Manpage of SHSECD.CONF
SHSECD.CONF
Section: User Manuals (5)
Updated: December 2004
NAME
shsecd.conf - Shared Secret Daemon configuration file
DESCRIPTION
The Shared Secret daemon is almost ready to run with all options left at
their defaults. The minimal configuration must, however, list the allowed
peers in the allow access control list: an empty list means no access at all.

Note that the default configuration has several options for file locations,
in particular pid-file, keydb-file and sock-file. By default these files live
in the /var/run/shsec directory, and non-privileged users normally cannot
create files there, so a daemon that is not started by root must point these
options at a directory it can write to.

The configuration file accepts several kinds of comments: the traditional '#'
(hash) used in scripting languages or the C++ style '//', both of which
comment to the end of the line, and C style '/* */', which can span several
lines. Comments cannot be nested.

The syntax of the configuration file is simple. Values are assigned to
reserved words (options), and statements are separated by ';' (semicolon).
A value is of one of the following types:
- boolean
Can be given as a string or a number: true is yes|y|Y|1 (or any non-zero
number) and false is no|n|N|0.
- number
Any positive integer in decimal (123), octal (0123) or hexadecimal (0x123)
notation. Note that a leading zero makes the number octal, so 0123 is 83, not
123.
- string
Any single-quoted or double-quoted string. The escape sequences \t, \n, \\ and
\' may be used inside a string, and a newline can be escaped as well: put \ at
the end of the line and continue on the next one.
- ipaddr
IPv4 address in dotted decimal notation, x.x.x.x.
- network
IPv4 network address in dotted decimal with subnet mask (x.x.x.x/x.x.x.x) or
in CIDR (x.x.x.x/x) notation.
- identity
Host identity, one of <ipaddr>|<network>|<FQDN>. An FQDN can be a
single-quoted, double-quoted or unquoted string.
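A complete configuration file in this syntax, added here as an illustration;
it is not taken from the project's documentation. The paths under /etc/shsec,
the identities, the group id and the peers are invented for the example, and
the 2048-bit DH group is a deliberate departure from the default; only the
option names and value forms come from this manual page.

```conf
# shsecd.conf (added example, not the project's own file)

egid       = 200;       /* a dedicated group for shsec clients; 0 is the default */
pid-file   = "/var/run/shsec/shsecd.pid";
keydb-file = "/var/run/shsec/shsecd.db";
sock-file  = "/var/run/shsec/shsecd.sock";
verbose    = 1;         // a boolean 'y' would mean the same
flush-db   = no;
dh-group   = 2048;      // the default, 1024, is too small for new deployments
listen     = 192.0.2.10;
port       = 24680;     // decimal; 0x6068 is the same value in hex

host         = 'gw.example.net';      // identity sent along with each request
rsa-key-file = "/etc/shsec/gw.key";   // keep the private key out of this file

/* Every peer in the allow list needs credentials; exactly one of
   psk, psk-file, rsa-pub, rsa-pub-file goes with auth. */
peer build.example.net {
    auth         = rsa;
    rsa-pub-file = "/etc/shsec/peers/build.pub";
}

peer 10.0.0.0/24 {
    auth     = psk;
    psk-file = "/etc/shsec/peers/lab.psk";   // psk = "..." inline would expose
                                             // the secret to anyone who can
                                             // read shsecd.conf
}

order = allow,deny;     // unmatched peers are rejected
allow = build.example.net, 10.0.0.0/24;
deny  = 10.0.0.13;      // shadowed by 10.0.0.0/24 under allow,deny; see order
```

With order = allow,deny the allow list is searched first and the first match
wins, so the deny entry for 10.0.0.13 above never takes effect for a peer that
already matches 10.0.0.0/24; to exclude a single host from a permitted network
either use order = deny,allow with an explicit deny list, or list the allowed
hosts individually.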
OPTIONS
- egid = <number>
Effective group id. If run by root, the daemon sets its egid to this value to
restrict client access to the members of that group. The default is 0. A
dedicated group containing only the intended client accounts is the
least-privilege choice.
- pid-file = <string>
Location of the pid file. The default is /var/run/shsec/shsecd.pid.
- keydb-file = <string>
Location of the key database file. The default is /var/run/shsec/shsecd.db.
- sock-file = <string>
Location of the socket file. The default is /var/run/shsec/shsecd.sock.
- verbose = <boolean>|<number>
Verbosity level, 0-2; the boolean 'y' means 1. All error messages are logged
or printed even in quiet mode (level 0, which is the default).
- flush-db = <boolean>
Flush the key database on startup. The default is no.
- dh-group = <number>
Key size in bits for the DH key exchange. Possible values are 768, 1024, 1536,
2048, 3072 and 4096. The default is 1024. The 768 and 1024 bit groups are no
longer considered adequate; use 2048 or larger unless a peer cannot negotiate
it.
- listen = <ipaddr>
IP address to listen on. The default is to listen on any address.
- port = <number>
Port number to bind to. The default is 24680.
- host = <identity>
Host identity sent along with each request, because in some cases (the host is
behind a NAT) the peer cannot use the source IP address to identify it. The
peer uses this identity to look up the key. An empty string is acceptable; in
that case the peer takes the source address of the connection and uses it as
the identity.
- rsa-key = <string>
The host's own RSA credentials, given inline.
- rsa-key-file = <string>
The same, but read from a separate file, which makes it possible to keep the
secret out of the configuration file and behind that file's own permissions.
Prefer this over rsa-key: anything that can read shsecd.conf can read an
inline key.
- peer <identity> { credential_statements }
One such statement is required for every peer that is allowed to send requests
or responses. The credential statements are used to verify requests signed by
the peer, or to sign a request when the digital signature is based on a
pre-shared key, and they also specify how the credentials are used. Exactly
one of psk, psk-file, rsa-pub, rsa-pub-file is accepted, in combination with
the auth option.
- auth = none|psk|rsa
This mandatory option specifies the authentication method required from the
peer before it may send a request or response. none accepts unsigned
messages; since the identity in a request is self-reported, an unsigned
request is only as trustworthy as the allow/deny lists and the source address
of the connection. With psk or rsa the peer must sign each message and the
matching credentials must be specified.
- psk = <string>
The pre-shared key used to compute the HMAC-SHA1 digest for signing and
verification.
- psk-file = <string>
The same, but read from a file, which keeps the secret out of the
configuration file.
- rsa-pub = <string>
The peer's RSA public key, used to verify the RSA signature on a request or
response.
- rsa-pub-file = <string>
The same, but read from the given file.
- order = <allow,deny>|<deny,allow>
Specifies the order in which the access lists are searched. The daemon stops
at the first match. The default order is allow,deny. The second value is also
the default action for peers found in neither list: with allow,deny, for
example, requests from peers that match nothing are rejected, while with
deny,allow they are accepted. Note that with allow,deny a deny entry is never
reached for a peer that already matches an allow entry, such as a single
address inside an allowed network.
- allow = <identity>[, ...]
A list of peers allowed to communicate with the host. The daemon looks up the
identity sent by the peer in the request; if no identity was sent, the source
address is used as the peer identity. For every item in this list a peer
definition is created whose identity is literally the list item. The client is
not required to name a peer by exactly that identity, however: if an allow
item is 10.0.0.0/24 and a client sends a request identified by 10.0.0.1, or by
an FQDN that resolves to that address, the request still matches. If an item
in the list is an FQDN that cannot be resolved while the configuration is
read, that peer is denied access.
- deny = <identity>[, ...]
A list of peers prohibited from communicating with the host. The daemon looks
up the identity sent by the peer in the request to deny access; if no identity
was sent, the source address is used as the peer identity.
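The order, allow and deny rules above, modelled in Python as an added example
(this is not shsecd's code). It assumes a constructed name table, FAKE_DNS, in
place of real DNS so that it runs offline; everything else follows the text:
the sent identity (or the source address when none was sent) is matched
against each list in the order given, the first match wins, the second word of
order is the default action, and an FQDN that does not resolve never grants
access. The sample requests also show the allow,deny pitfall where a deny
entry is shadowed by a broader allow entry.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS so the example runs offline. A value of None
# models a name that does not resolve while the configuration is read.
FAKE_DNS: Dict[str, Optional[str]] = {
    "build.example.net": "10.0.0.7",
    "gone.example.net": None,
}


def parse_identity(item: str) -> Optional[ipaddress.IPv4Network]:
    """Turn an <identity> (<ipaddr>|<network>|<FQDN>) into an IPv4 network.

    A bare address becomes a /32; dotted-mask and CIDR forms are taken as
    written; an FQDN is looked up (here in FAKE_DNS). Returns None when the
    name cannot be resolved.
    """
    try:
        return ipaddress.IPv4Network(item, strict=False)
    except ValueError:
        addr = FAKE_DNS.get(item)
        return ipaddress.IPv4Network(addr) if addr else None


class Acl:
    """The order/allow/deny semantics described in shsecd.conf(5)."""

    def __init__(self, order: str, allow: List[str], deny: List[str]) -> None:
        first, _, second = order.partition(",")
        if {first, second} != {"allow", "deny"}:
            raise ValueError("order must be allow,deny or deny,allow")
        self.search_order = (first, second)
        self.default = second  # action for a peer that matches neither list
        self.lists = {
            "allow": [(item, parse_identity(item)) for item in allow],
            "deny": [(item, parse_identity(item)) for item in deny],
        }

    def _first_match(self, name: str, peer: ipaddress.IPv4Network) -> Optional[str]:
        for item, net in self.lists[name]:
            # An entry that failed to resolve matches nothing, so an
            # unresolvable allow entry leaves that peer denied.
            if net is not None and peer.subnet_of(net):
                return item
        return None

    def decide(self, sent_identity: str, source: str) -> Tuple[str, str]:
        """Return (action, reason) for one request.

        sent_identity is the peer's host value carried in the request, or ""
        when it sent none; source is the connection's source address.
        """
        peer = parse_identity(sent_identity or source)
        if peer is None:
            return ("deny", "identity does not resolve")
        for name in self.search_order:
            hit = self._first_match(name, peer)
            if hit is not None:
                return (name, hit)
        return (self.default, "no match, default from order")


if __name__ == "__main__":
    acl = Acl("allow,deny",
              allow=["build.example.net", "10.0.0.0/24", "gone.example.net"],
              deny=["10.0.0.13"])
    requests = [("", "10.0.0.1"),               # no identity sent: source used
                ("10.0.0.7", "203.0.113.4"),    # NAT: identity differs from source
                ("10.0.0.13", "10.0.0.13"),     # deny entry shadowed by 10.0.0.0/24
                ("gone.example.net", "10.0.0.9"),
                ("", "192.0.2.5")]
    for ident, src in requests:
        print(f"{ident or '<none>':>18} from {src:<12} -> {acl.decide(ident, src)}")
```

Switching the same lists to order = deny,allow makes the 10.0.0.13 entry
effective, but also turns the default for unmatched peers into allow, which is
the trade-off the order option forces on you.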
AUTHOR
Arvydas Juskaitis <arvydasj@users.sourceforge.net>
SEE ALSO
shsecd(8),
shsec(1).
The shsec.txt file in the documentation directory describes the implementation
in some detail and contains a description of the communication protocol and
of the digital signatures.
This document was created by man2html, using the manual pages.
Time: 21:05:04 GMT, January 19, 2005