[stunnel-users] client auth saga
markzero at logik.ath.cx
Mon Aug 30 20:38:14 CEST 2004
On Mon, Aug 30, 2004 at 08:04:38PM +0200, Michal Trojnara wrote:
> On Monday 30 of August 2004 16:04, markzero at logik.ath.cx wrote:
> > By the way, please don't lecture me on ssh'ing into
> > machines as root, they are located on an isolated network
> > and of course, all logging in as root is disabled when
> > they are put into production. :)
>
> IMHO the only good reason to avoid direct root logins is to provide
> accountability on systems with more than one administrator.
> In other words I don't see any good reason to avoid direct root login
> on systems with only one administrator.
To be honest, I'm just generally paranoid. I'd rather have a prospective
attacker have to crack two passwords (the root and one wheel group) than
one. I thought I'd write the above just so I didn't get a big lecture,
hehe. :)
>
> > chroot = /var/stunnel
> > CAfile = /certs/cacert.pem
>
> CAfile is *not* relative to chroot. 8-)
>
> > records# ls -al /var/stunnel/certs/
> > lrwxr-xr-x 1 root _stunnel 33 Aug 30 14:33 4410a4d9.0 ->
> > /var/stunnel/certs/clientcert.pem
> > -rw------- 1 _stunnel _stunnel 1489 Aug 30 14:32 clientcert.pem
>
> CApath *is* relative to chroot. Your symlink won't work in chroot jail. 8-)
>
> I recommend to use CAfile instead of CApath for simple configurations.
> It doesn't need a hashed directory and is not relative to chroot jail.
So something like:
CApath = /var/stunnel/certs
I'm paranoid that someone has been at my testing configs now. :) I previously
had a working setup, which worries me even further as I *did* use a symlink.
Thanks for the info, I'll give it a go soon. Perhaps I'll also start doing
minor backups of the test machines...
>
> Best regards,
> Mike
> _______________________________________________
> stunnel-users mailing list
> stunnel-users at mirt.net
> http://stunnel.mirt.net/mailman/listinfo/stunnel-users
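The chroot point Mike makes above (CApath is resolved inside the jail, so a symlink to an absolute host path like /var/stunnel/certs/clientcert.pem dangles once stunnel has chrooted) is easy to check mechanically. The script below is an added example, not code from the thread or from the stunnel project: it installs a CA certificate into a hashed CApath inside the jail as a real copy, prints the matching jail-relative config lines, and walks the directory resolving every symlink the way the chrooted process would. All paths (the temporary jail, /certs) are constructed for the example; the hash-name convention (<subject hash>.0) and the openssl x509 -hash invocation are standard OpenSSL.

```shell
#!/bin/sh
# Added example: hashed CApath inside an stunnel chroot, with a jail-aware check.
# Not from the original post; paths below are constructed for illustration.
set -eu

# install_ca CHROOT CAPATH_IN_JAIL CERT
# Copies CERT into $CHROOT$CAPATH_IN_JAIL under its OpenSSL subject-hash name
# (<hash>.0).  A copy, not a symlink: a symlink's absolute target would be
# looked up relative to the jail root once stunnel has chrooted.
install_ca() {
    chroot_dir=$1; capath=$2; cert=$3
    mkdir -p "$chroot_dir$capath"
    hash=$(openssl x509 -hash -noout -in "$cert")
    cp "$cert" "$chroot_dir$capath/$hash.0"
    echo "$chroot_dir$capath/$hash.0"
}

# capath_config CHROOT CAPATH_IN_JAIL
# Prints the stunnel lines for a CApath setup.  CApath is given as the jailed
# process sees it (no chroot prefix); a CAfile alternative would instead take
# the full host path, since CAfile is read before the chroot.
capath_config() {
    chroot_dir=$1; capath=$2
    printf 'chroot = %s\n' "$chroot_dir"
    printf 'CApath = %s\n' "$capath"
}

# check_capath CHROOT CAPATH_IN_JAIL
# Returns 0 if every entry will be readable after chroot, 1 otherwise.
# Symlink targets are resolved as the jailed process resolves them:
# an absolute target gets the chroot prefix, a relative one is joined
# to the directory inside the jail.
check_capath() {
    chroot_dir=$1; capath=$2; rc=0
    for entry in "$chroot_dir$capath"/*; do
        [ -e "$entry" ] || [ -L "$entry" ] || continue   # empty dir: glob unexpanded
        if [ -L "$entry" ]; then
            target=$(readlink "$entry")
            case $target in
                /*) jailed="$chroot_dir$target" ;;
                *)  jailed="$chroot_dir$capath/$target" ;;
            esac
            if [ ! -e "$jailed" ]; then
                echo "BROKEN in jail: $entry -> $target (would resolve to $jailed)" >&2
                rc=1
            fi
        fi
    done
    return $rc
}

# Usage (hypothetical paths):
#   install_ca /var/stunnel /certs /etc/ssl/cacert.pem
#   capath_config /var/stunnel /certs      # chroot = /var/stunnel / CApath = /certs
#   check_capath /var/stunnel /certs       # exit 1 if any link dangles in the jail
```

Running check_capath against the listing in the thread (4410a4d9.0 -> /var/stunnel/certs/clientcert.pem under a /var/stunnel chroot) reports the link as broken, because the jailed lookup becomes /var/stunnel/var/stunnel/certs/clientcert.pem. Note that the check only covers the symlink case; ownership and mode (the directory must be readable by the unprivileged stunnel user after it drops root) are a separate concern.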