pkgsrc-WIP-discuss archive


commit: openscep



I haven't been keeping up with this list as much as I'd like, but just
wanted to give you heads up I checked in OpenSCEP.  It lets you load
X.509 certificates into Cisco devices.  

I still need to go through a trial run with a new-in-box PIX, but I
think the package encapsulates most of the weeks of struggle I've had
with OpenSCEP bit-rot and messy installation getting this
properly-configured VPN running.  

Most people use road warrior VPNs based on short XAuth passwords, and
"shared group authentication," which according to my rather hazy
understanding means that any of the road warriors you have out there
has enough information loaded into his client to impersonate your
security gateway and act as a man in the middle, so he could intercept
the VPN session of another employee staying in the same hotel or at
the same conference, and then get the guy's XAuth password which is
probably the same as his EnTee Domain Password, and then go read the
other guy's email.  Also passwords are too short, and people choose
very poor ones, so the VPN is supposed to be an additional layer of
security, not just a second identical password prompt.  Really I think
everyone should be using certificates, but I think many are not doing
so largely because SCEP CAs are expensive and complicated.  If that
describes you, try my package!

If you need to do this and want sample PIX 501 configs or a copy of my
terse instructions for loading a certificate into Cisco's "Unity"
Windows client using the OpenSSL Mini-CA that my package sets up, let
me know privately.

In files/ I also put a patch to the openldap package in the main
source.  I don't know if the patch has much of a prayer of getting rolled
into the main openldap package, but using my patch it is much faster
to get a basic slapd running chroot, dropped-privs, and on a
Unix-domain socket only.  The problem with openscep is that it depends
on a web server and LDAP, which is garbage you would maybe rather not
run as part of a VPN project.  If you are irritated by LDAP in general
and have measured the code to be of rather suspicious quality, running
it strictly on a Unix-domain socket and chroot is probably a good
idea.  

Unfortunately the overall configuration still leaves the CA Key
readable by the Apache user, so someone who exploits the web server as
user 'web' has enough access to sign a certificate and thus get into
your VPN. :(

Attachment: pgpr9qan2ZyGa.pgp
Description: PGP signature
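The last paragraph of the post describes the residual risk: the CA private key stays readable by the web server's user, so a compromise of the web server is enough to sign certificates. The following is an added example, not part of the original post or the OpenSCEP package, that audits exactly that condition: it implements the Unix discretionary read check (root, owner class, group class, other class) and runs it against a key file for a given uid and group set. The file contents, the temporary directory, and the "web" uid 65533 are constructed placeholders; on a real system you would point `audit_key` at the CA key path and pass the uid and groups reported by `id` for the web server account.

```python
import os
import stat
import tempfile


def can_read(mode, file_uid, file_gid, uid, gids):
    """Unix discretionary read check.

    root reads everything; otherwise exactly one permission class applies,
    chosen in the order owner, group, other. A user who owns the file but
    lacks owner-read does not fall through to the group or other bits.
    """
    if uid == 0:
        return True
    if uid == file_uid:
        return bool(mode & stat.S_IRUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IRGRP)
    return bool(mode & stat.S_IROTH)


def audit_key(path, uid, gids):
    """Stat a key file and report whether the given uid/gids could read it.

    Returns a dict with the octal mode and the verdict, so a deployment
    script can fail loudly when the CA key is exposed to the web account.
    """
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    return {
        "path": path,
        "mode": oct(mode),
        "owner_uid": st.st_uid,
        "group_gid": st.st_gid,
        "readable_by_uid": can_read(mode, st.st_uid, st.st_gid, uid, gids),
    }


def demo():
    """Constructed scenario: a placeholder CA key in a temp directory,
    audited for a hypothetical unprivileged web account (uid 65533, whose
    only group is 65533, so it is neither owner nor group member).

    Returns {mode: readable?} for three common modes. Only 0o644 exposes
    the key to the web account; 0o640 and 0o600 do not.
    """
    web_uid, web_gids = 65533, {65533}
    tmpdir = tempfile.mkdtemp()
    key_path = os.path.join(tmpdir, "cakey.pem")
    with open(key_path, "w") as fh:
        # Constructed placeholder, not real key material.
        fh.write("-----BEGIN RSA PRIVATE KEY-----\n"
                 "PLACEHOLDER\n"
                 "-----END RSA PRIVATE KEY-----\n")
    results = {}
    try:
        for mode in (0o644, 0o640, 0o600):
            os.chmod(key_path, mode)
            results[mode] = audit_key(key_path, web_uid, web_gids)["readable_by_uid"]
    finally:
        os.remove(key_path)
        os.rmdir(tmpdir)
    return results


if __name__ == "__main__":
    for mode, exposed in demo().items():
        print(f"mode {oct(mode)}: readable by web uid -> {exposed}")
```

The interesting case for this package is the one the post admits to: because the SCEP responder runs under the web server and must sign, the key ends up in the web user's reach either by ownership or by group, and `audit_key` will report `readable_by_uid: True` for that account until signing is moved to a separate uid and the key's mode tightened.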