported. Linux Common to most Linux distributions and Solaris is the pam_cracklib module, which checks for weak passwords via a) dictionaries b) specifically defined criteria such as length and character diversity. It includes capabilities for ensuring a user is not repeating one of their last n passwords. General procedures for activating and configuring pam_cracklib are as follows: open the file /etc/pam.d/system-auth change/add the following options to the line containing pam_cracklib.so that looks like: password required pam_cracklib.so retry=n n is the number of attempts a user has to create a valid password. (This does not prevent a user from merely running passwd again) difok=n n is the number of characters in the new pass that must differ from the old pass minlen=n n is the minimum password length lcredit=-n amount of credit assigned for using a lower-case character suggested value is 0 since these are most common ucredit=-n amount of credit assigned for using an upper-case character suggested value is 1 since less common dcredit=-n amount of credit assigned for using a digit suggested value is 1 since less common ocredit=-n amount of credit assigned for using other characters For the credit settings above, negative values indicate that n characters of the pass are required to be from the specific character class. FreeBSD FreeBSD comes with pam_passwdqc. Compared to pam_cracklib, pam_passwdqc: provides less granular control over password requirements presents a message to the user explaining the password requirements suggests a valid password to the user explains to the user why an insufficient password has been rejected pam_passwdqc is disabled in the default installation, and can be enabled by uncommenting the following line in the file located at /etc/pam.d/passwd: password requisite pam_passwdqc.so is by default only enforce=users and should be changed to enforce=everyone. Other options that may be important include: min=N0,N1,N2,N3,N4 N0, N1, N3, N4 are for passwords N2 is for passphrases All can be either of two values: disabled an integer representing the minimum number of characters for a password containing a different number of character classes, where: N0 1 class N1 2 classes N3 3 classes N4 4 classes similar=permit|deny whether a new password is allowed to be similar to the old one The following is recommended to use for , where N is the minimum password character length required: enforce=everyone min=disabled,disabled,disabled,N,N Using everyone covers all users and additionally ensures that the next root password will conform to the requirements, and disabling passwords of 2 character classes or less and pass phrases seems appropriate. Auditing / Assessing Compliance PatchLink seems like it may work. Exploration of this is on the agenda. Miscellany: Commands to restart sshd after changing sshd_config: Fedora Core 4: /etc/rc.d/init.d/sshd restart FreeBSD 6: /etc/rc.d/sshd restart Mac OS X 10.2: sudo killall sshd; sudo sshd 10.3+: nothing - changes to sshd_config are reflected upon new connection attempts when sshd is either a) already active and b) not active Idea: perhaps signatures, banners, and block lists could be fetched live from a central point. Macintosh OS X Security Technical Implementation Guide: Version 1, Release 1. June 15, 2004.  HYPERLINK "http://csrc.nist.gov/pcig/STIGs/MAC-OS-X-STIG-V1R1.pdf" http://csrc.nist.gov/pcig/STIGs/MAC-OS-X-STIG-V1R1.pdf Corsaire Guide to Securing Mac OS X 10.4 Tiger.  HYPERLINK "http://www.corsaire.com/white-papers/050819-securing-mac-os-x-tiger.pdf" http://www.corsaire.com/white-papers/050819-securing-mac-os-x-tiger.pdf  Necessary are the configuration changes required to increase security. If one of these required should conflict with a users setting, the users setting takes lower priority and is replaced. Replacing other user configurations is viewed as unnecessary.  This implies that configuration changes would not be audited/verified remotely via the network since the user has no access to the network until properly verified.  Notes on how to do this can be found in the Miscellany section at the end of this document.  Specifying hosts works in testing, but only with numerical IP addresses; the ability to resolve hostnames does not seem to exist on any platform. Because of this, it is best to specify denied/allowed hosts via TCP Wrappers.  The value of 1 is used because MaxAuthTries actually sets a number for the maximum number of tolerated failed authorization attempts. For example, with a value of 1, a failure on only the first attempt will be tolerated, and the user will have a second chance to authenticate; should the user fail on the second attempt, the system will not tolerate it and will terminate the connection. Furthermore, note that this line is intended to limit the number of authorization attempts per connection attempt   HYPERLINK "http://www.linuxjournal.com/article/4413" http://www.linuxjournal.com/article/4413  More information on these tools is available in articles at the following locations: HYPERLINK "http://security.linux.com/article.pl?sid=05/09/15/1655234&from=rss"http://security.linux.com/article.pl?sid=05/09/15/1655234&from=rss HYPERLINK "http://www.unixreview.com/documents/s=9846/ur0508g/ur0508g.html"http://www.unixreview.com/documents/s=9846/ur0508g/ur0508g.html  Experimentally, on FreeBSD 6.0, root login seemed to be blocked by default by the PAM module.  By default, all Mac OS X builds come with the root account itself disabled; however, many advanced users will have enabled it. Once the root account is enabled, sshd itself is not set to block root login by default.  Of primary concern is password quality. Because of this, password aging and expiration requirements are not considered but information is available on how to perform this at:  HYPERLINK "http://www.puschitz.com/SecuringLinux.shtml" \l "EnablingPasswordAging" http://www.puschitz.com/SecuringLinux.shtml#EnablingPasswordAging  p. 13-14, Apple Mac OS X v10.3.x "Panther" Security Configuration Guide.  HYPERLINK "http://www.nsa.gov/snac/downloads_macX.cfm" http://www.nsa.gov/snac/downloads_macX.cfm  PAM stands for Pluggable Authentication Modules  A popular security-hardened Linux technology is SELinuxcreated and maintained by NSAand seems to be an access-control mechanism built in at the kernel level. Though it seems beyond the scope of password policy enforcement, it is noteworthy for future exploration.   HYPERLINK "http://www.puschitz.com/SecuringLinux.shtml#EnforcingStrongerPasswords" http://www.puschitz.com/SecuringLinux.shtml#EnforcingStrongerPasswords and  HYPERLINK "http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html" http://www.deer-run.com/~hal/sysadmin/pam_cracklib.html  Supposedly, on Debian-based systems, this file is /etc/pam.d/common-password. Platforms may vary.  On Fedora Core 4, this is true and is a sub-condition of the number of characters.  pam_passwdqc is maintained by the Openwall Project at  HYPERLINK "http://www.openwall.com/passwdqc/" http://www.openwall.com/passwdqc/. According to the site, Debian, SuSE, and recent versions of RedHat come with this module. Apparently, pam_cracklib is available, but several people have had issues getting it to work.  Note that root can of course change this setting so that its account is not subject to the requirements; however, given that its password is the most sensitive on a machine, the root password should at the very least comply with the policy.  In 10.3, sshd no longer runs continuously to listen for incoming SSH connections. Instead, xinetd (Mac OS 10.3) or launchd (Mac OS 10.4) does the listening and only starts sshd when it is actually needed.     PAGE  PAGE 6 $&'4>?@[kvw     B C շޮyqmdYhO hCJaJhU5CJaJh *h]dCJaJh5hBCJaJh5h *CJaJh8e]CJaJh5h@HCJaJhhzhBwhW25CJ aJ h>5CJ aJ h6L5CJ aJ hBwhBw5CJ aJ h?5CJ aJ hBw5CJ aJ hBw>*CJaJjhdshdsCJUaJ     $a$gd$a$gd&gd5gdds$a$gdgdBy> O1O  C D M V W f V W ,STXRV^gd & Fgd) & FgdW{gdgdO gdC D M x y = ? U V W f w H I i v ĸxjbZbRZh]CJaJhJV`CJaJhLTCJaJjhd0JCJUaJh`2CJaJhcMCJaJhdCJaJhq+CJaJhXCJaJhI+CJaJhh CJaJheZACJaJhY{!h^U>*CJaJh^UCJaJh3!CJaJh:5CJaJh"OCJaJh'CJaJhY{!h#H>*CJaJhCJaJ   ! T U V g k p z 9Z[\ (ظذsbZh3CJaJ hnjh3CJOJQJ^JaJhY{!h3>*CJaJh'CJaJh^UhiCJaJhlCJaJjhA0JCJUaJhI+CJaJhACJaJh!CJaJhJCJaJhrCJaJh=CJaJhiCJaJh^UCJaJhoKYCJaJhJV`CJaJhLTCJaJ#(ejnw"#+,/CRS϶~mbTPHPHjh%xUh%xhCJOJQJ^JaJhh8GgCJaJ hnjhV)CJOJQJ^JaJhV)CJaJhW{CJaJhw<CJaJhwCJaJh9CJaJhACJaJh'CJaJh]h'CJaJjh7G0JCJUaJh7GCJaJh{1CJaJhaCJaJ hnjh]CJOJQJ^JaJh]CJaJV.Z[!cd & Fgd~7 & FgdL & Fgd8E & Fgd & Fgd6 & Fgd'^gdG & Fgd%x & Fgd%ko$a$gd%x^gd!,.EFXYZ[\t{wog_N_Fh*%CJaJ hnjh6CJOJQJ^JaJh6CJaJh%CJaJhGCJaJh%xCJaJ hnjhKiCJOJQJ^JaJhYCJaJhKiCJaJ hnjh%koCJOJQJ^JaJh%koCJaJh'CJaJhACJaJh)hZBCJaJhCJaJhBCJOJQJ^JaJh%xjh%xUhmHnHuU[ko}bcd~vk_k_k_kvWLh8EhGCJaJhCJaJh8Eh`9i5CJaJh8Eh`9iCJaJh8ECJaJh8Eh`9i56CJaJh8EhLCJaJjhP0JCJUaJhxn%CJaJhCJaJh6CJaJhgCJaJh6CJaJh*%CJaJ hnjh*%CJOJQJ^JaJ hnjhCJOJQJ^JaJhCJaJdeiwz@KanopqrijĨykc[cPh~7hGCJaJhOTCJaJh1WCJaJjh8G[0JCJUaJh8G[CJOJQJ^JaJ hnjh8G[CJOJQJ^JaJh8G[CJaJhhCJaJh~7hACJaJ h~7h=CJOJQJ^JaJh~7h=CJaJ hnjh*%CJOJQJ^JaJh*%CJaJh'CJaJhfCJaJh%CJaJMr)z{CJzgdgdO gdTi$a$gd8gdAe & Fgd & Fgd^gdG & Fgd8G[ & Fgd8G[gd8G['()^v(9Fxyz{ꭥxg_ShY{!hxn%>*CJaJhAeCJaJ!jh^h^0JCJUaJh^h^6CJaJh/cCJaJh)CJaJ h^h^CJOJQJ^JaJhMCJaJh^h^CJaJhByCJaJ h^hCJOJQJ^JaJ hnjh8G[CJOJQJ^JaJh8G[CJaJh^hCJaJh^h%CJaJ "*35d}l}l}l}l}^}l}^}^h)CJOJQJ^JaJ h)hCJOJQJ^JaJ h)hDxCJOJQJ^JaJh6YCJaJhUiCJaJh8hGzCJaJhoCJaJhGzCJaJh{CJaJhDxCJaJ hnjhDxCJOJQJ^JaJ hnjhAeCJOJQJ^JaJhAeCJaJhY{!hAe>*CJaJ# 8IJQRhijkuyz~пzrjbZbRh!CJaJhnCJaJhTiCJaJh8e]CJaJh8hb6h8h86 h86h}h8hhOJQJ^JhmHnHujhUhhqlwCJOJQJ^JaJ h)hDxCJOJQJ^JaJ h)hKmCJOJQJ^JaJh)CJOJQJ^JaJ h)hMCJOJQJ^JaJ~PW (:>NWcgpòòѪѢٚxsk_VhT+6CJaJhT+hT+5CJaJhb(hb(>* hb(>* hO h%xh(9hTiCJaJh<CJaJh25CJaJhDVCJaJhCJaJh(CJaJ h}hTiCJOJQJ^JaJh}CJOJQJ^JaJh}CJaJhTiCJaJhnCJaJh!CJaJjh}?'0JCJUaJ, $$Ifa$gdRg{ $IfgdRg{gd#*-demn" ' R X Y n o p q s z ƸƪƢƢƢ}yuujfhh Uh9CJaJhvhGhhl)hmHnHujh9Uh9h4CJaJhJACJaJjh}0JCJUaJjh)0JCJUaJh}CJaJh'+CJaJh)_h9CJaJh Uh96CJaJh96CJaJh9G6CJaJ&,-K/& $IfgdRg{kda$$Ifl\d ,"8   t(044 lap(KLMNOcfD; $IfgdRg{kdJ$$Ifl\d ,"8   t 044 lap $$Ifa$gdRg{fgopD; $IfgdRg{kd$$Ifl\d ,"8   t 044 lap $$Ifa$gdRg{D; $IfgdRg{kd$$Ifl\d ,"8   t 044 lap $$Ifa$gdRg{PG;;; $$Ifa$gdRg{ $IfgdRg{kd?$$Ifl\d ,"8   t 044 lap # $ % & PG;;; $$Ifa$gdRg{ $IfgdRg{kd$$Ifl\d ,"8   t 044 lap & ' N O P Q PG;;; $$Ifa$gdRg{ $IfgdRg{kd$$Ifl\d ,"8   t 044 lap Q R !PHCC20$If^`0gdQgd$a$gd9kd4$$Ifl\d ,"8   t 044 lap  !!! ! !!!-!4!6!J!T!~!!!!!!!!!!!!!!!!!!ɷۮҢwwwwogowowh@CJaJhJACJaJhfCJaJh9GCJaJh)_CJaJh'+CJaJh)_h)_CJaJh Uh)_6CJaJhj6CJaJhQ$6CJaJhc96CJaJh!Z6CJaJh96CJaJh9G6CJaJhT+6CJaJhT+hT+5CJaJ hh9(!!!6! $$Ifa$gd)_6!7!U!/& $IfgdAekd$$Ifl\d ,"8   t(044 lap(U!W!Y![!\!p!r!D; $IfgdAekd$$Ifl\d ,"8   t 044 lap $$Ifa$gd)_r!t!v!w!!!!D; $IfgdAekdk$$Ifl\d ,"8   t 044 lap $$Ifa$gd)_!!!!!!!D; $IfgdAekd$$Ifl\d ,"8   t 044 lap $$Ifa$gd)_!!!!!!PG;;; $$Ifa$gd)_ $IfgdAekd$$Ifl\d ,"8   t 044 lap !!!d"j"k"m"""""""""""""""""""""""D#ŽofZRh,{CJaJhY{!h,{>*CJaJh,{5CJaJ$jhY{!h.E0J5CJUaJh0:5CJaJh 5CJaJhY{!hj$5CJaJhY{!hg5CJaJh 5CJaJhC_CJaJh ~CJaJh Uh)_CJaJhvh%hhh9h UhJACJaJhfCJaJhQCJaJ!!/"1"3"5"PG;;; $$Ifa$gd $Ifgdkd`$$Ifl\d ,"8   t 044 lap 5"6"]"_"a"c"PG;;; $$Ifa$gd $Ifgdkd$$Ifl\d ,"8   t 044 lap c"d"""""""PHCCCCCgdAe$a$gd Ukd$$Ifl\d ,"8   t 044 lap D#E#M#Y#]#i############.$/$9$$$$$%%%Q%[%t%u%%%%%%&𬤘xph`p`h CJaJhxCJaJho.CJaJh)CJaJh>/CJaJhnCJaJhj#CJaJhY{!ht5>*CJaJhj$CJaJh,{h,{CJaJhCJaJhKi.CJaJhVCJaJh=CJaJhD<CJaJ hh,{CJOJQJ^JaJh,{CJaJhCJaJ$"$$$-'.'8+9+,,---..//H0I0O0111s2{2 & Fgd> & Fgd> & Fgdh.gdfNgdAe&&&&,&.&3&9&?&@&A&a&i&&&&&'+','-'a'i'''''(^(k(l(s((((()))*"*&*)*,*T*Z**ะиЀЀwh&6CJaJh&CJaJh&ICJaJhnRECJaJhEN6CJaJh@CJaJhy CJaJh~uCJaJh,CJaJht5CJaJh:(CJaJhf*CJaJh|CJaJhxCJaJh CJaJho.CJaJh/CJaJ.*7+8+F,T,U,s,,,,,,,,,+-2-3----------..O.`.a..еyqcyjhfN0JCJUaJhfNCJaJh)CJaJhfCJaJh7&CJaJhPCJaJhBvCJaJhY{!hS>*CJaJhxCJaJh&hrCJaJhMzCJaJhBrCJaJhrCJaJhl) CJaJhoCJaJh CJaJht5CJaJhYCJaJ .....//X/[/^/e/o/s//////////////////0000 0ǿǴߎxpppph`hXhCJaJh98CJaJh)CJaJht#CJaJjh 0JCJUaJh$CJaJhXCJaJhmtCJaJhSh n_CJaJhSh;}vCJaJhSh!pCJaJh n_CJaJh;}vCJaJhZQCJaJh9CJaJhj$CJaJh)CJaJ h)hj$CJOJQJ^JaJ" 0G0H0I0O0Y0]0d0p0q0r0~0000001i1j1t1u1v1w1111111̶ԝԕԍԄ|tlt[tMtjhM.0JCJUaJ h)hM.CJOJQJ^JaJhv|CJaJhM.CJaJhC_CJaJhh-6CJaJh\dCJaJh CJaJ h)hh-CJOJQJ^JaJhLwCJaJjh0JCJUaJhUCJaJhCJaJhh-CJaJhY{!hh->*CJaJh!#CJaJhXCJaJht#CJaJ1111111&252G2r2s2y2{2223 33'37393Q3Y3Z3c333ȵ{s{s{b{Q h)h'/CJOJQJ^JaJ h)h0CJOJQJ^JaJh6RCJaJh0CJaJh:_[CJaJ h)h:_[CJOJQJ^JaJ h)h>CJOJQJ^JaJh>CJaJ$h>hh.0JCJOJQJ^JaJjhh.0JCJU^JaJh)hh.0JCJaJhh.CJaJhh.hh.CJaJh2X%CJaJ{23 3Z3c333334B4i4t4444555gd5 & FgdYF & Fgdn/ & Fgd  & Fgd]qx & Fgd'/ & Fgdq.; & Fgd0 & Fgd0 & Fgd:_[ & Fgd:_[ & Fgd>3333333444A4B4i4q4r4t444444445585@5A5E5S5c5k5r5v555ŽŽ޵޵shZjhYF0JCJUaJh;hCJaJh;h;6CJaJhhCJaJh;CJaJhhn/CJaJhn/CJaJh0wCJaJhX3CJaJh CJaJh'/CJaJh]qxCJaJ h)hq.;CJOJQJ^JaJ h)h'/CJOJQJ^JaJ h)h CJOJQJ^JaJ#5555555555555556N6g666666666666666V7ͼ}uumeeeT hG%h0LCJOJQJ^JaJh%CJaJhH&CJaJh45CJaJh9JCJaJh*'CJaJ hVhCJOJQJ^JaJh~6CJaJhCJaJjhX_0JCJUaJ hVh5CJOJQJ^JaJh5CJaJhY{!h5>*CJaJh56CJaJhYFhn/CJaJhhCJaJ 5555$6h6666i7j777828S8i8889#929A9 & FgdS & Fgdc & Fgdc & FgdBgd`gd5 & Fgdgdgd5V7g7h7j7z777777777881828A8R8V88888999˽٬zzozdzVhCJOJQJ^JaJhT$8hSCJaJhT$8h)~CJaJhT$8hcCJaJ hhcCJOJQJ^JaJhhCJaJhhBCJaJ hhBCJOJQJ^JaJhBCJOJQJ^JaJh5CJOJQJ^JaJh5CJaJhICJOJQJ^JaJ h)h5CJOJQJ^JaJ99"9&91959@9D9O9P9d99999::::H:I:P:X:Z:|:}::::::;Ƚnf^^fPjh9P0JCJUaJh [CJaJh9PCJaJ h [hgCJOJQJ^JaJhgCJaJh= @CJOJQJ^JaJhICJaJhCJaJhi~'CJaJh= @CJaJhm;CJaJhT$8hm;CJaJhm;CJOJQJ^JaJhSCJOJQJ^JaJhT$8hSCJaJ hhSCJOJQJ^JaJA9P9d999::H:I:;; ;@;A;;;;;;<(<M< & F gd  & F gdn & F gdngdgdrNgd0' & Fgdm; & Fgdm; & FgdS;;;;;;; ;(;?;@;a;i;;;;;;;;;;;;ʾ}qf^VEV hh)TCJOJQJ^JaJh)TCJaJhOVCJaJhHhCJaJhHh5CJaJhHhZB5CJaJ *hrNCJaJh{eCJaJh"CJaJhrNCJaJhY{!hrNCJaJhy=5CJaJhY{!ha 5CJaJh0'h= @CJaJh= @hC_CJaJh= @CJaJh3CJaJhgCJaJh [CJaJ;;;;;;;;;;;;<<<<,<.</<0<C<L<M<Q<R<T<U<\<Ƕ؝|k`XMh_[h CJaJh@CJaJh h CJaJ hnjhhCJOJQJ^JaJ hnjh;ACJOJQJ^JaJhPXCJaJh CJaJ hnjh)TCJOJQJ^JaJh CJaJ hnjh7OCJOJQJ^JaJ hnjhECJOJQJ^JaJhKC~CJaJh+CJaJh^ywCJaJh)TCJaJhCJaJ\<]<`<j<k<v<<<<<<<<<<<<<=9=:=======>>пطدymy[mNmhTNEhTNE0JCJaJ#jUhTNEhRg{CJUaJjhTNECJUaJhTNECJaJhTNEh{ CJaJhtCJaJh}{~CJaJhZBCJaJh hCJaJhlCJaJhCJaJ hhKqCJOJQJ^JaJhKqCJaJh_[hlCJaJh_[h_[CJaJ!jh_[h 0JCJUaJM<<:=>>?@@AC/DE FF/HHI"JHKKLIM>G>H>>>>>>>>??@@@@@pAAAAAABXCeCoCCCCCCCCCCC京{riih{6CJaJh56CJaJh(ZCJOJQJ^JaJh8G[CJaJjh8G[0JCJUaJCJaJh5CJaJjh50JCJUaJhhCJaJhh0JCJaJ#j4hhv$CJUaJjhCJUaJhCJaJh:CJaJ%CCDDD-D.D/D0DDDDDDEEEEgEhEiEEEEE F F FFFFGGGGG-H.H/H0H;HxHzH{HHжضжضЏЏжЀض|thTNECJaJh.Ejh5CJUaJ *h5CJaJjhs?CJUaJjhs?CJUaJjh5CJUaJjh50JCJUaJh5CJaJh50JCJaJjMh5CJUaJCJaJjCJUaJ,HHHHHHHIII"J#J$J%JyJzJ{JJJJJ KKKFKGKHKIK|KKKKLL9LǿvgvYh CJOJQJ^JaJjMh CJUaJh 0JCJaJjh CJUaJjh CJUaJh CJaJjh 0JCJUaJhjh0JUh5CJaJjh50JCJUaJhTNECJaJhTNE0JCJaJjCJUaJjhTNECJUaJ"9L:LiLjLkLLLIMJMrۤݪҌyŵ*Zjrךfka"r]n7^u_/Y{'߼m;eLÞ=\Þ= 4Ӽ|4/|aT26ó5dds&$OvP&۔2G2فD$1ٽs]2 2Z&dAKM.gtŃx$d[Fe &aM6lyɮ&E۶q3 2~&9̊HyMڙd[d͑k|A'9bML( -g,`lQGrׄMq+19l &.OYgF%%bD"FUm zʾ5k|l6 j1@u5_Nw&}w\骵Z?[ dԚf] LĒ4Z⾨)]5qk[YO'bJlff ̉T*mH[u=Y&ˠ9ٚP‰&J{8,vbeg md~O`qLM9}zHfԗp& >F?}25̡AK'X: lʠ>&;dzd-;i\aHlq2j|td{ H6q,Sʭ.OllF_ܲ' LNKwmh|<QAtl Yl=7heO'x#ko{ܬo/}cOd2Zl069S$Qkq:\qwws">lBa/b9iOM}yقX0}1$6m;sH_*m8o{DɷNmЏ,}^H~5S{Aw7[Hbju{t2`5;QYtj <1SQ#/D#<8md[r-ZJw`0a",kl=5hv%C+ͨ#gAyrը^69+aD&W烡@3!GإMlؒ'&:i3[<sM.{dd9H~dY6q5]`6cY[/l6+ɯY|sbjY&St$}FRk-RqՇH0 Lr6ȈdG Fs<vFCH>JGe }.th"sXd+s4Z2אu5Q!dV$/oȇA%3IX4:/:?oj1s+]t02z>-n'#lY?8?]OX{x_ ʛkb}<_S*Vvp_ˆO|5$],o 3uސt}|m-6SMm#Snk"gFIM|gm>ʶk=AT}>L䛢y<+Nj (8o7vlݑOg5 o_i ׈fc_G4ɷ䣠jb3њL >`$߷2dƆ=|*ΉjHS+#~!&Ύ^11 zƶS"Nɑkd`$] [.vhPcAIvSL+p3ܢPsi511jk]QDZ& jF}ʨ-E)[~*:iC}X{j1&'aSF{wFv/&-hX6w,"*L`S_~{ڏmK|g7?۷]&wٸ#lHb$$r[ɸ2kreüp| FZvAlNbMLٕ'‰QO^H@XiN֘5IOܖ6xΚhۈKG,St91d4^QI|kq8ygV>,@62Dl N1RsZt~Ҙx}+sTBFt8YJ,+hM(o D{skW@j@-v\у" 1[gcf0ywl% c7Re3n pL`NMf#pF;ln>\ [ۇ6F-Ժe$+"vItFR$?Z0x8| 2!J睑l&nk>W36Vp"DW F|\ $?wk1"k=WBr' gx6 `KB5A|]XĜ4 ;#Z๑|LnBֈeوf$Q  9lG"t>^6'=l& X\1eD#FcWk}`Qh:G,##0%2+ خ' &fKٔZla2An4`0 A6lΚ|$H1ٲW d:B&;Ȉ=2ǥ!Yf{R/hoNNDŕ;m۶:]6 2?)wa۞7ig^Kg_xXbiXlg3<;>&|ga3 q2e-lLΏevu?e{<['v^6n宪\ t7X㡘?pHd9c[p |/',vX d:o<'ZS)7ϡ+ ;ƭGl{yDNX(qQ98-Vnm٨<5b3[&b-|N&ۯM6mI><n[[2)wّDZ-rbiHp"''wK<#/X\VC&kCL&ۯO6XLvB>c$#x";2<#sXq;n13:֐p5I\Կ@"CPnDg(Y摮% Y v.j‹% \$2[=x~̃{KGV?{#_c+@tY&RXmr"p:Q 'jIaWzuk­Չ,pƧD(S5/:Qd`%'ѣeEuhz‰ /uD&%smHR?,`KNԢDFX5."x~k5JF䭮.98>Jc<ЗΡx魋Sís(S:^4e qϠc|߿X|?W~6*]3o=+ow_ؾk͒ &<H/ywGF-N,8R0tnt5hX* gR:c6 cE@kVq8 |,c|M/71Bو+`!>'">#P@EcQ3cwqNhFrfO /1Ґ5rcG5;̚[g9LF} MzfgipكWsnWa4wq<A,`c \pENGbFYK:0j-*lsJĔ/N_MvLl^ls-NwhǮeÞ(`LvI?'%x^mܨce_]EY }-Ƌ*{#Jח<\.9 Dv,?"t#}IS*bǵ  67$dIIjUx@e%}^S8lOm6_P@utT~jg?0CBPܦ`$`_m>Y91hvK4Kl:dM)J)Rx%aftˉ(-!|Sb ĐNp(>?51>Drnh 5~cD$+(؎ŚHɉ}btbS'U$fv_4bX9 v8  9,Ad@5FY#tD#c*x&&%f6x؆Lք촁1vY0DlSx(Xj؎:Ր|TrHK~Oo )H޼^$˟H!g>a*([qGȽX<+d"g2d&_0ɹjPt^ "0 3WǮZ@!O(wk.)fjr] acv +A5x HB%ȭٚwF嵑n_"YZ_>2"> M*|1ys^sH7v>&[;_u_zW_w~PgLuy_Qmsxق%jrG"YwE8G}cE9Sʓq~]$ԡDJsGw͵ב~oߗ N| GD9fiOٿ@Qtz[&5kwhstߚqAl &kwOP}t|dRk<}Jd=}V-pפ& ŲjV+>A4c ~!M)Lh=q< EIg@v_Łlnr4>Dz.Qi!ȹm~͆ &ZuɎ\F_ґ"0CcMA8ӊ20 *- J grf<u3٭~nm x|X&[?R6:Ye]f=j*}@Z\.|%|iU=hKsg?_,./?N]o%!X1 +#7ߨ>Wouӡ?(JNWosy _p1Tx6 >7?~ W~G_XJ?W x~MJF4o6R{)_TrPHf$C0̸rMʛ~s}O18.G򗿻;9֣nv"w$o}Z4<_9U\ YJR&tuk ++m<\ L!BL6P/MhVQv!h\C(|!7fne翈Yp5CeFII4[0B;׶ʴ>2?2 5gӣd|Bz\uϿİN0".2Nd}td ?roꔬ|jBHEf 2+dX\ Rͯt* q1VY!t |0 |:hx~؛ fmԒ~wgu ϵ1郟a*,k.<ƙ5wԲg7*0qUj WX+  hp5s׺dIa9S%B / <_j.maQttkϗ(<|'|+k|hotPG3%[zћͺh_uf{X;h ̓MKӿD} |Ssz9W}~~ʭiɬt~?NH/#d)ko?M(aawe7zDk|dNmO$o- ӧoc#W?.|HJٍZWy{BpNѣL x~Z#(K#BF:pTI~H5/_Vd4T+|.r.S62R{@dQf='ww\E&GVEre|ɆY~%Fj!qk<b6?,6VM$0E<[ŝO?@Wx~i qH/un?9E, $xϲcU>C=pN6VWW?ɣ{k 3YuIr7LG{Letv~)X=n+ GO[1iU~j9Y-]bʯ9}|Oܤt>x>owg{v`<Rx~:I2Mt)k]INٚ$:=p r4L[Fl)x~Wۯ|`n_k3q%nr\V9Y Lܶ)耔@lb=d|Q}0]dD&g<(x~$xF|nau\^bͻ]FF$ל.5M61\ʒ n,C_ΟFIj1lߋ|G8ٜ7<+jh9YWh9Y2J*pb->/NL6\M=6ϔeCο6gb ?ߋB@l:;ZMUxyhf0~M ~Y #m!STSe|lS3H:3~f_P=\] 7 x]WhxpHH9e!\eAٴ EJ / B_>l"7& tAP,0J[A*oq:oˑ5[\Wr[,{tB#7셱_6;i86X@T7z,4Yo+'zR8pvlI!Q .`Vx>'*+?881!u:CL6769ݭ F[e[IJ֦ik958H%`﹥ݻ^'@.X;:~@X+5ƚ5D]|^8n1F( lA+<_^S  j`#-/=`:x~O1_͚ ЭF s"`j'g(ORhdc=)s8l)T.2#*۳ӚYϯmW@[)/b7x/0µϷ/Y}n|_㟙Co>W} B_gu+CY\M8`Ib{~'Y?G#A?H?]>-:d5kNh'fbW[يYQ5n)2װ$?70z9bvWAH~F#$z̓DSB;"VmP4ӐY~2!b=`O,κWR@v`L*78{azH:ӄ*2R]dEyaЅ"(U|+0`r"6 N<ʇC2g (R3V1s.qwy&bA{Z̹L)Vy0e F=SFFV A'ب<$@3vVr)䂤R6`LBRhCMs(MjA[gͩU,'# exoxb-amȀIڐU7~_W/^ݮ<_/!Xg?\?S6~3E2v} 9-@ _wTۡ xJR9xU?Fb U^(#Y@Ey1յg& +Fpa&k):J@ u¼(g)e8S2@2|rh/-Q 1ѝrkQՊǨpTULCB\U0sr"V‰WQrkOn]RxFmIUP 60hgP] ?wY9(<Fwj΁_RduO2"$C{k-B 0}!C;Q#3$FB"QUp-J.N,bq խUX.˅T&鬜\z9WOio:KbHI'UGc;~sX*vω130L+`5aըDN9z<. |K(0xѓZD>)."]}T|^t~[{!;'`^'/:b'S+' [dԚrGuLS57 ͬ>Ɖ\pQ멝'{%j&&tw]m#L[vN5:c%?y*jL0 O4'֋(L^`NM^cn!8jQ%` zwf١ȣ?FNW; WIqFn=ɶQs<(qZl(JXmmc<Pwvĉ);4[Xe &:o'#('F|2p5ī/^قWl}3[jθzP保&wJq"JՄ=wi7~WS]6_.E3_F\Mᨆՙ#|||~~:vR{Ywཀ!.ےn(ٲyAFEjTPZ_N L Lljß}nVر ׸~2۽;9a?fQ"0ְgH ' J͛;歀Lm~ j-b Ef~lAQ !r5 UhCǟ@W$tSPael:b,FoDM Pc .V[Kj\Txl7p ~ ]D|wlܲcT.M&K-UGs5G^jj E%Lݣ_+pwٍ5rW,߰矊` "j/H%*aYWʟ]{qiY_9WyկKJ)`Msb {̓>R UoWlCv\mH Cps&uCoyICq2aQi l$q"k"ot}mB^cX3ZXʤQi*txF*~~&w}]O,'nonD4Q|tҮ$Mm 5&^[bJn yo ֫qN/Ln"]{zN=z[,cmI~O[I' m>]0 H_QלaK %|  ea|d?c^xnQGt-1JAnɶ+s,!/=Fv~>:?ʑ,Ulw|߻O _CxVijqN3"[LtDT q7_r/_ANnн|}K";O`O29}zŠU(ACv\s1R<_d]ÞG)[uFW yJ%I8[?kI )MѲQS H`aAKu>N@V\>=2rn/Ե@iNV$hgpVU$am +dnꈪ45dy͚mMaGNu+d<8H2#ގ8|J9d9Y,JJ9Y&dP@ ~G)[Ɖ|Lmz/ךF;+GXhYkl +C7'߮=zϗ[/̇mzbժ>n X#[zQ-73z'Tƶ@d׶Lڮ+#['߰X}4pێ[ľ_|K'&-5& GOЕ]n^k x+iNfKN@?dT[k!u)m.utT:yTcyB8 Z=1f>噥4fܯK~ RZN(HcBO)q$ .uV F;tH`+W~{p2`pr<ĻEGg7v.m<܁y00[+G]~իl۪B-s'+$J5e9 8G(Α>lτ[y †p5{Q*TL U7dX\}fs("^xfG~]1ƩUkIYkbp=}cT_糟737n8'P|'>r1RӃiRkpWC3qgRq[bN9M5̿/A&b&E{PÄhX־ QZGlk\AIOdca\TaŰX1;5zf]Em*`BS"D2B1SmbHO7L:H pOUvi|>i%Vւk;glH >;`1To:_UۧOuE- ]x+g@tRLܦ6Wa},T?5Q e[zܟ[v9ϧo( =}fK==*Ki _-5PgQP6*ui~9=^#X"55i/ mRBކ878+xT̒t%@C?Ov$#E?`远NQ,LDBtk/oSlx/VW9?^;"?Uc=WQC̔ZjM1M(qer蘬g{?_$cr?Zղ-7_I2QO 1Tk2w}iMR93x" ڑ1FZG~=}2 WDSg^;k]V+ot4Vukr@>V+eŲTx-G3,rme$[Ġ~rLxe ?kxzW>_޾s^oۿ}~ _ժS?=/_q+9z(PrkG{Qox?҆WO}UOʱ?zcn^ՏeBÖI׊7l; '%'KBq?!nH((h3ڊ6(=doT0zCMdanmo8%Fp7QT[cMzKXˑY)'mHb:]ro$ GTeY*kp<e0,nY6.^WiTq~ЮV <.o-y2r5 h2UdsP:䓿]Tސ-@ 4 mXjHg#Q&QB9t~#'a:G|7o&!E|CUen~՛W_Ƅ7 96o/'::^7_u\VP]!C?{=/^z➟?os=/}{>OmX7T_s& gB|1ÅߛtH5ٕ 5hOJ 1x72#[G$D2TX=U!q-:k1]j~w4lU zսl.X;z3((%_jQt>9=Q" TPu=Ͻԃ=~^3w>?KoxmyF}5{jP2%gސ4*TFC^  x;nzut{w/3,F,yx:ϚIh?}!`4P6=e8K-5ɌX<`Xl;@Ca2:< ѲUI hkA8eFȳwpyl|脎^3x|%x~, o;ȭ؎$WX0oUCdK Lh;TZR??ְZkӭ~Y "}0t*,,?:OB漥owR!+WJ@Z&}RKpwxӉX& SO\s6e٣߱5 $߫)e =SJ=S2+1Ҟ)W/۱KO_sFo~[ڽlWy{D}wҺGO?u_ַ~yǙ|W9W7>_?]zv#>,~rǾKzWϽ䆛^m羼K߀PoG"YIygGo;ZE׆Sx6og[pH֠luP2TeYePD­"%1΢,ZT30RHVoLƄ1yo!@"`kޞg/RGdIxjZ>~iV/CE.hZL`LzM^JiUxYZ2~-α@I|jSkjKA95[|/x H^h] ǃd }hfĥ2Z爆e[+q]7g>tݏ|+/6/x.ky~}?ɚ`C?X?ߒLO҆{8X^蹷I5/vJx}9bJ=1^5&xϏj|P6°9IŦ,D坵-\qKHOj%}Udor0ඥ|r9 {<_a67zSzUƭRDa/0P'%Fv~7h{R<$n4šd:8RiCX%v>_ p" Zn8~(v_ㆫ ֜3yweb˅o|&klNj Iq~ ہi 4hKn-.ӧ_vS~t@ eTdL+1&$F!x><K;X;y)~?/<o&B,Zv$\.oH fi}=~#ЂZOo2ķƍv[bmDCg# F%#,pfkq m C$}txs)}9tM+0V>GӧۤҔPQ4%y}R}(ۑV]XQ΢\ u4<_tB`hPS6Ω[.llDC6NLJk)=S x3X;CIBzF V@:CB:GP/vV֘FfRdkh#x=a`Fg xPb"küuZ{̝DG̟ڿoyeORPWӘLOåsuOop>:":_4koNqM+]C2<k$NOY\X̀[|9(:c͟4ev9d+`7+o)=Fw9#߮06>Yr+ʾ>#^|ǯ}/iFBBvJ 7$LCNO*gGB(@Q+~ p91Qo <90'";+m 1ĭPqCJW*kG#Y_ѩELlGjEĒޝzBaP'K2 aX@5og{OxC)՘3(g9/j&]wBN6#,}7^UjF |A rSVT¸-E(HP82uF'뒯ȀnO6D|n:^Lh:a}Wm?z߇iq5~K<,)b >S}UTڡE+>#HgiSI6BiyNuV\NrWS"5Z(<ߜU9dOk-YAKqT`.Y Z*>`*Z ٣jH*J:A돠_QN5th?]u)΀E|coADfP&6 OKjBݰM6D$ <[/|*%:_o>A8MӒ:ZQ/` d +.| _CBhD%Krk1\LQ]aq%3Ex-:Q*55jdE|9\{zokiVG懩r%?JBCvM_~Uᗪ/wi#+rئI×IjNvQZ'hZ//tj fov~uQ}I'葘;^? ζ(c2uϐ6J6X/Я^NX^~o'hU~zz<•i%qxDm<"C8:A \M)q :A;[UDhtnht5 nVu]@կ90yC;GʠunexZ'lp,;Ko:AG =A;4xQ̾||y.4afN ɺk~O4hnpNG: Zgq'hʷH'h䠺reА! zw:Ȍ>I *ի~" ՗(s!iߒ,́6m4Thz^$ϕNm@N) !uTs %h;A?@ :|`} ߕE戅 r=FʄN> t3$HZyFN\Q0V/LWFnhSvy}OMpETQq5 NE~>x?_դ}:rzV4S)%7v Ii+2W=NФ|L+'Cao}l )ռ֥x`:'Nw9>{tT%% T&AڄtM1KfV)^)1o"3b/X7~EKGZ|F#O]zgCܿqGY;o \U91]5=)tfC5κ(:A{(G޽*"8P`KrhbŪ#zV.8*qb^:A-$tNВbІ?iu" LIaixWR@$=)He02'_><7Oolx4 QTQ5Z7ZɼBюjKZN^<RcP<טH'h:WL?u@ݾ2jpdIі2Olp)r,ybhZ;-v.z(?sD˺Gj־'{sMcRiåRƟN].UWA tkNo'"JSZՑU|{_[2N: UGT'hiLK:Af]$v|b?ǨE >o[=qesW%-Mۛ}G7[wM@[tO&u|2IdAT] ֫K>JSm0N=:L Qv*MN%ZoQ:AK t=R`yق<'ц5`81Ljtw\Ih݂NЊ"xQ6K ˒BDcIdGnГ//U&^Pxtvb pZ%U߮F=mɧNEK'!tG"Y|أEBtXm }͚ZY #J:A'V.R[2+H̿{ oV_rl|Z})ll+n-\Տ~/n4FԐ9:A; 寣\ؿiDRtDT'klI{o'LMG>/۪N%_Q.}Ь)tۺu :/A\|OXt~n+Xú߀De- I▔*tRY P#+ )^l FZoN :iQ1TSx_:A,awtwཝ]:ȾR-]kJw4lzq!s%?<Лﭴƚ pƒњj0W8D'hMUA+mNЪ+NZZ:ASM&Up.Hu,o%7ξm3SsxdU{lOȵksusqng=/JEIɾMBl mij\ ZnB\ܳG.Ȼsk֓nD &H'Q$;:@q"X}@>mV /||>a*\"D 쟼|J3B`֖z"ec-/譅'FQ #DB%z%s"W-lm6.xz#[8Lt}݂$_GMn={# 脵k9l" vx)RVWS$ BWK!ɞScsN>R<_Mn-HoM ¿b PSqQ'o,oL>ϲXH~x7y_OY6إK *Σ|q ́T'hEM4ᒪ 7~4("jQ JJ'hw7;tFuLvi`:AӴ0G\JS_'<~ ڪz߹^,6/"r0P?+ۻ'hB-K|z#J'訤$|:A[] p/J~рדS-%=GJ'hwtI_ y~"zU&n;L8yp}^X냱ZFh{wt['9)DֽbK;Aks(#.ݼ z]?Ww%__,<~.^y챧nc}Wek_oQI?K=u>RzciNЋP~dU.|ALڲ.Q="V0ڹ=<B}қP+Ҕ +<_ktPl`f*vޢU!ܰG\tD 0/YqjzbK|҂AZ`zۑ$ pWT*t^2zHсb,z5X*{ރkUCdTo]-ݼ KE5H=x05 0RJZ4=mF`Yѵ\ɿg?O~~擿mzb7 _{ [jSslSU}ח]ZWL~|/]Fڹ(\gNcV t ϧ96p!aT-|9ULL-9ɧs ~W&Tk:A_Gwv}WiLa0ɉ481x%/دb*جhЙGb1Rd/(}2" S&e2S}d{t IoBjB&Z9*uיb'hiZB]xNP:.v&;}o#)r0]wϽ䯽yZQwTs Nj/)kES'J:A#H8ZV[De 靠u#(HZ'RutBFTe/XTz~o]NK;ArPaBEi`L:L3Zߺ0U.C]үJ:A/ &)Z$K*MCP\'u+4mMQ (M(] zҺ :I'h8A輏rѹy]9o^:A/vbL]QԧOl"^WSVLyjRǚPKٗX؉yBK~/۹{'NWu,*Ak?']/tҔڶm Z/MEN~#$f;Ai`jB];AgY`O[۬tI'~t{rHݣ:A۵N@w蝼һ5^ :Qo[WzFi͹sD8%FzeTMM Х"]QTOtN:Aۥ-mW\X?a$bt:A߶3<C p)M&(Ӯ:G u^)]AM'%x3IF&ڶr;*'z;4uVBuVx Z4\R~tPi*Jh T)tכ{b}Y&Zve0>Yn?t$G#SPwcOXO^p~YVPVUx-: J;ACW\Mi S쁮UTx\6mkzݔ@|:AӚSPD' NЊ@1)CZjFN<_.5AS*ltJC{ȬDCv .KY`ti'h*tȁZ TˢIQ2ST$h>Yc%FJSK;A esPztzQ' _ %+]CiS3 ϛ/'MZCJGEN!,W:G҄'+uTH;ASiJ iSœ'k"S%Uc :u&[uF߭. (Luo@'hU'h󋝠tWG`e/.q([6w|#gM>Χ'7x8[kD>s?7oV_C?gX گ5sv%+́6D%!́ØXė' ӏS5αhCekBiN>fx4⥝NЎN$]ߵʅNL{:A ftnxlZ-X?jtf["PbS>77(:=ХWƦm͏c}\'/L>bŹ^?w'D'3O' 47 +^ 48́V<4Eh4ج5xJѓ8Eq4|ᨯp"$&; uͪ}sez]f' rqxoj-qXvr Ί;q%O*É|G-B'>C"G2 uŧ\=h% $w䊤!5lMf ^ <99QP) ::46pzj'Xc]:AӗY\,zuҡ>97(M V&[u>J'h20Pɞe:3l폧}9,8sh"@: ۑ{ %BAZ.pU%$õ r/=l+O}-v|f߾e=̝s_? /U?ܞ;A+͢wֻ.ņ9p2~gըZ~\ҎY{ۥ]ƗV;#ȇ7h?'xA-B6(} .+Eleϥ#[s(o#NT4:Ak&D:ukRPIҁKg6Z0]O,tN,mM­9\:RZ&D~",X >nXZܡ߸{ZwEu)ĖH|Z1i$x& WO.ǟx;OͿ^\\ "o}`a\WUo ltRNЪ90}9:]INZs[l Uun90A><5U.¨pEME8+Y)fѯb ӣYuN WގډN<m N%>QLw&nI'eAݣ(N .  tTo C13j*tz4;A3wꝠCd>zNY:AtfUu띠Đ\yi'9i&Ҵ[9N, Iq%ÐǟpsH9{[3r./B?Û_GXͿ4")>#ulw `rK?Zl *#\Q4(۪֒;hQNЂ{<_v|Zt{S<\v}j&PrWm+hsD0 /}U /Nc`;K:AWTMl Nnلh*F Xx?p% $9c;K;Ad=Y.18TQBfy݅NЂ:AGX'hs#\~@523iU4Mrri'h:tVMty;\ai'h ZbWP pObxQ3鹫 w7DZ0=jjO<ΚU ljK:A WSzHC:ANJ'ht~[E Bz'h,7 z@u)vz;.7I$?Vw['hNV@/arAvxoRKX$z~O~}﫾?O$Ǖ.<\7ai|N<\PMCWV *ɀ1i l4Q|(Htݰ :>u4z=PB)\k Z˓IiLQH:A{g1U :C`J \e$UNZ)0PDSstĭ}_\M_Y vZaޥ _UoG1յҷYWV  2s,~DjG/ʵN rNNvX~iͮ=\PJKզmtb!xpQt~:h`kxR7(o ?R}mM6k) gP+|'wOkcT {\ * j<WV}~R]/,|.jqIPqE!0YLqM6G:+$'M<\:Gi%C{&F&G_6H?"?ߗACYm̢H!lsr"@tthD:A("Yq%ϯMq"D/"fr.ws))Y5ZNl0md-y>9|R&)2m&c"ϷLABs6ƅ3J8@um0h$,-ͫ&{XxW]L &](|O&bn~~i&;$G&W; seۮP].GrEHmq oNzGnp? ʖ YjotKf)`]#9Q/&7Wo<!?Yqt#eU+5~~iWت%f&.`o,"xR*5 U+%MiR35<;#pˉA'$qgUuҦp4kM.]Arض!ziL")23$W0=4B$*%H=C{;YT}Vu>K"YFN-? lI'h }8tvI/ /i5J$&0a(tP>hev|=U'ht+,yiK-/V:Askm"2J'熱F A/%tWW*iLW)dY2\r"s<_aRP|NoRWΥ5]? <`]u@ɱr{rP+?G/M-jZ½'_W? ᕯ~''߮hə/~<# ݂Jӏ, Uu]/]ŗD֎/|Ųйt'ן\M 0? #P_s8k+O!۫_W ҋU\ɗ!/,ʺ-w: kZf:; ZY޹jv>浫WxW:/'xc+6T@y)dx9d=4}e7kˊn|s׷ 8Rdv3UT<]"T^7jƖ+6132dXfDf{w777;i T5.]9޾(Wv76V=pvV?o,SS(buc6!NC"왇;:!ޜ!ܲJiu8ojÝ4\uH>655o,T}x܊ssڦ7O"8ʦc+VlC 琋MWtΰ' 1ˆ Feiq{|p%ˣ{feӾF}5׉,5Սǂ]q48ddކ*;QuC3UGf*;;NG TU?/JseuU-U7+Tm6>81>T>Ŀuٻ[dP%J)v3lFBjFi9wyH+X%`Aױ}ܳLYY7r̴4Սmo9vplxGY+wl8^bwV!L I^+Jth{QwydBeF!zyB8 6*FIT_uᎽR3[&v,[e|_! Q,H,f߾V쵺!F _ro@_dO{]uCLK]:"}s]\K}/>՛7_pqEU_َ+;ΜaoƱ`E !3[*٩Y%2G= _ CSttglZԎN~nDWwM#lt|bkW˘ym,iw$͇/c"5g![0s#jk(peU33Cݍ$l7Q_?l:(Sx* n M7ϰrS!jjGho*ǏDtɯG?͈N.(Gg*ٵ65c+0+\wUW`ʇ<xǙDfW5obn*߅baEF6 U)oNuƔ``Sclc-̮,J=V7VW=f;`]e!膙źNP9ˇMa+<^qΟ}Lg˱M"LwhK5$!bXQ6ٱL*c+vi69|ngQf=$}bFgԵԳ::vxsAPՖ;G۱nwa!~ss iǎuej CVN7)o>.Ogl@cgǙu{xG-2]eg=?QVYRykGM%\Utd^֎#bL45fjoFx}`Z#J8 &Ty#ʒ٬&ignXJt8pU !s, g߂ wK$<=ޱl˨؈Dif/# ;PS+Wocˮ#iMYL3U9tܦi^M= P<X8.Xo0떕UXzHp#Khnek'h/߄T.ZfnAGD1z3ܞ auud~ [j$ئrE5Mi4f?tVU3▊}R]5 'bJoY1Dtw)4n1)`VÖ9crA 0 /Aef:f1eHt7`LTWkxl;2܉p6vYU9~qW8^!͹]VljQسi6O%T >dٙȳ{q\؏+:q*_ZyKs%;bsr0wxe_>OWrrqtƹcL;yiLsZ02gQֈ@ G8- ފf,ad<);h.8/(*A} &O7 ~%P~(d,#U[*[c}8u99pv9ml8::rǰU7Wqq83BYWvY9ucM9RcB=RiXWƊb}Y&Kzey#{2Nn61i߱*$f02ґ>+ջ\]7\{K;K).;s OT֎8ǎ;|i'{[!JIa$XUO+;1۫fH`282>"DLdYuǻqJfP6uW#5u47*UQ3&[R=Z>ҍt2p.[ܾF.;8<=`}M6jLQ=1q>˱&g rUVSoa j䭣bWUհ0[ F/siŦfA%gmQwuoFpَe(cq<12*ˑ1n͒؋F Acǁub3 w ʉM0kgk:Rn/x׉gV w`bZJoiقMN]0Bk*Q֭/[ۑNz 7Yz-CRx3'ڈ,{% vPF_'Q<ƈ$-Ns88VcgKkFpAlYuYUqgx H)8k12YehoME)Ipq}.[^Vv,S\s]gNEYsfbNVn3,OS9;밥JCcqf,[n bFLĤm)׽Do*ؖNP,c'ET_vTGfM=TUCmgE[| =/GX|ǪϡG8!_X.XAznq7qKlX;jYw6oRGéoR?ӺlK𝪡:)v-ux=WcM8|Dk+'CnsU:A5fX`Xy Ő iլCMfa&qrˆ50vL?vˌ cL9S ^<}\-;NcO}xCbgVУsWP`#qElGtK`EwǮnm\9:.C|u4:+>MrBpMcG\=X7:{ܦJ kh9}hN @*11+9t ̖+H6p2Q`GF{Wڌյ459m=V?$nDEǓƺLA9scЖ:S67E ~஌򝺖s+:#hjyfr 7ѯg8xa:xC|ᎊq|s&>C9l J Y2x6f}N&(h¾ $6`X 6uqlb&&svf32s)` g_$KN;hKbn<~hDG ^}+ILf$Zm b0044a}gy b[J^Eۄ]G Ck)+[hsWa!Pi6@pljXwp!eVNw։Ke+er;G::K>j]\q-10Nn;ӈei`ເa)+g )̂j`(c2Qulَ`~`a7f@@Ħ\0,9ASl]GdRaMslAi%{vǑc`uGˇUdrܛu~ybA VEǮ!ԕ{^D7? ;yNA+V5_[y::;E,و<&Owծ;XX2hvsOT% H|Xx}\kMoL^ I,Y@x &eϊS6?0:‚!Loj9}\i ccU=i5/!fx:p%1&[Ft4w%"/n\|rW1|~3:֡#NTi@LޣLYvǪcˏwVr u׌q$oS&d$QnFgdIꮯU8 (al1 sG<>"qKϕ @TdԒRM qnX|ivWcxi M m(BEŀch0QaVLD m4(P:F~ TZ* xqD;8cYGgU:IpN*7V V=1dPD&qzjʊqX)-3l/~,5Ͷ4 +)#TPχO jkITQز1܂ mA¬XP8mP[NQ9;.,^bU,$oe4OQ3@LoS= 9w$q%Ӭ0j"V.h8q0 A7*0XE8bhmx8<~_UEyWG%PL0a3e@4s D}~l Up4h*lis %ʌS+7t-{#pPp.;V7掘vuYVMX6U5[oUH)Bi3U#xOWJvlu*>`NvrMNh:!tTAH}ݤ4M=(&`{iR#JTvdV d +tf=j; B,4nijJ@y@p% 7f]` FR9'eɍe"F4C+²Bvpf{*f0Ʊ@4zyŘjO ׋qlP$ɞ@%MCaILTٳʪXRw:5n 89Mوd hV +K [$_9Mkc)^Vܴ_X1 C"JH~:ǧ u5׵w'4A܋Gi|HX#F0웃!wu3&X\(v6k"U3X3L2aE嵷w<֌! ",:8ra?E%C j#%<T AQFE6,\s\ (dqKPmq5u0@T=`P:+:p1u$ƃN7Pe\,g$VbT5 = 4@G P: cR؊1}'oH^QD k8puK#-;!5$ w%KAlјplxhZxʨQ"Ms;t"l8 p ΰ ;PZWTQ:eѢy9k:ZoiLYb*`2*G'bK(@C@oĕmFxaȇ,Ww l Ww$J2ʇ2*ߩT;/ 4kn뇌 ME>vs,݁pљ'p]6&jFk/6;| z\)B-p,m[3wHkk1U*Ҙw {_ȁB$lrDFv!8,]N eGdKt%&4Sh@Ix\:l2b*'~Kh"? m8dd #yKtǺug@ֽ(% iess{EDnf@5SquhE$ecøe3͚2¯;lj ȓBt\PAKzuьqiCAL4 +PD1Tȵ]MFY;\$ cpt>yv>[=:M^F KEP؍^LS, FNG<7m!&T|b7,Co@f V0f<@!)$$PBfȉ0՛ꁹ'@#'@ RYd;Tt IB\2`8uCQMMew'LćwazkI8_v]M,HN@V7- 3@`GHї}e AbˇOغU IpDդ^a#.$0!csC( dw@4!c  +gX|G֭[1DB:;v0%C@Xw$;eXczT^L6!Dťk Y,1GDT$X&mRBū^B 톃KB4"J7  [R,) {NUA@*0"XU-N(Q.$_lhbу'ύe+j Of:K!lcn0Xu3gdaeUx$ƺ}Ӕ³b?q)eaC^v@u;Mд0;իvA*ϕ=o^V, UbGY3Bƪ&^h'1܎]ǁH 3^Qю HmC惖n lPMSؘOA(ȅXb Ȉu[hN|Z" 1_d >rН'N ;0QU__wt6#^Z ؓ*l>VEPi-Gȵbeo'i (:YG Ņ8ߋm inMp> !F\ǹr`#F0#T䠠vvk|~0a7XU&;-УY+X1aLedXW!b u'410\ atDi26 [.?)Aq%}eސ""5L ᢽd5UW]do!g@@]\5bW2PLqw npL̵9nE8V?4 SpPX`RԲq!2y$rPxXY>ӱlT׉Gj1\1;5rC"FLtt3 Ӛ_wC. x00&$hEXp?@,=2巺cwE$S3tlOI| :pŵq8<&HR[#kJ\;0еȡ4aWg䫈%C!["!zr@ٯ dHL@_`6!BXBrn1)불KvNǺرra ւ`\;cp03eGjW)@q;Sc0D&/[m;V(@ɣ> zI -2TZ:̍ssgʎAqEx*gG]cW#A$/DbH<& guCQc "žAJJp3$xe@;$ OYRmu 6$FBhN8$EWbH4Dp0}Qq}@J( ܂ULO[(aCN)y-H0VUWTVԡp Q>/^X(^\#y|-CU@aq DeHLUr'%,A*l0ɃTP!~lusc JxHh.࠹0< ?jJs>'9Н(v/Ҋi%]*W2 B!iFԞTQTsH>p' <`Ihmǒb{*T@MQOȦPq l|>J6`BG%<1-*_ P(lC[Bejge#DPsG 9qnW{8TɃR^^S^ҥS( ;Ecl3]xb9"*F*&IQkN V;:1y0Hǻ$ zGL#^V7lLp5/g]*/g6'9=A7ۑ0sOgIBAumlοsd4)@Ir~f+CI$Ķ#mbNJv.sb45!4lBgT#+̫fgZR1'<+ uL&@\a 8y94 ߉?U枉eȀk[tS D!k- '^`ApB 5Bf>I]Sat*J@,#yF+? oϐt0#Sbq3[X&N%K.%ڴQo_SAԭN|.{$Ym@  aK%;MjL5@O2ޏ3kl1Bi<.H\|_%ݾJRƣ$x`hM$Bb2 =pH$ U]q0$^^/dPPfXbb`,7@0=Ru嘦d 'A ِ䣚V'/H@X*PO?F0)I5 sR4ߴT1L8LkoVDA .Mw\e|0A *"Ap1߄]ͭH& |&*LLs!¿>,qɪ}f@nX |~)&5Ff0qD202LIENDB`$$If!vh55855 #v#v8#v#v :Vl  t(55855 p($$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t(55855 p($$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t 55855 p $$If!vh55855 #v#v8#v#v :Vl  t 55855 p DyK yK nhttp://csrc.nist.gov/pcig/STIGs/MAC-OS-X-STIG-V1R1.pdfDyK yK http://www.corsaire.com/white-papers/050819-securing-mac-os-x-tiger.pdfyX;H,]ą'c%DyK yK Rhttp://www.linuxjournal.com/article/4413DyK yK http://security.linux.com/article.pl?sid=05/09/15/1655234&from=rssDyK yK http://www.unixreview.com/documents/s=9846/ur0508g/ur0508g.htmlDyK  yK Xhttp://www.puschitz.com/SecuringLinux.shtmlEnablingPasswordAgingDyK yK Vhttp://www.nsa.gov/snac/downloads_macX.cfmDyK Ghttp://www.puschitz.com/SecuringLinux.shtml#EnforcingStrongerPasswordsyK Xhttp://www.puschitz.com/SecuringLinux.shtmlEnforcingStrongerPasswordsDyK yK phttp://www.deer-run.com/~hal/sysadmin/pam_cracklib.htmlDyK "http://www.openwall.com/passwdqc/yK Dhttp://www.openwall.com/passwdqc/@@@ NormalCJ_HaJmH sH tH DA@D Default Paragraph FontRi@R  Table Normal4 l4a (k(No List>@>  Footnote TextCJaJ@&@@ Footnote ReferenceH*Ng@N h.HTML TypewriterCJOJPJQJ^JaJ6U@!6 q.; Hyperlink >*B*phj@3j )_ Table Grid7:V08"@8  UCaption5CJ\aJFV@QF  FollowedHyperlink >*B* ph4 @b4 1UFooter  !.)@q. 1U Page Number4@4 Q2Header  ! p x~dm`&'q())--2\42G G"G - : `  aT#&GG - a&2G z z z z z z z zI(j/2GN+~ CDMVWfVW,STX R V    . Z [ ! c d M r )z{CJz,-KLMNOcfgop#$%&'NOPQR67UWY[\prtvw/1356]_acd-.8#9#$$%%%&&''H(I(O()))s*{*+ +Z+c+++++,B,i,t,,,,------$.h....i/j///020S0i0001#121A1P1d11122H2I233 3@3A3333334(4M44:5667889;/<= >>/@@A"BHCCDIE>/@@A"BHCCDIE>/@@"BHCCDIECH9L2O(,-.01245679BIMOPQRSUVXY[\]_`abV,Kf& Q !6!U!r!!!!5"c""{25A9M< O2O)+/38:;<=>?@ACDEFGHJKLNTWZ^c1O* QhjXnp556G6662G   XX  '!!E13 E < & ^ Q &XXXXXXXX8@0(  B S  ? _Hlt132421028 _Hlt132421029 _Hlt132421150 _Hlt132422345 _Hlt132422312===k@m@3G@@@@@===l@n@3GHWܗIW|JW KWLW\ 3G3G=*urn:schemas-microsoft-com:office:smarttags PlaceType=*urn:schemas-microsoft-com:office:smarttags PlaceName9*urn:schemas-microsoft-com:office:smarttagsplace  / -16A8< sv! , F U { ! * @ K a m $ `g*-CGknz$&06? ELMYS ] &%&&&'' (((())))&*5*Y*h***++Z+`++++,i,p,,,------../+/[/g/}//]0h0X1c1)2G2A3J3333333 44044454<4=4A4C4G4H4L4k4v44466699>>GANAYC_CCCDD%D-DDDDDDDDEGFKFFFFFFF G3Gz~sv   CIR $$&&{*|*..j/r///2261@y@DD G3G::::::::::::::::::::::::: QkzzXq""44566AA!B"B G G GGGGGGGGGGG G#G-G0G3G6 G3G XBܘb "ҰDT%Ҙc)8TXLM+.5f3}]1W"?l,Y+q`NTT?%rbcxxHO-N{L{}4D|h^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hHhh^h`o(.h88^8`OJQJo(hH L^`LhH.   ^ `hH.   ^ `hH. xLx^x`LhH. HH^H`hH. ^`hH. L^`LhH.h^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hH ^`hH. ^`hH. pLp^p`LhH. @ @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. PLP^P`LhH. L^`Lo(hH. ^`hH. pLp^p`LhH. @ @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. PLP^P`LhH.0^`0o(. 88^8`hH. L^`LhH.   ^ `hH.   ^ `hH. xLx^x`LhH. HH^H`hH. ^`hH. L^`LhH.h88^8`OJQJo(hHh^`OJQJ^Jo(hHoh  ^ `OJQJo(hHh  ^ `OJQJo(hHhxx^x`OJQJ^Jo(hHohHH^H`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hH ^`hH. pLp^p`LhH. @ @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. PLP^P`LhH.^`o(. ^`hH. pLp^p`LhH. @ @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. PLP^P`LhH.h^`OJQJo(hHh^`OJQJ^Jo(hHohpp^p`OJQJo(hHh@ @ ^@ `OJQJo(hHh^`OJQJ^Jo(hHoh^`OJQJo(hHh^`OJQJo(hHh^`OJQJ^Jo(hHohPP^P`OJQJo(hH808^8`0o(. ^`hH. pLp^p`LhH. @ @ ^@ `hH. ^`hH. L^`LhH. ^`hH. ^`hH. PLP^P`LhH.hh^h`OJQJo(hH88^8`OJQJ^Jo(hHo^`OJQJo(hH  ^ `OJQJo(hH  ^ `OJQJ^Jo(hHoxx^x`OJQJo(hHHH^H`OJQJo(hH^`OJQJ^Jo(hHo^`OJQJo(hH O-N{}]1 "T%"??%rcxXB{}c)LM+!+q`                                              Q                                   e                 UV.m;ySE"O'+PX  T+;><8}0S#(Y O  l)  c 4556|E{)Twjb=T U@g*:H@I+B@Hh)JSWXnn!Y{!$j$*%2X%xn%&& 4&7&H&R''0'}?'i~':(GO(b()l)q*+q+;~+h-t-h.Ki..'/>/{1Q2ip230j4Nz5~6EN6T$898$9(9c9Nt90:q.;w<?=y==?s?}?= @;AJAeZASCTNEnREXFbFGaG#H&I0L6L[LM8aMcM\NfN6qNrN>+O7OQLT;U UU1UVVOVqVXXYoKYX^Y(Z_[ [8G[:_[\jJ]8e]C_ n_JV`l`r`maycc+c\d]dAe6f8Gg`9iUinj= k%kVlnlmo%ko!pKqIkqBr.u~uf?vBv;}vaw0wLwqlw^yw x]qxByzGzgz {W{Rg{6N|}KC~}{~3G2BwQ$jlB f*;b"99Jo.W2$j#M.9#j8D<d ZS/cAC_3!Tifi7>J%!N8)~S* n&W<YFQk %A%x51W *{eDxDoBljepZQS4)V)v25)HKmny_^B N]$ 't5Agfa 8EQ%=;7Q#= L]o<2)EMdG%)2D|t#*% ~?.`2w9Gss!n/H`mt{@a%j)_nyv$5~7=Ki!%)+POTcv| 9<|9|#`b9P?"4y !PY1Sh,kX3}>.E)~/!Zds)%7G^"I6Rr L,{:5xdX_p"Ul7$I 8UeJ^SrB!#}ZBPTqyh Mz JS!6d)eR*'^t6^UwDV6Yg{ n:7,-KLMNOcfgop#$%&'NOPQR67UWY[\prtvw/1356]_acd3G@+x2G@@UnknownGz Times New Roman5Symbol3& z Arial?5 z Courier New;Wingdings"1h7R&kWS&51.c1.c!4d662QP ?6%Concerns on securing sshd on Mac OS X<         Oh+'0 ( H T ` lx(Concerns on securing sshd on Mac OS XNormal53Microsoft Office Word@l@dj\@j\@N1.՜.+,D՜.+,d  px  c6\ &Concerns on securing sshd on Mac OS X Title 8@ _PID_HLINKSA<+$ Hhttp://www.corsaire.com/white-papers/050819-securing-mac-os-x-tiger.pdf;t 7http://csrc.nist.gov/pcig/STIGs/MAC-OS-X-STIG-V1R1.pdfHA"http://www.openwall.com/passwdqc/98http://www.deer-run.com/~hal/sysadmin/pam_cracklib.htmlB,http://www.puschitz.com/SecuringLinux.shtmlEnforcingStrongerPasswordskJ +http://www.nsa.gov/snac/downloads_macX.cfm"a ,http://www.puschitz.com/SecuringLinux.shtmlEnablingPasswordAging`*@http://www.unixreview.com/documents/s=9846/ur0508g/ur0508g.html/sChttp://security.linux.com/article.pl?sid=05/09/15/1655234&from=rssI)http://www.linuxjournal.com/article/4413  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdfghijklmnopqrstuvwxyz{|}~      !"#$&'()*+,1Root Entry F&3Data e+1Table5WordDocument>SummaryInformation(DocumentSummaryInformation8%CompObjq  FMicrosoft Office Word Document MSWordDocWord.Document.89qRoot Entry Fᶦ3Data e+1Table5WordDocument>      !"#$>789:;<=՜.+,D՜.+,d  px  c6\ &Concerns on securing sshd on Mac OS X Title 8@ _PID_HLINKSA<+$ Hhttp://www.corsaire.com/white-papers/050819-securing-mac-os-x-tiger.pdf;t 7http://csrc.nist.gov/pcig/STIGs/MAC-OS-X-STIG-V1R1.pdfHA"http://www.openwall.com/passwdqc/98http://www.deer-run.com/~hal/sysadmin/pam_cracklib.htmlB,http://www.puschitz.com/SecuringLinux.shtmlEnforcingStrongerPasswordskJ +http://www.nsa.gov/snac/downloads_macX.cfm"a ,http://www.puschitz.com/SecuringLinux.shtmlEnablingPasswordAging`*@http://www.unixreview.com/documents/s=9846/ur0508g/ur0508g.html/sChttp://security.linux.com/article.pl?sid=05/09/15/1655234&from=rssI)http://www.linuxjournal.com/article/4413SummaryInformation(DocumentSummaryInformation86CompObjq