PHOTURISD(8)            OpenBSD System Manager's Manual           PHOTURISD(8)

NAME
     photurisd - IPSec key management daemon
SYNOPSIS
     photurisd [-cvi] [-d directory] [-p port]

DESCRIPTION
     The photuris daemon establishes security associations for encrypted
     and/or authenticated network traffic.

     The daemon listens to a named pipe photuris.pipe for user requests and on
     a PF_ENCAP socket for kernel requests.

     The options are as follows:

     -c      The -c option is used to force a primality check of the boot-
             strapped moduli.

     -v      The -v option is used to start photurisd(8) in VPN (Virtual Pri-
             vate Network) mode, see vpn(8).

     -i      The -i option can be used to ignore the photuris.startup file.
             Otherwise the exchanges in that file will be initiated on start-
             up.

     -d      The -d option specifies the directory in which photurisd looks
             for its startup files. The default is /etc/photuris/.

     -p      The -p option specifies the local port the daemon shall bind to.

     The file photuris.conf contains the moduli for the DH exchange and the
     actual exchange schemes used to establish a shared secret. The following
     keywords are understood:

           modulus   This keyword is followed by the numeric generator and
                     modulus. Those two values describe the group in which ex-
                     change values for the Diffie-Hellman key exchange are
                     generated. The modulus needs to be a safe prime.

           exchange  The supported exchange schemes are specified here. Each
                     scheme is followed either by zero or by the number of
                     bits of the modulus to be used with this scheme. If zero
                     is specified the given scheme acts as a modifier to the
                     base scheme. The base scheme is DH_G_2_MD5 (generator of
                     two and MD5 identification). Extended schemes are
                     DH_G_2_DES_MD5 and DH_G_2_3DES_SHA1. An exchange can only
                     be configured if an appropriate modulus has been given
                     before.

           config    This is used to configure the lifetimes of SPIs and ex-
                     changes. The configurable values are:
                     exchange_max_retries, exchange_retransmit_timeout,
                     exchange_timeout, exchange_lifetime and spi_lifetime.
                     Each is followed by an integer.
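The checks the text above asks of a photuris.conf (a modulus that is a safe prime, and an exchange scheme that only refers to a modulus size defined before it) are shown here as an added Python example. It is not code from the man page or from photurisd's sources. It assumes the generator and modulus are written as plain decimal or 0x-prefixed integers and that lines are whitespace separated; the sample files and the 5-bit toy modulus are constructed for the example.

```python
import random

# Witnesses that make Miller-Rabin deterministic for n < 3.3 * 10**24.
_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41)
_DETERMINISTIC_LIMIT = 3_317_044_064_679_887_385_961_981

# Lifetime keys the config keyword accepts (from the man page).
CONFIG_KEYS = {"exchange_max_retries", "exchange_retransmit_timeout",
               "exchange_timeout", "exchange_lifetime", "spi_lifetime"}


def is_probable_prime(n, extra_rounds=20):
    """Miller-Rabin: exact below the limit, probabilistic with extra bases above."""
    if n < 2:
        return False
    for b in _BASES:
        if n % b == 0:
            return n == b
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    bases = list(_BASES)
    if n >= _DETERMINISTIC_LIMIT:
        rng = random.Random(0)  # fixed seed keeps the check reproducible
        bases += [rng.randrange(2, n - 1) for _ in range(extra_rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def is_safe_prime(p):
    """p = 2q + 1 with both p and q prime: what the modulus keyword requires."""
    return (p >= 5 and p % 2 == 1 and is_probable_prime(p)
            and is_probable_prime((p - 1) // 2))


def is_usable_generator(g, p):
    """For a safe prime the only elements of small order are 1 and p-1, so
    any other g has order q or 2q and generates a large subgroup."""
    return 1 < g < p - 1


def check_photuris_conf(text):
    """Return a list of problems; an empty list means the file passes."""
    problems, known_bits = [], set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        if not tokens:
            continue
        key, args = tokens[0], tokens[1:]
        if key == "modulus" and len(args) == 2:
            g, p = int(args[0], 0), int(args[1], 0)
            if not is_safe_prime(p):
                problems.append(f"line {lineno}: modulus is not a safe prime")
            elif not is_usable_generator(g, p):
                problems.append(f"line {lineno}: generator {g} is trivial")
            else:
                known_bits.add(p.bit_length())
        elif key == "exchange" and len(args) == 2:
            scheme, bits = args[0], int(args[1])
            # bits == 0 marks a modifier of the base scheme; otherwise a
            # modulus of exactly that size must already have been defined.
            if bits != 0 and bits not in known_bits:
                problems.append(f"line {lineno}: {scheme} needs a {bits}-bit "
                                "modulus defined before it")
        elif key == "config" and len(args) == 2 and args[0] in CONFIG_KEYS:
            if not args[1].isdigit():
                problems.append(f"line {lineno}: {args[0]} must be an integer")
        else:
            problems.append(f"line {lineno}: cannot parse {raw.strip()!r}")
    return problems


# Constructed sample files. The 5-bit modulus 23 = 2*11 + 1 is a toy value
# chosen so the example runs instantly; real moduli are hundreds of bits.
GOOD_CONF = """modulus 2 23
exchange DH_G_2_MD5 5
exchange DH_G_2_DES_MD5 0
config exchange_lifetime 1800
"""
# 13 is prime but 6 is not, so 13 is not a safe prime; the exchange line
# then refers to a modulus size that was never accepted.
BAD_CONF = """modulus 2 13
exchange DH_G_2_MD5 4
"""

if __name__ == "__main__":
    print("good:", check_photuris_conf(GOOD_CONF))
    print("bad: ", check_photuris_conf(BAD_CONF))
```

The safe-prime requirement matters because a modulus that is merely prime can have a group order with small factors, which weakens the Diffie-Hellman exchange; the -c option forces photurisd to perform the same kind of primality check on its bootstrapped moduli.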

     The file attributes.conf contains the attributes, i.e. the different
     choices of encryption and authentication offered to the other peer. If a
     line starts with an IP address and a space separated netmask, the fol-
     lowing attributes are only offered to hosts lying in that net range. Only
     one attribute per line is allowed. An attribute can either be an already
     defined tag or a new definition of an attribute. In that case the line
     contains a comma separated list: attribute name, Photuris id, type of
     attribute and key length. The name is only used as a reference. A list
     of possible Photuris ids can be found in /usr/share/ipsec/attributes.conf.
     The attribute type is one of the following: enc, ident, auth or
     ident|auth. The key length is so far only used by the encryption at-
     tributes and specifies the number of keying bytes the daemon has to gen-
     erate.  Predefined attributes are:

           AT_AH_ATTRIB   Starts the list of authentication attributes.

           AT_ESP_ATTRIB  Starts the list of encryption attributes.

     The file secrets.conf contains the preconfigured symmetric secrets of the
     parties for the identity exchange.

           identity local       Defines the identity the local daemon will as-
                                sume and the corresponding password. Both name
                                and secret are enclosed in quotation marks and
                                follow the identity local directive.

           identity remote      Defines the parties the daemon can communicate
                                with and their secrets.  Both name and secret
                                are enclosed in quotation marks and follow the
                                identity remote directive. The name and secret
                                are the same as the identity local on the re-
                                mote site.

           identity pair local  If the identity of the remote site is already
                                known, identity pair local enables the daemon
                                to assume an identity and secret based on the
                                remote identity. The directive is followed by
                                the remote identity, a new local identity and
                                a corresponding secret.  In that way the se-
                                crets are not shared with all other parties.

     Once DNSSEC or other public key infrastructures are available, those will
     be supported also.
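How the three secrets.conf directives combine when the daemon talks to a given peer (a per-peer identity pair local entry overrides the global identity local; the peer's own secret comes from its identity remote entry) is shown here as an added Python example. It is not code from the man page or from photurisd. It assumes the quoted names and secrets follow shell-style quoting; the sample file, its identities and its placeholder secrets are constructed for the example, and audit_secrets is this example's own defender-side check, not a photurisd feature.

```python
import shlex


def parse_secrets_conf(text):
    """Parse identity local / identity remote / identity pair local lines."""
    secrets = {"local": None, "remotes": {}, "pairs": {}}
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = shlex.split(raw)  # assumption: shell-style quoting
        if not tokens:
            continue
        if tokens[:2] == ["identity", "local"] and len(tokens) == 4:
            secrets["local"] = (tokens[2], tokens[3])
        elif tokens[:2] == ["identity", "remote"] and len(tokens) == 4:
            secrets["remotes"][tokens[2]] = tokens[3]
        elif tokens[:3] == ["identity", "pair", "local"] and len(tokens) == 6:
            # remote identity -> (local identity to assume, its secret)
            secrets["pairs"][tokens[3]] = (tokens[4], tokens[5])
        else:
            raise ValueError(f"line {lineno}: cannot parse {raw.strip()!r}")
    return secrets


def local_identity_for(secrets, remote_id):
    """Identity and secret the daemon assumes towards remote_id: the per-peer
    pair entry if one exists, otherwise the global identity local."""
    return secrets["pairs"].get(remote_id, secrets["local"])


def remote_secret_for(secrets, remote_id):
    """Secret the peer remote_id is expected to know, or None if unknown."""
    return secrets["remotes"].get(remote_id)


def audit_secrets(secrets):
    """Findings worth fixing before deploying the file (example's own check)."""
    findings = []
    if secrets["local"] is None:
        findings.append("no 'identity local' entry: no default identity")
    for remote_id in secrets["pairs"]:
        if remote_id not in secrets["remotes"]:
            findings.append(f"pair entry for unknown remote {remote_id!r}")
    seen = {}
    for remote_id, secret in secrets["remotes"].items():
        if secret in seen:
            findings.append(f"remotes {seen[secret]!r} and {remote_id!r} "
                            "share a secret")
        seen.setdefault(secret, remote_id)
    return findings


# Constructed sample; every secret here is a placeholder, not a real value.
SAMPLE_SECRETS = '''identity local "gw.example.net" "local-secret-PLACEHOLDER"
identity remote "branch-a" "branch-a-secret-PLACEHOLDER"
identity remote "branch-b" "branch-b-secret-PLACEHOLDER"
identity pair local "branch-b" "gw-for-branch-b" "pair-secret-PLACEHOLDER"
'''
# Constructed misconfiguration: a pair entry for a peer never declared, and
# two peers configured with the same secret.
BAD_SECRETS = '''identity local "gw.example.net" "local-secret-PLACEHOLDER"
identity remote "branch-a" "shared-PLACEHOLDER"
identity remote "branch-c" "shared-PLACEHOLDER"
identity pair local "branch-z" "gw-for-z" "z-secret-PLACEHOLDER"
'''

if __name__ == "__main__":
    s = parse_secrets_conf(SAMPLE_SECRETS)
    print("towards branch-a:", local_identity_for(s, "branch-a"))
    print("towards branch-b:", local_identity_for(s, "branch-b"))
    print("audit:", audit_secrets(parse_secrets_conf(BAD_SECRETS)))
```

Towards branch-a the daemon falls back to the global identity and its secret, while towards branch-b it uses the pair-specific identity, which is what keeps the secret for that peer out of every other peer's hands.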

     Finally the file photuris.startup contains parameters for exchanges which
     are created during startup.

     The keywords dst, port, options, tsrc, tdst, exchange_lifetime,
     spi_lifetime and user are understood in the photuris.startup file. The
     values are as follows:

           dst                The destination IP address with which the ex-
                              change is to be established.

           port               The port number of the destination photuris dae-
                              mon.

           options            The options to be used in the exchange. Possible
                              values are enc and auth.

           tsrc               If both tsrc and tdst (see below) are specified,
                              a tunnel (IP over IP) is set up.  The tsrc op-
                              tion is a network address with netmask used for
                              matching the source IP address of a packet.
                              When both the source and the destination ad-
                              dresses match their respective options the pack-
                              et will be routed into the tunnel.

           tdst               If both tsrc (see above) and tdst are specified,
                              a tunnel (IP over IP) is set up.  The tdst op-
                              tion is a network address with netmask used for
                              matching the destination IP address of a packet.
                              When both the source and the destination ad-
                              dresses match their respective options the pack-
                              et will be routed into the tunnel.

           exchange_lifetime  Determines the lifetime of the exchange. After
                              an exchange expires no new SPIs are created,
                              which means the transport or tunnel is torn down
                              as soon as the current SPI times out (see
                              spi_lifetime below).  The default value is taken
                              from the exchange_lifetime parameter given in
                              photuris.conf. If it is not given there the de-
                              fault is 1800 seconds.

           spi_lifetime       Determines the lifetime of each created SPI in
                              the exchange.

           user               The user name for whom the keying shall be done.
                              Preconfigured secrets are taken from the user's
                              secret file.

     Exchanges are separated by newlines.

EXAMPLE
     A sample photuris.startup entry:

     dst=134.100.106.2 port=468 options=auth
     tsrc=134.100.104.0/255.255.255.255
     tdst=134.100.106.0/255.255.255.255
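An added Python example (not code from the man page or from photurisd) that parses startup entries like the one above and applies the rules from the preceding section: the exchange_lifetime default chain, the enc/auth option values, and the tunnel selector test that routes a packet into the IP-over-IP tunnel only when its source matches tsrc and its destination matches tdst. Beyond what the page states, it assumes a blank line ends one exchange (the sample entry spans three lines), that several options are written comma separated, and that a tsrc without a tdst is a misconfiguration; the conf_defaults argument stands in for the photuris.conf value. The second entry and the packets tested are constructed.

```python
import ipaddress

# Keywords and option values listed in the man page.
KEYWORDS = {"dst", "port", "options", "tsrc", "tdst",
            "exchange_lifetime", "spi_lifetime", "user"}
OPTIONS = {"enc", "auth"}


def _finish(entry, conf_defaults):
    """Type-convert one exchange and apply the documented defaults."""
    if "dst" not in entry:
        raise ValueError("exchange without dst")
    entry["dst"] = ipaddress.ip_address(entry["dst"])
    if "port" in entry:
        entry["port"] = int(entry["port"])
    # Assumption: several options are written comma separated.
    entry["options"] = [o for o in entry.get("options", "").split(",") if o]
    bad = set(entry["options"]) - OPTIONS
    if bad:
        raise ValueError(f"unknown options {sorted(bad)}")
    # exchange_lifetime: entry value, else photuris.conf value, else 1800 s.
    entry["exchange_lifetime"] = int(entry.get(
        "exchange_lifetime", conf_defaults.get("exchange_lifetime", 1800)))
    if "spi_lifetime" in entry:
        entry["spi_lifetime"] = int(entry["spi_lifetime"])
    # A tunnel needs both selectors; one without the other is treated as
    # a misconfiguration here (the example's own stricter reading).
    has_src, has_dst = "tsrc" in entry, "tdst" in entry
    if has_src != has_dst:
        raise ValueError("tsrc and tdst must be given together")
    if has_src:
        # ipaddress accepts the dotted netmask form used in the file.
        entry["tsrc"] = ipaddress.ip_network(entry["tsrc"], strict=False)
        entry["tdst"] = ipaddress.ip_network(entry["tdst"], strict=False)
    return entry


def parse_startup(text, conf_defaults=None):
    """Return one dict per exchange found in a photuris.startup text."""
    conf_defaults = conf_defaults or {}
    exchanges, current = [], {}
    for raw in text.splitlines() + [""]:   # trailing "" flushes the last entry
        line = raw.strip()
        if not line:
            if current:
                exchanges.append(_finish(current, conf_defaults))
                current = {}
            continue
        for token in line.split():
            key, sep, value = token.partition("=")
            if not sep or key not in KEYWORDS:
                raise ValueError(f"bad token {token!r}")
            current[key] = value
    return exchanges


def packet_uses_tunnel(entry, src, dst):
    """True if both addresses match the exchange's tunnel selectors."""
    if "tsrc" not in entry:
        return False
    return (ipaddress.ip_address(src) in entry["tsrc"]
            and ipaddress.ip_address(dst) in entry["tdst"])


# First entry is the man page's sample; the second is constructed to show a
# selector that covers whole /24 networks.
SAMPLE_STARTUP = """dst=134.100.106.2 port=468 options=auth
tsrc=134.100.104.0/255.255.255.255
tdst=134.100.106.0/255.255.255.255

dst=10.0.2.1 options=enc,auth exchange_lifetime=3600
tsrc=10.0.1.0/255.255.255.0
tdst=10.0.2.0/255.255.255.0
"""

if __name__ == "__main__":
    for ex in parse_startup(SAMPLE_STARTUP):
        print(ex["dst"], ex["options"], ex["exchange_lifetime"], ex.get("tsrc"))
    ex = parse_startup(SAMPLE_STARTUP)[1]
    print(packet_uses_tunnel(ex, "10.0.1.77", "10.0.2.5"))
```

Note that the sample entry's 255.255.255.255 masks select exactly one source and one destination address, so only a packet from 134.100.104.0 to 134.100.106.0 would enter that tunnel; a /24 selector, as in the second entry, is what covers a whole subnet.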

SEE ALSO
     startkey(1),  ipsec(4),  vpn(8).

HISTORY
     The photuris key management protocol is described in the internet draft
     draft-simpson-photuris by the authors Phil Karn and William Allen Simp-
     son.  This implementation was written in 1997 by Niels Provos and ap-
     peared in OpenBSD 2.1.


OpenBSD 2.3                      July 18, 1997                               3

Source: OpenBSD 2.6 man pages. Copyright: Portions are copyrighted by BERKELEY
SOFTWARE DESIGN, INC., The Regents of the University of California, Massachusetts
Institute of Technology, Free Software Foundation, FreeBSD Inc., and others.
