[Ipsec-tools-devel] Documentation Diff: Plain RSA Authentication

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

Hello,

Here is a submission for a documentation fix that provides a little
more on the RSA authentication process.  Please let me know what you
think.

Thanks,
Simon

? plainrsadoc.diff
? src/racoon/racoon.conf.5.master
Index: src/racoon/racoon.conf.5
===================================================================
RCS file: /cvsroot/src/crypto/dist/ipsec-tools/src/racoon/racoon.conf.5,v
retrieving revision 1.33
diff -U4 -r1.33 racoon.conf.5

--- src/racoon/racoon.conf.5	5 Dec 2006 13:38:40 -0000	1.33
+++ src/racoon/racoon.conf.5	9 Dec 2006 02:22:52 -0000
@@ -506,8 +506,14 @@
 means a file name of a certificate.
 .Ar privkeyfile
 means a file name of a secret key.
 .El
+.Bl -tag -width Ds -compact
+.It Ic plain_rsa Ar privkeyfile ;
+.Ar privkeyfile
+means a file name of a private key generated by plainrsa-gen(8).  Required
+for RSA authentication.
+.El
 .It Ic ca_type Ar cacertspec ;
 specifies a root certificate authority specification.
 .Ar cacertspec
 is one of followings:
@@ -528,9 +534,9 @@
 This is a small security risk, so the default is off, meaning that
 racoon will keep on trying to establish a connection even if the
 user credentials ar wrong, for instance.
 .\"
-.It Ic peers_certfile ( dnssec | Ar certfile ) ;
+.It Ic peers_certfile ( dnssec | Ar certfile | Ic plain_rsa Ar pubkeyfile ) ;
 If
 .Ic dnssec
 is defined,
 .Xr racoon 8
@@ -541,8 +547,16 @@
 is defined,
 .Xr racoon 8
 will ignore the CERT payload from the peer,
 and will use this certificate as the peer's certificate.
+If
+.Ic plain_rsa
+is defined,
+.Xr racoon 8
+will expect
+.Ar pubkeyfile
+to be the peer's public key that was generated
+by plainrsa-gen(8).
 .\"
 .It Ic script Ar script Ic phase1_up
 .It Ic script Ar script Ic phase1_down
 Shell scripts that get executed when a phase 1 SA goes up or down.
@@ -825,9 +839,11 @@
 defines the authentication method used for the phase 1 negotiation.
 This directive must be defined.
 .Ar type
 is one of:
-.Ic pre_shared_key , rsasig , gssapi_krb , hybrid_rsa_server ,
+.Ic pre_shared_key , rsasig
+(for plain RSA authentication),
+.Ic gssapi_krb , hybrid_rsa_server ,
 .Ic hybrid_rsa_client , xauth_rsa_server , xauth_rsa_client , xauth_psk_server
 or
 .Ic xauth_psk_client .
 .\"
@@ -1328,8 +1344,27 @@
 	compression_algorithm deflate ;
 }
 .Ed
 .Pp
+If you are configuring plain RSA authentication, the remote directive
+should look like the following:
+.Bd -literal -offset
+path certificate "/usr/local/v6/etc" ;
+remote anonymous
+{
+        exchange_mode main,base ;
+        lifetime time 12 hour ;
+        certificate_type plain_rsa "/usr/local/v6/etc/myrsakey.priv";
+        peers_certfile plain_rsa "/usr/local/v6/etc/yourrsakey.pub";
+        proposal {
+                        encryption_algorithm aes ;
+                        hash_algorithm sha1 ;
+                        authentication_method rsasig ;
+                        dh_group 2 ;
+        }
+}
+.Ed
+.Pp
 The following is a sample for the pre-shared key file.
 .Bd -literal -offset
 10.160.94.3     mekmitasdigoat
 172.16.1.133    0x12345678


