Subject: Re: CVS commit: basesrc
To: Jim Wise <jwise@draga.com>
From: None <itojun@iijlab.net>
List: source-changes
Date: 12/29/2000 12:00:42
>> as the following note shows, we cannot use racoon to protect
>> NFS-over-IPsec mounted /usr. it is unfortunate, but the footprint is
>> rather big for static linkage (it has to link libcrypto as well as
>> kerberos libraries). please use manual keys during bootstrap.
>Hmm. That's unfortunate -- it seems to me that in a shop with a large
>number of hosts, especially one otherwise using the new Kerberos IKE
>code, this could be a big management hassle.
anyway you'll need to populate lots of preshared keys, or
lots of certificates, to all the clients. (if you would like to
use kerberos for phase 1 authentication, you need /usr anyways).
>On the other hand, I understand the difficulty in placing such a large
>binary on / by default. I wonder if it would be possible to set a
>mk.conf variable to have usr.sbin/racoon built statically into /sbin?
>It seems that even if not a good default, this should be available as an
>option...
i see, will do.
itojun