Dynamic apache config
Jason Stephenson
jason at sigio.com
Wed Jun 4 14:07:43 EDT 2003
Cole Tuininga wrote:
> The other concern I have (and perhaps you folks can allay them?) is the
> issue of ssl certs with passwords. If I'm restarting apache to have it
> reread the conf file, wouldn't I have to enter the certificate password
> each time?
In my experience, yes. I believe that you can add to whatever startup
script you're using and pass it as an option to httpd.
Of course you can always use an empty passphrase when you generate the
certificate. This permits Apache to restart in SSL mode without needing
a password. I've done this with self-signed certificates when
experimenting with SSL and on a couple of test/development machines.
When I'm feeling lazy, I also do this with my ssh keys so I can ssh
without needing a password at all.
Yes, I know it's considered bad security practice, but if the system is
otherwise secure, then the risk of empty passphrases isn't that great.
It's only a danger if someone breaks into the machine and steals the
original keys, or if you do it on a machine where you aren't root, or at
least not the only admin with root access and you can't trust the other
admins.
Anyway, I've never considered passphrases and passwords as a "security
mechanism." They're really more of an "access mechanism." So, I have no
qualms about using empty passphrases for my self-signed certs and ssh
keys. If my machine was ever to be compromised, I'd probably generate
all new keys for ssh, ssl and gpg anyway. (Yes, I use a rather long
passphrase with gpg.)
Besides, most people pick lousy passphrases anyway. That's why I wrote
my own passphrase generator to spit out random gibberish such as
(actual program output):
jason at casanova:~$ pgen
8T(U[TcY
jason at casanova:~$ pgen 12
mp{6$}9:_+\
jason at casanova:~$ pgen 24
EQ;WcpgHbT\8pxJD.h_mOwe:
jason at casanova:~$
Note that the first character of the 12-character passphrase is a blank
space.
Trouble with that is, you have to write them down or store them in a
database, which just means there's one more thing you have to worry
about guarding/losing.
OK, so I veered off topic, but that's not unusual for me, or for this
list. :-)
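As an added example (not the pgen program from the post, whose source is not shown), here is a Python generator that does the same job from the OS CSPRNG and reports how many bits of entropy a given length carries. It assumes pgen draws uniformly from the 95 printable ASCII characters, space included, which is consistent with the sample output and the note about the leading blank.

```python
import math
import secrets
import string

# Alphabet: the 95 printable ASCII characters (0x20-0x7E). Space is
# included, matching the post's note that a passphrase may begin with a
# blank. This is an assumption about pgen, not taken from its source.
ALPHABET = " " + string.digits + string.ascii_letters + string.punctuation


def pgen(length: int = 8) -> str:
    """Return a random passphrase of `length` printable ASCII characters.

    secrets.choice is used rather than random.choice because the output
    is a credential; the default length of 8 matches the post's pgen.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy in bits of a uniformly chosen string of `length` symbols."""
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    # repr() quotes the value so a leading or trailing space is visible.
    for n in (8, 12, 24):
        print(f"{n:2d} chars: {pgen(n)!r}  (~{entropy_bits(n):.1f} bits)")
```

An 8-character passphrase from this alphabet carries about 52.6 bits, which is why the 24-character form (about 157.7 bits) is the one worth keeping for anything long-lived.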