|
Home
Search all pages
Subjects
By activity
Professions, Sciences, Humanities, Business, ...
User Interface
Text-based, GUI, Audio, Video, Keyboards, Mouse, Images,...
Text Strings
Conversions, tests, processing, manipulation,...
Math
Integer, Floating point, Matrix, Statistics, Boolean, ...
Processing
Algorithms, Memory, Process control, Debugging, ...
Stored Data
Data storage, Integrity, Encryption, Compression, ...
Communications
Networks, protocols, Interprocess, Remote, Client Server, ...
Hard World
Timing, Calendar and Clock, Audio, Video, Printer, Controls...
File System
Management, Filtering, File & Directory access, Viewers, ...
|
|
|
RocketLink!--> Man page versions:
OpenBSD
PHOTURISD(8) OpenBSD System Manager's Manual PHOTURISD(8)
NAME
photurisd - IPSec key management daemon
SYNOPSIS
photurisd [-cvi] [-d directory] [-p port]
DESCRIPTION
The photuris daemon establisches security associations for encrypted
and/or authenticated network traffic.
The daemon listens to a named pipe photuris.pipe for user requests and on
a PF_ENCAP socket for kernel requests.
The options are as follows:
-c The -c option is used to force a primality check of the boot-
strapped moduli.
-v The -v options is used to start photurisd(8) in VPN (Virtual Pri-
vate Network) mode, see vpn(8).
-i The -i option can be used to ignore the photuris.startup file.
Otherwise the exchanges in that file will be initiated on start-
up.
-d The -d option specifies the directory in which photurisd looks
for its startup files. The default is /etc/photuris/.
-p The -p option specifies the local port the daemon shall bind to.
The file photuris.conf contains the moduli for the DH exchange and the
actual exchange schemes used to establish a shared secret. The following
keywords are understood:
modulus This keyword is followed by the numeric generator and
modulus. Those two values describe the group in which ex-
change values for the Diffie-Hellmann key exchange are
generated. The modulus needs to be a safe prime.
exchange The supported exchange schemes are specified here with.
The scheme is followed either by zero or the number of
bits of the modulus to be used with this scheme. If zero
is specified the given scheme acts as modifier to the
base scheme. The base scheme is DH_G_2_MD5 (generator of
two and MD5 identification). Extended schemes are
DH_G_2_DES_MD5 and DH_G_2_3DES_SHA1. An exchange can only
be configured if an apropriate modulus has be given be-
fore.
config This is used to configure the LifeTimes of SPIs and ex-
changes. The configurable values are:
exchange_max_retries, exchange_retransmit_timeout,
exchange_timeout, exchange_lifetime and spi_lifetime.
They are followed by an integer.
The file attributes.conf contains the attributes, i.e. different choices
of encryption and authenication, offered to the other peer. If a line
starts with an ip address and a space seperated netmask the following at-
tributes are only offered to hosts lying in that net range. Only one at-
tribute per line is allowed. An attribute can either be an already de-
fined tag or an new definition of an attribute. In that case the line is
followed by a comma separated list: attribute name, Photuris id, type of
attribute and key length. The name is only used as reference. A list of
possible Photuris ids can be found in /usr/share/ipsec/attributes.conf.
The attribute type is one of the following: enc, ident, auth or
ident|auth. The key length is so far only used by the encryption at-
tributes and specifies the number of keying bytes the daemon has to gen-
erate. Predefined attributes are:
AT_AH_ATTRIB Starts the list of authentication attributes.
AT_ESP_ATTRIB Starts the list of encryption attributes.
The file secrets.conf contains the party preconfigured symmetric secrets
for the identity exchange.
identity local Defines the identity the local daemon will as-
sume and the according password. Both name and
secret are braced by quotation marks and fol-
low the identity local directive.
identity remote Defines the parties the daemon can communicate
with and their secrets. Both name and secret
are braced by quotation marks and follow the
identity remote directive. The name and secret
are the same as the identity local on the re-
mote site.
identity pair local If the identity of the remote site is already
known, identity pair local enables the daemon
to assume an identity and secret based on the
remote identity. The directive is followed by
the remote identity, a new local identity and
an according secret. In that way the secrets
are not shared with all other parties.
Once DNSSEC or other public key infrastructures are available, those will
be supported also.
Finally the file photuris.startup contains parameters for exchanges which
are created during startup.
The keywords dst, port, options, tsrc, tdst, exchange_lifetime,
spi_lifetime and user are understood in the photuris.startup file. The
values are as follows:
dst The destination IP address with which the ex-
change is to be established.
port The port number of the destination photuris dae-
mon.
options The options to be used in the exchange. Possible
values are enc and auth.
tsrc If both tsrc and tdst (see below) are specified,
a tunnel (IP over IP) is setup. The tsrc option
is a network address with netmask used for
matching the source IP address of a packet.
When both the source and the destination ad-
dresses match their respective options the pack-
et will be routed into the tunnel.
tdst If both tsrc (see above) and tdst are specified,
a tunnel (IP over IP) is setup. The tdst option
is a network address with netmask used for
matching the destination IP address of a packet.
When both the source and the destination ad-
dresses match their respective options the pack-
et will be routed into the tunnel.
exchange_lifetime Determines the lifetime of the exchange. After
an exchange expires no new SPIs are created,
which means the transport or tunnel is torn down
as soon as the current SPI times out (see
spi_lifetime below). The default value is got-
ten from the exchange_lifetime parameter given
in photuris.conf. If it is not given there the
default is 1800 seconds.
spi_lifetime Determines the lifetime of each created SPI in
the exchange.
user The user name for whom the keying shall be done.
Preconfigured secrets are taken from the users
secret file.
Exchanges are separated by newlines.
EXAMPLE
A sample photuris.startup entry:
dst=134.100.106.2 port=468 options=auth
tsrc=134.100.104.0/255.255.255.255
tdst=134.100.106.0/255.255.255.255
SEE ALSO
startkey(1), ipsec(4), vpn(8).
HISTORY
The photuris keymanagement protocol is described in the internet draft
draft-simpson-photuris by the authors Phil Karn and William Allen Simp-
son. This implementation was done 1997 by Niels Provos and appeared in
OpenBSD 2.1.
OpenBSD 2.3 July 18, 1997 3
Source: OpenBSD 2.6 man pages. Copyright: Portions are copyrighted by BERKELEY
SOFTWARE DESIGN, INC., The Regents of the University of California, Massachusetts
Institute of Technology, Free Software Foundation, FreeBSD Inc., and others. |
(Corrections, notes, and links courtesy of RocketAware.com)
![[Detailed Topics]](/inbndsm.gif)
OpenBSD sources for photurisd(8)
![[Overview Topics]](/outbndsm.gif)
Up to: Identity Authentication - verifying the identity of the originator of a connection (passwords, radius, identd, crypto methods, et al.)
RocketLink!--> Man page versions:
OpenBSD
Rapid-Links:
Search | About | Comments | Submit Path: RocketAware > man pages >
photurisd.8/
RocketAware.com is a service of Mib Software
Copyright 1999, Forrest J. Cavalier III. All Rights Reserved.
We welcome submissions and comments
|
