On 2025/07/08 08:02, Crystal Kolipe wrote:
> On Tue, Jul 08, 2025 at 10:47:21AM -0000, Stuart Henderson wrote:
> > From the manual
> >
> >      /etc/iked/private/  The directory where local private keys used for
> >                          public key authentication are kept.  The file
> >                          local.key is used to store the local private key.
> >
> > using the plural there doesn't seem right to me,
>
> I think it's written in the plural because it's intended to be understood in
> the context of someone administering several machines.  So if you have five
> machines that you've swapped keys between to set up key-based auth with iked
> then there will be five keyS scattered between the /etc/iked/private/ dirs
> on those hosts.

hm, yes, could be.

> Also, key based auth is mostly used on small centrally administered networks,
> (E.G. home networks), so it's entirely reasonable to generate all of the
> private keys on the primary machine and just scp them to the others as
> required, (after a re-install or whatever).  In that case, you might want to
> keep the private keys for all of the hosts in /etc/iked/private/ on the
> primary, (renamed to the hostname of the target), even though they are not
> going to be accessed by iked on that host.
>
> But yes, the man page could probably be clearer.

also I've just realised that "local private keys used for public key
authentication" doesn't really cover "local private keys used with
certificates".

(and there's no decent doc for the support for intermediate certs, which iirc
requires jumping some hoops not needed with other software that uses certs -
IIRC it may have needed the intermediate to be bundled with the CA rather than
the machine cert).
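The "generate every host's key on the primary, keep a copy renamed to the target hostname, scp it out on reinstall" workflow described above, as an added shell example that is not from the thread and not part of OpenBSD or iked. It stages the tree under a scratch directory rather than the real /etc/iked so it can be run unprivileged, and it assumes (not stated on the page) that keys are generated with openssl(1) as P-256 EC keys, that the peer public key for a host goes under /etc/iked/pubkeys/fqdn/<hostname> as in iked.conf(5), and that the only security checks worth automating are "private keys are mode 0600 in a 0700 directory" and "each staged public key really belongs to its private key".

```shell
#!/bin/sh
# Added example: stage per-host iked key pairs on an administration host.
# Layout produced under STAGE_DIR (assumed to mirror /etc/iked on the primary):
#   private/<host>.key   private key for <host> (never read by iked here)
#   pubkeys/fqdn/<host>  matching public key, ready to copy to every peer
set -eu

# stage_iked_keys STAGE_DIR HOST... : generate one key pair per host,
# skipping hosts that already have a key (never silently overwrite one).
stage_iked_keys() {
    stage="$1"; shift
    umask 077                                   # new files 0600, dirs 0700
    mkdir -p "$stage/private" "$stage/pubkeys/fqdn"
    for host in "$@"; do
        priv="$stage/private/$host.key"
        if [ -e "$priv" ]; then continue; fi
        # Assumption: P-256 EC key, as openssl(1) generates it.
        openssl ecparam -genkey -name prime256v1 -noout -out "$priv"
        openssl pkey -in "$priv" -pubout -out "$stage/pubkeys/fqdn/$host"
    done
    chmod 700 "$stage/private"
}

# check_stage STAGE_DIR : return 0 only if every staged private key is mode
# 0600 and its public key under pubkeys/fqdn/ was derived from it.
check_stage() {
    stage="$1"; rc=0
    for priv in "$stage"/private/*.key; do
        [ -e "$priv" ] || continue              # no keys staged at all
        host=$(basename "$priv" .key)
        if [ -z "$(find "$priv" -perm 0600)" ]; then
            echo "check_stage: $priv is not mode 0600" >&2; rc=1
        fi
        pub="$stage/pubkeys/fqdn/$host"
        if [ ! -f "$pub" ]; then
            echo "check_stage: $pub missing" >&2; rc=1
        elif ! openssl pkey -in "$priv" -pubout | cmp -s - "$pub"; then
            echo "check_stage: $pub does not match $priv" >&2; rc=1
        fi
    done
    return $rc
}

# deploy_cmd STAGE_DIR HOST : print the scp(1) command that installs HOST's
# staged key as its own /etc/iked/private/local.key. Printed, not executed,
# so the operator can review it; -p keeps the 0600 mode on the copy.
deploy_cmd() {
    stage="$1"; host="$2"
    printf 'scp -p %s/private/%s.key root@%s:/etc/iked/private/local.key\n' \
        "$stage" "$host" "$host"
}

# Stand-alone demo with constructed hostnames in a temporary directory.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    stage_iked_keys "$tmp" gw.example.net lap.example.net
    check_stage "$tmp" && echo "stage ok"
    deploy_cmd "$tmp" lap.example.net
    rm -rf "$tmp"
fi
```

The check matters precisely because, as Crystal notes, the primary ends up holding private keys that iked on that host never uses: nothing will complain if one of them is left world-readable after a hurried scp, so verify the modes before and after copying.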

