On Monday 30 of August 2004 16:04, markzero@logik.ath.cx wrote:
By the way, please don't lecture me on ssh'ing into machines as root, they are located on an isolated network and of course, all logging in as root is disabled when they are put into production. :)
IMHO the only good reason to avoid direct root logins is to provide accountability on systems with more than one administrator. In other words, I don't see any good reason to avoid direct root login on systems with only one administrator.
chroot = /var/stunnel
CAfile = /certs/cacert.pem
CAfile is *not* relative to chroot. 8-)
records# ls -al /var/stunnel/certs/
lrwxr-xr-x 1 root _stunnel 33 Aug 30 14:33 4410a4d9.0 -> /var/stunnel/certs/clientcert.pem
-rw------- 1 _stunnel _stunnel 1489 Aug 30 14:32 clientcert.pem
CApath *is* relative to chroot. Your symlink won't work in the chroot jail. 8-)
I recommend using CAfile instead of CApath for simple configurations. It doesn't need a hashed directory and is not relative to the chroot jail.
Best regards,
Mike
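
The symlink problem discussed in this message, as an added example that is not part of the original mail or of stunnel: a Python check that resolves each entry of a hashed CApath directory the way a chrooted process would see it and reports which ones dangle. The function names and the `00000000.0` link are constructed for illustration; the demo layout is built in a temporary directory rather than `/var/stunnel`.

```python
import os
import tempfile

def resolve_in_jail(chroot, jail_path, max_links=40):
    """Host path that jail_path names for a process chrooted to `chroot`, or None if dangling."""
    pending = [p for p in jail_path.split("/") if p]
    resolved, links = [], 0          # resolved: symlink-free components below the jail root
    while pending:
        part = pending.pop(0)
        if part == ".":
            continue
        if part == "..":
            if resolved:
                resolved.pop()       # ".." at the jail root stays at the jail root
            continue
        host = os.path.join(chroot, *resolved, part)
        if os.path.islink(host):
            links += 1
            if links > max_links:
                return None          # symlink loop
            target = os.readlink(host)
            if target.startswith("/"):
                resolved = []        # absolute target restarts at the jail root, not the host root
            pending = [p for p in target.split("/") if p] + pending
        elif os.path.lexists(host):
            resolved.append(part)
        else:
            return None
    return os.path.join(chroot, *resolved)

def audit_capath(chroot, capath):
    """Map each CApath entry to True if it still resolves inside the jail."""
    host_dir = resolve_in_jail(chroot, capath)
    if host_dir is None or not os.path.isdir(host_dir):
        return {}
    base = capath.rstrip("/")
    return {n: resolve_in_jail(chroot, f"{base}/{n}") is not None
            for n in sorted(os.listdir(host_dir))}

def demo():
    """Constructed layout mirroring the listing in the message, built in a temp dir."""
    with tempfile.TemporaryDirectory() as jail:
        certs = os.path.join(jail, "certs")
        os.mkdir(certs)
        pem = os.path.join(certs, "clientcert.pem")
        open(pem, "w").close()
        os.symlink(pem, os.path.join(certs, "4410a4d9.0"))               # absolute host path, as in the post
        os.symlink("clientcert.pem", os.path.join(certs, "00000000.0"))  # constructed: relative target
        return audit_capath(jail, "/certs")
```

The absolute-target link resolves on the host but not in the jail, because its target is looked up again starting from the jail root; the relative link resolves in both.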