Request for a Lockdown option

Steffen Nurpmeso steffen at sdaoden.eu
Fri Jul 5 04:05:38 AEST 2024 

Simon Josefsson wrote in
 <87jzi1fg24.fsf at kaka.sjd.se>:
 |Jochen Bern <Jochen.Bern at binect.de> writes:
 |> (And since you mention "port knocking", I'd like to repeat how fond I
 |> am of upgrading that original concept to a single-packet
 |> crypto-armored implementation like fwknop.)
 |
 |I am reluctantly considering to use some kind of port knocking mechanism
 |on some machines, however I really don't want to carry around shared
 |symmetric keys or setup yet another public/private key infrastructure
 |for that purpose.  I already have a working infrastructure for SSH
 |authentication.
 |
 |Does anyone know of any implementation that allows me to configure a
 |PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then
 |only listens to signed port knocks from the corresponding private keys?

No, but for many years i do have a super simple port-knock server
to do the I/O plus sh(1)ell based client which can do .. whatever.
The whitelist default whitelists the source IP for 30 seconds.

   836 0% 1 0% /root/port-knock-server PORT-NUMBER /root/bin/port-knock-client.sh

But it "integrates" into and relies upon the firewall via

    # port_knock: input only server
    if [ -n "${SERVER}" ] && fwcore_has_i port_knock; then
            : ${FWCORE_PORT_KNOCK:?port_knock in FWCORE_IPROTOS needs FWCORE_PORT_KNOCK}
            if ipaddr_split ap "${FWCORE_PORT_KNOCK}"; then
                    add_rule -p udp --dport ${port} \
                            -m recent --name port_knock --set \
                            -m recent --name port_knock --rcheck --seconds 60 --reap --hitcount 2 \
                            -m recent --name alien_super --set -j DROP
                    add_rule -p udp --dport ${port} -j f_m1
            fi
    fi

Which allows only one packet per minute, otherwise the
alien_super rule will block you for 23+ hours.  I would not do it
without that, as it would then really be a door to attacks.

One could very well change the script to allow more keys, to
delete a key once used (commented out now), require to create
a new one, etc.  Of course, as it is a shell script, no setuid or
setgid works, people need to be trusted.

At earlier times it also started the public ssh instance as such,
that was only running on request.  Now that only within VPN, but
the port-knock is still needed due to super-strict firewall rules
and TCP etc which send packets and after a reboot of the server
these will be alien and thus cause blocks to apply...

 |I notice fwknop has PGP support, but it requires a private key on the
 |server side, and that's really annoying.  Instead of using public-key
 |encryption, shouldn't be possible to rely only on public-key signing
 |instead?  I already carry around a physical device with a public/private
 |keypair in it, and I need that for SSH public-key authentication anyway.
 |To avoid replay attacks, the signed data needs to be an ever increasing
 |counter or timestamp a'la HOTP/TOTP.
 |
 |I think this could be a good builtin functionality of OpenSSH, it
 |already has all of the public/private key trust infrastructure
 |available, what is missing is just the plumbing to connect it the
 |firewall.  Maybe it could go into a separate binary and not in the
 |default sshd though.  How about a sshfwkd?

With the possibilities that ssh-keygen -Y sign|verify have added,
one could easily adapt the server and client to send "user-name
MSG", so that the server could look into authorized_keys of
user-name and verify MSG, whatever that is.
(Or only use the current encryption thing for user-name, or
completely different and without user-name, but then a possible
large bunch of directories would need to be searched i guess.  To
be continue..)

Ie, for me personally sshfwkd would only make sense if it could be
made to listen on a different interface than the real SSH server.
I'll attach my very, very simple things, but which work for me
without any problems for years.  (They require IPv4.)

 |/Simon

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: port-knock-client.sh
Type: text/x-shellscript
Size: 2360 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240704/a5b63641/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: port-knock-server.c
Type: text/x-csrc
Size: 2967 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240704/a5b63641/attachment-0003.bin>

More information about the openssh-unix-dev mailing list