SunScreen SKIP Open Issues and Late-breaking News, Release 1.1.1

Chapter 1 SunScreen SKIP Open Issues and Late-Breaking News

SunScreen SKIP Open Issues and Late-Breaking News contains information that was not available until immediately before the release of SunScreen SKIP. This document is the companion to the SunScreen SKIP User's Guide, Release 1.1. It incorporates information for SunScreen SKIP, Release 1.1.1.

A Word of Caution

Understand that a saved core file contains your local secret or secrets. It would be difficult for someone to discern or discover them, but it can be done! You should, therefore, protect a core file as carefully as any of your other local secrets. Remember, if you send your core file out-of-house for analysis, you are giving your local secret to the analyst.

Any system backups made while such a core file exists may contain the core file as well and so must be considered a possible means of discovering your local secret or secrets.

All regular system backups will also contain the files in which your local secret or secrets are stored. These backups must be kept in a secure location.

Upgrading to SunScreen SKIP, Release 1.1.1, from SunScreen SKIP, Release 1.1

To upgrade to SunScreen SKIP, Release 1.1.1, from SunScreen SKIP, Release 1.1, follow the instructions in the SunScreen SKIP User's Guide, Chapter 1, "Installing SunScreen SKIP," in the section "Upgrading from Earlier Versions of SKIP for Solaris."

To preserve the previous configurations (access control list [ACL] files), certificates, and the key manager configuration file, do not remove the /etc/opt/SUNWicg/skip directory.

You may continue to use the old identities, whether UDH or CA, as long as you have not removed them.

Improved Security

SunScreen SKIP, Release 1.1.1, incorporates an improved random number generator that greatly increases security.

Error Messages

The following error messages were not included in the SunScreen SKIP for Solaris User's Guide.

N-counter out of range - either replayed packets or out of sync clocks

"Old" packets have been received by SKIP. Typically, this indicates that the sending machine's clock is not synchronized with your machine's clock; rarely, it indicates that an intermediary is resending old packets in a replay attack.

Certificate g+p do not match dh_params

An entry in your access control list has a local identity and remote identity that do not have matching Diffie-Hellman parameters (g is the generator value, p is the prime value). This is typically caused when you try to talk to a system with moduli that do not match (i.e., a 1024-bit system trying to talk to a 512-bit system using 1024-bit keys).

Local secret nsid=xx mkid=xx has expired. Deleting

Your local secret has expired. Generate a new local identity.

Unable to load skipsup.o -- Exiting!

The SKIP support module could not be loaded. Typically, this means that one of the necessary libraries is not available on the machine that is attempting to run SKIP. Ensure that your system has the required software packages installed according to the instructions in the SunScreen SKIP User's Guide.

Modulus too big for U.S. export law

You have attempted to load a key that is not permitted under U.S. export law. Make sure that you have installed both the base SKIP package and any SKIP encryption upgrade packages that you have purchased under appropriate U.S. export license control.

skipd: passphrase required
issue skipd_restart to enable encryption

The key manager cannot start without the passphrase needed to decrypt local secrets. Use the command skipd_restart to start the key manager.

Limited Number of Local Keys

SunScreen SKIP is limited to a maximum of 100 local keys. All local keys in excess of the first 100 will silently fail.

Emergency Start Instructions

System Hangs and You Cannot Access the Machine

  1. If your system hangs when you are configuring SKIP and you do not have access to your machine, reboot your machine in the single-user mode and become root.

  2. With a text editor, such as vi, edit the file acl.<network_interface> in the /etc/opt/SUNWicg/skip/ directory so that the line

        skiphost -i <network_interface> -o on

     reads

        skiphost -i <network_interface> -o off

     to disable SKIP.

  3. Reboot your machine normally to clean up the file system.

  4. Then, as root, you may reconfigure your access control list as your security policy dictates.

System Hangs, But You Still Can Become Root

  1. If your system hangs when you are configuring SKIP and you still have access to your machine and can become root, enter

        # skiphost -o off -i <network_interface>

     This disables SKIP on the network interface.

  2. Then, as root, you may reconfigure your access control list as your security policy dictates.