Date:      Wed, 21 Oct 1998 15:42:37 -0400
From:      "Jim Flowers" <jflowers@ezo.net>
To:        "Frank Tobin" <ftobin@bigfoot.com>
Cc:        <security@FreeBSD.ORG>
Subject:   Re: SKIP
Message-ID:  <005301bdfd2a$f58611e0$abd396ce@ivy.ezo.net>

There are a number of possibilities.  Make sure the times of the two
machines are synched.  Are you using udh keys?

One technique I have found quite useful is to do a 'skiplocal export >
/tmp/add_remote' on each host which generates a shell script.  Then ftp them
to the opposite host and run it 'sh /tmp/add_remote', all before turning
skip on with 'skiphost -o on'.  This is particularly useful when setting up
tunnels although you have to edit the script.  I just use the examples from
the manual pages as a template.  Good idea to do a 'skiphost -a default'
while you're getting the feel of it to eliminate side issues.

Use tcpdump host skiphost.machine.name on another virtual console to see
what's going on.

Another thing to watch.  Both keys must be the same length and the NSID must
be correct (8 if you're using UDH).  If you generate multiple keys, you may
not be using the one you think you are.  Skiplocal export will tell you what
it thinks the default is (it's in slot 0).

Also, the update of the certificate database can be non-intuitive.  Do a
skipdb_restart when it doesn't work and you think it should.

Good luck and stay with it.  Skip on FreeBSD is very robust and once you get
the hang of it, very capable.  Got one VPN up almost a year now.  Archie
Cobb's port is great and it sounds like you got through the whole thing
correctly.

-----Original Message-----
From: Frank Tobin <ftobin@bigfoot.com>
To: security@FreeBSD.ORG <security@FreeBSD.ORG>
Date: Wednesday, October 21, 1998 2:48 PM
Subject: SKIP


>
>- From the looks of it and documentation of it, SKIP seems to be a very nice
>secure-communications program; however, I'm having a lot of difficulty
>getting it to communicate with other machines.  Here's a summary of what
>I've done and attempted:
>
>- - Installed via the port's Makefile.
>- - Verified skipd is starting up okay, a public and secret key exists.
>- - Added a SKIP-secure host in the authorized list (via skiptool).
>- - Attempted connections via ping, and failed.
>- - Transferred public keys manually to each machine; connections still
>  failed.
>
>- - /var/log/messages has lines such as:
>
>  Oct 20 21:28:44 isr3277 skipd: sending CDP request for nsid=1 mkid=c7588652 to 199.88.134.82
>  Oct 20 21:28:44 isr3277 skipd: IP 199.88.134.82:1640 action=getfail nsid=1 mkid=c7588652 cert=NULL : response=getfail
>  Oct 20 21:28:49 isr3277 skipd: NOCERT: kernel query nsid=1 mkid=c7588652
>
>  *Note* the above logs were after attempting to communicate with a
>  machine I had _not_ transferred public keys with manually.  I don't have
>  the logs that say what happened with the machine I did transfer keys
>  with.
>
>- - SKIP _does_ deny the disallowed hosts.
>
>
>All of this was reciprocally done on two other remote machines to test
>with (e.g., SKIP was set up in the same manner on the other machine I was
>attempting to connect with).
>
>I've read through all of the documentation, especially the sections that
>deal with 'Why isn't it working?' to no avail.  I've tried everything (I
>think).  This looks like a lovely program, one I'd really like to get
>working, and _any_ help such as noting common pitfalls when setting it up
>would be extremely appreciated.
>
>- --
>
>Frank Tobin                      "To learn what is good and what is to be
>http://www.bigfoot.com/~ftobin    valued, those truths which cannot be
>                                  shaken or changed." Myst: The Book of Atrus
>FreeBSD: The Power To Serve
>
>
>
>
>To Unsubscribe: send mail to majordomo@FreeBSD.org
>with "unsubscribe freebsd-security" in the body of the message
>
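Added here as an illustration, not code from the thread or from the SKIP port: a small Python triage of the skipd lines Frank quoted, grouping messages by key and applying the two checks Jim raises (is a certificate for the peer's key present, and is the NSID the one UDH keys use, 8). The sample log is the three lines from the message re-joined onto single lines; the regexes, the `UDH_NSID` constant and the wording of the findings are assumptions based only on the quoted line formats.

```python
import re
from collections import defaultdict

# Constructed sample: the skipd lines quoted in the message, re-joined
# onto single lines (the mail client had wrapped them).
SAMPLE_LOG = """\
Oct 20 21:28:44 isr3277 skipd: sending CDP request for nsid=1 mkid=c7588652 to 199.88.134.82
Oct 20 21:28:44 isr3277 skipd: IP 199.88.134.82:1640 action=getfail nsid=1 mkid=c7588652 cert=NULL : response=getfail
Oct 20 21:28:49 isr3277 skipd: NOCERT: kernel query nsid=1 mkid=c7588652
"""

UDH_NSID = 8  # assumption taken from the reply: UDH keys must use NSID 8

# Assumed patterns, derived only from the three quoted line formats.
CDP_REQ = re.compile(r"skipd: sending CDP request for nsid=(\d+) mkid=(\w+) to (\S+)")
CDP_RESP = re.compile(r"skipd: IP (\S+?):\d+ action=(\w+) nsid=(\d+) mkid=(\w+) cert=(\S+)")
NOCERT = re.compile(r"skipd: NOCERT: kernel query nsid=(\d+) mkid=(\w+)")

def diagnose(log):
    """Group skipd messages by (nsid, mkid) and list what went wrong per key."""
    keys = defaultdict(lambda: {"peer": None, "response": None,
                                "cert": None, "nocert": False})
    for line in log.splitlines():
        m = CDP_REQ.search(line)
        if m:
            keys[(int(m[1]), m[2])]["peer"] = m[3]
            continue
        m = CDP_RESP.search(line)
        if m:
            k = keys[(int(m[3]), m[4])]
            k["peer"], k["response"], k["cert"] = m[1], m[2], m[5]
            continue
        m = NOCERT.search(line)
        if m:
            keys[(int(m[1]), m[2])]["nocert"] = True
    findings = {}
    for (nsid, mkid), k in keys.items():
        problems = []
        if k["response"] == "getfail" or k["cert"] == "NULL":
            problems.append("peer answered the CDP request with getfail (no certificate returned)")
        if k["nocert"]:
            problems.append("no certificate for this key in the local database (NOCERT)")
        if nsid != UDH_NSID:
            problems.append(f"nsid={nsid} differs from {UDH_NSID}, the value UDH keys need; "
                            "check the key type and NSID on both hosts")
        findings[(nsid, mkid)] = {"peer": k["peer"], "problems": problems}
    return findings

if __name__ == "__main__":
    for key, f in diagnose(SAMPLE_LOG).items():
        print(f"nsid={key[0]} mkid={key[1]} peer={f['peer']}")
        for p in f["problems"]:
            print("  -", p)
```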





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?005301bdfd2a$f58611e0$abd396ce>