[Box Backup] Signing Server Certificate Fails.

Ben Summers boxbackup@fluffy.co.uk
Wed, 27 Oct 2004 20:52:02 +0100


On 27 Oct 2004, at 20:42, Martin Ebourne wrote:

> On Wed, 2004-10-27 at 20:02, ken wrote:
>> Hi Martin,
>>
>> That didn't work.  I did create user box before I installed the rpm since
>> the first time it said no user box using root.
>>
>> Ideas on the spec file?
>
> Ken,
>
> I saw your other posts, glad it is working. The user was the only error;
> it's a one-off creation thing and the RPM should all be fine from now
> on.
>
> Ben is right that following the instructions EXACTLY works, but even for
> a seasoned unix user I found them rather lengthy and complicated! I've
> tried to take away a little of the complexity with the RPM, but I'd
> still like to make it do more. I originally had it creating the config
> files but it had various problems so I removed that.

I'd be interested in any suggestions people might have about reducing 
the complexity of the install. I think the thing which gets most people 
is the certificate generation and all that copying of files around -- 
the other steps are quite simple as these things go.

The reason everything has to be signed is that certificates are used to 
authenticate client and server to each other, sort of like each side 
presenting a very secure password to each other.

An option might be an option to relax the authentication requirements, 
and use SSL only for obscuring the communications. A simple password 
could be used to authenticate the client to the server, and the client 
could just assume that the server is correct.

However, it's a bit of an effort to write, support and test this 
alternative method just to ease installation, and the result will be 
exactly the same, just less secure. Encouraging people to follow the 
instructions carefully does always work, and most of these instructions 
are tailored to your exact setup.

Thoughts, as ever, welcomed!

>
> As to the plan about keeping the CA on a machine not connected to the
> internet - well the only one I've got is my Psion, and even that's been
> connected on occasion! I suspect in these days of broadband and wireless
> routers very few people have machines not connected. And if an intruder
> hacks root on the client machine then all bets are off anyway. My CA is
> on the server in a 600-root only directory (/etc/box/ca in fact, just
> like yours).

Practically, a machine which is behind a NAT gateway and cannot accept 
incoming connections is as good as you're going to get. This is what I 
use. But then, it's all about making appropriate efforts to give the 
required level of security in a system.

Ben
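Certificate authentication in both directions, as Ben describes it above, shown in an added Go example that is not Box Backup's own code (the project drives OpenSSL from its scripts): one CA signs the server's and each client's certificate, and the relaxed client that "could just assume that the server is correct" is modelled with InsecureSkipVerify. The names box-ca, bbstored and client-1, and the self-signed impostor server, are assumptions made for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issue makes a key and certificate for name: self-signed when parent is nil, otherwise signed by parent's key (the "sign with the CA" step).
func issue(name string, isCA bool, parent *tls.Certificate) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign}
	signer, signKey := tmpl, interface{}(key) // self-signed unless a parent (the CA) is given
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
// accepts runs one TLS handshake over loopback and reports whether both sides took it: the genuine server insists on a client certificate signed by the CA, the client checks the server against the CA or just trusts it, and the impostor is a self-signed "bbstored".
func accepts(clientVerifies, clientHasCert, serverGenuine bool) bool {
	ca := issue("box-ca", true, nil) // the one CA both sides trust (what the mail keeps under /etc/box/ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool, Certificates: []tls.Certificate{issue("bbstored", false, &ca)}}
	if !serverGenuine {
		srv = &tls.Config{Certificates: []tls.Certificate{issue("bbstored", true, nil)}} // same name, no CA behind it
	}
	cli := &tls.Config{ServerName: "bbstored", RootCAs: pool, InsecureSkipVerify: !clientVerifies} // skipping == "assume the server is correct"
	if clientHasCert {
		cli.Certificates = []tls.Certificate{issue("client-1", false, &ca)}
	}
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", srv)
	defer ln.Close()
	done := make(chan error, 1)
	go func() { // server side: tls.Listen's Accept does not handshake by itself
		c, _ := ln.Accept()
		done <- c.(*tls.Conn).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err == nil { // a TLS 1.3 client finishes before the server has judged its certificate, so wait for that verdict
		err = <-done
		conn.Close()
	}
	return err == nil
}
```

With both certificates signed by the CA the handshake completes, a client without a certificate or a verifying client facing the impostor is refused, and only the client that skips verification accepts the impostor, which is exactly the gap the relaxed scheme would open.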