| author | Reyk Floeter <reyk@cvs.openbsd.org> | 2017-03-27 10:06:42 +0000 |
|---|---|---|
| committer | Reyk Floeter <reyk@cvs.openbsd.org> | 2017-03-27 10:06:42 +0000 |
| commit | e3affe111fdf78b3b570254f4a8bcac92e8e2264 | |
| tree | 73ccda4a2c611b5451af51e88ec416c476c3f7fd /sbin/iked/iked.conf.5 | |
| parent | 650ec76b079154b185c886970968e2cc614b4e65 | |
Add support for RFC4754 (ECDSA) and RFC7427 authentication.
These modes provide stronger and more flexible ways for
authentication: while RSA public key auth relies on SHA-1 hashes, the
new modes use SHA2-256 and up to SHA2-512 hashes.
Original diff from markus@ with patches from mikeb@ and me.
OK mikeb@ patrick@
Diffstat (limited to 'sbin/iked/iked.conf.5')

| -rw-r--r-- | sbin/iked/iked.conf.5 | 29 |
|---|---|---|

1 files changed, 22 insertions, 7 deletions
diff --git a/sbin/iked/iked.conf.5 b/sbin/iked/iked.conf.5 index a4b60844e78..68784f45161 100644 --- a/sbin/iked/iked.conf.5 +++ b/sbin/iked/iked.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: iked.conf.5,v 1.47 2017/03/13 15:07:51 patrick Exp $ +.\" $OpenBSD: iked.conf.5,v 1.48 2017/03/27 10:06:41 reyk Exp $ .\" .\" Copyright (c) 2010 - 2014 Reyk Floeter <reyk@openbsd.org> .\" Copyright (c) 2004 Mathieu Sauve-Frankel All rights reserved. @@ -15,7 +15,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: March 13 2017 $ +.Dd $Mdocdate: March 27 2017 $ .Dt IKED.CONF 5 .Os .Sh NAME @@ -477,9 +477,14 @@ for kilo-, mega- and gigabytes accordingly. Please note that rekeying must happen at least several times a day as IPsec security heavily depends on frequent key renewals. .It Op Ar ikeauth -Specify the mode to mutually authenticate the peers. -Non-psk modes will require to set up certificates and RSA public keys; -see +Specify a method to be used to authenticate the remote peer. +.Xr iked 8 +will automatically determine a method based on public keys or certificates +configured for the peer. +.Ar ikeauth +can be used to override this behaviour. +Non-psk modes will require to set up certificates and RSA or ECDSA public +keys; see .Xr iked 8 for more information. .Pp 
@@ -491,14 +496,24 @@ The only supported EAP is currently .Ar MSCHAP-V2 . The responder will use RSA public key authentication. +.It Ic ecdsa256 +Use ECDSA with a 256-bit elliptic curve key and SHA2-256 for authentication. +.It Ic ecdsa384 +Use ECDSA with a 384-bit elliptic curve key and SHA2-384 for authentication. +.It Ic ecdsa521 +Use ECDSA with a 521-bit elliptic curve key and SHA2-512 for authentication. .It Ic psk Ar string Use a pre-shared key .Ar string or hex value (starting with 0x) for authentication. +.It Ic rfc7427 +Only use RFC 7427 signatures for authentication. +RFC 7427 signatures currently only support SHA2-256 as the hash. .It Ic rsa -Use RSA public key authentication. -This is the default mode if no option is specified. +Use RSA public key authentication with SHA1 as the hash. .El +.Pp +The default is to allow any signature authentication. .It Ic config Ar option address Send one or more optional configuration payloads (CP) to the peer. The configuration |
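Review bot: in the @@ -477 hunk, the rewritten sentence "Non-psk modes will require to set up certificates and RSA or ECDSA public keys" keeps the ungrammatical "require to set up" from the old text; suggest "Non-psk modes require certificates and RSA or ECDSA public keys to be set up; see". The same hunk now cross-references `.Xr iked 8` twice within five lines ("will automatically determine a method" and "see .Xr iked 8 for more information"); one of the two could be dropped.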
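Review bot: in the @@ -491 hunk, the rsa entry says "with SHA1 as the hash" while the new ecdsa256/ecdsa384/ecdsa521 entries and the rfc7427 entry write "SHA2-256", "SHA2-384" and "SHA2-512"; spelling the hash names consistently (e.g. "SHA-1" alongside "SHA2-256") would help readers comparing the modes. The ecdsa entries also do not say which signature method they use, whereas the rfc7427 entry names its RFC; since the commit message adds RFC 4754 support, each ecdsa entry could mention RFC 4754. Finally, the unchanged context line under eap, "The responder will use RSA public key authentication.", may need re-checking now that the trailing text states "The default is to allow any signature authentication."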