(Sorry, this message got held up as spam by sourceforge - I've accepted it to the mailing list.)
Responses inline below:

On Feb 05, 2010, PATRI IMPORT wrote:
> Hi,
>
> I've installed fwknop to test it.
> It works perfectly when I use symmetric encryption.
>
> But when I use GnuPG keys, it doesn't work and I don't have any error in my
> logs.
> Here is my access.conf file:
>
> SOURCE: ANY;
> OPEN_PORTS: tcp/22; ### for ssh (change for access to other services)
> KEY: 12345678;
> FW_ACCESS_TIMEOUT: 30;
> GPG_HOME_DIR: /root/.gnupg;
> GPG_DECRYPT_ID: server_key_id;
> GPG_DECRYPT_PW: 12345678;
> GPG_REMOTE_ID: client_key_id;
> GPG_NO_OPTIONS: Y;
> GPG_NO_REQUIRE_PREFIX: Y;
>
> I put the 2 last variables just to test it but it doesn't work.
>
> I've read the discussion of Francois Marier because my symptoms were the same.
> I tried to fix it with Mike's advice but the problem persists.
>
> I tried to use 1024 and 2048 bit keys.
>
> Here's the end of fwknopd debug output:
>
> Fri Feb 5 18:47:24 2010 [+] gpg key ID: client_key_id
> Fri Feb 5 18:47:24 2010 GnuPG error messages:
> Fri Feb 5 18:47:24 2010 gpg: encrypted with 2048-bit ELG-E key,
> ID D3099EF0, created 2010-02-05
> Fri Feb 5 18:47:24 2010 "admin (server_key_id) <[email protected]>"
> Fri Feb 5 18:47:24 2010 gpg: Signature made Fri Feb 5 18:47:14
> 2010 CET using DSA key ID E3F6B14C
> Fri Feb 5 18:47:24 2010 gpg: Good signature from "admin
> (client_key_id) <[email protected]>"
> Fri Feb 5 18:47:24 2010 gpg: WARNING: This key is not certified
> with a trusted signature!
> Fri Feb 5 18:47:24 2010 gpg: There is no indication that
> the signature belongs to the owner.
> Fri Feb 5 18:47:24 2010 Primary key fingerprint: ED7A E513 8AF6
> 7C73 97F7 7357 0CDD 8E54 E3F6 B14C
> Fri Feb 5 18:47:24 2010 [-] GnuPG message not signed by any required key ID.

I believe that the critical line is the one above. It indicates that the
incoming SPA message has not been signed by a trusted GnuPG key.

You can solve this by signing the client's key in the server's GnuPG key
ring like so:

    [spaserver]# gpg --import client.asc
    [spaserver]# gpg --edit-key 1234ABCD
    Command> sign

This is documented here:

http://www.cipherdyne.org/fwknop/docs/gpghowto.html

Thanks,

--Mike

> Fri Feb 5 18:47:24 2010 [+] Adding encoded 'Salted__' prefix
> (U2FsdGVkX1) to incoming encoded SPA packet.
> Fri Feb 5 18:47:24 2010 [+] base64_equals_padding() msg len: 1063
> Fri Feb 5 18:47:24 2010 [+] Padding base64-encoded message with '='.
> Fri Feb 5 18:47:24 2010 [+] decode_base64() against the following
> data: U2FsdGVkX1IOAybrcADTCZ7wEAf/UpLt/l9QPMIbRZfuU5sfRK4MDRxal
> m8a+aRhHtQh7k4VfMeCMWezvrV2qFoLceGMzCNmvdVpnIxcTkZdFH0w7wCj9t9HSKs9jeiG+jxXLhpWgeB3NR1269XDk8oS7nA3+pu3bFQSRaun
> pd7tnQcinUaMiSiXOlkX/LFrEKE4S/VJvQVAp+oAuIE5AKUllJvzCqcU9+8KYxvE76ree07VHcsq/5sUvpxhif9JOVplU9TAZQZTLTCQx2g6GL6M53U
> W6TaQZTMwk+KI2QWTZgPXFIkaGJAVTP+BpskM7h9q/1WOxf04bld4xeMvNG0O9ZFMeUHeoSkOTP+xTCQ4W9GQggf9EKdxVWvH5KnZd6rA
> hEGbhJGDBsatz54mRbXrSD3fUBIgTQ1UexjW2E2iBUH+biVpfOO40vzn4vgCTEcQ8sBwe7J1QN/x1CG4m0xdChSYDzSfTOC6XSY4w03VZW3/yHKW
> jmvDSs1sgEaV6y+qFNjchcWJMrnsYh/FaJhPU1+ssP4buAQSs87i9viN0wYM6+PmxLFfClsTupfVTVD1oGP42VRLJK35n0nVhTZJOzMUSh5vBcqxoz
> HObRRyElHKaMtwDMvymAr9T74k43Vm6qpvjWKyMhbuKnHAS26MZw4BFtywWFyjD3HvaDi+Mr9gCeIYDudnY1xdOkzWD2Wem1J1pNLAQw
> Gr743w6sQHZTM5QFF4YkoZmiZsXGQBSz5NgNKYH63fRrFm977j1WMHQR5GXx9Bjo06g5jnl6Fi3xP6mrxCL8Wkh0zNufomK7GVKcLYrR6Di8V9Cyr
> sBQffJml6aqBFiCL/SxyDgqJuaRq2tP5OB9hN0jY2wS2VrOOF9m5yUG5D3uSRRkdEm8/7tsyTZxzbr53CCpk0UjR1WQcA4FPoDbcBjgVsnRTSn3Gdxw
> kJy0BnHAhhIBYBpuOdMCZmmk/iclmWNuaDDE/bb+Etc3IBN61k76pRbuDsVcgEkc+Sg9pH2ZMAIA5JCk14klFrFsWl7h231xW8hDsGRg3ylIrZkLf
> K5x0=
> Fri Feb 5 18:47:24 2010 [-] base64-decoded data does not begin with
> 'Salted__'
> Fri Feb 5 18:47:24 2010 [-] Failed decrypt for SOURCE block ANY
>
> I forgot, I'm running 1.9.12 on my server (debian) and my client (ubuntu).
>
> Thanks.
>
> Alex
>
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
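As an added example (not part of this thread and not fwknop's own code), the script below shows how an administrator can verify the state Mike's fix produces before restarting fwknopd: it parses the machine-readable output of `gpg --with-colons --list-sigs` and reports which third-party keys have certified the client key in the server's key ring. A self-signature alone (the state that produces the "not certified with a trusted signature" warning above) is reported as no certification. The colon-format listings embedded here are constructed; only the client key ID E3F6B14C and its fingerprint come from the thread, and the server key ID FEDCBA9876543210 and all user IDs are made-up placeholders. The field layout follows GnuPG's doc/DETAILS.

```python
"""Check whether a key in a GnuPG key ring carries a certification from a
given signer, using `gpg --with-colons --list-sigs` output.

Added example, not fwknop's code.  Sample listings are constructed; the
client key ID / fingerprint are from the thread, the server key ID and
user IDs are placeholders.
"""
import sys

# 0-based field indexes of the colon format (GnuPG doc/DETAILS):
# 0 record type, 1 validity, 4 key ID, 9 user ID, 10 signature class.
TYPE, VALIDITY, KEYID, USERID, SIGCLASS = 0, 1, 4, 9, 10

# Certification signature classes 0x10..0x13 (field 11 reads e.g. "13x").
CERT_CLASSES = ("10", "11", "12", "13")

# Constructed: server key ring right after `gpg --import client.asc`.
# The only signature on the uid is the client's own self-signature.
LISTING_BEFORE_SIGNING = """\
tru::1:1265392034:0:3:1:5
pub:-:2048:17:0CDD8E54E3F6B14C:1265391974:::-:::scESC:
fpr:::::::::ED7AE5138AF67C7397F773570CDD8E54E3F6B14C:
uid:-::::1265391974::A1B2C3D4E5F60718293A4B5C6D7E8F9001234567::admin (client_key_id) <client@example.invalid>:
sig:::17:0CDD8E54E3F6B14C:1265391974::::admin (client_key_id) <client@example.invalid>:13x:
sub:-:2048:16:0123456789ABCDEF:1265391974:::::e:
sig:::17:0CDD8E54E3F6B14C:1265391974::::admin (client_key_id) <client@example.invalid>:18x:
"""

# Constructed: the same ring after `gpg --edit-key ... sign` with the
# server's (placeholder) key FEDCBA9876543210.
LISTING_AFTER_SIGNING = LISTING_BEFORE_SIGNING.replace(
    "<client@example.invalid>:13x:\n",
    "<client@example.invalid>:13x:\n"
    "sig:::17:FEDCBA9876543210:1265393000::::admin (server_key_id) <server@example.invalid>:13x:\n",
    1,
)


def parse_records(listing):
    """Split colon-format output into one list of fields per record."""
    return [line.split(":") for line in listing.splitlines() if line.strip()]


def _matches(full_keyid, wanted):
    """Accept a 16-hex key ID, a short 8-hex ID, or a 40-hex fingerprint
    (with or without spaces) as the identifier to compare against."""
    full = full_keyid.upper()
    wanted = wanted.upper().replace(" ", "")
    return full.endswith(wanted) or wanted.endswith(full)


def certifications_on_key(listing, key_id):
    """Return the key IDs of third parties that certified key_id.

    Only records inside the matching 'pub' block are examined.  The key's
    own self-signatures, subkey binding signatures (class 0x18) and
    anything that is not a certification class are ignored.
    """
    signers = []
    in_block = False
    own_keyid = None
    for rec in parse_records(listing):
        if rec[TYPE] == "pub":
            own_keyid = rec[KEYID]
            in_block = _matches(own_keyid, key_id)
            continue
        if not in_block or rec[TYPE] != "sig" or len(rec) <= SIGCLASS:
            continue
        if _matches(rec[KEYID], own_keyid):
            continue  # self-signature, proves nothing about trust
        if rec[SIGCLASS][:2] in CERT_CLASSES:
            signers.append(rec[KEYID].upper())
    return signers


def is_certified_by(listing, key_id, signer_id):
    """True if signer_id has placed a certification signature on key_id."""
    return any(_matches(s, signer_id) for s in certifications_on_key(listing, key_id))


if __name__ == "__main__":
    if len(sys.argv) == 3 and not sys.stdin.isatty():
        # Real use: gpg --homedir /root/.gnupg --with-colons --list-sigs <key> | python3 check.py <key> <signer>
        listing, (key_id, signer_id) = sys.stdin.read(), sys.argv[1:]
    else:
        listing, key_id, signer_id = LISTING_AFTER_SIGNING, "E3F6B14C", "FEDCBA9876543210"
    found = certifications_on_key(listing, key_id)
    print("certifications on %s: %s" % (key_id, ", ".join(found) or "none (self-signature only)"))
    print("signed by %s: %s" % (signer_id, is_certified_by(listing, key_id, signer_id)))
```

Run it against a live ring by piping `gpg --homedir /root/.gnupg --with-colons --list-sigs <client-key-id>` into it with the client and server key IDs as arguments; if the server key does not show up as a certifier, fwknopd will keep rejecting the SPA packet, and the import-and-sign steps from Mike's reply are what is missing.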
