On Wed 17 Sep 2008 (09:38 -0700), David Schwartz wrote:
> 
> Dan Ribe:
> 
> > I am using the private key just to authenticate the client.
> > Once server has authenticated the client (by using the public
> > key of client), it will give access to that client.

If the application is a single process that does not offer shell
escapes, then one method is the following:

Give users ordinary login access; users of the application get
membership in a specific group - say app_grp.
Run the application under a different user ID, say app_adm.
Make the application suid app_adm, executable only by app_adm:adm_grp
(permissions 4550). Make the private key file owned by and read-only
for app_adm, permissions 0400.

Now users who are allowed to run the app log in as themselves and can
execute the program, but can't read the keyfile; only the program
itself can do that. Users not allowed to use the program can neither
start it nor read the keyfile.

-- 
Jim Segrave           [EMAIL PROTECTED]


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
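
An added example, not part of the original message: a shell function that audits the layout the message describes (setuid binary at 4550, key file at 0400 owned by the application account). The function name, its arguments and any paths passed to it are assumptions, and it relies on GNU coreutils stat.

```shell
#!/bin/sh
# Added example (not from the original message).
# check_layout BIN KEY OWNER GROUP
#   BIN   - the setuid application binary
#   KEY   - the private key file
#   OWNER - the application account (app_adm in the message)
#   GROUP - the group allowed to execute BIN
# Prints one line per deviation; returns 0 if the layout matches, 1 otherwise.
# Assumes GNU coreutils stat (-c format strings).
check_layout() {
    bin=$1 key=$2 owner=$3 group=$4 rc=0

    for f in "$bin" "$key"; do
        # A symlink could make the audit look at a different file
        # than the one the application actually uses.
        if [ -L "$f" ] || [ ! -f "$f" ]; then
            echo "FAIL: $f is missing or not a regular file"
            return 1
        fi
    done

    bin_mode=$(stat -c '%a' "$bin")
    bin_own=$(stat -c '%U:%G' "$bin")
    key_mode=$(stat -c '%a' "$key")
    key_own=$(stat -c '%U' "$key")

    # Binary: setuid, read+execute for owner and group, nothing for others.
    [ "$bin_mode" = 4550 ] ||
        { echo "FAIL: $bin mode $bin_mode, want 4550"; rc=1; }
    [ "$bin_own" = "$owner:$group" ] ||
        { echo "FAIL: $bin owned by $bin_own, want $owner:$group"; rc=1; }

    # Key: readable by the application account only, writable by nobody.
    [ "$key_mode" = 400 ] ||
        { echo "FAIL: $key mode $key_mode, want 400"; rc=1; }
    [ "$key_own" = "$owner" ] ||
        { echo "FAIL: $key owned by $key_own, want $owner"; rc=1; }

    return $rc
}
```

Run it after every deployment or package upgrade, since reinstalling the binary or restoring the key from backup can silently reset the ownership or mode.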
