The section on the fwknop.conf file gave lots of information about macro-level configuration options for fwknop, but it left out a discussion of important topics such as decryption passwords and authorization rights assigned to users. I'll rectify this by presenting the fwknop access.conf file, which defines all usernames, authorization rights, decryption keys, iptables rule time-outs, and command channels that the fwknop server uses.


Authorization of multiple users from arbitrary IP addresses is supported by fwknop; each user may use different encryption keys (and associated encryption algorithms). SOURCE is the main partitioning variable that allows fwknop to determine the access level of a valid SPA packet, and each group of configuration variables within the access.conf file defines a complete SOURCE access definition. The access.conf file supports multiple SOURCE access definitions. The default value for the SOURCE variable instructs fwknop to validate an SPA packet from any source IP address as shown below, but individual IP addresses and CIDR networks are also supported.



The OPEN_PORTS variable instructs fwknop to grant access to the specified ports by reconfiguring the local iptables policy. Unless the PERMIT_CLIENT_PORTS variable (see below) is set to Y, the client cannot gain access to any services other than those listed by OPEN_PORTS. The following definition allows a valid SPA packet to reconfigure iptables to allow access to TCP port 22 (SSHD).

OPEN_PORTS: tcp/22;


When set to Y, the PERMIT_CLIENT_PORTS variable allows the fwknop client to dictate to the fwknop server the set of traffic (i.e., ports and protocols) that will be allowed through the iptables policy, instead of the fwknop server only reconfiguring iptables to allow the traffic defined by the OPEN_PORTS variable. An SPA packet may contain several ports that the client wishes to access (see "fwknop SPA Packet Format" on page 241 for more information).



When enabled, the ENABLE_CMD_EXEC variable allows authorized SPA clients to have the fwknop server execute a command on their behalf. This feature is controversial because fwknop (as of the 1.0 release) executes these commands as root, although the ability to run commands as less privileged users is in development. The ENABLE_CMD_EXEC feature must be explicitly and deliberately enabled if you want to use it.



The CMD_REGEX variable allows you to provide a regular expression that must match a command supplied by an fwknop client before the fwknop server will execute it. It only makes sense to use this variable in the context of setting ENABLE_CMD_EXEC to Y. For example, to limit the commands the fwknop server will execute on behalf of an fwknop client to variations on the mail command, you could use the following:

CMD_REGEX: ^mail\s+\-s\s+\"\w+\"\s+\w+\@\w+\.com;


The DATA_COLLECT_MODE variable accepts the same packet collection modes as the AUTH_MODE variable in the fwknop.conf file. This allows each SOURCE access definition in the access.conf file to be independently enabled or disabled, depending on the value of the AUTH_MODE variable. Only those SOURCE access definitions with a DATA_COLLECT_MODE value that matches the AUTH_MODE variable are enabled. However, the DATA_COLLECT_MODE variable is optional, and if it is left out of the access.conf file, the fwknop daemon assumes that it is set to PCAP, the most common setting.



The REQUIRE_USERNAME variable refers to the username of the user on a remote system who executes the fwknop client to generate an SPA packet. This username is included within all SPA packets (see "fwknop SPA Packet Format" on page 241 for more information). The remote username allows fwknop to apply authorization rules to incoming SPA packets. The REQUIRE_USERNAME variable supports multiple usernames, which can be useful if there is a site or system-wide encryption key for multiple users on the client side.



The FW_ACCESS_TIMEOUT variable tells the fwknop server the number of seconds for which any iptables ACCEPT rules should be instantiated within the FWKNOP_INPUT chain, allowing access to the services requested by a valid SPA packet.


The KEY variable defines the encryption key used for decrypting SPA packets that have been encrypted with the Rijndael block cipher. It requires an argument that is at least eight characters long.

KEY: yourencryptkey;


The GPG_DECRYPT_ID variable specifies a unique identifier for the fwknop server's GnuPG public key, which is used by an fwknop client to encrypt the SPA packet. This unique identifier can be obtained from the output of the gpg --list-keys command and is normally a string of eight hex characters.



The GPG_DECRYPT_PW variable holds the decryption password for the fwknop server's GnuPG public key, which is used by an fwknop client for encryption. Because this password is contained within a plaintext file, you should generate a new GnuPG key to be used only as the fwknop server key, rather than using a valuable GnuPG key that you might also use for other things, like confidential email communications.

GPG_DECRYPT_PW: gpgdecryptionpw;


The GPG_REMOTE_ID variable contains a unique identifier for the GnuPG key that an fwknop client uses to digitally sign an SPA packet. This key needs to be imported into the fwknop server key ring (see "SPA via Asymmetric Encryption" on page 246).
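To tie the SOURCE, OPEN_PORTS, PERMIT_CLIENT_PORTS, ENABLE_CMD_EXEC, CMD_REGEX, REQUIRE_USERNAME and KEY variables together, here is an added example (not fwknop's own code) that parses a constructed access.conf into SOURCE access definitions and applies the authorization rules described above to an already-decrypted SPA packet. The sample file, the function names and the assumption that each definition's KEY must be at least eight characters are this example's own.

```python
import ipaddress
import re

# Constructed sample in access.conf's "VAR: value;" syntax (not the project's own file).
SAMPLE_ACCESS_CONF = r"""
SOURCE: ANY;
OPEN_PORTS: tcp/22;
REQUIRE_USERNAME: mbr;
KEY: yourencryptkey;
SOURCE: 192.168.10.0/24, 10.1.1.5;
OPEN_PORTS: tcp/22, udp/53;
PERMIT_CLIENT_PORTS: Y;
ENABLE_CMD_EXEC: Y;
CMD_REGEX: ^mail\s+\-s\s+\"\w+\"\s+\w+\@\w+\.com;
KEY: anotherkey123;
"""

def parse_access_conf(text):
    """Group 'VAR: value;' lines into SOURCE access definitions (one dict each)."""
    stanzas = []
    for line in filter(None, map(str.strip, text.splitlines())):
        var, val = (x.strip() for x in line.rstrip(";").split(":", 1))
        if var == "SOURCE":
            stanzas.append({})
        elif not stanzas:
            raise ValueError("%s appears before the first SOURCE line" % var)
        if var == "KEY" and len(val) < 8:      # Rijndael KEY needs >= 8 characters
            raise ValueError("KEY too short in SOURCE " + stanzas[-1]["SOURCE"])
        stanzas[-1][var] = val
    return stanzas

def source_matches(spec, ip):
    """SOURCE is ANY, or a comma-separated list of IPs and CIDR networks."""
    addr = ipaddress.ip_address(ip)
    return spec == "ANY" or any(addr in ipaddress.ip_network(n.strip(), strict=False)
                                for n in spec.split(","))

def authorize(stanzas, src_ip, username, client_ports, command=None):
    """Ports (set) to open for a decrypted, replay-checked SPA packet, or None to deny."""
    for s in stanzas:
        users = [u.strip() for u in s.get("REQUIRE_USERNAME", username).split(",")]
        if not source_matches(s["SOURCE"], src_ip) or username not in users:
            continue                           # try the next SOURCE definition
        if command is not None and (s.get("ENABLE_CMD_EXEC") != "Y" or not
                                    re.search(s.get("CMD_REGEX", "(?!)"), command)):
            return None                        # command channel is opt-in and must pass CMD_REGEX
        if s.get("PERMIT_CLIENT_PORTS") == "Y":
            return set(client_ports)           # client dictates ports and protocols
        return {p.strip() for p in s["OPEN_PORTS"].split(",")}
    return None
```

With the first definition, a valid packet from any address for user mbr opens only tcp/22 regardless of what the client asked for; with the second, LAN clients choose their own ports and may run commands matching CMD_REGEX, and a command without an ENABLE_CMD_EXEC/CMD_REGEX pair is refused.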

