search for: psktool

...4 +++++++++++++++++++++++++++++++++++++---------------- > src/internal.h | 1 + > src/main.c | 8 +- > 4 files changed, 210 insertions(+), 78 deletions(-) > > +Create a PSK file containing one or more C<username:key> pairs. It is > +easiest to use L<psktool(1)> for this: > + > + psktool -u rich -p /tmp/psk > + > +The PSK file contains the hex-encoded random keys in plaintext. Any > +client which can read this file will be able to connect to the server. If I'm understanding correctly, it's also possible for a server to crea...

...++++---------------- > > src/internal.h | 1 + > > src/main.c | 8 +- > > 4 files changed, 210 insertions(+), 78 deletions(-) > > > > > +Create a PSK file containing one or more C<username:key> pairs. It is > > +easiest to use L<psktool(1)> for this: > > + > > + psktool -u rich -p /tmp/psk > > + > > +The PSK file contains the hex-encoded random keys in plaintext. Any > > +client which can read this file will be able to connect to the server. > > If I'm understanding correctly, it's...

v2: * Improved documentation. * Added a test (interop with qemu client).

This is ready for review but needs a bit more real-world testing before I'd be happy about it going upstream. It also needs tests. It does interoperate with qemu, at least in my limited tests. Rich.

...t; src/internal.h | 1 + > > > src/main.c | 8 +- > > > 4 files changed, 210 insertions(+), 78 deletions(-) > > > > > > > > +Create a PSK file containing one or more C<username:key> pairs. It is > > > +easiest to use L<psktool(1)> for this: > > > + > > > + psktool -u rich -p /tmp/psk > > > + > > > +The PSK file contains the hex-encoded random keys in plaintext. Any > > > +client which can read this file will be able to connect to the server. > > > > If I'm...

...head2 TLS with Pre-Shared Keys (PSK) + +As a simpler alternative to TLS certificates, you may used pre-shared +keys to authenticate clients. Currently PSK support in NBD clients is +not widespread. + +Create a PSK file containing one or more C<username:key> pairs. It is +easiest to use L<psktool(1)> for this: + + psktool -u rich -p /tmp/psk + +The PSK file contains the hex-encoded random keys in plaintext. Any +client which can read this file will be able to connect to the server. + +Use the nbdkit I<--tls-psk> option to start the server: + + nbdkit --tls-psk=/tmp/psk file file=d...

On 9/17/19 5:35 PM, Richard W.M. Jones wrote: > This neutral refactoring adds -DTLS_MODE. We can in future change the > requested TLS mode, but not in this commit. > > It also checks that nbd_get_tls_negotiated returns true after > connecting, when the requested mode was set to LIBNBD_TLS_REQUIRE. > --- > interop/Makefile.am | 4 ++++ > interop/interop.c | 26

...ttacks where a malicious proxy pretends not to support TLS in order to force either the client @@ -275,6 +277,7 @@ More information can be found in L<gnutls_priority_init(3)>. =head1 SEE ALSO L<nbdkit(1)>, +L<nbdkit-tlsdummy-filter(1)>, L<gnutls_priority_init(3)>, L<psktool(1)>, L<https://github.com/NetworkBlockDevice/nbd/blob/master/doc/proto.md>, diff --git a/filters/tlsdummy/nbdkit-tlsdummy-filter.pod b/filters/tlsdummy/nbdkit-tlsdummy-filter.pod new file mode 100644 index 00000000..f8eef69f --- /dev/null +++ b/filters/tlsdummy/nbdkit-tlsdummy-filter.pod...

Patch 3 still needs tests added, but it is at least working from my simple command line tests. Eric Blake (3): server: Implement nbdkit_is_tls for use during .open server: Expose final thread_model to filter's .get_ready tlsdummy: New filter docs/nbdkit-filter.pod | 21 +- docs/nbdkit-plugin.pod | 34 ++- docs/nbdkit-tls.pod