owampd.pfs(5) owampd.pfs(5)
NAME
owampd.pfs - One-way latency server pass-phrase store
DESCRIPTION
The owampd.pfs file is used to hold the identity/pass-phrase pairs
needed for owampd to authenticate users. The format of this file is
described in the pfstore(1) manual page. The location of this file is
controlled by the -c option to owampd.
owampd uses symmetric AES keys for authentication. These keys are
derived from a shared secret (the pass-phrase) using the PBKDF2 algo-
rithm (RFC 2898) with an HMAC-SHA1 as the pseudorandom function.
Therefore, the owping client must have access to the exact same pass-
phrase that the owampd server uses. Both the client and the server need
to derive the same AES key for authentication to work. It is important
that the system administrator and end user ensure the pass-phrase is
not compromised.
If the owping client is able to authenticate using the identity and
derived AES key, owampd will use the directives found in the
owampd.limits file to map policy restrictions for this connection.
SECURITY CONSIDERATIONS
The pass-phrases in the owampd.pfs file are not encrypted in any way.
(They are simply hex encoded.) The security of these pass-phrases are
completely dependent upon the security of the filesystem and the dis-
cretion of the system administrator.
RESTRICTIONS
Identity names are restricted to 80 characters.
SEE ALSO
pfstore(1), owping(1), owampd(8), owampd.limits(5), and the
http://e2epi.internet2.edu/owamp/ web site.
ACKNOWLEDGMENTS
This material is based in part on work supported by the National Sci-
ence Foundation (NSF) under Grant No. ANI-0314723. Any opinions, find-
ings and conclusions or recommendations expressed in this material are
those of the author(s) and do not necessarily reflect the views of the
NSF.
$Date$ owampd.pfs(5)
