File: README.GPG

package info (click to toggle)
fwknop 1.9.12-2
  • links: PTS, VCS
  • area: main
  • in suites: squeeze
  • size: 1,696 kB
  • ctags: 604
  • sloc: perl: 14,617; ansic: 1,258; sh: 462; makefile: 88
file content (89 lines) | stat: -rw-r--r-- 3,706 bytes parent folder | download
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89

This HOWTO is available online at the following link:

http://www.cipherdyne.org/fwknop/docs/gpghowto.html


If you want to use GnuPG to encrypt communications from the fwknop client to
the fwknopd server, you will need to first create the necessary GnuPG keys on
both the client and server.  If you already have a GnuPG key that you use for
email (or other) encryption, you can safely use this key on the client side
since it will only be used for message signing by fwknop. On the fwknopd
server you will need to create a special GnuPG key that is exclusively used
for fwknop communications. The reason stems from the fact that the password
used to unlock this key must be stored within the /etc/fwknop/access.conf
file; fwknopd must be able to decrypt messages that have been encrypted by an
fwknop client with the server's public key. Hence, it is not a good idea to
use a highly valuable personal GnuPG key on the server. Once you have created
the requisite keys, you will need to import and sign each key into its
"opposite" system; e.g. import and sign the server key into the client's GnuPG
key ring, and vice-versa.

* Note *
Because SPA messages must fit within a single IP packet, it is recommended to
choose a key size of 2048 bits or less for an fwknopd server GnuPG key.  The
process of generating the necessary GnuPG keys from the perspectives of both
the client and server is outlined below. First we generate GnuPG keys and then
export them to ascii files:

    [server]#  gpg --gen-key
    [server]#  gpg --list-keys
    pub   1024D/ABCD1234 2006-05-01
    uid                  fwknop server key
    sub   2048g/EFGH1234 2006-05-01
    [server]#  gpg -a --export ABCD1234 > server.asc

    [client]$  gpg --gen-key
    [client]$  gpg --list-keys
    pub   1024D/1234ABCD 2006-05-01
    uid                  fwknop client key
    sub   2048g/1234EFGH 2006-05-01
    [client]$  gpg -a --export 1234ABCD > client.asc

Next, we transfer the ascii files between the two systems. In this example we
use scp (which will presumably be firewalled off after fwknop is deployed!),
but any other transfer mechanism (ftp, http, etc.) will work:

    [client]$ scp client.asc root@serverhost:

    [server]# scp server.asc user@clienthost:

Now we import and sign each key:
    [server]#  gpg --import client.asc

    [server]#  gpg --edit-key 1234ABCD
    Command> sign

    [client]$  gpg --import server.asc
    [client]$  gpg --edit-key ABCD1234
    Command> sign

On the server side, we need to add several configuration directives to the
/etc/fwknop/access.conf file so that fwknopd uses GnuPG to verify and decrypt
SPA packets and are signed and encrypted with GnuPG. Note that the server key
ID is ABCD1234 and the client key ID is 1234ABCD:

    SOURCE: ANY;
    OPEN_PORTS: tcp/22;
    DATA_COLLECT_MODE: PCAP;
    GPG_REMOTE_ID: 1234ABCD;
    GPG_DECRYPT_ID: ABCD1234;
    GPG_DECRYPT_PW: <your decryption password>;
    GPG_HOME_DIR: /root/.gnupg;
    FW_ACCESS_TIMEOUT: 60;

More information on the access.conf directives above can be found in the
fwknop man pages.  See fwknop(8) and fwknopd(8).  Finally, to see fwknop in
action in GnuPG mode, on the client side we execute the following fwknop
command to gain access to sshd after fwknopd reconfigures the local Netfilter
policy:

    $ fwknop -A tcp/22 --gpg-recip ABCD1234 --gpg-sign 1234ABCD -w -k <host>

On the server side, fwknopd messages such as the following will be written to
syslog:

Jan 14 20:12:37 host fwknopd: adding FWKNOP_INPUT ACCEPT rule for
72.x.x.x -> tcp/22 (10 seconds)
Jan 15 10:13:09 host fwknopd: received valid GnuPG encrypted packet
(signed with required key ID: 1234ABCD) from: 72.x.x.x, remote user: mbr