From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Message-ID: <4263628F.8030304@inbox.ru> Date: Mon, 18 Apr 2005 12:32:31 +0500 
From: Boldin Pavel User-Agent: Mozilla Thunderbird 1.0 (X11/20050302) X-Accept-Language: ru-ru, ru MIME-Version: 1.0 To: openldap@lists.osdn.org.ua, ALT Linux Sisyphus discussion list Subject: Re: [sisyphus] Re: SSH +ldap References: <1802698194.20050416154823@mail.ru> <20050417151353.GN6352@osdn.org.ua> <162974050.20050417200546@mail.ru> <4262B323.9010801@inbox.ru> <157469756.20050417233934@mail.ru> <20050418062929.GE11819@osdn.org.ua> In-Reply-To: <20050418062929.GE11819@osdn.org.ua> Content-Type: multipart/mixed; boundary="------------090101050806060002080908" Cc: X-BeenThere: sisyphus@altlinux.ru X-Mailman-Version: 2.1.5 Precedence: list Reply-To: ALT Linux Sisyphus discussion list List-Id: ALT Linux Sisyphus discussion list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 18 Apr 2005 07:29:57 -0000 Archived-At: List-Archive: This is a multi-part message in MIME format. --------------090101050806060002080908 Content-Type: text/plain; charset=KOI8-R; format=flowed Content-Transfer-Encoding: 8bit Michael Shigorin пишет: > On Sun, Apr 17, 2005 at 11:39:34PM +0400, Gor_lov aka Stalker wrote: > >>>зря вы боитесь, ldap over tls работает почти везде... >> >>Кстати -а чем генерить сертефикат? > > > openssl -- кажется, в документации Master 2.4 (см. docs/ в его > корне на ftp) приводился пример, да и на opennet.ru их было. > tinyca,,, я для него патч написал, чтобы можно было ключи без паролей создавать (pam_ldap пароленые ключи не принимает), я вам его скидываю... еще там есть скрипт ./CA.pl | ./CA.sh он тоже умеет -- Болдин Павел aka davinchi ldavinchi@inbox.ru or davinchi@zu.org.ru ZU - Zagovor Unixoidov. SSAU 303. 
--------------090101050806060002080908 Content-Type: text/x-patch; name="tinyca-0.6.7-zu-pam_ldap.patch" Content-Transfer-Encoding: 7bit Content-Disposition: inline; filename="tinyca-0.6.7-zu-pam_ldap.patch" diff -NurpP tinyca-0.6.7.orig/lib/GUI.pm tinyca-0.6.7/lib/GUI.pm --- tinyca-0.6.7.orig/lib/GUI.pm 2004-12-07 12:14:18 +0400 +++ tinyca-0.6.7/lib/GUI.pm 2005-04-03 21:21:19 +0500 @@ -1241,7 +1241,7 @@ sub show_req_dialog { my ($self, $opts) = @_; my ($box, $button_ok, $button_cancel, $reqtable, $radiobox, $key1, $key2, - $key3, $key4, $key5, $entry, $label); + $key3, $key4, $key5, $key6, $entry, $label); $button_ok = Gnome::Stock->button('Button_Ok'); $button_ok->signal_connect('clicked', @@ -1360,6 +1360,13 @@ sub show_req_dialog { \$opts->{'digest'}, 'md4'); $radiobox->add($key5); + $key6 = Gtk::RadioButton->new('No Des', $key1); + $key6->set_active(1) + if(defined($opts->{'digest'}) && $opts->{'digest'} eq 'nodes'); + $key6->signal_connect('toggled', \&GUI::CALLBACK::toggle_to_var, + \$opts->{'digest'}, 'nodes'); + $radiobox->add($key6); + $reqtable->attach_defaults($radiobox, 1, 2, 15, 16); $label = GUI::HELPERS::create_label(gettext("Algorithm").":", 'left', 0, 0); diff -NurpP tinyca-0.6.7.orig/lib/OpenSSL.pm tinyca-0.6.7/lib/OpenSSL.pm --- tinyca-0.6.7.orig/lib/OpenSSL.pm 2004-12-07 12:14:18 +0400 +++ tinyca-0.6.7/lib/OpenSSL.pm 2005-04-03 23:56:06 +0500 @@ -81,12 +81,15 @@ sub newkey { return($ret, $ext) if($ret); $cmd = "$self->{'bin'} gendsa"; + $cmd .= " -des3"; $cmd .= " -passout env:SSLPASS"; + $cmd .= " -out \"$opts->{'outfile'}\""; $cmd .= " $param"; } else { $cmd = "$self->{'bin'} genrsa"; + $cmd .= " -des3"; $cmd .= " -passout env:SSLPASS"; @@ -96,6 +99,7 @@ sub newkey { } $ENV{'SSLPASS'} = $opts->{'pass'}; + my($rdfh, $wtfh); $ext = "$cmd\n\n"; $pid = open3($wtfh, $rdfh, $rdfh, $cmd); @@ -120,6 +124,7 @@ sub newkey { delete($ENV{'SSLPASS'}); + return($ret, $ext); } 
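Review bot: Storing the 'No Des' choice in `$opts->{'digest'}` makes an unencrypted key mutually exclusive with a signing digest, so a user who selects the new `$key6` radio button can no longer pick md5/sha1 for the request, and every consumer of `digest` (newreq in OpenSSL.pm, the checks in REQ.pm) has to special-case the string `'nodes'`. A separate boolean carried in its own option, e.g. a `Gtk::CheckButton` bound to `\$opts->{'nodes'}` through the same `toggle_to_var` callback if it accepts a scalar target, would keep the digest radio group meaningful. The label should also say what is being chosen, e.g. `'No passphrase (key stored unencrypted)'`, wrapped in gettext() as the "Algorithm" label a few lines below is. show_req_dialog starts and ends outside this hunk.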
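Review bot: The added `-out \"$opts->{'outfile'}\"` is interpolated into a single command string that open3() hands to a shell when it contains metacharacters, and the double quotes do not neutralise `"`, `$` or backticks inside the path, so a request name containing one of those still breaks or alters the command; the list form `open3($wtfh, $rdfh, $rdfh, $self->{'bin'}, 'gendsa', '-des3', '-passout', 'env:SSLPASS', '-out', $opts->{'outfile'}, ...)` avoids the shell entirely and `$cmd` can be kept only for the `$ext` log. It is also worth checking whether the gendsa branch already appended `-out` further down (outside this hunk), in which case the new line duplicates it. `-des3` protects the key file with 3DES; where the installed openssl supports it, `-aes256` is the stronger choice for both genrsa and gendsa. newkey begins before and ends after this hunk.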
@@ -290,19 +295,33 @@ sub newreq { my $self = shift; my $opts = { @_ }; - my ($ext, $ret, $cmd, $pid); + my ($ext, $ret, $cmd, $pid, $t, $bar, $box, $i, $c); $cmd = "$self->{'bin'} req -new"; $cmd .= " -keyform PEM"; $cmd .= " -outform PEM"; - $cmd .= " -passin env:SSLPASS"; + + $cmd .= " -passin env:SSLPASS" + if ( $opts->{'digest'} ne "nodes"); $cmd .= " -config $opts->{'config'}"; $cmd .= " -out $opts->{'outfile'}"; - $cmd .= " -key $opts->{'keyfile'}"; + + if ( $opts->{'digest'} ne "nodes") + { + $cmd .= " -key $opts->{'keyfile'}"; + } + else + { + $cmd .= " -keyout $opts->{'keyfile'}"; + } + + $cmd .= " -"."$opts->{'digest'}"; - $ENV{'SSLPASS'} = $opts->{'pass'}; + $ENV{'SSLPASS'} = $opts->{'pass'} + if ( $opts->{'digest'} ne "nodes"); + # print "DEBUG call: $cmd\n"; my($rdfh, $wtfh); @@ -318,13 +337,23 @@ sub newreq { } } - while(<$rdfh>) { - $ext .= $_; + $t = gettext("Creating key and req in progress..."); + ($box, $bar) = GUI::HELPERS::create_activity_bar($t); + $i = 0; + while(defined($c = getc($rdfh))) { + $ext .= $c; + $bar->update(($i++%100)/100); + while(Gtk->events_pending) { + Gtk->main_iteration; + } } + $box->destroy(); + waitpid($pid, 0); $ret = $? >> 8; - delete($ENV{'SSLPASS'}); + delete($ENV{'SSLPASS'}) + if ( $opts->{'digest'} ne "nodes"); return($ret, $ext); } diff -NurpP tinyca-0.6.7.orig/lib/REQ.pm tinyca-0.6.7/lib/REQ.pm --- tinyca-0.6.7.orig/lib/REQ.pm 2004-12-07 12:14:18 +0400 +++ tinyca-0.6.7/lib/REQ.pm 2005-04-03 23:49:03 +0500 @@ -46,6 +46,7 @@ sub get_req_create { $ca = $main->{'CA'}->{'actca'}; + if(!(defined($opts)) || !(ref($opts))) { if(defined($opts) && $opts eq "signserver") { $opts = {}; 
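Review bot: In the new `-keyout` branch the key is generated by `openssl req` itself with no `-newkey` argument, so the algorithm and bit size chosen in the request dialog (`$opts->{'algo'}`, `$opts->{'bits'}`, which newkey honours) are silently ignored and the key size falls back to the openssl config default; and because `-nodes` only reaches the command through the added `$cmd .= " -"."$opts->{'digest'}"` line, the request cannot carry a signing digest at the same time. For the RSA case the branch should read `$cmd .= " -newkey rsa:$opts->{'bits'}"; $cmd .= " -nodes"; $cmd .= " -keyout $opts->{'keyfile'}";` with the digest line reserved for real digests; DSA would additionally need the parameter file that newkey uses. The `-keyout` path is also left unquoted while the `-out` added to newkey in the same patch is quoted, and since the key written here is stored in clear, the permissions of the keys directory are all that protects it — not visible in this patch, worth confirming. newreq's opening lines are in the hunk but the function continues past it.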
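Review bot: `delete($ENV{'SSLPASS'})` is now skipped when digest eq 'nodes', but the variable is only ever set under the same condition, so the guard buys nothing and ties the cleanup to a flag that several branches above must keep in sync; an unconditional `delete($ENV{'SSLPASS'});` is simpler and guarantees no passphrase lingers in the environment of later child processes if the conditions ever diverge. The getc() loop that replaces `while(<$rdfh>)` also pumps the Gtk main loop once per byte of openssl output; keeping the line read and calling `Gtk->main_iteration` per line, or reading with `sysread` into a buffer, gives the same progress feedback with far fewer iterations. This second hunk of newreq contains the function's end, but its start lies before the first hunk.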
@@ -94,8 +95,12 @@ sub get_req_create { if((not defined($opts->{'CN'})) || ($opts->{'CN'} eq "") || - (not defined($opts->{'passwd'})) || - ($opts->{'passwd'} eq "")) { + ( + ((not defined($opts->{'passwd'})) || + ($opts->{'passwd'} eq "")) && + $opts->{'digest'} ne "nodes" + ) + ) { $main->show_req_dialog($opts); GUI::HELPERS::print_warning( gettext("Please specify at least Common Name ") @@ -103,8 +108,14 @@ sub get_req_create { return; } - if((not defined($opts->{'passwd2'})) || - $opts->{'passwd'} ne $opts->{'passwd2'}) { + if( + ( + (not defined($opts->{'passwd2'})) || + $opts->{'passwd'} ne $opts->{'passwd2'} + ) + && ($opts->{'digest'} ne "nodes") + ) + { $main->show_req_dialog($opts); GUI::HELPERS::print_warning(gettext("Passwords don't match")); return; 
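Review bot: Both new conditions compare `$opts->{'digest'} ne "nodes"` without checking that `digest` is defined, so if this module runs under warnings a dialog in which no digest radio button was ever toggled emits an uninitialized-value warning at each check (`ne` then treats undef as the empty string, i.e. as "not nodes", which is at least the safe direction). Computing the flag once, `my $nodes = defined($opts->{'digest'}) && $opts->{'digest'} eq "nodes";`, and writing the two conditions as `... && !$nodes` would also flatten the four levels of parentheses added here. get_req_create starts before the first hunk and continues after the second.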
@@ -153,18 +164,21 @@ sub create_req { $reqfile = $cadir."/req/".$opts->{'reqname'}.".pem"; $keyfile = $cadir."/keys/".$opts->{'reqname'}.".pem"; - ($ret, $ext) = $self->{'OpenSSL'}->newkey( - 'algo' => $opts->{'algo'}, - 'bits' => $opts->{'bits'}, - 'outfile' => $keyfile, - 'pass' => $opts->{'passwd'} - ); - - if (not -s $keyfile || $ret) { - unlink($keyfile); - GUI::HELPERS::set_cursor($main, 0); - GUI::HELPERS::print_warning(gettext("Generating key failed"), $ext); - return; + if ( defined($opts->{'passwd'}) && "$opts->{'passwd'}" ne "" ) + { + ($ret, $ext) = $self->{'OpenSSL'}->newkey( + 'algo' => $opts->{'algo'}, + 'bits' => $opts->{'bits'}, + 'outfile' => $keyfile, + 'pass' => $opts->{'passwd'} + ); + + if (not -s $keyfile || $ret) { + unlink($keyfile); + GUI::HELPERS::set_cursor($main, 0); + GUI::HELPERS::print_warning(gettext("Generating key failed"), $ext); + return; + } } ($ret, $ext) = $self->{'OpenSSL'}->newreq( --------------090101050806060002080908 Content-Type: text/plain; name="tinyca.spec" Content-Transfer-Encoding: 8bit Content-Disposition: inline; filename="tinyca.spec" # spec file for package tinyca # # $Id: tinyca.spec,v 1.16 2004/08/09 19:40:51 sm Exp $ # # Copyright (c) 2002 Stephan Martin # This file and all modifications and additions to the pristine # package are under the same license as the package itself. # # Adopted for Sisyphus by Nikolay A. Fetisov Name: tinyca Version: 0.6.7 Release: alt1 Summary: Graphical Tool for Managing a Certification Authority Summary(ru_RU.KOI8-R): Графическая утилита для управления Certification Authority License: GPL Group: Security/Networking URL: http://tinyca.sm-zone.net/ Packager: Nikolay A. 
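Review bot: create_req now decides whether to call newkey by whether a password was entered, while newreq in OpenSSL.pm (same patch) decides by `$opts->{'digest'} eq "nodes"`, and the two can disagree: with 'No Des' selected and a password still filled in, the checks in get_req_create let the request through as far as visible here, newkey writes a passphrase-protected key to `$keyfile`, and newreq's `-keyout $opts->{'keyfile'}` presumably overwrites it with an unencrypted key generated by req, leaving the user with a clear-text key they believed was protected. Keying this branch on the same flag, `if ( !defined($opts->{'digest'}) || $opts->{'digest'} ne "nodes" )`, or better on one dedicated option checked in every place, keeps key generation and request generation consistent; clearing the password fields when 'No Des' is chosen would close the gap from the GUI side as well. create_req starts before this hunk and its newreq call continues past the hunk's end.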
Fetisov BuildArch: noarch %define real_name %name Source0: %real_name-%version.tar.bz2 Source1: %name.xpm Patch001: %name-%version-zu-pam_ldap.patch AutoReqProv: perl, yes BuildPreReq: perl-devel, perl-GTK-Gnome, perl-gettext Requires: openssl %description TinyCA is a graphical tool written in Perl/Gtk to manage a small Certification Authority (CA) using openssl. TinyCA supports - creation and revocation of x509 - S/MIME certificates. - PKCS#10 requests. - exporting certificates as PEM, DER, TXT, and PKCS#12. - server certificates for use in web servers, email servers, IPsec, and more. - client certificates for use in web browsers, email clients, IPsec, and more. - creation and management of SubCAs Authors: -------- Stephan Martin %description -l ru_RU.KOI8-R TinyCA - графическая утилита, написанная на Perl/GTK, для управления Certification Authority (CA) небольших размеров используя openssl. TinyCA поддерживает: - создание и отзыв сертификатов x509 и S/MIME - запросы PKCS#10 - экспорт сертификатов в форматах PEM, DER, TXT и PKCS#12 - управление серверными сертификатами для использования с серверами web, email, с IPsec, и т.д. - управление клиентскими сертификатами для использования в браузерах, почтовых клиентах, для IPsec и пр. 
- создание и управление SubCA Авторы: -------- Stephan Martin %define bindir %_bindir %define libdir %_datadir/TinyCA/lib %define templatesdir %_datadir/TinyCA/templates %define localedir %_datadir/TinyCA/locale/ # Defining _perl_lib_path for correct work of AutoReqProv %define _perl_lib_path %libdir %prep %setup %patch001 -p1 %build # Configure pristine source perl -pi -e 's:./lib:%libdir:g' tinyca perl -pi -e 's:./templates:%templatesdir:g' tinyca perl -pi -e 's:./locale:%localedir:g' tinyca make -C po %install LANGUAGES="de es cs" %__mkdir -p $RPM_BUILD_ROOT%bindir %__mkdir -p $RPM_BUILD_ROOT%libdir %__mkdir -p $RPM_BUILD_ROOT%libdir/GUI %__mkdir -p $RPM_BUILD_ROOT%templatesdir %__install -m644 lib/*.pm $RPM_BUILD_ROOT%libdir/ %__install -m644 lib/GUI/*.pm $RPM_BUILD_ROOT%libdir/GUI/ %__install -m644 templates/openssl.cnf $RPM_BUILD_ROOT%templatesdir/ %__install -m755 tinyca $RPM_BUILD_ROOT%bindir/ for LANG in $LANGUAGES; do %__mkdir -p $RPM_BUILD_ROOT%localedir/$LANG/LC_MESSAGES/ %__install -m644 locale/$LANG/LC_MESSAGES/tinyca.mo %buildroot%localedir/$LANG/LC_MESSAGES/ done %__mkdir -p $RPM_BUILD_ROOT%_iconsdir/ %__install -m644 %SOURCE1 $RPM_BUILD_ROOT%_iconsdir/ %__mkdir -p $RPM_BUILD_ROOT/%_menudir %__cat << EOF > $RPM_BUILD_ROOT/%_menudir/%name ?package(%name): \ command="%_bindir/%name"\ icon="tinyca.xpm" \ needs="x11" \ section="Networking/Other" \ title="TinyCA" \ longtitle="пёя.п╦п╩п╦я.п╟ п╢п╩я. я.п©я.п╟п╡п╩п╣п╫п╦я. Certification Authority" EOF %find_lang %name %post %update_menus %postun %clean_menus %files -f %name.lang %doc CHANGES INSTALL %_datadir/TinyCA* %_menudir/%name %_iconsdir/%name.xpm %bindir/tinyca %changelog * Mon Feb 07 2005 Nikolay A. Fetisov 0.6.7-alt1 - new version 0.6.7 - spec file cleanup - adding icon to the menu entry - First build for ALT Linux * Tue Oct 5 2004 - Nikolay A. 
Fetisov - First build for Sisyphus * Fri Aug 13 2004 - sm@sm-zone.net - czech translation * Sun Jun 13 2004 - sm@sm-zone.net - gui polishing - code cleanup - some usability improvements * Wed Jun 2 2004 - sm@sm-zone.net - gui polishing - GUI module splitted to several files * Fri Oct 3 2003 - sm@sm-zone.net - added a lot of configuration options - correctly import/show details of requests without extensions (thanks to James.Leavitt@anywaregroup.com) * Mon Sep 1 2003 - sm@sm-zone.net - added renewal of certificates * Wed Aug 13 2003 - sm@sm-zone.net - rewite, now using perl-Gtk * Sat Jul 5 2003 - sm@sm-zone.net - added german translation * Tue Jul 1 2003 - sm@sm-zone.net - convert index.txt if openssl changed from 0.9.6x to 0.9.7x * Fri Jun 27 2003 - sm@sm-zone.net - added export into zip-file thanks to ludwig.nussel@suse.de * Mon Jun 23 2003 - sm@sm-zone.net - some tiny usability improvements thanks to ludwig.nussel@suse.de again * Thu Jun 19 2003 - sm@sm-zone.net - some usability improvements thanks to ludwig.nussel@suse.de - some more configuration options * Fri Oct 4 2002 - sm@sm-zone.net - Fixed bug exporting keys in PEM format - Fixed possible empty lines in cert/key/reqlist thanks to waldemar.mertke@gmx.de * Fri Sep 27 2002 - sm@sm-zone.net - fixed some minor bugs and typos (e.g. concerning openssl 0.9.7) thanks to iebgener@yahoo.com and waldemar.mertke@gmx.de * Wed Aug 21 2002 - sm@sm-zone.net - fixed revocation - added some colors - thanks to curly@e-card.bg * Sun Aug 18 2002 - sm@sm-zone.net - new version 0.4.0 - works independent of OpenCA modules now - some enhancements to functionality (e.g. 
export of key without passwd) - some smaller bugfixes in usability - new specfile (thanks to oron@actcom.co.il) * Thu Jun 6 2002 - Oron Peled - Cleaned .spec file * Mon Jun 3 2002 - sm@sm-zone.net - fixed wrong templatedir when creating new CA * Sun Jun 2 2002 - sm@sm-zone.net - fixed some minor bugs and typos * Sat May 11 2002 - sm@sm-zone.net - Added parser for x509 extensions * Fri May 03 2002 - sm@sm-zone.net - added possibility to view requests/certificates * Thu Apr 18 2002 - sm@sm-zone.net - added configuration * Sun Apr 7 2002 - sm@sm-zone.net - improved usability * Sun Mar 31 2002 - sm@sm-zone.net - added function to delete ca * Sat Mar 30 2002 - sm@sm-zone.net - allow import of pkcs#10 requests * Thu Mar 21 2002 - sm@sm-zone.et - use different listboxes * Mon Mar 18 2002 - sm@sm-zone.net - initial package --------------090101050806060002080908--