Re: Request for a Lockdown option

Jochen Bern <Jochen.Bern@xxxxxxxxx> writes:

> (And since you mention "port knocking", I'd like to repeat how fond I
> am of upgrading that original concept to a single-packet
> crypto-armored implementation like fwknop.)

I am reluctantly considering using some kind of port knocking mechanism
on some machines; however, I really don't want to carry around shared
symmetric keys or set up yet another public/private key infrastructure
for that purpose.  I already have a working infrastructure for SSH
authentication.

Does anyone know of any implementation that allows me to configure a
PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then
only listens to signed port knocks from the corresponding private keys?

I notice fwknop has PGP support, but it requires a private key on the
server side, and that's really annoying.  Instead of using public-key
encryption, shouldn't it be possible to rely only on public-key signing
instead?  I already carry around a physical device with a public/private
keypair in it, and I need that for SSH public-key authentication anyway.
To avoid replay attacks, the signed data needs to be an ever-increasing
counter or timestamp à la HOTP/TOTP.

I think this could be good built-in functionality for OpenSSH; it
already has all of the public/private key trust infrastructure
available, and what is missing is just the plumbing to connect it to the
firewall.  Maybe it could go into a separate binary and not into the
default sshd, though.  How about an sshfwkd?

/Simon

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev