Request for a Lockdown option
Jochen Bern
Jochen.Bern at binect.de
Fri Jul 5 00:40:13 AEST 2024
On 04.07.24 15:21, Simon Josefsson wrote:
> Does anyone know of any implementation that allows me to configure a
> PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then
> only listens to signed port knocks from the corresponding private keys?
>
> I notice fwknop has PGP support, but it requires a private key on the
> server side, and that's really annoying. Instead of using public-key
> encryption, shouldn't it be possible to rely only on public-key signing
> instead?
fwknop insists on having the SPAs encrypted, presumably so that MitM
can't read them and use the port(s) you just opened themselves¹, and
encryption requires either a shared symmetric secret, or asymmetric
keypairs on both sides (and thus a privkey on the server).
If you consider that unnecessary¹, you could consider the server-side
privkey and passphrase non-sensitive material, which would make it that
much less "annoying" to have around ...
¹ Yes, I am aware that the MitM would probably *still* have enough time
to do the same (in an automated way) even if he has to wait to see
*your* use of the now-open port. Which would probably be the *best*
reason to doubt the value of having the SPAs encrypted.
Last but not least: I never did anything with it, but GnuPG *does* have an
--export-ssh-key option, so using a single keypair in both SSH and PGP
contexts *might* be feasible.
Kind regards,
--
Jochen Bern
Systems Engineer
Binect GmbH
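As an added illustration of the scheme Simon asks about (example code, not from this thread, fwknop or OpenSSH): a hypothetical signature-only single packet authorization in Go, where the server stores just the client's Ed25519 public key and uses a timestamp plus a nonce cache so that a captured knock cannot be replayed. The "knock-v1" message format, the field names and the 30-second window are assumptions of this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

const Window = 30 * time.Second // assumed: how long a captured knock is replayable at all

// Knock is a hypothetical signed SPA: nothing in it is secret, so the server
// needs only the client's public key and no private key of its own.
type Knock struct {
	Port  uint16
	Time  int64    // Unix seconds, checked against Window
	Nonce [16]byte // makes each knock unique for the replay cache
	Sig   []byte   // Ed25519 signature over the canonical string below
}
func (k *Knock) signedBytes() []byte {
	return []byte(fmt.Sprintf("knock-v1|%d|%d|%x", k.Port, k.Time, k.Nonce))
}
// Sign builds a knock for port with the client's private key.
func Sign(priv ed25519.PrivateKey, port uint16, now time.Time) *Knock {
	k := &Knock{Port: port, Time: now.Unix()}
	rand.Read(k.Nonce[:]) // crypto/rand.Read does not fail on supported platforms
	k.Sig = ed25519.Sign(priv, k.signedBytes())
	return k
}
// Verify is the server side: it holds only pub plus the nonces already accepted
// and rejects stale, replayed and badly signed knocks, so an observer who
// copies a valid packet cannot reuse it later.
func Verify(pub ed25519.PublicKey, seen map[[16]byte]bool, k *Knock, now time.Time) error {
	d := now.Sub(time.Unix(k.Time, 0))
	switch {
	case d > Window || d < -Window:
		return errors.New("knock outside time window")
	case seen[k.Nonce]:
		return errors.New("replayed knock")
	case !ed25519.Verify(pub, k.signedBytes(), k.Sig):
		return errors.New("bad signature")
	}
	seen[k.Nonce] = true
	return nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	seen := map[[16]byte]bool{}
	k := Sign(priv, 22, time.Now())
	fmt.Println(Verify(pub, seen, k, time.Now()), Verify(pub, seen, k, time.Now())) // <nil> replayed knock
}
```

What this does not address is Jochen's footnote: once the port is open, anyone who saw the knock can also try the port before it closes again, whether or not the knock itself was encrypted.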