[stunnel-users] client auth saga

Michal Trojnara Michal.Trojnara at mirt.net
Mon Aug 30 20:04:38 CEST 2004



On Monday 30 of August 2004 16:04, markzero at logik.ath.cx wrote:
> By the way, please don't lecture me on ssh'ing into
> machines as root, they are located on an isolated network
> and of course, all logging in as root is disabled when
> they are put into production. :)

IMHO the only good reason to avoid direct root logins is to provide 
accountability on systems with more than one administrator.
In other words I don't see any good reason to avoid direct root login
on systems with only one administrator.

> 	chroot = /var/stunnel
> 	CAfile = /certs/cacert.pem

CAfile is *not* relative to chroot.  8-)

> records# ls -al /var/stunnel/certs/
> lrwxr-xr-x  1 root      _stunnel    33 Aug 30 14:33 4410a4d9.0 ->
> /var/stunnel/certs/clientcert.pem
> -rw-------  1 _stunnel  _stunnel  1489 Aug 30 14:32 clientcert.pem

CApath *is* relative to chroot.  Your symlink won't work in the chroot jail.  8-)

I recommend using CAfile instead of CApath for simple configurations.
It doesn't need a hashed directory and is not relative to the chroot jail.

Best regards,
    Mike
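A check for the CApath-in-chroot problem Mike describes above, as an added example that is not part of the original thread or of stunnel itself: it resolves symlinks the way a process chrooted to /var/stunnel would (absolute targets are re-rooted under the jail, not the host) and rebuilds the post's directory layout in a temp dir. The corrected relative link `4410a4d9.1` and the placeholder certificate contents are constructed for the demo; the simpler fix remains using CAfile as recommended.

```python
import os
import tempfile
from typing import Dict, Optional

def resolve_in_chroot(chroot: str, jail_path: str, max_hops: int = 8) -> Optional[str]:
    """Resolve jail_path the way a process chrooted into `chroot` would.

    An absolute symlink target is re-rooted under the jail, not the host,
    which is why a link to /var/stunnel/certs/... is dangling once stunnel
    has chrooted to /var/stunnel.  Returns the host-side path of the final
    target, or None if it does not exist inside the jail.
    """
    chroot = os.path.abspath(chroot)
    cur = os.path.normpath(jail_path)
    for _ in range(max_hops):
        host = os.path.join(chroot, cur.lstrip("/"))
        if not os.path.islink(host):
            return host if os.path.exists(host) else None
        target = os.readlink(host)
        cur = os.path.normpath(target if os.path.isabs(target)
                               else os.path.join(os.path.dirname(cur), target))
    return None  # symlink loop or chain too deep

def check_capath(chroot: str, capath: str) -> Dict[str, bool]:
    """For every entry in the jail-relative CApath, report whether it
    resolves from inside the jail (True) or is dangling there (False)."""
    host_dir = os.path.join(os.path.abspath(chroot), capath.lstrip("/"))
    return {name: resolve_in_chroot(chroot, os.path.join(capath, name)) is not None
            for name in sorted(os.listdir(host_dir))}

def demo() -> Dict[str, bool]:
    """Rebuild the layout from the post under a temp dir (constructed data)."""
    chroot = tempfile.mkdtemp(prefix="stunnel-jail-")
    certs = os.path.join(chroot, "certs")
    os.makedirs(certs)
    with open(os.path.join(certs, "clientcert.pem"), "w") as f:
        f.write("placeholder, not a real certificate\n")
    # The symlink from the post: absolute host path, dangling inside the jail
    # (on the host it only resolves because /var/stunnel/certs exists there).
    os.symlink("/var/stunnel/certs/clientcert.pem", os.path.join(certs, "4410a4d9.0"))
    # Hypothetical corrected link: relative target, resolves inside the jail.
    os.symlink("clientcert.pem", os.path.join(certs, "4410a4d9.1"))
    return check_capath(chroot, "/certs")

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'resolves in jail' if ok else 'DANGLING in jail'}")
```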
