SunScreen v3.1 to v3.0b communications

From: sean@boran.com
Date: 10/02/01


From: sean@boran.com
To: <focus-sun@securityfocus.com>
Subject: SunScreen v3.1 to v3.0b communications
Date: Tue, 2 Oct 2001 12:33:26 +0200
Message-ID: <002501c14b2d$ab606f80$0a1111b0@swissptt.ch>

Hi,

I'm trying to get a (new) Sunscreen EFS 3.1 working with an existing
administration station which manages a group of Sunscreen 3.0b. They are
international versions (weak keys).

The problem is SKIP (as usual... :-).
After a bit of digging, I noticed that the v3.0b key sizes are 512bit
and the v3.1 keys are 1024 bit.

Ss_install doesn't allow me to specify key sizes, has anyone found a way
of making these beasts talk to each other?

I tried to manually create and use 512bit keys using the procedure below
but no luck..
I also tried to stop SKIP altogether (lots of acrobatics). Sunscreen
doesn't like this at all. A pity because SSH is enough (for me) when you
have a dedicated management network..

Any help would be appreciated..

Sean Boran

Creating new sunscreen keys:

a) Sunscreen:
List current keys:
skiplocal -l
Delete current keys:
skiplocal -r -s 0
Create new one:
skiplocal -k -m 512
Print out command for other side:
skiplocal -x
Add local and remote certs to Sunscreen engine:
ssadm edit Mypolicy
edit> list certificate
edit> add certificate "admin-group" GROUP "remote"
edit> add certificate "remote" SINGLE NSID 8 MKID "0x4fd3a1eec3a168e1lotsofcrap"
edit> add certificate "MyScreen.admin" SINGLE NSID 8 MKID "0x9c6e6b0822b590otsofcrap"
edit> save
ssadm activate Mypolicy
skipd_restart

b) Admin station:
Delete ACL entry to screen:
skiphost -i le0 -d MyScreenIP
Add new entry according to "skiplocal -x" above.
Save skip settings and restart skip:
skipif -i all -s
skipd_restart
