From: Boldin Pavel <ldavinchi@inbox.ru>
To: openldap@lists.osdn.org.ua,
ALT Linux Sisyphus discussion list <sisyphus@altlinux.ru>
Subject: Re: [sisyphus] Re: SSH +ldap
Date: Mon, 18 Apr 2005 12:32:31 +0500
Message-ID: <4263628F.8030304@inbox.ru> (raw)
In-Reply-To: <20050418062929.GE11819@osdn.org.ua>
[-- Attachment #1: Type: text/plain, Size: 650 bytes --]
Michael Shigorin пишет:
> On Sun, Apr 17, 2005 at 11:39:34PM +0400, Gor_lov aka Stalker wrote:
>
>>>зря вы боитесь, ldap over tls работает почти везде...
>>
>>Кстати - а чем генерить сертификат?
>
>
> openssl -- кажется, в документации Master 2.4 (см. docs/ в его
> корне на ftp) приводился пример, да и на opennet.ru их было.
>
tinyca... я для него патч написал, чтобы можно было ключи без паролей
создавать (pam_ldap ключи с паролем не принимает),
я вам его скидываю...
Ещё в openssl есть скрипт ./CA.pl | ./CA.sh —
он тоже это умеет.
--
Болдин Павел aka davinchi
ldavinchi@inbox.ru or davinchi@zu.org.ru
ZU - Zagovor Unixoidov. SSAU 303.
[-- Attachment #2: tinyca-0.6.7-zu-pam_ldap.patch --]
[-- Type: text/x-patch, Size: 5812 bytes --]
diff -NurpP tinyca-0.6.7.orig/lib/GUI.pm tinyca-0.6.7/lib/GUI.pm
--- tinyca-0.6.7.orig/lib/GUI.pm 2004-12-07 12:14:18 +0400
+++ tinyca-0.6.7/lib/GUI.pm 2005-04-03 21:21:19 +0500
@@ -1241,7 +1241,7 @@ sub show_req_dialog {
my ($self, $opts) = @_;
my ($box, $button_ok, $button_cancel, $reqtable, $radiobox, $key1, $key2,
- $key3, $key4, $key5, $entry, $label);
+ $key3, $key4, $key5, $key6, $entry, $label);
$button_ok = Gnome::Stock->button('Button_Ok');
$button_ok->signal_connect('clicked',
@@ -1360,6 +1360,13 @@ sub show_req_dialog {
\$opts->{'digest'}, 'md4');
$radiobox->add($key5);
+ $key6 = Gtk::RadioButton->new('No Des', $key1);
+ $key6->set_active(1)
+ if(defined($opts->{'digest'}) && $opts->{'digest'} eq 'nodes');
+ $key6->signal_connect('toggled', \&GUI::CALLBACK::toggle_to_var,
+ \$opts->{'digest'}, 'nodes');
+ $radiobox->add($key6);
+
$reqtable->attach_defaults($radiobox, 1, 2, 15, 16);
$label = GUI::HELPERS::create_label(gettext("Algorithm").":", 'left', 0, 0);
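Review bot: Storing `'nodes'` in `$opts->{'digest'}` makes "No Des" a third state of the digest radio group, so selecting it drops the user's digest choice and the later `" -"."$opts->{'digest'}"` in OpenSSL.pm becomes `-nodes`, leaving the request signed with whatever digest openssl defaults to. Key encryption and signature digest are independent settings; a separate `Gtk::CheckButton` bound to its own `$opts->{'nodes'}` flag would keep both selectable and remove the string comparisons against `"nodes"` that the other hunks add. The label `'No Des'` also bypasses `gettext`, unlike the `Algorithm` label right below it, and names the cipher rather than the effect; `gettext("Unencrypted private key")` says what the user actually gets. show_req_dialog begins and ends outside this hunk.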
diff -NurpP tinyca-0.6.7.orig/lib/OpenSSL.pm tinyca-0.6.7/lib/OpenSSL.pm
--- tinyca-0.6.7.orig/lib/OpenSSL.pm 2004-12-07 12:14:18 +0400
+++ tinyca-0.6.7/lib/OpenSSL.pm 2005-04-03 23:56:06 +0500
@@ -81,12 +81,15 @@ sub newkey {
return($ret, $ext) if($ret);
$cmd = "$self->{'bin'} gendsa";
+
$cmd .= " -des3";
$cmd .= " -passout env:SSLPASS";
+
$cmd .= " -out \"$opts->{'outfile'}\"";
$cmd .= " $param";
} else {
$cmd = "$self->{'bin'} genrsa";
+
$cmd .= " -des3";
$cmd .= " -passout env:SSLPASS";
@@ -96,6 +99,7 @@ sub newkey {
}
$ENV{'SSLPASS'} = $opts->{'pass'};
+
my($rdfh, $wtfh);
$ext = "$cmd\n\n";
$pid = open3($wtfh, $rdfh, $rdfh, $cmd);
@@ -120,6 +124,7 @@ sub newkey {
delete($ENV{'SSLPASS'});
+
return($ret, $ext);
}
@@ -290,19 +295,33 @@ sub newreq {
my $self = shift;
my $opts = { @_ };
- my ($ext, $ret, $cmd, $pid);
+ my ($ext, $ret, $cmd, $pid, $t, $bar, $box, $i, $c);
$cmd = "$self->{'bin'} req -new";
$cmd .= " -keyform PEM";
$cmd .= " -outform PEM";
- $cmd .= " -passin env:SSLPASS";
+
+ $cmd .= " -passin env:SSLPASS"
+ if ( $opts->{'digest'} ne "nodes");
$cmd .= " -config $opts->{'config'}";
$cmd .= " -out $opts->{'outfile'}";
- $cmd .= " -key $opts->{'keyfile'}";
+
+ if ( $opts->{'digest'} ne "nodes")
+ {
+ $cmd .= " -key $opts->{'keyfile'}";
+ }
+ else
+ {
+ $cmd .= " -keyout $opts->{'keyfile'}";
+ }
+
+
$cmd .= " -"."$opts->{'digest'}";
- $ENV{'SSLPASS'} = $opts->{'pass'};
+ $ENV{'SSLPASS'} = $opts->{'pass'}
+ if ( $opts->{'digest'} ne "nodes");
+
# print "DEBUG call: $cmd\n";
my($rdfh, $wtfh);
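Review bot: In the `nodes` branch `openssl req` generates the key itself via `-keyout`, so the algorithm and key size that `newkey` honours (`algo`/`bits`, which create_req passes to it in REQ.pm) are ignored here and the key becomes whatever `default_bits` in `$opts->{'config'}` says; if newreq receives `bits`, `-newkey rsa:$opts->{'bits'}` should be appended on that path, and a DSA selection should be rejected rather than silently turned into RSA. The new `-keyout $opts->{'keyfile'}` is interpolated unquoted into a string that open3 hands to the shell, whereas newkey quotes its `-out \"$opts->{'outfile'}\"`; the key path is built from the user-entered request name in create_req, so it should be quoted the same way. The `ne "nodes"` test is evaluated three times in this hunk and warns on an undefined digest; `my $nodes = defined $opts->{'digest'} && $opts->{'digest'} eq 'nodes';` at the top of newreq computes it once. Since this key now reaches disk unencrypted, it is also worth confirming the file mode `-keyout` leaves behind and tightening it to 0600 after the call if needed. newreq continues in the next hunk.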
@@ -318,13 +337,23 @@ sub newreq {
}
}
- while(<$rdfh>) {
- $ext .= $_;
+ $t = gettext("Creating key and req in progress...");
+ ($box, $bar) = GUI::HELPERS::create_activity_bar($t);
+ $i = 0;
+ while(defined($c = getc($rdfh))) {
+ $ext .= $c;
+ $bar->update(($i++%100)/100);
+ while(Gtk->events_pending) {
+ Gtk->main_iteration;
+ }
}
+ $box->destroy();
+
waitpid($pid, 0);
$ret = $? >> 8;
- delete($ENV{'SSLPASS'});
+ delete($ENV{'SSLPASS'})
+ if ( $opts->{'digest'} ne "nodes");
return($ret, $ext);
}
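Review bot: Making `delete($ENV{'SSLPASS'})` conditional buys nothing and opens a gap: deleting an absent key is harmless, while any passphrase left in `%ENV` is inherited by every later child process, so the unconditional `delete($ENV{'SSLPASS'});` should stay. The progress loop also makes OpenSSL.pm call `gettext` and `GUI::HELPERS::create_activity_bar`; if this module does not import gettext the call fails at runtime, and the openssl wrapper now depends on the GUI layer, so the activity bar is better driven from REQ.pm through a callback than from inside the command runner. Reading one byte per `getc` with a Gtk main_iteration for each is acceptable for openssl's short output, but a comment such as `# byte-wise read so the dialog stays responsive while openssl runs` would make the intent clear. newreq starts in the previous hunk.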
diff -NurpP tinyca-0.6.7.orig/lib/REQ.pm tinyca-0.6.7/lib/REQ.pm
--- tinyca-0.6.7.orig/lib/REQ.pm 2004-12-07 12:14:18 +0400
+++ tinyca-0.6.7/lib/REQ.pm 2005-04-03 23:49:03 +0500
@@ -46,6 +46,7 @@ sub get_req_create {
$ca = $main->{'CA'}->{'actca'};
+
if(!(defined($opts)) || !(ref($opts))) {
if(defined($opts) && $opts eq "signserver") {
$opts = {};
@@ -94,8 +95,12 @@ sub get_req_create {
if((not defined($opts->{'CN'})) ||
($opts->{'CN'} eq "") ||
- (not defined($opts->{'passwd'})) ||
- ($opts->{'passwd'} eq "")) {
+ (
+ ((not defined($opts->{'passwd'})) ||
+ ($opts->{'passwd'} eq "")) &&
+ $opts->{'digest'} ne "nodes"
+ )
+ ) {
$main->show_req_dialog($opts);
GUI::HELPERS::print_warning(
gettext("Please specify at least Common Name ")
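Review bot: `$opts->{'digest'} ne "nodes"` raises an "uninitialized value" warning whenever no digest has been set yet, and the same comparison is repeated in the passwd2 check below; computing `my $nodes = defined $opts->{'digest'} && $opts->{'digest'} eq 'nodes';` once before these checks and writing the password branch as `!$nodes && (!defined $opts->{'passwd'} || $opts->{'passwd'} eq '')` states the intent (password required unless an unencrypted key was chosen) and avoids the warning. The warning text beginning `Please specify at least Common Name` presumably goes on to mention the password, which is misleading when the nodes option is selected and only the CN is missing; a separate message for that case would be clearer. get_req_create starts before this hunk.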
@@ -103,8 +108,14 @@ sub get_req_create {
return;
}
- if((not defined($opts->{'passwd2'})) ||
- $opts->{'passwd'} ne $opts->{'passwd2'}) {
+ if(
+ (
+ (not defined($opts->{'passwd2'})) ||
+ $opts->{'passwd'} ne $opts->{'passwd2'}
+ )
+ && ($opts->{'digest'} ne "nodes")
+ )
+ {
$main->show_req_dialog($opts);
GUI::HELPERS::print_warning(gettext("Passwords don't match"));
return;
@@ -153,18 +164,21 @@ sub create_req {
$reqfile = $cadir."/req/".$opts->{'reqname'}.".pem";
$keyfile = $cadir."/keys/".$opts->{'reqname'}.".pem";
- ($ret, $ext) = $self->{'OpenSSL'}->newkey(
- 'algo' => $opts->{'algo'},
- 'bits' => $opts->{'bits'},
- 'outfile' => $keyfile,
- 'pass' => $opts->{'passwd'}
- );
-
- if (not -s $keyfile || $ret) {
- unlink($keyfile);
- GUI::HELPERS::set_cursor($main, 0);
- GUI::HELPERS::print_warning(gettext("Generating key failed"), $ext);
- return;
+ if ( defined($opts->{'passwd'}) && "$opts->{'passwd'}" ne "" )
+ {
+ ($ret, $ext) = $self->{'OpenSSL'}->newkey(
+ 'algo' => $opts->{'algo'},
+ 'bits' => $opts->{'bits'},
+ 'outfile' => $keyfile,
+ 'pass' => $opts->{'passwd'}
+ );
+
+ if (not -s $keyfile || $ret) {
+ unlink($keyfile);
+ GUI::HELPERS::set_cursor($main, 0);
+ GUI::HELPERS::print_warning(gettext("Generating key failed"), $ext);
+ return;
+ }
}
($ret, $ext) = $self->{'OpenSSL'}->newreq(
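Review bot: The guard `defined($opts->{'passwd'}) && "$opts->{'passwd'}" ne ""` keys on the password instead of the "No Des" choice, so the two code paths can disagree: with "No Des" selected and a password typed (the validation hunks no longer check it in that case), newkey writes an encrypted key to `$keyfile`, then newreq with `-nodes -keyout $keyfile` generates a second key and overwrites it unencrypted, silently discarding the password and the chosen `algo`/`bits`. Gate on the same condition OpenSSL.pm uses, `if (!(defined $opts->{'digest'} && $opts->{'digest'} eq 'nodes'))`, and clear `$opts->{'passwd'}` in the nodes case so a stray password cannot reach newreq. The `-s $keyfile` check only runs on the newkey path; the nodes path should verify the key file after newreq returns as well. create_req's body and the newreq call continue past this hunk.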
[-- Attachment #3: tinyca.spec --]
[-- Type: text/plain, Size: 6320 bytes --]
# spec file for package tinyca
#
# $Id: tinyca.spec,v 1.16 2004/08/09 19:40:51 sm Exp $
#
# Copyright (c) 2002 Stephan Martin
# This file and all modifications and additions to the pristine
# package are under the same license as the package itself.
#
# Adopted for Sisyphus by Nikolay A. Fetisov
Name: tinyca
Version: 0.6.7
Release: alt1
Summary: Graphical Tool for Managing a Certification Authority
Summary(ru_RU.KOI8-R): Графическая утилита для управления Certification Authority
License: GPL
Group: Security/Networking
URL: http://tinyca.sm-zone.net/
Packager: Nikolay A. Fetisov <naf@altlinux.ru>
BuildArch: noarch
%define real_name %name
Source0: %real_name-%version.tar.bz2
Source1: %name.xpm
Patch001: %name-%version-zu-pam_ldap.patch
AutoReqProv: perl, yes
BuildPreReq: perl-devel, perl-GTK-Gnome, perl-gettext
Requires: openssl
%description
TinyCA is a graphical tool written in Perl/Gtk to manage a small
Certification Authority (CA) using openssl.
TinyCA supports
- creation and revocation of x509 - S/MIME certificates.
- PKCS#10 requests.
- exporting certificates as PEM, DER, TXT, and PKCS#12.
- server certificates for use in web servers, email servers, IPsec,
and more.
- client certificates for use in web browsers, email clients, IPsec,
and more.
- creation and management of SubCAs
Authors:
--------
Stephan Martin <sm@sm-zone.net>
%description -l ru_RU.KOI8-R
TinyCA - графическая утилита, написанная на Perl/GTK, для управления
Certification Authority (CA) небольших размеров, используя openssl.
TinyCA поддерживает:
- создание и отзыв сертификатов x509 и S/MIME
- запросы PKCS#10
- экспорт сертификатов в форматах PEM, DER, TXT и PKCS#12
- управление серверными сертификатами для использования с серверами web, email, с IPsec,
и т.д.
- управление клиентскими сертификатами для использования в браузерах, почтовых
клиентах, для IPsec и пр.
- создание и управление SubCA
Авторы:
--------
Stephan Martin <sm@sm-zone.net>
%define bindir %_bindir
%define libdir %_datadir/TinyCA/lib
%define templatesdir %_datadir/TinyCA/templates
%define localedir %_datadir/TinyCA/locale/
# Defining _perl_lib_path for correct work of AutoReqProv
%define _perl_lib_path %libdir
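%prep
%setup
%patch001 -p1
%build
# Configure pristine source: the tinyca launcher refers to ./lib, ./templates
# and ./locale next to itself (the three substitutions below); rewrite those
# to the packaged directories.  The dot is escaped so only the literal "./"
# prefix matches -- an unescaped dot is a wildcard and would also rewrite
# any other character followed by "/lib" (or "/templates", "/locale").
perl -pi -e 's:\./lib:%libdir:g' tinyca
perl -pi -e 's:\./templates:%templatesdir:g' tinyca
perl -pi -e 's:\./locale:%localedir:g' tinyca
make -C po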
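%install
# Message catalogs shipped with this release (locale/<code>/LC_MESSAGES/tinyca.mo).
LANGUAGES="de es cs"
%__mkdir -p $RPM_BUILD_ROOT%bindir
%__mkdir -p $RPM_BUILD_ROOT%libdir
%__mkdir -p $RPM_BUILD_ROOT%libdir/GUI
%__mkdir -p $RPM_BUILD_ROOT%templatesdir
# Modules and the openssl.cnf template are plain data; only the launcher is executable.
%__install -m644 lib/*.pm $RPM_BUILD_ROOT%libdir/
%__install -m644 lib/GUI/*.pm $RPM_BUILD_ROOT%libdir/GUI/
%__install -m644 templates/openssl.cnf $RPM_BUILD_ROOT%templatesdir/
%__install -m755 tinyca $RPM_BUILD_ROOT%bindir/
# The loop variable is deliberately not called LANG: that name is the locale
# environment variable and would be overridden for every command in the loop.
for lng in $LANGUAGES; do
    %__mkdir -p $RPM_BUILD_ROOT%localedir/$lng/LC_MESSAGES/
    %__install -m644 locale/$lng/LC_MESSAGES/tinyca.mo $RPM_BUILD_ROOT%localedir/$lng/LC_MESSAGES/
done
%__mkdir -p $RPM_BUILD_ROOT%_iconsdir/
%__install -m644 %SOURCE1 $RPM_BUILD_ROOT%_iconsdir/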
%__mkdir -p $RPM_BUILD_ROOT/%_menudir
%__cat << EOF > $RPM_BUILD_ROOT/%_menudir/%name
?package(%name): \
command="%_bindir/%name"\
icon="tinyca.xpm" \
needs="x11" \
section="Networking/Other" \
title="TinyCA" \
longtitle="Утилита для управления Certification Authority"
EOF
%find_lang %name
# NOTE(review): find_lang scans the standard locale tree, while the .mo files
# here are installed under the TinyCA data directory that the wildcard entry
# in the file list below already owns; confirm the generated .lang list is
# neither empty nor a duplicate of files listed twice.
%post
%update_menus
%postun
%clean_menus
%files -f %name.lang
%doc CHANGES INSTALL
# Owns the lib, templates and locale directories installed above.
%_datadir/TinyCA*
%_menudir/%name
%_iconsdir/%name.xpm
%bindir/tinyca
%changelog
* Mon Feb 07 2005 Nikolay A. Fetisov <naf@altlinux.ru> 0.6.7-alt1
- new version 0.6.7
- spec file cleanup
- adding icon to the menu entry
- First build for ALT Linux
* Tue Oct 5 2004 - Nikolay A. Fetisov <naf@naf.net.ru>
- First build for Sisyphus
* Fri Aug 13 2004 - sm@sm-zone.net
- czech translation
* Sun Jun 13 2004 - sm@sm-zone.net
- gui polishing
- code cleanup
- some usability improvements
* Wed Jun 2 2004 - sm@sm-zone.net
- gui polishing
- GUI module split into several files
* Fri Oct 3 2003 - sm@sm-zone.net
- added a lot of configuration options
- correctly import/show details of requests without extensions
(thanks to James.Leavitt@anywaregroup.com)
* Mon Sep 1 2003 - sm@sm-zone.net
- added renewal of certificates
* Wed Aug 13 2003 - sm@sm-zone.net
- rewrite, now using perl-Gtk
* Sat Jul 5 2003 - sm@sm-zone.net
- added german translation
* Tue Jul 1 2003 - sm@sm-zone.net
- convert index.txt if openssl changed from 0.9.6x to 0.9.7x
* Fri Jun 27 2003 - sm@sm-zone.net
- added export into zip-file
thanks to ludwig.nussel@suse.de
* Mon Jun 23 2003 - sm@sm-zone.net
- some tiny usability improvements
thanks to ludwig.nussel@suse.de again
* Thu Jun 19 2003 - sm@sm-zone.net
- some usability improvements
thanks to ludwig.nussel@suse.de
- some more configuration options
* Fri Oct 4 2002 - sm@sm-zone.net
- Fixed bug exporting keys in PEM format
- Fixed possible empty lines in cert/key/reqlist
thanks to waldemar.mertke@gmx.de
* Fri Sep 27 2002 - sm@sm-zone.net
- fixed some minor bugs and typos (e.g. concerning openssl 0.9.7)
thanks to iebgener@yahoo.com and waldemar.mertke@gmx.de
* Wed Aug 21 2002 - sm@sm-zone.net
- fixed revocation
- added some colors
- thanks to curly@e-card.bg
* Sun Aug 18 2002 - sm@sm-zone.net
- new version 0.4.0
- works independent of OpenCA modules now
- some enhancements to functionality (e.g. export of key without
passwd)
- some smaller bugfixes in usability
- new specfile (thanks to oron@actcom.co.il)
* Thu Jun 6 2002 - Oron Peled <oron@actcom.co.il>
- Cleaned .spec file
* Mon Jun 3 2002 - sm@sm-zone.net
- fixed wrong templatedir when creating new CA
* Sun Jun 2 2002 - sm@sm-zone.net
- fixed some minor bugs and typos
* Sat May 11 2002 - sm@sm-zone.net
- Added parser for x509 extensions
* Fri May 03 2002 - sm@sm-zone.net
- added possibility to view requests/certificates
* Thu Apr 18 2002 - sm@sm-zone.net
- added configuration
* Sun Apr 7 2002 - sm@sm-zone.net
- improved usability
* Sun Mar 31 2002 - sm@sm-zone.net
- added function to delete ca
* Sat Mar 30 2002 - sm@sm-zone.net
- allow import of pkcs#10 requests
* Thu Mar 21 2002 - sm@sm-zone.et
- use different listboxes
* Mon Mar 18 2002 - sm@sm-zone.net
- initial package