Request for a Lockdown option
Brian Candler
b.candler at pobox.com
Thu Jul 4 23:44:29 AEST 2024
On 04/07/2024 14:21, Simon Josefsson wrote:
> I notice fwknop has PGP support, but it requires a private key on the
> server side, and that's really annoying. Instead of using public-key
> encryption, shouldn't be possible to rely only on public-key signing
> instead?
Without the encryption, random people on the Internet could read the SPA
payload
<https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#spa-packet-format>
and/or signature.
It's explained here:
https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#fwknop-gpg
- you use your existing PGP key for authenticating (signing) your requests
- the client also encrypts messages to fwknop using fwknop's public key
- fwknop has its own private key for decrypting those messages
Therefore you just need a copy of fwknop's public key on each client
device, and it doesn't need to be held securely. Just think of it as a
bit of config. It doesn't seem that annoying to me.
More information about the openssh-unix-dev
mailing list