Jochen Bern <Jochen.Bern at binect.de> writes:

> (And since you mention "port knocking", I'd like to repeat how fond I
> am of upgrading that original concept to a single-packet
> crypto-armored implementation like fwknop.)

I am reluctantly considering to use some kind of port knocking mechanism on some machines, however I really don't want to carry around shared symmetric keys or set up yet another public/private key infrastructure for that purpose. I already have a working infrastructure for SSH authentication.

Does anyone know of any implementation that allows me to configure a PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then only listens to signed port knocks from the corresponding private keys?

I notice fwknop has PGP support, but it requires a private key on the server side, and that's really annoying. Instead of using public-key encryption, shouldn't it be possible to rely only on public-key signing instead? I already carry around a physical device with a public/private keypair in it, and I need that for SSH public-key authentication anyway. To avoid replay attacks, the signed data needs to be an ever increasing counter or timestamp a'la HOTP/TOTP.

I think this could be a good builtin functionality of OpenSSH, it already has all of the public/private key trust infrastructure available, what is missing is just the plumbing to connect it to the firewall. Maybe it could go into a separate binary and not in the default sshd though. How about a sshfwkd?

/Simon

On 04/07/2024 14:21, Simon Josefsson wrote:

> I notice fwknop has PGP support, but it requires a private key on the
> server side, and that's really annoying. Instead of using public-key
> encryption, shouldn't it be possible to rely only on public-key signing
> instead?

Without the encryption, random people on the Internet could read the SPA payload <https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#spa-packet-format> and/or signature.

It's explained here: https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#fwknop-gpg

- you use your existing PGP key for authenticating (signing) your requests
- the client also encrypts messages to fwknop using fwknop's public key
- fwknop has its own private key for decrypting those messages

Therefore you just need a copy of fwknop's public key on each client device, and it doesn't need to be held securely. Just think of it as a bit of config. It doesn't seem that annoying to me.

Just set up a VPN. I hate wireguard, but it's extremely simple and works and you can get it running in minutes. Adding complexity to OpenSSH solves nothing.

Jan

> On 4. 7. 2024, at 15:21, Simon Josefsson <simon at josefsson.org> wrote:
>
> Jochen Bern <Jochen.Bern at binect.de> writes:
>
>> (And since you mention "port knocking", I'd like to repeat how fond I
>> am of upgrading that original concept to a single-packet
>> crypto-armored implementation like fwknop.)
>
> I am reluctantly considering to use some kind of port knocking mechanism
> on some machines, however I really don't want to carry around shared
> symmetric keys or set up yet another public/private key infrastructure
> for that purpose. I already have a working infrastructure for SSH
> authentication.
>
> Does anyone know of any implementation that allows me to configure a
> PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then
> only listens to signed port knocks from the corresponding private keys?
>
> I notice fwknop has PGP support, but it requires a private key on the
> server side, and that's really annoying. Instead of using public-key
> encryption, shouldn't it be possible to rely only on public-key signing
> instead? I already carry around a physical device with a public/private
> keypair in it, and I need that for SSH public-key authentication anyway.
> To avoid replay attacks, the signed data needs to be an ever increasing
> counter or timestamp a'la HOTP/TOTP.
>
> I think this could be a good builtin functionality of OpenSSH, it
> already has all of the public/private key trust infrastructure
> available, what is missing is just the plumbing to connect it to the
> firewall. Maybe it could go into a separate binary and not in the
> default sshd though. How about a sshfwkd?
>
> /Simon

On 04.07.24 15:21, Simon Josefsson wrote:

> Does anyone know of any implementation that allows me to configure a
> PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then
> only listens to signed port knocks from the corresponding private keys?
>
> I notice fwknop has PGP support, but it requires a private key on the
> server side, and that's really annoying. Instead of using public-key
> encryption, shouldn't it be possible to rely only on public-key signing
> instead?

fwknop insists on having the SPAs encrypted, presumably so that MitM can't read them and use the port(s) you just opened themselves¹, and encryption requires either a shared symmetric secret, or asymmetric keypairs on both sides (and thus a privkey on the server).

If you consider that unnecessary¹, you could consider server-side privkey and passphrase nonsensitive material, which would make it that much less "annoying" to have around ...

¹ Yes, I am aware that the MitM would probably *still* have enough time to do the same (in an automated way) even if he has to wait to see *your* use of the now-open port. Which would probably be the *best* reason to doubt the value of having the SPAs encrypted.

Last but not least: I never did anything with it, but GnuPG *does* have an --export-ssh-key option, so using a single keypair in both SSH and PGP contexts *might* be feasible.

Kind regards,
-- 
Jochen Bern
Systemingenieur

Binect GmbH

Simon Josefsson wrote in
<87jzi1fg24.fsf at kaka.sjd.se>:
|Jochen Bern <Jochen.Bern at binect.de> writes:
|> (And since you mention "port knocking", I'd like to repeat how fond I
|> am of upgrading that original concept to a single-packet
|> crypto-armored implementation like fwknop.)
|
|I am reluctantly considering to use some kind of port knocking mechanism
|on some machines, however I really don't want to carry around shared
|symmetric keys or set up yet another public/private key infrastructure
|for that purpose. I already have a working infrastructure for SSH
|authentication.
|
|Does anyone know of any implementation that allows me to configure a
|PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then
|only listens to signed port knocks from the corresponding private keys?

No, but for many years i do have a super simple port-knock server
to do the I/O plus sh(1)ell based client which can do .. whatever.
The whitelist default whitelists the source IP for 30 seconds.

  836 0% 1 0% /root/port-knock-server PORT-NUMBER
  /root/bin/port-knock-client.sh

But it "integrates" into and relies upon the firewall via

  # port_knock: input only server
  if [ -n "${SERVER}" ] && fwcore_has_i port_knock; then
    : ${FWCORE_PORT_KNOCK:?port_knock in FWCORE_IPROTOS needs FWCORE_PORT_KNOCK}
    if ipaddr_split ap "${FWCORE_PORT_KNOCK}"; then
      # a second knock from the same source within 60 seconds is
      # recorded in alien_super and dropped
      add_rule -p udp --dport ${port} \
        -m recent --name port_knock --set \
        -m recent --name port_knock --rcheck --seconds 60 --reap --hitcount 2 \
        -m recent --name alien_super --set -j DROP
      add_rule -p udp --dport ${port} -j f_m1
    fi
  fi

Which allows only one packet per minute, otherwise the
alien_super rule will block you for 23+ hours. I would not do it
without that, as it would then really be a door to attacks.

One could very well change the script to allow more keys, to
delete a key once used (commented out now), require to create
a new one, etc. Of course, as it is a shell script, no setuid or
setgid works, people need to be trusted.

At earlier times it also started the public ssh instance as such,
that was only running on request. Now that only within VPN, but
the port-knock is still needed due to super-strict firewall rules
and TCP etc which send packets and after a reboot of the server
these will be alien and thus cause blocks to apply...

|I notice fwknop has PGP support, but it requires a private key on the
|server side, and that's really annoying. Instead of using public-key
|encryption, shouldn't it be possible to rely only on public-key signing
|instead? I already carry around a physical device with a public/private
|keypair in it, and I need that for SSH public-key authentication anyway.
|To avoid replay attacks, the signed data needs to be an ever increasing
|counter or timestamp a'la HOTP/TOTP.
|
|I think this could be a good builtin functionality of OpenSSH, it
|already has all of the public/private key trust infrastructure
|available, what is missing is just the plumbing to connect it to the
|firewall. Maybe it could go into a separate binary and not in the
|default sshd though. How about a sshfwkd?

With the possibilities that ssh-keygen -Y sign|verify have added,
one could easily adapt the server and client to send "user-name
MSG", so that the server could look into authorized_keys of
user-name and verify MSG, whatever that is.
(Or only use the current encryption thing for user-name, or
completely different and without user-name, but then a possible
large bunch of directories would need to be searched i guess. To
be continued..)

Ie, for me personally sshfwkd would only make sense if it could be
made to listen on a different interface than the real SSH server.

I'll attach my very, very simple things, but which work for me
without any problems for years. (They require IPv4.)

|/Simon
--steffen
|
|Der Kragenbaer, The moon bear,
|der holt sich munter he cheerfully and one by one
|einen nach dem anderen runter wa.ks himself off
|(By Robert Gernhardt)
-------------- next part --------------
A non-text attachment was scrubbed...
Name: port-knock-client.sh
Type: text/x-shellscript
Size: 2360 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240704/a5b63641/attachment-0002.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: port-knock-server.c
Type: text/x-csrc
Size: 2967 bytes
Desc: not available
URL:
<http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20240704/a5b63641/attachment-0003.bin>
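
The signing-only knock asked for at the top of the thread, built on the ssh-keygen -Y sign|verify calls mentioned in the last message, as an added example that is not code from any poster or from OpenSSH. The namespace name, the "<user> <unix-time>" message layout, the 30-second window and the per-user state files are assumptions; the server holds only public keys, in allowed_signers layout.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed names: NS, MAX_SKEW, the
# "<user> <unix-time>" message layout, the per-user state files.
NS=port-knock   # signature namespace, binds signatures to this one purpose
MAX_SKEW=30     # seconds of clock difference / delay tolerated

# Client: knock_sign USER KEYFILE OUTDIR [TIME] -> OUTDIR/msg, OUTDIR/msg.sig
# KEYFILE may also be a public key whose private half lives in ssh-agent.
knock_sign() {
    printf '%s %s\n' "$1" "${4:-$(date +%s)}" > "$3/msg"
    ssh-keygen -q -Y sign -f "$2" -n "$NS" < "$3/msg" > "$3/msg.sig"
}

# Server: knock_verify MSG SIG SIGNERS STATEDIR [NOW]
# SIGNERS uses the allowed_signers layout: "<user> <keytype> <base64-key>".
# Returns 0 ok, 1 malformed or bad signature, 2 stale, 3 replayed.
knock_verify() {
    read -r user ts < "$1" || return 1
    now=${5:-$(date +%s)}
    case $user in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac  # no patterns, no paths
    case $ts in ''|0*|*[!0-9]*|????????????*) return 1 ;; esac
    ssh-keygen -q -Y verify -f "$3" -I "$user" -n "$NS" -s "$2" \
        < "$1" > /dev/null 2>&1 || return 1
    [ $((now - ts)) -le "$MAX_SKEW" ] && [ $((ts - now)) -le "$MAX_SKEW" ] \
        || return 2
    last=$(cat "$4/$user.last" 2>/dev/null || echo 0)
    [ "$ts" -gt "$last" ] || return 3       # must be strictly increasing
    echo "$ts" > "$4/$user.last"
}

# Demo with a throwaway key and constructed timestamps; prints "0 3 2 1".
knock_demo() {
    d=$(mktemp -d) || return 1
    ssh-keygen -q -t ed25519 -N '' -f "$d/key" || return 1
    echo "alice $(cut -d' ' -f1,2 "$d/key.pub")" > "$d/signers"
    knock_sign alice "$d/key" "$d" 1000
    v() { knock_verify "$d/msg" "$d/msg.sig" "$d/signers" "$d" "$1"; }
    fresh=0;  v 1010 || fresh=$?     # first use inside the window
    replay=0; v 1011 || replay=$?    # same packet sent again
    stale=0;  v 2000 || stale=$?     # same packet, long after
    echo "alice 1012" > "$d/msg"     # timestamp altered, old signature kept
    forged=0; v 1012 || forged=$?
    rm -rf "$d"
    echo "$fresh $replay $stale $forged"
}
```

On a return of 0 a real listener would then whitelist the packet's source address in the firewall for a short time; that step is outside this example.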