-rw-r--r--  usr.sbin/sasyncd/sasyncd.8       43
-rw-r--r--  usr.sbin/sasyncd/sasyncd.conf.5  47
2 files changed, 48 insertions, 42 deletions
diff --git a/usr.sbin/sasyncd/sasyncd.8 b/usr.sbin/sasyncd/sasyncd.8 index 9e4617a7ba2..0ab68b4a8e0 100644 --- a/usr.sbin/sasyncd/sasyncd.8 +++ b/usr.sbin/sasyncd/sasyncd.8 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sasyncd.8,v 1.3 2005/05/01 20:44:12 jmc Exp $ +.\" $OpenBSD: sasyncd.8,v 1.4 2005/05/23 17:32:49 ho Exp $ .\" .\" Copyright (c) 2005 Håkan Olsson. All rights reserved. .\" @@ -66,17 +66,17 @@ It is possible to the daemon to a particular state; see .Xr sasyncd.conf 5 . .Ss Host to host communication -All +As .Nm -host to host communication is protected by -.Xr ssl 8 , -so the daemon requires certificates configured for each host. -Normally -.Pa /etc/ssl/sasyncd.crt -and -.Pa /etc/ssl/private/sasyncd.key -are used, although alternate locations may be specified in the -configuration file. +will transmit IPSec SA keys over a network not guaranteed to be +private, +.Nm +messages are protected using AES and SHA. +The shared key used for the encryption must be specified in +.Pa /etc/sasyncd.conf . +See +.Xr sasyncd.conf 5 +for more information. .Pp The options are as follows: .Bl -tag -width Ds @@ -89,11 +89,16 @@ option specifies an alternate configuration file instead of The .Fl d option causes the daemon to run in the foreground, logging to stderr. +Without this option, +.Nm +sends log messages to +.Xr syslog(3) . .It Fl v The .Fl v -option increases the verbosity level of the daemon. -This option can be specified several times. +option increases the verbosity level of the daemon, used primarily for +debugging. +This option may be specified several times. .El .Sh FILES .Bl -tag -width /etc/ssl/private/sasyncd.key -compact 
@@ -101,20 +106,14 @@ This option can be specified several times. The default .Nm configuration file. -.It Pa /etc/ssl/sasyncd.crt -The default certificate. -.It Pa /etc/ssl/private/sasyncd.key -The default private key. -.It Pa /etc/ssl/ca.crt -The default CA certificate. .El .Sh SEE ALSO -.Xr openssl 1 , +.Xr crypto 3 , +.Xr syslog 3 , .Xr carp 4 , .Xr ipsec 4 , .Xr sasyncd.conf 5 , -.Xr isakmpd 8 , -.Xr ssl 8 +.Xr isakmpd 8 .Sh HISTORY The .Nm diff --git a/usr.sbin/sasyncd/sasyncd.conf.5 b/usr.sbin/sasyncd/sasyncd.conf.5 index 94552c5b110..4d9a7c9a1cd 100644 --- a/usr.sbin/sasyncd/sasyncd.conf.5 +++ b/usr.sbin/sasyncd/sasyncd.conf.5 @@ -1,4 +1,4 @@ -.\" $OpenBSD: sasyncd.conf.5,v 1.3 2005/05/01 17:35:27 david Exp $ +.\" $OpenBSD: sasyncd.conf.5,v 1.4 2005/05/23 17:32:49 ho Exp $ .\" .\" Copyright (c) 2005 Håkan Olsson. All rights reserved. .\" @@ -43,12 +43,21 @@ Comments can be put anywhere in the file using a hash mark .Pq Sq # , and extends to the end of the current line. .Pp +Since the file contains the shared secret key used to encrypt data +between this host and the others, +.Pa /etc/sasyncd.conf +must be owned either by +.Nm root +or the +.Nm _isakmpd +pseudo user and be readable only by this owner, e.g +.Bd -literal -offset indent +# chown root /etc/sasyncd.conf +# chmod 0600 /etc/sasyncd.conf +.Ed +.Pp The following configuration settings are understood: .Bl -tag -width Ds -.It Ic CAcertificate file Ar filename -Specify a file containing the CA certificate. -The default is -.Pa /etc/ssl/ca.crt . .It Ic carp interface Ar interface Specify which .Xr carp 4 
@@ -59,20 +68,19 @@ should track master/slave state on. Specify how often the daemon should check the above interface for state changes. Defaults to once every 10 seconds. -.It Ic certificate file Ar filename -Specify a file containing our certificate. -The default is -.Pa /etc/ssl/sasyncd.crt . .It Ic listen on Ar address Specify a local IP address, hostname, or interface the .Xr sasyncd 8 daemon should listen on. The default is to listen on all local addresses. .It Ic listen port Ar port -Specify a local port the +Specify a local TCP port the .Xr sasyncd 8 daemon should listen on. -The default is to listen on port 501. +The default is to listen on port 500. +.It Ic mode master | slave +Force the daemon to run as master or slave. +Normally only intended for debugging use. .It Ic peer Ar address Specify a .Xr sasyncd 8 @@ -84,18 +92,17 @@ peer 10.0.0.2 peer 10.0.0.3 peer 10.0.0.4 .Ed -.It Ic private key file Ar filename -Specify a file containing the private key matching the certificate -specified using -.Ar certificate file . -The default is -.Pa /etc/ssl/private/sasyncd.key . -.It Ic run as master | slave -Force the daemon to run as master or slave. -Normally only intended for debugging use. +.It Ic sharedkey Ar key +The shared AES key used to encrypt messages between +.Xr sasyncd 8 +hosts. +This configuration setting is required and must be either 16, 24 or 32 +bytes long (corresponding to AES using a 128, 192 or 256 bit key). .El .Sh SEE ALSO +.Xr chmod 1 , .Xr carp 4 , +.Xr chown 8 , .Xr sasyncd 8 .Sh HISTORY The |
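Review bot: in the sasyncd.8 "Host to host communication" hunk (@@ -66), "messages are protected using AES and SHA" names two primitives but not what protection they give; a reader choosing between this and the removed ssl(8) transport needs to know that AES provides confidentiality, whether SHA is used as a keyed MAC (HMAC) for message integrity, and that peer authentication now rests entirely on possession of the shared key rather than on certificates. Suggest spelling that out in one sentence, e.g. "messages are encrypted with AES and authenticated with a SHA-based HMAC keyed from the same shared secret", adjusted to whatever the code actually does.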
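Review bot: in the sasyncd.8 options hunk (@@ -89), the added line `.Xr syslog(3) .` is malformed mdoc; `.Xr` takes the name and section as separate arguments, as the SEE ALSO hunk in the same file does with `.Xr syslog 3 ,`. Change it to `.Xr syslog 3 .` so the cross-reference renders and links correctly.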
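Review bot: in the sasyncd.8 FILES hunk (@@ -101), the three /etc/ssl entries are removed but the list header left in the preceding hunk's context, `.Bl -tag -width /etc/ssl/private/sasyncd.key -compact`, still sizes the tag column from a path that no longer appears anywhere in the page. Change the width to the remaining entry, `.Bl -tag -width /etc/sasyncd.conf -compact`, so the layout matches the content and the stale path does not survive the migration away from SSL.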
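Review bot: in the sasyncd.conf.5 hunk (@@ -43), "readable only by this owner, e.g" is missing the trailing period ("e.g."), and `.Nm root` / `.Nm _isakmpd` use the document-name macro for user names; `.Sy root` or `.Em root` is the conventional markup. More substantively, the paragraph says the file "must" be owned by root or _isakmpd and be mode 0600: please state whether sasyncd(8) actually checks this and refuses to start on a world-readable file, or whether it is only advice, since the difference matters for anyone auditing a deployment.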
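Review bot: in the sasyncd.conf.5 hunk (@@ -59), the default listen port changes from 501 to 500 while the sentence now says "TCP port"; 500 is also the well-known UDP port isakmpd(8) uses, so please confirm the new default matches the code rather than being a typo, and add a clause noting that this is a TCP port that does not conflict with isakmpd's UDP/500. The same hunk also renames the keyword from `run as master | slave` (removed in @@ -84) to `mode master | slave`; existing configurations using the old spelling will stop parsing, so the rename deserves a mention (a compatibility note, or accepting both forms).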
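Review bot: in the sasyncd.conf.5 `sharedkey` hunk (@@ -84), "must be either 16, 24 or 32 bytes long" does not say how the key is written in the file: as raw characters, or as a hex string that decodes to that many bytes. If it is raw characters, a 16-character passphrase typed by hand has far less than 128 bits of entropy, so the entry should state the expected encoding and tell the administrator to generate the key from a random source rather than choose it. Also "16, 24 or 32" should read "16, 24, or 32" to match the serial-comma style used elsewhere in the page ("peer 10.0.0.2, ..." list aside), or be left consistent with the file's existing usage.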