This section covers copying the default certificates shipped with the sources. Do not do that except for very early tests: the default keys are public, so anyone with a copy of the sources can impersonate your nufw or nuauth. You almost certainly want to generate your own certificates (see the next section).
For nufw:
cp conf/certs/nufw-*.pem /etc/nufw/
For nuauth:
cp conf/certs/nuauth*.pem /etc/nufw/
cp conf/certs/NuFW*.pem /etc/nufw/
Generating your own Certificate Authority:
mkdir private
chmod 700 private
openssl req -new -x509 -keyout private/CAkey.pem -out private/CAcert.pem
openssl prompts for a passphrase protecting the CA key: choose a strong one and keep it secret. Whoever holds CAkey.pem and its passphrase can issue certificates that nufw and nuauth will trust.
Generating the nufw and nuauth private keys (the key size is given explicitly, since genrsa otherwise falls back to the default of the installed OpenSSL):
openssl genrsa -out private/nufw-key.pem 2048
openssl genrsa -out private/nuauth-key.pem 2048
Generating Certificate Signing Requests for both nufw and nuauth keys:
openssl req -new -key private/nufw-key.pem -out nufw.csr
openssl req -new -key private/nuauth-key.pem -out nuauth.csr
Having the two requests signed by the CA we created (-CAcreateserial creates the serial file on first use and reuses it afterwards):
openssl x509 -req -days 365 -in nufw.csr -CA private/CAcert.pem \
-CAkey private/CAkey.pem -CAcreateserial -out nufw-cert.pem
openssl x509 -req -days 365 -in nuauth.csr -CA private/CAcert.pem \
-CAkey private/CAkey.pem -CAcreateserial -out nuauth-cert.pem
Then, as in the previous section, copy the files where needed.
For nufw:
cp private/nufw-key.pem /etc/nufw/
cp nufw-cert.pem /etc/nufw/
For nuauth:
cp private/nuauth-key.pem /etc/nufw/
cp nuauth-cert.pem /etc/nufw/
And don't forget that your key files (here, nufw-key.pem and nuauth-key.pem) must always remain private: keep them readable only by the user the daemon runs as (for example with chmod 600), and keep the CA key out of /etc/nufw altogether, since the daemons only need CAcert.pem.
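The whole procedure above, as an added example that is not part of the NuFW sources: it builds the CA, issues both certificates unattended, and then checks what the manual steps do not, namely that each certificate chains to the CA and carries the public key of the private key sitting next to it. The subject names, the working directory layout and passing the CA passphrase as an argument are assumptions made for the script; openssl must be on PATH.

```shell
#!/bin/sh
# Added example (not from the NuFW sources): build a private CA, issue the
# nufw and nuauth certificates from it, and verify the result.
# Assumptions: openssl is on PATH; the CA passphrase is passed as an argument
# so the script runs unattended; subject names are placeholders.
set -eu

gen_nufw_certs() {               # gen_nufw_certs <workdir> <ca-passphrase>
    workdir=$1
    ca_pass=$2
    mkdir -p "$workdir/private"
    chmod 700 "$workdir/private"

    # Self-signed CA; the CA key is encrypted with the passphrase.
    openssl req -new -x509 -days 3650 -newkey rsa:2048 \
        -subj "/CN=NuFW private CA" -passout "pass:$ca_pass" \
        -keyout "$workdir/private/CAkey.pem" \
        -out "$workdir/private/CAcert.pem" 2>/dev/null

    for name in nufw nuauth; do
        # Unencrypted daemon key, readable only by its owner.
        openssl genrsa -out "$workdir/private/$name-key.pem" 2048 2>/dev/null
        chmod 600 "$workdir/private/$name-key.pem"
        openssl req -new -key "$workdir/private/$name-key.pem" \
            -subj "/CN=$name.example.invalid" \
            -out "$workdir/$name.csr" 2>/dev/null
        # Sign the CSR with the CA; -CAcreateserial makes CAcert.srl on first use.
        openssl x509 -req -days 365 -in "$workdir/$name.csr" \
            -CA "$workdir/private/CAcert.pem" \
            -CAkey "$workdir/private/CAkey.pem" -passin "pass:$ca_pass" \
            -CAcreateserial -out "$workdir/$name-cert.pem" 2>/dev/null
    done
}

# Succeeds only if <name>-cert.pem chains to the CA and its public key
# matches <name>-key.pem, i.e. the pair is what the daemon needs.
check_nufw_cert() {              # check_nufw_cert <workdir> <name>
    workdir=$1
    name=$2
    openssl verify -CAfile "$workdir/private/CAcert.pem" \
        "$workdir/$name-cert.pem" >/dev/null 2>&1 || return 1
    cert_pub=$(openssl x509 -in "$workdir/$name-cert.pem" -noout -pubkey)
    key_pub=$(openssl pkey -in "$workdir/private/$name-key.pem" -pubout 2>/dev/null)
    [ "$cert_pub" = "$key_pub" ]
}
```

Run it as `gen_nufw_certs /tmp/nufw-pki 'your passphrase'` and then `check_nufw_cert /tmp/nufw-pki nufw` before copying anything to /etc/nufw; a mismatched key and certificate is the most common reason the daemons refuse to start TLS.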
The NuFW sources provide a sample configuration file for nuauth, nuauth.conf, in the conf directory.
The most important configuration variables are:
nuauth_client_listen_addr: the address where nuauth listens for client requests
nuauth_nufw_listen_addr: the address where nuauth listens for nufw requests
nufw_gw_addr: the list of nufw servers authorized to connect to nuauth
The next thing to do after setting these variables is to choose your authentication and ACL checking modules.
The user authentication module is selected with nuauth_user_check_module, which defaults to libsystem if not set in the config file. The choices are:
plaintext: user credentials are stored in a text file
system: authentication is done against PAM and groups are system groups. This provides a convenient way to use NSS features and/or PAM modules
The ACL checking module is selected with nuauth_acl_check_module. The choices are:
libldap: ACLs are looked up in an LDAP directory
plaintext: ACLs are stored in a text file
To get to testing quickly, we will use the system module for users and the plaintext module for ACLs. A sample file for the plaintext ACL check module, acls.nufw, is available in the conf directory. Copy it to /etc/nufw and change the group of the ssh ACL so that it matches the group of a system user you will later use to authenticate.
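The following is an added example, not code from the NuFW sources: a small shell checker for the variables discussed above, which reads a nuauth.conf-style file and reports the effective module choice, applying the libsystem default for nuauth_user_check_module when the key is absent. It assumes the file uses "key=value" lines with '#' comments (the layout of the shipped nuauth.conf is not reproduced here) and accepts module names with or without the "lib" prefix; the sample file it writes is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the NuFW sources): read settings from a
# nuauth.conf-style file and check the variables discussed above.
# Assumptions: the file uses "key=value" lines with '#' comments (the
# layout of the shipped nuauth.conf is not reproduced here), and module
# names may be written with or without the "lib" prefix.

nuauth_conf_get() {          # nuauth_conf_get <file> <key> [<default>]
    file=$1; key=$2; default=${3-}
    # Last matching assignment wins; whitespace around '=' is tolerated.
    val=$(grep -v '^[[:space:]]*#' "$file" |
          sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" | tail -n 1)
    if [ -n "$val" ]; then printf '%s\n' "$val"; else printf '%s\n' "$default"; fi
}

# Returns 0 when the listen/gateway addresses are set and the chosen
# modules are among those the documentation lists; prints the effective
# choice, including nuauth's libsystem default for the user module.
nuauth_conf_check() {        # nuauth_conf_check <file>
    file=$1
    for key in nuauth_client_listen_addr nuauth_nufw_listen_addr nufw_gw_addr; do
        if [ -z "$(nuauth_conf_get "$file" "$key")" ]; then
            echo "error: $key is not set" >&2
            return 1
        fi
    done
    user_mod=$(nuauth_conf_get "$file" nuauth_user_check_module libsystem)
    acl_mod=$(nuauth_conf_get "$file" nuauth_acl_check_module)
    case $user_mod in
        system|libsystem|plaintext|libplaintext) ;;
        *) echo "error: unknown user check module '$user_mod'" >&2; return 1 ;;
    esac
    case $acl_mod in
        ldap|libldap|plaintext|libplaintext) ;;
        *) echo "error: unknown acl check module '$acl_mod'" >&2; return 1 ;;
    esac
    echo "user module: $user_mod, acl module: $acl_mod"
}

write_sample_conf() {        # constructed sample, not the shipped nuauth.conf
    cat > "$1" <<'EOF'
# constructed sample configuration
nuauth_client_listen_addr=0.0.0.0
nuauth_nufw_listen_addr=127.0.0.1
nufw_gw_addr=127.0.0.1
nuauth_acl_check_module=plaintext
EOF
}
```

Point `nuauth_conf_check` at /etc/nufw/nuauth.conf after editing it; a typo in a module name only shows up at daemon start otherwise, and a missing nufw_gw_addr means no gateway will be accepted.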