[Slackbuilds-users] Best place to install the EasyRSA scripts?

Rob McGee rob0 at slackbuilds.org
Sat Nov 5 00:56:32 UTC 2016


On Fri, Nov 04, 2016 at 11:23:06PM +0100, Thomas Szteliga wrote:
> On 11/04/2016 12:02 PM, Sebastian Arcus wrote:
> > I am making the SBo scripts for EasyRSA, and I need to decide 
> > where they will be installed. Before they were removed from 
> > Slackware - when they were part of Openvpn, I think they used to 
> > go under /usr/share/doc/openvpn. However, it seems a bit strange 
> > to install a package in the directory of another package. Maybe 
> > /usr/share/doc/easyrsa instead? However, they are sample scripts 
> > - not really documentation. According to Linux filesystem 
> > standards, would there be a better place? Maybe /usr/share 
> > directly, or /usr/lib or something?
> 
> It was very handy to have them in /etc/openvpn/...

Eeek!  Why?

At least 3 problems I see with that as it implies:
  1. that you have your CA on an openvpn server or client;
  2. that you will be running these scripts as root;
  3. that your CA is limited to use for openvpn.

#1 is the big one, because that promotes insecure user practices; 
Slackbuilds.org MUST NOT do that.

> EasyRSA scripts will create keys in the `keys` subdir,
> so /usr/share and /usr/doc are probably not the best location
> without patching KEY_DIR in easyrsa/*/vars to point
> to a more reasonable location
> 
> 	export KEY_DIR="$EASY_RSA/keys"
> 
> But this still should not be an absolute path,
> because when you're running multiple openvpn servers
> you would normally have something like:
> 
> /etc/openvpn/server/server1/easyrsa/*/keys
> /etc/openvpn/server/server2/easyrsa/*/keys
> /etc/openvpn/server/server3/easyrsa/*/keys

Ewww, really, why?

First thing, see above.  Also a server only needs ITS OWN KEY, it 
does not need (and should not have!) any other keys.

Admittedly I have never been in the position of having to support 
multiple servers, but I'd still only maintain a single CA for all of 
them in any given organization.  If you need to restrict access on 
any given server, use a --client-config-dir and --ccd-exclusive 
(touch a file in the CCD for any permitted client's commonName on 
that server instance.)

> and a patched KEY_DIR would place all keys by default
> in one directory. That's not what you want (with multiple servers).
> 
> 
> So after rethinking this my suggestion is:
> 
> 
>  /usr/share/easyrsa without patching KEY_DIR (keys placed in subdir)

Hehe, actually I don't have any strong feelings against this 
suggestion.  It's as good as any.

> and users will have to copy the contents of /usr/share/easyrsa
> to a writable location like /etc/openvpn/server/server1/easyrsa

Eeek!  How about /home/ca/<name-of-CA> ?
-- 
    Rob McGee - /dev/rob0 - rob0 at slackbuilds.org
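The layout Rob argues for above (the CA in its own non-root account's home rather than on an OpenVPN host, and per-server client restriction via --client-config-dir plus --ccd-exclusive) sketched as a small POSIX sh helper. This is an added example, not code from the thread, from EasyRSA or from SlackBuilds.org; the function names, the /home/ca default base directory and the CCD path are assumptions, and the only EasyRSA detail it relies on is the `keys` subdirectory named in the thread:

```sh
#!/bin/sh
# Added example (not from the mailing-list thread): models the separation
# Rob recommends.  Assumed names: make_ca_workdir, permit_client, ccd_allows,
# server_conf_fragment; assumed default CA base directory /home/ca.

# Copy the packaged, read-only EasyRSA scripts into a private working copy
# owned by a dedicated CA account.  $1 = packaged dir (e.g. /usr/share/easyrsa),
# $2 = CA name, $3 = optional base dir (default /home/ca).  Prints the new path.
make_ca_workdir() {
    src=$1; name=$2; base=${3:-/home/ca}
    dest="$base/$name"
    [ -d "$src" ] || { echo "source $src missing" >&2; return 1; }
    [ -e "$dest" ] && { echo "$dest already exists, refusing to overwrite" >&2; return 1; }
    # Running the CA as root is what the thread warns against; warn, do not block.
    [ "$(id -u)" -eq 0 ] && echo "warning: create and use the CA as an unprivileged user" >&2
    mkdir -p "$dest"
    cp -R "$src"/. "$dest"/
    mkdir "$dest/keys"            # where the unpatched KEY_DIR="$EASY_RSA/keys" lands
    chmod 700 "$dest" "$dest/keys" # private key material: owner-only access
    echo "$dest"
}

# Permit one client commonName on one server instance: with --ccd-exclusive,
# a client connects only if a file named after its CN exists in the CCD.
# $1 = client-config-dir, $2 = commonName.
permit_client() {
    ccd=$1; cn=$2
    mkdir -p "$ccd"
    : > "$ccd/$cn"
}

# Emulate the --ccd-exclusive decision for a given CN: 0 = allowed, 1 = rejected.
ccd_allows() {
    [ -f "$1/$2" ]
}

# Emit the server.conf fragment that turns the restriction on for one instance.
# $1 = client-config-dir path.  The server still holds only ITS OWN key.
server_conf_fragment() {
    cat <<EOF
client-config-dir $1
ccd-exclusive
EOF
}
```

Each OpenVPN server instance keeps its own CCD directory (one file per permitted client), and the CA working copy never needs to exist on any of the servers; the servers only receive the certificates the CA signs.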

