SunScreen SKIP User's Guide, Release 1.1

skiplocal: Managing Local Identities

skiplocal is the utility for managing SKIP identities on a workstation. A host may wish to have multiple identities if it must interoperate with other hosts that have incompatible Diffie-Hellman parameters (for instance, a U.S. host may wish to communicate with other U.S. hosts with a 1024-bit modulus, but must also communicate with a host outside the U.S. that is limited to a 512-bit modulus). Each local identity has a secret, a certificate, and a unique name. The name is extracted from the certificate and used as a local identity. skiplocal is the primary tool for administering local identities. With skiplocal, you can create, delete, and list local identities based on the command option specified.

You can use skiplocal to set or remove a passphrase that is used to encrypt SKIP locally stored secrets.


Caution -

Beware of electronically transmitting access control commands to remote hosts. For complete security, the receiving system must verify the remote key ID out of band.



Note -

After adding a local ID, the key manager must be restarted using skipd_restart, in order for any changes to take effect.



Caution -

skiplocal export does not work well for communicating with multiple keys. Since the local system does not know which key on the remote system should be used, incorrect bindings can occur. Therefore, it is recommended that the skiplocal export command be used carefully.


See the man pages for more detail.