[Slackbuilds-users] Easy-rsa package (from OpenVPN) on SBo
Rob McGee
rob0 at slackbuilds.org
Wed Nov 2 15:47:07 UTC 2016
On Wed, Nov 02, 2016 at 01:38:16PM +0000, Sebastian Arcus wrote:
> OpenVPN used to include scripts to manage certificate authorities,
> keys and certificates. These were bundled under the easy-rsa
> scripts, in /usr/share/docs/openvpn/easy-rsa - if I remember
> correctly, in Slackware.
>
> At some point in time, the OpenVPN maintainers decided to spin them
> off separately (https://github.com/OpenVPN/easy-rsa) - and from
> that moment on, they disappeared from Slackware. As this is only
> (relatively) easy way I'm aware of generating a CA for Openvpn,
> together with corresponding server and client certificates and
> keys, ...
The idea of generating a key anywhere other than on the client who
would be using it was part of the "easy" in easy-rsa, but it is
incorrect from a security perspective. Users should generate their
own key and CSR (certificate signing request), and send the CA only
the CSR. The key should be securely maintained and not sent via
insecure means.
> I've asked several times on LQ if they could be included back
> in Slackware - without success.
Did you try emailing Pat directly? He might not see some things
posted on LQ.
> I'm thinking of making an easy-rsa package for SBo, to make it easy
> to add them back to Slackware. What do people think? Good idea, bad
When you install such a thing to a location writable only by root,
people get the bad idea to run it as root. Worse, they often run it
on the OpenVPN server itself. Then some others get the harebrained
idea to put easy-rsa on a VM ... uh, no! Cryptography requires
entropy (random data), and a VM has no means of getting entropy.
None of these caveats say that SBo should not have a build for
easy-rsa; just perhaps that a good stern README should be added
(maybe the upstream one covers all this?)
I have run my CA in a dedicated user account on a physical machine
which is not a VPN client nor server. (No, I am not suggesting we
should add a UID/GID for easy-rsa, but rather that this is one of
several ways to DTRT.)
> idea? Maybe they are redundant and there are other tools in place
> already doing this job?
They are just scripts which wrap around openssl commands. It's
possible (albeit not easy, BTDT) to read them and figure out what
they're doing.
--
Rob McGee - /dev/rob0 - rob0 at slackbuilds.org
More information about the SlackBuilds-users
mailing list