Just set up a VPN. I hate wireguard, but it’s extremely simple and works and you can get it running in minutes. Adding complexity to OpenSSH solves nothing.

Jan

> On 4. 7. 2024, at 15:21, Simon Josefsson <simon@xxxxxxxxxxxxx> wrote:
>
> Jochen Bern <Jochen.Bern@xxxxxxxxx> writes:
>
>> (And since you mention "port knocking", I'd like to repeat how fond I
>> am of upgrading that original concept to a single-packet
>> crypto-armored implementation like fwknop.)
>
> I am reluctantly considering using some kind of port knocking mechanism
> on some machines, however I really don't want to carry around shared
> symmetric keys or set up yet another public/private key infrastructure
> for that purpose. I already have a working infrastructure for SSH
> authentication.
>
> Does anyone know of any implementation that allows me to configure a
> PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then
> only listens to signed port knocks from the corresponding private keys?
>
> I notice fwknop has PGP support, but it requires a private key on the
> server side, and that's really annoying. Instead of using public-key
> encryption, shouldn't it be possible to rely only on public-key signing
> instead? I already carry around a physical device with a public/private
> keypair in it, and I need that for SSH public-key authentication anyway.
> To avoid replay attacks, the signed data needs to be an ever increasing
> counter or timestamp à la HOTP/TOTP.
>
> I think this could be a good built-in functionality of OpenSSH; it
> already has all of the public/private key trust infrastructure
> available, what is missing is just the plumbing to connect it to the
> firewall. Maybe it could go into a separate binary and not in the
> default sshd though. How about a sshfwkd?
>
> /Simon
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
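Simon's proposal in the quoted mail (a server that holds only public keys and accepts signed knocks carrying an ever-increasing counter) sketched as an added Go example; this is not code from the thread, from OpenSSH or from fwknop. It assumes Ed25519 as a stand-in for whatever SSH/FIDO/TPM key the client already holds, a constructed knock format of domain tag plus 64-bit counter, and leaves out the packet transport and the firewall plumbing.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
)

const knockDomain = "sshfwkd-knock-v0" // constructed domain tag, not an existing protocol

// Knock: sender's public key, strictly increasing counter, signature over both.
type Knock struct {
	Pub     ed25519.PublicKey
	Counter uint64
	Sig     []byte
}

// Verifier: authorized key -> highest accepted counter. Persist it in a real daemon.
type Verifier struct{ Last map[string]uint64 }

// message is the signed byte string: domain tag || big-endian counter.
func message(counter uint64) []byte {
	var c [8]byte
	binary.BigEndian.PutUint64(c[:], counter)
	return append([]byte(knockDomain), c[:]...)
}

// Sign builds a knock on the client side, where the private key lives.
func Sign(priv ed25519.PrivateKey, counter uint64) Knock {
	pub := priv.Public().(ed25519.PublicKey)
	return Knock{Pub: pub, Counter: counter, Sig: ed25519.Sign(priv, message(counter))}
}

// Verify accepts a knock only if the key is authorized, the signature is valid
// and the counter is newer than the last accepted; open the firewall only on nil.
func (v *Verifier) Verify(k Knock) error {
	last, ok := v.Last[string(k.Pub)]
	if !ok {
		return errors.New("unknown key")
	}
	if !ed25519.Verify(k.Pub, message(k.Counter), k.Sig) {
		return errors.New("bad signature")
	}
	if k.Counter <= last {
		return errors.New("replayed or stale counter")
	}
	v.Last[string(k.Pub)] = k.Counter
	return nil
}
```

A timestamp works in place of the counter only if the server still remembers the last accepted value per key; an acceptance window on its own leaves a captured knock replayable inside that window.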