Re: Request for a Lockdown option

On 04.07.24 15:21, Simon Josefsson wrote:
> Does anyone know of any implementation that allows me to configure a
> PGP/SSH/FIDO/TPM/whatever public key on the server side, and it then
> only listens to signed port knocks from the corresponding private keys?
>
> I notice fwknop has PGP support, but it requires a private key on the
> server side, and that's really annoying.  Instead of using public-key
> encryption, shouldn't it be possible to rely only on public-key signing
> instead?

fwknop insists on having the SPAs encrypted, presumably so that MitM can't read them and use the port(s) you just opened themselves¹, and encryption requires either a shared symmetric secret, or asymmetric keypairs on both sides (and thus a privkey on the server).

If you consider that unnecessary¹, you could consider server-side privkey and passphrase nonsensitive material, which would make it that much less "annoying" to have around ...

¹ Yes, I am aware that the MitM would probably *still* have enough time to do the same (in an automated way) even if he has to wait to see *your* use of the now-open port. Which would probably be the *best* reason to doubt the value of having the SPAs encrypted.

Last but not least: I never did anything with it, but GnuPG *does* have an --export-ssh-key option, so using a single keypair in both SSH and PGP contexts *might* be feasible.

Kind regards,
--
Jochen Bern
Systemingenieur

Binect GmbH
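As an added example, not code from this thread or from fwknop: a Go sketch of the signing-only scheme Simon asks about, where the server holds nothing but the client's public key. It binds each knock to a timestamp, a nonce and the source address and rejects replays, which addresses the reuse problem Jochen raises while leaving the SPA itself readable to anyone on the path. The field layout, the replay window and all names are assumptions of this example.

```go
package main
import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"net"
	"time"
)
// Knock is a signed but unencrypted SPA: a passive observer can read it, so the bound fields, not secrecy, prevent reuse.
type Knock struct {
	Timestamp int64    // Unix seconds; bounds the replay window
	Nonce     [16]byte // unique per knock within the window
	Port      uint16   // port the client asks to have opened
	SrcIP     net.IP   // address the knock must arrive from
	Sig       []byte   // Ed25519 signature over the fields above
}
// signedBytes is the fixed-layout message the client signs and the server verifies (Sig excluded).
func (k *Knock) signedBytes() []byte {
	var b [42]byte
	binary.BigEndian.PutUint64(b[0:8], uint64(k.Timestamp))
	copy(b[8:24], k.Nonce[:])
	binary.BigEndian.PutUint16(b[24:26], k.Port)
	copy(b[26:42], k.SrcIP.To16())
	return b[:]
}
// Verifier holds only the client's public key: the server needs no private key of its own.
type Verifier struct {
	Pub    ed25519.PublicKey
	Window time.Duration
	seen   [][16]byte // nonces accepted so far (prune entries older than Window in a long-running server)
}
// Verify accepts a knock once, from its bound source address, inside the time window.
func (v *Verifier) Verify(k *Knock, from net.IP, now time.Time) error {
	if !ed25519.Verify(v.Pub, k.signedBytes(), k.Sig) {
		return errors.New("bad signature")
	}
	if age := now.Unix() - k.Timestamp; age < 0 || time.Duration(age)*time.Second > v.Window {
		return errors.New("stale or future timestamp")
	}
	if !from.Equal(k.SrcIP) {
		return errors.New("source address differs from the signed one")
	}
	for _, n := range v.seen { // linear scan is fine for a short window
		if n == k.Nonce {
			return errors.New("replayed nonce")
		}
	}
	v.seen = append(v.seen, k.Nonce)
	return nil
}
```

The client side is just ed25519.Sign over the same signedBytes layout; a knock observed on the wire still tells the observer which port is about to open, which is the point Jochen makes about what encryption would and would not buy.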


_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
