Request for a Lockdown option
Simon Josefsson
simon at josefsson.org
Thu Jul 4 23:21:55 AEST 2024
Jochen Bern <Jochen.Bern at binect.de> writes:
> (And since you mention "port knocking", I'd like to repeat how fond I
> am of upgrading that original concept to a single-packet
> crypto-armored implementation like fwknop.)
I am reluctantly considering to use some kind of port knocking mechanism
on some machines, however I really don't want to carry around shared
symmetric keys or setup yet another public/private key infrastructure
for that purpose. I already have a working infrastructure for SSH
authentication.
Does anyone know of any implementation that allows me to configure a
PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then
only listens to signed port knocks from the corresponding private keys?
I notice fwknop has PGP support, but it requires a private key on the
server side, and that's really annoying. Instead of using public-key
encryption, shouldn't be possible to rely only on public-key signing
instead? I already carry around a physical device with a public/private
keypair in it, and I need that for SSH public-key authentication anyway.
To avoid replay attacks, the signed data needs to be an ever increasing
counter or timestamp a'la HOTP/TOTP.
I think this could be a good builtin functionality of OpenSSH, it
already has all of the public/private key trust infrastructure
available, what is missing is just the plumbing to connect it the
firewall. Maybe it could go into a separate binary and not in the
default sshd though. How about a sshfwkd?
/Simon
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 255 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240704/1de5ebbc/attachment.asc>
More information about the openssh-unix-dev
mailing list