Request for a Lockdown option

Jan Schermer jan at schermer.cz
Fri Jul 5 00:00:30 AEST 2024


Just set up a VPN.
I hate WireGuard, but it's extremely simple and works and you can get it running in minutes.

Adding complexity to OpenSSH solves nothing.

Jan

> On 4. 7. 2024, at 15:21, Simon Josefsson <simon at josefsson.org> wrote:
> 
> Jochen Bern <Jochen.Bern at binect.de> writes:
> 
>> (And since you mention "port knocking", I'd like to repeat how fond I
>> am of upgrading that original concept to a single-packet
>> crypto-armored implementation like fwknop.)
> 
> I am reluctantly considering using some kind of port knocking mechanism
> on some machines, however I really don't want to carry around shared
> symmetric keys or set up yet another public/private key infrastructure
> for that purpose.  I already have a working infrastructure for SSH
> authentication.
> 
> Does anyone know of any implementation that allows me to configure a
> PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then
> only listens to signed port knocks from the corresponding private keys?
> 
> I notice fwknop has PGP support, but it requires a private key on the
> server side, and that's really annoying.  Instead of using public-key
> encryption, shouldn't it be possible to rely only on public-key signing
> instead?  I already carry around a physical device with a public/private
> keypair in it, and I need that for SSH public-key authentication anyway.
> To avoid replay attacks, the signed data needs to be an ever-increasing
> counter or timestamp à la HOTP/TOTP.
> 
> I think this could be a good builtin functionality of OpenSSH; it
> already has all of the public/private key trust infrastructure
> available, what is missing is just the plumbing to connect it to the
> firewall.  Maybe it could go into a separate binary and not in the
> default sshd though.  How about an sshfwkd?
> 
> /Simon
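The signed-knock scheme Simon sketches above (public key only on the server, a signature from the client's existing key, and a counter or timestamp to defeat replay) is small enough to show end to end. The following is an added example written for this page, not code from fwknop, OpenSSH or any of the posters. The packet layout, the context string "sshfwkd-knock-v1", the 30-second skew window and the key label are all choices made for the example. It uses Go's standard-library Ed25519 so it runs offline; in practice the signing half would be done by the same hardware token used for SSH (for instance via ssh-keygen -Y sign, with the server holding only an allowed_signers-style list), and the verifier would sit in front of the firewall rule rather than in a test harness.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Wire layout of one knock packet (constructed for this example, not fwknop's
// or any OpenSSH format):
//   [0:8]   sender's unix time, big-endian uint64
//   [8:16]  per-key monotonic counter, big-endian uint64
//   [16:80] Ed25519 signature over bytes [0:16] followed by knockContext
const (
	knockBodyLen = 16
	knockLen     = knockBodyLen + ed25519.SignatureSize
	maxSkew      = 30 * time.Second // assumed freshness window for the timestamp
)

// Domain-separation string so a knock signature cannot be confused with a
// signature the same key made for some other protocol.
var knockContext = []byte("sshfwkd-knock-v1")

func signedMessage(body []byte) []byte {
	return append(append([]byte(nil), body...), knockContext...)
}

// GenerateKeypair makes a fresh Ed25519 keypair. In real use the private half
// would stay on the hardware token already used for SSH authentication.
func GenerateKeypair() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// Knocker is the client: a private key plus a counter that only moves forward.
type Knocker struct {
	priv    ed25519.PrivateKey
	counter uint64
}

func NewKnocker(priv ed25519.PrivateKey) *Knocker { return &Knocker{priv: priv} }

// Knock builds one signed knock packet for the given send time.
func (k *Knocker) Knock(now time.Time) []byte {
	k.counter++
	body := make([]byte, knockBodyLen)
	binary.BigEndian.PutUint64(body[0:8], uint64(now.Unix()))
	binary.BigEndian.PutUint64(body[8:16], k.counter)
	return append(body, ed25519.Sign(k.priv, signedMessage(body))...)
}

// Verifier is the server: configured with public keys only (no server-side
// private key) plus the highest counter accepted for each key.
type Verifier struct {
	keys map[string]ed25519.PublicKey
	last map[string]uint64
}

func NewVerifier() *Verifier {
	return &Verifier{keys: map[string]ed25519.PublicKey{}, last: map[string]uint64{}}
}

// AddKey registers an authorised public key under a label (think of the
// comment field in authorized_keys).
func (v *Verifier) AddKey(label string, pub ed25519.PublicKey) { v.keys[label] = pub }

// Verify checks a knock and returns the label of the key that signed it. It
// fails closed on wrong length, bad signature, clock skew beyond maxSkew, or replay.
func (v *Verifier) Verify(pkt []byte, now time.Time) (string, error) {
	if len(pkt) != knockLen {
		return "", errors.New("malformed knock: wrong length")
	}
	body, sig := pkt[:knockBodyLen], pkt[knockBodyLen:]
	msg := signedMessage(body)

	// 1. Which configured key signed it? A real daemon would carry a key id in
	//    the packet instead of trying every key; the trust decision is the same.
	label := ""
	for l, pub := range v.keys {
		if ed25519.Verify(pub, msg, sig) {
			label = l
			break
		}
	}
	if label == "" {
		return "", errors.New("no configured key signed this knock")
	}

	// 2. Freshness: the signed timestamp must lie within the skew window.
	ts := time.Unix(int64(binary.BigEndian.Uint64(body[0:8])), 0)
	skew := now.Sub(ts)
	if skew < 0 {
		skew = -skew
	}
	if skew > maxSkew {
		return "", fmt.Errorf("stale knock: %v outside window", skew)
	}

	// 3. Replay: the counter must strictly exceed the last value accepted for this key.
	ctr := binary.BigEndian.Uint64(body[8:16])
	if ctr <= v.last[label] {
		return "", errors.New("replayed knock: counter not increasing")
	}
	v.last[label] = ctr
	return label, nil
}

func main() {
	pub, priv := GenerateKeypair()
	client, server := NewKnocker(priv), NewVerifier()
	server.AddKey("simon@token", pub)
	pkt := client.Knock(time.Now())
	fmt.Println(server.Verify(pkt, time.Now())) // accepted once ...
	fmt.Println(server.Verify(pkt, time.Now())) // ... and rejected as a replay
}
```

Two design points worth noting: the server stores nothing secret, so compromising it yields no key that could forge knocks against another host; and the timestamp and counter do different jobs. The timestamp bounds how long a captured packet stays usable if the server loses its counter state (after a reboot, say), while the counter rejects a replay within that window. Persisting the last-accepted counter per key across restarts closes the remaining gap.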