Linux - Security
This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
ca.key, ca.csr & ca.crt (self generated) are created in Redhat 6.4 with default permissions 644. Is there any reason these are being created with world-readable permissions?
The openssl tool set doesn't worry about permissions as it is available for several platforms. It's up to the admin to set up proper permissions. 600 is recommended for the private key but 644 can be the public key permissions.
You might be thinking about ssh, which does care about file-permissions (in that, if the permissions on the file are "too permissive," it won't recognize it). I don't think that SSL does that ...
As far as I know, though, none of these files contain "secret" information. They are generated using secret information, in each case held only by one of the two parties, but "they are not secret themselves ... and that is the point." The purpose of the whole thing, as I understand it, is: "I can generate it (you can't) ... you can sign it (I can't) ... I can verify the signature and can't alter what has been signed."
Working together, each party revealing none of its secrets (but employing those secrets), the key exchange can be accomplished, using files that do not have to be kept secret or conveyed across a secure channel. And that's the essential reason for the entire contretemps.
Last edited by sundialsvcs; 10-21-2013 at 06:44 PM.
"ca.key, ca.csr & ca.crt" are not part of OpenSSH but appear to be part of SSL public key infrastructure. The OpenSSH files whose permissions you're referring to are mentioned in the OpenSSH FAQ (namely authorized_keys, .ssh, and user $HOME). The names the OP refers to appear to be x509 certificates. While OpenSSL (and SSL in general) does not require any special permissions to operate correctly, it is *recommended* that any keys (*.key) be 600 permissions (not required). For public certificates (*.crt) and certificate signing requests (*.csr), the permissions do not matter so much because they're intended to be publicly distributed.
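An added example (not written by any poster in this thread) of the permission advice above: a POSIX shell audit that finds *.key files accessible to group or other and tightens them to 600, leaving *.crt and *.csr files alone. The function names are hypothetical, and it assumes private keys carry the .key suffix as in the question.

```shell
#!/bin/sh
# Added example: audit and tighten private-key permissions in a CA directory.
# Assumption: private keys are named *.key, as in the original question.

# Print every *.key file under $1 that grants any access to group or other.
# The tests are POSIX find syntax: "-perm -040" means "group-read bit is set".
list_exposed_keys() {
    find "$1" -type f -name '*.key' \( \
        -perm -040 -o -perm -020 -o -perm -010 -o \
        -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Count exposed keys; 0 means the directory passes the audit.
count_exposed_keys() {
    list_exposed_keys "$1" | wc -l | tr -d ' '
}

# Set every exposed key to 600. Certificates and CSRs are never touched,
# because only *.key files are selected.
tighten_keys() {
    list_exposed_keys "$1" | while IFS= read -r f; do
        chmod 600 "$f" && printf 'tightened: %s\n' "$f"
    done
}

# Run a command with umask 077 so files it creates start out owner-only.
# The subshell keeps the caller's umask unchanged.
# e.g. with_private_umask openssl genrsa -out ca.key 2048
with_private_umask() {
    ( umask 077 && "$@" )
}
```

Creating the key under a restrictive umask avoids the window in which a freshly written key is world-readable before chmod runs.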
Yes. Exactly my point. It's easy to confuse the two. Very easy.
You set up your own CA and sign keys using only openssl. I know there are different solutions which are better, but just for a handful of internal certs I quite like that setup.