[Gllug] ssh authentication
Ryland, Peter
peter.ryland at squaregain.co.uk
Thu Jul 27 17:03:56 UTC 2006
On Wed, 2006-07-19 at 01:26 +0100, Tethys wrote:
> Joel Bernstein writes:
>
> >Frighteningly, you can remove the passphrase on an SSL private key.
> >Stupid apache admins who don't know about "apachectl -k graceful" do
> >that so they can have unattended restarts of apache mod_ssl.
>
> There's nothing stupid about it at all. You have a choice. Either
> you require human interaction to start the server, or you don't. If
> you choose the latter, then you basically have to use passphraseless
> private keys (unless you go for a hardware solution, but that's not
> practical in most cases). You're trading off security for availability.
> Where you lie on that spectrum determines which strategy you use.
You could also ask Apache to run an arbitrary command to ascertain the
password, so all sorts of things are then possible.
Pete
*****************************************************************************
This communication is confidential and is intended solely for
the use of the individual or entity to whom they are addressed.
If you are not that person you are not permitted to make use of
the information and you are requested to notify
postmaster at squaregain.co.uk immediately that you have
received it and then destroy the copy in your possession.
Squaregain Ltd is authorised and regulated by the
Financial Services Authority and is a member of the LSE.
******************************************************************************
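Added example (not part of the original thread or of Apache itself): the mechanism Pete refers to is mod_ssl's "SSLPassPhraseDialog exec:/path/to/program" directive. At startup, for each encrypted key, Apache runs the program with two arguments, "servername:port" and the key type ("RSA" or "DSA" in 2.2; 2.4 also passes "ECC" or an index), and reads the passphrase from its stdout. Because this happens before Apache drops privileges, the helper runs as root. The script below is a helper written to that interface; the store directory /etc/apache2/passphrases, the file naming scheme "<servername>_<port>.<keytype>", and the install path /usr/local/sbin/ssl-passphrase are all assumptions chosen for the example.

```shell
#!/bin/sh
# Added example: an "SSLPassPhraseDialog exec:" helper for Apache mod_ssl.
#
# httpd.conf (assumed install path):
#     SSLPassPhraseDialog exec:/usr/local/sbin/ssl-passphrase
#
# Apache invokes this at startup once per encrypted key as
#     ssl-passphrase servername:port KEYTYPE
# and takes the passphrase from the first line of stdout.
#
# Assumed store layout: one passphrase per file, named
#     $STORE_DIR/<servername>_<port>.<KEYTYPE>
# e.g. /etc/apache2/passphrases/www.example.com_443.RSA, owned by root, mode 0400.

STORE_DIR="${STORE_DIR:-/etc/apache2/passphrases}"

# Refuse a passphrase file unless only its owner can read it (mode 0400 or 0600).
check_perms() {
    f="$1"
    # `stat -c %a` is GNU coreutils; fall back to the BSD/macOS spelling.
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        400|600) return 0 ;;
        *) return 1 ;;
    esac
}

# lookup_passphrase SERVERNAME:PORT KEYTYPE
# Prints the passphrase and returns 0, or prints nothing and returns non-zero
# so that Apache fails to start instead of starting without the key.
lookup_passphrase() {
    server_port="$1"
    keytype="$2"
    # servername:port -> servername_port, so the name carries no ':'.
    name=$(printf '%s' "$server_port" | tr ':' '_')
    # Whitelist hostname characters only; rejects "../" and anything else odd.
    case "$name$keytype" in
        *[!A-Za-z0-9._-]*) echo "ssl-passphrase: bad argument" >&2; return 2 ;;
    esac
    file="$STORE_DIR/$name.$keytype"
    if [ ! -f "$file" ]; then
        echo "ssl-passphrase: no passphrase file for $server_port $keytype" >&2
        return 1
    fi
    if ! check_perms "$file"; then
        echo "ssl-passphrase: $file must be mode 0400 or 0600" >&2
        return 1
    fi
    head -n 1 "$file"
}

# When Apache calls us we get exactly two arguments; otherwise do nothing,
# so the functions can be sourced and exercised separately.
if [ "$#" -eq 2 ]; then
    lookup_passphrase "$1" "$2"
fi
```

The helper only moves the secret, it does not remove it from the host: anyone with root on the box can still read the store (or the key after Apache has loaded it), which is the trade-off Tethys describes. What it does buy you is separation of the passphrase from the key file, a permission check that a stray "chmod 644" cannot silently bypass, and a single place to swap in something else, such as a tmpfs that is populated by hand after boot or a call to a network secret store, without touching the key files or the Apache configuration.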
--
Gllug mailing list - Gllug at gllug.org.uk
http://lists.gllug.org.uk/mailman/listinfo/gllug