Russell Sutherland
2009-Jun-19  13:26 UTC
[flashboot] Auto generation of the isakmpd/ipsec rsa keys
Would it be prudent to add the following OpenBSD 4.5 code snippet:
if [ X"${isakmpd_flags}" != X"NO" ]; then
        if [ ! -f /etc/isakmpd/private/local.key ]; then
                echo -n "openssl: generating new isakmpd RSA key... "
                if /usr/sbin/openssl genrsa -out /etc/isakmpd/private/local.key 2048 \
                    > /dev/null 2>&1; then
                        chmod 600 /etc/isakmpd/private/local.key
                        openssl rsa -out /etc/isakmpd/local.pub \
                            -in /etc/isakmpd/private/local.key -pubout > /dev/null 2>&1
                        echo done.
                else
                        echo failed.
                fi
        fi
        echo -n ' isakmpd';     isakmpd ${isakmpd_flags}
fi
to the current rc.initial file?
This would allow autogeneration of the isakmpd rsa keys in a fashion
similar to the ssh ones.
Comments?
-- 
Russell Sutherland
russ at quist.ca
+1.416.696.7600
Rickard Dahlstrand
2009-Jun-19  17:14 UTC
[flashboot] Auto generation of the isakmpd/ipsec rsa keys
Good idea. Test and send a diff to Jakob and he'll include it in the CVS.
Rickard.
On 19 Jun 2009 at 15.26, Russell Sutherland wrote:
> Would it be prudent to add the following OpenBSD 4.5 code snippet:
>
> if [ X"${isakmpd_flags}" != X"NO" ]; then
>         if [ ! -f /etc/isakmpd/private/local.key ]; then
>                 echo -n "openssl: generating new isakmpd RSA key... "
>                 if /usr/sbin/openssl genrsa -out /etc/isakmpd/private/local.key 2048 \
>                     > /dev/null 2>&1; then
>                         chmod 600 /etc/isakmpd/private/local.key
>                         openssl rsa -out /etc/isakmpd/local.pub \
>                             -in /etc/isakmpd/private/local.key -pubout > /dev/null 2>&1
>                         echo done.
>                 else
>                         echo failed.
>                 fi
>         fi
>         echo -n ' isakmpd';     isakmpd ${isakmpd_flags}
> fi
>
> to the current rc.initial file?
>
> This would allow autogeneration of the isakmpd rsa keys in a fashion
> similar to the ssh ones.
>
> Comments?
>
> --
> Russell Sutherland
> russ at quist.ca
> +1.416.696.7600
> _______________________________________________
> flashboot mailing list
> flashboot at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/flashboot
Kevin Steves
2009-Jun-19  17:38 UTC
[flashboot] Auto generation of the isakmpd/ipsec rsa keys
On Fri, Jun 19, 2009 at 09:26:24AM -0400, Russell Sutherland wrote:
: Would it be prudent to add the following OpenBSD 4.5 code snippet:
: 
: if [ X"${isakmpd_flags}" != X"NO" ]; then
:         if [ ! -f /etc/isakmpd/private/local.key ]; then
:                 echo -n "openssl: generating new isakmpd RSA key... "
:                 if /usr/sbin/openssl genrsa -out /etc/isakmpd/private/local.key 2048 \
:                     > /dev/null 2>&1; then
:                         chmod 600 /etc/isakmpd/private/local.key
:                         openssl rsa -out /etc/isakmpd/local.pub \
:                             -in /etc/isakmpd/private/local.key -pubout > /dev/null 2>&1
:                         echo done.
:                 else
:                         echo failed.
:                 fi
:         fi
:         echo -n ' isakmpd';     isakmpd ${isakmpd_flags}
: fi
: 
: to the current rc.initial file?
: 
: This would allow autogeneration of the isakmpd rsa keys in a fashion
: similar to the ssh ones.
yes, but you should look at rc.initial for how the ssh keys are
generated on /flash--it's not a cut and paste from openbsd /etc/rc.
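An added example, not part of the thread and not flashboot's or OpenBSD's code: one way to make the key generation from the snippet safe to run at every boot, by creating the private key under a restrictive umask (so there is no window before `chmod`), checking it, and moving it into place only when complete. The function name and the `KEYDIR` argument are assumptions; `KEYDIR` stands in for `/etc/isakmpd` or wherever the image keeps persistent keys.

```shell
#!/bin/sh
# Added example; gen_isakmpd_key and its KEYDIR argument are hypothetical names.
# Usage: gen_isakmpd_key KEYDIR [BITS]
# Layout follows the snippet: KEYDIR/private/local.key and KEYDIR/local.pub.
# The body runs in a subshell so umask and trap do not leak into the caller.
gen_isakmpd_key() (
    keydir=$1
    bits=${2:-2048}
    key=$keydir/private/local.key
    pub=$keydir/local.pub

    # Idempotent: an existing private key is never overwritten.
    [ -s "$key" ] && exit 0

    # Files are created 0600 / directories 0700 from the start.
    umask 077
    mkdir -p "$keydir/private" || exit 1

    # Work on temporary names so an interrupted boot never leaves a
    # truncated local.key that later boots would treat as valid.
    tmp=$key.tmp.$$
    trap 'rm -f "$tmp" "$tmp.pub"' EXIT

    openssl genrsa -out "$tmp" "$bits" > /dev/null 2>&1 || exit 1
    # Consistency check of the generated key before it is used.
    openssl rsa -in "$tmp" -check -noout > /dev/null 2>&1 || exit 1
    openssl rsa -in "$tmp" -pubout -out "$tmp.pub" > /dev/null 2>&1 || exit 1
    chmod 644 "$tmp.pub"    # the public half may be world-readable

    # Publish the public key first: once local.key exists, local.pub does too.
    mv "$tmp.pub" "$pub" && mv "$tmp" "$key"
)
```

The function returns non-zero on any failure, so the caller can print `done.` or `failed.` as the snippet does before starting isakmpd.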