SunScreen SKIP Open Issues and Late-Breaking News contains information that was not available until immediately before the release of SunScreen SKIP. This document is the companion to the SunScreen SKIP User's Guide, Release 1.1. It incorporates information for SunScreen SKIP, Release 1.1.1.
Understand that a saved core file contains your local secret or secrets. It would be difficult for someone to discern or discover, but it can be done! You should, therefore, protect a core file as carefully as any of your other local secrets. Remember, if you send your core file out-of-house for analysis, you are giving your local secret to the analyst.
Any system backups made while such a core file exists may contain the core file as well and so must be considered a possible means of discovering your local secret or secrets.
All regular system backups will also contain the files in which your local secret or secrets are stored. These backups must be kept in a secure location.
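The following shell script is an added example, not part of the SunScreen SKIP release notes or the SKIP product: it locates core files under a directory, reports any that are readable by group or others, and restricts them to the owner, since a core file from the key manager can contain the local secret. The directory and file names are assumptions; the test data is constructed.

```sh
#!/bin/sh
# Added example (not from the SunScreen SKIP release notes): find core files
# below a directory and make them readable by their owner only, because a
# core file can hold the SKIP local secret. Paths are assumptions.

# list_exposed_core_files DIR
# Prints regular files named "core" below DIR whose group-read (040) or
# other-read (004) bit is set, i.e. cores that someone else could copy.
list_exposed_core_files() {
    find "$1" -type f -name core \( -perm -040 -o -perm -004 \) -print
}

# count_exposed_core_files DIR
# Prints how many exposed core files exist below DIR.
count_exposed_core_files() {
    list_exposed_core_files "$1" | wc -l | tr -d ' '
}

# lock_down_core_files DIR
# Sets mode 0600 on every core file below DIR and prints each path handled.
# The core file is treated like any other local secret: owner access only.
lock_down_core_files() {
    find "$1" -type f -name core -exec chmod 600 {} \; -print
}
```

Run `lock_down_core_files /var/crash` (or the directory where your systems write cores) after any SKIP component dumps core, and check with `count_exposed_core_files` before backups are taken, since a backup of an exposed core carries the same secret.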
To upgrade to SunScreen SKIP, Release 1.1.1, from SunScreen SKIP, Release 1.1, follow the instructions in the SunScreen SKIP User's Guide, Chapter 1, "Installing SunScreen SKIP," section "Upgrading from Earlier Versions of SKIP for Solaris."
To preserve the previous configurations (access control list (ACL) files), certificates, and the key manager configuration file, do not remove the /etc/opt/SUNWicg/skip directory.
You may continue to use the old identities, whether UDH or CA, as long as you have not removed them.
SunScreen SKIP, Release 1.1.1, incorporates an improved random number generator that greatly increases security.
The following error messages were not included in the SunScreen SKIP for Solaris User's Guide.
N-counter out of range - either replayed packets or out of sync clocks
"Old" packets have been received by SKIP. Typically, this indicates that the sending machine's clock is not synchronized with your machine's clock; rarely, it indicates that an intermediary is resending old packets in a replay attack.
Certificate g+p do not match dh_params
An entry in your access control list has a local identity and remote identity that do not have matching Diffie-Hellman parameters (g is the generator value, p is the prime value). This is typically caused when you try to talk to a system with moduli that do not match (i.e., a 1024-bit system trying to talk to a 512-bit system using 1024-bit keys).
Local secret nsid=xx mkid=xx has expired. Deleting
Your local secret has expired. Generate a new local identity.
Unable to load skipsup.o -- Exiting!
The SKIP support module could not be loaded. Typically, this means that one of the necessary libraries is not available on the machine that is attempting to run SKIP. Ensure that your system has the required software packages installed according to the instructions in the SunScreen SKIP User's Guide.
Modulus too big for U.S. export law
You have attempted to load a key that is not permitted under U.S. export law. Make sure that you have installed both the base SKIP package and any SKIP encryption upgrade packages that you have purchased under appropriate U.S. export license control.
skipd: passphrase required issue skipd_restart to enable encryption
The key manager cannot start without a password to decrypt local secrets. Use the command skipd_restart to start the key manager.
SunScreen SKIP is limited to a maximum of 100 local keys. All local keys in excess of the first 100 will silently fail.
If your system hangs when you are configuring SKIP and you do not have access to your machine, reboot your machine in single-user mode and become root.
With a text editor, such as vi, edit the file acl.<network_interface> in the /etc/opt/SUNWicg/skip/ directory so that line
skiphost -i <network_interface> -o on
reads
skiphost -i <network_interface> -o off
to disable SKIP.
Reboot your machine normally to clean up the file system.
You, then, as root, may reconfigure your access control list as your security policy dictates.
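The following shell script is an added example, not part of the SunScreen SKIP release notes or the SKIP product: it performs the acl.<network_interface> edit described above with sed instead of vi, keeps a backup of the original file, and reports the current on/off state so you can confirm the change before rebooting. The ACL directory, the interface name and the test data are assumptions; only the "skiphost -i <interface> -o on" line format stated above is relied on.

```sh
#!/bin/sh
# Added example (not from the SunScreen SKIP release notes): turn SKIP off for
# one interface by rewriting its ACL file, as the single-user recovery
# procedure above does by hand in vi. Directory and interface names are
# assumptions; the interface name is used unescaped in a sed pattern, so it
# must not contain regular-expression metacharacters.

SKIP_DIR=${SKIP_DIR:-/etc/opt/SUNWicg/skip}

# skip_state IFACE [DIR]
# Prints "on" or "off" as recorded on the "skiphost -i IFACE -o ..." line
# of DIR/acl.IFACE (nothing if the line is absent).
skip_state() {
    iface=$1
    dir=${2:-$SKIP_DIR}
    sed -n "s/^skiphost -i $iface -o \([a-z]*\).*/\1/p" "$dir/acl.$iface"
}

# disable_skip_in_acl IFACE [DIR]
# Saves DIR/acl.IFACE as acl.IFACE.orig, then rewrites
#   skiphost -i IFACE -o on
# to
#   skiphost -i IFACE -o off
# leaving every other line untouched. Returns 1 if the ACL file is missing.
disable_skip_in_acl() {
    iface=$1
    dir=${2:-$SKIP_DIR}
    acl="$dir/acl.$iface"
    [ -f "$acl" ] || { echo "no ACL file: $acl" >&2; return 1; }
    cp -p "$acl" "$acl.orig"
    sed "s/^\(skiphost -i $iface -o \)on\$/\1off/" "$acl.orig" > "$acl"
}
```

As root in single-user mode, `disable_skip_in_acl le0` (substituting your interface) followed by `skip_state le0` should print `off`; the `.orig` copy lets you restore the original line once the access control list has been corrected.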
If your system hangs when you are configuring SKIP and you still have access to your machine and can become root, enter
# skiphost -o off -i <network_interface>
This will disable SKIP on the network interface.
Then, as root, you may reconfigure your access control list as your security policy dictates.