Re: Request for a Lockdown option

On 04/07/2024 14:21, Simon Josefsson wrote:
> I notice fwknop has PGP support, but it requires a private key on the
> server side, and that's really annoying.  Instead of using public-key
> encryption, shouldn't it be possible to rely only on public-key signing
> instead?

Without the encryption, random people on the Internet could read the SPA payload <https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#spa-packet-format> and/or signature.

It's explained here: https://www.cipherdyne.org/fwknop/docs/fwknop-tutorial.html#fwknop-gpg

- you use your existing PGP key for authenticating (signing) your requests

- the client also encrypts messages to fwknop using fwknop's public key

- fwknop has its own private key for decrypting those messages

Therefore you just need a copy of fwknop's public key on each client device, and it doesn't need to be held securely. Just think of it as a bit of config. It doesn't seem that annoying to me.
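A matching fwknopd access.conf stanza for the GPG mode described above, added here as an example and not taken from the thread or the fwknop project; key IDs, paths, host names and the passphrase are placeholders:

```conf
# fwknopd access.conf stanza for GPG mode (added example, not from the thread).
# All *_PLACEHOLDER values are assumptions to be replaced with your own.
SOURCE                  ANY
OPEN_PORTS              tcp/22
REQUIRE_SOURCE_ADDRESS  Y
# The server's own keyring and the key it uses to decrypt SPA packets
GPG_HOME_DIR            /root/.gnupg
GPG_DECRYPT_ID          FWKNOP_SERVER_KEY_ID_PLACEHOLDER
GPG_DECRYPT_PW          SERVER_KEY_PASSPHRASE_PLACEHOLDER
# Decryption alone is not authentication: require a valid signature and
# accept only the listed client key ID(s)
GPG_REQUIRE_SIG         Y
GPG_REMOTE_ID           CLIENT_KEY_ID_PLACEHOLDER
#
# Matching client invocation (signs with the client key, encrypts to the
# server's public key):
#   fwknop -A tcp/22 -a CLIENT_IP_PLACEHOLDER -D SERVER_HOST_PLACEHOLDER \
#          --gpg-recipient-key FWKNOP_SERVER_KEY_ID_PLACEHOLDER \
#          --gpg-signer-key CLIENT_KEY_ID_PLACEHOLDER
```

Because access.conf holds the server key's passphrase, keep it readable by root only; the client side only needs the server's public key imported, as the message above says.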
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev