[Box Backup] Signing Server Certificate Fails.

Nigel Marsh boxbackup@fluffy.co.uk
Thu, 28 Oct 2004 10:35:40 +0100


I do not find the install and setup instructions complicated. What I do find 
though is that for a newcomer, a typical client install requires jumping from 
one page to another and then back. The docs on the web site are nicely 
separated by subject but, not by setup. If you had a page that just listed a 
client setup from start to finish, that may aleviate some of the problems 
that some folk are having. 

I find that having the backup keys and CA on my laptop in my /home/ca dir 
helps a lot. I have recently bought a usb memory stick and intend to start 
keeping it all on that for security. That will certainly keep it off the net.

Again, I have had zero problems with Box Backup and am very happy with the 
current setup.  I run clients successfully on Suse 9.1, Debian Sarge and 
Gentoo with the server on a Suse 9.1 box. I await with anticipation the 
emergence of clients for OSX and Windows.

As an aside. I have not seen this mentioned but just if anyone is interested. 
My clients are small businesses that tend to be between 5 and 100 employees 
that have one or two servers. All backup is done to our office over the net. 
As some of the larger clients are backing up, up to 100G, I keep a clone of 
the backup server on my laptop for initial backup on their own LAN.  The 
laptop backs up to a firewire drive and the client account and backed up data 
is then just copied to the server back at the office.  For this initial 
backup I edit the clients /etc/hosts file to tell it that the backup servers 
name resolves to the laptop on the local LAN and remove the entry once done.

Thanks for an excellent solution Ben.

Nige.


On Wednesday 27 Oct 2004 20:52, Ben Summers wrote:
> On 27 Oct 2004, at 20:42, Martin Ebourne wrote:
> > On Wed, 2004-10-27 at 20:02, ken wrote:
> >> Hi Martin,
> >>
> >> That didn't work.  I did create user box before I installed the rpm
> >> since
> >> the first time it said no user box using root.
> >>
> >> Ideas on the spec file?
> >
> > Ken,
> >
> > I saw your other posts, glad it is working. The user was the only
> > error;
> > it's a one off creation thing and the RPM should all be fine from now
> > on.
> >
> > Ben is right that following the instructions EXACTLY works, but even
> > for
> > a seasoned unix user I found them rather lengthy and complicated! I've
> > tried to take away a little of the complexity with the RPM, but I'd
> > still like to make it do more. I originally had it creating the config
> > files but it had various problems so I removed that.
>
> I'd be interested in any suggestions people might have about reducing
> the complexity of the install. I think the thing which gets most people
> is the certificate generation and all that copying of files around --
> the other steps are quite simple as these things go.
>
> The reason everything has to be signed is that certificates are used to
> authenticate client and server to each other, sort of like each side
> presenting a very secure password to each other.
>
> An option might be an option to relax the authentication requirements,
> and use SSL only for obscuring the communications. A simple password
> could be used to authenticate the client to the server, and the client
> could just assume that the server is correct.
>
> However, it's a bit of an effort to write, support and test this
> alternative method just to ease installation, and the result will be
> exactly the same just less secure. Encouraging people to follow the
> instructions carefully does always work, and most of these instructions
> are tailored to your exact setup.
>
> Thoughts, as ever, welcomed!
>
> > As to the plan about keeping the CA on a machine not connected to the
> > internet - well the only one I've got is my Psion, and even that's been
> > connected on occasion! I suspect in these days of broadband and
> > wireless
> > routers very few people have machines not connected. And if an intruder
> > hacks root on the client machine then all bets are off anyway. My CA is
> > on the server in a 600-root only directory (/etc/box/ca in fact, just
> > like yours).
>
> Practically, a machine which is behind a NAT gateway and cannot accept
> incoming connections is as good as you're going to get. This is what I
> use. But then, it's all about making appropriate efforts to give the
> required level of security in a system.
>
> Ben
>
> _______________________________________________
> boxbackup mailing list
> boxbackup@fluffy.co.uk
> http://lists.warhead.org.uk/mailman/listinfo/boxbackup

-- 
 Zoidberg: This letter has to be very personal, so I'm 
  writing it in my own ink.