[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
- To: tech_(_at_)_openbsd_(_dot_)_org
- Subject: ssh sentinal?
- From: newsham_(_at_)_lava_(_dot_)_net (Tim Newsham)
- Date: Mon, 16 Apr 2001 12:53:50 -1000 (HST)
I'm playing with the ssh sentinal IPSEC implementation (available for
demo at www.ssh.com). The hurdles I passed so far are:
- they require x509v3 fields present in the CA (in particular,
the CA:true tag). I had to adjust my openssl commands and
generate new certs.
- They send out both SECONDS and KILOBYTES type lifetimes.
I had to adjust isakmpd.conf to add a new suite which
included both a lifetime of 3600 seconds and ANY kilobytes.
I think isakmpd can be adjusted to make this easier in
the future. All suites using time based lifetimes should be
augmented to support any data lifetime, and similarly any
suite using transfer based lifetimes should be augmented to
support any seconds lifetime. For example:
This wont affect functionality, except to make interop simpler,
since you dont normally mind if the peer rekeys more often than
The hurdle I'm on right now is this:
sentinal->obsd KE, NONCE, CertReq
next payload = 0
length = 5
cert type = 4 (x509)
[no certificate authority data follows]
The openbsd box at this point complains about ID missing in
x509_cert_obtain, because it is trying to look up the
id from the exchange->id_i or exchange->id_r, which has not
yet been exchanged. No reply is ever sent and the protocol
grinds to a halt. I'm not sure what the openbsd box is supposed
to do at this point. Any ideas?