Hi,

It should be possible to do this. 

In the postinst of ftpd-ssl there is a cert created with 
openssl req -new -x509 -nodes -out ftpd.pem -keyout ftpd.pem

If the keyout of this argument is changed then the private key is
written to a separate file, and the cert file can then be world
readable. 

The key file can then be placed somewhere else. As I see it there are 4
options

1) place the key file in /etc/ssl/private mode 600. This will then be
readable as the ftpd is run as root. This is the purpose of this dir as
far as I can tell. There would probably need to be a README.Debian note
for if the user wants to run the ftpd process as a different user that
user must be a member of the ssl-cert group.

2) place the key file in /etc/ftpd-ssl this is a little more flexible,
at the cost of expanding /etc slightly. This was the approach taken by
most of the other packages with the same bug as far as I can see.

3) place both key and cert file in /etc/ftpd-ssl, then you can do
whatever you want with them. If you are concerned about the users being
able to look up the cert of ftpd on the machine then appropriate
symlinks could be set up back to /etc/ssl/certs. Though I'm not sure
whether this is necessary as most users of ftp are not on the same
machine.

4) Don't bother splitting the file and move it to /etc/ftpd-ssl and set
permissions accordingly.

You may want to look at the latest uploads of telnetd-ssl and ejabberd
for their solutions.

The consideration will have to be in handling of the upgrade path.

As for the mechanics of using the split files, according to man 8 ftpd
this can be done using

-z cert_file=file -z key_file=file

adding these to the line in the inetd config seems to try to do the
right thing, but fails. On my system I get the error message

Error loading /etc/ftpd-ssl/ftpd-cert.pem: 32200:error:0906D06C:PEM
routines:PEM_read_bio:no start line:pem_lib.c:644:Expecting: ANY PRIVATE
KEY

which suggests that it is still trying to load the private key from the
same file.

James

-- 
  James Westby
  [EMAIL PROTECTED]
  http://jameswestby.net/
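The split described above (key in a root-only file, certificate in a world-readable one), as an added shell example that is not part of James's mail or of the ftpd-ssl package. It assumes a combined PEM file of the kind the postinst's `openssl req ... -out ftpd.pem -keyout ftpd.pem` produces; the sample file, its placeholder bodies and the output file names are constructed for the demonstration, and the split is done with awk so the example runs without an openssl binary.

```shell
#!/bin/sh
# Added example: split a combined key+cert PEM into a certificate file the
# world may read and a key file only root may read, then check that no key
# material ended up in the certificate file.

# split_pem COMBINED CERT_OUT KEY_OUT
# Copies the PRIVATE KEY block to KEY_OUT and the CERTIFICATE block(s) to
# CERT_OUT. The key file is created under umask 077 so it is never
# world-readable even for the instant between creation and chmod.
split_pem() {
    combined=$1; cert_out=$2; key_out=$3
    (umask 077; awk '/-----BEGIN .*PRIVATE KEY-----/{p=1} p{print} /-----END .*PRIVATE KEY-----/{p=0}' \
        "$combined" > "$key_out")
    awk '/-----BEGIN CERTIFICATE-----/{p=1} p{print} /-----END CERTIFICATE-----/{p=0}' \
        "$combined" > "$cert_out"
    chmod 0644 "$cert_out"   # certificate is public data
    chmod 0600 "$key_out"    # key readable by the (root) ftpd process only
}

# has_private_key FILE: succeeds if FILE contains a PEM private key block.
# Use it to verify the world-readable certificate file carries no key.
has_private_key() {
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$1"
}

# file_mode FILE: prints the octal permission bits (GNU stat, BSD fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed stand-in for the combined file; the bodies are placeholders,
# not real key or certificate material.
demo_dir=$(mktemp -d)
combined="$demo_dir/ftpd.pem"
cat > "$combined" <<'EOF'
-----BEGIN RSA PRIVATE KEY-----
PLACEHOLDERKEYBODY
-----END RSA PRIVATE KEY-----
-----BEGIN CERTIFICATE-----
PLACEHOLDERCERTBODY
-----END CERTIFICATE-----
EOF

# Hypothetical target names; a package would use /etc/ssl/certs and
# /etc/ssl/private (or /etc/ftpd-ssl) instead of a temporary directory.
cert_file="$demo_dir/ftpd-cert.pem"
key_file="$demo_dir/ftpd-key.pem"
split_pem "$combined" "$cert_file" "$key_file"

if has_private_key "$cert_file"; then
    echo "certificate file still contains a private key" >&2
else
    echo "ok: $cert_file mode $(file_mode "$cert_file"), $key_file mode $(file_mode "$key_file")"
fi
```

If the daemon is to run as a non-root user, the key file would instead be given group `ssl-cert` and mode 0640, and that user added to the group, as the mail's first option describes; the check with `has_private_key` is the same either way.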


