Request for a Lockdown option

Jochen Bern Jochen.Bern at binect.de
Fri Jul 5 00:40:13 AEST 2024


On 04.07.24 15:21, Simon Josefsson wrote:
> Does anyone know of any implementation that allows me to configure a
> PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then
> only listens to signed port knocks from the corresponding private keys?
> 
> I notice fwknop has PGP support, but it requires a private key on the
> server side, and that's really annoying.  Instead of using public-key
> encryption, shouldn't it be possible to rely only on public-key signing
> instead?

fwknop insists on having the SPAs encrypted, presumably so that a MitM 
can't read them and use the port(s) you just opened himself¹, and 
encryption requires either a shared symmetric secret, or asymmetric 
keypairs on both sides (and thus a privkey on the server).

If you consider that unnecessary¹, you could consider server-side 
privkey and passphrase nonsensitive material, which would make it that 
much less "annoying" to have around ...

¹ Yes, I am aware that the MitM would probably *still* have enough time 
to do the same (in an automated way) even if he has to wait to see 
*your* use of the now-open port. Which would probably be the *best* 
reason to doubt the value of having the SPAs encrypted.

Last but not least: I never did anything with it, but GnuPG *does* have an 
--export-ssh-key option, so using a single keypair in both SSH and PGP 
contexts *might* be feasible.

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH
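What a signature-only SPA of the kind Simon asks about could look like, as an added example written for this page (it is not fwknop code and not anything the thread's participants posted): the server is configured with an Ed25519 public key only, the key type behind ssh-ed25519 keys, and accepts a knock if the signature verifies, the timestamp is inside a skew window, the source address in the knock matches the address the packet came from, and the nonce has not been seen before. The packet layout, the 30-second window, the names, and the client addresses 192.0.2.10 and 198.51.100.7 are assumptions made up for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"time"
)

// Knock is the plaintext of one SPA packet; the fields are fixed-size so the
// wire layout is just the struct in big-endian order.
type Knock struct {
	SrcIP [4]byte  // address the hole is to be opened for
	Port  uint16   // port to open
	Time  int64    // send time, unix seconds
	Nonce [16]byte // fresh per knock, for replay rejection
}

var knockLen, packetLen = binary.Size(Knock{}), binary.Size(Knock{}) + ed25519.SignatureSize
var ErrSignature = errors.New("bad length or signature does not verify")
var ErrStale = errors.New("timestamp outside window")
var ErrSource = errors.New("source address does not match knock")
var ErrReplay = errors.New("nonce already seen")

// Marshal serialises the knock; the signature covers exactly these bytes.
func (k Knock) Marshal() []byte {
	var b bytes.Buffer
	binary.Write(&b, binary.BigEndian, k) // fixed-size struct into a Buffer: cannot fail
	return b.Bytes()
}

// NewKnock is the client side: a knock for its own IPv4 address and a port.
func NewKnock(srcIP net.IP, port uint16, now time.Time) (k Knock, err error) {
	ip4 := srcIP.To4()
	if ip4 == nil {
		return k, errors.New("IPv4 only in this example")
	}
	copy(k.SrcIP[:], ip4)
	k.Port, k.Time = port, now.Unix()
	_, err = rand.Read(k.Nonce[:])
	return k, err
}

// SignKnock builds the wire packet: knock || Ed25519 signature. Nothing is encrypted.
func SignKnock(priv ed25519.PrivateKey, k Knock) []byte {
	msg := k.Marshal()
	return append(msg, ed25519.Sign(priv, msg)...)
}

// Verifier is all the server keeps: the public key, a skew window, nonces seen inside it.
type Verifier struct {
	pub    ed25519.PublicKey
	window time.Duration
	seen   map[[16]byte]int64 // nonce -> knock timestamp
}

func NewVerifier(pub ed25519.PublicKey, window time.Duration) *Verifier {
	return &Verifier{pub: pub, window: window, seen: map[[16]byte]int64{}}
}

// Verify checks a packet that arrived from srcIP at time now. On success the
// caller opens k.Port for k.SrcIP only, not for whoever connects next.
func (v *Verifier) Verify(pkt []byte, srcIP net.IP, now time.Time) (Knock, error) {
	var k Knock
	if len(pkt) != packetLen || !ed25519.Verify(v.pub, pkt[:knockLen], pkt[knockLen:]) {
		return k, ErrSignature // checked before any field is trusted
	}
	binary.Read(bytes.NewReader(pkt[:knockLen]), binary.BigEndian, &k) // length already checked
	if d := now.Sub(time.Unix(k.Time, 0)); d > v.window || -d > v.window {
		return Knock{}, ErrStale
	}
	// Bind the hole to the address the packet actually came from, so a passive
	// observer cannot resend the packet from another host.
	if !net.IP(k.SrcIP[:]).Equal(srcIP) {
		return Knock{}, ErrSource
	}
	for n, t := range v.seen { // nonces this old fail the time check anyway
		if t < now.Add(-v.window).Unix() {
			delete(v.seen, n)
		}
	}
	if _, dup := v.seen[k.Nonce]; dup {
		return Knock{}, ErrReplay
	}
	v.seen[k.Nonce] = k.Time
	return k, nil
}

func main() { // stand-alone demo: the first knock is accepted, its replay is not
	pub, priv, _ := ed25519.GenerateKey(nil) // the server is configured with pub only
	srv, ip := NewVerifier(pub, 30*time.Second), net.ParseIP("192.0.2.10") // constructed address
	k, _ := NewKnock(ip, 22, time.Now())
	_, first := srv.Verify(SignKnock(priv, k), ip, time.Now())
	_, again := srv.Verify(SignKnock(priv, k), ip, time.Now())
	fmt.Println("first:", first, "replay:", again)
}
```

Because nothing is encrypted, anyone who sees the packet learns which port is about to be opened and for which address; the source-address binding, the timestamp and the nonce are what stop a passive observer from simply resending it. They do nothing against the attacker in the footnote above who is on path and can spoof or hijack the client's address, which is the same limitation the footnote ascribes to the encrypted variant. The replay table is bounded by the window, since any nonce older than that is rejected by the time check regardless.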

