11:03 p.m.
Hi
I am setting up my sync repl to use certificates, my problem is I don't
want to leave my private key for the server un encrypted.
the file pointed to by TLSCertificateKeyFile is is just read at slapd
load up time, ie can i unencrypt the file start slapd and then remove
the un encrypted file ?
Alex
11:20 p.m.
New subject: Fwd: tls private key
Hi
THought I would re ask, do certificates only get read at start up, I
store my cert's with password, can i unpassword protect and then start
slapd and then remove the unpassworded cert private file ?
will this be okay until such a time as slapd get restart ?
Alex
---------- Forwarded message ----------
From: Alex Samad <alex(a)samad.com.au>
Date: Sat, Jan 16, 2010 at 6:03 PM
Subject: tls private key
To: openldap-technical(a)openldap.org
Hi
I am setting up my sync repl to use certificates, my problem is I don't
want to leave my private key for the server un encrypted.
the file pointed to by TLSCertificateKeyFile is is just read at slapd
load up time, ie can i unencrypt the file start slapd and then remove
the un encrypted file ?
Alex
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktRZMcACgkQkZz88chpJ2MJYQCeIJ5FtSLGRpQJpr1Gco0NSjr8
VlYAnRmvR+YgJTplXoiX9Xsp+JgQH5VH
=iN8i
-----END PGP SIGNATURE-----
10:02 a.m.
Alexander,
I don't know if they only get read at startup or not... but it does bring up the
question: Why?
Protect the file with chmod 440 permissions (with root/root or ldap/ldap or whatever the
user/group you use to run slapd).
If there are others with root permission to this box that shouldn't or you don't
want to have access to these files - you /really should/ fix that issue first. Then trust
the file system permissions to do their job.
Sadly, I suspect though that you're dead set on keeping the certs password protected,
and won't be doing the above.
However, you could always just /try/ - if it works, then you know the answer. Just get
used to restarting/starting slapd being a needless PITA.
Thanks,
- chris
-----Original Message-----
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org
[mailto:openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org] On Behalf Of
Alexander Samad
Sent: Monday, March 22, 2010 11:21 PM
To: openldap-technical(a)openldap.org
Subject: Fwd: tls private key
Hi
THought I would re ask, do certificates only get read at start up, I store my cert's
with password, can i unpassword protect and then start slapd and then remove the
unpassworded cert private file ?
will this be okay until such a time as slapd get restart ?
Alex
---------- Forwarded message ----------
From: Alex Samad <alex(a)samad.com.au>
Date: Sat, Jan 16, 2010 at 6:03 PM
Subject: tls private key
To: openldap-technical(a)openldap.org
Hi
I am setting up my sync repl to use certificates, my problem is I don't want to leave
my private key for the server un encrypted.
the file pointed to by TLSCertificateKeyFile is is just read at slapd load up time, ie can
i unencrypt the file start slapd and then remove the un encrypted file ?
Alex
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktRZMcACgkQkZz88chpJ2MJYQCeIJ5FtSLGRpQJpr1Gco0NSjr8
VlYAnRmvR+YgJTplXoiX9Xsp+JgQH5VH
=iN8i
-----END PGP SIGNATURE-----
This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.
3:32 p.m.
On Wed, Mar 24, 2010 at 4:02 AM, Chris Jacobs
<Chris.Jacobs(a)apollogrp.edu> wrote:
Alexander,
Just Alex :) (getting used to google mail) Alexander reminds me of
being in trouble from the parents
I don't know if they only get read at startup or not... but it does bring up the
question: Why?
I would like to have another layer of protection on the machine /
certificates. I would have thought it would have been a quick and easy
question - yes I could go and read the src, but.
Protect the file with chmod 440 permissions (with root/root or ldap/ldap or whatever the
user/group you use to run slapd).
yep I do, root.openldap (debian)
If there are others with root permission to this box that shouldn't or you don't
want to have access to these files - you /really should/ fix that issue first. Then trust
the file system permissions to do their job.
so why allow for encrypted private keys :)
Sadly, I suspect though that you're dead set on keeping the certs password protected,
and won't be doing the above.
The above is already done.
However, you could always just /try/ - if it works, then you know the answer. Just get
used to restarting/starting slapd being a needless PITA.
not sure where you got the idea I haven't already done this ?
And I am note sure why its bad to look for another layer of security
Thanks,
- chris
-----Original Message-----
From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org
[mailto:openldap-technical-bounces+chris.jacobs=apollogrp.edu@OpenLDAP.org] On Behalf Of
Alexander Samad
Sent: Monday, March 22, 2010 11:21 PM
To: openldap-technical(a)openldap.org
Subject: Fwd: tls private key
Hi
THought I would re ask, do certificates only get read at start up, I store my cert's
with password, can i unpassword protect and then start slapd and then remove the
unpassworded cert private file ?
will this be okay until such a time as slapd get restart ?
Alex
---------- Forwarded message ----------
From: Alex Samad <alex(a)samad.com.au>
Date: Sat, Jan 16, 2010 at 6:03 PM
Subject: tls private key
To: openldap-technical(a)openldap.org
Hi
I am setting up my sync repl to use certificates, my problem is I don't want to leave
my private key for the server un encrypted.
the file pointed to by TLSCertificateKeyFile is is just read at slapd load up time, ie
can i unencrypt the file start slapd and then remove the un encrypted file ?
Alex
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAktRZMcACgkQkZz88chpJ2MJYQCeIJ5FtSLGRpQJpr1Gco0NSjr8
VlYAnRmvR+YgJTplXoiX9Xsp+JgQH5VH
=iN8i
-----END PGP SIGNATURE-----
This message is private and confidential. If you have received it in error, please notify
the sender and remove it from your system.
6:09 p.m.
Alex,
encrypting the private key really isn't necessary and I highly
doubt it would work for your application nor be worth the hassel.
Securing via file permisssions as mentioned previously is really the
best way to tackle this. Think of 'other layers of protection' being
firewalls, intrusion detection, restricted logins, chroot jails, etc.,
etc...
Encryption really works best for UDP like transportation like email
where you cannot guarantee the recipient is the only person able to
'see' the document ;)
On Mar 25, 2010, at 6:32 PM, Alexander Samad <alex(a)samad.com.au> wrote:
On Wed, Mar 24, 2010 at 4:02 AM, Chris Jacobs
<Chris.Jacobs(a)apollogrp.edu> wrote:
> Alexander,
Just Alex :) (getting used to google mail) Alexander reminds me of
being in trouble from the parents
>
> I don't know if they only get read at startup or not... but it does
> bring up the question: Why?
I would like to have another layer of protection on the machine /
certificates. I would have thought it would have been a quick and easy
question - yes I could go and read the src, but.
>
> Protect the file with chmod 440 permissions (with root/root or ldap/
> ldap or whatever the user/group you use to run slapd).
yep I do, root.openldap (debian)
>
> If there are others with root permission to this box that shouldn't
> or you don't want to have access to these files - you /really
> should/ fix that issue first. Then trust the file system
> permissions to do their job.
so why allow for encrypted private keys :)
>
> Sadly, I suspect though that you're dead set on keeping the certs
> password protected, and won't be doing the above.
The above is already done.
>
> However, you could always just /try/ - if it works, then you know
> the answer. Just get used to restarting/starting slapd being a
> needless PITA.
not sure where you got the idea I haven't already done this ?
And I am note sure why its bad to look for another layer of security
>
> Thanks,
> - chris
>
> -----Original Message-----
> From: openldap-technical-bounces+chris.jacobs=apollogrp.edu(a)OpenLDAP.org
> [mailto:openldap-technical-bounces
> +chris.jacobs=apollogrp.edu(a)OpenLDAP.org] On Behalf Of Alexander
> Samad
> Sent: Monday, March 22, 2010 11:21 PM
> To: openldap-technical(a)openldap.org
> Subject: Fwd: tls private key
>
> Hi
>
> THought I would re ask, do certificates only get read at start up,
> I store my cert's with password, can i unpassword protect and then
> start slapd and then remove the unpassworded cert private file ?
>
> will this be okay until such a time as slapd get restart ?
>
> Alex
>
>
> ---------- Forwarded message ----------
> From: Alex Samad <alex(a)samad.com.au>
> Date: Sat, Jan 16, 2010 at 6:03 PM
> Subject: tls private key
> To: openldap-technical(a)openldap.org
>
>
> Hi
>
>
> I am setting up my sync repl to use certificates, my problem is I
> don't want to leave my private key for the server un encrypted.
>
> the file pointed to by TLSCertificateKeyFile is is just read at
> slapd load up time, ie can i unencrypt the file start slapd and
> then remove the un encrypted file ?
>
> Alex
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAktRZMcACgkQkZz88chpJ2MJYQCeIJ5FtSLGRpQJpr1Gco0NSjr8
> VlYAnRmvR+YgJTplXoiX9Xsp+JgQH5VH
> =iN8i
> -----END PGP SIGNATURE-----
>
> This message is private and confidential. If you have received it
> in error, please notify the sender and remove it from your system.
>
>
>
6:44 p.m.
HI
On Fri, Mar 26, 2010 at 12:09 PM, Tyler Gates <tgates81(a)gmail.com> wrote:
Alex,
encrypting the private key really isn't necessary and I highly doubt it
would work for your application nor be worth the hassel. Securing via file
permisssions as mentioned previously is really the best way to tackle this.
Think of 'other layers of protection' being firewalls, intrusion detection,
restricted logins, chroot jails, etc., etc...
yep go those, firewalls, permissions etc.
I am not sure why every one is against me trying to use another layer
of protection, just because I permission it as root.root 440, doesn't
mean its safe. I could make it safer, but unecrypting the private key,
starting slapd and removing the unecrypted file.
Or thing of it another way, my private key could be on a usb key, that
i insert into the machine on start up and remove once slapd has
started.
I have seen secure machine compromised before, somebody installed cvs
forgot to change the cvs userid password, root hack and a remote user
had access to the system. Some times people do silly things
on my laptop - I encrypt the fs and the swap space and my gpg key have
userid/passwords and my certs have userid password protection, like to
do the same for my ldap setup as well :)
I understand the reasons for encrypting and signing packets or
information, just asking if slapd needs access to the private key
after it has read the file on startup.
Encryption really works best for UDP like transportation like email
where
you cannot guarantee the recipient is the only person able to 'see' the
document ;)
[snip]
4813
days inactive
4882
days old
openldap-technical@openldap.org
5 comments
4 participants
participants (4)
-
Alex Samad -
Alexander Samad
-
Chris Jacobs -
Tyler Gates