How to bypass reading any config file so that all needed options are fed from the command line? (security reasons)
On Thu, 14 Jun 2012 22:22:30 +0500, Ivanko B wrote:
> How to bypass reading any config file so that all needed options are fed from the command line? (security reasons)
I run stunnel from a program that uses it and what I do is:
- generate the .pem files (cert and key)
- generate the .conf file
- start stunnel
- monitor the log file until I see that all of my services have been bound
- then I scrub the files I generated above.
Not perfect, but it works. I guess it would be nice if stunnel had either a way to pass in the data by arguments or a /scrubconfig option to do what I do from outside.
Putting the config file in a folder properly protected by a permission set is the best way to do that. I always wonder why some people want to use stunnel without leaving any trace on their (?) server machine: many of those are just trying to open backdoors on systems...
"security reasons"...hmm...just bad excuse.
Anyway, is the next question "how to hide a running stunnel from the ps or netstat system commands"?
Pierre
On 14/06/2012 19:32, Steve Marvin wrote:
> On Thu, 14 Jun 2012 22:22:30 +0500, Ivanko B wrote:
>> How to bypass reading any config file so that all needed options are fed from the command line? (security reasons)
> I run stunnel from a program that uses it and what I do is:
> - generate the .pem files (cert and key)
> - generate the .conf file
> - start stunnel
> - monitor the log file until I see that all of my services have been bound
> - then I scrub the files I generated above.
> Not perfect, but it works. I guess it would be nice if stunnel had either a way to pass in the data by arguments or a /scrubconfig option to do what I do from outside.
stunnel-users mailing list stunnel-users@stunnel.org http://stunnel.mirt.net/mailman/listinfo/stunnel-users
On Thu, 14 Jun 2012 20:40:12 +0200, Pierre DELAAGE wrote:
> Putting the config file in a folder properly protected by a permission set is the best way to do that. I always wonder why some people want to use stunnel without leaving any trace on their (?) server machine: many of those are just trying to open backdoors on systems...
> "security reasons"...hmm...just bad excuse.
Some people have a requirement not to have the private key in an unencrypted file on disk. At least my project does.
So why not autogenerate it? What does a key have to do with configurations? Just use stunnel for your purpose, scrub, and then regenerate every time. Or point the configuration to an encrypted volume? I am confused.
Brian
On Thu, Jun 14, 2012 at 2:51 PM, Steve Marvin <smarvin@pobox.com> wrote:
> On Thu, 14 Jun 2012 20:40:12 +0200, Pierre DELAAGE wrote:
>> Putting the config file in a folder properly protected by a permission set is the best way to do that. I always wonder why some people want to use stunnel without leaving any trace on their (?) server machine: many of those are just trying to open backdoors on systems...
>> "security reasons"...hmm...just bad excuse.
> Some people have a requirement not to have the private key in an unencrypted file on disk. At least my project does.
On Thu, 14 Jun 2012 15:56:37 -0400, Brian Wilkins wrote:
> So why not autogenerate it? What does a key have to do with configurations? Just use stunnel for your purpose, scrub, and then regenerate every time. Or point the configuration to an encrypted volume? I am confused.
The key has to reside in a .pem file on disk. .pem files are not encrypted.
Before starting stunnel, I create the .pem from a cert and private key in the Windows store. After stunnel has finished starting all of the services in the .conf file, I scrub the .pem files.
My reply was to "security reasons"...hmm...just bad excuse. In my case it was the only way I am allowed to use stunnel in the project - otherwise I would have to write a TLS wrapper myself.
Ivanko,
I don't see how that would make your setup more secure. In fact, by default, on Unix/Linux command line parameters are visible using ps. I'm not sure on Windows, but probably Process Explorer gives you the same. Having said that, maybe the stunnel3 wrapper helps you.
-----Original Message-----
From: Ivanko B <ivankob4mse2@gmail.com>
Sender: stunnel-users-bounces@stunnel.org
Date: Thu, 14 Jun 2012 22:22:30
To: stunnel-users@stunnel.org
Subject: [stunnel-users] Stunnel 4.53 for win32 - without config file
How to bypass reading any config file so that all needed options are fed from the command line? (security reasons)
Why not just lock down the directory to only be read/write/executable by a special stunnel user? This is how I did it in Windows.
On Thu, Jun 14, 2012 at 1:42 PM, josealf@rocketmail.com wrote:
> Ivanko,
> I don't see how that would make your setup more secure. In fact, by default, on Unix/Linux command line parameters are visible using ps. I'm not sure on Windows, but probably Process Explorer gives you the same. Having said that, maybe the stunnel3 wrapper helps you.
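Pierre's advice and the last reply above both come down to the same control: the config file, its directory and the PEM files it points at must be readable only by the account stunnel runs as. The following is an added example written for this page, not code from the thread or from the stunnel project. It parses the `cert` and `key` options of a constructed stunnel config (those two option names are stunnel's; the "option = value" regex is my assumption about the plain form used here), checks the mode and owner of the directory, the config and every referenced file, and shows how to create such files with private permissions from their first instant rather than chmod-ing them afterwards. The function names, audit logic and sample config are mine, and it assumes a POSIX host (`os.getuid`, mode bits), so it does not model the Windows ACL setup the last poster described.

```python
"""Audit an stunnel config directory for files readable by other local users,
and create private files safely.  Added example, not stunnel's code; POSIX only."""
from __future__ import annotations

import os
import re
import stat
import tempfile
from pathlib import Path

# `cert` and `key` are real stunnel option names; the "option = value" pattern is
# an assumption about the plain form shown in the thread (';' starts a comment).
_FILE_OPTIONS = re.compile(r"^\s*(cert|key)\s*=\s*(\S.*?)\s*$", re.MULTILINE)


def referenced_files(conf_text: str) -> list[str]:
    """Return the file paths named by cert/key options, in order of appearance."""
    return [m.group(2) for m in _FILE_OPTIONS.finditer(conf_text)]


def permission_findings(path: Path, allowed_uid: int | None = None) -> list[str]:
    """Report group/other access bits and unexpected ownership on one path."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    findings = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:o} grants group/other access")
    if allowed_uid is not None and st.st_uid != allowed_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {allowed_uid}")
    return findings


def audit_config(conf_path: Path, allowed_uid: int | None = None) -> list[str]:
    """Check the config's directory, the config itself and every cert/key file it names."""
    conf_path = Path(conf_path)
    findings = permission_findings(conf_path.parent, allowed_uid)
    findings += permission_findings(conf_path, allowed_uid)
    for ref in referenced_files(conf_path.read_text()):
        # stunnel resolves relative paths against its working directory; the
        # config's own directory is assumed here for the sake of the example
        target = Path(ref) if os.path.isabs(ref) else conf_path.parent / ref
        if not target.exists():
            findings.append(f"{target}: named in config but missing")
        else:
            findings += permission_findings(target, allowed_uid)
    return findings


def write_private(path: Path, data: str) -> None:
    """Create a file that is 0600 from creation; a chmod after writing would
    leave a window in which another local user could already have read it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def demo() -> tuple[list[str], list[str]]:
    """Build a constructed config dir, audit it, loosen the PEM file, re-audit."""
    workdir = Path(tempfile.mkdtemp(prefix="stunnel-audit-"))  # mkdtemp gives 0700
    conf = "[https]\naccept = 443\nconnect = 127.0.0.1:8080\ncert = stunnel.pem\n"
    # constructed placeholder contents, not a real certificate or key
    write_private(workdir / "stunnel.pem", "PLACEHOLDER PEM CONTENT\n")
    write_private(workdir / "stunnel.conf", conf)
    clean = audit_config(workdir / "stunnel.conf", os.getuid())
    os.chmod(workdir / "stunnel.pem", 0o644)  # the mistake the thread warns about
    leaky = audit_config(workdir / "stunnel.conf", os.getuid())
    return clean, leaky


if __name__ == "__main__":
    for finding in demo()[1]:
        print(finding)
```

Run it as the account that will own the stunnel service and pass that account's uid as `allowed_uid`; an empty list means the directory, the config and every referenced PEM file are private to that account. Note that this only addresses the on-disk exposure Pierre and the last poster discuss; it does nothing about an unencrypted key being readable by anyone who can read as that account, which is the concern Steve raised.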