>>>>> "AC" == Alexei Chetroi <[EMAIL PROTECTED]> writes:

AC> On Wed, Feb 07, 2007 at 12:12:44PM +0100, Joachim Schrod wrote:
>> Date: Wed, 7 Feb 2007 12:12:44 +0100
>> From: Joachim Schrod <[EMAIL PROTECTED]>
>> Reply-To: "Ideas, tips and discussions about OpenCA installation and
>> management." <[email protected]>
>> Subject: Re: [Openca-Users] CA to RA Synchronisation via scp fails
>>
>> >>>>> "AC" == Alexei Chetroi <[EMAIL PROTECTED]> writes:
>>
>> AC> Have you run this command locally as root user or as openca user? Make
AC> sure /var/www/.ssh/known_hosts actually contains RA host key and is
AC> readable by openca process, e.g. have root:openca perms. and 0640 access
AC> mode.
>>
>> Hmm, at my installation the ssh command is issued by the Web server
>> and not by the openca process. I.e., it suffices that the files are
>> readable by wwwrun (or whatever the Web server account is named
>> today).

AC> What version of openca are you using? AFAIK all of operations are done
AC> by the openca server and it is recommended to run openca process
AC> with uid different from the web server's. Web server only needs
AC> write access to the openca's socket. --with-openca-user and
AC> --with-httpd-user configure options names are a bit misguiding.

AC> With openca-user credentials, static stuff is installed so
AC> root:root 0644 permissions are recommended for it. With httpd-user
AC> credentials, files to which openca process should have access, not
AC> the http server.

I have to say that this is news for me; when I look at my system, you
are right, of course.

But to say that the option names are "a bit" misguiding is more than
an understatement. This is a severe error in the OpenCA documentation
which contradicts your (seemingly correct) statement. There, in
section 2.4.1 it explicitly states that --with-httpd-user shall be the
user of the webserver. And I would have never thought that an option
with this name would serve for other purposes.

And please note that the OP with the ssh problem has probably the same
configuration. Otherwise he would not have mentioned /var/www as the
home directory that he needs to configure. It would have been the home
directory /{var,home}/openca or something similar.

I have to say that in these small details, OpenCA is in dire need of
improvements. (Just like the many many typos in the Web interface, or
the session state losses when one changes between node and ?A
interface if they run on one system.)

Anyhow, thanks for this information; it is very appreciated,

        Joachim

--
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Joachim Schrod                          Email: [EMAIL PROTECTED]
Roedermark, Germany
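As an added example (not part of the thread and not OpenCA code): a Python check of the two conditions discussed above, that known_hosts names the RA host and that the account which actually runs ssh can read the file. Host names, key blobs and function names are constructed for illustration; wildcard patterns and marker lines are not evaluated.

```python
import base64, hashlib, hmac, os, stat

def hashed_name(host, salt):
    """Build the '|1|salt|hash' name OpenSSH stores when HashKnownHosts is on."""
    digest = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(digest).decode())

def host_in_known_hosts(text, host):
    """True if a key line names host, either in plain or in hashed form."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0][0] in "#@":
            continue  # blank, comment, malformed or marker line
        names = fields[0]
        if names.startswith("|1|"):
            parts = names.split("|")
            try:
                salt = base64.b64decode(parts[2])
            except (IndexError, ValueError):
                continue
            if names == hashed_name(host, salt):
                return True
        elif host in names.split(","):
            return True
    return False

def access_problems(path, uid, gids):
    """Judge from owner, group and mode bits whether account uid/gids can
    read path, and whether anyone but the owner can modify it."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        readable = mode & stat.S_IRUSR
    elif st.st_gid in gids:
        readable = mode & stat.S_IRGRP
    else:
        readable = mode & stat.S_IROTH
    problems = [] if readable else ["not readable by the given account"]
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("writable by group or others")
    return problems

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = "\n".join([
    "ra.example.org,192.0.2.10 ssh-ed25519 AAAA_CONSTRUCTED_KEY_1",
    hashed_name("ra2.example.org", b"constructed-salt") + " ssh-rsa AAAA_CONSTRUCTED_KEY_2",
])

if __name__ == "__main__":
    for name in ("ra.example.org", "ra2.example.org", "other.example.org"):
        print(name, host_in_known_hosts(SAMPLE, name))
```

Pass `access_problems` the uid and group ids of whichever account issues the ssh command on the system in question, since the thread shows that this may be either the web server account or the openca account.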
