2008/525 ikeadm token login
James Carlson
james.d.carlson at sun.com
Fri Aug 15 10:45:47 PDT 2008
Dan McDonald writes:
> On Fri, Aug 15, 2008 at 01:01:13PM -0400, Paul Wernau wrote:
> >> Isn't this (changing the default way the pin is stored) an
> >> incompatible change?
>
> The storage of the PIN isn't an interface, per se.
>
> You are worried, I suspect, about least-surprise if someone creates a new
> keypair and subsequently has to "ikeadm setpin" every time in.iked restarts.
Exactly. "It didn't used to do that before."
> > Hmmm, I had queried the IPsec team about the very same question and we had
> > decided collectively that this is probably an exceptional case (if the
> > feature existed before, it would have been done that way.) I actually
> > would like Bill Sommerfeld or Dan McDonald to weigh in with their opinion
> > as I am kind of on the fence about this particular issue.
>
> We feel that the increase in security (and for a feature traditionally used
> only with hardware keystores) outweighs the detriment of any disruptive
> changes.
Yep, I understand the motivation.
This should _at least_ have a patch README entry and a release note
for the update it goes into, and should probably get other exposure as
well.
The fact that nobody will be able to provide a clear set of "how to
use this stuff" directions should give the project team some pause
about tightening security in this way. A recipe would have to say
something like this in the middle:
"If you are running Solaris 10 and have patch 999998-01
[SPARC] or 999999-01 [x86] installed, then you need to include
'-p' on the following command line, so that the unattended
service will start up correctly at boot time. If you don't
have that patch installed, then '-p' isn't recognized, and
unattended operation will be the default ...."
Poor user.
--
James Carlson, Solaris Networking <james.d.carlson at sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677