
SHSECD

Section: User Manuals (8)
Updated: December 2004
 

NAME

shsecd - Shared Secret daemon  

SYNOPSIS

shsecd [-hVvdDC] [-c config-file ]  

DESCRIPTION

shsecd (Shared Secret daemon) is the daemon program for shsec(1). It is used by two hosts to negotiate a shared secret (password) in a secure way over the Internet. See shsec(1) for further details about the functionality.

The daemon listens for TCP connections on a predefined port (24680 by default; this can be changed). It accepts key requests from a peer and initiates one when asked to by a local client. The two servers use the Diffie-Hellman key agreement algorithm to negotiate the shared secret and a simple protocol to exchange the public values. Servers can require mutual authentication by insisting that the request and the response be signed.

Access for local clients can also be restricted. This is done by setting group permissions on the unix socket file; only members of that group are able to send requests to the daemon. See the SECURITY section for further information.

No root privileges are required to run shsecd. To run shsecd as a non-privileged user without write access to the /var/run/shsec directory (note that this is not the default installation), specify a separate configuration file with the -c command line option, in which the pid-file, db-file and sock-file options point to other locations. It is also possible to run several instances of the daemon on the same system. See shsecd.conf(5) for more information.

If the configuration file is modified while the server is running, the daemon must be restarted to load the new configuration. Sending SIGHUP to the daemon does not reload it.
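The exchange described above, modelled in Python as an added example. This is not shsecd's own code and not its wire protocol (which is documented in shsec.txt): the message layout, the names and the use of HMAC-SHA1 over a pre-shared key are assumptions chosen to show why the public values must be signed. An attacker who can rewrite the initiator's public value in transit, but does not hold the pre-shared key, is rejected by the responder; two peers holding the same key end up with the same secret.

```python
"""Added illustrative model of the mechanism shsecd describes: two peers agree on a
shared secret with Diffie-Hellman and authenticate the exchanged public values by
signing the request and the response with HMAC-SHA1 under a pre-shared key.
The message layout and names are assumptions, not the shsecd wire protocol."""
import hashlib
import hmac
import secrets

# 1024-bit MODP prime transcribed from RFC 2409 (Oakley group 2).  It keeps the
# example fast but is too small for production use; verify against the RFC.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
G = 2


class AuthError(Exception):
    """Raised when a signature or a public value fails verification."""


def _derive(shared):
    """Hash the raw DH value down to a fixed-length secret (assumed KDF)."""
    return hashlib.sha256(shared.to_bytes(128, "big")).digest()


class Peer:
    def __init__(self, name, psk):
        self.name = name.encode()
        self.psk = psk
        self._priv = 2 + secrets.randbelow(P - 3)   # private exponent in [2, P-2]
        self.pub = pow(G, self._priv, P)

    def _tag(self, body):
        return hmac.new(self.psk, body, hashlib.sha1).digest()

    def _verify(self, body, tag):
        # constant-time comparison; a wrong PSK or an altered body fails here
        if not hmac.compare_digest(self._tag(body), tag):
            raise AuthError("signature check failed")

    @staticmethod
    def _check_pub(value):
        pub = int(value, 16)
        # 0, 1 and P-1 would force the shared value into {0, 1, P-1}
        if not 1 < pub < P - 1:
            raise AuthError("public value out of range")
        return pub

    def request(self):
        body = b"REQ|%s|%x" % (self.name, self.pub)
        return body, self._tag(body)

    def respond(self, body, tag):
        self._verify(body, tag)
        kind, _peer, pub_hex = body.split(b"|")
        if kind != b"REQ":
            raise AuthError("expected a request")
        peer_pub = self._check_pub(pub_hex)
        # the response signs the peer's value as well, binding it to this request
        resp = b"RSP|%s|%x|%x" % (self.name, peer_pub, self.pub)
        return resp, self._tag(resp), _derive(pow(peer_pub, self._priv, P))

    def finish(self, body, tag):
        self._verify(body, tag)
        kind, _peer, mine_hex, peer_hex = body.split(b"|")
        if kind != b"RSP" or int(mine_hex, 16) != self.pub:
            raise AuthError("response does not answer our request")
        peer_pub = self._check_pub(peer_hex)
        return _derive(pow(peer_pub, self._priv, P))


def negotiate(initiator, responder, mitm_pub=None):
    """Run one exchange.  mitm_pub simulates an attacker who swaps the initiator's
    public value in transit without the PSK, so the tag no longer matches."""
    body, tag = initiator.request()
    if mitm_pub is not None:
        body = b"REQ|%s|%x" % (initiator.name, mitm_pub)
    resp, rtag, k_responder = responder.respond(body, tag)
    k_initiator = initiator.finish(resp, rtag)
    return k_initiator, k_responder


def honest_run(psk=b"demo-psk"):
    return negotiate(Peer("hostA", psk), Peer("hostB", psk))


def attack_is_rejected(psk=b"demo-psk"):
    """True if the tampered request is refused, False if a secret was agreed."""
    try:
        negotiate(Peer("hostA", psk), Peer("hostB", psk), mitm_pub=pow(G, 12345, P))
    except AuthError:
        return True
    return False


def psk_mismatch_is_rejected():
    try:
        negotiate(Peer("hostA", b"key-1"), Peer("hostB", b"key-2"))
    except AuthError:
        return True
    return False


if __name__ == "__main__":
    ka, kb = honest_run()
    print("agreed:", ka == kb, "mitm rejected:", attack_is_rejected())
```

Without the signature, the responder would accept any public value it received and agree a secret with whoever is in the middle; this is the classic unauthenticated Diffie-Hellman weakness, and it is why shsecd offers signed requests. The response signs the initiator's public value as well as its own, so a stored response cannot be replayed against a different request. The 1024-bit group and HMAC-SHA1 are chosen here only to match the era of the page; a new deployment should use a 2048-bit or larger group and a SHA-2 based MAC.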

OPTIONS

-h, --help
Print this option list, then exit.
-V, --version
Print version number, then exit.
-v, --verbose
Be verbose. Specify this option twice to increase the level. By default only error messages are printed or sent to syslog.
-d, --daemon
Run as a daemon and use syslog for logging. shsecd logs messages with the daemon facility.
-D, --debug
Do not fork; print messages to stderr. Used for debugging.
-C, --child-debug
If set, child processes sleep so that a debugger can be attached to them. Used for debugging. This option will be removed one day.
-c file, --conf-file=file
Path to the configuration file. The default is /etc/shsecd.conf.
 

FILES

/etc/shsecd.conf
Configuration file for the daemon. Another location can be specified with the -c command line argument. See shsecd.conf(5) for further details.
/var/run/shsec/shsecd.pid
Created by the daemon to ensure that only one instance is running at a time. Another location can be specified with the pid-file option in the configuration file.
/var/run/shsec/shsecd.db
Used to store unexpired keys so that they survive a shutdown and restart of the daemon. Another location can be specified with the db-file option in the configuration file.
/var/run/shsec/shsecd.sock
Created by the daemon so that local clients can communicate with it. Another location can be specified with the sock-file option in the configuration file.
 

SECURITY

shsecd uses signed requests to authenticate a peer. Several algorithms can be used to create the signature: HMAC-MD5 or HMAC-SHA1 with a pre-shared key, or RSA signatures. Access for local clients is restricted by the permissions and group ownership of the socket file. If the daemon is run by root, it sets its effective group id to the value given by the egid option in the configuration file; only members of that group are permitted to use the programs. The socket file is recreated every time the daemon starts up, but the permissions on shsecd.conf and on the /var/run/shsec directory must be set at installation time. If the daemon is run by a regular user, the group id of all files it creates, including the socket file, is the default group id of that user.
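The local access control described above rests entirely on the ownership and mode bits of the socket file and its directory, so it is worth checking them after installation. The following is an added example in Python, not part of shsecd: an audit function that reports a socket which is world-accessible, not owned by the service group, or not connectable by the group, plus a creation routine showing the restrictive umask a daemon should use so the file is never briefly world-accessible. The socket path and the use of the process's own group (the non-root case on the page) are assumptions; a real audit would read sock-file and egid from shsecd.conf.

```python
"""Added check, not part of shsecd, for the local access control described above:
the unix socket must belong to the service group, must not be reachable by
'other', and must live in a directory that others cannot tamper with.  The paths
and group are assumptions; a real audit would point at sock-file from shsecd.conf."""
import os
import socket
import stat
import tempfile


def audit_socket(path, expected_gid):
    """Return a list of policy violations for the socket file; empty means OK."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return ["socket file missing"]
    if not stat.S_ISSOCK(st.st_mode):
        problems.append("not a socket")
    if st.st_gid != expected_gid:
        problems.append("group is %d, expected %d" % (st.st_gid, expected_gid))
    if st.st_mode & stat.S_IRWXO:
        problems.append("world-accessible (mode %o)" % stat.S_IMODE(st.st_mode))
    if not st.st_mode & stat.S_IWGRP:
        problems.append("group members cannot connect (no group write bit)")
    parent = os.lstat(os.path.dirname(path) or ".")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        problems.append("parent directory is world-writable without the sticky bit")
    return problems


def create_socket(path, gid, mode=0o660):
    """Create the listening socket with a restrictive umask so it is never
    world-accessible, even briefly, then open it to the service group."""
    old_umask = os.umask(0o177)          # bind() creates the file as 0600
    try:
        sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        sock.bind(path)
    finally:
        os.umask(old_umask)
    try:
        os.chown(path, -1, gid)          # root: the configured egid group
    except PermissionError:
        pass                             # regular user: keeps that user's group
    os.chmod(path, mode)
    sock.listen(1)
    return sock


def demo():
    """Create a socket the right way, then spoil it the way a sloppy install does."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "shsecd.sock")    # assumed location
    gid = os.getgid()                               # non-root daemon: own group
    sock = create_socket(path, gid)
    try:
        good = audit_socket(path, gid)
        os.chmod(path, 0o666)                       # world-writable: anyone connects
        bad = audit_socket(path, gid)
    finally:
        sock.close()
        os.unlink(path)
        os.rmdir(workdir)
    return good, bad


if __name__ == "__main__":
    print(demo())
```

On Linux a client needs write permission on the socket file to connect, which is why the audit treats a missing group write bit as a problem and any 'other' bit as a finding. The directory check matters because the socket is recreated at every start: a world-writable /var/run/shsec without the sticky bit would let another local user remove or replace the socket between restarts.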

ENVIRONMENT

shsecd does not use any environment variables at present.

BUGS

Please report shsecd bugs at https://sourceforge.net/projects/shsec

AUTHOR

Arvydas Juskaitis <arvydasj@users.sourceforge.net>  

SEE ALSO

shsecd.conf(5), shsec(1). The shsec.txt file in the documentation directory gives some details about the implementation and describes the communication protocol and the digital signatures.


 


This document was created by man2html, using the manual pages.
Time: 21:05:04 GMT, January 19, 2005