[Slackbuilds-users] Best place to install the EasyRSA scripts?
Rob McGee
rob0 at slackbuilds.org
Sat Nov 5 00:56:32 UTC 2016
On Fri, Nov 04, 2016 at 11:23:06PM +0100, Thomas Szteliga wrote:
> On 11/04/2016 12:02 PM, Sebastian Arcus wrote:
> > I am making the SBo scripts for EasyRSA, and I need to decide
> > where they will be installed. Before they were removed from
> > Slackware - when they were part of Openvpn, I think they used to
> > go under /usr/share/doc/openvpn. However, it seems a bit strange
> > to install a package in the directory of another package. Maybe
> > /usr/share/doc/easyrsa instead? However, they are sample scripts
> > - not really documentation. According to Linux filesystem
> > standards, would there be a better place? Maybe /usr/share
> > directly, or /usr/lib or something?
>
> It was very handy to have them in /etc/openvpn/...
Eeek! Why?
At least 3 problems I see with that as it implies:
1. that you have your CA on an openvpn server or client;
2. that you will be running these scripts as root;
3. that your CA is limited to use for openvpn.
#1 is the big one, because that promotes insecure user practices;
Slackbuilds.org MUST NOT do that.
> EasyRSA scripts will create keys in the `keys` subdir,
> so /usr/share and /usr/doc are probably not the best location
> without patching KEY_DIR in easyrsa/*/vars to point
> to a more reasonable location
>
> export KEY_DIR="$EASY_RSA/keys"
>
> But this still should not be an absolute path,
> because when you're running multiple openvpn servers
> you would normally have something like:
>
> /etc/openvpn/server/server1/easyrsa/*/keys
> /etc/openvpn/server/server2/easyrsa/*/keys
> /etc/openvpn/server/server3/easyrsa/*/keys
Ewww, really, why?
First thing, see above. Also a server only needs ITS OWN KEY, it
does not need (and should not have!) any other keys.
Admittedly I have never been in the position of having to support
multiple servers, but I'd still only maintain a single CA for all of
them in any given organization. If you need to restrict access on
any given server, use a --client-config-dir and --ccd-exclusive
(touch a file in the CCD for any permitted client's commonName on
that server instance.)
> and a patched KEY_DIR would place all keys by default
> in one directory. That's not what you want (with multiple servers).
>
>
> So after rethinking this my suggestion is:
>
>
> /usr/share/easyrsa without patching KEY_DIR (keys placed in subdir)
Hehe, actually I don't have any strong feelings against this
suggestion. It's as good as any.
> and users will have to copy the contents of /usr/share/easyrsa
> to a writable location like /etc/openvpn/server/server1/easyrsa
Eeek! How about /home/ca/<name-of-CA>?
--
Rob McGee - /dev/rob0 - rob0 at slackbuilds.org
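As an added example (not part of the message above, and not EasyRSA's or OpenVPN's own code), the layout Rob argues for, worked through in shell: a per-CA copy of the packaged scripts under an unprivileged account's home, a check that KEY_DIR in `vars` stays relative to `$EASY_RSA` rather than an absolute path, and a client-config-dir for one server instance to pair with `--ccd-exclusive`. The stand-in EasyRSA tree, the `vars` contents, the CA name and the client commonNames are constructed here; the only line taken from the thread is `export KEY_DIR="$EASY_RSA/keys"`.

```shell
#!/bin/sh
# Added example, not code from the thread or from EasyRSA/OpenVPN:
# - stage a private copy of the EasyRSA scripts for one CA under an
#   unprivileged account's home (the thread's /home/ca/<name-of-CA>);
# - check that KEY_DIR in "vars" stays anchored to $EASY_RSA instead of an
#   absolute path that every copy would share;
# - maintain a client-config-dir for one server instance, used together
#   with --ccd-exclusive so only listed commonNames are admitted.
# All paths are constructed inside a temp directory so this runs anywhere
# without root; the real ones would be /usr/share/easyrsa and /home/ca/<name>.
set -eu

# Copy the read-only scripts (e.g. /usr/share/easyrsa) into a per-CA
# directory that only the CA user can enter.
stage_ca_dir() {
    src=$1; dest=$2
    mkdir -p "$dest"
    cp -R "$src"/. "$dest"/
    chmod 700 "$dest"
}

# Returns 0 when the last KEY_DIR line of a vars file is written relative to
# $EASY_RSA; returns 1 for an absolute path or a missing KEY_DIR.
keydir_is_relative() {
    line=$(grep -E '^[[:space:]]*export[[:space:]]+KEY_DIR=' "$1" | tail -n 1)
    [ -n "$line" ] || return 1
    value=$(printf '%s' "${line#*=}" | tr -d '"')
    case $value in
        \$EASY_RSA/*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Permit a client commonName on this server instance by creating its CCD
# file. A CN that is not a plain file name (empty, contains "/", or is "."
# or "..") is refused so the entry cannot land outside the CCD directory.
ccd_allow() {
    ccd=$1; cn=$2
    case $cn in
        ''|*/*|.|..) printf 'refusing unsafe commonName: %s\n' "$cn" >&2; return 1 ;;
    esac
    mkdir -p "$ccd"
    : > "$ccd/$cn"
}

# With --ccd-exclusive, a client is admitted only if its CCD file exists.
ccd_permitted() {
    [ -f "$1/$2" ]
}

# --- constructed demo data ------------------------------------------------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT

# Stand-in for the packaged /usr/share/easyrsa: just a vars file carrying
# the KEY_DIR line quoted in the thread.
mkdir -p "$work/share/easyrsa"
cat > "$work/share/easyrsa/vars" <<'EOF'
export EASY_RSA="`pwd`"
export KEY_DIR="$EASY_RSA/keys"
EOF

# Stand-in for /home/ca/<name-of-CA>, the writable working copy.
ca_dir="$work/home/ca/example-ca"
stage_ca_dir "$work/share/easyrsa" "$ca_dir"

# A vars file patched to an absolute KEY_DIR, the variant the thread warns
# against because every CA copy would then write into one key directory.
bad_vars="$work/vars.absolute"
printf 'export KEY_DIR="/etc/openvpn/keys"\n' > "$bad_vars"

# Stand-in for the server instance's client-config-dir. The matching lines
# in that instance's OpenVPN config would be:
#   client-config-dir /etc/openvpn/ccd
#   ccd-exclusive
ccd_dir="$work/etc/openvpn/ccd"
ccd_allow "$ccd_dir" "alice.example"

if keydir_is_relative "$ca_dir/vars"; then
    echo "staged copy: KEY_DIR is relative to EASY_RSA"
fi
if ! keydir_is_relative "$bad_vars"; then
    echo "patched vars: KEY_DIR is absolute, would be shared by all CAs"
fi
ccd_permitted "$ccd_dir" "alice.example" && echo "alice.example: admitted"
ccd_permitted "$ccd_dir" "mallory.example" || echo "mallory.example: refused (no CCD file)"
```

Run it as the CA user, not root: nothing in it needs privileges, which is the point of keeping the CA out of /etc/openvpn. The `keydir_is_relative` check only understands the `export KEY_DIR=...` form shown in the thread; a vars file written differently is reported as "not relative" and should be inspected by hand.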