Linux Firewalls - Michael Rash [150]
pub   1024D/25801B3A 2007-10-18
uid                  Michael Rash (Linux Firewalls fwknop_server key)
sub   2048g/39E2FDC6 2007-10-18

[root@spaserver ~]# gpg -a --export "fwknop_server" > fwknop_server.asc

Finally, you need to transfer the public keys to each respective system, import them, and sign them. The import step makes the server's public key available on the client's GnuPG key ring, and vice versa. The signing step is necessary so that fwknop can verify the identity of the key that signed the SPA packet data. Even though I transfer the public keys over scp here, given the nature of public-key cryptosystems, I could have published the keys on a web page for all to see without any negative security impact; only the private keys and their passphrases need protecting. It is also important to note that SSHD may not always be accessible (in fact, the fwknop setup below intentionally firewalls it off), so other transfer mechanisms for the public keys may sometimes be required. Here is some abbreviated command output (the scp transfers are in ❶ and ❷, and the import and signing commands begin in ❸ and ❹):

❶ [mbr@spaclient ~]$ scp fwknop_client.asc root@spaserver:
Password:
❷ [mbr@spaclient ~]$ scp root@spaserver:fwknop_server.asc .
Password:
❸ [mbr@spaclient ~]$ gpg --import fwknop_server.asc
gpg: key 25801B3A: public key "Michael Rash (Linux Firewalls fwknop server key)" imported
gpg: Total number processed: 1
gpg:               imported: 1
[mbr@spaclient ~]$ gpg --default-key "fwknop_client" --sign-key "fwknop_server"
[mbr@spaclient ~]$ ssh -l root spaserver
Password:
❹ [root@spaserver ~]# gpg --import fwknop_client.asc
gpg: key AB743C36: public key "Michael Rash (Linux Firewalls fwknop client key)" imported
gpg: Total number processed: 1
gpg:               imported: 1
[root@spaserver ~]# gpg --default-key "fwknop_server" --sign-key "fwknop_client"

Running fwknop with GnuPG Keys

With the GnuPG keys imported and signed within both the fwknop client's and the server's key rings, it is time to see fwknop in action with GnuPG. To begin, the access.conf file on the fwknop server must contain the proper GnuPG access definitions.
The SOURCE block begins in ❶ and instructs fwknopd to require that SPA packets are encrypted with the fwknop_server key and signed with the fwknop_client key. Because GPG_DECRYPT_PW stores the server key's passphrase in the clear, access.conf must be readable only by root. In addition, iptables must be deployed to shut down access to SSHD, as shown in ❷, and fwknop must be running, as shown in ❸. Note that the second iptables command in ❷ inserts the ESTABLISHED,RELATED ACCEPT rule above the DROP rule, so an SSH session that fwknop has let through keeps working after the temporary ACCEPT rule for new connections is removed.

[root@spaserver ~]# cat /etc/fwknop/access.conf
❶ SOURCE: ANY;
OPEN_PORTS: tcp/22;
REQUIRE_USERNAME: mbr;
GPG_HOME_DIR: /root/.gnupg;
GPG_DECRYPT_ID: fwknop_server;
GPG_DECRYPT_PW: GPGdecryptpw;
GPG_REMOTE_ID: fwknop_client;
FW_ACCESS_TIMEOUT: 30;
❷ [root@spaserver ~]# iptables -I INPUT 1 -p tcp --dport 22 -j DROP
[root@spaserver ~]# iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
❸ [root@spaserver ~]# /etc/init.d/fwknop start
Starting fwknop ... [ ok ]

Now, from the spaclient system, you can use Netcat to confirm that SSHD is indeed unreachable (the connection attempt gets no response, because iptables drops the packets), and then use fwknop to gain access through iptables. Below, the last line indicates that you have successfully logged into the spaserver system.

[mbr@spaclient ~]$ nc -v spaserver 22
[mbr@spaclient ~]$ fwknop -A tcp/22 --gpg-recip "fwknop_server" --gpg-sign "fwknop_client" -R -k spaserver
[mbr@spaclient ~]$ ssh -l root spaserver
Password:
[root@spaserver ~]#

As was the case when fwknop was instructed to use the Rijndael symmetric cipher, the fwknop server writes several messages to syslog. This time, however, there is new information indicating that the GnuPG-encrypted SPA message was signed by ❶ the required key ID (defined by the GPG_REMOTE_ID variable in access.conf). As usual, an iptables ACCEPT rule is ❷ added and ❸ deleted after 30 seconds.

Oct 18 15:48:07 spaserver fwknopd: received valid GnuPG encrypted packet (signed with required key ID: ❶"fwknop_client") from: 204.23.X.X, remote user: mbr
❷ Oct 18 15:48:07 spaserver fwknopd: adding FWKNOP_INPUT ACCEPT rule for 204.23.X.X -> tcp/22 (30 seconds)
❸ Oct 18
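As an added example (not code from the book or from the fwknop project), the following shell script replays the key exchange above and the server-side decision behind the "signed with required key ID" log message, using three throw-away GnuPG keyrings in a temporary directory. It assumes gpg 2.1 or later is installed. The key names follow the text, but the SPA payload format, the fingerprint comparison, and the "impostor" key are illustrative and are not fwknop internals.

```shell
#!/bin/sh
# Added example; not code from "Linux Firewalls" or the fwknop project.
# Emulates the key exchange (export, import, sign) and the server-side
# "signed with required key ID" decision with throw-away GnuPG keyrings.
# Assumptions: gpg 2.1+ in PATH; the payload format and the impostor key
# are illustrative only.
set -eu

WORK=$(mktemp -d)
CLIENT="$WORK/client"; SERVER="$WORK/server"; IMPOSTOR="$WORK/impostor"
mkdir -m 700 "$CLIENT" "$SERVER" "$IMPOSTOR"
cleanup() {
    for h in "$CLIENT" "$SERVER" "$IMPOSTOR"; do
        gpgconf --homedir "$h" --kill gpg-agent 2>/dev/null || true
    done
    rm -rf "$WORK"
}
trap cleanup EXIT

# gen_key HOME NAME: unprotected RSA signing key plus an RSA encryption
# subkey, generated from batch parameters so no pinentry is involved
gen_key() {
    printf '%%no-protection\nKey-Type: RSA\nKey-Length: 2048\nSubkey-Type: RSA\nSubkey-Length: 2048\nName-Real: %s\nExpire-Date: 0\n%%commit\n' "$2" \
        | gpg --homedir "$1" --batch --quiet --gen-key 2>/dev/null
}

# fpr HOME NAME: primary-key fingerprint of NAME in keyring HOME
fpr() {
    gpg --homedir "$1" --batch --with-colons --list-keys "$2" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# exchange SRC DST NAME: the scp / --import / --sign-key steps from the text,
# with the armored export piped into the other keyring instead of an .asc file
exchange() {
    gpg --homedir "$1" --batch --armor --export "$3" \
        | gpg --homedir "$2" --batch --quiet --import 2>/dev/null
    gpg --homedir "$2" --batch --yes --quick-sign-key "$(fpr "$2" "$3")" 2>/dev/null
}

# spa_send HOME SIGNER OUT: what --gpg-recip/--gpg-sign do on the client:
# encrypt to fwknop_server and sign with SIGNER. The payload is made up.
spa_send() {
    printf 'user=mbr;access=tcp/22;nonce=%s\n' \
        "$(od -An -N8 -tx1 /dev/urandom | tr -d ' \n')" \
        | gpg --homedir "$1" --batch --yes --armor --local-user "$2" \
              --recipient fwknop_server --sign --encrypt --output "$3" 2>/dev/null
}

# spa_verify REQUIRED_FPR IN: the fwknopd-side decision. Return 0 only if
# decryption succeeded AND the signature is valid AND it was made by the key
# the server was told to require (GPG_REMOTE_ID). A good signature from some
# other key that happens to be on the keyring is not enough.
spa_verify() {
    status=$(gpg --homedir "$SERVER" --batch --yes --status-fd 1 \
                 --output "$2.plain" --decrypt "$2" 2>/dev/null) || true
    echo "$status" | grep -q '^\[GNUPG:\] DECRYPTION_OKAY' || return 1
    # the last VALIDSIG field is the primary fingerprint of the signing key
    signer=$(echo "$status" | awk '/^\[GNUPG:\] VALIDSIG/ { print $NF; exit }')
    [ -n "$signer" ] && [ "$signer" = "$1" ]
}

gen_key "$CLIENT" fwknop_client
gen_key "$SERVER" fwknop_server
gen_key "$IMPOSTOR" impostor
exchange "$CLIENT" "$SERVER" fwknop_client   # steps 1 and 4 in the text
exchange "$SERVER" "$CLIENT" fwknop_server   # steps 2 and 3 in the text
REQUIRED=$(fpr "$SERVER" fwknop_client)      # the key GPG_REMOTE_ID names

spa_send "$CLIENT" fwknop_client "$WORK/good.asc"
if spa_verify "$REQUIRED" "$WORK/good.asc"; then GOOD=accept; else GOOD=reject; fi

# Impostor: it has the server's public key (public, as the text notes) and
# the server has even imported the impostor's key. The packet decrypts and
# carries a valid signature, but not from the required key.
exchange "$SERVER" "$IMPOSTOR" fwknop_server
gpg --homedir "$IMPOSTOR" --batch --armor --export impostor \
    | gpg --homedir "$SERVER" --batch --quiet --import 2>/dev/null
spa_send "$IMPOSTOR" impostor "$WORK/bad.asc"
if spa_verify "$REQUIRED" "$WORK/bad.asc"; then BAD=accept; else BAD=reject; fi

echo "required signer: $REQUIRED"
echo "client packet: $GOOD, impostor packet: $BAD"
```

Run it as an unprivileged user; it touches nothing outside the temporary directory and kills the gpg-agent instances it started. The impostor case is the point: a packet that decrypts cleanly and carries a cryptographically valid signature is still rejected because the signer is not the key named by GPG_REMOTE_ID, which is the property that setting gives you over merely having the client's key on the server's key ring.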