[Pkg-openssl-devel] Where should daemons put their RSA keyfiles?

Ian Beckwith ianb at nessie.mcc.ac.uk
Wed Jun 7 04:07:45 UTC 2006


Hi, thanks for the reply.

On Tue, May 30, 2006 at 10:14:42PM +0200, Christoph Martin wrote:
> Ian Beckwith schrieb:
> > Where should daemons store their RSA key files?
> 
> There is real policy for that.

Is the policy documented anywhere?

> You have two possibilities:
> 
> Ideally use /etc/ssl/certs for the certificate and /etc/ssl/private for
> the key. This would make the certificate possibly readable for all users
> and the key only readable for the service.

telnetd-ssl runs from inetd as user telnetd-ssl not root, so wouldn't
have rights to read keys from /etc/ssl/private (but see below about
ssl-cert).

> > but according to #368416, gnutls refuses to verify a remote certificate
> > once it hits an unreadable certificate in /etc/ssl/certs/.
> 
> I would consider this a bug in gnutls. There is no policy, that all
> files in /etc/ssl/certs must be readable for all applications.

This has been reported (by the same person who reported the
netkit-telnet-ssl bug) as #368421.

> > Looking at my sid system, this would mean that the telnetd user would
> > have to be a member of the ssl-cert group. Would that cause any
> > problems, security or otherwise?
> 
> Oops. Why is that?

On investigation, this is because I have the ssl-cert package installed.
The ssl-cert package postinst sets permissions to:

drwx--x--- 2 root ssl-cert 4096 May  5 16:38 /etc/ssl/private/

> > Would something under (for example) /etc/telnetd-ssl/ be a better location?
> 
> You could use this directory and solve your problems. You don't need to
> publish the certificate for telnetd, do you?

erm, I don't know, are there any setups in which that would make sense?

So it looks like I have three options. Which do you recommend?

1: depend on ssl-cert, use /etc/ssl/private/
2: use /etc/telnetd-ssl
3: leave things where they are, close the bug and let the gnutls people sort it out.

If I move the key, should I leave the cert in /etc/ssl/certs or keep
them together in the same file?

thanks,

Ian.

-- 
Ian Beckwith - ianb at nessie.mcc.ac.uk - http://nessie.mcc.ac.uk/~ianb/
GPG fingerprint: AF6C C0F1 1E74 424B BCD5  4814 40EC C154 A8BA C1EA
Listening to: Orb - Uforb - Oobe
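As an added illustration (not part of Ian's or Christoph's mail), a small POSIX sh audit of the layout Christoph describes: the key directory and the key closed to "other", the key's group set to the group the daemon user is expected to join (ssl-cert in this thread, a parameter here), and the certificate world-readable. It assumes GNU coreutils stat (-c format).

```shell
#!/bin/sh
# Added example, not from the thread: check that a daemon's key and cert
# follow the /etc/ssl/private (group-restricted) / /etc/ssl/certs (public)
# split discussed above. Assumes GNU coreutils `stat -c`.

# "other" permission digit of a path (0-7), e.g. 0 for 640 or 710.
other_bits() {
    mode=$(stat -c '%a' "$1")
    echo $(( mode % 10 ))
}

# check_key_dir DIR: the key directory must not be reachable by "other"
# (ssl-cert's postinst uses drwx--x--- root:ssl-cert, i.e. 710).
check_key_dir() {
    dir=$1
    [ -d "$dir" ] || { echo "missing key dir: $dir"; return 1; }
    if [ "$(other_bits "$dir")" -ne 0 ]; then
        echo "$dir: accessible to other users (mode $(stat -c '%a' "$dir"))"
        return 1
    fi
}

# check_private_key KEY GROUP: no "other" bits at all, and the group must be
# GROUP so that only the service user (a member of GROUP) can read the key.
check_private_key() {
    key=$1; group=$2
    [ -f "$key" ] || { echo "missing key: $key"; return 1; }
    if [ "$(other_bits "$key")" -ne 0 ]; then
        echo "$key: readable by other users (mode $(stat -c '%a' "$key"))"
        return 1
    fi
    grp=$(stat -c '%G' "$key")
    if [ "$grp" != "$group" ]; then
        echo "$key: group is $grp, expected $group"
        return 1
    fi
}

# check_public_cert CERT: a certificate in /etc/ssl/certs is expected to be
# world-readable (the gnutls bug above is triggered by unreadable entries).
check_public_cert() {
    cert=$1
    [ -f "$cert" ] || { echo "missing cert: $cert"; return 1; }
    if [ $(( $(other_bits "$cert") & 4 )) -eq 0 ]; then
        echo "$cert: not world-readable (mode $(stat -c '%a' "$cert"))"
        return 1
    fi
}

# Usage: sh audit.sh KEYDIR KEYFILE GROUP CERTFILE
if [ "$#" -eq 4 ]; then
    check_key_dir "$1" && check_private_key "$2" "$3" && check_public_cert "$4" \
        && echo "layout ok"
fi
```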
