• GPG-based fwknop configuration procedure


    The client and server configuration follows exactly

    fwknop Single Packet Authorization with GnuPG keys (cipherdyne.org)

    Just configure it according to that document. Its full text is reproduced below,

    The process of generating the necessary GnuPG keys from the perspectives of both the client and server is outlined below. First we generate GnuPG keys and then export them to ascii files:

    [spaserver]# gpg --gen-key
    [spaserver]# gpg --list-keys
    pub   1024D/ABCD1234 2006-05-01
    uid                  fwknop server key 
    sub   2048g/EFGH1234 2006-05-01
    [spaserver]#  gpg -a --export ABCD1234 > server.asc
    
    [spaclient]$ gpg --gen-key
    [spaclient]$ gpg --list-keys
    pub   1024D/1234ABCD 2006-05-01
    uid                  fwknop client key 
    sub   2048g/1234EFGH 2006-05-01
    [spaclient]$ gpg -a --export 1234ABCD > client.asc
    

    Next, we transfer the ascii files between the two systems. In this example we use scp (which will presumably be firewalled off after fwknop is deployed!), but any other transfer mechanism (ftp, http, etc.) will work:

    [spaclient]$ scp client.asc root@serverhost:
    
    [spaserver]# scp server.asc user@clienthost:
    

    Now we import and sign each key:

    [spaserver]# gpg --import client.asc
    [spaserver]# gpg --edit-key 1234ABCD
    Command> sign
    
    [spaclient]$ gpg --import server.asc
    [spaclient]$ gpg --edit-key ABCD1234
    Command> sign
    

    On the server side, we need to add several configuration directives to the /etc/fwknop/access.conf file so that fwknopd uses GnuPG to verify and decrypt SPA packets that are signed and encrypted with GnuPG. Note that the server key ID is ABCD1234 and the client key ID is 1234ABCD:

    SOURCE: ANY;
    OPEN_PORTS: tcp/22;
    DATA_COLLECT_MODE: PCAP;
    GPG_REMOTE_ID: 1234ABCD;
    GPG_DECRYPT_ID: ABCD1234;
    GPG_DECRYPT_PW: ;
    GPG_HOME_DIR: /root/.gnupg;
    FW_ACCESS_TIMEOUT: 60;
    

    More information on the access.conf directives above can be found in the fwknop man pages. See fwknop(8) and fwknopd(8).

    Finally, to see fwknop in action in GnuPG mode, on the client side we execute the following fwknop command to gain access to sshd after fwknopd reconfigures the local Netfilter policy. First we show that nmap is unable to tell that sshd is even listening:

    [scanner]$ nmap -p 22 -n 
    
    Starting Nmap 4.10 ( http://www.insecure.org/nmap/ ) at 2007-01-06 10:21 EST
    Interesting ports on 71.127.x.x
    PORT   STATE    SERVICE
    22/tcp filtered ssh
    
    Nmap finished: 1 IP address (1 host up) scanned in 10.316 seconds
    

    Now, to gain access to sshd, we execute fwknop:

    [spaclient]$ fwknop -A tcp/22 --gpg-recip ABCD1234 --gpg-sign 1234ABCD \
    -R -D 
    [spaclient]$ ssh -l mbr 
    mbr@host's password:
    

    On the server side, fwknopd messages such as the following will be written to syslog:

    Jan 14 20:12:37 host fwknopd: adding FWKNOP_INPUT ACCEPT rule for
    72.x.x.x -> tcp/22 (10 seconds)
    Jan 15 10:13:09 host fwknopd: received valid GnuPG encrypted packet
    (signed with required key ID: 1234ABCD) from: 72.x.x.x, remote user: mbr
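    As an added example (not part of the howto or the fwknop project), a POSIX shell script that checks the access.conf stanza above for every directive fwknopd needs in GnuPG mode and cross-checks fwknopd syslog entries against the configured GPG_REMOTE_ID; the stanza, the log lines and the IP addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the howto or the fwknop project. Constructed inputs:
# the access.conf stanza from the howto and two syslog lines modelled on its output.
ACCESS_CONF='SOURCE: ANY;
OPEN_PORTS: tcp/22;
DATA_COLLECT_MODE: PCAP;
GPG_REMOTE_ID: 1234ABCD;
GPG_DECRYPT_ID: ABCD1234;
GPG_DECRYPT_PW: ;
GPG_HOME_DIR: /root/.gnupg;
FW_ACCESS_TIMEOUT: 60;'

# Constructed log lines; the second carries a key ID that is NOT the configured GPG_REMOTE_ID.
SPA_LOG='Jan 15 10:13:09 host fwknopd: received valid GnuPG encrypted packet (signed with required key ID: 1234ABCD) from: 72.0.0.1, remote user: mbr
Jan 15 10:14:02 host fwknopd: received valid GnuPG encrypted packet (signed with required key ID: DEADBEEF) from: 72.0.0.2, remote user: mbr'

# conf_get DIRECTIVE CONF: print the directive's value without the trailing ';'
conf_get() {
  printf '%s\n' "$2" | sed -n "s/^$1:[[:space:]]*\(.*\);[[:space:]]*$/\1/p"
}

# check_gpg_stanza CONF: fail (naming the first gap) if a directive fwknopd needs for GnuPG mode is absent
check_gpg_stanza() {
  for d in SOURCE OPEN_PORTS GPG_REMOTE_ID GPG_DECRYPT_ID GPG_HOME_DIR; do
    printf '%s\n' "$1" | grep -q "^$d:" || { echo "missing directive: $d"; return 1; }
  done
  return 0
}

# audit_spa_log CONF LOG: one line per accepted SPA packet, "OK" when the signing key is the
# stanza's GPG_REMOTE_ID and "ALERT" otherwise (points at another stanza or an altered access.conf)
audit_spa_log() {
  expected=$(conf_get GPG_REMOTE_ID "$1")
  [ -n "$expected" ] || return 1
  printf '%s\n' "$2" | grep 'signed with required key ID' | while IFS= read -r line; do
    keyid=$(printf '%s\n' "$line" | sed -n 's/.*required key ID: \([0-9A-Fa-f]*\)).*/\1/p')
    src=$(printf '%s\n' "$line" | sed -n 's/.*from: \([^,]*\),.*/\1/p')
    user=$(printf '%s\n' "$line" | sed -n 's/.*remote user: \(.*\)$/\1/p')
    if [ "$keyid" = "$expected" ]; then echo "OK $src $keyid $user"; else echo "ALERT $src $keyid $user"; fi
  done
}

check_gpg_stanza "$ACCESS_CONF" && audit_spa_log "$ACCESS_CONF" "$SPA_LOG"
```

Run it as-is to see the two audit lines; point it at the real /etc/fwknop/access.conf and a syslog extract to audit a live server.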

    Note: because my client and server each hold many private keys, I added the uid option (-u) to select which private key signs the peer's public key. The commands are as follows and differ slightly from the ones above,

    Client public key
    A90C539160627C008BBD0393ABA1D1819884B85E

    Server public key
    24F768B29AB954554F021427AEC3DA5B615BF68A

    1 Server
    The private key the server uses comes from "fwknop server key": gpg -u "fwknop server key " --edit-key   A90C539160627C008BBD0393ABA1D1819884B85E

    gpg -u "fwknop server key " --edit-key   ABCD1234
    sign

    2 Server
    gpg -a --export 24F768B29AB954554F021427AEC3DA5B615BF68A > server.asc

    http://cipherdyne.org/fwknop/docs/gpghowto.html

    3 Client
    The client signs the public key received from the server with its own private key

    gpg -u "fwknop client key " --edit-key   24F768B29AB954554F021427AEC3DA5B615BF68A


  • Original article: https://blog.csdn.net/anzhuangguai/article/details/127136223