Example /etc/fwknop/access.conf File

Next, you'll put all of this information together and create a complete access.conf file that you can use to protect your SSH server. (You'll find operational examples in "Deploying fwknop" on page 243.)

With your favorite editor, open the /etc/fwknop/access.conf file and add the configuration directives listed below.

# cat /etc/fwknop/access.conf
SOURCE: ANY;
OPEN_PORTS: tcp/22;
FW_ACCESS_TIMEOUT: 30;
REQUIRE_USERNAME: mbr;
KEY: mypassword;
GPG_DECRYPT_PW: gpgdecryptpassword;
GPG_HOME_DIR: /root/.gnupg;
GPG_REMOTE_ID: 5678DEFG;
GPG_DECRYPT_ID: ABCD1234;

[4] fwknop can acquire secret key information from gpg-agent.

SOURCE: ANY means that the fwknop daemon will accept a valid SPA packet from any source IP address. This is handy if you are on the road and cannot predict which network your laptop or other system will be connected to.

OPEN_PORTS: tcp/22 means that the fwknop daemon will grant temporary access through the local iptables firewall with an ACCEPT rule to the SSH port. The ACCEPT rule is removed after 30 seconds, as specified by the FW_ACCESS_TIMEOUT variable.

REQUIRE_USERNAME: mbr forces the remote username that runs the fwknop client to be mbr. In this case, the fwknop daemon is configured to accept an SPA packet that has been symmetrically encrypted with Rijndael (KEY: mypassword) or asymmetrically encrypted (GPG_DECRYPT_PW: gpgdecryptpassword) with a GnuPG key (usually with the Elgamal cipher). For SPA packets that are encrypted with GnuPG, the fwknop daemon requires that the ID of the remote signing key is 5678DEFG, and the ID of the local decryption key is ABCD1234—see the GPG_REMOTE_ID and GPG_DECRYPT_ID variables, respectively.
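As an added example (not code from the book or from the fwknop project), here is a small Python parser and pre-deployment linter for the access.conf directive format shown above, fed the same placeholder values. The check rules it applies (SOURCE as ANY or a comma-separated IP/CIDR list, proto/port entries in OPEN_PORTS, a positive FW_ACCESS_TIMEOUT, a pinned GPG_REMOTE_ID whenever GPG_DECRYPT_ID is set, and a 16-character minimum for KEY) are this example's own assumptions, not fwknopd's actual validation.

```python
import re
from typing import Dict, List
# Constructed sample stanza built from the placeholder values in the text above.
SAMPLE_ACCESS_CONF = """
SOURCE: ANY;
OPEN_PORTS: tcp/22;
FW_ACCESS_TIMEOUT: 30;
REQUIRE_USERNAME: mbr;
KEY: mypassword;
GPG_DECRYPT_PW: gpgdecryptpassword;
GPG_HOME_DIR: /root/.gnupg;
GPG_REMOTE_ID: 5678DEFG;
GPG_DECRYPT_ID: ABCD1234;
"""

LINE_RE = re.compile(r"^([A-Z_]+):\s*(.*?);?$")             # DIRECTIVE: value;
PORT_RE = re.compile(r"^(tcp|udp)/(\d{1,5})$")               # proto/port
CIDR_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}(/\d{1,2})?$")  # a.b.c.d[/n]

def parse_access_conf(text: str) -> Dict[str, str]:
    """Parse 'DIRECTIVE: value;' lines into a dict; blank and # lines are skipped."""
    conf: Dict[str, str] = {}
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("#"):
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"malformed access.conf line: {line!r}")
        conf[m.group(1)] = m.group(2).strip()
    return conf

def lint_access_conf(conf: Dict[str, str]) -> List[str]:
    """Return the findings a reviewer would raise before deploying this stanza."""
    findings: List[str] = []
    src = conf.get("SOURCE", "")
    if src != "ANY" and not all(CIDR_RE.match(s.strip()) for s in src.split(",")):
        findings.append(f"SOURCE must be ANY or a comma-separated IP/CIDR list: {src!r}")
    for port in (p.strip() for p in conf.get("OPEN_PORTS", "").split(",")):
        if not PORT_RE.match(port) or not 0 < int(port.split("/")[1]) < 65536:
            findings.append(f"OPEN_PORTS entry is not a valid proto/port: {port!r}")
    timeout = conf.get("FW_ACCESS_TIMEOUT")
    if timeout is not None and (not timeout.isdigit() or int(timeout) < 1):
        findings.append("FW_ACCESS_TIMEOUT must be a positive number of seconds")
    if "KEY" not in conf and "GPG_DECRYPT_ID" not in conf:
        findings.append("neither KEY (Rijndael) nor GPG_DECRYPT_ID (GnuPG) is set")
    if "GPG_DECRYPT_ID" in conf and "GPG_REMOTE_ID" not in conf:
        findings.append("GPG_DECRYPT_ID without GPG_REMOTE_ID: remote signing key is not pinned")
    if len(conf.get("KEY", "x" * 16)) < 16:  # assumed minimum for this linter only
        findings.append("KEY is shorter than 16 characters; use a long random passphrase")
    return findings
```

Run against the sample stanza, the only finding is the short placeholder KEY; a stanza with an out-of-range port, a zero timeout, or a GPG_DECRYPT_ID with no GPG_REMOTE_ID produces one finding per problem.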
