[Slackbuilds-users] Best place to install the EasyRSA scripts?
Rob McGee
rob0 at slackbuilds.org
Sat Nov 5 18:24:10 UTC 2016
On Sat, Nov 05, 2016 at 02:43:14AM +0100, Thomas Szteliga wrote:
> On 11/05/2016 01:56 AM, Rob McGee wrote:
> > At least 3 problems I see with that as it implies:
> > 1. that you have your CA on an openvpn server or client;
> > 2. that you will be running these scripts as root;
> > 3. that your CA is limited to use for openvpn.
> > #1 is the big one, because that promotes insecure user practices;
> > Slackbuilds.org MUST NOT do that.
>
> I'm aware. I have a separate, isolated VM just for generating
> CAs, keys and testing configs for multiple servers/clients.
Did you miss my post about this a few days back, in the original
thread about easy-rsa? This violates another principle of
cryptographic software: that crypto requires a good source of random
data (entropy), and a VM has no good source of entropy.
If your random data is predictable, your cryptography could be weak
and vulnerable to attack.
Yes, yes, I know in the real world that such attacks aren't going to
happen (a gov't would apply a $5 hammer to your head until you decide
to turn over the keys.) But still, why not do it right?
> > Admittedly I have never been in the position of having to support
> > multiple servers, but I'd still only maintain a single CA for all
> > of them in any given organization. If you need to restrict
> > access on any given server, use a --client-config-dir and
> > --ccd-exclusive (touch a file in the CCD for any permitted
> > client's commonName on that server instance.)
>
> I have individual CAs for each server, even when in a single
> organization, and of course if clients of a single server
> need individual settings, ccd's are used.
Okay, I still don't see the point in multiple CAs, but that's a
choice you can make which isn't "wrong" in some way.
[ /usr/share/easy-rsa ]
> > Hehe, actually I don't have any strong feelings against this
> > suggestion. It's as good as any.
>
> I think /usr/doc/easy-rsa is way better than
> /usr/doc/easy-rsa-<VERSION>. /usr/libexec somehow feels really
> wrong.
I don't think /usr/doc is an appropriate place to put the scripts,
and yes, /usr/libexec is wrong also.
> CentOS: /usr/share/easy-rsa/
Best idea so far.
> Archlinux: /etc/easy-rsa
Yuck, not in line with FHS.
> FreeBSD: /usr/local/share/easy-rsa
Not permitted by Slackbuilds.org policy nor FHS. Note also that
FreeBSD != Linux, so they use different standards.
> >> and users will have to copy the contents of /usr/share/easyrsa
> >> to a writable location like /etc/openvpn/server/server1/easyrsa
> > Eeek! How about /home/ca/<name-of-CA> ?
>
> Oh no, really, a user for each CA? ;-)
You were the one who brought up the idea of multiple CAs. I
seriously doubt very many OpenVPN users have those; if so, it
suggests to me that they misunderstood the basic ideas behind X.509
and certificate authorities.
That said, for maximum security precautions with multiple CAs, yes,
different non-root users make sense. Note that a compromise of a
CA's user account means the compromise of that CA.
> And just another fun-fact ;-)
>
> ~~~~
> If you are using Linux, BSD, or a unix-like OS, open a shell and cd
> to the easy-rsa subdirectory. If you installed OpenVPN from an RPM
> or DEB file, the easy-rsa directory can usually be found in
> /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn (it's
This is no longer correct since the split of easy-rsa from openvpn.
> best to copy this directory to another location such as
> /etc/openvpn, before any edits, so that future OpenVPN package
This was bad advice even then. The people in OpenVPN project
probably know this (at least I think the ones I know do), but they
haven't gotten around to fixing old documentation. They're not the
only free software project with outdated documentation online.
(Another example is Slackware.com.)
> upgrades won't overwrite your modifications). If you installed from
> a .tar.gz file, the easy-rsa directory will be in the top level
> directory of the expanded source tree.
> ~~~~
And that's clearly outdated as well.
> Again:
>
> "it's best to copy this directory to another location such as
> /etc/openvpn" :-))))
>
>
> It's from the official howto:
> https://openvpn.net/index.php/open-source/documentation/howto.html
Wrong when that was written, and all these years later it's still
wrong.
--
Rob McGee - /dev/rob0 - rob0 at slackbuilds.org
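The per-server allow-list Rob describes above (client-config-dir plus ccd-exclusive, with one file per permitted commonName), as an added example that is not part of this thread or of OpenVPN's own code; the directory layout under a temporary base path is assumed, and the permitted client names are constructed.

```shell
#!/bin/sh
# Added example: restrict which certificates a given OpenVPN server instance
# accepts, without touching the CA, by turning the CCD into an allow-list.
set -eu

# Constructed paths; a real deployment would use something like
# /etc/openvpn/server1/ccd next to that instance's config.
BASE="${BASE:-$(mktemp -d)}"
CCD="$BASE/ccd"
CONF="$BASE/server.conf"

# Create the CCD and one (empty) file per permitted client commonName.
setup_ccd() {
    mkdir -p "$CCD"
    for cn in "$@"; do
        : > "$CCD/$cn"      # an empty file is enough to permit this CN
    done
}

# The two server directives that make the CCD exclusive: without
# ccd-exclusive a missing CCD file only means "no per-client options",
# with it the client is rejected even though its certificate is valid.
write_server_conf() {
    cat > "$CONF" <<EOF
client-config-dir $CCD
ccd-exclusive
EOF
}

# Mirror of the decision the server makes: permitted iff a CCD file
# exists for the certificate's commonName. Names containing a path
# separator are refused outright so a CN can never escape the CCD.
ccd_permits() {
    case "$1" in
        */*) return 1 ;;
    esac
    [ -f "$CCD/$1" ]
}

# Guard against the most common mistake: ccd-exclusive enabled with an
# empty CCD, which locks every client out. Prints the permitted count.
count_permitted() {
    find "$CCD" -maxdepth 1 -type f | wc -l | tr -d ' '
}

setup_ccd alice-laptop bob-phone
write_server_conf
```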