Cole Tuininga wrote:
The other concern I have (and perhaps you folks can allay them?) is the
issue of ssl certs with passwords.  If I'm restarting apache to have it
reread the conf file, wouldn't I have to enter the certificate password
each time?

In my experience, yes. I believe that you can add to whatever startup script you're using and pass it as an option to httpd.


Of course you can always use an empty passphrase when you generate the certificate. This permits Apache to restart in SSL mode without needing a password. I've done this with self-signed certificates when experimenting with SSL and on a couple of test/development machines.

When I'm feeling lazy, I also do this with my ssh keys so I can ssh without needing a password at all.

Yes, I know it's considered bad security practice, but if the system is otherwise secure, then the risk of empty passphrases isn't that great. It's only a danger if someone breaks into the machine and steals the original keys, or if you do it on a machine where you aren't root, or at least not the only admin with root access, and you can't trust the other admins.

Anyway, I've never considered passphrases and passwords as a "security mechanism." They're really more of an "access mechanism." So, I have no qualms about using empty passphrases for my self-signed certs and ssh keys. If my machine was ever to be compromised, I'd probably generate all new keys for ssh, ssl and gpg anyway. (Yes, I use a rather long passphrase with gpg.)

Besides, most people pick lousy passphrases anyway. That's why I wrote my own passphrase generator to spit out random gibberish such as (actual program output):

[EMAIL PROTECTED]:~$ pgen
8T(U[TcY
[EMAIL PROTECTED]:~$ pgen 12
 mp{6$}9:_+\
[EMAIL PROTECTED]:~$ pgen 24
EQ;WcpgHbT\8pxJD.h_mOwe:
[EMAIL PROTECTED]:~$

Note that the first character of the 12-character passphrase is a blank space.

Trouble with that is, you have to write them down or store them in a database, which just means there's one more thing you have to worry about guarding/losing.

OK, so I veered off topic, but that's not unusual for me, or for this list. :-)
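A small generator in the spirit of the pgen output shown above, added here as an illustration and not the poster's own program. It assumes the 95-character printable-ASCII alphabet (letters, digits, punctuation and the blank space) that the samples appear to draw from, an 8-character default like the bare pgen call, and it also reports the entropy so the 8-, 12- and 24-character lengths can be compared.

```python
import math
import secrets
import string
import sys

# Assumed alphabet: printable ASCII including the blank space, which matches
# the samples in the post (the 12-character one starts with a space).
ALPHABET = string.ascii_letters + string.digits + string.punctuation + " "
DEFAULT_LENGTH = 8  # the bare `pgen` call in the post printed 8 characters


def generate(length: int = DEFAULT_LENGTH, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly from `alphabet`.

    Uses the `secrets` module (the OS CSPRNG). The `random` module is
    seeded predictably and must not be used for passphrases or keys.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly chosen passphrase: length * log2(|alphabet|)."""
    return length * math.log2(len(set(alphabet)))


def main(argv: list) -> int:
    length = int(argv[1]) if len(argv) > 1 else DEFAULT_LENGTH
    # repr() quotes the result so a leading or trailing space is visible,
    # which the post had to point out by hand for its 12-character sample.
    print(repr(generate(length)))
    print(f"# about {entropy_bits(length):.1f} bits of entropy", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

With this alphabet the three lengths in the post come out at roughly 53, 79 and 158 bits, which is why the 8-character default is the one to be least comfortable with.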

_______________________________________________
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss