Jochen Bern <Jochen.Bern@xxxxxxxxx> writes: > (And since you mention "port knocking", I'd like to repeat how fond I > am of upgrading that original concept to a single-packet > crypto-armored implementation like fwknop.) I am reluctantly considering to use some kind of port knocking mechanism on some machines, however I really don't want to carry around shared symmetric keys or setup yet another public/private key infrastructure for that purpose. I already have a working infrastructure for SSH authentication. Does anyone know of any implementation that allows me to configure a PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then only listens to signed port knocks from the corresponding private keys? I notice fwknop has PGP support, but it requires a private key on the server side, and that's really annoying. Instead of using public-key encryption, shouldn't be possible to rely only on public-key signing instead? I already carry around a physical device with a public/private keypair in it, and I need that for SSH public-key authentication anyway. To avoid replay attacks, the signed data needs to be an ever increasing counter or timestamp a'la HOTP/TOTP. I think this could be a good builtin functionality of OpenSSH, it already has all of the public/private key trust infrastructure available, what is missing is just the plumbing to connect it the firewall. Maybe it could go into a separate binary and not in the default sshd though. How about a sshfwkd? /Simon
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev