cpet/openbsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
openbsd-ports/productivity/radicale/pkg
History

README 

$OpenBSD: README,v 1.5 2014/03/26 10:17:02 sthen Exp $

+-----------------------------------------------------------------------
| Running ${FULLPKGNAME} on OpenBSD
+-----------------------------------------------------------------------

Radicale will run out of the box but with NO SECURITY.

There are two things you should do to enable security:
enable passwords and enable encryption.

Authentication
==============
To enable simple passwords, edit ${SYSCONFDIR}/radicale/config and change
"type = None" (i.e. passwords are not requested or checked) to
"type = htpasswd".

User password(s) may be created with htpasswd(1); e.g.
"htpasswd ${SYSCONFDIR}/radicale/users username".

As of radicale-0.8p0, the OpenBSD port of Radicale has been modified
to support bcrypt password hashes.

Previous versions required old unix "crypt" or unsalted SHA-1 hashes
of passwords, neither of which are safe.

Users of previous versions should set "htpasswd_encryption = bcrypt"
in ${SYSCONFDIR}/radicale/config and update their saved passwords when
possible (to help with migration, existing SHA hashes stored with a
"{SHA}" prefix in the users file will still work with the new setting).

By default all calendars may be accessed by any authenticated user.
To restrict calendars so that "/user1/calendar_name" can ONLY be
accessed by user1, also change "personal = False" to "personal = True".

For further authentication options (including deferring authentication
to an existing IMAP server), consult Radicale's documentation.

Encryption
==========
To enable encryption, you need both to change "ssl = False" to
"ssl = True" in file "config", and install a certificate and key in
the files named in "certificate" and "key".
Note that it does not suffice to change these variables to point
at a certificate installed in /etc/ssl because the key
file will be unreadable (/etc/ssl/private has restricted
directory permissions).
Either copy your existing key and certificate to the locations
in ${SYSCONFDIR} and owned by (and only readable by) the user _radicale,
or, generate a self-signed RSA server certificate as described
in ssl(8) (but changing /etc/ssl to ${SYSCONFDIR}/radicale).