Date: Thu, 25 Apr 2002 20:18:19 +0100
From: Marc Rogers <marcr@closed-networks.com>
To: ANdrei <andrei@abc.ro>
Cc: freebsd-security@freebsd.org
Subject: Re: apache
Message-ID: <20020425201819.B9744@closed-networks.com>
In-Reply-To: <3CC851E7.3529C7AB@abc.ro>; from andrei@abc.ro on Thu, Apr 25, 2002 at 09:58:47PM +0300
References: <3CC851E7.3529C7AB@abc.ro>
On Thu, Apr 25, 2002 at 09:58:47PM +0300, ANdrei wrote: > let me give you a scenario that i want solved :) > > i have a webserver that needs to run apache with SSL (httpd -SSL, if i > remember correctly), but the server is not considered to be secure > enough to have an unencrypted key on it's hard drives... so the key is > crypted, but then, again, apache is unable to start with SSL enabled if > somebody doesn't enter the passphrase by hand... i'm talking about > apache with mod-ssl, it's one of many big servers, and any minute of it > not being up is a big pain in the ass, so starting apache on every > server every time by entering the passphrase by hand is not what i am > looking for... starting it from a script where the passphrase is plain > text is also considered to be insecure for what i need.... Unfortunately you are either going to have to get a human to do it, or commit the passphrase to a program or script. You can obfuscate the passphrase as much as you like but one way or other the key to the passphrase ends up being stored in a program. The solution that i opted for was to create a server on a secure network that acted as the key manager for the secure webservers. The system was kept off the normal network, and only had ssh access to the machines on the private network. No services ran on the machine appart from an sshd accessable through a gateway. This machine periodically checked to see if the secure servers were running and if not, logged in via ssh and restarted them with the passphrase. Not wonderfully elegant, but necessary and secure enough for its purpose. > > hope smbd had this problem already :) > Im sure many people have had this problem. Better solutions anyone? > ANdrei > Marc -- Marc Rogers Vizzavi UK www.itv.com/popidol To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message