I'm trying to set up sftp on this box (as per this guide) and have run into an issue with ssl certificate verification:
Code:
Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:
root@grieserver:/etc/ftpcert# ./sign.sh server.csr
CA signing: server.csr -> server.crt:
Using configuration from ca.config
Enter pass phrase for ./ca.key:
Check that the request matches the signature
Signature ok
The Subject's Distinguished Name is as follows
countryName :PRINTABLE:'US'
stateOrProvinceName :PRINTABLE:'Utah'
localityName :PRINTABLE:'...'
organizationName :PRINTABLE:'...'
commonName :PRINTABLE:'...'
emailAddress :IA5STRING:'...'
Certificate is to be certified until Jan 31 22:22:01 2009 GMT (365 days)
Sign the certificate? [y/n]:y
1 out of 1 certificate requests certified, commit? [y/n]y
Write out database with 1 new entries
Data Base Updated
CA verifying: server.crt <-> CA cert
server.crt: /C=US/ST=Utah/...
error 18 at 0 depth lookup:self signed certificate
/C=US/ST=Utah/....
error 7 at 0 depth lookup:certificate signature failure
7187:error:0407006A:rsa routines:RSA_padding_check_PKCS1_type_1:block type is not 01:rsa_pk1.c:100:
7187:error:04067072:rsa routines:RSA_EAY_PUBLIC_DECRYPT:padding check failed:rsa_eay.c:699:
7187:error:0D0C5006:asn1 encoding routines:ASN1_item_verify:EVP lib:a_verify.c:168:
As usual I'm sure I'm doing something blatantly wrong... help is always well appreciated.
this is a bad line...it is the problem. you should switch to the directory
cd /etc/ftpcert (notice here you should not have the # in there)
and then set it to sign the certificate
./sign.sh server.csr
by the way sftpd (or maybe vftpd...i have not used this in a while) is a better program than proftpd...
search this in the forum and look it up...
consider why you need a secure connection to a ftp server...as long as the password and log in are passed secure, after that, it is usually transferring large files over the internet and if that is encrypted, you are giving many, many unique chances to crack the encryption...defeating the purpose of the encryption itself...
baldur [ LINK REMOVED BY MODERATOR ]
Last edited by win32sux; 02-08-2008 at 01:46 PM.
Reason: Removed SPAM.
Quote:
after that, it is usually transferring large files over the internet and if that is encrypted, you are giving many, many unique chances to crack the encryption...defeating the purpose of the encryption itself...
Could you clarify this please? Are you saying that using SSL for large file transfers is bad because it gives people more of a chance to crack the encryption? Could you provide some links to more info about why transferring files via SSL over FTP is a concern?