Hello Stuart,

Stuart Henderson wrote on Tue, Jul 08, 2025 at 10:47:21AM -0000:
> On 2025-07-07, an anonymous coward wrote:

>> I would like to understand why OpenBSD 7.7's iked always uses
>> /etc/iked/private/local.key, no matter what better matching keys
>> and certs are available under /etc/iked/private and /etc/iked/certs
>> and no matter what is specified as local ID in /etc/iked.conf's srcid.
>>
>> Expected behavior would be that the local identity is derived
>> from srcid.  The currently implemented behavior is also totally
>> undocumented.  It took me days to debug why my child SAs were failing.
>>
>> In the current form I don't understand why we even maintain srcid
>> as a selector in /etc/iked.conf when the only valid srcid is what
>> gets hardcoded via /etc/iked/private/local.key and its matching cert.

> From the manual
> 
>    /etc/iked/private/     The directory where local private keys used for
>                           public key authentication are kept.  The file
>                           local.key is used to store the local private key.
> 
> using the plural there doesn't seem right to me, but the rest of that
> information (in particular "The file local.key is used to store the
> local private key") is correct and there's nothing else in documentation
> that refers to a private key other than local.key.

That would be the patch below.

Rationale for the finer markup details:
 * Shorten "private key used for public key authentication"
   to "private key used for authentication".  When a private key
   is used, it is obvious we are talking about asymmetric
   cryptography without restating the fact yet again.
 * While keeping tags of similar lengths is typographically and
   presentationally desirable, content always takes precedence
   over presentation.  When the output looks nice but the content
   is misleading, that's bad documentation right there.
 * When there are a few very long tags in a list, keep the -width
   down to a reasonable value even if that is shorter than the
   longest tags.  The automatic line break after the tag that
   mdoc(7) implements in such cases is not particularly pretty,
   but better than letting the -width run off into the woods.
 * Adding additional tag-to-text spacing to .Bl -width arguments
   (like with the XXX in this case) is very rarely a good idea,
   the default spacing of 2n is usually just fine.  Such increased
   spacing is particularly counter-productive when the -width is
   large (because it reduces the width remaining for the text too
   much) and when there are several short tags in a list with a
   large -width (because for those short tags, it becomes hard to
   see which tags belong to which text).  Here, both snakes bite.
 * Shorten "in the fashion" to "as" to save a line, becoming
   more concise without being less precise.

>> Am I missing something here? Somewhat lost after two days of debugging.

> Neither local.key nor local.pub contain any information about the srcid,
> they are just plain RSA or ECDSA keys, not certificates.
> 
> iked doesn't have a mechanism to handle multiple private keys.

OK?
  Ingo


Index: iked.8
===================================================================
RCS file: /cvs/src/sbin/iked/iked.8,v
diff -u -r1.30 iked.8
--- iked.8      29 Nov 2021 13:20:24 -0000      1.30
+++ iked.8      8 Jul 2025 11:18:09 -0000
@@ -161,7 +161,7 @@
 in
 .Xr iked.conf 5 .
 .Sh FILES
-.Bl -tag -width "/etc/iked/private/XXX" -compact
+.Bl -tag -width "/etc/iked/pubkeys/" -compact
 .It Pa /etc/iked.conf
 The default
 .Nm
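Review bot: the new -width string "/etc/iked/pubkeys/" is shorter than the tag "/etc/iked/private/local.key" that the second hunk introduces, so mdoc(7) will break the line after that one tag while every other entry in the list stays on one line. The rationale in the mail accepts this trade-off on purpose, and the chosen width still covers the remaining tags (/etc/iked.conf, /etc/iked/crls/, /var/run/iked.sock), so nothing needs to change here; just be aware that the rendered FILES list gains one two-line entry.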
@@ -174,15 +174,11 @@
 permanently has been made.
 .It Pa /etc/iked/crls/
 The directory where CRLs are kept.
-.It Pa /etc/iked/private/
-The directory where local private keys used for public key authentication
-are kept.
-The file
-.Pa local.key
-is used to store the local private key.
+.It Pa /etc/iked/private/local.key
+The local private key used for authentication.
 .It Pa /etc/iked/pubkeys/
 The directory in which trusted public keys are kept.
-The keys must be named in the fashion described above.
+The keys must be named as described above.
 .It Pa /var/run/iked.sock
 The default
 .Nm
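Review bot: the replacement text "The local private key used for authentication." fixes the misleading plural, but still does not state that this is the only private key iked reads, which is exactly the point Stuart makes above ("iked doesn't have a mechanism to handle multiple private keys") and what the original poster spent two days discovering. Consider a second sentence for the /etc/iked/private/local.key entry saying that iked(8) uses no other private key, regardless of the srcid configured in iked.conf(5), so the manual states the restriction explicitly. Dropping the /etc/iked/private/ directory entry itself is fine, since local.key is the only file the manual documents in that directory.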

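Added example, not part of this thread or of the iked source: because iked(8) only ever loads /etc/iked/private/local.key, the practical check for the failure described above is whether the certificates under /etc/iked/certs/ (the ones srcid would select) actually carry the public key that belongs to local.key. The script below compares SubjectPublicKeyInfo blobs with openssl(1). The function names, the IKED_DIR override and the directory layout assumed here follow the FILES section of the patch; nothing else about the installed system is assumed.

```shell
#!/bin/sh
# Added example (not iked code): verify that certificates under
# DIR/certs/ match the single private key iked(8) loads, DIR/private/local.key.
# Requires openssl(1). IKED_DIR is an assumption of this script, used so the
# check can be run against a staging copy of /etc/iked.

iked_dir="${IKED_DIR:-/etc/iked}"

# Print the SubjectPublicKeyInfo (PEM "PUBLIC KEY") derived from a private key.
pubkey_of_key() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Print the SubjectPublicKeyInfo (PEM "PUBLIC KEY") embedded in an X.509 cert.
pubkey_of_cert() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# key_matches_cert KEYFILE CERTFILE
# Exit 0 if the certificate's public key corresponds to KEYFILE,
# 1 if it does not, 2 if either file could not be parsed.
key_matches_cert() {
    k=$(pubkey_of_key "$1") || return 2
    c=$(pubkey_of_cert "$2") || return 2
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# check_local_key [DIR]
# Report, for every certificate under DIR/certs/, whether it can be used
# together with DIR/private/local.key. Exit 0 if at least one certificate
# matches, 1 if none does: in that case iked has no usable cert for any srcid.
check_local_key() {
    dir="${1:-$iked_dir}"
    key="$dir/private/local.key"
    found=1
    for cert in "$dir"/certs/*; do
        [ -f "$cert" ] || continue
        if key_matches_cert "$key" "$cert"; then
            subj=$(openssl x509 -in "$cert" -noout -subject 2>/dev/null)
            echo "match:    $cert ($subj)"
            found=0
        else
            echo "mismatch: $cert"
        fi
    done
    return $found
}
```

Run it as root on the gateway (`sh check-local-key.sh` after appending a `check_local_key` call, or source it and call `check_local_key`). A "mismatch" line for the certificate whose subject or SAN corresponds to your srcid is the situation the thread describes: iked will still select that certificate by identity but sign with local.key, so the peer rejects the AUTH payload.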