[Ipsec-tools-devel] Documentation Diff: Plain RSA Authentication
From: Simon C. <sim...@gm...> - 2006-12-09 02:30:15
Hello, Here is a submission for a documentation fix that provides a little more on the RSA authentication process. Please let me know what you think. Thanks, Simon ? plainrsadoc.diff ? src/racoon/racoon.conf.5.master Index: src/racoon/racoon.conf.5 =================================================================== RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5,v retrieving revision 1.33 diff -U4 -r1.33 racoon.conf.5 --- src/racoon/racoon.conf.5 5 Dec 2006 13:38:40 -0000 1.33 +++ src/racoon/racoon.conf.5 9 Dec 2006 02:22:52 -0000 @@ -506,8 +506,14 @@ means a file name of a certificate. .Ar privkeyfile means a file name of a secret key. .El +.Bl -tag -width Ds -compact +.It Ic plain_rsa Ar privkeyfile ; +.Ar privkeyfile +means a file name of a private key generated by plainrsa-gen(8). Required +for RSA authentication. +.El .It Ic ca_type Ar cacertspec ; specifies a root certificate authority specification. .Ar cacertspec is one of followings: @@ -528,9 +534,9 @@ This is a small security risk, so the default is off, meaning that racoon will keep on trying to establish a connection even if the user credentials ar wrong, for instance. .\" -.It Ic peers_certfile ( dnssec | Ar certfile ) ; +.It Ic peers_certfile ( dnssec | Ar certfile | Ic plain_rsa Ar pubkeyfile ) ; If .Ic dnssec is defined, .Xr racoon 8 @@ -541,8 +547,16 @@ is defined, .Xr racoon 8 will ignore the CERT payload from the peer, and will use this certificate as the peer's certificate. +If +.Ic plain_rsa +is defined, +.Xr racoon 8 +will expect +.Ar pubkeyfile +to be the peer's public key that was generated +by plainrsa-gen(8). .\" .It Ic script Ar script Ic phase1_up .It Ic script Ar script Ic phase1_down Shell scripts that get executed when a phase 1 SA goes up or down. 
@@ -825,9 +839,11 @@ defines the authentication method used for the phase 1 negotiation. This directive must be defined. .Ar type is one of: -.Ic pre_shared_key , rsasig , gssapi_krb , hybrid_rsa_server , +.Ic pre_shared_key , rsasig +(for plain RSA authentication), +.Ic gssapi_krb , hybrid_rsa_server , .Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server or .Ic xauth_psk_client . .\" @@ -1328,8 +1344,27 @@ compression_algorithm deflate ; } .Ed .Pp +If you are configuring plain RSA authentication, the remote directive +should look like the following: +.Bd -literal -offset +path certificate "/usr/local/v6/etc" ; +remote anonymous +{ + exchange_mode main,base ; + lifetime time 12 hour ; + certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv"; + peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub"; + proposal { + encryption_algorithm aes ; + hash_algorithm sha1 ; + authentication_method rsasig ; + dh_group 2 ; + } +} +.Ed +.Pp The following is a sample for the pre-shared key file. .Bd -literal -offset 10.160.94.3 mekmitasdigoat 172.16.1.133 0x12345678 |
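Review bot: in the @@ -506,8 +506,14 @@ hunk the new plain_rsa entry opens a second `.Bl -tag -width Ds -compact` ... `.El` list directly after the `.El` that closes the list already describing the `x509 certfile privkeyfile` form of `certificate_type`; add `.It Ic plain_rsa Ar privkeyfile ;` as another item inside that existing list (before its `.El`) so both forms render as one list, and write the cross-reference as `.Xr plainrsa-gen 8` on its own line rather than the literal `plainrsa-gen(8)`, matching the `.Xr racoon 8` used elsewhere in this page. "Required for RSA authentication" is also too broad, since `authentication_method rsasig` is equally used with the `x509` form; say "Required for plain RSA authentication". Because this file holds a private key, it would help the reader to add that it must not be readable by other users.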
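Review bot: in the @@ -528,9 +534,9 @@ hunk the rewritten `.It Ic peers_certfile ( dnssec | Ar certfile | Ic plain_rsa Ar pubkeyfile ) ;` line marks `plain_rsa` with `Ic` but leaves `dnssec` as plain text inside the same set of alternatives, so the two keywords render differently; mark both with `Ic` or neither. The unchanged context line "even if the user credentials ar wrong" carries a pre-existing typo ("are") that could be fixed while this region is being touched.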
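Review bot: in the @@ -541,8 +547,16 @@ hunk "by plainrsa-gen(8)." should be `.Xr plainrsa-gen 8` on its own macro line, consistent with the `.Xr racoon 8` two lines above it. The added sentence only says what the file is expected to contain; the `certfile` case just above it states what racoon does (ignores the CERT payload and uses the file as the peer's certificate), so the `plain_rsa` case should state the corresponding behaviour, i.e. that the key in `pubkeyfile` is what is used to check the peer's signature, and that no CERT payload is expected.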
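Review bot: in the @@ -825,9 +839,11 @@ hunk the parenthetical "(for plain RSA authentication)" after `rsasig` is misleading: `rsasig` is the RSA signature method for both the `x509` and the `plain_rsa` forms of `certificate_type` documented earlier in this page, and plain RSA is selected by `certificate_type plain_rsa`, not by a separate `authentication_method` value. Either drop the parenthetical or reword it along the lines of "(RSA signatures, using either X.509 certificates or plain RSA keys as selected by `certificate_type`)".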
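Review bot: in the @@ -1328,8 +1344,27 @@ hunk the sample sets `path certificate "/usr/local/v6/etc" ;` and then passes absolute paths to `certificate_type` and `peers_certfile` anyway, so the `path` line does nothing in this example; either use bare file names (`"myrsakey.priv"`, `"yourrsakey.pub"`) so the sample shows the path directive in use, or drop the line. The two key lines also end in `";` whereas every other statement in this sample, and in the pre-shared key sample that follows, has a space before the `;`. A one-line remark after the example that `myrsakey.priv` is the private key and must be kept unreadable by other users would also be worth adding.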