January 18th, 2007 by Matteo
I usually use ssh keys to log in on other machines. This is done by having in the .ssh directory the public key (id_dsa.pub) readable by anyone (-rw-------) and the private key (id_dsa) readable by me (-rw-r--r--). But there is a problem if your home directory lies in AFS where you can set permissions just on the directory level: if you set .ssh as readable you expose your secret key and if you protect it you hide the public key. As a simple solution you can move your private key to a private folder and set a symbolic to it as follows:
cd $HOME/.ssh
mkdir private
mv id_dsa private
ln -s private/id_dsa .
fs sa private system:anyuser none
fs sa . system:anyuser read
Posted in Software | No Comments »
January 16th, 2007 by Matteo
I finally managed to configure name based virtual hosts with SSL (HTTPS).
Problem:
when connecting to a secure site the browser checks the validity of the (X.509) certificate and verifies if the address of the site is the same as the common name contained in the certificate. Since, in a secure connection, the accessed URL is encoded, when using multiple names (DNS) per IP address the server is not able to detect which virtual host should be used before the certificate check.
Approach:
- Issue a single X.509 certificate with the server name as common name (CN) and specify the DNS aliases as alternative names (using the SubjectAltName extenstion). CAcert.org has a nice shell script to generate certificate requests with alternative names.
- Configure named virtual hosts on port 443
- Use the same certificate for each virtual host
Technical:
add the following directives to your openssl configuration file:
[req]
req_extensions = v3_req
[ v3_req ]
subjectAltName=DNS:alias1.example.com,
DNS:alias2.example.com
Posted in Software | No Comments »