Hello Alexi,

Here is the way we use the scp method for data exchange:

1. On the CA machine, which has NO connection to the internet at all, I
set up a firewall rule to reject any connection to the CA regardless of
its source. The network interface is only brought up when there is a need
for a data exchange, and this process is initiated from the CA machine
(which requires someone to be physically present at the console of this
machine to do so); then the interface is brought down after that. This
process is automatic and OpenCA already does it for you (not the
firewall, though). This way no one not on the console of the CA can
access any of the CA services. I also DO NOT have an SSH server
installed on the CA, to eliminate the possibility of someone trying to
SSH into it during the brief moment that the CA connects to the RA
machine.


2. On the RA machine we do the following: we have 2 NIC cards. One
connects the machine to the internet and the other (private IP) connects
it to the CA machine. The one that connects to the RA will be
almost dead at all times except when there is an actual data exchange.



I hope you find this helpful.


Best regards,
Bahaa Al-amood
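
The procedure Bahaa describes (CA refuses every inbound connection, link comes up only for the copy, RA's private NIC is dead except for the CA), as an added example script that is not part of the original post and not OpenCA's own code. Everything concrete in it is an assumption: the CA-RA link is eth1 on both hosts, the CA is 10.0.0.1/24 and the RA 10.0.0.2 on it, the RA web user is "www", and the export/import directories are placeholders; adjust them to the real installation. The CA side assumes an SSH client only, no sshd.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenCA): the exchange
# procedure described above, CA side and RA side.
# Assumptions, all hypothetical: the CA-RA link is eth1 on both machines,
# the CA is 10.0.0.1/24 and the RA 10.0.0.2 on it, the web user on the RA
# is "www", and the export/import paths are the ones below. The CA runs
# only an SSH client, never sshd.
RUN="${RUN:-}"            # set RUN=echo to print the commands instead
IFACE="${IFACE:-eth1}"
CA_ADDR="${CA_ADDR:-10.0.0.1/24}"
CA_IP="${CA_ADDR%/*}"
RA_ADDR="${RA_ADDR:-10.0.0.2}"
RA_USER="${RA_USER:-www}"
EXPORT_DIR="${EXPORT_DIR:-/usr/local/OpenCA/var/tmp/export}"
RA_DROPBOX="${RA_DROPBOX:-/usr/local/OpenCA/var/tmp/import}"

# CA: refuse every inbound connection, from any source. Only packets that
# belong to a session the CA itself opened (the scp) are let back in.
ca_firewall() {
    $RUN iptables -P INPUT DROP
    $RUN iptables -F INPUT
    $RUN iptables -A INPUT -i lo -j ACCEPT
    $RUN iptables -A INPUT -i "$IFACE" -m state --state ESTABLISHED,RELATED -j ACCEPT
}

# CA: one exchange, started by the operator at the console. The link is
# up only for the duration of the copy and is taken down again even if
# scp fails (the scp exit status is still reported).
ca_exchange() {
    $RUN ip addr add "$CA_ADDR" dev "$IFACE"
    $RUN ip link set "$IFACE" up
    rc=0
    $RUN scp -o BatchMode=yes -o StrictHostKeyChecking=yes -r \
        "$EXPORT_DIR"/. "$RA_USER@$RA_ADDR:$RA_DROPBOX/" || rc=$?
    $RUN ip link set "$IFACE" down
    $RUN ip addr flush dev "$IFACE"
    return $rc
}

# RA: the private NIC accepts nothing but ssh from the CA's address; the
# internet-facing NIC keeps whatever policy the web server needs. No
# forwarding between the NICs, so the CA is not reachable through the RA.
ra_firewall() {
    $RUN iptables -P FORWARD DROP
    $RUN iptables -A INPUT -i "$IFACE" -s "$CA_IP" -p tcp --dport 22 -j ACCEPT
    $RUN iptables -A INPUT -i "$IFACE" -j DROP
}

# Run with ROLE=ca (at the CA console) or ROLE=ra. With ROLE unset the
# file only defines the functions, so it can be sourced or dry-run.
case "${ROLE:-}" in
    ca) ca_firewall && ca_exchange ;;
    ra) ra_firewall ;;
esac
```

Dry-run with `RUN=echo ROLE=ca sh exchange.sh` to see the exact command sequence before running it as root on the CA; on the RA, `ROLE=ra sh exchange.sh` installs only the private-NIC rules. The ESTABLISHED,RELATED rule on the CA is what lets the scp session's replies through while the default policy still drops every new inbound connection.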


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alexei
Chetroi
Sent: Monday, February 28, 2005 5:29 AM
To: [email protected]
Subject: [OpenCA-Devel] scp dataexchange

  Hi, 

  Point 9.1.2 in OpenCA's guide describes how to set up data exchange via
scp and public keys. While that setup may be OK if access to the CA
web interface is limited to localhost only, in other cases the private
key gets exposed via HTTP. IMHO we should mention that the home directory of
the www user shouldn't coincide with Apache's document root, or protect the .ssh
directory with a <Directory> directive in the httpd config.

  Also it may be wise, on the RA machine, to add the CA's ssh public key
to the authorized_keys file with the "from" option to limit its use to
certain IPs only.

  Best wishes,

PS: Am I too paranoid??? :)

--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law
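
Both of Alexei's suggestions in one added example script (not part of the original post, not OpenCA's code): an authorized_keys entry for the CA's key that is only usable from the CA's address and cannot open a tty or forward anything, a check that the www user's home (and so its .ssh directory) does not sit under DocumentRoot, and the <Directory> stanza that refuses to serve .ssh if it does. The address 10.0.0.1, the user "www", and the paths in the usage note are hypothetical; the authorized_keys option names are the classic OpenSSH ones (newer OpenSSH also accepts the single "restrict" option).

```shell
#!/bin/sh
# Added example (not from the original post or from OpenCA): RA-side
# hardening of the scp exchange. Assumptions, all hypothetical: the CA's
# address on the private link is 10.0.0.1 and the web server runs as user
# www. Option names are the classic OpenSSH authorized_keys options.

# Build an authorized_keys line that accepts the CA's key only when the
# connection comes from the given address (from= takes a host pattern),
# and refuses a tty and every kind of forwarding, so the key is good for
# copying files and nothing else.
restricted_key_line() {
    _from="$1"      # address or pattern for from=, e.g. 10.0.0.1
    _pubkey="$2"    # the "ssh-rsa AAAA... comment" line from the CA's id_rsa.pub
    printf 'from="%s",no-pty,no-port-forwarding,no-X11-forwarding,no-agent-forwarding %s\n' \
        "$_from" "$_pubkey"
}

# Return 0 if the web user's home directory lies inside DocumentRoot,
# i.e. if ~/.ssh and the private key in it would be reachable over HTTP.
home_under_docroot() {
    _home="$1"
    _docroot="${2%/}"       # tolerate a trailing slash on DocumentRoot
    case "$_home/" in
        "$_docroot"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# Print the httpd.conf stanza that refuses to serve the .ssh directory
# (Apache 1.3/2.0 access-control syntax; Apache 2.4 uses "Require all denied").
apache_deny_ssh_dir() {
    _home="$1"
    cat <<EOF
<Directory "$_home/.ssh">
    Order deny,allow
    Deny from all
</Directory>
EOF
}

# Check a web user: warn when the home is under DocumentRoot and print the
# stanza that closes the hole; returns 1 in that case so it can be scripted.
check_web_user() {
    _user="$1"; _docroot="$2"
    _home="$(getent passwd "$_user" 2>/dev/null | cut -d: -f6)"
    [ -n "$_home" ] || { echo "no such user: $_user" >&2; return 2; }
    if home_under_docroot "$_home" "$_docroot"; then
        echo "WARNING: $_user home $_home is inside DocumentRoot $_docroot" >&2
        apache_deny_ssh_dir "$_home"
        return 1
    fi
    echo "ok: $_user home $_home is outside DocumentRoot $_docroot"
}
```

Typical use on the RA: `restricted_key_line 10.0.0.1 "$(cat ca_id_rsa.pub)" >> ~www/.ssh/authorized_keys` installs the CA's key with the from= restriction, and `check_web_user www /var/www` tells you whether the www home needs the <Directory> stanza. The from= check is done by sshd on the source address of the TCP connection, so it complements rather than replaces a firewall rule on the private NIC.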


-------------------------------------------------------
SF email is sponsored by - The IT Product Guide
Read honest & candid reviews on hundreds of IT Products from real users.
Discover which products truly live up to the hype. Start reading now.
http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
_______________________________________________
OpenCA-Devel mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-devel


