On Sat, Nov 05, 2016 at 02:43:14AM +0100, Thomas Szteliga wrote:
> On 11/05/2016 01:56 AM, Rob McGee wrote:
> > At least 3 problems I see with that as it implies:
> > 1. that you have your CA on an openvpn server or client;
> > 2. that you will be running these scripts as root;
> > 3. that your CA is limited to use for openvpn.
> > #1 is the big one, because that promotes insecure user practices;
> > Slackbuilds.org MUST NOT do that.
>
> I'm aware. I have a separate, isolated VM just for generating
> CAs, keys and testing configs for multiple servers/clients.
Did you miss my post about this a few days back, in the original
thread about easy-rsa?  This violates another principle of
cryptographic software: that crypto requires a good source of random
data (entropy), and a VM has no good source of entropy.  If your
random data is predictable, your cryptography could be weak and
vulnerable to attack.

Yes, yes, I know in the real world that such attacks aren't going to
happen (a gov't would apply a $5 hammer to your head until you decide
to turn over the keys.)  But still, why not do it right?

> > Admittedly I have never been in the position of having to support
> > multiple servers, but I'd still only maintain a single CA for all
> > of them in any given organization.  If you need to restrict
> > access on any given server, use a --client-config-dir and
> > --ccd-exclusive (touch a file in the CCD for any permitted
> > client's commonName on that server instance.)
>
> I have individual CAs for each server, even when in a single
> organization, and of course if clients of a single server
> need individual settings, ccd's are used.

Okay, I still don't see the point in multiple CAs, but that's a choice
you can make which isn't "wrong" in some way.

[ /usr/share/easy-rsa ]
> > Hehe, actually I don't have any strong feelings against this
> > suggestion.  It's as good as any.
>
> I think /usr/doc/easy-rsa is way better than
> /usr/doc/easy-rsa-<VERSION>
> /usr/libexec somehow feels really wrong.

I don't think /usr/doc is an appropriate place to put the scripts, and
yes, /usr/libexec is wrong also.

> CentOS: /usr/share/easy-rsa/

Best idea so far.

> Archlinux: /etc/easy-rsa

Yuck, not in line with FHS.

> FreeBSD: /usr/local/share/easy-rsa

Not permitted by Slackbuilds.org policy nor FHS.  Note also that
FreeBSD != Linux, so they use different standards.

> >> and users will have to copy the contents of /usr/share/easyrsa
> >> to a writable location like /etc/openvpn/server/server1/easyrsa
> >
> > Eeek!  How about /home/ca/<name-of-CA> ?
>
> Oh no, really, a user for each CA? ;-)

You were the one who brought up the idea of multiple CAs.  I seriously
doubt very many OpenVPN users have those; if so, it suggests to me
that they misunderstood the basic ideas behind X.509 and certificate
authorities.

That said, for maximum security precautions with multiple CAs, yes,
different non-root users make sense.  Note that a compromise of a
CA's user account means the compromise of that CA.

> And just another fun-fact ;-)
>
> ~~~~
> If you are using Linux, BSD, or a unix-like OS, open a shell and cd
> to the easy-rsa subdirectory. If you installed OpenVPN from an RPM
> or DEB file, the easy-rsa directory can usually be found in
> /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn (it's

This is no longer correct since the split of easy-rsa from openvpn.

> best to copy this directory to another location such as
> /etc/openvpn, before any edits, so that future OpenVPN package

This was bad advice even then.  The people in the OpenVPN project
probably know this (at least I think the ones I know do), but they
haven't gotten around to fixing old documentation.  They're not the
only free software project with outdated documentation online.
(Another example is Slackware.com.)

> upgrades won't overwrite your modifications). If you installed from
> a .tar.gz file, the easy-rsa directory will be in the top level
> directory of the expanded source tree.
> ~~~~

And that's clearly outdated as well.

> Again:
>
> "it's best to copy this directory to another location such as
> /etc/openvpn" :-))))
>
>
> It's from the official howto:
> https://openvpn.net/index.php/open-source/documentation/howto.html

Wrong when that was written, and all these years later it's still
wrong.
-- 
  Rob McGee - /dev/rob0 - r...@slackbuilds.org
_______________________________________________
SlackBuilds-users mailing list
SlackBuilds-users@slackbuilds.org
http://lists.slackbuilds.org/mailman/listinfo/slackbuilds-users
Archives - https://lists.slackbuilds.org/pipermail/slackbuilds-users/
FAQ - https://slackbuilds.org/faq/
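The per-server access restriction Rob describes above (one CA for the organization, then --client-config-dir plus --ccd-exclusive on each server, with a file touched in the CCD for every commonName that server should accept) as an added POSIX shell example. This is not code from the thread, from OpenVPN, or from easy-rsa; the CCD_DIR path /etc/openvpn/ccd and the client names are assumed or constructed for the example.

```shell
#!/bin/sh
# Added example: maintain a per-server OpenVPN client allowlist via the CCD.
# With "ccd-exclusive" in server.conf, a connecting client whose certificate
# commonName has no matching file under client-config-dir is refused, so the
# CCD doubles as an allowlist even though every client shares one CA.
# CCD_DIR is an assumed path; override it in the environment if needed.
CCD_DIR="${CCD_DIR:-/etc/openvpn/ccd}"

# Only accept commonNames that are safe to use as a file name inside CCD_DIR:
# letters, digits, dot, dash and underscore; no slashes, no "." or "..".
valid_cn() {
    case "$1" in
        ''|*/*|.|..|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Permit a client on this server instance: touch its per-client file.
# touch (rather than truncating) keeps any per-client directives already there.
ccd_allow() {
    valid_cn "$1" || return 1
    mkdir -p "$CCD_DIR" || return 1
    touch "$CCD_DIR/$1"
}

# Withdraw a client's permission on this server: remove its file.
ccd_revoke() {
    valid_cn "$1" && rm -f "$CCD_DIR/$1"
}

# Report whether a commonName would pass the ccd-exclusive check.
ccd_allowed() {
    valid_cn "$1" && [ -f "$CCD_DIR/$1" ]
}

# The two server.conf directives that turn the CCD into an allowlist.
ccd_server_directives() {
    printf 'client-config-dir %s\nccd-exclusive\n' "$CCD_DIR"
}

# Demo when run as CCD_DEMO=1 ./this-script.sh (constructed names, temp dir).
if [ "${CCD_DEMO:-}" = 1 ]; then
    CCD_DIR=$(mktemp -d)
    ccd_allow alice && ccd_allow laptop-02
    echo "# server.conf fragment:"; ccd_server_directives
    for cn in alice bob laptop-02; do
        if ccd_allowed "$cn"; then echo "$cn: accepted"; else echo "$cn: refused"; fi
    done
fi
```

Each server instance keeps its own CCD_DIR, so the same CA-issued certificate can be accepted on one server and refused on another without touching the CA at all; revoking a client from one server is a file removal, and the validity check on the commonName stops a crafted name from escaping the directory.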