From owner-freebsd-security Wed Sep 27 17: 1: 5 2000 Delivered-To: freebsd-security@freebsd.org Received: from freefall.freebsd.org (freefall.FreeBSD.org [216.136.204.21]) by hub.freebsd.org (Postfix) with ESMTP id 3114937B423; Wed, 27 Sep 2000 17:01:03 -0700 (PDT) Received: from localhost (kris@localhost) by freefall.freebsd.org (8.9.3/8.9.2) with ESMTP id RAA05244; Wed, 27 Sep 2000 17:01:03 -0700 (PDT) (envelope-from kris@FreeBSD.org) X-Authentication-Warning: freefall.freebsd.org: kris owned process doing -bs Date: Wed, 27 Sep 2000 17:01:02 -0700 (PDT) From: Kris Kennaway To: Sam wun Cc: "'freebsd-security@freebsd.org'" Subject: Re: What happened if the pre-share key got cacked? In-Reply-To: <39D1B8E8.B5B070FB@eSec.com.au> Message-ID: MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org On Wed, 27 Sep 2000, Sam wun wrote: > I am a bit concernt about hte pre-share key that using by the IPsec couple of > client and the server machines. > What if this key got stolent somehow? what will be the consequence? > I am using IPSec in FreeBSD. The pre-share key is used by racoon. The psk.txt > is protected by 600 permission. But what if my root account got cracked? > anyone whom posesses my root account will be able to see the content of the > psk.txt file? They can do a hell of a lot more than that if they get root. Thats why it's important to make sure attackers can't get root on your boxes, and to choose a cryptographically strong pre-shared key (i.e. n bits of output from /dev/random :-) Kris -- In God we Trust -- all others must submit an X.509 certificate. -- Charles Forsythe To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message