[stunnel-users] client auth saga
Michal Trojnara
Michal.Trojnara at mirt.net
Mon Aug 30 20:04:38 CEST 2004
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On Monday 30 of August 2004 16:04, markzero at logik.ath.cx wrote:
> By the way, please don't lecture me on ssh'ing into
> machines as root, they are located on an isolated network
> and of course, all logging in as root is disabled when
> they are put into production. :)
IMHO the only good reason to avoid direct root logins is to provide
accountability on systems with more than one administrator.
In other words I don't see any good reason to avoid direct root login
on systems with only one administrator.
> chroot = /var/stunnel
> CAfile = /certs/cacert.pem
CAfile is *not* relative to chroot. 8-)
> records# ls -al /var/stunnel/certs/
> lrwxr-xr-x 1 root _stunnel 33 Aug 30 14:33 4410a4d9.0 ->
> /var/stunnel/certs/clientcert.pem
> -rw------- 1 _stunnel _stunnel 1489 Aug 30 14:32 clientcert.pem
CApath *is* relative to chroot. Your symlink won't work in chroot jail. 8-)
I recommend using CAfile instead of CApath for simple configurations.
It doesn't need a hashed directory and is not relative to the chroot jail.
Best regards,
Mike
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (GNU/Linux)
iD8DBQFBM2w2/NU+nXTHMtERAqQmAKCAZ/Vv9LRIyhw+Ca0ECrJ0lxA85QCgyKfS
9s089i9FYP9xcIN+qzsyYzo=
=kOzG
-----END PGP SIGNATURE-----
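As an added illustration (not part of the list message or of stunnel itself), the script below reproduces the directory listing quoted above and shows why the symlink breaks: once stunnel has chrooted into /var/stunnel, the link's absolute target /var/stunnel/certs/clientcert.pem is looked up under the new root, i.e. at /var/stunnel/var/stunnel/certs/clientcert.pem on the host, which does not exist. The check is my own preflight helper, built on the rules stated in the reply (CApath is jail-relative, CAfile is not); it assumes CApath = /certs for that listing and uses a constructed placeholder in place of a real certificate.

```python
"""Preflight check for stunnel's CApath inside a chroot jail (added example).

Models what the kernel does with a symlink after chroot(2): an absolute
target is re-rooted at the jail, a relative one is joined to the link's own
directory, and '..' cannot climb above the new root.
"""
import os
import tempfile


def jail_view(chroot, host_path):
    """Translate a host path below the chroot into the absolute path the
    chrooted process sees (e.g. /var/stunnel/certs -> /certs)."""
    rel = os.path.relpath(host_path, chroot)
    return os.path.normpath("/" + rel)


def resolve_symlink_in_jail(chroot, link_host_path, target):
    """Return (host_path, jail_path) for a symlink target as resolved by a
    process that has already chrooted into `chroot`."""
    link_dir_jail = os.path.dirname(jail_view(chroot, link_host_path))
    if target.startswith("/"):
        # absolute target: reinterpreted relative to the new root
        jail_path = os.path.normpath(target)
    else:
        # relative target: joined to the link's directory inside the jail;
        # normpath on an absolute path clamps '..' at '/', like the kernel
        jail_path = os.path.normpath(os.path.join(link_dir_jail, target))
    host_path = os.path.join(chroot, jail_path.lstrip("/"))
    return host_path, jail_path


def check_capath(chroot, capath):
    """Report symlinks under CApath (given as the jail-relative value from
    stunnel.conf) whose targets will not exist once stunnel has chrooted.
    Returns a list of (entry, target, reason) tuples; empty means OK."""
    host_dir = os.path.join(chroot, capath.lstrip("/"))
    if not os.path.isdir(host_dir):
        return [(capath, None, "CApath directory does not exist inside chroot")]
    problems = []
    for name in sorted(os.listdir(host_dir)):
        link = os.path.join(host_dir, name)
        if not os.path.islink(link):
            continue
        target = os.readlink(link)
        host_path, jail_path = resolve_symlink_in_jail(chroot, link, target)
        if not os.path.exists(host_path):
            problems.append((name, target,
                             f"resolves to {jail_path} in the jail, i.e. "
                             f"{host_path} on the host, which is missing"))
    return problems


def reproduce_listing():
    """Rebuild the quoted `ls -al /var/stunnel/certs/` layout in a temp dir
    (constructed data), check it, then repoint the link to a relative target
    and check again.  Returns (problems_before, problems_after)."""
    with tempfile.TemporaryDirectory() as tmp:
        chroot = os.path.join(tmp, "var", "stunnel")   # stands in for /var/stunnel
        certs = os.path.join(chroot, "certs")
        os.makedirs(certs)
        pem = os.path.join(certs, "clientcert.pem")
        with open(pem, "w") as fh:                      # placeholder, not a real cert
            fh.write("-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n"
                     "-----END CERTIFICATE-----\n")
        link = os.path.join(certs, "4410a4d9.0")        # hashed name from the listing
        os.symlink(pem, link)                           # absolute host target, as posted
        before = check_capath(chroot, "/certs")         # CApath value assumed
        os.remove(link)
        os.symlink("clientcert.pem", link)              # relative target survives chroot
        after = check_capath(chroot, "/certs")
        return before, after


if __name__ == "__main__":
    broken, fixed = reproduce_listing()
    for entry, target, why in broken:
        print(f"{entry} -> {target}: {why}")
    print("after relinking relatively:", fixed or "no problems")
```

A relative symlink (or a plain copy of the PEM file) keeps CApath working under chroot; the simpler route, as the reply says, is CAfile, which is read as a host path and needs no hashed directory at all.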