Fwknop OpenSSH Integration Patch

The fwknop project hopes to make the use of SPA as easy and user friendly as possible. One thing that can help reduce the burden on the user is to integrate seamlessly with a variety of client applications. Because the most common application of SPA is to protect SSH communications, fwknop provides a patch against the OpenSSH source code, which integrates the ability to execute the fwknop client directly from the OpenSSH client command line. For this to work, you must first apply the patch to the OpenSSH source code and recompile it. The following illustrates how to accomplish this for the OpenSSH-4.3p2 release, assuming the source code is located in /usr/local/src.

$ cd /usr/local/src/openssh-4.3p2
$ wget http://www.cipherdyne.org/LinuxFirewalls/ch13/openssh-4.3p2_SPA.patch
$ patch -p1 < openssh-4.3p2_SPA.patch
patching file config.h.in
patching file configure
patching file configure.ac
patching file ssh.c
$ ./configure --prefix --with-spa-mode && make
# cd /usr/local/src/openssh-4.3p2
# make install

The most important thing to note about the commands above is that the --with-spa-mode argument to the configure script ensures that the SPA patch code is compiled into OpenSSH. Two checks are worth making before running make install. First, --prefix takes a value (the installation directory); an autoconf-generated configure script given a bare --prefix takes the next argument on the command line as that value, so supply the directory explicitly (for example --prefix=/usr/local, which is only an illustration here) rather than leaving it empty, or the --with-spa-mode option is silently consumed. Second, confirm that the patch applied cleanly to all four files listed in the patch output; the patch is written against OpenSSH-4.3p2 and is not guaranteed to apply to other releases.

Now, with the modified SSH client installed, the fwknop client can be invoked directly from the SSH command line, eliminating the need to run fwknop manually before using SSH to make a connection. The patch adds a new command-line argument, -K "<fwknop args>", to ssh; the quoted string is handed to the fwknop client as its command line. It can be used as follows to gain access to the spaserver system without separately running the fwknop client. (Note that stock OpenSSH 5.4 and later already use -K to enable GSSAPI credential delegation, so the option letter chosen by this patch for OpenSSH-4.3p2 conflicts with the unpatched ssh client of newer releases.)

[mbr@spaclient ~]$ ssh -K "--gpg-recip ABCD1234 --gpg-sign DEFG5678 -A tcp/22 -R -k spaserver" mbr@spaserver
GnuPG signing password:
Password:
Last login: Wed Oct 17 15:48:19 2007 from spaclient
[mbr@spaserver ~]$

Familiar log messages on the fwknop server side indicate receipt of the SPA packet and confirm that the packet checks out (i.e., it was signed with a required GnuPG key ID and was not replayed on the network), followed by the ACCEPT rule that fwknopd adds for the client's source address and the requested port, with its timeout.

Oct 17 15:53:39 spaserver fwknopd: received valid GnuPG encrypted packet (signed with required key ID: A742839F) from: 204.23.X.X, remote user: mbr
Oct 17 15:53:39 spaserver fwknopd: adding FWKNOP_INPUT ACCEPT rule for 204.23.X.X -> tcp/22 (30 seconds)
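The patched ssh is the page's own method. As an added example, not code from the page or from the fwknop project, the same knock-then-connect sequence can be obtained from an unpatched OpenSSH client through ssh's ProxyCommand option, which runs a command of your choosing and carries the SSH session over that command's stdin and stdout. The function names spa_proxy_command and spa_ssh are this example's own; it assumes fwknop, ssh and nc are installed on the client, and relies on ssh expanding %h and %p to the destination host and port in a ProxyCommand.

```sh
#!/bin/sh
# Added example, not code from the page or the fwknop project.
# Runs the fwknop client from a stock (unpatched) OpenSSH client via
# ProxyCommand instead of the -K patch. Assumes fwknop, ssh and nc are on PATH.

# Build the ProxyCommand string from the caller's fwknop options (key
# selection etc.). ssh expands %h and %p at connect time, so the knock is
# aimed at the same host (-k %h) and port (-A tcp/%p) that ssh is about to
# reach, and nc runs only if fwknop exited successfully, i.e. after the SPA
# packet has been sent and fwknopd has had the chance to add its ACCEPT rule.
spa_proxy_command() {
    fwknop_opts=$1
    printf 'fwknop %s -A tcp/%%p -R -k %%h && nc %%h %%p' "$fwknop_opts"
}

# Stock-ssh equivalent of the page's  ssh -K "<fwknop args>" user@host :
#   spa_ssh "--gpg-recip ABCD1234 --gpg-sign DEFG5678" mbr@spaserver
# Only the key-related fwknop options are passed in; -A, -R and -k are
# derived from the ssh destination. Remaining arguments go to ssh unchanged.
spa_ssh() {
    fwknop_opts=$1
    shift
    exec ssh -o "ProxyCommand=$(spa_proxy_command "$fwknop_opts")" "$@"
}
```

Because the knock is tied to the destination ssh is actually connecting to, the host and port can no longer drift apart between the -k/-A arguments and the ssh target, which is easy to get wrong when the full fwknop command line is typed into -K by hand. The ACCEPT rule in the log above lives only 30 seconds, so nc must connect promptly after fwknop returns; the && in the ProxyCommand guarantees that ordering.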

The new SSH -K option passes its arguments down to the fwknop command line, so all functionality provided by fwknop is exposed to the SSH command line. This includes the -L host argument, which, as mentioned earlier in this chapter, allows a previously used fwknop command line to be leveraged against the same host. Therefore, the following command would work.
