Re: [Hampshire] OpenVPN + TrueCrypt

2009-08-14 Thread Keith Edmunds
On Fri, 14 Aug 2009 07:42:07 +0100, sanel...@gmail.com said:

> I'm wondering how the
> openvpn client knows where to find the keys?

From the configuration file (the ca, cert and key lines).

> am
> considering enhancing the security by having the users keep their keys
> on an encrypted USB stick.

It's not clear to me what problem you are attempting to solve - could you
elucidate?

Keith

-- 
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--


Re: [Hampshire] OpenVPN + TrueCrypt

2009-08-14 Thread Stephen Nelson-Smith
On Fri, Aug 14, 2009 at 7:46 AM, Keith Edmunds k...@midnighthax.com wrote:
> On Fri, 14 Aug 2009 07:42:07 +0100, sanel...@gmail.com said:
>
> > I'm wondering how the
> > openvpn client knows where to find the keys?
>
> From the configuration file (the ca, cert and key lines).

Obviously.  I'd have struggled to have delivered a working VPN if I
didn't know that!  Sorry if I gave the impression that I didn't
understand this - I plead lack of sleep and early-morning bleariness.

> It's not clear to me what problem you are attempting to solve - could you
> elucidate?

I'll try!

At present I have given each user a set of keys and certs, an openvpn
client config, and an openvpn client.  In each client config, the path
to the keys is defined, for example /home/stephen/vpn/stephen.key, crt
etc.  I haven't yet been able (at least with Tunnelblick on Macs) to
get the openvpn client to demand a passphrase, so if someone gains
access to their machine, they can get onto the VPN.

I am proposing that the keys live on an encrypted USB stick - one per
user.  The user then inserts the stick into their machine, enters the
password, uses the keyfile or whatever method we choose to decrypt the
filesystem, and only then fires up the VPN.

My question concerned where in the filesystem the keys would appear.
It may not always be the same - using automatic mounting, the user may
get /media/disk1 one day and /media/disk2 another, if something else
was mounted at disk1.  I don't want users to change their config file.
You may assume I know how to handle this manually.  You may assume my
users don't.  I'd like their experience to be as simple as: 1) User
inserts USB stick 2) User enters password 3) User fires up vpn client.

I'm also curious to know if anyone else is doing anything similar, and
can share whether it has been a success, what they might do
differently.  Furthermore, I am open to alternative ways to increase
the security of the VPN setup.

Is that clearer?

Thanks!

S.
-- 
Stephen Nelson-Smith
Technical Director
Atalanta Systems Ltd
www.atalanta-systems.com



Re: [Hampshire] [OT] Recommendations for email hosting?

2009-08-14 Thread Ciemon Dunville
+1 for Google Domains. I think I've set up about 6 now, just for email.

Ciemon



Re: [Hampshire] OpenVPN + TrueCrypt

2009-08-14 Thread Paul Stimpson
Hi,

Like Keith, I'm a little confused as to what problem you're trying to solve by 
using the USB keys. 

The location of the various keys is set in whichever configuration file you're 
using for the client. You should find that in /etc/openvpn. If you can make a 
usb key always mount in the same place then you should be able to reference a 
key on it. 

You can make the keys openvpn uses require a passphrase. That way the keys are 
encrypted and not usable without the passphrase. If the key is presented to the 
server then the server can be certain the user has the passphrase. The advantage of 
this approach is that if the user walks away and leaves an unlocked machine the 
key can be copied but the copy can't be used without the passphrase. With an 
encrypted stick the key can be copied and will automatically be decrypted so 
the copied key could be used by anyone. 

Cheers,
Paul.  


--Original Message--
From: Keith Edmunds
Sender: hampshire-boun...@mailman.lug.org.uk
To: Hampshire LUG Mailing List
ReplyTo: Hampshire LUG Mailing List
Subject: Re: [Hampshire] OpenVPN + TrueCrypt
Sent: 14 Aug 2009 07:46

On Fri, 14 Aug 2009 07:42:07 +0100, sanel...@gmail.com said:

> I'm wondering how the
> openvpn client knows where to find the keys?

From the configuration file (the ca, cert and key lines).

> am
> considering enhancing the security by having the users keep their keys
> on an encrypted USB stick.

It's not clear to me what problem you are attempting to solve - could you
elucidate?

Keith


Sent from my BlackBerry® wireless device
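A worked check for Paul's point above, added here and not part of his post: a key that is itself passphrase-encrypted can be copied from an unlocked machine but not used. The script assumes a PEM private key as produced by easy-rsa/openssl and placeholder paths; `protect_key` wraps openssl's `rsa` command, `key_is_encrypted` inspects the PEM headers so a client bundle can be verified before it is handed out, and `client_conf` renders a config that prompts for the passphrase instead of reading it from a file.

```shell
#!/bin/sh
# Added example, not from the thread. Paths, hostnames and labels are placeholders.

# Encrypt an unencrypted PEM RSA key under a passphrase entered at the terminal.
# OpenVPN only prompts for a passphrase when the key is actually encrypted,
# which is why a plain key never produces the prompt Stephen was looking for.
protect_key() {
    in=$1; out=$2
    # -aes256 writes a PEM key carrying a "Proc-Type: 4,ENCRYPTED" header
    openssl rsa -aes256 -in "$in" -out "$out" || return 1
    chmod 600 "$out"
}

# Return 0 if the PEM file carries either encryption marker: the legacy
# "Proc-Type: 4,ENCRYPTED" header or a PKCS#8 "BEGIN ENCRYPTED PRIVATE KEY" block.
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Render the client config. "askpass" with no file argument forces an
# interactive prompt; "auth-nocache" stops OpenVPN keeping the passphrase in
# memory after the key has been unlocked.
client_conf() {
    dir=$1
    cat <<EOF
client
dev tun
proto udp
remote vpn.example.invalid 1194
ca $dir/ca.crt
cert $dir/client.crt
key $dir/client.key
askpass
auth-nocache
EOF
}

# Refuse to ship a client bundle whose key is still in the clear.
check_bundle() {
    key_is_encrypted "$1/client.key" && return 0
    echo "refusing: $1/client.key has no passphrase" >&2
    return 1
}
```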


Re: [Hampshire] OpenVPN + TrueCrypt

2009-08-14 Thread Hugo Mills
On Fri, Aug 14, 2009 at 09:15:32AM +0100, Stephen Nelson-Smith wrote:
> My question concerned where in the filesystem the keys would appear.
> It may not always be the same - using automatic mounting, the user may
> get /media/disk1 one day and /media/disk2 another, if something else
> was mounted at disk1.  I don't want users to change their config file.
> You may assume I know how to handle this manually.  You may assume my
> users don't.  I'd like their experience to be as simple as: 1) User
> inserts USB stick 2) User enters password 3) User fires up vpn client.

   The solution to this is to use some definitive unique ID on the USB
stick to get it to mount in the same place every time. The usual way
of doing this is to ensure that the stick always has exactly the same
device node name, and that you can then map that device to e.g.
/media/vpn-keys in fstab.

   You can therefore use one of:

 * /dev/disk/by-uuid/... (for the filesystem UUID)
 * /dev/disk/by-label/... (for a manually-set label on the filesystem:
  do this if you want any key to be usable in any machine, and set
  the labels the same on all USB sticks)
 * udev (see /etc/udev/rules.d/*) to create your own device node
  (e.g. /dev/vpn-keys), identifying the device by device ID, UUID
  or filesystem label.

   Hugo.

-- 
=== Hugo Mills: h...@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
--- Questions are a burden, and answers a prison for oneself. ---


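Hugo's recipe as a worked example, added here and not part of his post: a udev rule that pins the stick to /dev/vpn-keys by filesystem label, the matching fstab line, and a wrapper that only starts OpenVPN once the mount point is really there and the key files are present. Assumed names: label VPNKEYS, mount point /media/vpn-keys, and a client.conf on the stick whose ca/cert/key lines point under /media/vpn-keys; for a TrueCrypt volume the fixed device node is what the unlock command is pointed at, and the fstab line is not needed.

```shell
#!/bin/sh
# Added example, not from the thread. Label, node and mount point are assumptions.

# Emit a udev rule matching the filesystem label (ID_FS_LABEL is set by udev's
# blkid import). The stick then appears as /dev/vpn-keys on any machine the
# rule is installed on, whatever /dev/sdX it lands on that day.
udev_rule() {
    label=$1
    printf 'SUBSYSTEM=="block", ENV{ID_FS_LABEL}=="%s", SYMLINK+="vpn-keys"\n' "$label"
}

# Emit the fstab line: user-mountable, read-only, never mounted at boot, and
# with fmask/dmask so files on a vfat stick show up as 0600 rather than 0644.
fstab_line() {
    printf '/dev/vpn-keys /media/vpn-keys vfat noauto,user,ro,nosuid,nodev,fmask=177,dmask=077 0 0\n'
}

# Return 0 only when every file the client config needs exists under the
# mount point and the private key is not group/world readable.
keys_ready() {
    dir=$1
    for f in ca.crt client.crt client.key; do
        [ -f "$dir/$f" ] || return 1
    done
    mode=$(stat -c %a "$dir/client.key") || return 1   # stat -c is GNU coreutils
    case $mode in
        600|400) return 0 ;;
        *)       return 1 ;;
    esac
}

# What the user runs instead of openvpn directly (step 3 of the workflow).
start_vpn() {
    mnt=${1:-/media/vpn-keys}
    if ! mountpoint -q "$mnt"; then            # mountpoint(1) is from util-linux
        echo "insert and unlock the VPN key stick first" >&2
        return 1
    fi
    if ! keys_ready "$mnt"; then
        echo "key files missing or key permissions too open on $mnt" >&2
        return 1
    fi
    openvpn --config "$mnt/client.conf"
}
```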

Re: [Hampshire] OpenVPN + TrueCrypt

2009-08-14 Thread Stephen Nelson-Smith
Hi Hugo,

> * udev (see /etc/udev/rules.d/*) to create your own device node
>   (e.g. /dev/vpn-keys), identifying the device by device ID, UUID
>   or filesystem label.

This sounds like the way to do it.  Thanks for the hint.

S.
-- 
Stephen Nelson-Smith
Technical Director
Atalanta Systems Ltd
www.atalanta-systems.com



Re: [Hampshire] OpenVPN + TrueCrypt

2009-08-14 Thread Jon Fautley
On Fri, 14 Aug 2009 10:12:15 +0100
Stephen Nelson-Smith sanel...@gmail.com wrote:

> > * udev (see /etc/udev/rules.d/*) to create your own device node
> >   (e.g. /dev/vpn-keys), identifying the device by device ID, UUID
> >   or filesystem label.
>
> This sounds like the way to do it.  Thanks for the hint.

While that would solve the problem you've described, the whole solution
still smells of doing it wrong. There are specialist USB devices out
there that are designed to hold secure certificates. You should really
be using one of those*.

Cheers,

/j
* although to be fair, I have no idea if OpenVPN would support these
  devices. I certainly hope it would, though...
-- 
Jon Fautley RHCE, RHCDS, RHCX, RHCA  email: jfaut...@redhat.com
Senior Consultant                    cell : +44 7841 558683
Global Professional Services
Red Hat UK, 200 Fowler Avenue, Farnborough, Hampshire, GU14 7JP



Re: [Hampshire] [OT] Armoured network cable supplier?

2009-08-14 Thread Chris Dennis
Chris Dennis wrote:
> Chris Dennis wrote:
> > Hello folks
> >
> > Can anyone recommend a supplier and/or installer of armoured ethernet cable?
> >
> > My client (www.lotusflowertrust.org) needs a network connection to their
> > outside office about 30m from the main house.
> >
> > cheers
> >
> > Chris
>
> Well, that generated some interesting discussion.  Thanks to everyone.
>
> On consideration, I'll go for the ethernet-over-mains option.  (And if
> that doesn't work, I'll mess about with wifi.)

For the record, I installed a NET-PL-200AV-PUSH[1] at the router end in 
the house, and a NET-PLA-AV-3E-PIGGY6[2] in the office at the end of the 
garden, where there are currently two PCs.  It all worked perfectly. 
The office is on a separate ring main, but connected to the same fuse 
board (or whatever it's called) as the house.

[1] Solwise 200Mbps HomePlug AV Ethernet Adaptor with Simple Connect
[2] VeseNET 200Mbps HomePlug AV 3 Ethernet Port Power Strip with Simple 
Connect
both from www.solwise.com

cheers

Chris
-- 
Chris Dennis  cgden...@btinternet.com
Fordingbridge, Hampshire, UK



[Hampshire] apache redirection problem

2009-08-14 Thread Peter Alefounder

If I use a web browser to look at a local html or pdf file, is it
possible to set things up so that a link to an external web site is
redirected to the local file system?

I have tried a .htaccess file along these lines:

RewriteEngine on
Redirect http://external.site.com/filename.html 
file:///home/pra/abc/filename.html

and also

RewriteEngine on
RedirectMatch http://external\.site\.com file:///home/pra/abc

but in all cases I just get the error message
external.site.com could not be found.

I have tried putting the .htaccess file in /home/pra/abc and in
/home/pra/public_html which is the usual place apache would look
for local files. I am not sure where it should go in this case.

I am using apache 1.3.34-4.1 on Debian 4.0. This is an isolated
system with no internet connection.

Peter Alefounder.


Re: [Hampshire] apache redirection problem

2009-08-14 Thread Hugo Mills
On Fri, Aug 14, 2009 at 04:31:53AM -0700, Peter Alefounder wrote:
>
> If I use a web browser to look at a local html or pdf file, is it
> possible to set things up so that a link to an external web site is
> redirected to the local file system?

   I think the only thing you could do is ensure that
external.site.com resolves to 127.0.0.1 (via either /etc/hosts, or a
local DNS server: the former is easiest), and then set up a name-based
virtual host in your apache to host external.site.com, with the
directory structure you want in it, and then let Apache serve the
files from your local filesystem.

   Using file:// URLs is probably a recipe for disaster. I wouldn't
try doing that unless absolutely desperate. Serve everything via HTTP
through your local Apache. (And I'd strongly recommend upgrading to a
later Apache if you can. v1.3 is a bugger to configure, IME).

   Hugo.

-- 
=== Hugo Mills: h...@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
  --- I am but mad north-north-west:  when the wind is southerly, I ---  
   know a hawk from a handsaw.   



Re: [Hampshire] OpenVPN + TrueCrypt

2009-08-14 Thread Adrian Bridgett
On Fri, Aug 14, 2009 at 07:42:07 +0100 (+0100), Stephen Nelson-Smith wrote:
> Morning,
>
> I've just deployed an OpenVPN solution for a client, and am
> considering enhancing the security by having the users keep their keys
> on an encrypted USB stick.

We use PAM authentication on top of openvpn which works well.   What
doesn't work so well is that openvpn+LDAP+TLS+PAM auth (yes, you need
all four) leaks two file descriptors per connection which I never
managed to track down (on Debian Etch).

We also use the per client key/certs settings but as we can't control
passwords on those keys, we can at least control the PAM passwords :)

Adrian



Re: [Hampshire] Is anybody here using puppet?

2009-08-14 Thread Simon Strange
> We use puppet for all our clients - it's excellent.
>
> Is there anything specific you're struggling with?

Portability was the biggest issue I've run into so far.

e.g. I can use the User and SSHAuthorizedKey options on Linux and
Solaris, but they fail to work fully under OpenBSD.  (e.g. adding the
user succeeds, but the password is never set.)

Otherwise I think I've managed to resolve most of my outstanding
queries via IRC and the documentation.

It's just unfortunate that the primitives are still at the mercy of
per-OS implementations.  But providing the gaps in the implementation
don't widen I may be able to muddle round!

Simon
--



[Hampshire] Safely unmounting a server's external hard drive

2009-08-14 Thread Chris Dennis
Hello folks

I'm planning to use one or more external USB hard drives to backup a 
headless server running Debian.  I'll probably use rsnapshot, with a 
script that detects for the presence of the right drive.

But how can the server tell the user when it is safe to unplug the 
drive?  Or maybe the user should somehow tell the server I want to 
unplug the drive -- stop using it and unmount it.

The user's only way of communicating with the server is by email or 
possibly via Webmin.

Has anyone come up with a cunning plan to deal with this?

cheers

Chris
-- 
Chris Dennis  cgden...@btinternet.com
Fordingbridge, Hampshire, UK
