Linux Firewalls - Michael Rash [149]
[root@spaserver ˜]# fwknopd --fw-list
[+] Listing chains from IPT_AUTO_CHAIN keywords...
Chain FWKNOP_INPUT (1 references)
pkts bytes target prot opt in out source destination
11 812 ACCEPT tcp -- * * 204.23.X.X 0.0.0.0/0 tcp dpt:22
In this example, the fwknop server has reconfigured iptables to allow access to SSHD for 30 seconds; after that, fwknopd deletes the ACCEPT rule from the FWKNOP_INPUT chain. Although most SSH sessions last longer than 30 seconds, this is not a serious limitation as long as the Netfilter connection tracking facilities are used: a TCP connection established during the window is then kept open between the client and the server even after the ACCEPT rule is removed, because packets belonging to it match a state rule placed ahead of the fwknop chain:
[root@spaserver ˜]# iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
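To make the interaction between the short-lived fwknopd rule and the ESTABLISHED,RELATED rule concrete, here is a small first-match packet filter model. It is an added example written for this page, not fwknop or Netfilter code; the addresses, ports and timestamps are constructed (RFC 5737 test addresses stand in for the redacted client IP), and the `Firewall`, `Rule` and `Packet` names are this example's own. The model shows that the SSH flow accepted during the 30-second window keeps passing after the rule is deleted, while a fresh connection from the same client, or from anyone else, is dropped.

```python
"""Toy model of a stateful INPUT chain with a time-limited fwknop ACCEPT rule.

Added example for this page, not fwknop's or Netfilter's own code.  Addresses,
ports and times are constructed.  First-match semantics, a default DROP policy
and a conntrack table keyed on the 5-tuple are all that is needed to reproduce
the behaviour described in the text.
"""
from dataclasses import dataclass
from typing import Optional

ANY = "0.0.0.0/0"          # toy source match: this wildcard or an exact address


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def flow(self):
        return (self.proto, self.src, self.sport, self.dst, self.dport)


@dataclass
class Rule:
    target: str
    src: str = ANY
    dport: Optional[int] = None
    state: Optional[str] = None       # "ESTABLISHED" mimics -m state --state ESTABLISHED,RELATED
    expires_at: Optional[float] = None  # set on rules that fwknopd will delete later


class Firewall:
    def __init__(self, policy="DROP"):
        self.policy = policy
        self.input_chain = []
        self.conntrack = set()        # flows that were accepted at least once

    def insert(self, rule, position=0):
        """Like 'iptables -I INPUT <position+1> ...'."""
        self.input_chain.insert(position, rule)

    def open_spa_window(self, src, dport, now, lifetime=30.0):
        """What fwknopd does for a valid SPA packet: a source-specific ACCEPT
        rule (appended after the state rule) that it removes after 'lifetime'."""
        rule = Rule("ACCEPT", src=src, dport=dport, expires_at=now + lifetime)
        self.input_chain.append(rule)
        return rule

    def expire_rules(self, now):
        """fwknopd's cleanup pass: delete ACCEPT rules whose window has elapsed."""
        self.input_chain = [r for r in self.input_chain
                            if r.expires_at is None or now < r.expires_at]

    def filter(self, pkt, now):
        """Return the verdict for one packet, walking the chain first-match."""
        established = pkt.flow() in self.conntrack
        for rule in self.input_chain:
            if rule.state == "ESTABLISHED" and not established:
                continue
            if rule.src != ANY and rule.src != pkt.src:
                continue
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if rule.target == "ACCEPT":
                self.conntrack.add(pkt.flow())   # conntrack now knows this flow
            return rule.target
        return self.policy


def demo(with_conntrack_rule=True):
    """Replay the scenario from the text; returns the verdict of each step."""
    fw = Firewall()
    if with_conntrack_rule:
        # iptables -I INPUT 1 -m state --state ESTABLISHED,RELATED -j ACCEPT
        fw.insert(Rule("ACCEPT", state="ESTABLISHED"), position=0)
    client, server = "203.0.113.7", "198.51.100.22"   # constructed addresses
    fw.open_spa_window(client, 22, now=0.0)             # valid SPA packet seen at t=0

    ssh = Packet(client, 51234, server, 22)             # the SSH session
    stranger = Packet("203.0.113.99", 40000, server, 22)
    verdicts = {}
    verdicts["syn_in_window"] = fw.filter(ssh, now=5.0)
    verdicts["stranger_in_window"] = fw.filter(stranger, now=6.0)
    fw.expire_rules(now=40.0)                           # fwknopd removes the rule
    verdicts["data_after_expiry"] = fw.filter(ssh, now=41.0)
    verdicts["new_syn_after_expiry"] = fw.filter(Packet(client, 51235, server, 22), now=42.0)
    return verdicts


if __name__ == "__main__":
    print("with state rule:   ", demo(True))
    print("without state rule:", demo(False))
```

Running `demo(False)` shows why the `-I INPUT 1` placement matters: without the state rule ahead of the fwknop rule, the established session is cut off the moment fwknopd deletes its ACCEPT entry.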
SPA via Asymmetric Encryption
The problem of key exchange is a central one in cryptography, and the solution provided by public key cryptosystems is what sets them apart. In contrast to symmetric ciphers, where the key must be shared between two parties in the clear over an insecure channel,[82] asymmetric ciphers rely on a system in which people actively publish the public portion of a public/private key pair. For example, when person A encrypts data with person B's public key, person B, and only person B, can decrypt the ciphertext by combining the public and private key via an operation that breaks the lock on the data. This lock is built from a mathematical puzzle that is computationally expensive to solve without access to both the public and private keys.[83]
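The following toy ElGamal implementation is an added example for this page, not GnuPG's code, written to show the mechanics behind the paragraph above: anyone holding the public key can encrypt, and only the holder of the private exponent can undo it. The prime, generator and message are constructed for the demonstration and provide no real security; the `keygen`, `encrypt`, `decrypt` and `ciphertext_bytes` names are this example's own. It also shows that an ElGamal ciphertext is two field elements, each as wide as the modulus, which is the reason a larger key inflates every encrypted SPA message.

```python
"""Textbook ElGamal over Z_p^* as an added illustration (not GnuPG's code).

Constructed parameters: a 127-bit Mersenne prime and g = 3.  Real keys, as in
the text, are thousands of bits and are used only to wrap a session key.
"""
import secrets

P = 2**127 - 1     # prime modulus, constructed and far too small for real use
G = 3              # constructed generator choice for the toy group


def keygen(p=P, g=G):
    """Private key x is a random exponent; public key is (p, g, y = g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1          # x in [1, p-2]
    y = pow(g, x, p)
    return (p, g, y), x


def encrypt(pub, m):
    """Anyone with the public key can do this; k is fresh per message."""
    p, g, y = pub
    if not 0 < m < p:
        raise ValueError("message must be an integer in (0, p)")
    k = secrets.randbelow(p - 2) + 1
    c1 = pow(g, k, p)                          # g^k
    c2 = (m * pow(y, k, p)) % p                # m * y^k
    return c1, c2


def decrypt(pub, x, ct):
    """Only the private exponent x recovers the shared value s = c1^x = y^k."""
    p, _, _ = pub
    c1, c2 = ct
    s = pow(c1, x, p)
    s_inv = pow(s, p - 2, p)                   # inverse via Fermat, p is prime
    return (c2 * s_inv) % p


def int_from_text(data: bytes) -> int:
    return int.from_bytes(data, "big")


def text_from_int(n: int) -> bytes:
    return n.to_bytes((n.bit_length() + 7) // 8, "big")


def ciphertext_bytes(p: int) -> int:
    """Raw size of (c1, c2): two elements, each the byte width of the modulus.
    This is before OpenPGP packet framing and before ASCII armoring."""
    return 2 * ((p.bit_length() + 7) // 8)


if __name__ == "__main__":
    pub, priv = keygen()
    msg = int_from_text(b"SPA ok")            # constructed sample message
    ct = encrypt(pub, msg)
    print("ciphertext:", ct)
    print("decrypted :", text_from_int(decrypt(pub, priv, ct)))
    print("toy ciphertext bytes:", ciphertext_bytes(P))
    print("4096-bit modulus ciphertext bytes:", ciphertext_bytes(2**4095 + 1))
```

`ciphertext_bytes` makes the size argument of the text tangible: with a 4,096-bit modulus the two ElGamal elements alone occupy 1,024 bytes before armoring and before the symmetrically encrypted payload is appended, whereas a 2,048-bit modulus halves that.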
GnuPG Key Exchange for fwknop
In order to use GnuPG keys within fwknop, you must create and import the server's public key into the client's key ring, and vice versa. Because the decryption password for the client's key is never stored in a file, it is safe to use any GnuPG key with the fwknop client. However, for this discussion, I'll generate new client and server keys and import them as follows (some of the output has been removed for brevity).
[mbr@spaclient ˜]$ gpg --gen-key
gpg (GnuPG) 1.4.5; Copyright (C) 2006 Free Software Foundation, Inc.
Please select what kind of key you want:
(1) DSA and Elgamal (default)
(2) DSA (sign only)
(5) RSA (sign only)
Your selection? 1
DSA keypair will have 1024 bits.
ELG-E keys may be between 1024 and 4096 bits long.
What keysize do you want? (2048)
Requested keysize is 2048 bits
Please specify how long the key should be valid.
0 = key does not expire
Key is valid for? (0)
Key does not expire at all
Is this correct? (y/N) y
You need a user ID to identify your key; the software constructs the user ID
from the Real Name, Comment and Email Address in this form:
"Heinrich Heine (Der Dichter)"
Real name: Michael Rash
Email address: mbr@cipherdyne.org
Comment: Linux Firewalls fwknop_client key
You selected this USER-ID:
"Michael Rash (Linux Firewalls fwknop_client key) <mbr@cipherdyne.org>"
Change (N)ame, (C)omment, (E)mail or (O)kay/(Q)uit? O
You need a passphrase to protect your secret key.
Enter passphrase:
[mbr@spaclient ˜]$ gpg --list-keys "fwknop_client"
pub 1024D/AB743C36 2007-10-18
uid Michael Rash (Linux Firewalls fwknop_client key) <mbr@cipherdyne.org>
sub 2048g/1035BC5C 2007-10-18
The ciphertext of an SPA message encrypted with a 4,096-bit Elgamal key is usually well over the 1,500-byte MTU of Ethernet networks, so a key length of 2,048 bits is chosen (shown in bold above). Now we export the client public key to a file:
[mbr@spaclient ˜]$ gpg -a --export "fwknop_client" > fwknop_client.asc
A similar process is performed on the fwknop server, with the key generation and exporting commands duplicated on the server side:
[root@spaserver ˜]# gpg --gen-key
[root@spaserver