[Slackbuilds-users] Best place to install the EasyRSA scripts?

Rob McGee rob0 at slackbuilds.org
Sat Nov 5 18:24:10 UTC 2016


On Sat, Nov 05, 2016 at 02:43:14AM +0100, Thomas Szteliga wrote:
> On 11/05/2016 01:56 AM, Rob McGee wrote:
> > At least 3 problems I see with that as it implies:
> >   1. that you have your CA on an openvpn server or client;
> >   2. that you will be running these scripts as root;
> >   3. that your CA is limited to use for openvpn.
> > #1 is the big one, because that promotes insecure user practices; 
> > Slackbuilds.org MUST NOT do that.
> 
> I'm aware. I have a separate, isolated VM just for generating
> CAs, keys and testing configs for multiple servers/clients.

Did you miss my post about this a few days back, in the original 
thread about easy-rsa?  This violates another principle of 
cryptographic software: that crypto requires a good source of random 
data (entropy), and a VM has no good source of entropy.

If your random data is predictable, your cryptography could be weak 
and vulnerable to attack.

Yes, yes, I know in the real world that such attacks aren't going to 
happen (a gov't would apply a $5 hammer to your head until you decide 
to turn over the keys.)  But still, why not do it right?

> > Admittedly I have never been in the position of having to support 
> > multiple servers, but I'd still only maintain a single CA for all 
> > of them in any given organization.  If you need to restrict 
> > access on any given server, use a --client-config-dir and 
> > --ccd-exclusive (touch a file in the CCD for any permitted 
> > client's commonName on that server instance.)
> 
> I have individual CAs for each server, even when in a single
> organization, and of course if clients of a single server
> need individual settings, CCDs are used.

Okay, I still don't see the point in multiple CAs, but that's a 
choice you can make which isn't "wrong" in some way.

[ /usr/share/easy-rsa ]

> > Hehe, actually I don't have any strong feelings against this 
> > suggestion.  It's as good as any.
> 
> I think /usr/doc/easy-rsa is way better than 
> /usr/doc/easy-rsa-<VERSION>. /usr/libexec somehow feels really 
> wrong.

I don't think /usr/doc is an appropriate place to put the scripts, 
and yes, /usr/libexec is wrong also.

> CentOS: /usr/share/easy-rsa/

Best idea so far.

> Archlinux: /etc/easy-rsa

Yuck, not in line with FHS.

> FreeBSD: /usr/local/share/easy-rsa

Not permitted by Slackbuilds.org policy nor FHS.  Note also that 
FreeBSD != Linux, so they use different standards.

> >> and users will have to copy the contents of /usr/share/easyrsa
> >> to a writable location like /etc/openvpn/server/server1/easyrsa
> > Eeek!  How about /home/ca/<name-of-CA> ?
> 
> Oh no, really, a user for each CA? ;-)

You were the one who brought up the idea of multiple CAs.  I 
seriously doubt very many OpenVPN users have those; if so, it 
suggests to me that they misunderstood the basic ideas behind X.509 
and certificate authorities.

That said, for maximum security precautions with multiple CAs, yes, 
different non-root users make sense.  Note that a compromise of a 
CA's user account means the compromise of that CA.

> And just another fun-fact ;-)
> 
> ~~~~
> If you are using Linux, BSD, or a unix-like OS, open a shell and cd 
> to the easy-rsa subdirectory. If you installed OpenVPN from an RPM 
> or DEB file, the easy-rsa directory can usually be found in 
> /usr/share/doc/packages/openvpn or /usr/share/doc/openvpn (it's 

This is no longer correct since the split of easy-rsa from openvpn.

> best to copy this directory to another location such as 
> /etc/openvpn, before any edits, so that future OpenVPN package 

This was bad advice even then.  The people in the OpenVPN project 
probably know this (at least I think the ones I know do), but they 
haven't gotten around to fixing old documentation.  They're not the 
only free software project with outdated documentation online.  
(Another example is Slackware.com.)

> upgrades won't overwrite your modifications). If you installed from 
> a .tar.gz file, the easy-rsa directory will be in the top level 
> directory of the expanded source tree.
> ~~~~

And that's clearly outdated as well.

> Again:
> 
> "it's best to copy this directory to another location such as
> /etc/openvpn" :-))))
> 
> 
> It's from the official howto:
> https://openvpn.net/index.php/open-source/documentation/howto.html

Wrong when that was written, and all these years later it's still 
wrong.
-- 
    Rob McGee - /dev/rob0 - rob0 at slackbuilds.org
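
The per-server restriction mentioned in the message above (a single CA, with --client-config-dir and --ccd-exclusive deciding which commonNames a given server instance accepts), as an added example that is not part of the original thread: a shell function that creates the CCD files for an allow-list and reports CCD entries that are not on it. The function name, the /etc/openvpn/ccd path and the client names are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not from the original thread).
# Assumed server configuration (the path is hypothetical):
#   client-config-dir /etc/openvpn/ccd
#   ccd-exclusive
# With ccd-exclusive, a client holding a valid certificate from the CA is
# still refused unless a file named after its commonName exists in the CCD.

# ccd_sync DIR CN...
# Creates an empty CCD file for every permitted commonName, then prints the
# names of CCD files that are NOT on the allow-list (one per line) so that
# stale grants can be reviewed. Returns 2 if a commonName is unsafe to use
# as a file name.
ccd_sync() {
    dir=$1; shift
    mkdir -p "$dir" || return 1
    for cn in "$@"; do
        case $cn in
            ''|.*|*/*) echo "unsafe commonName: $cn" >&2; return 2 ;;
        esac
        # An empty file is enough to permit the client; keep existing files,
        # since they may carry per-client settings.
        [ -e "$dir/$cn" ] || : > "$dir/$cn"
    done
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        permitted=no
        for cn in "$@"; do
            if [ "$cn" = "$name" ]; then permitted=yes; fi
        done
        [ "$permitted" = yes ] || echo "$name"
    done
    return 0
}

# Usage (constructed client names):
#   ccd_sync /etc/openvpn/ccd alice-laptop bob-phone
```

The function only reports entries outside the allow-list; removing them is left as a deliberate manual step.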