'\" t
.\" Title: fwknop
.\" Author: [see the "AUTHORS" section]
.\" Generator: DocBook XSL Stylesheets v1.79.1 <http://docbook.sf.net/>
.\" Date: 06/08/2016
.\" Manual: Fwknop Client
.\" Source: Fwknop Client
.\" Language: English
.\"
.TH "FWKNOP" "8" "06/08/2016" "Fwknop Client" "Fwknop Client"
.\" -----------------------------------------------------------------
.\" * Define some portability stuff
.\" -----------------------------------------------------------------
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.\" http://bugs.debian.org/507673
.\" http://lists.gnu.org/archive/html/groff/2009-02/msg00013.html
.\" ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.ie \n(.g .ds Aq \(aq
.el .ds Aq '
.\" -----------------------------------------------------------------
.\" * set default formatting
.\" -----------------------------------------------------------------
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
.ad l
.\" -----------------------------------------------------------------
.\" * MAIN CONTENT STARTS HERE *
.\" -----------------------------------------------------------------
.SH "NAME"
fwknop \- Firewall Knock Operator
.SH "SYNOPSIS"
.sp
\fBfwknop\fR \fB\-A\fR <\*(Aqproto/ports\*(Aq> \fB\-R\fR|\fB\-a\fR|\fB\-s \-D\fR <\*(Aqhost\*(Aq> [\fIoptions\fR]
.SH "DESCRIPTION"
.sp
\fBfwknop\fR implements an authorization scheme known as Single Packet Authorization (SPA) for strong service concealment\&. SPA requires only a single packet which is encrypted, non\-replayable, and authenticated via an HMAC in order to communicate desired access to a service that is hidden behind a firewall in a default\-drop filtering stance\&. The main application of SPA is to use a firewall to drop all attempts to connect to services such as \fISSH\fR in order to make the exploitation of vulnerabilities (both 0\-day and unpatched code) more difficult\&. Any service that is concealed by SPA naturally cannot be scanned for with \fINmap\fR\&. The fwknop project natively supports four different firewalls: \fIiptables\fR and \fIfirewalld\fR on Linux systems, \fIpf\fR on OpenBSD, and \fIipfw\fR on FreeBSD and Mac OS X\&.
.sp
SPA is essentially next\-generation Port Knocking (PK), but solves many of the limitations exhibited by PK while retaining its core benefits\&. PK limitations include a general difficulty in protecting against replay attacks, the fact that asymmetric ciphers and HMAC schemes are not usually possible to support reliably, and the ease of mounting a DoS attack against a PK server just by spoofing an additional packet into a PK sequence as it traverses the network (thereby convincing the PK server that the client doesn\(cqt know the proper sequence)\&. All of these limitations are solved by SPA\&. At the same time, SPA hides services behind a default\-drop firewall policy, acquires SPA data passively (usually via libpcap or other means), and implements standard cryptographic operations for SPA packet authentication and encryption/decryption\&.
.sp
This is the manual page for the \fBfwknop\fR client which is responsible for constructing SPA packets and sending them over the network\&. The server side is implemented by the \fBfwknopd\fR daemon which sniffs the network for SPA packets and interacts with the local firewall to allow SPA authenticated connections\&. It is recommended to read the \fIfwknopd(8)\fR manual page as well\&. Further detailed information may be found in the tutorial \(lqSingle Packet Authorization: A Comprehensive Guide to Strong Service Concealment with fwknop\(rq available online (see: \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/fwknop\-tutorial\&.html\fR)\&.
.sp
SPA packets generated by \fBfwknop\fR leverage HMAC for authenticated encryption in the encrypt\-then\-authenticate model\&. Although the usage of an HMAC is currently optional (enabled via the \fB\-\-use\-hmac\fR command line switch), it is highly recommended for three reasons: \fI1)\fR without an HMAC, cryptographically strong authentication is not possible with \fBfwknop\fR unless GnuPG is used, but even then an HMAC should still be applied, \fI2)\fR an HMAC applied after encryption protects against cryptanalytic CBC\-mode padding oracle attacks such as the Vaudenay attack and related trickery (like the more recent "Lucky 13" attack against SSL), and \fI3)\fR the code required by the \fBfwknopd\fR daemon to verify an HMAC is much simpler than the code required to decrypt an SPA packet, so an SPA packet without a proper HMAC isn\(cqt even sent through the decryption routines\&. Reason \fI3)\fR is why an HMAC should still be used even when SPA packets are encrypted with GnuPG: SPA data is not sent through \fBlibgpgme\fR functions unless the HMAC checks out first\&. GnuPG and libgpgme are relatively complex bodies of code, and therefore limiting the ability of a potential attacker to interact with this code through an HMAC operation helps to maintain a stronger security stance\&. Generating an HMAC for SPA communications requires a dedicated key in addition to the normal encryption key, and both can be generated with the \fB\-\-key\-gen\fR option\&.
.sp
\fBfwknop\fR encrypts SPA packets either with the \fIRijndael\fR block cipher or via \fIGnuPG\fR and an associated asymmetric cipher\&. If the symmetric encryption method is chosen, then as usual the encryption key is shared between the client and server (see the \fBfwknopd\fR \fI@sysconfdir@/fwknop/access\&.conf\fR file for details)\&. The actual encryption key used for Rijndael encryption is generated via the standard PBKDF1 key derivation algorithm, and CBC mode is set\&. If the GnuPG method is chosen, then the encryption keys are derived from GnuPG key rings\&. SPA packets generated by fwknop running as a client adhere to the following format (before encryption and the HMAC are applied):
.sp
.if n \{\
.RS 4
.\}
.nf
random data (16 digits)
username
timestamp
software version
mode (command mode (0) or access mode (1))
if command mode => command to execute
else access mode => IP,proto,port
message digest (SHA512 / SHA384 / SHA256 / SHA1 / MD5 / SHA3_256 / SHA3_512)
.fi
.if n \{\
.RE
.\}
.sp
Each of the above fields is separated by a ":" character due to the variable length of several of the fields, and those that might contain ":" characters are base64 encoded\&. The message digest (\fBSHA256\fR by default) is part of the data to be encrypted and is independent of the HMAC which is appended to the SPA packet data after encryption\&. The 16 digits of random data (about 53 bits) ensure that no two SPA packets are identical, and this is in addition to and independent of using PBKDF1 for key derivation for Rijndael in CBC mode (which uses an 8\-byte random "salt" value)\&. Because \fBfwknopd\fR tracks the SHA256 digest of all incoming valid SPA packets and throws out duplicates, replay attacks are not feasible against \fBfwknop\fR\&. Syslog alerts are generated if a replay is detected\&.
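.sp
The packet life cycle described above, as an added example (this is not fwknop or libfko code): the colon\-separated field layout with base64 for fields that may contain ":", the SHA256 digest inside the encrypted data, the HMAC appended after encryption and checked before any decryption, and replay rejection keyed on the digest of accepted packets\&. The cipher is a stand\-in (HMAC\-SHA256 in counter mode) rather than the Rijndael\-CBC/PBKDF1 construction fwknop uses, so it does not interoperate with a real fwknopd; the REQUIRE_SOURCE_ADDRESS handling models the access\&.conf variable named later in this page and the 0\&.0\&.0\&.0 convention of the \fB\-s\fR option\&.

```python
"""Toy model of the SPA packet life cycle from the fwknop(8) manual page.

Added example, not fwknop/libfko code. Layout and check order follow the
page; the cipher is a stand-in PRF stream (HMAC-SHA256 in counter mode),
NOT fwknop's Rijndael-CBC with PBKDF1. Does not interoperate with fwknopd.
"""
import base64
import hashlib
import hmac
import os
import secrets
import time

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256


def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


def build_plaintext(username, version, access=None, command=None, now=None, rand=None):
    """Return the SPA plaintext: six ':'-separated fields plus the digest.

    access is 'IP,proto,port' (access mode, 1); command is a string (command mode, 0).
    """
    if (access is None) == (command is None):
        raise ValueError("give exactly one of access or command")
    if rand is None:  # 16 random digits so that no two packets are identical
        rand = "".join(str(secrets.randbelow(10)) for _ in range(16))
    if now is None:
        now = int(time.time())
    mode, payload = ("0", command) if command is not None else ("1", access)
    body = ":".join([rand, b64(username), str(now), version, mode, b64(payload)])
    digest = base64.b64encode(hashlib.sha256(body.encode()).digest()).decode()
    return body + ":" + digest


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # stand-in keystream; the real client uses Rijndael in CBC mode
    out = bytearray()
    for ctr in range((n + 31) // 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return bytes(out[:n])


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def seal(enc_key: bytes, hmac_key: bytes, plaintext: str) -> bytes:
    """Encrypt, then HMAC the ciphertext (encrypt-then-authenticate)."""
    data = plaintext.encode()
    nonce = os.urandom(NONCE_LEN)
    ct = nonce + _xor(data, _keystream(enc_key, nonce, len(data)))
    return ct + hmac.new(hmac_key, ct, hashlib.sha256).digest()


class Server:
    """Check order as the page describes fwknopd: HMAC, decrypt, digest, replay, fields."""

    def __init__(self, enc_key: bytes, hmac_key: bytes, require_source_address=False):
        self.enc_key, self.hmac_key = enc_key, hmac_key
        self.require_source_address = require_source_address
        self.seen = set()  # digests of accepted packets: the replay cache

    def process(self, packet: bytes, src_ip: str):
        if len(packet) < NONCE_LEN + TAG_LEN:
            return False, "too short"
        ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.hmac_key, ct, hashlib.sha256).digest()):
            return False, "bad hmac"  # rejected before the decryption routines ever run
        nonce, body_ct = ct[:NONCE_LEN], ct[NONCE_LEN:]
        pt = _xor(body_ct, _keystream(self.enc_key, nonce, len(body_ct))).decode("ascii", "replace")
        fields = pt.split(":")
        if len(fields) != 7:
            return False, "bad field count"
        try:
            body, digest = pt.rsplit(":", 1)
            digest_ok = hmac.compare_digest(base64.b64decode(digest, validate=True),
                                            hashlib.sha256(body.encode()).digest())
            mode, payload = fields[4], base64.b64decode(fields[5], validate=True).decode("ascii")
        except ValueError:
            return False, "malformed fields"
        if not digest_ok:
            return False, "bad digest"
        if digest in self.seen:
            return False, "replay"  # fwknopd raises a syslog alert at this point
        self.seen.add(digest)
        if mode == "0":
            return True, "command " + payload
        parts = payload.split(",")
        if len(parts) != 3:
            return False, "bad access field"
        ip, proto, port = parts
        if ip == "0.0.0.0":  # the -s form: fall back to the IP header's source address
            if self.require_source_address:
                return False, "source address required"
            ip = src_ip
        return True, f"allow {ip} {proto}/{port}"
```

Replaying the same bytes a second time is refused on the digest, and any flipped bit in the ciphertext or tag is refused at the HMAC step without the stand\-in cipher ever running, which is the property the page gives as reason 3) for using an HMAC\&.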
.sp
By default, the \fBfwknop\fR client sends authorization packets over UDP port 62201, but this can be altered with the \fB\-\-server\-port\fR argument (this requires \fBfwknopd\fR to be configured to acquire SPA data over the selected port)\&. Also, \fBfwknop\fR can send the SPA packet over a random port via the \fB\-\-rand\-port\fR argument\&. See \fIfwknopd(8)\fR for further details\&. See the \fBEXAMPLES\fR section for example invocations of the \fBfwknop\fR client\&.
.sp
The \fBfwknop\fR client is quite portable, and is known to run on various Linux distributions (all major distros and embedded ones such as OpenWRT as well), FreeBSD, OpenBSD, and Cygwin on Windows\&. There is also a library \fBlibfko\fR that both \fBfwknop\fR and \fBfwknopd\fR use for SPA packet encryption/decryption and HMAC authentication operations\&. This library can be used to allow third party applications to use SPA subject to the terms of the GNU General Public License (GPL v2+)\&.
.SH "REQUIRED ARGUMENTS"
.sp
These required arguments can be specified via command\-line or from within the \fI~/\&.fwknoprc\fR file (see \fI\-n, \-\-named\-config\fR option and the FWKNOPRC FILE section below)\&.
.PP
\fB\-A, \-\-access\fR=\fI<port list>\fR
.RS 4
Provide a list of ports and protocols to access on a remote computer running
\fBfwknopd\fR\&. The format of this list is \(lq<proto>/<port>,\&...,<proto>/<port>\(rq, e\&.g\&. \(lqtcp/22,udp/53\(rq\&.
\fBNOTE:\fR
The vast majority of usages for
\fBfwknop\fR
require the
\fB\-A\fR
argument, but sending full commands with the
\fB\-\-server\-cmd\fR
argument via an SPA packet to be executed by
\fBfwknopd\fR
does not require this argument\&.
.RE
.PP
\fB\-D, \-\-destination\fR=\fI<hostname/IP\-address>\fR
.RS 4
Direct the
\fBfwknop\fR
client to authenticate with the
\fBfwknopd\fR
daemon/service at the specified destination hostname or IP address\&. The connection mode is discovered by the
\fBfwknopd\fR
daemon/service when it decrypts and parses the authentication packet\&.
.RE
.PP
\fB\-R|\-a|\-s\fR
.RS 4
One of these options (see below) is required to tell the remote
\fBfwknopd\fR
daemon what IP should be allowed through the firewall\&. It is recommended to use the
\fB\-R\fR
or
\fB\-a\fR
options instead of
\fB\-s\fR
in order to harden SPA communications against possible
\fIMan\-In\-The\-Middle\fR
(MITM) attacks, and on the server side set the
\fIREQUIRE_SOURCE_ADDRESS\fR
variable in the
\fI@sysconfdir@/fwknop/access\&.conf\fR
file\&. Note that the most secure option is
\fB\-a\fR
so that
\fBfwknop\fR
does not have to issue any HTTPS request to
\fIhttps://www\&.cipherdyne\&.org/cgi\-bin/myip\fR
in order to resolve the externally routable IP address\&. Using
\fB\-a\fR
requires that the user already knows what the external IP is for the network where fwknop is running\&.
.RE
.SH "GENERAL OPTIONS"
.PP
\fB\-h, \-\-help\fR
.RS 4
Print a usage summary message and exit\&.
.RE
.PP
\fB\-G, \-\-get\-key\fR=\fI<file>\fR
.RS 4
Load an encryption key/password from the specified file\&. The key file contains a line for each destination hostname or IP address, a colon (":"), optional space and the password, followed by a newline\&. Note that the last line has to have a terminating newline character\&. Also note: though this is a convenience, having a file on your system with clear text passwords is not a good idea and is not recommended\&. Having the
\fBfwknop\fR
client prompt you for the key is generally more secure\&. Note also that if a key is stored on disk, the
\fBfwknop\fR
rc file is a more powerful mechanism for specifying not only the key but other options as well\&.
.RE
.PP
\fB\-\-stdin\fR
.RS 4
Read the encryption key/password from stdin\&. This can be used to send the data via a pipe, for example\&. This option is similar to \fB\-\-fd 0\fR\&.
.RE
.PP
\fB\-\-fd\fR=\fI<number>\fR
.RS 4
Specify the file descriptor number to read the key/password from\&. This option avoids prompting the user for a password if none has been found in the user specific stanza and none has been supplied on the command line\&. A file descriptor set to 0 is similar to the \fB\-\-stdin\fR option\&.
.RE
.PP
\fB\-\-get\-hmac\-key\fR=\fI<file>\fR
.RS 4
Load an HMAC key/password from the specified file\&. Similarly to the format for the
\fB\-\-get\-key\fR
option, the HMAC key file contains a line for each destination hostname or IP address, a colon (":"), optional space and the password, followed by a newline\&. Note that the last line has to have a terminating newline character\&. Also note: though this is a convenience, having a file on your system with clear text passwords is not a good idea and is not recommended\&. Having the
\fBfwknop\fR
client prompt you for the HMAC key is generally more secure\&. Note also that if a key is stored on disk, the
\fBfwknop\fR
rc file is a more powerful mechanism for specifying not only the HMAC key but other options as well\&.
.RE
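.sp
The key file format shared by \fB\-\-get\-key\fR and \fB\-\-get\-hmac\-key\fR, as an added example (not fwknop code): one line per destination, a colon, optional space and the key, with every line including the last terminated by a newline\&. The file\-mode check reflects the warning above about clear text keys on disk and is an added defensive check, not a behaviour the page attributes to fwknop; skipping blank and "#" lines is an assumption, and the sample file contents are constructed\&.

```python
"""Parser and permission check for the --get-key / --get-hmac-key file format
in the fwknop(8) manual page. Added example, not fwknop code.

Format per the page: '<host>:<optional space><key>' per line, newline
terminated, including the last line. Blank/comment handling is an assumption.
"""
import os
import stat


def parse_key_file(text: str) -> dict:
    """Return {destination: key}; raise ValueError on any format violation."""
    if not text.endswith("\n"):
        raise ValueError("key file must end with a terminating newline")
    keys = {}
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: blank and comment lines are skipped
            continue
        # split on the first ':' only; a literal IPv6 destination would collide with this
        host, sep, key = line.partition(":")
        host, key = host.strip(), key.lstrip()  # "optional space" after the colon
        if not sep or not host or not key:
            raise ValueError(f"line {lineno}: expected '<host>: <key>'")
        if host in keys:
            raise ValueError(f"line {lineno}: duplicate entry for {host}")
        keys[host] = key
    return keys


def mode_is_private(st_mode: int) -> bool:
    """True when no group or other permission bits are set (e.g. mode 0600)."""
    return (st_mode & (stat.S_IRWXG | stat.S_IRWXO)) == 0


def load_key(path: str, destination: str) -> str:
    """Refuse a group/world-accessible key file, then return the key for destination."""
    if not mode_is_private(os.stat(path).st_mode):
        raise PermissionError(f"{path} is accessible by group/other; expected mode 0600")
    with open(path, encoding="utf-8") as fh:
        keys = parse_key_file(fh.read())
    if destination not in keys:
        raise KeyError(f"no key for destination {destination!r} in {path}")
    return keys[destination]


# constructed sample in the page's format; the key values are made up
SAMPLE = "spa.example.com: mBG4dR7vC1xQ\n203.0.113.7:secondkey\n"
```

The same parser serves both options because the page gives both files the same format; only the key it yields differs\&.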
.PP
\fB\-\-key\-gen\fR
.RS 4
Have
\fBfwknop\fR
generate both Rijndael and HMAC keys that can be used for SPA packet encryption and authentication\&. These keys are derived from /dev/urandom and then base64 encoded before being printed to stdout, and are meant to be included within the \(lq$HOME/\&.fwknoprc\(rq file (or the file referenced by
\fB\-\-get\-key\fR)\&. Such keys are generally more secure than passphrases that are typed in from the command line\&.
.RE
.PP
\fB\-\-key\-gen\-file\fR=\fI<file>\fR
.RS 4
Write generated keys to the specified file\&. Note that the file is overwritten if it already exists\&. If this option is not given, then
\fB\-\-key\-gen\fR
writes the keys to stdout\&.
.RE
.PP
\fB\-\-key\-len\fR=\fI<length>\fR
.RS 4
Specify the number of bytes for a generated Rijndael key\&. The maximum size is currently 128 bytes\&.
.RE
.PP
\fB\-\-hmac\-key\-len\fR=\fI<length>\fR
.RS 4
Specify the number of bytes for a generated HMAC key\&. The maximum size is currently 128 bytes\&.
.RE
.PP
\fB\-l, \-\-last\-cmd\fR
.RS 4
Execute
\fBfwknop\fR
with the command\-line arguments from the previous invocation (if any)\&. The previous arguments are parsed out of the
\fI~/\&.fwknop\&.run\fR
file\&.
.RE
.PP
\fB\-n, \-\-named\-config\fR=\fI<stanza name>\fR
.RS 4
Specify the name of the configuration stanza in the \(lq$HOME/\&.fwknoprc\(rq file to pull configuration and command directives\&. These named stanzas alleviate the need for remembering the various command\-line arguments for frequently used invocations of
\fBfwknop\fR\&. See the FWKNOPRC FILE section below for a list of the valid configuration directives in the
\fI\&.fwknoprc\fR
file\&.
.RE
.PP
\fB\-\-key\-rijndael\fR=\fI<key>\fR
.RS 4
Specify the Rijndael key on the command line\&. Since the key may be visible to utilities such as
\fIps\fR
under Unix, this form should only be used where security is not critical\&. Having the
\fBfwknop\fR
client either prompt you for the key or acquire via the \(lq$HOME/\&.fwknoprc\(rq file is generally more secure\&.
.RE
.PP
\fB\-\-key\-base64\-rijndael\fR=\fI<key>\fR
.RS 4
Specify the base64 encoded Rijndael key\&. Since the key may be visible to utilities such as
\fIps\fR
under Unix, this form should only be used where security is not critical\&. Having the
\fBfwknop\fR
client either prompt you for the key or acquire via the \(lq$HOME/\&.fwknoprc\(rq file is generally more secure\&.
.RE
.PP
\fB\-\-key\-base64\-hmac\fR=\fI<key>\fR
.RS 4
Specify the base64 encoded HMAC key\&. Since the key may be visible to utilities such as
\fIps\fR
under Unix, this form should only be used where security is not critical\&. Having the
\fBfwknop\fR
client either prompt you for the key or acquire via the \(lq$HOME/\&.fwknoprc\(rq file is generally more secure\&.
.RE
.PP
\fB\-\-key\-hmac\fR=\fI<key>\fR
.RS 4
Specify the raw HMAC key (not base64 encoded)\&. Since the key may be visible to utilities such as
\fIps\fR
under Unix, this form should only be used where security is not critical\&. Having the
\fBfwknop\fR
client either prompt you for the key or acquire via the \(lq$HOME/\&.fwknoprc\(rq file is generally more secure\&.
.RE
.PP
\fB\-\-rc\-file\fR=\fI<file>\fR
.RS 4
Specify path to the
\fBfwknop\fR
rc file (default is \(lq$HOME/\&.fwknoprc\(rq)\&.
.RE
.PP
\fB\-\-no\-rc\-file\fR
.RS 4
Perform
\fBfwknop\fR
client operations without referencing the \(lq$HOME/\&.fwknoprc\(rq file\&.
.RE
.PP
\fB\-\-no\-home\-dir\fR
.RS 4
Do not allow the
\fBfwknop\fR
client to look for the home directory associated with the user\&.
.RE
.PP
\fB\-\-save\-rc\-stanza\fR=\fI<stanza name>\fR
.RS 4
Save command line arguments to the \(lq$HOME/\&.fwknoprc\(rq stanza specified with the
\fB\-n\fR
option\&. If the
\fB\-n\fR
option is omitted, then the stanza name will default to the destination server value (hostname or IP) given with the
\fB\-D\fR
argument\&.
.RE
.PP
\fB\-\-force\-stanza\fR
.RS 4
Used with
\fB\-\-save\-rc\-stanza\fR
to overwrite all of the variables for the specified stanza\&.
.RE
.PP
\fB\-\-stanza\-list\fR
.RS 4
Dump a list of the stanzas found in \(lq$HOME/\&.fwknoprc\(rq\&.
.RE
.PP
\fB\-\-show\-last\fR
.RS 4
Display the last command\-line arguments used by
\fBfwknop\fR\&.
.RE
.PP
\fB\-E, \-\-save\-args\-file\fR=\fI<file>\fR
.RS 4
Save command line arguments to a specified file path\&. Without this option, and when
\fB\-\-no\-save\-args\fR
is not also specified, the default save args path is
\fI~/\&.fwknop\&.run\fR\&.
.RE
.PP
\fB\-\-no\-save\-args\fR
.RS 4
Do not save the command line arguments given when
\fBfwknop\fR
is executed\&.
.RE
.PP
\fB\-T, \-\-test\fR
.RS 4
Test mode\&. Generate the SPA packet data, but do not send it\&. Instead, print a break\-down of the SPA data fields, then run the data through the decryption and decoding process and print the break\-down again\&. This is primarily a debugging feature\&.
.RE
.PP
\fB\-B, \-\-save\-packet\fR=\fI<file>\fR
.RS 4
Instruct the
\fBfwknop\fR
client to write a newly created SPA packet out to the specified file so that it can be examined off\-line\&.
.RE
.PP
\fB\-b, \-\-save\-packet\-append\fR
.RS 4
Append the generated packet data to the file specified with the
\fB\-B\fR
option\&.
.RE
.PP
\fB\-\-fault\-injection\-tag\fR=\fI<tag>\fR
.RS 4
This option is only used for fault injection testing when
\fBfwknop\fR
is compiled to support the libfiu library (see:
\fIhttp://blitiri\&.com\&.ar/p/libfiu/\fR)\&. Under normal circumstances this option is not used, and any packaged version of fwknop will not have code compiled in so this capability is not enabled at run time\&. It is documented here for completeness\&.
.RE
.PP
\fB\-v, \-\-verbose\fR
.RS 4
Run the
\fBfwknop\fR
client in verbose mode\&. This causes
\fBfwknop\fR
to print some extra information about the current command and the resulting SPA data\&.
.RE
.PP
\fB\-V, \-\-version\fR
.RS 4
Display version information and exit\&.
.RE
.SH "SPA OPTIONS"
.PP
\fB\-\-use\-hmac\fR
.RS 4
Set HMAC mode for authenticated encryption of SPA communications\&. As of
\fBfwknop\fR
2\&.5, this is an optional feature, but this will become the default in a future release\&.
.RE
.PP
\fB\-a, \-\-allow\-ip\fR=\fI<IP\-address>\fR
.RS 4
Specify IP address that should be permitted through the destination
\fBfwknopd\fR
server firewall (this IP is encrypted within the SPA packet itself)\&. This is useful to prevent a MITM attack where an SPA packet can be intercepted en\-route and sent from a different IP than the original\&. Hence, if the
\fBfwknopd\fR
server trusts the source address on the SPA packet IP header then the attacker gains access\&. The
\fB\-a\fR
option puts the source address within the encrypted SPA packet, and so thwarts this attack\&. The
\fB\-a\fR
option is also useful to specify the IP that will be granted access when the SPA packet itself is spoofed with the
\fB\-\-spoof\-src\fR
option\&. Another related option is
\fB\-R\fR
(see below) which instructs the
\fBfwknop\fR
client to automatically resolve the externally routable IP address the local system is connected to by querying
\fIhttps://www\&.cipherdyne\&.org/cgi\-bin/myip\fR\&. This returns the actual IP address it sees from the calling system\&.
.RE
.PP
\fB\-g, \-\-gpg\-encryption\fR
.RS 4
Use GPG encryption on the SPA packet (default if not specified is Rijndael)\&.
\fBNote:\fR
Use of this option will also require a GPG recipient (see
\fB\-\-gpg\-recipient\fR
along with other GPG\-related options below)\&.
.RE
.PP
\fB\-\-hmac\-digest\-type\fR=\fI<digest>\fR
.RS 4
Set the HMAC digest algorithm for authenticated encryption of SPA packets\&. Choices are:
\fBMD5\fR,
\fBSHA1\fR,
\fBSHA256\fR
(the default),
\fBSHA384\fR,
\fBSHA512\fR,
\fBSHA3_256\fR, and
\fBSHA3_512\fR\&.
.RE
.PP
\fB\-N, \-\-nat\-access\fR=\fI<internalIP:forwardPort>\fR
.RS 4
The
\fBfwknopd\fR
server offers the ability to provide SPA access through an iptables firewall to an internal service by interfacing with the iptables NAT capabilities\&. So, if the
\fBfwknopd\fR
server is protecting an internal network on an RFC\-1918 address space, an external
\fBfwknop\fR
client can request that the server port forward an external port to an internal IP, i\&.e\&. \(lq\-\-nat\-access 192\&.168\&.10\&.2,55000\(rq\&. In this case, access will be granted to 192\&.168\&.10\&.2 via port 55000 to whatever service is requested via the
\fB\-\-access\fR
argument (usually tcp/22)\&. Hence, after sending such an SPA packet, one would then do \(lqssh \-p 55000
user@host\(rq and the connection would be forwarded on through to the internal 192\&.168\&.10\&.2 system automatically\&. Note that the port \(lq55000\(rq can be randomly generated via the
\fB\-\-nat\-rand\-port\fR
argument (described later)\&.
.RE
.PP
\fB\-\-nat\-local\fR
.RS 4
On the
\fBfwknopd\fR
server, a NAT operation can apply to the local system instead of being forwarded through the system\&. That is, for iptables firewalls, a connection to, say, port 55000 can be translated to port 22 on the local system\&. By making use of the
\fB\-\-nat\-local\fR
argument, the
\fBfwknop\fR
client can be made to request such access\&. This means that any external attacker would only see a connection over port 55000 instead of the expected port 22 after the SPA packet is sent\&.
.RE
.PP
\fB\-\-nat\-port\fR
.RS 4
Usually
\fBfwknop\fR
is used to request access to a specific port such as tcp/22 on a system running
\fBfwknopd\fR\&. However, by using the
\fB\-\-nat\-port\fR
argument, it is possible to request access to a particular service (again, such as tcp/22), but have this access granted via the specified port (so, the
\fB\-p\fR
argument would then be used on the
\fISSH\fR
client command line)\&. See the
\fB\-\-nat\-local\fR
and
\fB\-\-nat\-access\fR
command line arguments to
\fBfwknop\fR
for additional details on gaining access to services via a NAT operation\&.
.RE
.PP
\fB\-\-nat\-rand\-port\fR
.RS 4
Usually
\fBfwknop\fR
is used to request access to a specific port such as tcp/22 on a system running
\fBfwknopd\fR\&. However, by using the
\fB\-\-nat\-rand\-port\fR
argument, it is possible to request access to a particular service (again, such as tcp/22), but have this access granted via a random translated port\&. That is, once the
\fBfwknop\fR
client has been executed in this mode and the random port selected by
\fBfwknop\fR
is displayed, the destination port used by the follow\-on client must be changed to match this random port\&. For
\fISSH\fR, this is accomplished via the
\fB\-p\fR
argument\&. See the
\fB\-\-nat\-local\fR
and
\fB\-\-nat\-access\fR
command line arguments to
\fBfwknop\fR
for additional details on gaining access to services via a NAT operation\&.
.RE
.PP
\fB\-p, \-\-server\-port\fR=\fI<port>\fR
.RS 4
Specify the port number where
\fBfwknopd\fR
accepts packets via libpcap or ulogd pcap writer\&. By default
\fBfwknopd\fR
looks for authorization packets over UDP port 62201\&.
.RE
.PP
\fB\-P, \-\-server\-proto\fR=\fI<protocol>\fR
.RS 4
Set the protocol (udp, tcp, http, udpraw, tcpraw, or icmp) for the outgoing SPA packet\&. Note: The
\fBudpraw\fR,
\fBtcpraw\fR, and
\fBicmp\fR
modes use raw sockets and thus require root access to run\&. Also note: The
\fBtcp\fR
mode expects to establish a TCP connection to the server before sending the SPA packet\&. This is not normally done, but is useful for compatibility with Tor for strong anonymity; see
\fIhttp://tor\&.eff\&.org/\fR\&. In this case, the
\fBfwknopd\fR
server will need to be configured to listen on the target TCP port (which is 62201 by default)\&.
.RE
.PP
\fB\-Q, \-\-spoof\-src\fR=\fI<IP>\fR
.RS 4
Spoof the source address from which the
\fBfwknop\fR
client sends SPA packets\&. This requires root access on the client side since a raw socket is needed to accomplish this\&. Note that the
\fB\-\-spoof\-user\fR
argument can be given in this mode in order to pass any
\fBREQUIRE_USERNAME\fR
keyword that might be specified in
\fI@sysconfdir@/fwknop/access\&.conf\fR\&.
.RE
.PP
\fB\-r, \-\-rand\-port\fR
.RS 4
Instruct the
\fBfwknop\fR
client to send an SPA packet over a random destination port between 10000 and 65535\&. The
\fBfwknopd\fR
server must use a
\fBPCAP_FILTER\fR
variable that is configured to accept such packets\&. For example, the
\fBPCAP_FILTER\fR
variable could be set to: \(lqudp dst portrange 10000\-65535\(rq\&.
.RE
.PP
\fB\-R, \-\-resolve\-ip\-https\fR
.RS 4
This is an important option, and instructs the
\fBfwknop\fR
client to issue an HTTPS request to a script running on
\fIcipherdyne\&.org\fR
that returns the client\(cqs IP address (as seen by the web server)\&. In some cases, this is needed to determine the IP address that should be allowed through the firewall policy at the remote
\fBfwknopd\fR
server side\&. This option is useful if the
\fBfwknop\fR
client is being used on a system that is behind an obscure NAT address, and the external Internet facing IP is not known to the user\&. The full resolution URL is:
\fIhttps://www\&.cipherdyne\&.org/cgi\-bin/myip\fR, and is accessed by
\fBfwknop\fR
via
\fIwget\fR
in
\fB\-\-secure\-protocol\fR
mode\&. Note that it is generally more secure to use the
\fB\-a\fR
option if the externally routable IP address for the client is already known to the user since this eliminates the need for
\fBfwknop\fR
to issue any sort of HTTPS request\&.
.RE
.PP
\fB\-\-resolve\-url\fR \fI<url>\fR
.RS 4
Override the default URL used for resolving the source IP address\&. For best results, the URL specified here should point to a web service that provides just an IP address in the body of the HTTP response\&.
.RE
.PP
\fB\-\-resolve\-http\-only\fR
.RS 4
This option forces the
\fBfwknop\fR
client to resolve the external IP via HTTP instead of HTTPS\&. There are some circumstances where this might be necessary such as when
\fIwget\fR
is not available (or hasn\(cqt been compiled with SSL support), but generally this is not recommended since it opens the possibility of a MITM attack through manipulation of the IP resolution HTTP response\&. Either specify the IP manually with
\fB\-a\fR, or use
\fB\-R\fR
and omit this option\&.
.RE
.PP
\fB\-w, \-\-wget\-cmd\fR=\fI<wget full path>\fR
.RS 4
Manually set the full path to the
\fIwget\fR
command\&. Normally the
\fIconfigure\fR
script finds the
\fIwget\fR
command, but this option can be used to specify the path if it is located in a non\-standard place\&.
.RE
.PP
\fB\-s, \-\-source\-ip\fR
.RS 4
Instruct the
\fBfwknop\fR
client to form an SPA packet that contains the special\-case IP address \(lq0\&.0\&.0\&.0\(rq which will inform the destination
\fBfwknopd\fR
SPA server to use the source IP address from which the SPA packet originates as the IP that will be allowed through upon modification of the firewall ruleset\&. This option is useful if the
\fBfwknop\fR
client is deployed on a machine that is behind a NAT device and the external IP is not known\&. However, usage of this option is not recommended, and either the
\fB\-a\fR
or
\fB\-R\fR
options should be used instead\&. The permit\-address options
\fB\-s\fR,
\fB\-R\fR
and
\fB\-a\fR
are mutually exclusive\&.
.RE
.PP
\fB\-S, \-\-source\-port\fR=\fI<port>\fR
.RS 4
Set the source port for outgoing SPA packet\&.
.RE
.PP
\fB\-\-server\-resolve\-ipv4\fR
.RS 4
This option forces the
\fBfwknop\fR
client to only accept an IPv4 address from DNS when a hostname is used for the SPA server\&. This is necessary in some cases where DNS may return both IPv6 and IPv4 addresses\&.
.RE
.PP
\fB\-f, \-\-fw\-timeout\fR=\fI<seconds>\fR
.RS 4
Specify the length of time (seconds) that the remote firewall rule that grants access to a service is to remain active\&. The default maintained by
\fBfwknopd\fR
is 30 seconds, but any established connection can be kept open after the initial accept rule is deleted through the use of a connection tracking mechanism that may be offered by the firewall\&.
.RE
.PP
\fB\-C, \-\-server\-cmd\fR=\fI<command to execute>\fR
.RS 4
Instead of requesting access to a service with an SPA packet, the
\fB\-\-server\-cmd\fR
argument specifies a command that will be executed by the
\fBfwknopd\fR
server\&. The command is encrypted within the SPA packet and sniffed off the wire (as usual) by the
\fBfwknopd\fR
server\&.
.RE
.PP
\fB\-H, \-\-http\-proxy\fR=\fI<proxy\-host>[:port]\fR
.RS 4
Specify an HTTP proxy that the
\fBfwknop\fR
client will use to send the SPA packet through\&. Using this option will automatically set the SPA packet transmission mode (usually set via the
\fB\-\-server\-proto\fR
argument) to "http"\&. You can also specify the proxy port by adding ":<port>" to the proxy host name or ip\&.
.RE
.PP
\fB\-m, \-\-digest\-type\fR=\fI<digest>\fR
.RS 4
Specify the message digest algorithm to use in the SPA data\&. Choices are:
\fBMD5\fR,
\fBSHA1\fR,
\fBSHA256\fR
(the default),
\fBSHA384\fR,
\fBSHA512\fR,
\fBSHA3_256\fR, and
\fBSHA3_512\fR\&.
.RE
.PP
\fB\-M, \-\-encryption\-mode\fR=\fI<mode>\fR
.RS 4
Specify the encryption mode when AES is used for encrypting SPA packets\&. The default is CBC mode, but others can be chosen such as CFB or OFB as long as this is also specified in the
\fI@sysconfdir@/fwknop/access\&.conf\fR
file on the server side via the ENCRYPTION_MODE variable\&. In general, it is recommended to not include this argument and let the default (CBC) apply\&. Note that the string \(lqlegacy\(rq can be specified in order to generate SPA packets with the old initialization vector strategy used by versions of
\fBfwknop\fR
prior to 2\&.5\&. With the 2\&.5 release,
\fBfwknop\fR
generates initialization vectors in a manner that is compatible with OpenSSL via the PBKDF1 algorithm\&.
.RE
.PP
\fB\-\-time\-offset\-plus\fR=\fI<time>\fR
.RS 4
By default, the
\fBfwknopd\fR
daemon on the server side enforces time synchronization between the clocks running on client and server systems\&. The
\fBfwknop\fR
client places the local time within each SPA packet as a time stamp to be validated by the fwknopd server after decryption\&. However, in some circumstances, if the clocks are out of sync and the user on the client system does not have the required access to change the local clock setting, it can be difficult to construct an SPA packet with a time stamp the server will accept\&. In this situation, the
\fB\-\-time\-offset\-plus\fR
option can allow the user to specify an offset (e\&.g\&. \(lq60sec\(rq \(lq60min\(rq \(lq2days\(rq etc\&.) that is added to the local time\&.
.RE
.PP
\fB\-\-time\-offset\-minus\fR=\fI<time>\fR
.RS 4
This is similar to the
\fB\-\-time\-offset\-plus\fR
option (see above), but subtracts the specified time offset instead of adding it to the local time stamp\&.
.RE
.PP
\fB\-u, \-\-user\-agent\fR=\fI<user\-agent\-string>\fR
.RS 4
Set the HTTP User\-Agent for resolving the external IP via
\fB\-R\fR, or for sending SPA packets over HTTP\&.
.RE
.PP
\fB\-\-use\-wget\-user\-agent\fR
.RS 4
By default when the
\fBfwknop\fR
client resolves the external IP with
\fBwget\fR
via SSL, it sets the User\-Agent to \(lqFwknop/<version>\(rq unless it was already manually specified with the
\fB\-\-user\-agent\fR
option mentioned above\&. However, the
\fB\-\-use\-wget\-user\-agent\fR
option lets the default
\fBwget\fR
User\-Agent string apply without influence from
\fBfwknop\fR\&.
.RE
.PP
\fB\-U, \-\-spoof\-user\fR=\fI<user>\fR
.RS 4
Specify the username that is included within SPA packet\&. This allows the
\fBfwknop\fR
client to satisfy any non\-root
\fBREQUIRE_USERNAME\fR
keyword on the fwknopd server (\fB\-\-spoof\-src\fR
mode requires that the
\fBfwknop\fR
client is executed as root)\&.
.RE
.PP
\fB\-\-icmp\-type\fR=\fI<type>\fR
.RS 4
In
\fB\-P icmp\fR
mode, specify the ICMP type value that will be set in the SPA packet ICMP header\&. The default is echo reply\&.
.RE
.PP
\fB\-\-icmp\-code\fR=\fI<code>\fR
.RS 4
In
\fB\-P icmp\fR
mode, specify the ICMP code value that will be set in the SPA packet ICMP header\&. The default is zero\&.
.RE
.SH "GPG OPTIONS"
.sp
Note that the usage of GPG for SPA encryption/decryption can and should involve GPG keys that are signed by each side (client and server)\&. The basic procedure for this involves the following steps after the client key has been transferred to the server and vice\-versa:
.sp
.if n \{\
.RS 4
.\}
.nf
[spaserver]# gpg \-\-import client\&.asc
[spaserver]# gpg \-\-edit\-key 1234ABCD
Command> sign
[spaclient]$ gpg \-\-import server\&.asc
[spaclient]$ gpg \-\-edit\-key ABCD1234
Command> sign
.fi
.if n \{\
.RE
.\}
.sp
More comprehensive information on this can be found here: \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/gpghowto\&.html\fR\&.
.PP
\fB\-\-gpg\-agent\fR
.RS 4
Instruct
\fBfwknop\fR
to acquire GnuPG key password from a running gpg\-agent instance (if available)\&.
.RE
.PP
\fB\-\-gpg\-home\-dir\fR=\fI<dir>\fR
.RS 4
Specify the path to the GnuPG directory; normally this path is derived from the home directory of the user that is running the
\fBfwknop\fR
client (so the default is
\fI~/\&.gnupg\fR)\&. This is useful when a \(lqroot\(rq user wishes to log into a remote machine whose sshd daemon/service does not permit root login\&.
.RE
.PP
\fB\-\-gpg\-recipient\fR=\fI<key ID or Name>\fR
.RS 4
Specify the GnuPG key ID, e\&.g\&. \(lq1234ABCD\(rq (see the output of \(lqgpg \-\-list\-keys\(rq) or the key name (associated email address) of the recipient of the Single Packet Authorization message\&. This key is imported by the
\fBfwknopd\fR
server and the associated private key is used to decrypt the SPA packet\&. The recipient\(cqs key must first be imported into the client GnuPG key ring\&.
.RE
.PP
\fB\-\-gpg\-signer\-key\fR=\fI<key ID or Name>\fR
.RS 4
Specify the GnuPG key ID, e\&.g\&. \(lqABCD1234\(rq (see the output of \(lqgpg \-\-list\-keys\(rq) or the key name to use when signing the SPA message\&. The user is prompted for the associated GnuPG password to create the signature\&. This adds a cryptographically strong mechanism to allow the
\fBfwknopd\fR
daemon on the remote server to authenticate who created the SPA message\&.
.RE
.PP
\fB\-\-gpg\-no\-signing\-pw\fR
.RS 4
Instruct
\fBfwknop\fR
to not acquire a passphrase for usage of the GnuPG signing key\&. This option is provided to make SPA packet construction easier for client\-side operations in automated environments where the passphrase for the signing key has been removed from the GnuPG key ring\&. However, it is usually better to leverage
\fIgpg\-agent\fR
instead of using this option\&.
.RE
.SH "FWKNOPRC FILE"
.sp
The \fI\&.fwknoprc\fR file is used to set various parameters to override default program parameters at runtime\&. It also allows for additional named configuration \fIstanzas\fR for setting program parameters for a particular invocation\&.
.sp
The \fBfwknop\fR client will create this file if it does not exist in the user\(cqs home directory\&. This initial version has some sample directives that are commented out\&. It is up to the user to edit this file to meet their needs\&.
.sp
The \fI\&.fwknoprc\fR file contains a default configuration area or stanza which holds global configuration directives that override the program defaults\&. You can edit this file and create additional \fInamed stanzas\fR that can be specified with the \fB\-n\fR or \fB\-\-named\-config\fR option\&. Parameters defined in the named stanzas will override any matching \fIdefault\fR stanza directives\&. Note that command\-line options will still override any corresponding \fI\&.fwknoprc\fR directives\&.
.sp
There are directives to match most of the command\-line parameters \fBfwknop\fR supports\&. Here is the current list of each directive along with a brief description and its matching command\-line option(s):
.PP
\fBSPA_SERVER\fR \fI<hostname/IP\-address>\fR
.RS 4
Specify the hostname or IP of the destination (\fBfwknopd\fR) server (\fI\-D, \-\-destination\fR)\&.
.RE
.PP
\fBALLOW_IP\fR \fI<IP\-address>\fR
.RS 4
Specify the address to allow within the SPA data\&. Note: This parameter covers the
\fB\-a\fR,
\fB\-s\fR, and
\fB\-R\fR
command\-line options\&. You can specify a hostname or IP address (the
\fB\-a\fR
option), specify the word "source" to tell the
\fBfwknopd\fR
server to accept the source IP of the packet as the IP to allow (the
\fB\-s\fR
option), or use the word "resolve" to have
\fBfwknop\fR
resolve the external network IP via HTTP request (the
\fB\-R\fR
option)\&.
.RE
.PP
\fBACCESS\fR \fI<port list>\fR
.RS 4
Set one or more protocol/port pairs to open on the firewall (\fI\-A, \-\-access\fR)\&. The format of this list is \(lq<proto>/<port>,\&.\&.\&.,<proto>/<port>\(rq, e\&.g\&. \(lqtcp/22,udp/53\(rq\&.
.RE
.PP
\fBSPA_SERVER_PORT\fR \fI<port>\fR
.RS 4
Set the server port to use for sending the SPA packet (\fI\-p, \-\-server\-port\fR)\&.
.RE
.PP
\fBSPA_SERVER_PROTO\fR \fI<protocol>\fR
.RS 4
Set the protocol to use for sending the SPA packet (\fI\-P, \-\-server\-proto\fR)\&.
.RE
.PP
\fBKEY\fR \fI<passphrase>\fR
.RS 4
This is the passphrase that is used for SPA packet encryption and applies to both the Rijndael and GPG encryption modes\&. The actual encryption key that is used for Rijndael is derived from the passphrase via the PBKDF1 algorithm, and the GPG key is taken from the specified GPG key ring\&.
.RE
.PP
\fBKEY_BASE64\fR \fI<base64 encoded passphrase>\fR
.RS 4
Specify the encryption passphrase as a base64 encoded string\&. This allows non\-ascii characters to be included in the base64\-decoded key\&.
.RE
.PP
\fBUSE_HMAC\fR \fI<Y/N>\fR
.RS 4
Set HMAC mode for authenticated encryption of SPA packets\&. This will have
\fBfwknop\fR
prompt the user for a dedicated HMAC key that is independent of the encryption key\&. Alternatively, the HMAC key can be specified with the
\fIHMAC_KEY\fR
or
\fIHMAC_KEY_BASE64\fR
directives (see below)\&.
.RE
.PP
\fBHMAC_KEY\fR \fI<key>\fR
.RS 4
Specify the HMAC key for authenticated encryption of SPA packets\&. This supports both Rijndael and GPG encryption modes, and is applied according to the encrypt\-then\-authenticate model\&.
.RE
.PP
\fBHMAC_KEY_BASE64\fR \fI<base64 encoded key>\fR
.RS 4
Specify the HMAC key as a base64 encoded string\&. This allows non\-ascii characters to be included in the base64\-decoded key\&.
.RE
.PP
\fBHMAC_DIGEST_TYPE\fR \fI<digest algorithm>\fR
.RS 4
Set the HMAC digest algorithm used for authenticated encryption of SPA packets\&. Choices are:
\fBMD5\fR,
\fBSHA1\fR,
\fBSHA256\fR
(the default),
\fBSHA384\fR,
\fBSHA512\fR,
\fBSHA3_256\fR, and
\fBSHA3_512\fR\&.
.RE
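.sp
How the encrypt\-then\-authenticate model behind \fBUSE_HMAC\fR, \fBHMAC_KEY\fR and \fBHMAC_DIGEST_TYPE\fR fits together, as an added Python example that is not fwknop or libfko code: the tag is computed over the already\-encrypted data with a key independent of the encryption key, and the receiving side checks it in constant time before anything is decrypted\&. The encrypted blob and the keys are constructed stand\-ins, and appending the tag as unpadded base64 is an assumed layout for this illustration, not a description of the real SPA packet format\&.
.sp
```python
"""Encrypt-then-authenticate layer for SPA data as the USE_HMAC, HMAC_KEY and
HMAC_DIGEST_TYPE directives describe it: the tag is computed over the already
encrypted data with a key independent of the encryption key, and the receiver
checks it before any decryption is attempted."""
import base64
import hashlib
import hmac

# HMAC_DIGEST_TYPE choices listed in the manual, mapped to hashlib constructors.
HMAC_DIGESTS = {
    "MD5": hashlib.md5, "SHA1": hashlib.sha1, "SHA256": hashlib.sha256,
    "SHA384": hashlib.sha384, "SHA512": hashlib.sha512,
    "SHA3_256": hashlib.sha3_256, "SHA3_512": hashlib.sha3_512,
}


def _b64_nopad(raw):
    """Base64 without '=' padding; an assumed encoding for the appended tag."""
    return base64.b64encode(raw).decode().rstrip("=")


def tag_length(digest="SHA256"):
    """Number of base64 characters the tag occupies for the chosen digest."""
    return len(_b64_nopad(b"\0" * HMAC_DIGESTS[digest]().digest_size))


def attach_hmac(encrypted, hmac_key, digest="SHA256"):
    """Client side: append HMAC(hmac_key, encrypted) to the encrypted data."""
    mac = hmac.new(hmac_key, encrypted.encode(), HMAC_DIGESTS[digest]).digest()
    return encrypted + _b64_nopad(mac)


def verify_hmac(packet, hmac_key, digest="SHA256"):
    """Server side: split off the tag, recompute it and compare in constant time.
    Returns the encrypted data for decryption, or None; a rejected packet never
    reaches the decryption step."""
    n = tag_length(digest)
    if len(packet) <= n:
        return None
    body, tag = packet[:-n], packet[-n:]
    expected = _b64_nopad(hmac.new(hmac_key, body.encode(), HMAC_DIGESTS[digest]).digest())
    if not hmac.compare_digest(tag.encode(), expected.encode()):
        return None
    return body


# Constructed stand-ins, not real fwknop output: a fake encrypted blob and an
# HMAC key as it would come out of HMAC_KEY_BASE64 (decodes to b"0123456789abcdef").
ENCRYPTED = _b64_nopad(b"constructed-ciphertext-stand-in-not-a-real-SPA-packet")
HMAC_KEY = base64.b64decode("MDEyMzQ1Njc4OWFiY2RlZg==")


def demo(digest="SHA256"):
    """Return (genuine_accepted, tampered_rejected, wrong_key_rejected)."""
    pkt = attach_hmac(ENCRYPTED, HMAC_KEY, digest)
    flipped = ("B" if pkt[0] != "B" else "C") + pkt[1:]   # corrupt one ciphertext char
    return (
        verify_hmac(pkt, HMAC_KEY, digest) == ENCRYPTED,
        verify_hmac(flipped, HMAC_KEY, digest) is None,
        verify_hmac(pkt, b"a-different-key", digest) is None,
    )
```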
.PP
\fBSPA_SOURCE_PORT\fR \fI<port>\fR
.RS 4
Set the source port to use for sending the SPA packet (\fI\-S, \-\-source\-port\fR)\&.
.RE
.PP
\fBFW_TIMEOUT\fR \fI<seconds>\fR
.RS 4
Set the firewall rule timeout value (\fI\-f, \-\-fw\-timeout\fR)\&.
.RE
.PP
\fBRESOLVE_IP_HTTPS\fR \fI<Y/N>\fR
.RS 4
Set to
\fIY\fR
to automatically resolve the externally routable IP associated with the
\fBfwknop\fR
client\&. This is done over SSL via
\fIwget\fR
in
\fI\-\-secure\-protocol\fR
mode against the IP resolution service available at
\fIhttps://www\&.cipherdyne\&.org/cgi\-bin/myip\fR\&.
.RE
.PP
\fBRESOLVE_HTTP_ONLY\fR \fI<Y/N>\fR
.RS 4
When the
\fBfwknop\fR
client is instructed to resolve the external client IP, this option can be used to force an
\fIHTTP\fR
connection instead of an
\fIHTTPS\fR
connection when set to
\fIY\fR\&. This option is useful when
\fIwget\fR
is not installed on the local OS, or when it is not compiled against an SSL library\&.
.RE
.PP
\fBRESOLVE_URL\fR \fI<url>\fR
.RS 4
Set to a URL that will be used for resolving the source IP address (\fI\-\-resolve\-url\fR)\&.
.RE
.PP
\fBWGET_CMD\fR \fI<wget full path>\fR
.RS 4
Set the full path to the
\fIwget\fR
command (used for client IP resolution)\&.
.RE
.PP
\fBTIME_OFFSET\fR \fI<time>\fR
.RS 4
Set a value to apply to the timestamp in the SPA packet\&. This can be either a positive or negative value (\fI\-\-time\-offset\-plus/minus\fR)\&.
.RE
.PP
\fBENCRYPTION_MODE\fR \fI<mode>\fR
.RS 4
Specify the encryption mode when AES is used\&. This variable is a synonym for the
\fI\-M, \-\-encryption\-mode\fR
command line argument\&. In general, it is recommended to not include this argument and let the default (CBC) apply\&. Note that the string \(lqlegacy\(rq can be specified in order to generate SPA packets with the old initialization vector strategy used by versions of
\fBfwknop\fR
prior to 2\&.5\&.
.RE
.PP
\fBDIGEST_TYPE\fR \fI<digest algorithm>\fR
.RS 4
Set the SPA message digest type (\fI\-m, \-\-digest\-type\fR)\&. Choices are:
\fBMD5\fR,
\fBSHA1\fR,
\fBSHA256\fR
(the default),
\fBSHA384\fR,
\fBSHA512\fR,
\fBSHA3_256\fR, and
\fBSHA3_512\fR\&.
.RE
.PP
\fBUSE_GPG\fR \fI<Y/N>\fR
.RS 4
Set to
\fIY\fR
to specify the use of GPG for encryption (\fI\-\-gpg\-encryption\fR)\&.
.RE
.PP
\fBUSE_GPG_AGENT\fR \fI<Y/N>\fR
.RS 4
Set to
\fIY\fR
to have
\fBfwknop\fR
interface with a GPG agent instance for the GPG key password (\fI\-\-gpg\-agent\fR)\&. Agent information itself is specified with the
\fIGPG_AGENT_INFO\fR
environment variable\&.
.RE
.PP
\fBGPG_SIGNING_PW\fR \fI<passphrase>\fR
.RS 4
This is the passphrase that is used for signing SPA packet data in GPG encryption mode, and is a synonym for the
\fIKEY\fR
variable (i\&.e\&. the signing passphrase can be specified with the
\fIKEY\fR
variable instead)\&. The SPA packet is encrypted with the remote server key and signed with the local client key\&.
.RE
.PP
\fBGPG_SIGNING_PW_BASE64\fR \fI<base64 encoded passphrase>\fR
.RS 4
Specify the GPG signing passphrase as a base64 encoded string\&. This allows non\-ascii characters to be included in the base64\-decoded key\&.
.RE
.PP
\fBGPG_SIGNER\fR \fI<key ID or Name>\fR
.RS 4
Specify the GPG key name or ID for signing the GPG\-encrypted SPA data (\fI\-\-gpg\-signer\-key\fR)\&.
.RE
.PP
\fBGPG_RECIPIENT\fR \fI<key ID or Name>\fR
.RS 4
Specify the GPG key name or ID for the recipient of the GPG\-encrypted SPA data (\fI\-\-gpg\-recipient\-key\fR)\&.
.RE
.PP
\fBGPG_HOMEDIR\fR \fI<dir>\fR
.RS 4
Specify the GPG home directory (\fI\-\-gpg\-home\-dir\fR)\&. Defaults to
\fI~/\&.gnupg\fR\&.
.RE
.PP
\fBGPG_EXE\fR \fI<path>\fR
.RS 4
Specify the path to GPG (\fI\-\-gpg\-exe\fR)\&. Defaults to
\fI/usr/bin/gpg\fR\&.
.RE
.PP
\fBSPOOF_USER\fR \fI<user>\fR
.RS 4
Set the username in the SPA data to the specified value (\fI\-U, \-\-spoof\-user\fR)\&.
.RE
.PP
\fBSPOOF_SOURCE_IP\fR \fI<IP>\fR
.RS 4
Set the source IP of the outgoing SPA packet to the specified value (\fI\-Q, \-\-spoof\-source\fR)\&.
.RE
.PP
\fBRAND_PORT\fR \fI<Y/N>\fR
.RS 4
Send the SPA packet over a randomly assigned port (\fI\-r, \-\-rand\-port\fR)\&.
.RE
.PP
\fBKEY_FILE\fR \fI<file>\fR
.RS 4
Load an encryption key/password from a file (\fI\-G, \-\-get\-key\fR)\&.
.RE
.PP
\fBHTTP_USER_AGENT\fR \fI<agent string>\fR
.RS 4
Set the HTTP User\-Agent for resolving the external IP via \fB\-R\fR, or for sending SPA packets over HTTP (\fI\-u, \-\-user\-agent\fR)\&.
.RE
.PP
\fBUSE_WGET_USER_AGENT\fR \fI<Y/N>\fR
.RS 4
Allow default
\fBwget\fR
User\-Agent string to be used when resolving the external IP instead of a User\-Agent supplied by the
\fBfwknop\fR
client\&.
.RE
.PP
\fBNAT_ACCESS\fR \fI<internalIP:forwardPort>\fR
.RS 4
Gain NAT access to an internal service protected by the fwknop server (\fI\-N, \-\-nat\-access\fR)\&.
.RE
.PP
\fBNAT_LOCAL\fR \fI<Y/N>\fR
.RS 4
Access a local service via a forwarded port on the fwknopd server system (\fI\-\-nat\-local\fR)\&.
.RE
.PP
\fBNAT_PORT\fR \fI<port>\fR
.RS 4
Specify the port to forward to access a service via NAT (\fI\-\-nat\-port\fR)\&.
.RE
.PP
\fBNAT_RAND_PORT\fR \fI<Y/N>\fR
.RS 4
Have the fwknop client assign a random port for NAT access (\fI\-\-nat\-rand\-port\fR)\&.
.RE
.SH "ENVIRONMENT"
.sp
\fBSPOOF_USER\fR, \fBGPG_AGENT_INFO\fR (only used in \fB\-\-gpg\-agent\fR mode)\&.
.SH "SPA PACKET SPOOFING"
.sp
Because \fBfwknop\fR places the IP to be allowed through the firewall within the encrypted SPA payload (unless \fB\-s\fR is used which is not recommended and can be prohibited in the \fBfwknopd\fR server configuration), SPA packets can easily be spoofed, and this is a good thing in this context\&. That is, the source IP of an SPA packet is ignored by the \fBfwknopd\fR daemon (when the \fIREQUIRE_SOURCE_ADDRESS\fR variable is set in the \fI@sysconfdir@/fwknop/access\&.conf\fR file) and only the IP that is contained within an authenticated and properly decrypted SPA packet is granted access through the firewall\&. This makes it possible to make it appear as though, say, www\&.yahoo\&.com is trying to authenticate to a target system but in reality the actual connection will come from a seemingly unrelated IP\&.
.SH "EXAMPLES"
.sp
The following examples illustrate the command line arguments that could be supplied to the fwknop client in a few situations:
.SS "Quick start"
.sp
The most effective and easiest way to use \fBfwknop\fR is to have the client generate both an encryption key and an HMAC key, and then save them to the \(lq$HOME/\&.fwknoprc\(rq file along with access request specifics\&. The keys will also need to be transferred to the system where \fBfwknopd\fR is running\&. The client also supports a separate set of encryption and HMAC keys for each SPA destination if multiple fwknopd servers are running on different systems\&.
.sp
So, assuming that the IP \fI2\&.2\&.2\&.2\fR is the system where \fBfwknopd\fR is deployed and SSH is protected by the firewall on that system in a default\-drop stance, run the client like so to generate encryption and HMAC keys:
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-A tcp/22 \-\-use\-hmac \-R \-D 2\&.2\&.2\&.2 \-\-key\-gen \-\-save\-rc\-stanza \-\-verbose
[+] Wrote Rijndael and HMAC keys to rc file: /home/user/\&.fwknoprc
.fi
.if n \{\
.RE
.\}
.sp
With the access request arguments and encryption and HMAC keys generated and saved in \(lq$HOME/\&.fwknoprc\(rq, the keys themselves need to be transferred to the \fI2\&.2\&.2\&.2\fR system where fwknopd is running\&. As always, this should be done via some secure means such as SSH before SPA is enabled and SSHD is blocked by the firewall\&. Here is what the new \fI2\&.2\&.2\&.2\fR stanza looks like in the \fI~/\&.fwknoprc\fR file:
.sp
.if n \{\
.RS 4
.\}
.nf
$ tail \-n 8 /home/user/\&.fwknoprc
[2\&.2\&.2\&.2]
ACCESS tcp/22
SPA_SERVER 2\&.2\&.2\&.2
KEY_BASE64 HvUtIOramehLGKimD4ECXOzinaH4h3U8H1WXum7b54Q=
HMAC_KEY_BASE64 DLeLf93a3yBT2vhEpM+dWlirGta5GU+jdyG5uXp4461HgOtbqMem4gX0Bp2PJGzYZlbbcavcOM00UPm+0GqkXA==
USE_HMAC Y
VERBOSE Y
RESOLVE_IP_HTTPS Y
.fi
.if n \{\
.RE
.\}
.sp
The keys are base64 encoded blobs of random data, and both the \fBKEY_BASE64\fR and \fBHMAC_KEY_BASE64\fR lines should be copied verbatim and placed within the \fI@sysconfdir@/fwknop/access\&.conf\fR file on \fI2\&.2\&.2\&.2\fR\&. Once this is done, \fBfwknopd\fR can be started on that system, a default\-drop policy against SSH connections can be put in place, and then access to SSH is managed via fwknop\&. To access SSH, just use the \fB\-n\fR argument to reference the \fI2\&.2\&.2\&.2\fR stanza out of the \&.fwknoprc file (some \fB\-\-verbose\fR output is included for illustration):
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-n 2\&.2\&.2\&.2
FKO Field Values:
=================
Random Value: 8950423288486978
Username: mbr
Timestamp: 1370194770
FKO Version: 2\&.5
Message Type: 1 (Access msg)
Message String: 1\&.1\&.1\&.1,tcp/22
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0 (seconds)
Digest Type: 3 (SHA256)
HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
\&.\&.\&.
$ ssh \-l user 2\&.2\&.2\&.2
user@2\&.2\&.2\&.2\*(Aqs password:
.fi
.if n \{\
.RE
.\}
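.sp
The stanza layout shown above and the precedence rules from the FWKNOPRC FILE section (default stanza, then the named stanza selected with \fB\-n\fR, then command\-line options), as an added Python example that is not part of the fwknop code base: it parses a constructed rc file, resolves the effective settings, validates the \fBACCESS\fR list, decodes the base64 key directives and converts a \fBTIME_OFFSET\fR such as \(lq60sec\(rq or \(lq2days\(rq into seconds\&. The sample stanza, port and keys are made up for illustration and are not real secrets\&.
.sp
```python
"""Reader for the .fwknoprc stanza format this manual describes: a [default]
stanza, named stanzas selected with -n, and default < named < command line."""
import base64
import re

# Constructed sample rc file (not taken from the manual): server, port and
# keys are made up for illustration and are not real secrets.
SAMPLE_RC = """\
[default]
SPA_SERVER_PORT    62201
USE_HMAC           Y
VERBOSE            N
TIME_OFFSET        60sec

# named stanza, selected with: fwknop -n 2.2.2.2
[2.2.2.2]
SPA_SERVER         2.2.2.2
ACCESS             tcp/22,udp/53
KEY_BASE64         AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8=
HMAC_KEY_BASE64    MDEyMzQ1Njc4OWFiY2RlZg==
VERBOSE            Y
RESOLVE_IP_HTTPS   Y
TIME_OFFSET        -2min
"""

STANZA_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
DIRECTIVE_RE = re.compile(r"^(?P<key>[A-Z0-9_]+)\s+(?P<value>\S.*)$")
ACCESS_RE = re.compile(r"^(?P<proto>tcp|udp)/(?P<port>\d{1,5})$")
# Offset suffixes the manual shows for --time-offset-plus/minus.
OFFSET_UNITS = {"sec": 1, "min": 60, "days": 86400}

def parse_rc(text):
    """Return {stanza: {DIRECTIVE: value}}; blank lines and '#' comments are skipped."""
    stanzas, current = {}, None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = STANZA_RE.match(line)
        if m:
            current = stanzas.setdefault(m.group("name"), {})
            continue
        m = DIRECTIVE_RE.match(line)
        if m is None or current is None:
            raise ValueError(f"line {lineno}: malformed or outside a stanza: {raw!r}")
        current[m.group("key")] = m.group("value")
    return stanzas

def effective_config(stanzas, named=None, cli=None):
    """Default stanza first, then the named stanza, then command-line overrides."""
    cfg = dict(stanzas.get("default", {}))
    if named is not None:
        if named not in stanzas:
            raise KeyError(f"no stanza named {named!r}")
        cfg.update(stanzas[named])
    cfg.update(cli or {})
    return cfg

def parse_access(value):
    """Validate the ACCESS list '<proto>/<port>,...' and return [(proto, port), ...]."""
    pairs = []
    for item in value.split(","):
        m = ACCESS_RE.match(item.strip())
        if m is None or not 1 <= int(m.group("port")) <= 65535:
            raise ValueError(f"bad ACCESS entry: {item!r}")
        pairs.append((m.group("proto"), int(m.group("port"))))
    return pairs

def key_bytes(cfg, name):
    """Raw key for KEY or HMAC_KEY; the *_BASE64 form wins so non-ASCII bytes survive."""
    if name + "_BASE64" in cfg:
        return base64.b64decode(cfg[name + "_BASE64"], validate=True)
    if name in cfg:
        return cfg[name].encode()
    raise KeyError(f"neither {name} nor {name}_BASE64 is set")

def parse_time_offset(value):
    """Convert '60sec', '60min', '2days' (optionally signed) into signed seconds."""
    m = re.fullmatch(r"(?P<sign>[+-]?)(?P<num>\d+)(?P<unit>sec|min|days)", value.strip())
    if m is None:
        raise ValueError(f"bad TIME_OFFSET: {value!r}")
    secs = int(m.group("num")) * OFFSET_UNITS[m.group("unit")]
    return -secs if m.group("sign") == "-" else secs

def load(text=SAMPLE_RC, named="2.2.2.2", cli=None):
    """Resolve one named stanza into the settings the client would act on."""
    cfg = effective_config(parse_rc(text), named, cli)
    return {
        "server": cfg["SPA_SERVER"],
        "port": int(cfg["SPA_SERVER_PORT"]),
        "access": parse_access(cfg["ACCESS"]),
        "use_hmac": cfg.get("USE_HMAC", "N") == "Y",
        "key": key_bytes(cfg, "KEY"),
        "hmac_key": key_bytes(cfg, "HMAC_KEY"),
        "fw_timeout": int(cfg.get("FW_TIMEOUT", "30")),   # fwknopd default is 30s
        "time_offset": parse_time_offset(cfg.get("TIME_OFFSET", "0sec")),
        "verbose": cfg.get("VERBOSE", "N") == "Y",
    }
```
Passing `cli={"FW_TIMEOUT": "60"}` to `load()` mirrors `\-f 60` on the command line overriding any stanza value\&.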
.SS "Access mode examples"
.sp
The most common usage of \fBfwknop\fR is to gain access to SSH running on a remote system that has the \fBfwknopd\fR daemon deployed along with a default\-drop firewall policy\&. The following command illustrates this where IP \fI1\&.1\&.1\&.1\fR is the IP to be allowed through the firewall running on \fI3\&.3\&.3\&.3\fR (note that the \fI@sysconfdir@/fwknop/access\&.conf\fR file consumed by \fBfwknopd\fR will need to have matching encryption and HMAC keys, and configuration specifics can be found in the \fIfwknopd(8)\fR manual page)\&. Also, note the examples below prompt the user to supply the encryption and HMAC keys via stdin instead of writing them to disk as in the case of using the \(lq$HOME/\&.fwknoprc\(rq file in the example above\&. However, all of the following examples can be converted to using the ~/\&.fwknoprc file just by adding the \fB\-\-save\-rc\-stanza\fR argument:
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-A tcp/22 \-\-use\-hmac \-a 1\&.1\&.1\&.1 \-D 3\&.3\&.3\&.3
Enter encryption key:
Enter HMAC key:
$ ssh \-l user 3\&.3\&.3\&.3
user@3\&.3\&.3\&.3\*(Aqs password:
.fi
.if n \{\
.RE
.\}
.sp
If the \fB\-\-verbose\fR flag is added to the command line, then some SPA packet specifics are printed to stdout (not all output is shown for brevity):
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-A tcp/22 \-\-use\-hmac \-a 1\&.1\&.1\&.1 \-D 3\&.3\&.3\&.3 \-\-verbose
Enter encryption key:
Enter HMAC key:
Random Value: 1916307060193417
Username: mbr
Timestamp: 1368498909
FKO Version: 2\&.5
Message Type: 1 (Access msg)
Message String: 1\&.1\&.1\&.1,tcp/22
Nat Access: <NULL>
Server Auth: <NULL>
Client Timeout: 0 (seconds)
Digest Type: 3 (SHA256)
HMAC Type: 3 (SHA256)
Encryption Type: 1 (Rijndael)
Encryption Mode: 2 (CBC)
.fi
.if n \{\
.RE
.\}
.sp
Simultaneous access to multiple services is also supported, and here is an example of requesting access to both \fISSH\fR and \fIOpenVPN\fR on \fI3\&.3\&.3\&.3\fR:
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-A "tcp/22,tcp/1194" \-\-use\-hmac \-a 1\&.1\&.1\&.1 \-D 3\&.3\&.3\&.3
.fi
.if n \{\
.RE
.\}
.sp
There are many cases where an \fBfwknop\fR client is deployed on a network behind a NAT device and the externally routable IP is not known to the user\&. In this case, use the IP resolution service available at \fIhttps://www\&.cipherdyne\&.org/cgi\-bin/myip\fR via the \fB\-R\fR command line switch in order to derive the external client IP address\&. This is a safer method of acquiring the client IP address than using the \fB\-s\fR option mentioned earlier in this manual page because the source IP is put within the encrypted packet instead of having the \fBfwknopd\fR daemon grant the requested access from whatever IP address the SPA packet originates (i\&.e\&. using \fB\-s\fR opens the possibility of a MITM attack):
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-A tcp/22 \-\-use\-hmac \-R \-D 3\&.3\&.3\&.3
.fi
.if n \{\
.RE
.\}
.sp
Use the Single Packet Authorization mode to gain access to \fISSH\fR and this time use GnuPG keys to encrypt and decrypt:
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-A tcp/22 \-\-use\-hmac \-\-gpg\-sign ABCD1234 \-\-gpg\-recipient 1234ABCD \-R \-D 3\&.3\&.3\&.3
.fi
.if n \{\
.RE
.\}
.sp
Instruct the fwknop server running at 3\&.3\&.3\&.3 to allow 1\&.1\&.1\&.1 to connect to \fISSH\fR, but spoof the authorization packet from an IP associated with \fIwww\&.yahoo\&.com\fR (requires root on the \fBfwknop\fR client OS):
.sp
.if n \{\
.RS 4
.\}
.nf
# fwknop \-\-spoof\-src "www\&.yahoo\&.com" \-A tcp/22 \-\-use\-hmac \-a 1\&.1\&.1\&.1 \-D 3\&.3\&.3\&.3
.fi
.if n \{\
.RE
.\}
.sp
When \fBfwknopd\fR is running on an iptables firewall with systems deployed behind it, it is possible to take advantage of the NAT capabilities offered by iptables in order to transparently reach systems behind the firewall via SPA\&. Here is an example where the \fBfwknop\fR client is used to gain access to SSH running on the non\-routable IP \fI192\&.168\&.10\&.2\fR that is deployed on the network behind \fI3\&.3\&.3\&.3\fR\&. In this case, the SSH connection made to \fI3\&.3\&.3\&.3\fR is translated via NAT to the \fI192\&.168\&.10\&.2\fR system automatically:
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-A tcp/22 \-N 192\&.168\&.10\&.2:22 \-R \-D 3\&.3\&.3\&.3
.fi
.if n \{\
.RE
.\}
.SH "BACKWARDS COMPATIBILITY"
.sp
With the \fI2\&.5\fR release, \fBfwknop\fR underwent significant changes in its usage of cryptography, including the addition of support for HMAC authenticated encryption for both Rijndael and GnuPG modes, ensuring the proper usage of PBKDF1 for key derivation when SPA packets are encrypted with Rijndael, and fixes for several bugs present in previous versions of fwknop\&. In general, this implies that when Rijndael is used, SPA packets produced by the \fI2\&.5\fR release are incompatible with previous versions of fwknop\&. The GnuPG encryption mode is unaffected by these updates\&. However, even when Rijndael is used, backwards compatibility is supported through setting the \fIlegacy\fR encryption mode with \fB\-M\fR on the fwknop client command line and/or the \fIENCRYPTION_MODE\fR variable in the \fI@sysconfdir@/fwknop/access\&.conf\fR file\&. This way, a pre\-2\&.5 server can decrypt SPA packets produced by a 2\&.5 and later client (set \fI\-M legacy\fR), and a 2\&.5 and later server can decrypt SPA packets produced by pre\-2\&.5 clients (set \fIENCRYPTION_MODE legacy\fR in the access\&.conf file)\&. Note that HMAC is only supported as of 2\&.5 and is an optional feature, so backwards compatibility is only for configurations that don\(cqt use an HMAC on either side\&. It is strongly recommended to upgrade all fwknop clients and servers to 2\&.5 and use the new HMAC mode for properly authenticated SPA communications\&. The backwards compatibility support is used to make it easier to upgrade clients and servers with a phased approach\&.
.sp
For emphasis, if the \fBfwknopd\fR server is upgraded to 2\&.5 (or later), but older clients cannot be upgraded at the same time, then for each \fISOURCE\fR stanza in the \fI@sysconfdir@/fwknop/access\&.conf\fR file, add the following line:
.sp
.if n \{\
.RS 4
.\}
.nf
ENCRYPTION_MODE legacy
.fi
.if n \{\
.RE
.\}
.sp
In addition, if the \fIKEY\fR variable has an encryption key longer than 16 bytes, it will need to be truncated to 16 characters in the \fIaccess\&.conf\fR file in order for pre\-2\&.5 clients to work properly\&. This limitation is fixed in 2\&.5, and provides additional motivation for upgrading all clients and servers to 2\&.5 or later\&.
.sp
Now, flipping the scenario around, if the \fBfwknop\fR clients are upgraded but the \fBfwknopd\fR server is still at a pre\-2\&.5 version, then add the \fI\-M legacy\fR argument to the fwknop command line:
.sp
.if n \{\
.RS 4
.\}
.nf
$ fwknop \-A tcp/22 \-M legacy \-R \-D 2\&.2\&.2\&.2
.fi
.if n \{\
.RE
.\}
.SH "DEPENDENCIES"
.sp
The \fBfwknop\fR client requires \fIlibfko\fR which is normally included with both source and binary distributions, and is a dedicated library developed by the fwknop project\&. Whenever the \fBfwknopd\fR server is used, \fIlibpcap\fR is a required dependency\&. However, the upcoming \fI2\&.6\fR release will offer a UDP listener mode along with privilege separation support and will not require libpcap in this mode\&. In UDP listener mode, even though fwknopd binds to a UDP port, SPA packets are never acknowledged so from an attacker\(cqs perspective there is no difference between fwknopd sniffing the wire passively vs\&. listening on a UDP socket in terms of what can be scanned for\&.
.sp
For GPG functionality, GnuPG must also be correctly installed and configured along with the \fIlibgpgme\fR library\&.
.sp
To take advantage of all of the authentication and access management features of the \fBfwknopd\fR daemon/service a functioning \fIiptables\fR, \fIipfw\fR, or \fIpf\fR firewall is required on the underlying operating system\&.
.SH "DIAGNOSTICS"
.sp
The most comprehensive way to gain diagnostic information on \fBfwknop\fR is to run the test suite script \fItest\-fwknop\&.pl\fR located in the \fItest/\fR directory in the fwknop sources\&. The test suite sends fwknop through a large number of run\-time tests, has \fIvalgrind\fR support, validates both SPA encryption and HMAC results against OpenSSL, and even has its own built\-in fuzzer for SPA communications (and fwknop in version 2\&.6\&.4 supports the \fIAmerican Fuzzy Lop\fR (AFL) fuzzer from Michal Zalewski as well)\&. For more basic diagnostic information, \fBfwknop\fR can be executed with the \fB\-T\fR (or \fB\-\-test\fR) command line option\&. This will have \fBfwknop\fR simply create and print the SPA packet information, then run it through a decrypt/decode cycle and print it again\&. In addition, the \fB\-\-verbose\fR command line switch is useful to see various SPA packet specifics printed to stdout\&.
.SH "SEE ALSO"
.sp
fwknopd(8), iptables(8), pf(4), pfctl(8), ipfw(8), gpg(1), libfko documentation\&.
.sp
More information on Single Packet Authorization can be found in the paper \(lqSingle Packet Authorization with fwknop\(rq available at \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/SPA\&.html\fR\&. A comprehensive tutorial on \fBfwknop\fR operations and theory can be found at \fIhttp://www\&.cipherdyne\&.org/fwknop/docs/fwknop\-tutorial\&.html\fR\&. This tutorial also includes information about the design of \fBfwknop\fR that may be worth reading for those interested in why fwknop is different from other SPA implementations\&.
.sp
\fBfwknop\fR uses the \fIgit\fR versioning system as its source code repository along with \fIGithub\fR for tracking of issues and milestones:
.sp
.if n \{\
.RS 4
.\}
.nf
$ git clone https://github\&.com/mrash/fwknop\&.git fwknop\&.git
.fi
.if n \{\
.RE
.\}
.sp
Additional commentary on Single Packet Authorization can be found via Michael Rash\(cqs Twitter feed: http://twitter\&.com/michaelrash, @michaelrash
.SH "AUTHORS"
.sp
The primary developers of \fBfwknop\fR are Michael Rash (project creator) <mbr@cipherdyne\&.org>, Damien Stuart <dstuart@dstuart\&.org>, and Jonathan Bennett <jbennett@incomsystems\&.biz>\&.
.SH "CONTRIBUTORS"
.sp
This \(lqC\(rq version of fwknop was derived from the original Perl\-based version on which many people who are active in the open source community have contributed\&. See the CREDITS file in the fwknop sources, or visit \fIhttps://github\&.com/mrash/fwknop/blob/master/CREDITS\fR to view the online list of contributors\&. A few contributors deserve to be singled out including: Franck Joncourt, Max Kastanas, Vlad Glagolev, Sean Greven, Hank Leininger, Fernando Arnaboldi, and Erik Gomez\&.
.sp
The phrase \(lqSingle Packet Authorization\(rq was coined by MadHat and Simple Nomad at the BlackHat Briefings of 2005\&.
.SH "BUGS"
.sp
Send bug reports to dstuart@dstuart\&.org or mbr@cipherdyne\&.org, or open a new issue on Github (see \fIhttps://github\&.com/mrash/fwknop\&.git\fR)\&. Suggestions and/or comments are always welcome as well\&. Additional information may be found in the \fBfwknop\fR mailing list archives (see: \fIhttps://lists\&.sourceforge\&.net/lists/listinfo/fwknop\-discuss\fR)\&.
.SH "DISTRIBUTION"
.sp
\fBfwknop\fR is distributed under the GNU General Public License (GPL v2+), and the latest version may be downloaded from \fIhttp://www\&.cipherdyne\&.org\fR\&.