[Pkg-openssl-devel] Where should daemons put their RSA keyfiles?

Christoph Martin martin at uni-mainz.de
Tue May 30 20:14:42 UTC 2006


Hi Ian,

Ian Beckwith wrote:
> Where should daemons store their RSA key files?

There is real policy for that. You have two possibilities:

Ideally use /etc/ssl/certs for the certificate and /etc/ssl/private for
the key. This would make the certificate possibly readable for all users
and the key only readable for the service.

But in my opinion it is perfectly OK to put the combined file in the
certs directory and make the file only readable for the daemon, or not
readable for users. A lot of the system daemons like imapd etc. use
this scheme.

Or use your own directory for the certificate and key. Like apache does it.

> telnetd-ssl stores both cert and key in /etc/ssl/certs/telnetd.pem:
> 
> -rw-r----- 1 root telnetd-ssl 2103 Jul 13  2005 /etc/ssl/certs/telnetd.pem
> 
> but according to #368416, gnutls refuses to verify a remote certificate
> once it hits an unreadable certificate in /etc/ssl/certs/.

I would consider this a bug in gnutls. There is no policy that all
files in /etc/ssl/certs must be readable for all applications.

> So, I need to split the .pem file in telnetd-ssl postinst and move the
> RSA key to somewhere else. Where would be best?
> Is /etc/ssl/private/ appropriate or is that reserved for some other purpose?

Yes. See above.

> Looking at my sid system, this would mean that the telnetd user would
> have to be a member of the ssl-cert group. Would that cause any
> problems, security or otherwise?

Oops. Why is that?

> Would something under (for example) /etc/telnetd-ssl/ be a better location?

You could use this directory and solve your problems. You don't need to
publish the certificate for telnetd, do you?

> Alternatively, is the current situation ok and should I instead bug
> the gnutls people to fix this behaviour?

But to gnutls. See above.

> It appears several other packages have this problem (from a quick
> skim, at least bincimap, ejabberd, linux-ftpd-ssl, sslwrap and
> uw-imap) When I find out what the right thing to do is, I'll file
> bugs on those packages.

Ok.

Christoph

-- 
============================================================================
Christoph Martin, EDV der Verwaltung, Uni-Mainz, Germany
 Internet-Mail:  Christoph.Martin at Verwaltung.Uni-Mainz.DE
  Telefon: +49-6131-3926337
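The split that Ian describes for the telnetd-ssl postinst (certificate stays world-readable, key moves out of /etc/ssl/certs so gnutls never trips over an unreadable file there) as an added example script; it is not from telnetd-ssl or any Debian package, and the PEM content it writes is a constructed placeholder, not real key material. The group name and output paths are parameters, so the same helper serves the /etc/ssl/private layout or a package-private directory such as /etc/telnetd-ssl/.

```shell
#!/bin/sh
# Split a combined "certificate + key" PEM into two files with the right modes.
set -eu

# split_pem COMBINED CERT_OUT KEY_OUT [KEY_GROUP]
#   CERT_OUT -> 0644; KEY_OUT -> 0640 root:KEY_GROUP when run as root
#   (e.g. ssl-cert or the daemon's own group), 0600 otherwise.
split_pem() {
    combined=$1; cert_out=$2; key_out=$3; key_group=${4:-}
    # Restrictive umask: the key file is never world-readable, not even briefly.
    (
        umask 077
        awk -v cert="$cert_out" -v key="$key_out" '
            /^-----BEGIN .*PRIVATE KEY-----/ { inkey = 1 }
            inkey {
                print > key
                if ($0 ~ /^-----END .*PRIVATE KEY-----/) inkey = 0
                next
            }
            { print > cert }' "$combined"
    )
    # Refuse to continue if either half is missing from the input.
    [ -s "$cert_out" ] && [ -s "$key_out" ] || return 1
    chmod 0644 "$cert_out"
    if [ "$(id -u)" = 0 ] && [ -n "$key_group" ]; then
        chown "root:$key_group" "$key_out"
        chmod 0640 "$key_out"
    else
        chmod 0600 "$key_out"
    fi
}

# key_is_private FILE: succeeds only if FILE is not readable by "other".
key_is_private() {
    [ -f "$1" ] && [ -z "$(find "$1" -perm -004)" ]
}

# make_sample_pem OUT: constructed placeholder combined PEM (not real key
# material), in the cert-then-key order telnetd-ssl uses.
make_sample_pem() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQ0VSVA==
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItS0VZ
-----END RSA PRIVATE KEY-----
EOF
}
```

Run as root with a fourth argument (for example `split_pem /etc/ssl/certs/telnetd.pem /etc/ssl/certs/telnetd.pem.new /etc/ssl/private/telnetd.key telnetd-ssl`) to get the 0640 root:group key the thread discusses; without root it falls back to 0600.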
