Request for a Lockdown option
Steffen Nurpmeso
steffen at sdaoden.eu
Sun Jul 7 12:52:34 AEST 2024
Steffen Nurpmeso wrote in
<20240704180538.iV4uex29 at steffen%sdaoden.eu>:
|Simon Josefsson wrote in
| <87jzi1fg24.fsf at kaka.sjd.se>:
||Jochen Bern <Jochen.Bern at binect.de> writes:
||> (And since you mention "port knocking", I'd like to repeat how fond I
||> am of upgrading that original concept to a single-packet
||> crypto-armored implementation like fwknop.)
||
||I am reluctantly considering to use some kind of port knocking mechanism
||on some machines, however I really don't want to carry around shared
||symmetric keys or setup yet another public/private key infrastructure
||for that purpose. I already have a working infrastructure for SSH
||authentication.
||
||Does anyone know of any implementation that allows me to configure a
||PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then
||only listens to signed port knocks from the corresponding private keys?
...
|No, but for many years i do have a super simple port-knock server
|to do the I/O plus sh(1)ell based client which can do .. whatever.
...
|With the possibilities that ssh-keygen -Y sign|verify have added,
|one could easily adapt the server and client to send "user-name
|MSG", so that the server could look into authorized_keys of
|user-name and verify MSG, whatever that is.
Hey! That vision of yours, in conjunction with that -Y
possibility of ssh-keygen thrilled me so much i wrote a draft.
It uses TLS over TCP to secure the packet. (Not UDP based, hm.)
It is not yet fully worked out, but that draft i like, i will
change to use that approach next week for sure -- no more becoming
root locally in order to port knock, only need loaded ssh-agent!
    echo >&2 'SYNOPSIS: '$0' create-server-cert email-address filename'
self-signed port-knock server cert creation.
clients need to have the cert for TLS verification.
    echo >&2 'SYNOPSIS: '$0' create-ssh-key email-address filename'
create a ssh key for port knock purposes.
Users then knock via
    echo >&2 'SYNOPSIS: '$0' knock path-to-ssh-pubkey path-to-port-knock-bin host port server-cert'
a little bit complicated yet.
The C binary needs to be compiled via
    gcc -W -Wall -pedantic -o /tmp/zt port-knock-bin.c -lssl -lcrypto
and then run via
    cd /tmp/
    ./zt -v server ./.Z.key ./.Z.pub 10000 /tmp/port-knock.sh /tmp/.ZX.ALLO
The client then does
    ./port-knock.sh knock .ZX.pub /tmp/zt localhost 10000 /tmp/.Z.pub
Of course it is a play thing, but for you all it is sunday and
maybe you like it. 'Will review and polish it on Monday.
TLS client certificates and things like capsicum or pledge/unveil
are missing for now, also after Monday.
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: port-knock.sh
Type: text/x-shellscript
Size: 3324 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240707/d3597b69/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: port-knock-bin.c
Type: text/x-csrc
Size: 12996 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240707/d3597b69/attachment-0003.bin>
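As an added example that is not Steffen's port-knock.sh or port-knock-bin.c: one round of the signed "user-name MSG" knock sketched in the thread, with the server side turning the named user's authorized_keys into an allowed_signers file for ssh-keygen -Y verify. It assumes OpenSSH 8.2 or later on PATH; the user-name alice, the 60 second freshness window and the portknock namespace are choices made here, and the TLS transport of the draft is left out.

```shell
#!/bin/sh
# Added example, not Steffen's port-knock.sh: one signed "user-name MSG" knock,
# verified server-side against that user's authorized_keys with ssh-keygen -Y.
# Requires ssh-keygen from OpenSSH >= 8.2; every path and name here is constructed.
set -eu
command -v ssh-keygen >/dev/null || { echo 'ssh-keygen (OpenSSH >= 8.2) required' >&2; exit 1; }
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
NS=portknock   # signature namespace: a knock signature is then not valid as anything else
KNOCKER=alice  # the user-name the knock claims (constructed)

# --- client: dedicated knock key, message "user-name unix-time", detached signature ---
ssh-keygen -q -t ed25519 -N '' -C "$KNOCKER knock key" -f "$WORK/knock"
MSG="$KNOCKER $(date -u +%s)"
printf '%s' "$MSG" | ssh-keygen -Y sign -q -n "$NS" -f "$WORK/knock" > "$WORK/msg.sig"

# --- server: verify_knock USER MSG SIGFILE AUTHORIZED_KEYS ; returns 0 only if accepted ---
verify_knock() {
  user=$1 msg=$2 sig=$3 authkeys=$4
  # a user-name used to locate ~user/.ssh/authorized_keys must not be able to escape that lookup
  case $user in ''|*[!a-z0-9_-]*) return 1 ;; esac
  # the signed text must be exactly "user time" and fresh, so a captured knock cannot be replayed later
  set -- $msg
  [ $# -eq 2 ] && [ "$1" = "$user" ] || return 1
  now=$(date -u +%s)
  [ "$2" -le "$now" ] 2>/dev/null && [ $((now - $2)) -lt 60 ] || return 1
  # authorized_keys -> allowed_signers: "principal keytype base64"; lines with
  # leading options (restrict, from=...) are skipped here for brevity
  awk -v u="$user" '$1 ~ /^(ssh|ecdsa|sk)-/ { print u, $1, $2 }' "$authkeys" > "$WORK/signers"
  printf '%s' "$msg" | ssh-keygen -Y verify -q -f "$WORK/signers" -I "$user" -n "$NS" -s "$sig"
}

# stand-alone demo: the knock just produced should pass
verify_knock "$KNOCKER" "$MSG" "$WORK/msg.sig" "$WORK/knock.pub" && echo "knock from $KNOCKER accepted"
```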