From: Chuck Swiger
Date: Wed, 18 Oct 2006 10:35:57 -0700
To: Robin Becker
Cc: freebsd-questions@freebsd.org
Subject: Re: kick off a post boot job
In-Reply-To: <4536600A.9010602@chamonix.reportlab.co.uk>
Message-Id: <047A0126-6119-45A8-8BC5-497FC6ADF08F@mac.com>

On Oct 18, 2006, at 10:10 AM, Robin Becker wrote:

> I have a number of servers which don't have console access, but I
> would like to have apache started automatically if the server is
> rebooted. However, it seems that if https is used then I need to
> type in a secret at boot time (on the console).
>
> Is there a way to start processes up automatically after the boot
> is finished?

Sure. Cron or at will do so, for example. But you're not going to truly resolve the actual problem of needing human input for a passphrase by having some other machine do something automatically.

> I could imagine asking another, trusted, server to supply the magic
> string using scp or some other secure transport and then using the
> decoded result to start up apache.

The "magic string" is normally called the SSH private key, ~/.ssh/id_rsa or ~/.ssh/id_dsa. :-)

I suppose you could use SSH from some remote trusted server to do an "apachectl startssl" and then feed it the passphrase, but then you've ended up putting the passphrase in cleartext on the trusted host, and you need to permit the trusted host to log in to the webserver without needing human intervention via SSH keypairs, so you're just moving the problem from one place to another.

If you've got 24-7 sysadmin availability, then keeping your x.509 certs passphrase-protected might well make sense-- if a machine is rebooted, a sysadmin needs to log in and start apache by hand. Otherwise, most people leave the x.509 certs unsecured with a passphrase so that the webserver can be set up to start itself upon a reboot without manual intervention.

-- 
-Chuck
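As an added example, not part of the thread and not code from either poster: a small POSIX sh check an admin could run before relying on cron or at to restart Apache, listing the keys named by SSLCertificateKeyFile in an httpd.conf and flagging the ones that would stop for a passphrase at boot. The httpd.conf and PEM files it reads are constructed in a temp directory; only their PEM headers matter, the bodies are placeholders.

```sh
#!/bin/sh
# Added example (not from the thread): find the TLS keys Apache will load and
# flag those that are passphrase-protected, since those block an unattended start.

# Print the path from every SSLCertificateKeyFile directive in an httpd.conf.
keys_from_httpd_conf() {
    awk '$1 == "SSLCertificateKeyFile" { print $2 }' "$1"
}

# Return 0 if the PEM file is encrypted, 1 if not. Decided from the PEM headers only:
# legacy "BEGIN RSA/DSA PRIVATE KEY" files carry "Proc-Type: 4,ENCRYPTED";
# PKCS#8 files use "BEGIN ENCRYPTED PRIVATE KEY".
key_is_encrypted() {
    grep -q -e '^Proc-Type: 4,ENCRYPTED' \
            -e '^-----BEGIN ENCRYPTED PRIVATE KEY-----' "$1"
}

# Report on each key; the return value is the number of encrypted keys (0 = safe).
check_keys() {
    n=0
    for f in "$@"; do
        if key_is_encrypted "$f"; then
            echo "BLOCKS BOOT: $f (passphrase prompt at startup)"
            n=$((n + 1))
        else
            echo "ok: $f"
        fi
    done
    return "$n"
}

# Constructed sample input: a minimal httpd.conf and three placeholder key files.
tmp=$(mktemp -d "${TMPDIR:-/tmp}/sslkeys.XXXXXX")
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'Proc-Type: 4,ENCRYPTED' \
    'DEK-Info: AES-256-CBC,00000000000000000000000000000000' '' \
    'PLACEHOLDERBODY' '-----END RSA PRIVATE KEY-----' > "$tmp/encrypted.key"
printf '%s\n' '-----BEGIN RSA PRIVATE KEY-----' 'PLACEHOLDERBODY' \
    '-----END RSA PRIVATE KEY-----' > "$tmp/plain.key"
printf '%s\n' '-----BEGIN ENCRYPTED PRIVATE KEY-----' 'PLACEHOLDERBODY' \
    '-----END ENCRYPTED PRIVATE KEY-----' > "$tmp/pkcs8.key"
printf '%s\n' "SSLCertificateKeyFile $tmp/encrypted.key" \
    "SSLCertificateKeyFile $tmp/plain.key" \
    "SSLCertificateKeyFile $tmp/pkcs8.key" > "$tmp/httpd.conf"

# Usage: the sample paths contain no whitespace, so word splitting of the list is safe.
if check_keys $(keys_from_httpd_conf "$tmp/httpd.conf"); then
    echo "all keys can be loaded without a passphrase"
else
    echo "$? key(s) would prompt for a passphrase at boot"
fi
```

A key flagged here is exactly the case the reply describes: either someone is on hand after every reboot, or the key is stored without a passphrase and protected by file permissions instead.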