Adds support for authentication via ssh-agent to charon-cmd (RSA and ECDSA keys
are currently supported).
The new sshkey plugin parses SSH public keys in RFC 4253 format.
SSH public keys can be configured with the left|rightsigkey ipsec.conf option,
which replaces left|rightrsasigkey and takes a public key in one of three
formats: SSH (RFC 4253, ssh: prefix), DNSKEY (RFC 3110, dns: prefix, not the
full RR, only the actual RSA key), or PKCS#1 (the default, no prefix).
As before the keys are either encoded in hex (0x) or base64 (0s).
left|rightsigkey also accepts the path to a file containing a PEM or DER
encoded public key.
The socket path is read from the SSH_AUTH_SOCK environment variable.
So using this with sudo might require the -E command line (or an appropriate
sudoers config) to preserve the environment.
There are issues with some versions of the XML/Ada library on i386,
blocking the build of the testing environment when these tests are run.
TKM tests won't work in such a case but at least make-testing does not
block with this patch.
Fixes#336.
Beside some OS X love, this merge introduces virtual IP and route installation
support on the pfkey/pfroute kernel interfaces.
Each virtual IP gets installed on a dedicated TUN device. As Linux-like source
routes are not supported, routes for the negotiated traffic selectors get
installed using the TUN device.
To prevent IKE packets from using those routes, special exclude routes get
installed to the IKE gateway. This works for most road-warrior deployments, but
certainly does not for some more exotic configurations, such as those using
virtual-IP-to-host. Mobility is not yet supported, either.
If routes installed along with policies covering the peer address affect local
IKE/ESP packets, they won't get routed correctly. To work around this issue,
the kernel interface can install "exclude" routes for the IKE peer. Not all
networking backends require this workaround, hence we export a flag for it
if it is required.
As forwarding policies are not available on all systems (OS X), using the
forward policy to attach the route is a bad pick. Using input policies allows
OS X to install routes.
