On Feb 28, 2011, Spezifikum wrote:

> Hi,

Hello Malte,

> I read about fwknop in the German IT magazine iX (03/2011). It seems 
> like a perfect fit for my use case here, but I need something like 
> multiple OTP lists, one per user. I know that allowing multiple users 
> to manipulate the firewall is a bit strange, but it is the best solution 
> I came across so far. Currently I am using a website (PHP) written to 
> accomplish that task, but port knocking would be much better and easier 
> to maintain.

Is there any chance that an English translation exists for the iX magazine
article?  It appears to me that there isn't an electronic version
available via the magazine website.

Do you mean port knocking, or Single Packet Authorization?  The port
knocking mode in fwknop is deprecated in favor of the much more robust
SPA mode.

> In a school environment I need to grant internet access (http(s), ftp, 
> pop, imap, sftp) on demand to a group of computers. Currently the 
> teacher opens the web page, logs in with his name and an OTP which is 
> stored in a database, one table per user, and grants internet access to one 
> room. In the background a PHP script calls a script which manipulates 
> the firewall. The script is setuid-root by the way (with a wrapper of 
> course). Technically this works like a charm, but I do not like setuid-root 
> shell scripts being executed by PHP pages.

Since you are using a table of one time passwords, this implies that a
user has multiple OTPs, and therefore this would be equivalent in the
fwknop world to assigning a maximum usage number to each SPA key.  (On
the wire in SPA mode fwknop already has strong protection against replay
attacks, which is one of the primary reasons to use OTPs anyway - i.e.
they aren't needed in the SPA world.)

Support doesn't currently exist to limit the number of usages of a key,
but potentially could be added.  I would need to think about this a bit
more.

> What I would need to do is to make fwknop look up the knock sequence or 
> a part of it in a database, be it an internal or external one like MySQL. 
> Let's say the user/teacher Joe has the number 0001 assigned; then the 
> sequence 0001 7331 0001 1234 1234 would execute the start command if the 
> number "7331" is the next unused number in the table "0001".
> Another way would be to create one set of entries per user in the config 
> file, where one set consists of two entries per group of computers. That 
> would currently result in 80 * 2 * 8 entries.
> Could anybody help me and tell me
> a) if that is possible in a sense that it doesn't conflict with fwknop's 
> design?

The architecture is very different.  For one thing, your users would
have to download and run the fwknop client on their local systems
instead of interacting with a web page.  Or, some development could
be done on a web proxy that would execute the fwknop command on behalf
of a user - this has been on the fwknop todo list for a while.  Either
way, SPA would be used instead of port knocking.

> b) and where in the sources of the Perl version the changes would have 
> to be done?

I would recommend that all modifications be made against the C version
of fwknop first as this is where the primary development effort is.
To implement the usage limits per key feature, modifications would
need to be made in the fwknopd server (see the server/ directory in
the C sources).

Thanks,

--Mike

> Thanks a lot
> Malte Müller
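
The "maximum usage number per SPA key" that Mike describes above, sketched as
an added example in C. This is not fwknop code and not anything Mike or Malte
wrote; it is a self-contained illustration of the two checks the thread talks
about, replay rejection and a per-key usage counter, as they might sit in an
fwknopd-style server. The struct names, the `spa_authorize` function, the
`max_uses` field and the use of FNV-1a as a stand-in for the packet digest are
all assumptions made here (the real fwknopd uses a cryptographic digest for its
replay cache, and the caller would already have decrypted and authenticated the
packet before this accounting step). The sample packets in `main` are
constructed for the demo.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_KEYS 16
#define MAX_SEEN 256

/* Outcome of the replay + usage-limit accounting for one SPA packet. */
enum spa_result { SPA_OK = 0, SPA_UNKNOWN_KEY, SPA_REPLAY, SPA_EXHAUSTED, SPA_CACHE_FULL };

struct spa_key {
    char name[32];   /* key identifier, e.g. a teacher's login name (hypothetical) */
    int  max_uses;   /* hypothetical per-key usage limit; 0 means unlimited */
    int  uses;       /* valid SPA packets this key has authorized so far */
};

struct spa_table {
    struct spa_key keys[MAX_KEYS];
    int nkeys;
    uint64_t seen[MAX_SEEN];  /* digests of packets already accepted (replay cache) */
    int nseen;
};

/* FNV-1a stands in for the real packet digest; a production server would use
 * a cryptographic hash such as SHA-256 here. */
static uint64_t pkt_digest(const unsigned char *pkt, size_t len)
{
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= pkt[i];
        h *= 1099511628211ULL;
    }
    return h;
}

int spa_table_add_key(struct spa_table *t, const char *name, int max_uses)
{
    if (t->nkeys >= MAX_KEYS) return -1;
    struct spa_key *k = &t->keys[t->nkeys++];
    snprintf(k->name, sizeof k->name, "%s", name);
    k->max_uses = max_uses;
    k->uses = 0;
    return 0;
}

static struct spa_key *find_key(struct spa_table *t, const char *name)
{
    for (int i = 0; i < t->nkeys; i++)
        if (strcmp(t->keys[i].name, name) == 0) return &t->keys[i];
    return NULL;
}

static int seen_before(const struct spa_table *t, uint64_t d)
{
    for (int i = 0; i < t->nseen; i++)
        if (t->seen[i] == d) return 1;
    return 0;
}

/* Decide whether an already-authenticated SPA packet may open the firewall.
 * Replay is checked before the usage limit so a replayed packet never
 * consumes one of the key's remaining uses; a full replay cache fails closed. */
enum spa_result spa_authorize(struct spa_table *t, const char *key_name,
                              const unsigned char *pkt, size_t len)
{
    struct spa_key *k = find_key(t, key_name);
    if (k == NULL) return SPA_UNKNOWN_KEY;

    uint64_t d = pkt_digest(pkt, len);
    if (seen_before(t, d)) return SPA_REPLAY;
    if (k->max_uses > 0 && k->uses >= k->max_uses) return SPA_EXHAUSTED;
    if (t->nseen >= MAX_SEEN) return SPA_CACHE_FULL;

    t->seen[t->nseen++] = d;   /* remember the accepted packet */
    k->uses++;
    return SPA_OK;
}

int main(void)
{
    /* Constructed demo: key "joe" may be used twice; third packet is refused. */
    static const char *names[] = { "ok", "unknown key", "replay", "exhausted", "cache full" };
    const unsigned char p1[] = "spa-packet-1", p2[] = "spa-packet-2", p3[] = "spa-packet-3";
    struct spa_table t;
    memset(&t, 0, sizeof t);
    spa_table_add_key(&t, "joe", 2);

    printf("p1: %s\n", names[spa_authorize(&t, "joe", p1, sizeof p1)]);
    printf("p1 again: %s\n", names[spa_authorize(&t, "joe", p1, sizeof p1)]);
    printf("p2: %s\n", names[spa_authorize(&t, "joe", p2, sizeof p2)]);
    printf("p3: %s\n", names[spa_authorize(&t, "joe", p3, sizeof p3)]);
    return 0;
}
```

The ordering of the checks is the point: a replay must be rejected before the
usage counter is touched, otherwise an attacker who captured one valid packet
could burn through a teacher's remaining uses, and the replay cache must fail
closed when full rather than silently stop recording.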

_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss