On Mon, Aug 30, 2004 at 08:04:38PM +0200, Michal Trojnara wrote:
On Monday 30 of August 2004 16:04, markzero@logik.ath.cx wrote:
By the way, please don't lecture me on ssh'ing into machines as root, they are located on an isolated network and of course, all logging in as root is disabled when they are put into production. :)
IMHO the only good reason to avoid direct root logins is to provide accountability on systems with more than one administrator. In other words I don't see any good reason to avoid direct root login on systems with only one administrator.
To be honest, I'm just generally paranoid. I'd rather have a prospective attacker have to crack two passwords (the root and one wheel group) than one. I thought I'd write the above just so I didn't get a big lecture, hehe. :)
chroot = /var/stunnel
CAfile = /certs/cacert.pem
CAfile is *not* relative to chroot. 8-)
records# ls -al /var/stunnel/certs/
lrwxr-xr-x 1 root _stunnel 33 Aug 30 14:33 4410a4d9.0 -> /var/stunnel/certs/clientcert.pem
-rw------- 1 _stunnel _stunnel 1489 Aug 30 14:32 clientcert.pem
CApath *is* relative to chroot. Your symlink won't work in a chroot jail. 8-)
I recommend using CAfile instead of CApath for simple configurations. It doesn't need a hashed directory and is not relative to the chroot jail.
So something like:
CApath = /var/stunnel/certs
I'm paranoid that someone has been at my testing configs now. :) I previously had a working setup, which worries me even further as I *did* use a symlink.
Thanks for the info, I'll give it a go soon. Perhaps I'll also start doing minor backups of the test machines...
Best regards,
Mike
_______________________________________________
stunnel-users mailing list
stunnel-users@mirt.net
http://stunnel.mirt.net/mailman/listinfo/stunnel-users
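The symlink problem described in this thread, as an added example that is not part of the original messages: it resolves each link in a CApath directory the way a process chrooted to the jail would, and flags links that no longer reach a file. The function names, the temporary directory layout and the second link name are constructed for illustration; symlinked intermediate directories are not followed.

```python
import os
import tempfile

def jailed_target(jail, link, max_hops=8):
    """Follow `link` as a process chrooted to `jail` would.
    Returns the final host path, or None if it dangles or points outside the jail."""
    path = link
    for _ in range(max_hops):
        if not os.path.islink(path):
            return path if os.path.exists(path) else None
        target = os.readlink(path)
        if os.path.isabs(target):
            # Inside the jail "/" is the jail root, not the host root.
            path = os.path.join(jail, target.lstrip("/"))
        else:
            path = os.path.join(os.path.dirname(path), target)
        path = os.path.normpath(path)
        # Conservative: treat anything that climbs above the jail root as broken.
        if os.path.commonpath([jail, path]) != jail:
            return None
    return None  # too many hops, likely a symlink loop

def audit_capath(jail, capath):
    """Map each symlink in CApath (path as seen from inside the jail) to 'ok' or 'broken'."""
    jail = os.path.realpath(jail)
    host_dir = os.path.join(jail, capath.lstrip("/"))
    report = {}
    for name in sorted(os.listdir(host_dir)):
        entry = os.path.join(host_dir, name)
        if os.path.islink(entry):
            report[name] = "ok" if jailed_target(jail, entry) else "broken"
    return report

def demo():
    """Constructed layout mirroring the thread: jail at <tmp>/var/stunnel with certs/ inside."""
    with tempfile.TemporaryDirectory() as tmp:
        jail = os.path.join(os.path.realpath(tmp), "var", "stunnel")
        certs = os.path.join(jail, "certs")
        os.makedirs(certs)
        cert = os.path.join(certs, "clientcert.pem")
        open(cert, "w").close()
        # Absolute host path as target, like the link in the ls output above.
        os.symlink(cert, os.path.join(certs, "4410a4d9.0"))
        # Relative target (constructed name): resolves the same inside and outside the jail.
        os.symlink("clientcert.pem", os.path.join(certs, "4410a4d9.1"))
        return audit_capath(jail, "/certs")

if __name__ == "__main__":
    print(demo())
```
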