Dynamic apache config

Jason Stephenson jason at sigio.com
Wed Jun 4 14:07:43 EDT 2003


Cole Tuininga wrote:
> The other concern I have (and perhaps you folks can allay them?) is the
> issue of ssl certs with passwords.  If I'm restarting apache to have it
> reread the conf file, wouldn't I have to enter the certificate password
> each time?

In my experience, yes. I believe that you can add to whatever startup 
script you're using and pass it as an option to httpd.

Of course you can always use an empty passphrase when you generate the 
certificate. This permits Apache to restart in SSL mode without needing 
a password. I've done this with self-signed certificates when 
experimenting with SSL and on a couple of test/development machines.

When I'm feeling lazy, I also do this with my ssh keys so I can ssh 
without needing a password at all.

Yes, I know it's considered bad security practice, but if the system is 
otherwise secure, then the risk of empty passphrases isn't that great. 
It's only a danger if someone breaks into the machine and steals the 
original keys, or if you do it on a machine where you aren't root, or at 
least not the only admin with root access and you can't trust the other 
admins.

Anyway, I've never considered passphrases and passwords as a "security 
mechanism." They're really more of an "access mechanism." So, I have no 
qualms about using empty passphrases for my self-signed certs and ssh 
keys. If my machine was ever to be compromised, I'd probably generate 
all new keys for ssh, ssl and gpg anyway. (Yes, I use a rather long 
passphrase with gpg.)

Besides, most people pick lousy passphrases anyway. That's why I wrote 
my own passphrase generator to spit out random gibberish such as 
(actual program output):

jason at casanova:~$ pgen
8T(U[TcY
jason at casanova:~$ pgen 12
  mp{6$}9:_+\
jason at casanova:~$ pgen 24
EQ;WcpgHbT\8pxJD.h_mOwe:
jason at casanova:~$

Note that the first character of the 12-character passphrase is a blank 
space.

Trouble with that is, you have to write them down or store them in a 
database, which just means there's one more thing you have to worry 
about guarding/losing.

OK, so I veered off topic, but that's not unusual for me, or for this 
list. :-)
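A generator of the kind shown in the output above, added here as an illustration; it is not the author's pgen program. It draws uniformly from the 95 printable ASCII characters (space through `~`, which is why a leading blank can appear) using the OS CSPRNG, and also reports how many bits of entropy a given length buys, which the sample output alone does not show.

```python
import math
import secrets
import string

# Alphabet: the 95 printable ASCII symbols, space included, matching the
# sample output above. string.printable is avoided because it also contains
# tab and newline characters.
ALPHABET = " " + string.ascii_letters + string.digits + string.punctuation


def generate_passphrase(length: int = 8) -> str:
    """Return `length` characters chosen uniformly from ALPHABET.

    secrets.choice uses the operating system's CSPRNG, so the result is
    suitable for real passphrases, unlike random.choice.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).

    For the default 8-character output this is about 52.6 bits; the
    24-character output in the post carries roughly 158 bits.
    """
    return length * math.log2(alphabet_size)


def main(argv: list[str]) -> None:
    # Mirrors the command line shown above: optional length, default 8.
    length = int(argv[1]) if len(argv) > 1 else 8
    print(generate_passphrase(length))
    print(f"({entropy_bits(length):.1f} bits of entropy)")


if __name__ == "__main__":
    import sys

    main(sys.argv)
```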




More information about the gnhlug-discuss mailing list