[Slackbuilds-users] Best place to install the EasyRSA scripts?
Thomas Szteliga
ts at websafe.pl
Sat Nov 5 01:43:14 UTC 2016
On 11/05/2016 01:56 AM, Rob McGee wrote:
> At least 3 problems I see with that as it implies:
> 1. that you have your CA on an openvpn server or client;
> 2. that you will be running these scripts as root;
> 3. that your CA is limited to use for openvpn.
> #1 is the big one, because that promotes insecure user practices;
> Slackbuilds.org MUST NOT do that.
I'm aware. I have a separate, isolated VM just for generating
CAs, keys and testing configs for multiple servers/clients.
> Admittedly I have never been in the position of having to support
> multiple servers, but I'd still only maintain a single CA for all of
> them in any given organization. If you need to restrict access on
> any given server, use a --client-config-dir and --ccd-exclusive
> (touch a file in the CCD for any permitted client's commonName on
> that server instance.)
I have individual CAs for each server, even within a single
organization, and of course, if clients of a single server
need individual settings, ccd's are used.
> Hehe, actually I don't have any strong feelings against this
> suggestion. It's as good as any.
I think /usr/doc/easy-rsa is way better than /usr/doc/easy-rsa-<VERSION>.
/usr/libexec somehow feels really wrong.
CentOS: /usr/share/easy-rsa/
Archlinux: /etc/easy-rsa
FreeBSD: /usr/local/share/easy-rsa
>> and users will have to copy the contents of /usr/share/easyrsa
>> to a writable location like /etc/openvpn/server/server1/easyrsa
> Eeek! How about /home/ca/<name-of-CA> ?
Oh no, really, a user for each CA? ;-)
And just another fun-fact ;-)
~~~~
If you are using Linux, BSD, or a unix-like OS, open a shell and cd to
the easy-rsa subdirectory. If you installed OpenVPN from an RPM or DEB
file, the easy-rsa directory can usually be found in
/usr/share/doc/packages/openvpn or /usr/share/doc/openvpn (it's best to
copy this directory to another location such as /etc/openvpn, before any
edits, so that future OpenVPN package upgrades won't overwrite your
modifications). If you installed from a .tar.gz file, the easy-rsa
directory will be in the top level directory of the expanded source tree.
~~~~
Again:
"it's best to copy this directory to another location such as
/etc/openvpn" :-))))
It's from the official howto:
https://openvpn.net/index.php/open-source/documentation/howto.html
--
Thomas Szteliga
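The --client-config-dir / --ccd-exclusive arrangement Rob describes above, as an added example that is not part of the original post or of the easy-rsa/OpenVPN projects. It writes the two server directives into a config fragment and creates one (empty) ccd file per permitted client, then mirrors the accept/reject decision ccd-exclusive makes at connect time. The directory under mktemp, the fragment name server1.conf and the client names alice/bob are constructed for the example; a real deployment would use the server's own config file and ccd path.

```shell
#!/bin/sh
# Added example (not from the mailing-list post): per-server client
# restriction with client-config-dir + ccd-exclusive, laid out in a
# temporary directory instead of a real /etc/openvpn. All paths and
# client names below are constructed.

set -eu

# Write a minimal server-side fragment that enables per-client config
# files and refuses any client that has no file there (ccd-exclusive).
write_server_fragment() {
    conf="$1"; ccd_dir="$2"
    cat > "$conf" <<EOF
# per-client configuration directory; file name == certificate commonName
client-config-dir $ccd_dir
# reject clients whose commonName has no file in the directory above
ccd-exclusive
EOF
}

# Permit a client on this server instance by creating its ccd file.
# The file may stay empty or carry per-client directives (e.g. ifconfig-push).
permit_client() {
    ccd_dir="$1"; cn="$2"
    mkdir -p "$ccd_dir"
    : > "$ccd_dir/$cn"
}

# Mirror of the decision ccd-exclusive enforces: a client whose commonName
# has no ccd file is rejected even though its certificate chains to the CA.
# Returns 0 (permitted) or 1 (rejected).
is_permitted() {
    ccd_dir="$1"; cn="$2"
    [ -f "$ccd_dir/$cn" ]
}

WORK=$(mktemp -d)
CCD="$WORK/ccd"
write_server_fragment "$WORK/server1.conf" "$CCD"
permit_client "$CCD" "alice"

is_permitted "$CCD" "alice" && echo "alice: permitted on server1"
is_permitted "$CCD" "bob" || echo "bob: rejected (valid cert, no ccd file)"

cat "$WORK/server1.conf"
rm -rf "$WORK"
```

The point of the arrangement is that a single CA can sign every client while each server instance decides locally which commonNames it accepts, so revoking a client from one server is just removing its ccd file there, without touching the CA.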