Alexei Chetroi wrote:
On Mon, Feb 28, 2005 at 09:38:30AM -0500, Alamood, Bahaaldin wrote:

Date: Mon, 28 Feb 2005 09:38:30 -0500
From: "Alamood, Bahaaldin" <[EMAIL PROTECTED]>
To: [email protected]
Reply-To: [email protected]
Subject: RE: [OpenCA-Devel] scp dataexchange

Here is the way we use the scp method for data exchange:

1. On the CA machine, which has NO connection to the internet at all, I
set up a firewall rule to reject any connection to the CA regardless of
its source. The network interface is only brought up when there is a need.

[snip]

That's how a high-security CA should work, and I'd operate it the same way.
My point was that we should warn users about not exposing the ssh private
key. I think there are a lot of users who set up openca for testing
purposes. And if they use scp dataexchange in the same way as the guide
proposes, they may open a security hole.
why? since the ssh key is on the highly secured ca machine,
how should the key get exposed, and how should this become a security issue?

if one can access your ssh key on the ca machine, you have different problems than an insecure ssh connection for data exchange...

and by the way - if the ca is set up correctly, there should not be any open ports on the interface which is connected to a network or other machine, so there is no need for a separate firewall on the ca machine, since all packets get dropped by themselves, as there are no services running...


greetings dalini
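The two points raised in this thread (keep the CA's ssh private key from being exposed, and have nothing listening on the CA's network interface) are the kind of thing an operator can verify before bringing the interface up for an scp exchange. The script below is an added example written for this page; it is not OpenCA code and not part of the original thread. It assumes a POSIX shell on a Linux or BSD host with either GNU or BSD `stat`, and `ss` or `netstat` for the socket listing; the key path passed to it is whatever the operator uses.

```shell
#!/bin/sh
# Added example, not from the OpenCA thread: pre-flight checks for an
# offline CA host before an scp data exchange. All paths are assumptions.

# Return 0 if the private key exists, is a regular file and is readable by
# its owner only (mode 0600 or 0400); return 1 otherwise. A key readable by
# group or others is exactly the exposure the thread warns about.
check_key_perms() {
    key="$1"
    [ -f "$key" ] || return 1
    # GNU stat understands -c, BSD/macOS stat understands -f; try both.
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key" 2>/dev/null) || return 1
    case "$mode" in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# Print the local addresses of all listening TCP sockets, one per line.
# Prefers ss (iproute2); falls back to netstat where ss is absent.
listening_tcp() {
    if command -v ss >/dev/null 2>&1; then
        ss -Hltn 2>/dev/null | awk '{print $4}'
    elif command -v netstat >/dev/null 2>&1; then
        netstat -ltn 2>/dev/null | awk 'NR>2 && $1 ~ /^tcp/ {print $4}'
    fi
}

# Return 0 when nothing is listening on TCP (the "no services running"
# state described in the thread); return 1 and list the sockets otherwise.
check_no_listeners() {
    ports=$(listening_tcp)
    if [ -n "$ports" ]; then
        printf 'Listening TCP sockets found:\n%s\n' "$ports" >&2
        return 1
    fi
    return 0
}

# Run both checks; exit non-zero if either fails.
# Usage: preflight /path/to/ca_ssh_key   (path is an assumption)
preflight() {
    rc=0
    if check_key_perms "$1"; then
        echo "ok: $1 is owner-readable only"
    else
        echo "FAIL: $1 missing or readable by group/others" >&2
        rc=1
    fi
    if check_no_listeners; then
        echo "ok: no listening TCP sockets"
    else
        rc=1
    fi
    return $rc
}
```

Run `preflight /path/to/ca_ssh_key` on the CA host before the interface is brought up; a non-zero exit means either the key is readable by more than its owner or some service is already listening, and the exchange should not proceed until that is fixed.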

