
login requires server key to be world readable


Plugh

Feb 16, 2005, 7:36:19 PM
Hi,

I've got my nss_ldap / pam_ldap to work through TLS!!

I now have a problem with TLS key usage during login, in this case via ssh.
Despite the error, the login does ultimately succeed.

Output is shown by the logs below. The first is from slapd and the second is
what is shown in the ssh login window. I have debugging enabled in the
ldap.conf file.

Note the line TLS: could not use key file `/etc/ssl/private/serverkey.pem'.

The problem occurs because this key, defined in ldap.conf under
"tls_key", is root readable only.

The problem goes away if I make this key world readable. However, this is
the server's private key and I don't think that it should be world readable.
I think I'm doing something wrong. Hopefully someone can tell me what it is?

Thanks in anticipation,

John

//===============slapd debug output==================/

connection_get(19): got connid=9
connection_read(19): checking for input on id=9
TLS trace: SSL_accept:before/accept initialization
TLS: can't accept.
connection_read(19): TLS accept error error=-1 id=9, closing
connection_closing: readying conn=9 sd=19 for close
connection_close: conn=9 sd=19

The lines shown below (between the second 'ldap_create' and 'ldap_unbind') in
the ldap log are repeated 7 times before the command prompt is displayed.

//===============ldap debug output ??nss_ldap or pam_ldap??==============/

login as: testuser
Authenticating with public key "General Purpose RSA Key" from agent
Last login: Wed Feb 16 23:53:09 2005 from jl-dual.lan
ldap_create
ldap_create
ldap_simple_bind
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection
ldap_int_open_connection
ldap_connect_to_host: TCP blfs.jelweb.com:636
ldap_new_socket: 4
ldap_prepare_socket: 4
ldap_connect_to_host: Trying 10.0.0.100:636
ldap_connect_timeout: fd: 4 tm: 30 async: 0
ldap_ndelay_on: 4
ldap_is_sock_ready: 4
ldap_ndelay_off: 4
TLS: could not use key file `/etc/ssl/private/serverkey.pem'.
TLS: error:0906D06C:PEM routines:PEM_read_bio:no start line pem_lib.c:637
TLS: error:0200100D:system library:fopen:Permission denied bss_file.c:276
TLS: error:20074002:BIO routines:FILE_CTRL:system lib bss_file.c:278
TLS: error:140B0002:SSL routines:SSL_CTX_use_PrivateKey_file:system lib ssl_rsa.c:693
ldap_unbind

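An added check for the configuration described in the post above (example code, not from the original poster or from nss_ldap): it parses the client ldap.conf, reports a tls_key that points at the slapd server's own private key (in the nss_ldap / pam_ldap ldap.conf, tls_cert and tls_key name a client certificate and its key, so the server key does not belong there), and otherwise classifies how the key file's mode looks to the unprivileged user whose login triggers the lookups. The "keyword value" syntax, the lookup uid of 1000 and all sample paths are assumptions.

```python
# Audit the tls_key line of an nss_ldap / pam_ldap ldap.conf.
# Added example, not code from the original post. Assumes "keyword value"
# lines with '#' comments, and that lookups during login run as the user.
import os
import stat

WORLD_READABLE = "world-readable"     # every local user can read the private key
UNREADABLE = "unreadable"             # lookup process gets fopen: Permission denied
OWNER_READABLE = "readable-by-owner"  # key belongs to the uid doing the lookups
GROUP_ONLY = "group-only"             # readable only through the file's group

def parse_ldap_conf(text):
    """Map lowercased keywords to values; a repeated keyword keeps its last value."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf

def classify_key_access(mode, owner_uid, lookup_uid):
    """How a key file with permission bits `mode` owned by owner_uid looks to lookup_uid."""
    bits = stat.S_IMODE(mode)
    if bits & stat.S_IROTH:
        return WORLD_READABLE
    if owner_uid == lookup_uid and bits & stat.S_IRUSR:
        return OWNER_READABLE
    if bits & stat.S_IRGRP:
        return GROUP_ONLY
    return UNREADABLE

def audit_tls_key(conf_text, lookup_uid=1000, server_key=None, stat_func=os.stat):
    """Return (verdict, message); server_key is slapd's own key path, which a
    client tls_key (a client certificate key) must not point at."""
    conf = parse_ldap_conf(conf_text)
    key_path = conf.get("tls_key")
    if key_path is None:
        return ("none", "no tls_key: the client presents no certificate")
    if server_key and os.path.realpath(key_path) == os.path.realpath(server_key):
        return ("misconfigured", f"tls_key {key_path} is the slapd server key; use a client key or drop tls_key")
    try:
        st = stat_func(key_path)
    except OSError as exc:
        return ("missing", f"tls_key {key_path}: {exc.strerror}")
    verdict = classify_key_access(st.st_mode, st.st_uid, lookup_uid)
    return (verdict, f"tls_key {key_path}: mode {stat.S_IMODE(st.st_mode):04o}, uid {st.st_uid} -> {verdict}")
```

A root-owned 0600 key classifies as "unreadable" for the login user, which is the fopen: Permission denied seen in the log, while the world-readable workaround classifies as "world-readable"; neither is the right state for a server private key referenced from a client config.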