[stunnel-users] client auth saga

markzero at logik.ath.cx markzero at logik.ath.cx
Mon Aug 30 20:38:14 CEST 2004


On Mon, Aug 30, 2004 at 08:04:38PM +0200, Michal Trojnara wrote:
> On Monday 30 of August 2004 16:04, markzero at logik.ath.cx wrote:
> > By the way, please don't lecture me on ssh'ing into
> > machines as root, they are located on an isolated network
> > and of course, all logging in as root is disabled when
> > they are put into production. :)
> 
> IMHO the only good reason to avoid direct root logins is to provide 
> accountability on systems with more than one administrator.
> In other words I don't see any good reason to avoid direct root login
> on systems with only one administrator.

To be honest, I'm just generally paranoid. I'd rather have a prospective
attacker have to crack two passwords (the root and one wheel group) than
one. I thought I'd write the above just so I didn't get a big lecture,
hehe. :)

> 
> > 	chroot = /var/stunnel
> > 	CAfile = /certs/cacert.pem
> 
> CAfile is *not* relative to chroot.  8-)
> 
> > records# ls -al /var/stunnel/certs/
> > lrwxr-xr-x  1 root      _stunnel    33 Aug 30 14:33 4410a4d9.0 ->
> > /var/stunnel/certs/clientcert.pem
> > -rw-------  1 _stunnel  _stunnel  1489 Aug 30 14:32 clientcert.pem
> 
> CApath *is* relative to chroot.  Your symlink won't work in a chroot jail.  8-)
> 
> I recommend using CAfile instead of CApath for simple configurations.
> It doesn't need a hashed directory and is not relative to the chroot jail.

So something like:

CApath = /var/stunnel/certs

I'm paranoid that someone has been at my testing configs now. :) I previously
had a working setup, which worries me even further as I *did* use a symlink.

Thanks for the info, I'll give it a go soon. Perhaps I'll also start doing
minor backups of the test machines...

> 
> Best regards,
>     Mike
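A check for the chroot pitfall Michal describes (CAfile is opened on the host filesystem before chroot, while CApath and any symlinks inside it are looked up after chroot), written for this page as an added example; it is not stunnel's own code, and the minimal "key = value" config parsing and the jail layout it is run against are assumptions.

```shell
#!/bin/sh
# Added example: verify that an stunnel chroot config's CA settings still
# resolve once stunnel has chroot()ed. Assumes plain "key = value" lines.

# Print the value of KEY from an stunnel-style config FILE (first match).
conf_get() {  # conf_get FILE KEY
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1
}

# Return 0 if every symlink in CAPATH (as seen inside JAIL) points at a file
# that exists under JAIL. An absolute target such as /var/stunnel/certs/x.pem
# is looked up as JAIL/var/stunnel/certs/x.pem, which is what chroot does,
# so a link to the host path of the jail is dangling from inside the jail.
capath_ok() {  # capath_ok JAIL CAPATH
    jail=$1; dir="$1/$2"
    [ -d "$dir" ] || { echo "CApath $2 missing inside chroot $jail"; return 1; }
    dangling=0
    for link in "$dir"/*; do
        [ -L "$link" ] || continue
        target=$(readlink "$link")
        case $target in
            /*) resolved="$jail$target" ;;     # absolute: re-rooted at the jail
            *)  resolved="$dir/$target" ;;     # relative: same directory
        esac
        if [ ! -e "$resolved" ]; then
            echo "$link -> $target is dangling inside the jail"; dangling=1
        fi
    done
    return $dangling
}

# Check a whole config: CAfile against the host, CApath inside the jail.
check_conf() {  # check_conf FILE
    jail=$(conf_get "$1" chroot)
    cafile=$(conf_get "$1" CAfile)
    capath=$(conf_get "$1" CApath)
    rc=0
    if [ -n "$cafile" ] && [ ! -r "$cafile" ]; then
        echo "CAfile $cafile not readable on the host (it is NOT relative to chroot)"
        rc=1
    fi
    if [ -n "$capath" ]; then
        capath_ok "$jail" "$capath" || rc=1
    fi
    return $rc
}
```

Run it as `check_conf /etc/stunnel/stunnel.conf` before starting stunnel; a relative symlink (`ln -s clientcert.pem 4410a4d9.0`) passes, the absolute one from the listing above does not.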
