Re: SunScreen v3.1 to v3.0b communications

From: Valerie Anne Bubb (Valerie.Bubb@Sun.COM)
Date: 10/03/01


Message-Id: <200110031903.MAA23161@phys-ha2mpka-16.Eng.Sun.COM>
Date: Wed, 3 Oct 2001 12:03:02 -0700 (PDT)
From: Valerie Anne Bubb <Valerie.Bubb@Sun.COM>
Subject: Re: SunScreen v3.1 to v3.0b communications
To: focus-sun@securityfocus.com, sean@boran.com

Hi Sean -

Yes, you have hit a common problem (which is the result of
US crypto laws relaxing between releases of SunScreen).

>From: sean@boran.com
>
>I'm trying to get a (new) Sunscreen EFS 3.1 working with an existing
>administration station which manages a group of Sunscreen 3.0b. They are
>international versions (weak keys).
>
>The problem is SKIP (as usual... :-).
>After a bit of digging, I noticed that the v3.0b key sizes are 512bit
>and the v3.1 keys are 1024 bit.
>
>Ss_install doesn't allow me to specify key sizes, has anyone found a way
>of making these beasts talk to each other?

I have set this up before (also with an old admin station to talk
to a new screen), but you do need to manually generate and set up
new keys that all have the same size.

>Any help would be appreciated..
>
>Sean Boran
>
>Creating new sunscreen keys:
>
>a) Sunscreen:
>List current keys:
>skiplocal -l
>Delete current keys:
>skiplocal -r -s 0

It is not necessary to delete the old ones.

>Create new one:
>skiplocal -k -m 512
>Print out command for other side:
>skiplocal -x
>Add local and remote certs to Sunscreen engine:
>ssadm edit Mypolicy
>edit> list certificate
>edit> add certificate "admin-group" GROUP "remote"
>edit> add certificate "remote" SINGLE NSID 8 MKID
>"0x4fd3a1eec3a168e1lotsofcrap"
>edit> add certificate "MyScreen.admin" SINGLE NSID 8 MKID
>"0x9c6e6b0822b590otsofcrap"
>edit> save
>ssadm activate Mypolicy
>skipd_restart

Have you set up an accessRemote rule? (one would have been set
up by default with ss_install if you said you wanted remote
administration, and you would only need to update the key now).
If so, what does it look like?

>
>b) Admin station:
>Delete ACL entry to screen:
>skiphost -i le0 -d MyScreenIP
>Add new entry according to "skiplocal -x" above.
>Save skip settings and restart skip:
>skipif -i all -s
>skipd_restart

Looks fine.

Valerie
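The re-keying procedure above, collected into one script, as an added example that is not part of the thread and not Sun's own SunScreen tooling. It uses only the commands Sean and Valerie quote (skiplocal, skiphost, skipif, skipd_restart, ssadm activate), takes the key size once so both ends cannot drift apart, and refuses an MKID that is not 0x-prefixed hex so a hand-pasted placeholder or typo never reaches the policy. The policy name, certificate names, interface and address are the thread's placeholders; `ssadm edit` is deliberately left interactive (the script only prints the lines to paste) because its scripting interface is not shown in the thread; DRY_RUN=1 is this script's own convention for printing privileged commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original thread or from SunScreen itself:
# re-key a SunScreen/SKIP pair with ONE modulus size on both ends.
# Only commands quoted in the thread are invoked. Names below are the
# thread's placeholders; edit them before real use.
# DRY_RUN=1 prints each privileged command instead of executing it.

KEYSIZE=${KEYSIZE:-512}          # 512: what the 3.0b international screens use
POLICY=${POLICY:-Mypolicy}       # placeholder policy name from the thread
SCREEN_IF=${SCREEN_IF:-le0}      # admin-station interface facing the screen
SCREEN_IP=${SCREEN_IP:-MyScreenIP}

run() {
    if [ "${DRY_RUN:-0}" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Root cause in the thread: 512-bit keys on one side, 1024-bit on the other.
# Refuse to continue unless both ends were generated with the same size.
same_keysize() {
    [ "$1" -eq "$2" ] 2>/dev/null
}

# An MKID is pasted by hand from the other side. Accept only 0x-prefixed hex,
# so a typo or a leftover placeholder such as "0x4fd3...lotsofcrap" is caught
# before it lands in the policy.
valid_mkid() {
    case "$1" in
        0x*) printf '%s' "${1#0x}" | grep -Eq '^[0-9a-fA-F]+$' ;;
        *)   return 1 ;;
    esac
}

# Screen side: generate a key of the agreed size (old keys may stay, as
# Valerie notes) and print the command the admin station must run.
screen_newkey() {
    run skiplocal -k -m "$KEYSIZE"
    run skiplocal -x
}

# Emit the certificate lines to paste into "ssadm edit $POLICY".
# Arguments: the screen's own MKID and the admin station's MKID.
cert_edit_lines() {
    local_mkid=$1 remote_mkid=$2
    valid_mkid "$local_mkid" && valid_mkid "$remote_mkid" || return 1
    printf 'add certificate "admin-group" GROUP "remote"\n'
    printf 'add certificate "remote" SINGLE NSID 8 MKID "%s"\n' "$remote_mkid"
    printf 'add certificate "MyScreen.admin" SINGLE NSID 8 MKID "%s"\n' "$local_mkid"
    printf 'save\n'
}

# Screen side, after the policy has been edited and saved.
screen_activate() {
    run ssadm activate "$POLICY"
    run skipd_restart
}

# Admin station side: drop the stale ACL entry for the screen, run the
# command that "skiplocal -x" printed on the screen (passed as "$@"),
# then persist the SKIP settings and restart SKIP.
admin_update() {
    run skiphost -i "$SCREEN_IF" -d "$SCREEN_IP"
    run "$@"
    run skipif -i all -s
    run skipd_restart
}

# Typical use (placeholders):
#   screen:   KEYSIZE=512 . ./rekey.sh; screen_newkey
#             cert_edit_lines 0x<screen-mkid> 0x<admin-mkid>   # paste into ssadm edit
#             screen_activate
#   admin:    . ./rekey.sh; admin_update <command printed by skiplocal -x>
```

Run it on the 3.1 screen with KEYSIZE set to what the existing 3.0b screens use, not the other way round: the admin station can only hold one key size per peer set, so the new screen is the one that has to conform.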
