Request for a Lockdown option

Steffen Nurpmeso steffen at sdaoden.eu
Thu Jul 18 09:50:28 AEST 2024


Hello (and finally),

Steffen Nurpmeso wrote in
 <20240714024434.vvSRh10_ at steffen%sdaoden.eu>:
 ...
 |Anyhow, this approach i like much better than TLS.
 |It is a bit ugly that ssh-keygen does not give access to the PEM
 |version of the OpenSSL private key, on the other hand encryption
 |only works for RSA (in the western world, and libsodium, on the
 |other hand, would allow this for Ed25519 it seems, too, and i also
 ...
 |I will attach these, i like them.  Maybe i find time to make the
 |OpenBSD variant work for IPv4 and IPv6, but i think it needs two
 |sockets and select(2), so this is a bit of work.

So i did that.  It became a "more regular thing" while doing that,
i.e., with a README (and a big fat warning that this thing should be
firewall protected), with nicer -h for the script, etc etc.
I keep using IPv6 and mapped address except on *BSD, it works
nicely on Linux and OpenIndiana.

It is only a pity that the new algorithms do not "simply" allow
encryption, and that OpenSSH does not reveal a PEM variant of the
private key (for "decrypting", then), so that OpenSSL is needed in
addition, at all.

Anyhow this is much smaller than installing OpenVPN for some knock
daemon (if i understood the discussion right), and i use it.

Thanks, and ciao,

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
-------------- next part --------------
S - p o r t - k n o c k
=======================

A simple port knock implementation.
It requires modern OpenSSH (ssh-keygen(1)), openssl(1) and sh(1)
implementations.  (It actively searches for bash(1) *if* the sh(1)
seems insufficient.  $OPENSSL= may be passed to dedicate that.)

BIG FAT WARNING
---------------

  This software MUST be protected by suitable firewall rules!
  Any network packet sent to it causes a sh(1)ell script to run!
  For example, the author uses this Linux firewall rule, which effectively
  allows only one packet per source address per minute (and causes an
  hour-long block otherwise).

    # port_knock: input only server
    if fwcore_has_i port_knock; then
            : ${FWCORE_PORT_KNOCK:?port_knock needs FWCORE_PORT_KNOCK}
            if ipaddr_split ap "${FWCORE_PORT_KNOCK}"; then
                    add_rule -p udp --dport ${port} \
                            -m recent --name port_knock --set \
                            -m recent --name port_knock \
                              --rcheck --seconds 60 --reap --hitcount 2 \
                            -m recent --name alien_super --set -j DROP
                    add_rule -p udp --dport ${port} -j f_m1
            fi
    fi

What does this software do?
---------------------------

On servers:

. If the packet seems sane,
. the OpenSSL private key is used to decrypt the random key,
. the random key is used to decrypt the signature,
. the "ssh-keygen -Y" mechanism is used to find a principal for the
  signature in the "allowed signers" file.
. (If a $MAGIC string is required, the signature is also verified.)

. On any stage a failure causes the act_block() action,
. upon overall success the act_allow() action is applied.

  # cd /tmp/
  # $CC -o zt s-port-knock-bin.c

  # head -n1 ~/.ssh/authorized_keys > .Zpub1
  # { printf 'uid1 '; cat .Zpub1; } > .Zsigs
  # echo MAGIC= > .Z.rc

  # ./s-port-knock.sh create-server-key .Zk
  # PORT_KNOCK_BIN=./zt PORT_KNOCK_SHELL=/bin/bash PORT_KNOCK_RC=./.Z.rc \
    ./s-port-knock.sh start-server -v 10000 s-port-knock.sh \
      .Zk-pri.pem .Zsigs

On clients:

. Creates a signature for an SSH public key via "ssh-keygen -Y",
. (if a $MAGIC string is required, includes that in the signature),
. encrypts that with a random key,
. and encrypts the random key for a dedicated target server via that
  server's OpenSSL public key,
. sends the resulting packet to that server,
. invokes the $PORT_KNOCK_RC act_sent() hook; if that does not return 0,
  the packet is sent again, etc.

  # cd /tmp/
  # PORT_KNOCK_BIN=./zt PORT_KNOCK_RC=./.Z.rc \
    ./s-port-knock.sh knock localhost 10000 .Zk-pub.pem .Zpub1
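The client and server steps above, as an added shell illustration using only ssh-keygen(1) and openssl(1); it is not the project's s-port-knock.sh. The packet layout (a 256-byte RSA-2048/OAEP-wrapped random key followed by the AES-256-CBC encrypted signature), the signing namespace "port-knock" and the $MAGIC value are assumptions made here, and the signature is always verified against $MAGIC:

```shell
#!/bin/sh
# Added example, not the project's code. Assumed packet format: 256-byte
# RSA-2048/OAEP-wrapped random key || AES-256-CBC encrypted ssh signature.
set -eu
W=$(mktemp -d); trap 'rm -rf "$W"' EXIT
MAGIC="open-sesame"   # constructed server secret that the client must sign
NS=port-knock         # constructed ssh-keygen -Y namespace

setup_keys() {        # server OpenSSL keypair, client SSH key, allowed signers
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$W/srv-pri.pem" 2>/dev/null
  openssl pkey -in "$W/srv-pri.pem" -pubout -out "$W/srv-pub.pem"
  ssh-keygen -q -t ed25519 -N '' -f "$W/client" </dev/null
  printf 'uid1 %s\n' "$(cat "$W/client.pub")" > "$W/allowed_signers"
}

# Client: sign $1 with the SSH key, encrypt the signature under a random key,
# wrap that key for the server with its OpenSSL public key, write packet to $2.
knock_build() {
  printf '%s' "$1" | ssh-keygen -q -Y sign -f "$W/client" -n "$NS" > "$W/sig.txt"
  openssl rand -hex 32 > "$W/rkey.txt"
  openssl enc -aes-256-cbc -pbkdf2 -salt -pass "file:$W/rkey.txt" \
    -in "$W/sig.txt" -out "$W/sig.enc"
  openssl pkeyutl -encrypt -pubin -inkey "$W/srv-pub.pem" \
    -pkeyopt rsa_padding_mode:oaep -in "$W/rkey.txt" -out "$W/rkey.enc"
  cat "$W/rkey.enc" "$W/sig.enc" > "$2"
}

# Server: unwrap the random key, decrypt the signature, look up the principal
# in allowed_signers, then verify the signature over $MAGIC. Any failure
# returns 1 (the README's act_block()); success prints the principal (act_allow()).
knock_check() {
  head -c 256 "$1" > "$W/in-rkey.enc" && tail -c +257 "$1" > "$W/in-sig.enc"
  openssl pkeyutl -decrypt -inkey "$W/srv-pri.pem" -pkeyopt rsa_padding_mode:oaep \
    -in "$W/in-rkey.enc" -out "$W/in-rkey.txt" 2>/dev/null || return 1
  openssl enc -d -aes-256-cbc -pbkdf2 -pass "file:$W/in-rkey.txt" \
    -in "$W/in-sig.enc" -out "$W/in-sig.txt" 2>/dev/null || return 1
  p=$(ssh-keygen -Y find-principals -s "$W/in-sig.txt" -f "$W/allowed_signers" 2>/dev/null) || return 1
  printf '%s' "$MAGIC" | ssh-keygen -q -Y verify -f "$W/allowed_signers" -I "$p" \
    -n "$NS" -s "$W/in-sig.txt" >/dev/null 2>&1 || return 1
  printf '%s\n' "$p"
}
```

A knock signed over a different string, or a packet that is not a valid RSA ciphertext, makes knock_check return 1, which is the path that should map to act_block().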

Build and Install
-----------------

  gcc -o /usr/sbin/s-port-knock-bin s-port-knock-bin.c
  cp s-port-knock.sh /usr/bin

RELEASES
--------

v0.8.0, 2024-07-17: (first release)
  + Linux (musl, glibc), *BSD:
    As above.  (IPv6 support is assumed.)
  + OpenIndiana 2024:
      $ LD_LIBRARY_PATH=/usr/openssl/3.1/lib/amd64:$LD_LIBRARY_PATH \
        C_INCLUDE_PATH=/usr/openssl/3.1/include:$C_INCLUDE_PATH \
        gcc -o /usr/sbin/s-port-knock-bin s-port-knock-bin.c -lsocket
    is needed in the environment for the build.
    You may need to pass OPENSSL=PATH to the s-port-knock* commands.

# s-ts-mode
-------------- next part --------------
A non-text attachment was scrubbed...
Name: s-port-knock.sh
Type: text/x-shellscript
Size: 10875 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240718/86d7022b/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: s-port-knock-bin.c
Type: text/x-csrc
Size: 12521 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240718/86d7022b/attachment-0003.bin>