On Wed, Mar 01, 2023 at 08:35:05AM -0700, Theo de Raadt wrote:
> Tobias Heider <[email protected]> wrote:
> 
> > On Wed, Mar 01, 2023 at 01:38:24PM +0000, Stuart Henderson wrote:
> > > On 2023/03/01 14:21, Tobias Heider wrote:
> > > > On Wed, Mar 01, 2023 at 09:24:50AM -0000, Stuart Henderson wrote:
> > > > > On 2023-03-01, J Doe <[email protected]> wrote:
> > > > > > Hello,
> > > > > >
> > > > > > I have a question regarding authentication options in OpenIKED on
> > > > > > OpenBSD 7.2
> > > > > >
> > > > > > On my test lab I have one OpenBSD 7.2 machine with OpenIKED configured
> > > > > > to use PSK and a macOS 13.2.1 client that can connect to it.
> > > > > >
> > > > > > I read in: man iked.conf that PSK should not be used, so I am now 
> > > > > 
> > > > > I don't see that in the iked.conf manual. There is some reference to not
> > > > > using psk in /etc/examples/iked.conf but it's not clear whether that's
> > > > > because of the need to share a single psk with all endpoints connecting
> > > > > via the same iked.conf configuration line (certainly a problem when
> > > > > you have multiple users from unknown IPs but perhaps not if used for
> > > > > separately-configured lan-to-lan tunnels with strong randomly generated
> > > > > psks) or whether it's something else.
> > > > 
> > > > We should probably remove that comment.
> > > 
> > > Wondering if we should actually remove the whole examples/iked.conf
> > > file, it doesn't seem hugely useful..
> > > 
> > 
> > I don't think I have ever used it.  ok with me if no one objects.
> 
> There are no lessons or hints about format of the file found in there,
> are there?  Everyone reads the manual page and starts from scratch?
> 
> I was also trying to read the iked manual page, and I got confused.
> Delete it at the same time?
> 
> How about we delete the entire examples directory?  And for every one
> of these commands remove this educational piece and force people to
> start from first principles as described in the respective manual pages?
> 
> 
> I want to point out: Of course you never used it.  I never used it either.
> The file doesn't exist for you or I.

Another small advantage of the examples/* files is that they have the correct
permissions set for the corresponding real configuration file.

So new users who do:

# cp /etc/examples/iked.conf /etc/
# vi /etc/iked.conf

At least get a file which is not world readable by default.  If they just
create a new file with vi, then it will have 0644 permissions.

Admittedly a user with such little experience shouldn't be managing a system
where this matters particularly, but having those example files there does at
least mitigate one possible class of problems.
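The permission point made in this last message, as an added shell example that is not part of the thread: it reproduces the two ways of creating iked.conf with constructed stand-in files in a temporary directory (not the real /etc/examples/iked.conf or /etc/iked.conf), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenBSD. Assumes a POSIX sh
# with ls, cut, cp, chmod and mktemp; 022 is taken as the usual default umask.

# Exit 0 when group and other have no permission bits at all (0600, 0700, ...).
is_private() {
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Report whether other users on the system can read a config file.
check_private_conf() {
    if is_private "$1"; then
        printf '%s: ok, not readable by other users\n' "$1"
    else
        printf '%s: WARNING readable by others (mode %s)\n' "$1" "$(ls -ld "$1" | cut -c1-10)"
        return 1
    fi
}

# What ":wq" in vi on a brand-new file leaves behind: created under umask 022,
# so the file ends up 0644 and the PSK in it is world readable.
create_like_vi() {
    (umask 022; printf 'ikev2 "lab" psk "constructed-not-a-real-key"\n' > "$1")
}

# What "cp /etc/examples/iked.conf /etc/" leaves behind: cp gives a new file the
# source's mode masked by umask, so a 0600 example file stays 0600.
copy_like_examples() {
    printf '# constructed stand-in for the example config\n' > "$1"
    chmod 600 "$1"
    (umask 022; cp "$1" "$2")
}

# Creating the file by hand without going through examples/: restrictive umask
# at creation time, so there is never a window in which it is world readable.
create_private() {
    (umask 077; : > "$1") && chmod 600 "$1"
}

main() {
    d=$(mktemp -d) || exit 1
    create_like_vi "$d/iked.conf.vi"
    copy_like_examples "$d/examples_iked.conf" "$d/iked.conf.cp"
    create_private "$d/iked.conf.safe"
    for f in "$d"/iked.conf.*; do check_private_conf "$f" || :; done
    rm -rf "$d"
}

main "$@"
```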
