[freeside-users] Encryption

Steven Ball hamster at snurkle.net
Fri Mar 16 15:52:18 PDT 2007


Alright, thank you.  I've spent so long around computers that I
start to automatically classify things as, 'oh, come now, this
doesn't require a restart for this' and gloss right over such
things.  Whups.

I think I am starting to get this thing going here, I'm very
excited.  Now just to get the invoice templates set up, and maybe even
get the Radius stuff going... :)

-Steve

On Mar 16, 2007, at 4:44 PM, Peter Bowen wrote:

> Steve,
>
> Wiki says....
>
> "5. Save and restart the web server - just in case."
>
> :)  I just removed the "just in case."
>
> The public and private keys are stored in the same place as other
> configuration directives.  You don't have to have them both on all
> machines.  Just the public key is required.  However, you won't be
> able to bill now or run a billing on a public only box.
>
> We have a cluster.  Half of the cluster doesn't have access to the
> private key.  Most employees do not have access to the boxes with the
> private key.  The private key boxes have additional network protection
> as well.
>
> Be as paranoid as you want, but remember that boxes w/o the key can't
> bill customers.
>
> If a hacker gets in, it's no longer just a select and go.  With
> encryption turned on, he has to load up the modules, write a script to
> use the freeside libs, and then get the info off the system.  Nothing
> is hacker proof, but it's easier to go after much softer targets.
>
> Employees are an entirely different problem...
>
> -Peter
>
>
>
> On 3/16/07 4:15 PM, "Steven Ball" <hamster at snurkle.net> wrote:
>
>>
>> No worries, I'm glad I can 'help' with the wiki ;)
>>
>> I double checked for lack of spaces and the like, and reduced the key
>> length to 1024.
>>
>> It seemed to work right after I submitted the config changes, but
>> then the next time I edited or added a customer, I got the error
>> again.
>>
>> Just as a sanity check, I restarted the web server.  And what do you
>> know, it seems to be working fine now.  Chalk this one up to an idiot
>> user error :)
>>
>> I just bumped it back to a 2048 bit key, -restarted the web server-,
>> and all seems happy.
>>
>> A question though, how is the public/private key stored?  Do you have
>> any suggestions for protecting the private key from 'theft'?
>>
>> Thanks again!
>>
>> -Steve
>>
>> On Mar 16, 2007, at 3:15 PM, Peter Bowen wrote:
>>
>>> Steve,
>>>
>>> I guess it's time for me to fess up... I wrote that code, but it has
>>> been two years since I did it.  We run encrypted, so I know it
>>> works. :)  But to be fair, I may be the only one who is.
>>>
>>> I fixed the Wiki - I must have written it at a point when I was VERY
>>> tired.  Shame on everyone else for missing it. Shame on me for
>>> writing it...
>>>
>>> It's really been two years since I've set this up... Try two things
>>> for me...
>>>
>>> 1. Create another key.  When you paste it, be sure that there are no
>>> extra newlines or spaces at the beginning or end.  It should be more
>>> robust than that, but I'm not sure that it is...
>>>
>>> 2. Try creating a shorter key. $length = 1024.
>>>
>>> Let me know how it goes.
>>>
>>> -Peter
>>>
>>>
>>> On 3/16/07 2:44 PM, "Steven Ball" <hamster at snurkle.net> wrote:
>>>
>>>>
>>>> Hello again,
>>>>
>>>> Working on getting this system all working,  but I have run into
>>>> another snag.
>>>>
>>>> I am trying to get encryption of CC info working.  I tend to be
>>>> paranoid about having this kind of data around, so I would sleep
>>>> easier knowing it is at least somewhat protected :)
>>>>
>>>> I followed the instructions in the Wiki in regards to setting up
>>>> encryption using Crypt::OpenSSL::RSA
>>>>
>>>> The first thing I note is that the code given to produce a public/
>>>> private key seems to be the wrong way around:
>>>>
>>>> print "Public:\n". $rsa->get_private_key_string();
>>>> print "Private:\n". $rsa->get_public_key_string();
>>>>
>>>> (ie, it prints 'Public' but then gives the private key, and vice
>>>> versa, is this correct?)
>>>>
>>>> The error I get is:
>>>>
>>>> unrecognized key format at /usr/local/share/perl/5.8.8/FS/Record.pm
>>>> line 2028
>>>>
>>>> I tried swapping the public/private keys around, just for giggles,
>>>> but that leads to:
>>>>
>>>> Can't locate object method "new_public_key" via package
>>>> "Crypt::OpenSSL::RSA" at /usr/local/share/perl/5.8.8/FS/Record.pm
>>>> line 2028.
>>>>
>>>> I have the module installed, via CPAN:
>>>>
>>>> "Crypt::OpenSSL::RSA is up to date (0.24)."
>>>>
>>>> I am running Freeside 1.7.2 on a Debian 'testing' box.
>>>>
>>>> Any hints again?
>>>>
>>>> Thanks!
>>>>
>>>> -Steve
>>>>
>>>> _______________________________________________
>>>> freeside-users mailing list
>>>> freeside-users at sisd.com
>>>> http://420.am/cgi-bin/mailman/listinfo/freeside-users

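The key handling discussed in this thread, as an added example that is not part of the original messages or of Freeside's code: it generates a pair with Crypt::OpenSSL::RSA, labels each half correctly, and shows that a public-only box can encrypt but not decrypt. The `trim` helper, the variable names and the sample card number are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not Freeside code. trim() and all variable names are
# hypothetical; only the Crypt::OpenSSL::RSA calls are real module API.
use strict;
use warnings;
use Crypt::OpenSSL::RSA;

my $length = 2048;    # the key size the thread ended on
my $rsa    = Crypt::OpenSSL::RSA->generate_key($length);

# Each label matches the getter that follows it.
my $public  = $rsa->get_public_key_string();     # PEM, "BEGIN RSA PUBLIC KEY"
my $private = $rsa->get_private_key_string();    # PEM, "BEGIN RSA PRIVATE KEY"
print "Public:\n$public\nPrivate:\n$private\n";

# Strip stray whitespace that pasting into a config field can add.
sub trim { my ($s) = @_; $s =~ s/\A\s+|\s+\z//g; return "$s\n" }

# Constructed input: a pasted public key with a leading blank line
# and trailing spaces.
my $pasted_public = "\n$public   ";

# new_public_key() croaks on input that does not begin with a public-key
# PEM header, so both the untrimmed paste and the private key are rejected.
for my $candidate ( $pasted_public, $private ) {
    my $ok = eval { Crypt::OpenSSL::RSA->new_public_key($candidate); 1 };
    print "rejected: $@" unless $ok;
}

# Public-only box: can encrypt new card data...
my $web_box = Crypt::OpenSSL::RSA->new_public_key( trim($pasted_public) );
$web_box->use_pkcs1_oaep_padding();
my $ciphertext = $web_box->encrypt('4111111111111111');   # constructed test number

# ...but cannot read it back, which is why it cannot bill.
my $plain = eval { $web_box->decrypt($ciphertext) };
print "public-only box cannot decrypt: $@" unless defined $plain;

# Billing box: holds the private key and can recover the value.
my $billing_box = Crypt::OpenSSL::RSA->new_private_key( trim($private) );
$billing_box->use_pkcs1_oaep_padding();
print "billing box recovered: ", $billing_box->decrypt($ciphertext), "\n";
```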

