Re: Dynamic apache config

2003-06-05 Thread Michael O'Donnell


> Besides, most people pick lousy passphrases anyway. That's why I wrote
> my own passphrase generator to spit out random gibberish such as
> (actual program output):
>
> [EMAIL PROTECTED]:~$ pgen
> 8T(U[TcY
> [EMAIL PROTECTED]:~$ pgen 12
>  mp{6$}9:_+\
> [EMAIL PROTECTED]:~$ pgen 24
> EQ;WcpgHbT\8pxJD.h_mOwe:
> [EMAIL PROTECTED]:~$


In a pinch, similar random glop can be generated thus:

  dd if=/dev/random bs=44 count=1 2>/dev/null | uuencode fubar | sed -e 1d -e 2q
___
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
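
A generator along the lines of the pipeline in the message above, as an added example that is not from the thread: it reads /dev/urandom rather than /dev/random and keeps only printable ASCII, matching the character set of the quoted pgen output. The function names `pgen_urandom` and `pgen_bits` are assumptions.

```sh
#!/bin/sh
# Added example, not the thread's pgen. Function names are assumptions.

# pgen_urandom [LENGTH]: print LENGTH (default 8) characters drawn uniformly
# from the 95 printable ASCII characters, space through tilde.
pgen_urandom() {
    n=${1:-8}
    case $n in
        ''|0*|*[!0-9]*) echo "usage: pgen_urandom [length >= 1]" >&2; return 2 ;;
    esac
    buf=
    while [ "${#buf}" -lt "$n" ]; do
        # Read a fixed-size block so no stage of the pipeline dies of SIGPIPE.
        # Bytes outside 0x20-0x7e are dropped (rejection sampling), so the
        # kept bytes stay uniform; roughly 95 of every 256 survive.
        chunk=$(head -c "$((n * 4))" /dev/urandom | LC_ALL=C tr -dc ' -~')
        buf=$buf$chunk
    done
    printf "%.${n}s\n" "$buf"
}

# pgen_bits LENGTH: entropy in bits of a LENGTH-character result,
# LENGTH * log2(95), to one decimal place.
pgen_bits() {
    awk -v n="$1" 'BEGIN { printf "%.1f\n", n * log(95) / log(2) }'
}
```

Every character here comes from the random source, whereas a uuencode body line begins with a length character that is the same on every run for a fixed input size.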


Re: Dynamic apache config

2003-06-05 Thread Cole Tuininga
On Tue, 2003-06-03 at 17:12, [EMAIL PROTECTED] wrote:
> On 3 Jun 2003, at 4:16pm, [EMAIL PROTECTED] wrote:
> > I'm looking for a little more magic with a little less regenerating
> > httpd.conf.  *grin*
>
>   Question: Why?  How often will your virtual host setup change?

Potentially fairly frequently...

The other concern I have (and perhaps you folks can allay them?) is the
issue of ssl certs with passwords.  If I'm restarting apache to have it
reread the conf file, wouldn't I have to enter the certificate password
each time?

-- 
... one of the main causes of the fall of the Roman Empire was that,
 lacking zero, they had no way to indicate successful termination of
 their C programs.  --  Robert Firth

Cole Tuininga
Lead Developer
Code Energy, Inc
[EMAIL PROTECTED]
PGP Key ID: 0x43E5755D




Re: Dynamic apache config

2003-06-05 Thread Jason Stephenson
Cole Tuininga wrote:
> The other concern I have (and perhaps you folks can allay them?) is the
> issue of ssl certs with passwords.  If I'm restarting apache to have it
> reread the conf file, wouldn't I have to enter the certificate password
> each time?

In my experience, yes. I believe that you can add to whatever startup 
script you're using and pass it as an option to httpd.

Of course you can always use an empty passphrase when you generate the 
certificate. This permits Apache to restart in SSL mode without needing 
a password. I've done this with self-signed certificates when 
experimenting with SSL and on a couple of test/development machines.

When I'm feeling lazy, I also do this with my ssh keys so I can ssh 
without needing a password at all.

Yes, I know it's considered bad security practice, but if the system is 
otherwise secure, then the risk of empty passphrases isn't that great. 
It's only a danger if someone breaks into the machine and steals the 
original keys, or if you do it on a machine where you aren't root, or at 
least not the only admin with root access and you can't trust the other 
admins.

Anyway, I've never considered passphrases and passwords as a security 
mechanism. They're really more of an access mechanism. So, I have no 
qualms about using empty passphrases for my self-signed certs and ssh 
keys. If my machine was ever to be compromised, I'd probably generate 
all new keys for ssh, ssl and gpg anyway. (Yes, I use a rather long 
passphrase with gpg.)

Besides, most people pick lousy passphrases anyway. That's why I wrote 
my own passphrase generator to spit out random gibberish such as 
(actual program output):

[EMAIL PROTECTED]:~$ pgen
8T(U[TcY
[EMAIL PROTECTED]:~$ pgen 12
 mp{6$}9:_+\
[EMAIL PROTECTED]:~$ pgen 24
EQ;WcpgHbT\8pxJD.h_mOwe:
[EMAIL PROTECTED]:~$
Note that the first character of the 12-character passphrase is a blank 
space.

Trouble with that is, you have to write them down or store them in a 
database, which just means there's one more thing you have to worry 
about guarding/losing.

OK, so I veered off topic, but that's not unusual for me, or for this 
list. :-)
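
The trade-off discussed in the message above comes down to two checks on a key file: whether it is passphrase-protected, and who can read it. The audit below is an added example, not code from the thread; the function names and the constructed sample files are assumptions, and it only recognises traditional OpenSSL and PKCS#8 PEM headers.

```sh
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.

# key_is_encrypted FILE: exit 0 if the PEM key is passphrase-protected.
# Traditional OpenSSL keys carry "Proc-Type: 4,ENCRYPTED"; PKCS#8 keys use
# a "BEGIN ENCRYPTED PRIVATE KEY" header. Other formats are not covered.
key_is_encrypted() {
    grep -Eq '^(Proc-Type: 4,ENCRYPTED|-----BEGIN ENCRYPTED PRIVATE KEY-----)' "$1"
}

# key_mode FILE: octal permission bits (GNU stat first, then BSD stat).
key_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# key_audit FILE: print one verdict line; return 0 = acceptable, 1 = finding.
key_audit() {
    f=$1
    [ -r "$f" ] || { echo "ERROR $f: not readable"; return 2; }
    mode=$(key_mode "$f")
    # Any group or other bit means accounts besides the owner can reach the key.
    case $mode in
        0|*00) loose=no ;;
        *)     loose=yes ;;
    esac
    if key_is_encrypted "$f"; then enc=yes; else enc=no; fi
    case $enc,$loose in
        no,yes)  echo "FAIL $f: unencrypted and mode $mode"; return 1 ;;
        yes,yes) echo "WARN $f: encrypted but mode $mode"; return 1 ;;
        no,no)   echo "NOTE $f: unencrypted, mode $mode is its only protection" ;;
        yes,no)  echo "OK   $f: encrypted, mode $mode" ;;
    esac
}

# key_audit_demo: audit two constructed PEM files (placeholder bodies, not keys).
key_audit_demo() {
    demo_dir=$(mktemp -d) || return 2
    rc=0
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$demo_dir/enc.key"
    printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' \
        'Q09OU1RSVUNURUQ=' '-----END RSA PRIVATE KEY-----' > "$demo_dir/plain.key"
    chmod 600 "$demo_dir/enc.key"; chmod 644 "$demo_dir/plain.key"
    key_audit "$demo_dir/enc.key" || rc=$?
    key_audit "$demo_dir/plain.key" || rc=$?
    rm -rf "$demo_dir"
    return "$rc"
}
```

Source the file and run `key_audit_demo` to see an OK line and a FAIL line, or pass `key_audit` the path of a real key file.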



Re: Dynamic apache config

2003-06-04 Thread bscott
On 3 Jun 2003, at 4:16pm, [EMAIL PROTECTED] wrote:
> I'm looking for a little more magic with a little less regenerating
> httpd.conf.  *grin*

  Question: Why?  How often will your virtual host setup change?

  I agree that generating a config file is not as elegant as pulling it
right from the database, but, from a strictly pragmatic point of view, it
might be the best overall solution.

> I've found something that seemingly does what I want
> (http://www.synthemesc.com/mod_vdbh/) but is only available for Apache
> 2.0.x ... and I'm running 1.3.x right now.

  I think I remember reading that one of the goals with the Apache 2.x
redesign was to make things like what you're talking about easier.

-- 
Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.  |
