OpenBSD manual page server

Manual Page Search Parameters

PHOTURISD(8)            OpenBSD System Manager's Manual           PHOTURISD(8)

     photurisd - IPsec key management daemon

     photurisd [-ci] [-d directory] [-p port]

     The photurisd daemon establishes security associations for encrypted
     and/or authenticated network traffic.

     The daemon listens to a named pipe photuris.pipe for user requests and on
     a PF_ENCAP socket for kernel requests.

     The options are as follows:

     -c      The -c option is used to force a primality check of the boot-
             strapped moduli.

     -i      The -i option can be used to ignore the photuris.startup file.
             Otherwise the exchanges in that file will be initiated on start-

     -d directory
             The -d option specifies the directory in which photurisd looks
             for its startup files.  The default is /etc/photuris/.

     -p port
             The -p option specifies the local port the daemon shall bind to.

     The file photuris.conf contains the moduli for the DH exchange and the
     actual exchange schemes used to establish a shared secret.  The following
     keywords are understood:

           modulus   This keyword is followed by the numeric generator and
                     modulus.  Those two values describe the group in which
                     exchange values for the ``Diffie-Hellmann'' key exchange
                     are generated.  The modulus needs to be a ``safe prime''.

           exchange  This keyword is used to specify the supported exchange
                     schemes.  The scheme is followed by either zero or the
                     number of bits of the modulus to be used with this
                     scheme.  If zero is specified the given scheme acts as
                     modifier to the base scheme.  The base scheme is
                     ``DH_G_2_MD5'' (generator of two and MD5 identification).
                     Extended schemes are ``DH_G_2_DES_MD5'' and
                     ``DH_G_2_3DES_SHA1''. An exchange can only be configured
                     if an apropriate modulus has be given before.

           config    This is used to configure the LifeTimes of SPIs and ex-
                     changes.  The configurable values are:
                     exchange_max_retries, exchange_retransmit_timeout,
                     exchange_timeout, exchange_lifetime and spi_lifetime.
                     They are followed by an integer.

     The file attributes.conf contains the attributes, i.e., different choices
     of encryption and authentication, offered to the other peer.  If a line
     starts with an ip address and a space separated netmask the following at-
     tributes are only offered to hosts lying in that net range.  Only one at-
     tribute per line is allowed.  An attribute can either be an already de-
     fined tag or a new definition of an attribute.  In that case the line is
     followed by a comma-separated list: attribute name, Photuris ID, type of
     attribute and key length. The name is only used as reference.  A list of
     possible Photuris IDs can be found in /usr/share/ipsec/attributes.conf.
     The attribute type is one of the following: ``enc'', ``ident'', ``auth''
     or ``ident|auth''. The key length is so far only used by the encryption
     attributes and specifies the number of keying bytes the daemon has to
     generate.  Predefined attributes are:

           AT_AH_ATTRIB   Starts the list of authentication attributes.

           AT_ESP_ATTRIB  Starts the list of encryption attributes.

     The file secrets.conf contains the party preconfigured symmetric secrets
     for the identity exchange.

           identity local       Defines the identity the local daemon will as-
                                sume and the according password.  Both name
                                and secret are braced by quotation marks and
                                follow the identity local directive.

           identity remote      Defines the parties the daemon can communicate
                                with and their secrets.  Both name and secret
                                are braced by quotation marks and follow the
                                identity remote directive.  The name and se-
                                cret are the same as the identity local on the
                                remote site.

           identity pair local  If the identity of the remote site is already
                                known, identity pair local enables the daemon
                                to assume an identity and secret based on the
                                remote identity.  The directive is followed by
                                the remote identity, a new local identity and
                                an according secret.  In that way the secrets
                                are not shared with all other parties.

     Once DNSSEC or other public key infrastructures are available, those will
     be supported also.

     Finally the file photuris.startup contains parameters for exchanges which
     are created during startup.

     The keywords dst, port, options, tsrc, tdst, exchange_lifetime,
     spi_lifetime and user are understood in the photuris.startup file.  The
     values are as follows:

           dst                The destination IP address with which the ex-
                              change is to be established.

           port               The port number of the destination photurisd

           options            The options to be used in the exchange.  Possi-
                              ble values are ``enc'' and ``auth''.

           exchange_lifetime  Determines the lifetime of the exchange.  After
                              an exchange expires no new SPIs are created,
                              which means the transport or tunnel is torn down
                              as soon as the current SPI times out (see
                              spi_lifetime below).  The default value is got-
                              ten from the exchange_lifetime parameter given
                              in photuris.conf. If it is not given there the
                              default is 1800 seconds.

           spi_lifetime       Determines the lifetime of each created SPI in
                              the exchange.

           user               The user name for whom the keying shall be done.
                              Preconfigured secrets are taken from the users
                              secret file.

     Exchanges are separated by newlines.

     A sample photuris.startup entry:

     dst= port=468 options=auth

     startkey(1), ipsec(4), vpn(8)

     The photuris keymanagement protocol is described in the internet draft
     draft-simpson-photuris by the authors Phil Karn and William Allen Simp-
     son.  This implementation was done 1997 by Niels Provos and appeared in
     OpenBSD 2.1.

OpenBSD 3.1                      July 18, 1997                               3