<!--startcut ======================================================= -->
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<html>
<head>
<META NAME="generator" CONTENT="lgazmail v1.1F.i">
<TITLE>The Answer Guy 35: FS Security using Linux</TITLE>
</HEAD><BODY BGCOLOR="#FFFFFF" TEXT="#000000"
LINK="#3366FF" VLINK="#A000A0">
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H4>"The Linux Gazette...<I>making Linux just a little more fun!</I>"</H4>
<P> <hr> <P>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<center>
<H1><A NAME="answer">
<img src="../../gx/dennis/qbubble.gif" alt="(?)" border="0" align="middle">
<font color="#B03060">The Answer Guy</font>
<img src="../../gx/dennis/bbubble.gif" alt="(!)" border="0" align="middle">
</A></H1>
<BR>
<H4>By James T. Dennis,
<a href="mailto:linux-questions-only@ssc.com">linux-questions-only@ssc.com</a><BR>
Starshine Technical Services,
<A HREF="http://www.starshine.org/">http://www.starshine.org/</A>
</H4>
</center>
<p><hr><p>
<!-- ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif" height="50" width="60"
alt="(?) " border="0">Crypto Support for Linux</H3>
<p><strong>From dreamwvr, August sometime in 1998
(in an old thread on the Linux-Admin List which
I've been reading as part of the research for my book).
</strong></p>
<!-- begin 15 -->
<P><STRONG>I believe it is called efs which stands for encrypted file system...
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" alt="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
><FONT COLOR="#000099"><EM>
Glynn Clements wrote:
<br>There is Matt Blaze's CFS (cryptographic filesystem) which
is basically a userspace filesystem over NFS to the loopback
interface. This was part of a larger package called ESM,
encrypted session manager. That wasn't Linux specific, but
does work under it.
</em></font></BLOCKQUOTE>
<P><STRONG><FONT COLOR="#000066"><EM><IMG SRC="../../gx/dennis/qbub.gif"
ALT="(?)" HEIGHT="28" WIDTH="50" BORDER="0"
>Joseph Martin wrote:
<br>I am helping a friend set up a new computer system. He is
particularly interested in security. The regular linux authentication at
the console should work well enough, however I was wondering about even
more security. Are there any encrypted file systems we could set up? For
example the computer boots up, loads the system from a ext2 partition and
then presents a login prompt. After login a mount command is given, a
password supplied and the partition data made visible and accessible. After
use of partition it is unmounted and rendered unusable again. Anything
like that exist?
</EM></FONT></STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" alt="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
><FONT COLOR="#000099"><EM>
You can use the loop device, which turns a file into a device which
can then be mounted (assuming that it contains a valid filesystem).
</EM></FONT></blockquote>
<blockquote><FONT COLOR="#000099"><EM>
The loop device supports on-the-fly encryption/decryption using DES or
IDEA (but you have to get the appropriate kernel source files
separately; they aren't part of the standard kernel source due to
legal nonsense).
</EM></FONT></blockquote>
<blockquote><FONT COLOR="#000099"><EM>
Alternatively, you can just encrypt the file with any encryption
package (e.g. PGP), and decrypt it before mounting. However, this
requires sufficient disk space to store two copies of the file.
</EM></FONT></blockquote>
<blockquote><FONT COLOR="#000099"><EM>
Glynn Clements
</EM></FONT></blockquote>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" alt="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>There is also the TCFS --- a transparent CFS from Italy. This
is Linux specific code. (<A HREF="http://tcfs.dia.unisa.it"
>http://tcfs.dia.unisa.it</A>)
</BLOCKQUOTE>
<BLOCKQUOTE>
There was also supposed to be a userfs module for encryption
--- but I don't know if that was ever completed to production
quality.
</BLOCKQUOTE>
<BLOCKQUOTE>
The best place to get most crypto code is to just fetch it
from <A HREF="ftp://ftp.replay.com">ftp://ftp.replay.com</A> (or
<A HREF="http://www.replay.com">http://www.replay.com</A>) which is
located offshore (Netherlands?) to put it beyond the
jurisdiction of my government's inane trade regulations.
(Apologies to the free world).
</BLOCKQUOTE>
<BLOCKQUOTE>
I thought I read on the kernel list that
<A HREF="http://www.kerneli.org">http://www.kerneli.org</A>
was supposed to be a site where
international (non-U.S. exportable) patches would be gathered
and made available. However that address only returns a lame
one line piece of text to lynx. I fared better with their ftp
site at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="ftp://ftp.kerneli.org/pub/Linux/kerneli/v2.1"
>ftp://ftp.kerneli.org/pub/Linux/kerneli/v2.1</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
Where I saw a list of files of the form: <tt>patch-int-2.1.*</tt>
(which I presume are "international" patches).
</BLOCKQUOTE>
<BLOCKQUOTE>
Userspace toys can be found in:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="ftp://ftp.kerneli.org/pub/Linux/redhat-contrib/hacktic/i386"
>ftp://ftp.kerneli.org/pub/Linux/redhat-contrib/hacktic/i386</A>
</code></BLOCKQUOTE>
(RPM format, of course).
</BLOCKQUOTE>
<BLOCKQUOTE>
Meanwhile the loopfs encryption module seems to be located at
Linux Mama (canonical home of unofficial Linux kernel patches)
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.linuxmama.com/dev-server.html"
>http://www.linuxmama.com/dev-server.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
which has a link to:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="ftp://fractal.mta.ca/pub/crypto/aem"
>ftp://fractal.mta.ca/pub/crypto/aem</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
TCFS is also suitable for encryption of files on an NFS server
(only the encrypted blocks traverse your network --- the
client system does the decryption. That's a big win for
security <EM>and</EM> performance).
</BLOCKQUOTE>
<BLOCKQUOTE>
As for encryption of other network protocols: There's the
standard ssh, ssltelnet/sslftp (SSLeay), STEL, suite for
applications layer work, and a couple of IPSec projects for
Linux at the network/transport layer. A friend of mine has
been deeply interested in the <A HREF="http://www.xs4all.nl/~freeswan/"
>FreeS/WAN</A> project at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.xs4all.nl/~freeswan"
>http://www.xs4all.nl/~freeswan</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... or at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.flora.org/freeswan">http://www.flora.org/freeswan</A>
</code></BLOCKQUOTE>(a mirror)</BLOCKQUOTE>
<BLOCKQUOTE>
... This consists of a kernel patch and some programs to
manage the creation of keys etc.
</BLOCKQUOTE>
<BLOCKQUOTE>
The idea of the <A HREF="http://www.xs4all.nl/~freeswan/">FreeS/WAN</A>
project is to provide opportunistic
host-to-host encryption at the TCP/IP layer. In other words
my Linux router would automatically attempt to create a secure
context (tunnel/route) when communicating with your IPSec
enabled system or router. Similar projects are underway for
<A HREF="http://www.freebsd.org/">FreeBSD</A>, a few routers like Cisco,
and even NT.
</BLOCKQUOTE>
<BLOCKQUOTE>
Anyway I haven't tried it recently but I hear that it's almost
ready for prime time.
</BLOCKQUOTE>
<BLOCKQUOTE>
One of the big issues is that FreeS/WAN isn't designed for
manual VPN use --- so its command line utilities for testing
this are pretty crude (or were, last time I tried them). On
the other hand we still don't have wide deployment of
Secure-DNS --- which is necessary before we can trust those
DNS "KEY" RR's. So, for now, all FreeS/WAN and other S/WAN
secure contexts involve some other (non-transparent) key
management hackery.
</BLOCKQUOTE>
<BLOCKQUOTE>
Hopefully someone will at least create a fairly simple
front end script for those of us that want to "just put up
a secure link" between ourselves and a remote office or
"strategic business partner."
</BLOCKQUOTE>
<BLOCKQUOTE>
Also FreeS/WAN has focused its effort on the 2.0.x kernels.
When 2.2 ships there will be another, non-trivial, effort
required to adapt the KLIPS (kernel level IP security?)
code to the new TCP/IP stack. The addition of LSF (linux
socket facility --- a BPF-like interface) should make that
easier --- but it still sounds like it will be a pain.
</BLOCKQUOTE>
<BLOCKQUOTE>
There's apparently also an independent implementation of
IPSec for Linux from University of Arizona (Mason Katz).
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.cs.arizona.edu/xkernel/hpcc-blue/linux.html"
>http://www.cs.arizona.edu/xkernel/hpcc-blue/linux.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... however this doesn't seem to offer any of the crypto
code, even through some sort of hoops (like MIT's
"prove-you're-a-U.S.-citizen/resident" stuff). I've copied
Mason on this (Bcc) so he can comment if he chooses.
I've also copied Kevin Fenzi and Dave Wreski in case they
want to incorporate any of these links into their Linux
Security HOWTO.
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://sunsite.unc.edu/LDP/HOWTO/mini/VPN.html"
>http://sunsite.unc.edu/LDP/HOWTO/mini/VPN.html</A>
<br><A HREF="http://sunsite.unc.edu/LDP/HOWTO/Security-HOWTO.html"
>http://sunsite.unc.edu/LDP/HOWTO/Security-HOWTO.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
An alternative to FreeS/WAN for now is to use VPS
<A HREF="http://www.strongcrypto.com">http://www.strongcrypto.com</A>
with '<tt>ssh</tt>'. This basically creates a pppd "tunnel" over a specially
conditioned ssh connection. You have to get your copy of '<tt>ssh</tt>' from
some other site, for the usual reasons.
</BLOCKQUOTE>
<BLOCKQUOTE>
Yet another alternative to these is CIPE (cryptographic IP
encapsulation?) at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://sites.inka.de/sites/bigred/devel/cipe.html"
>http://sites.inka.de/sites/bigred/devel/cipe.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... which used encrypted UDP as the main transport.
</BLOCKQUOTE>
<BLOCKQUOTE>
Of course we shouldn't forget our venerable old three head dog
of mythic fame: Kerberos. This old dog is voted most likely
to be our future authentication and encryption infrastructure
(if for no other reason than the fact that Microsoft has vowed
to "embrace and extend" --- e.g. "engulf and extinguish" it
with Windows <strike>NT v5.0</strike>2000).
</BLOCKQUOTE>
<BLOCKQUOTE>
The canonical web page for MIT Kerberos seems to be at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://web.mit.edu/kerberos/www">http://web.mit.edu/kerberos/www</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... some news on that front is that Kermit version 6.1
is slated to include support for Kerberos authentication and
encryption. More on that is on their web site:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.columbia.edu/kermit/ck61.html"
>http://www.columbia.edu/kermit/ck61.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... on the international front I hope to see the Heimdal
project (from Sweden) reach production quality very soon.
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.pdc.kth.se/heimdal">http://www.pdc.kth.se/heimdal</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
When I talked to a couple of the developers of Heimdal I asked
some hard questions about things like support for SOCKS proxy (by
their Kerberized clients), and support for one-time-passwords,
support for NIS/NIS+ (nameservices lookups), etc. They seemed
to have all the right answers on all counts.
</BLOCKQUOTE>
<BLOCKQUOTE>
All that and it's free.
</BLOCKQUOTE>
<BLOCKQUOTE>
Another European effort that is not nearly as attractive to
us "free software fanatics" is the SESAME project (Secure
European System for Applications in a Multi-vendor
Environment)
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.esat.kuleuven.ac.be/cosic/sesame"
>http://www.esat.kuleuven.ac.be/cosic/sesame</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
The SESAME license only allows for free "experimental" use ---
no free distribution, no installation for customers, and no
"production use." Worse than all that no indication is made
as to how much licensing would cost (say for individual use by
a consultant). It appears to be geared towards limited
distribution to "big" clients (the owners seem to be Bull SA,
of France).
</BLOCKQUOTE>
<BLOCKQUOTE>
However, they have some interesting ideas and their web pages
are well worth reading. The suite of libraries seems to
offer some worthwhile extensions over Kerberos.
</BLOCKQUOTE>
<BLOCKQUOTE>
Some other pointers to cryptographic software are
at Tatu Ylonen's (author of ssh) pages:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.cs.hut.fi/crypto/software.html"
>http://www.cs.hut.fi/crypto/software.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
(I've also copied Arpad Magosanyi, author of the
VPN mini-HOWTO, in the hopes that he can find the time
to integrate some of these notes into his HOWTO ---
perhaps just as a list of references to other packages
near the end).
</BLOCKQUOTE>
<BLOCKQUOTE>
Of course the main thrust of Linux security has nothing
to do with cryptography. An over-riding concern is
that any privileged process might be subverted to take
over the whole system.
</BLOCKQUOTE>
<BLOCKQUOTE>
Bugs in <tt>imapd</tt>, <tt>in.popd</tt>, <tt>mountd</tt>, etc.
continue to plague Linux admins.
</BLOCKQUOTE>
<BLOCKQUOTE>
If security is really your friend's top interest and concern,
and he's planning on running a general purpose Unix system
with a mixture of common daemons (network services) and
applications on it, I'd really have to recommend
<A HREF="http://www.openbsd.org/">OpenBSD</A>
<A HREF="http://www.openbsd.org">http://www.openbsd.org</A>.
That is considered by many to be the
most secure "out of the box" version of Unix available to the
general market today. (In the realm of commercial Unix, I've
heard good things about BSDI/OS (<A HREF="http://www.bsdi.com"
>http://www.bsdi.com</A>).)
</BLOCKQUOTE>
<BLOCKQUOTE>
That is not to say that Linux is hopeless. Alan Cox has been
co-ordinating a major Linux Security Audit project at
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.eds.org/audit">http://www.eds.org/audit</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
or:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://lwn.net/980806/a/secfaq.html"
>http://lwn.net/980806/a/secfaq.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
There's also a set of "Secure Linux kernel patches" by
Solar Designer (I don't know his conventional name ---
everyone on the lists refers to him by this handle).
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.false.com/security/linux/index.html"
>http://www.false.com/security/linux/index.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
These are a set of patches that prevent a couple of the most
common sorts of exploits (buffer overflows and symlinks
in <TT>/tmp</TT> and other world-writable directories).
</BLOCKQUOTE>
<BLOCKQUOTE>
However, these patches are for 2.0.x kernels. They've been
firmly rejected by Linus for inclusion into future kernels in
favor of a more flexible and general (and more complicated)
approach.
</BLOCKQUOTE>
<BLOCKQUOTE>
Linux version 2.2 will support a "capabilities lists"
(privileges) feature. This splits the SUID 'root' mechanism
into a few dozen separate privileged operations. By default
the system maps 'root' and 'SUID root' to setting all of these
privileges as "enabled" and "inheritable." A <tt>sysctl()</tt> call
allows a program to blank some or all of these bits,
preventing it and (if one is clearing the "inheritable" bits)
all of its descendants (all the processes it creates) from
exercising these operations.
</BLOCKQUOTE>
<BLOCKQUOTE>
This should allow us to emulate the BSD securelevel if we want
to (create a little userspace utility that clears the
appropriate "inheritable" bits and then <tt>exec()</tt>'s '<tt>init</tt>' ---
now <EM>all</EM> processes are unable to perform these operations).
</BLOCKQUOTE>
<BLOCKQUOTE>
It's also nice in that it's more flexible than the BSD
'securelevel' feature. For example you could just strip the
privilege bits from 'inetd' and your various networking
daemons. This would mean that the attacker would have to
trick some console/serial line controlled process into
executing any exploit code.
</BLOCKQUOTE>
<BLOCKQUOTE>
The eventual plan is to add support for the additional bits in
the filesystem. That won't happen for 2.2 --- but will likely
be one of the planned project for 2.3. These filesystem
attributes would be like a whole vector of SUID like bits ---
each enabling one privilege. So each program that you'd
currently make SUID 'root' would get a (hopefully) small
subset of the privileges. If that sounds complicated and
<EM>big</EM> --- then you understand. This is essentially what the
MLS/CMW "B2-level" secure versions of commercial Unix do. (As
described in the TCSEC "orange book" from what I hear).
</BLOCKQUOTE>
<BLOCKQUOTE>
As a stopgap measure I hope that someone writes a wrapper
utility that allows me (as an admin) to "manually" start
programs with a limited set of privileges. This would allow
me to write scripts, started as 'root' that would strip all
unnecessary privs, and exec some other program (such as
'<tt>dump</tt>' or '<tt>sendmail</tt>' or '<tt>imapd</tt>' etc).
(Such a wrapper would
also allow a developer or distribution maintainer to easily
test what privs a particular package really needed to work).
</BLOCKQUOTE>
<BLOCKQUOTE>
So, that's an overview of the Linux crypto and security.
There are just too many web resources on this subject to list
them all, and there is obviously plenty of work being done on
this all the time. The major constraint on any new security
work is the need to support Unix and all the existing and
portable Unix/Linux packages.
</BLOCKQUOTE>
<!-- end 15 -->
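<P>
The "stopgap" wrapper wished for in the reply above, as an added example that is
not part of the original column or of any project it mentions. It uses the
<tt>prctl(PR_CAPBSET_DROP)</tt> and <tt>capset()</tt> interfaces of current Linux kernels
rather than the <tt>sysctl()</tt> call the 1998 text anticipates; the names
<tt>capwrap</tt>, <tt>parse_keep_list</tt> and <tt>drop_all_but</tt> are hypothetical,
and it assumes it is started as 'root'.
</P>

```c
#define _GNU_SOURCE
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Subset of the capability names in <linux/capability.h>; extend as needed. */
static const struct { const char *name; int cap; } cap_names[] = {
    { "chown", CAP_CHOWN },     { "dac_override", CAP_DAC_OVERRIDE },
    { "kill", CAP_KILL },       { "setgid", CAP_SETGID },
    { "setuid", CAP_SETUID },   { "net_bind_service", CAP_NET_BIND_SERVICE },
    { "net_raw", CAP_NET_RAW }, { "sys_chroot", CAP_SYS_CHROOT },
    { "sys_admin", CAP_SYS_ADMIN },
};

/* Parse "name,name,..." into a bitmask. Returns 0, or -1 on an unknown name
 * (fail closed: a typo must never silently change the set that is kept). */
int parse_keep_list(const char *list, uint64_t *mask)
{
    uint64_t m = 0;
    while (*list) {
        size_t n = strcspn(list, ","), i, found = 0;
        for (i = 0; i < sizeof cap_names / sizeof cap_names[0]; i++) {
            if (strlen(cap_names[i].name) == n &&
                strncmp(cap_names[i].name, list, n) == 0) {
                m |= 1ULL << cap_names[i].cap;
                found = 1;
            }
        }
        if (!found)
            return -1;
        list += n + (list[n] == ',');   /* step past the token and its comma */
    }
    *mask = m;
    return 0;
}

/* Restrict this process, and everything it later exec()s, to `keep`. */
int drop_all_but(uint64_t keep)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];
    int cap, r, i;
    /* 1. Bounding set first: PR_CAPBSET_DROP needs CAP_SETPCAP, which step 2
     *    may remove. The bounding set limits what 'root' regains on exec(). */
    for (cap = 0; cap < 64 && (r = prctl(PR_CAPBSET_READ, cap, 0, 0, 0)) >= 0; cap++)
        if (r == 1 && !(keep & (1ULL << cap)) &&
            prctl(PR_CAPBSET_DROP, cap, 0, 0, 0) != 0)
            return -1;

    /* 2. Shrink our own permitted/effective sets and clear "inheritable". */
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    for (i = 0; i < 2; i++) {
        uint32_t k = (uint32_t)(keep >> (32 * i));
        data[i].permitted &= k;
        data[i].effective &= k;
        data[i].inheritable = 0;
    }
    return syscall(SYS_capset, &hdr, data) == 0 ? 0 : -1;
}

int main(int argc, char **argv)
{
    uint64_t keep;
    if (argc < 3 || parse_keep_list(argv[1], &keep) != 0) {
        fprintf(stderr, "usage: %s cap[,cap...] program [args...]\n", argv[0]);
        return 2;
    }
    if (drop_all_but(keep) != 0) {   /* fail closed: never exec with more */
        perror("dropping capabilities");
        return 1;
    }
    execvp(argv[2], &argv[2]);
    perror(argv[2]);
    return 127;
}
```

<P>
Running <tt>./capwrap net_bind_service grep Cap /proc/self/status</tt> as 'root' shows
the reduced sets the wrapped program ends up with, which is also a quick way to
test which privileges a package really needs.
</P>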
<p><hr width="40%" align="center"><p>
<!-- ::::::::::::::::::::::::::::::::::::::::::: -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif" height="50" width="60"
alt="(?) " border="0">Crypto Support ... What Book?</H3>
<p><strong>From Dave Wreski on Mon, 09 Nov 1998
</strong></p>
<!-- begin 13 -->
<P><STRONG><FONT COLOR="#000066"><EM>
(From an old thread on the Linux-Admin List which
I've been reading as part of the research for my book).
</EM></FONT></STRONG></P>
<P><STRONG>
Hey Jim. I was just wondering what kind of book you are writing? Is this
a linux-specific security book?
</STRONG></P>
<P><STRONG>
Dave
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" alt="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
Linux Systems Administration (for Macmillan Computer
Publishing <A HREF="http://www.mcp.com">http://www.mcp.com</A>).
</BLOCKQUOTE>
<BLOCKQUOTE>
Since I consider security to permeate all aspects of
systems administration, there will be quite a bit of that
intertwined with my discussions of requirements analysis,
recovery and capacity planning, maintenance and automation
etc.
</BLOCKQUOTE>
<!-- end 13 -->
<p><hr width="40%" align="center"><p>
<!-- ::::::::::::::::::::::::::::::::::::::::::: -->
<H3 align="left"><img src="../../gx/dennis/qbubble.gif" height="50" width="60"
alt="(?) " border="0">FS Security using Linux</H3>
<p><strong>From AZ75 on Tue, 10 Nov 1998
</strong></p>
<!-- begin 11 -->
<P><STRONG>
Hello, My name is Jim Xxxxxx and I am a US citizen. I would like to have a
copy of the crypto code sent to me for testing if that's possible.
I am at: ....
</STRONG></P>
<BLOCKQUOTE><IMG SRC="../../gx/dennis/bbub.gif" alt="(!)"
HEIGHT="28" WIDTH="50" BORDER="0"
>
I think you misunderstand part of this thread.
</BLOCKQUOTE>
<BLOCKQUOTE>
I wrote an article (posted to the Linux-admin mailing list
and copied to my editors at the Linux Gazette, and to a
couple of involved parties and HOWTO authors). In that
article I referred to the work of Mason Katz.
</BLOCKQUOTE>
<BLOCKQUOTE>
Mason wrote one of the two implementations of IPSec for
Linux. Please go to
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.cs.arizona.edu/xkernel/hpcc-blue/linux.html"
>http://www.cs.arizona.edu/xkernel/hpcc-blue/linux.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... and take particular note of this:
</BLOCKQUOTE>
<BLOCKQUOTE>
You may request the export controlled sections by sending email to
<A HREF="mailto:mjk@cs.arizona.edu">mjk@cs.arizona.edu</A>
</BLOCKQUOTE>
<BLOCKQUOTE>
... at the bottom.
</BLOCKQUOTE>
<BLOCKQUOTE>
Also, if you read the notes more thoroughly, you'll
find a comment that:
</BLOCKQUOTE>
<BLOCKQUOTE><blockquote><font color="#000066"><em>
Although we are not currently tracking the IPSEC architecture, we
believe that the released version can be brought up to date and
extended to allow for more services.
</em></font></blockquote></BLOCKQUOTE>
<BLOCKQUOTE>
... which means that this implementation is probably out
of sync with recent revisions to IPSec. That means that
coding work would have to be done to make it interoperable
with other implementations.
</BLOCKQUOTE>
<BLOCKQUOTE>
I think you'd be far better off with the Linux
<A HREF="http://www.xs4all.nl/~freeswan/">FreeS/WAN</A>
implementation. In that case you'll be importing the
code from the Netherlands. The stated goal of the Linux
FreeS/WAN project is to provide a fully interoperable,
standard implementation of IPSec.
</BLOCKQUOTE>
<BLOCKQUOTE>
I still don't know what they're going to do about
key management and Secure-DNS. I can't pretend to
have sorted out the morass of competing key management
specifications: Photuris, ISAKMP/Oakley, SKIP, IKE, etc.
The Pluto utility with FreeS/WAN implements some sort
of IKE with ISAKMP for part of the job (router-to-router
mutual authentication?). The
<A HREF="http://www.openbsd.org/">OpenBSD</A> IPSec uses Photuris
--- and I don't know of a Linux port of that. Presumably
an interested party in some free country could port the
OpenBSD Photuris to use the same interfaces to FreeS/WAN's
KLIPS (kernel level IP security) as Pluto. My guess is
that the two key management protocols could work
concurrently (your FreeS/WAN host could conceivably
establish SA -- security associations -- with IKE hosts
through Pluto and with Photuris hosts) although I don't
know how each end would know which key management protocol
to use.
</BLOCKQUOTE>
<BLOCKQUOTE>
I came across one reference to an alleged free
implementation of Sun's SKIP for Linux in an online
back issue of UnixReview Magazine (now called Performance
Computing). That made a passing reference with no URL.
</BLOCKQUOTE>
<BLOCKQUOTE>
Further Yahoo! searches dug up Robert Muchsel's:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.tik.ee.ethz.ch/~skip"
>http://www.tik.ee.ethz.ch/~skip</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
... which leads to a frames site (Yuck!). However, the
recent versions of Lynx can get one past that to a more
useful page at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.tik.ee.ethz.ch/~skip/UsersGuide.html"
>http://www.tik.ee.ethz.ch/~skip/UsersGuide.html</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
I also guess that <A HREF="http://www.freebsd.org/">FreeBSD</A>
offers a SKIP enabled IPSec/IPv6
implementation out of Japan through the KAME project at:
</BLOCKQUOTE>
<BLOCKQUOTE><BLOCKQUOTE><code>
<A HREF="http://www.kame.net">http://www.kame.net</A>
</code></BLOCKQUOTE></BLOCKQUOTE>
<BLOCKQUOTE>
Anyway, for now it appears that most of the key management
will have to be done by hand (using shared secrets which
are exchanged using PGP, GNU Privacy Guard, or over '<tt>ssh</tt>'
or '<tt>psst</tt>' (GPG is the GNU re-implementation of PGP
<A HREF="http://www.d.shuttle.de/isil/gnupg"
>http://www.d.shuttle.de/isil/gnupg</A>
which is moving along
nicely, and psst is the very beginnings of an independent
GNU implementation of the ssh protocol IETF draft
specification at: <A HREF="http://www.net.lut.ac.uk/psst"
>http://www.net.lut.ac.uk/psst</A>)).
</BLOCKQUOTE>
<BLOCKQUOTE>
So, Jim, there's plenty of crypto code freely available
--- you just have to import it from various countries
with greater degrees of "free speech" than our government
currently recognizes here in the U.S.
</BLOCKQUOTE>
<BLOCKQUOTE>
(as is my custom I've removed identifying personal
info from your message --- since this is being copied
to my editors at LG).
</BLOCKQUOTE>
<!-- end 11 -->
<!--startcut ======================================================= -->
<P> <hr> <P>
<H5 align="center"><a href="http://www.linuxgazette.com/copying.html"
>Copyright &copy;</a> 1998, James T. Dennis
<BR>Published in <I>The Linux Gazette</I> Issue 35 December 1998</H5>
</BODY></HTML>
<!--endcut ========================================================= -->