PHOTURISD(8) OpenBSD System Manager's Manual PHOTURISD(8)
NAME
photurisd - IPsec key management daemon
SYNOPSIS
photurisd [-ci] [-d directory] [-p port]
DESCRIPTION
The photurisd daemon establishes security associations for encrypted
and/or authenticated network traffic.
The daemon listens to a named pipe photuris.pipe for user requests and on
a PF_ENCAP socket for kernel requests.
The options are as follows:
-c The -c option is used to force a primality check of the bootstrapped
moduli.
-i The -i option can be used to ignore the photuris.startup file.
Otherwise the exchanges in that file will be initiated on startup.
-d directory
The -d option specifies the directory in which photurisd looks
for its startup files. The default is /etc/photuris/.
-p port
The -p option specifies the local port the daemon shall bind to.
The file photuris.conf contains the moduli for the DH exchange and the
actual exchange schemes used to establish a shared secret. The following
keywords are understood:
modulus This keyword is followed by the numeric generator and
modulus. Those two values describe the group in which
exchange values for the ``Diffie-Hellman'' key exchange
are generated. The modulus needs to be a ``safe prime''.
exchange This keyword is used to specify the supported exchange
schemes. The scheme is followed by either zero or the
number of bits of the modulus to be used with this
scheme. If zero is specified the given scheme acts as
modifier to the base scheme. The base scheme is
``DH_G_2_MD5'' (generator of two and MD5 identification).
Extended schemes are ``DH_G_2_DES_MD5'' and
``DH_G_2_3DES_SHA1''. An exchange can only be configured
if an appropriate modulus has been given before.
config This is used to configure the LifeTimes of SPIs and exchanges.
The configurable values are:
exchange_max_retries, exchange_retransmit_timeout,
exchange_timeout, exchange_lifetime and spi_lifetime.
They are followed by an integer.
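As an added illustration (not code from photurisd), the following Python performs the kind of check the -c option forces on the moduli: it verifies that a ``modulus'' line carries a safe prime and that the generator does not fall into the trivial subgroups of order 1 or 2. The function names are my own.

```python
import random
# First twelve primes: trial-division filter and deterministic Miller-Rabin
# bases (exact for n < 3.3e24); larger moduli additionally get random bases.
_SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n, extra_rounds=32):
    """Miller-Rabin primality test, strong enough for vetting DH moduli."""
    if n < 2:
        return False
    for p in _SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:            # n - 1 == d * 2**r with d odd
        d, r = d // 2, r + 1
    bases = list(_SMALL_PRIMES)
    if n >= 3_317_044_064_679_887_385_961_981:
        bases += [random.randrange(2, n - 1) for _ in range(extra_rounds)]
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False         # a witnesses that n is composite
    return True

def is_safe_prime(p):
    """p = 2q + 1 with q prime: subgroups of Z_p^* have order 1, 2, q or 2q only."""
    return p > 3 and is_probable_prime(p) and is_probable_prime((p - 1) // 2)

def generator_order(g, p):
    """Order of g modulo a safe prime p; 1 or 2 means g is unusable for DH."""
    q, g = (p - 1) // 2, g % p
    if g in (1, p - 1):
        return 1 if g == 1 else 2
    return q if pow(g, q, p) == 1 else 2 * q

def check_modulus_line(line):
    """Vet one 'modulus <generator> <modulus>' line; returns (bits, problems)."""
    _, g, p = line.split()
    g, p, problems = int(g), int(p), []
    if not is_safe_prime(p):
        problems.append("modulus is not a safe prime")
    elif generator_order(g, p) < (p - 1) // 2:
        problems.append("generator has order 1 or 2")
    return p.bit_length(), problems
```

The small moduli used in the tests are toy values; a real photuris.conf carries moduli of hundreds of bits, for which the same functions apply unchanged.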
The file attributes.conf contains the attributes, i.e., different choices
of encryption and authentication, offered to the other peer. If a line
starts with an IP address and a space-separated netmask the following
attributes are only offered to hosts lying in that net range. Only one
attribute per line is allowed. An attribute can either be an already
defined tag or a new definition of an attribute. In that case the line is
followed by a comma-separated list: attribute name, Photuris ID, type of
attribute and key length. The name is only used as reference. A list of
possible Photuris IDs can be found in /usr/share/ipsec/attributes.conf.
The attribute type is one of the following: ``enc'', ``ident'', ``auth''
or ``ident|auth''. The key length is so far only used by the encryption
attributes and specifies the number of keying bytes the daemon has to
generate. Predefined attributes are:
AT_AH_ATTRIB Starts the list of authentication attributes.
AT_ESP_ATTRIB Starts the list of encryption attributes.
The file secrets.conf contains the party preconfigured symmetric secrets
for the identity exchange.
identity local Defines the identity the local daemon will assume
and the according password. Both name and
secret are braced by quotation marks and
follow the identity local directive.
identity remote Defines the parties the daemon can communicate
with and their secrets. Both name and secret
are braced by quotation marks and follow the
identity remote directive. The name and secret
are the same as the identity local on the
remote site.
identity pair local If the identity of the remote site is already
known, identity pair local enables the daemon
to assume an identity and secret based on the
remote identity. The directive is followed by
the remote identity, a new local identity and
an according secret. In that way the secrets
are not shared with all other parties.
Once DNSSEC or other public key infrastructures are available, those will
be supported also.
Finally the file photuris.startup contains parameters for exchanges which
are created during startup.
The keywords dst, port, options, tsrc, tdst, exchange_lifetime,
spi_lifetime and user are understood in the photuris.startup file. The
values are as follows:
dst The destination IP address with which the exchange
is to be established.
port The port number of the destination photurisd
daemon.
options The options to be used in the exchange. Possible
values are ``enc'' and ``auth''.
exchange_lifetime Determines the lifetime of the exchange. After
an exchange expires no new SPIs are created,
which means the transport or tunnel is torn down
as soon as the current SPI times out (see
spi_lifetime below). The default value is taken
from the exchange_lifetime parameter given
in photuris.conf. If it is not given there the
default is 1800 seconds.
spi_lifetime Determines the lifetime of each created SPI in
the exchange.
user The user name for whom the keying shall be done.
Preconfigured secrets are taken from the user's
secret file.
Exchanges are separated by newlines.
EXAMPLES
A sample photuris.startup entry:
dst=134.100.106.2 port=468 options=auth
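As an added illustration (not part of photurisd), this Python parser reads photuris.startup entries in the format above, validates each keyword's value against the ranges the page gives and applies the exchange_lifetime fallback described earlier. It assumes tsrc and tdst carry IP addresses, which the page does not spell out, and the second sample line is constructed.

```python
import ipaddress
# The man page's sample entry plus a second, constructed line.
SAMPLE_STARTUP = """\
dst=134.100.106.2 port=468 options=auth
dst=134.100.106.3 options=enc spi_lifetime=600 user=alice
"""

def _addr(v):
    return str(ipaddress.ip_address(v))          # rejects malformed addresses

def _int_in(lo, hi, what):
    def conv(v):
        n = int(v)
        if not lo <= n <= hi:
            raise ValueError(f"{what} {n} outside {lo}..{hi}")
        return n
    return conv

def _options(v):
    if v not in ("enc", "auth"):                 # the two values the page lists
        raise ValueError(f"options must be enc or auth, not {v!r}")
    return v

# Keywords the page lists; tsrc/tdst are assumed to hold addresses (not specified).
_KEYWORDS = {"dst": _addr, "tsrc": _addr, "tdst": _addr, "user": str,
             "port": _int_in(1, 65535, "port"), "options": _options,
             "exchange_lifetime": _int_in(1, 2**31 - 1, "exchange_lifetime"),
             "spi_lifetime": _int_in(1, 2**31 - 1, "spi_lifetime")}

def parse_startup(text, conf_exchange_lifetime=None):
    """One exchange per non-empty line of key=value tokens; returns (exchanges, errors)."""
    exchanges, errors = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        try:
            entry = {}
            for token in line.split():
                key, sep, value = token.partition("=")
                if not sep or key not in _KEYWORDS:
                    raise ValueError(f"unknown token {token!r}")
                entry[key] = _KEYWORDS[key](value)
            if "dst" not in entry:
                raise ValueError("dst is required")
            # exchange_lifetime: startup file, else photuris.conf, else 1800 s
            entry.setdefault("exchange_lifetime", conf_exchange_lifetime or 1800)
            exchanges.append(entry)
        except ValueError as err:               # a bad line is dropped whole
            errors.append(f"line {lineno}: {err}")
    return exchanges, errors
```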
SEE ALSO
startkey(1), ipsec(4), vpn(8)
HISTORY
The photuris key management protocol is described in the internet draft
draft-simpson-photuris by the authors Phil Karn and William Allen Simpson.
This implementation was done in 1997 by Niels Provos and appeared in
OpenBSD 2.1.
OpenBSD 3.1 July 18, 1997 3