– The RADIUS configuration allows an imported certificate to be used for the server as well as an imported CA as a trusted CA, but does not provide a way for the imported CA’s CRL to be imported. With this config, the “Check CRL” option cannot be checked as radiusd will fail to initialize. Would it be possible to add support for pulling in more than the local CA’s CRL? This would allow for a “more secure” type setup where the CA is not on the same box and is not networked. Of course, this also means that user management may also be done elsewhere, which isn’t exactly the intended use of ZeroShell, but I think you may see how this would be beneficial.
I know this problem and I am going to solve it with the 1.0.beta4 release.
Excellent! That is great news, thanks!
– I’ve noticed that if power is lost to the router/server the database (stored on USB flash disk) will not be recognized at the next boot. I have to restore the database from backup. Is there any way this can be adjusted so that power loss does not completely kill the box?
Very strange because my Internet router is a WRAP board with Zeroshell on CompactFlash and I never do a regular shutdown, but I just disconnect the power. It always worked fine without filesystem corruption. In any case, keep in mind that Zeroshell supports ext3, ext2, reiserFS and fat32 filesystems, but only ext3 and reiserfs have the journaling feature, which allows a safe recovery from a crash.
Is your USB Flash disk formatted with FAT32?
I thought it was strange as well, but I’ve seen this with both beta1 and beta2. Yes, the USB disk is FAT32. I’m using a spare PC and a 1GB USB flash drive that I use for other things as well, which is why it’s not formatted reiser, ext3, jfs, etc.
The really odd thing is that after I “create” a new db on the same flash drive, zeroshell then shows the old database as being present. Prior to that the old database would not show up after scanning the drive.
– Would it be possible to have logs & runtime use of the filesystem separated from the database and possibly use a RAM filesystem mount so as not to excessively use flash based devices, etc.? This would be a handy configuration option. Perhaps this ties into the above item since a sudden loss of power doesn’t umount the filesystem cleanly?
This is a good idea. I will keep it in mind and on the todo list.
– Would it be possible to add SSH as a feature so some users can be allowed remote console access and administration of this be done like everything else via the web interface?
You just need to type the command
service sshd start
and reset your root user password with the passwd command from the console.
Ok, but is there a way to store this in the configuration so that each reboot of the box will result in SSH being enabled? Or what about a configuration option on the web interface? I’d like to have this device as a headless box that is just accessible via network, so either web interface or SSH.
– Would it be possible to add an additional OpenVPN configuration so ZeroShell could act as the server side in a point to point (roadwarrior) VPN solution (tun or tap based)? Ideally this would support both TLS certificate based authentication as well as username/password based authentication, just like “native” OpenVPN. 🙂
Yes, it is possible. I have already planned to do it.
Regards and thank you for your suggestions
Thanks again for all your work and a great tool. If there’s anything I can do to help out, please let me know.