From: Christian Grothoff
Subject: [GNUnet-developers] Re: [Help-gnunet] 'SKEY Rejected from host'
Date: Sun, 24 Mar 2002 22:03:32 -0500

On Sunday 24 March 2002 09:40 pm, you wrote:
> I'm getting SKEY Rejected from host XXX where the host listed is my own;
> does anyone know what this means?

First of all, this is *ok*. Now let me try to explain what must have happened.

In GNUnet, every node has an RSA key, and every SKEY exchange is encrypted 
with that public key. A node resides at a host (IP:port). The host-discovery 
of GNUnet binds the RSA key of the node to the *current* host-address. A list 
of these bindings is in data/hosts.

When you start gnunetd the first time, GNUnet creates a fresh RSA key, stores 
the private key into ~/.gnunet/.hostkey and the binding (current IP, public 
key) into data/hosts. It also forwards this binding to other GNUnet nodes.

If you *ever* delete that hostkey (~/.gnunet/.hostkey) or 'lose' it (e.g. 
because a new version of GNUnet has a different location or because you are 
running gnunetd as a different user and did not copy that file over), you may 
have two nodes (= 2 hostkeys) in GNUnet for the same host (IP:port).

Now if other nodes (or you yourself) send SKEYs to that IP:port for the 
node/hostkey that is now gone/lost, the node that can be reached at this IP 
will not be able to decrypt the SKEY and complain (see message above).


a) don't do anything. This will not do any real harm
b) never delete your hostkey
c) use a *short* expiration time for your hostkey to IP bindings (gnunet.conf)
d) convince the GNUnet hackers that we should check if we have two nodes
    at the same IP:port and in that case drop/ignore the older binding 
    (this may have security implications though, so it's probably not a viable

Somebody who wants to add this to the FAQ?
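The failure mode described in the reply, worked through as an added example (this is not GNUnet code and not the author's; GNUnet's actual hosts file format, message layout and key sizes are not reproduced): a node holds an RSA hostkey, peers keep a (IP:port, public key) binding with an expiry, and an SKEY is a session key encrypted under the bound public key. When the node's hostkey is replaced but a peer still holds the old binding, decryption fails and the node reports the rejection; once the stale binding expires the peer must re-learn the binding before it can send again, which is the point of suggestion c). The field names, the OAEP label and the address are constructed for this example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"time"
)

// Node models one gnunetd: a host address (IP:port) and the RSA hostkey
// that ~/.gnunet/.hostkey holds.
type Node struct {
	Addr string
	Key  *rsa.PrivateKey
}

// Binding is one entry of a peer's hosts table: the public key currently
// claimed for an address, plus when the peer stops trusting it.
// (Field names are this example's choice, not GNUnet's data/hosts format.)
type Binding struct {
	Pub     *rsa.PublicKey
	Expires time.Time
}

var (
	ErrSKEYRejected = errors.New("SKEY Rejected from host")
	ErrNoBinding    = errors.New("no unexpired binding for host")
)

const skeyLabel = "SKEY" // OAEP label, constructed for this example

func mustKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// NewNode is "starting gnunetd for the first time": a fresh hostkey.
func NewNode(addr string) *Node { return &Node{Addr: addr, Key: mustKey()} }

// LoseHostkey is what happens when .hostkey is deleted or not copied over:
// the address stays the same, the key identity changes.
func (n *Node) LoseHostkey() { n.Key = mustKey() }

// Advertise is the (current IP, public key) binding the node forwards to
// other nodes; ttl is the expiration time the reply suggests keeping short.
func (n *Node) Advertise(now time.Time, ttl time.Duration) Binding {
	return Binding{Pub: &n.Key.PublicKey, Expires: now.Add(ttl)}
}

// SendSKEY is the peer side: look up the binding for addr in the hosts
// table and encrypt the session key under that public key.
func SendSKEY(hosts map[string]Binding, addr string, sessionKey []byte, now time.Time) ([]byte, error) {
	b, ok := hosts[addr]
	if !ok || !now.Before(b.Expires) {
		return nil, ErrNoBinding
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, b.Pub, sessionKey, []byte(skeyLabel))
}

// ReceiveSKEY is the node side: decrypt with its own hostkey. If the SKEY
// was encrypted for a different key at this address, decryption fails and
// the node reports the complaint quoted in the thread.
func (n *Node) ReceiveSKEY(ct []byte) ([]byte, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, n.Key, ct, []byte(skeyLabel))
	if err != nil {
		return nil, fmt.Errorf("%w %s", ErrSKEYRejected, n.Addr)
	}
	return pt, nil
}

// Scenario walks through the story in the reply and reports each step:
// the first exchange succeeds, the exchange after the hostkey is lost is
// rejected, the stale binding eventually expires, and after host discovery
// delivers the new binding the exchange succeeds again.
func Scenario() (firstOK, afterLossRejected, staleBindingExpired, afterRediscoveryOK bool) {
	now := time.Date(2002, time.March, 24, 22, 0, 0, 0, time.UTC)
	ttl := 1 * time.Hour
	node := NewNode("192.0.2.10:1234") // constructed address
	hosts := map[string]Binding{node.Addr: node.Advertise(now, ttl)}
	sessionKey := []byte("constructed-16B!")

	ct, err := SendSKEY(hosts, node.Addr, sessionKey, now)
	pt, err2 := node.ReceiveSKEY(ct)
	firstOK = err == nil && err2 == nil && string(pt) == string(sessionKey)

	node.LoseHostkey()
	ct, _ = SendSKEY(hosts, node.Addr, sessionKey, now) // peer still holds the old binding
	_, err = node.ReceiveSKEY(ct)
	afterLossRejected = errors.Is(err, ErrSKEYRejected)

	later := now.Add(2 * ttl)
	_, err = SendSKEY(hosts, node.Addr, sessionKey, later)
	staleBindingExpired = errors.Is(err, ErrNoBinding)

	hosts[node.Addr] = node.Advertise(later, ttl) // host discovery delivers the new binding
	ct, err = SendSKEY(hosts, node.Addr, sessionKey, later)
	pt, err2 = node.ReceiveSKEY(ct)
	afterRediscoveryOK = err == nil && err2 == nil && string(pt) == string(sessionKey)
	return
}

func main() {
	fmt.Println(Scenario())
}
```

Running it prints `true true true true`: the rejection is harmless for the node that logs it (it simply cannot read a message meant for a key it no longer has), and a short binding expiry bounds how long peers keep sending SKEYs for the vanished key.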
