[Openswan Users] CKAIDNSS keyword not found where expected in RSAkey in /var/log/secure

Greg Scott GregScott at InfraSupportEtc.com
Wed Jul 8 19:08:25 EDT 2009


Well that's just peachy - after pounding on this all day, it would be
lots better if it didn't blow up without using /dev/urandom and the
exact steps Avesh suggested.

- Greg
 

-----Original Message-----
From: Paul Wouters [mailto:paul at xelerance.com] 
Sent: Wednesday, July 08, 2009 6:05 PM
To: Greg Scott
Cc: Avesh Agarwal; users at lists.openswan.org
Subject: RE: [Openswan Users] CKAIDNSS keyword not found where expected
in RSAkey in /var/log/secure

On Wed, 8 Jul 2009, Greg Scott wrote:

> [root@huge-fw ipsec.d]# ipsec newhostkey --random /dev/urandom
> --configdir /etc/ipsec.d/nssdb --password ZSE45tgb --output
> /etc/ipsec.d/hostkey.secrets
> Generated RSA key pair using the NSS database

Never use /dev/urandom for long term keys! Openswan knows when it needs
to use /dev/random and when it is not safe to use /dev/urandom. Don't
second guess it!

Paul

