man isakmpd typos

Hi IPv6/IPSec masters,

Reading the manual page for isakmpd, I think I found some typos in the
X509 authentication section. Currently, it reads:

    2. Create Certificate Signing Requests (CSRs) for IKE peers. The CSRs
       are signed with a pre-generated private key. This step, as well as
       the next one, needs to be done for every peer. Furthermore the last
       step will need to be done once for each ID you want the peer to
       have. The 10.0.0.1 below symbolizes that ID, in this case an IPv4
       ID, and should be changed for each invocation. You will be asked
       for a DN for each run. Encoding the ID in the common name is
       recommended, as it should be unique.

       # openssl req -new -key /etc/isakmpd/private/local.key \
           -out /etc/isakmpd/private/10.0.0.1.csr

I think the command is wrong. The "-key" command-line argument tells
OpenSSL where the existing RSA private key is located. However, since
we are requesting a new CSR and the key does not exist yet (in the
manual page I can't seem to find any sentence that states this fact),
the previously listed command will fail:

    Error opening Private Key /etc/isakmpd/private/local.key
    20798:error:02001002:system library:fopen:No such file or directory:/usr/src/lib/libssl/src/crypto/bio/bss_file.c:278:fopen('/etc/isakmpd/private/local.key','r')
    20798:error:20074002:BIO routines:FILE_CTRL:system lib:/usr/src/lib/libssl/src/crypto/bio/bss_file.c:280:
    unable to load Private Key

I think the manual page should list the following commands:

    # openssl genrsa -out /etc/isakmpd/private/local.key

This will generate a (by default, 1024 bits) RSA private key. Then,
this command will generate the Certificate Signing Request:

    # openssl req -new -key /etc/isakmpd/private/local.key -out /etc/isakmpd/private/10.0.0.1.csr

Can you comment? Thanks!

-- 
http://www.felipe-alfaro.org/blog/disclaimer/
Re: man isakmpd typos

On 2008/10/27 02:19, Felipe Alfaro Solana wrote:
>
> # openssl req -new -key /etc/isakmpd/private/local.key \
>     -out /etc/isakmpd/private/10.0.0.1.csr
>
> I think the command is wrong. The "-key" command-line argument tells
> OpenSSL where the existing RSA private key is located. However, since
> we are requesting a new CSR and the key does not exist yet

It is created by /etc/rc at system startup.
Re: man isakmpd typos

On Mon, Oct 27, 2008 at 8:30 AM, Stuart Henderson <stu@...> wrote:
> On 2008/10/27 02:19, Felipe Alfaro Solana wrote:
>>
>> # openssl req -new -key /etc/isakmpd/private/local.key \
>>     -out /etc/isakmpd/private/10.0.0.1.csr
>>
>> I think the command is wrong. The "-key" command-line argument tells
>> OpenSSL where the existing RSA private key is located. However, since
>> we are requesting a new CSR and the key does not exist yet
>
> It is created by /etc/rc at system startup.

You are totally right. I killed that file when configuring isakmpd.

But, wouldn't it be nice to add a comment to the manual page about how
local.key is generated by /etc/rc? It might prevent dumb people like
me, that removed the local.key file, from getting funny error messages
in the command-line when they are not familiar with OpenSSL?

-- 
http://www.felipe-alfaro.org/blog/disclaimer/
Re: man isakmpd typos

On 2008/10/27 12:36, Felipe Alfaro Solana wrote:
> On Mon, Oct 27, 2008 at 8:30 AM, Stuart Henderson <stu@...> wrote:
> > On 2008/10/27 02:19, Felipe Alfaro Solana wrote:
> >>
> >> # openssl req -new -key /etc/isakmpd/private/local.key \
> >>     -out /etc/isakmpd/private/10.0.0.1.csr
> >>
> >> I think the command is wrong. The "-key" command-line argument tells
> >> OpenSSL where the existing RSA private key is located. However, since
> >> we are requesting a new CSR and the key does not exist yet
> >
> > It is created by /etc/rc at system startup.
>
> You are totally right. I killed that file when configuring isakmpd.
>
> But, wouldn't it be nice to add a comment to the manual page about how
> local.key is generated by /etc/rc? It might prevent dumb people like
> me, that removed the local.key file, from getting funny error messages
> in the command-line when they are not familiar with OpenSSL?

I don't know, ssh manuals don't go into detail about how to fix things
when you remove the host keys, etc.. I think it's expected that if you
remove a system configuration file you should know what you're letting
yourself in for.
Re: man isakmpd typos

Hi Felipe,

On Mon, Oct 27, 2008 at 12:36:17PM +0100, Felipe Alfaro Solana wrote:
| On Mon, Oct 27, 2008 at 8:30 AM, Stuart Henderson <stu@...> wrote:
| > On 2008/10/27 02:19, Felipe Alfaro Solana wrote:
| >>
| >> # openssl req -new -key /etc/isakmpd/private/local.key \
| >>     -out /etc/isakmpd/private/10.0.0.1.csr
| >>
| >> I think the command is wrong. The "-key" command-line argument tells
| >> OpenSSL where the existing RSA private key is located. However, since
| >> we are requesting a new CSR and the key does not exist yet
| >
| > It is created by /etc/rc at system startup.
|
| You are totally right. I killed that file when configuring isakmpd.
|
| But, wouldn't it be nice to add a comment to the manual page about how
| local.key is generated by /etc/rc? It might prevent dumb people like
| me, that removed the local.key file, from getting funny error messages
| in the command-line when they are not familiar with OpenSSL?

A reboot will get you this file back (well, not exactly the same
file). This is mentioned in the documentation of isakmpd(8):

    /etc/isakmpd/private/
        The directory where local private keys used for public
        key authentication are kept. By default, the system
        startup script rc(8) generates a key-pair when starting,
        if one does not already exist.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
http://www.weirdnet.nl/
Re: man isakmpd typos

On Mon, Oct 27, 2008 at 12:55 PM, Paul de Weerd <weerd@...> wrote:
> Hi Felipe,
>
> On Mon, Oct 27, 2008 at 12:36:17PM +0100, Felipe Alfaro Solana wrote:
> | On Mon, Oct 27, 2008 at 8:30 AM, Stuart Henderson <stu@...> wrote:
> | > On 2008/10/27 02:19, Felipe Alfaro Solana wrote:
> | >>
> | >> # openssl req -new -key /etc/isakmpd/private/local.key \
> | >>     -out /etc/isakmpd/private/10.0.0.1.csr
> | >>
> | >> I think the command is wrong. The "-key" command-line argument tells
> | >> OpenSSL where the existing RSA private key is located. However, since
> | >> we are requesting a new CSR and the key does not exist yet
> | >
> | > It is created by /etc/rc at system startup.
> |
> | You are totally right. I killed that file when configuring isakmpd.
> |
> | But, wouldn't it be nice to add a comment to the manual page about how
> | local.key is generated by /etc/rc? It might prevent dumb people like
> | me, that removed the local.key file, from getting funny error messages
> | in the command-line when they are not familiar with OpenSSL?
>
> A reboot will get you this file back (well, not exactly the same
> file). This is mentioned in the documentation of isakmpd(8):

Yes, that's for sure. Also, some people might want to use bigger keys
(like 2,048 bits), that's why I thought that mentioning how the
local.key file is created might be worth it. It's not a big deal,
though, as it's just a matter of searching a bit (and running openssl
genrsa). But for people not familiar with OpenSSL it could save a bit
of time. Just my 2 Swiss Francs :)

>     /etc/isakmpd/private/
>         The directory where local private keys used for public
>         key authentication are kept. By default, the system
>         startup script rc(8) generates a key-pair when starting,
>         if one does not already exist.

Turns out that I didn't read the manual page very well, as this is
already mentioned.

-- 
http://www.felipe-alfaro.org/blog/disclaimer/
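The procedure the thread settles on, as an added example (not code from the isakmpd manual page, from OpenBSD's rc(8), or from anyone in this thread): create local.key only if it is missing, the way the thread says rc(8) does at boot, then generate one CSR per peer ID with the ID encoded in the common name as the manual page recommends. It defaults to a 2048-bit key, which the last post gives as the reason for running openssl genrsa by hand, and it reports a plain "key is missing" error instead of the fopen failure quoted in the first post. The paths are the ones from isakmpd(8); the ISAKMPD_PRIVDIR and ISAKMPD_KEYBITS variables and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not code from the isakmpd manual page or from the thread.
# Creates /etc/isakmpd/private/local.key only when it is missing (what the
# thread says rc(8) does at startup), then builds one CSR per peer ID with
# the ID in the CN. ISAKMPD_PRIVDIR and ISAKMPD_KEYBITS are assumed names.
set -eu

KEYDIR="${ISAKMPD_PRIVDIR:-/etc/isakmpd/private}"
KEYBITS="${ISAKMPD_KEYBITS:-2048}"

# Create $KEYDIR/local.key unless a non-empty one already exists, so a rerun
# never silently replaces a key whose certificates are already deployed.
ensure_local_key() {
    key="$KEYDIR/local.key"
    if [ -s "$key" ]; then
        echo "keeping existing $key" >&2
        return 0
    fi
    mkdir -p "$KEYDIR"
    # subshell so the restrictive umask does not leak into the caller
    (umask 077 && openssl genrsa -out "$key" "$KEYBITS" 2>/dev/null)
    chmod 600 "$key"
}

# Report the modulus size of local.key (e.g. 2048) so the result can be checked.
key_bits() {
    openssl rsa -in "$KEYDIR/local.key" -noout -text 2>/dev/null |
        sed -n 's/.*(\([0-9][0-9]*\) bit.*/\1/p' | head -n 1
}

# Create $KEYDIR/<id>.csr for one peer ID (e.g. 10.0.0.1), signed with
# local.key. Fails with a clear message instead of OpenSSL's fopen error
# when the key is absent, which is the situation the first post ran into.
make_csr() {
    id="$1"
    key="$KEYDIR/local.key"
    if [ ! -s "$key" ]; then
        echo "$key is missing; run ensure_local_key (or reboot so rc(8) recreates it)" >&2
        return 1
    fi
    openssl req -new -key "$key" -subj "/CN=$id" -out "$KEYDIR/$id.csr" 2>/dev/null
}

# Print the subject of a peer's CSR so the encoded ID can be checked before signing.
csr_subject() {
    openssl req -in "$KEYDIR/$1.csr" -noout -subject
}

# Typical use, run as root on the isakmpd host:
#   ensure_local_key && make_csr 10.0.0.1 && csr_subject 10.0.0.1
```

Run make_csr once per ID the peer should carry, as the manual page says; ensure_local_key is safe to call before each one because it leaves an existing key alone.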