CryWrap notes for Debian
========================
In order to run CryWrap, you either need a certificate, or must tell
CryWrap to run in anonymous mode. The installation process does not
and will not attempt to create a certificate, nor does CryWrap default
to anon mode. You'll have to finish the installation manually.

sslwrap emulation
-----------------
There is a script in /usr/share/crywrap, `sslwrap' which tries to
mimic the syntax of sslwrap - it transforms most of the sslwrap
options to crywrap options. Feel free to use it as a drop-in
replacement!

Running in anonymous mode
-------------------------
Anonymous mode does not require a certificate of any kind, but it does
not offer host verification either: clients cannot check that they are
really talking to your server. It is sufficient if you are going to
use CryWrap on a local LAN, or on a box only trusted people use, where
that doesn't really matter.

If you'd like to allow random, unknown users to connect to your
services, you're better off with a certificate.

If you really want anonymous mode, set the CRYWRAP_OPTIONS variable
in /etc/default/crywrap to `--anon'.

Generating a certificate
------------------------
Unfortunately, you need openssl for this, so install that package
first.

Then, run the following command, filling out the details:

    openssl req -new -x509 -nodes -out /etc/crywrap/server.pem \
        -keyout /etc/crywrap/server.pem -days 365

Remember that "Common Name" is not your name, as the question would
indicate, but the hostname of the server your clients will be
connecting to.

Also, don't forget to make the certificate unreadable to mere
mortals: the command above writes the private key into the same file,
and -nodes leaves that key unencrypted. Changing its owner to
crywrap:crywrap, and doing a chmod 600 on it should suffice.
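
A check for the result of the steps above, as an added example that is
not part of the original notes or of CryWrap: the hypothetical helper
audit_pem verifies that the file holds both PEM blocks, has a
restrictive mode and the expected owner. It assumes GNU stat, as
shipped on Debian.

```shell
#!/bin/sh
# Added example: audit a combined key+certificate PEM file such as
# /etc/crywrap/server.pem. audit_pem is a hypothetical helper name.

# audit_pem FILE [OWNER:GROUP]
# Prints one line per problem found; returns 0 only when none are found.
audit_pem() {
    pem=$1
    want_owner=${2:-crywrap:crywrap}
    problems=0

    if [ ! -f "$pem" ]; then
        echo "$pem: not a regular file"
        return 1
    fi

    # The openssl command writes key and certificate to the same file,
    # so both PEM blocks have to be present.
    if ! grep -q -e '-----BEGIN .*PRIVATE KEY-----' "$pem"; then
        echo "$pem: no private key block"
        problems=$((problems + 1))
    fi
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$pem"; then
        echo "$pem: no certificate block"
        problems=$((problems + 1))
    fi

    # -nodes leaves the key unencrypted, so the file mode is the only
    # thing protecting it. Accept 600, or the stricter 400.
    mode=$(stat -c '%a' "$pem")
    case $mode in
        600|400) ;;
        *) echo "$pem: mode $mode, expected 600"
           problems=$((problems + 1)) ;;
    esac

    owner=$(stat -c '%U:%G' "$pem")
    if [ "$owner" != "$want_owner" ]; then
        echo "$pem: owner $owner, expected $want_owner"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ]
}
```

Run `audit_pem /etc/crywrap/server.pem` as root after the chown and
chmod; no output and exit status 0 mean the file passed every check.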