On Apr 26, 2012, Morgan Smith wrote:
> Hello,
>
> In trying to get fwknopd to work with gpg keys I come across a situation
> where it looks like fwknopd receives a valid packet but never inserts an
> iptables rule to allow access. It seems like fwknopd is waiting for
> gpg/gpg-agent/pinentry to return. I'd like to understand if this
> behavior is due to some misconfiguration of my server, configuration, or
> how I'm using fwknopd. Here is some verbose goodness:
I haven't tested fwknop-2.0 with gpg-agent, so I suspect that pinentry is
just not a supported feature. This thread is interesting:

http://lists.gnupg.org/pipermail/gnupg-users/2007-April/030927.html

This weekend I will work on this to see what options would be available to
fwknop. Thanks for sending the information below - it will definitely help.

--Mike

> I started fwknopd 2.0 with -v for extra goodness. Here is what is in
> /var/log/messages:
>
> Apr 26 15:41:55 server fwknopd[18346]: Starting fwknopd
> Apr 26 15:41:55 server fwknopd[18346]: delete_all_chains() CMD: '/sbin/iptables -t filter -D INPUT 1 2>&1' (res: 0, err: )
> Apr 26 15:41:55 server fwknopd[18346]: delete_all_chains() CMD: '(/sbin/iptables -t filter -F FWKNOP_INPUT 2>&1; /sbin/iptables -t filter -X FWKNOP_INPUT 2>&1)' (res: 0, err: )
> Apr 26 15:41:55 server fwknopd[18346]: create_fw_chains() CMD: '/sbin/iptables -t filter -N FWKNOP_INPUT 2>&1' (res: 0, err: )
> Apr 26 15:41:55 server fwknopd[18346]: add_jump_rule() CMD: '/sbin/iptables -t filter -I INPUT 1 -j FWKNOP_INPUT 2>&1' (res: 0, err: )
> Apr 26 15:41:55 server fwknopd[18346]: Added jump rule from chain: INPUT to chain: FWKNOP_INPUT
> Apr 26 15:41:55 server fwknopd[18346]: PCAP filter is: udp port 62201
> Apr 26 15:41:55 server fwknopd[18346]: Starting fwknopd main event loop.
> Apr 26 15:42:48 server kernel: Dump tcp: IN=eth0 OUT= MAC=00:14:22:1a:d8:e4:00:26:98:1a:af:41:08:00 SRC=50.116.66.240 DST=50.115.119.68 LEN=44 TOS=0x00 PREC=0x00 TTL=52 ID=60775 PROTO=TCP SPT=80 DPT=1234 WINDOW=16384 RES=0x00 ACK SYN URGP=0
> Apr 26 15:43:07 server kernel: Dump udp: IN=eth0 OUT= MAC=00:14:22:1a:d8:e4:00:26:98:1a:af:41:08:00 SRC=174.52.254.248 DST=50.115.119.68 LEN=1030 TOS=0x00 PREC=0x00 TTL=49 ID=10051 DF PROTO=UDP SPT=43878 DPT=62201 LEN=1010
> Apr 26 15:43:07 server fwknopd[18346]: (stanza #1) SPA Packet from IP: 174.52.254.248 received with access source match
>
>
> After that last message, there are no more.
> Here's what I see from the cmdline:
>
> # ps auxw --forest | grep -A5 [f]wknopd
> root 18346 0.0 0.0 17628 3712 ? Ss 15:41 0:00 fwknopd -v
> root 18371 0.0 0.0 24648 1628 ? SL 15:43 0:00 gpg --enable-special-filenames --no-sk-comment --homedir /root/.gnupg --status-fd 4 --no-tty --charset utf8 --enable-progress-filter --command-fd 5 --decrypt --output - -- -&9
> root 18373 0.0 0.0 13164 980 ? SL 15:43 0:00 \_ gpg-agent --server
> root 18374 0.0 0.0 8548 780 ? SL 15:43 0:00 \_ pinentry
>
>
> According to strace and lsof, pinentry is trying to read from file
> handle 0 which is a pipe:
>
> # strace -fp 18374
> Process 18374 attached - interrupt to quit
> read(0, ^C <unfinished ...>
> Process 18374 detached
> # lsof -p 18374 | awk '$4 ~/0/ {print $0}'
> pinentry 18374 root 0r FIFO 0,6 0t0 574833 pipe
>
>
> Strace shows gpg-agent trying to read from filehandle 8 however I don't
> see one with lsof:
>
> # strace -fp 18373
> Process 18373 attached - interrupt to quit
> select(8, [3 7], [], [], NULL^C <unfinished ...>
> Process 18373 detached
> # lsof -p 18373 | awk '$4 ~/8/ {print $0}'
> #
>
>
> It looks like gpg is trying to read from a pipe as well:
>
> # strace -fp 18371
> Process 18371 attached - interrupt to quit
> read(9, ^C <unfinished ...>
> Process 18371 detached
> # lsof -p 18371 | awk '$4 ~ /9/ {print $0}'
> gpg 18371 root 9r FIFO 0,6 0t0 577265 pipe
>
>
> At this point fwknopd seems to be looping however it doesn't respond to
> any additional authentication packets that I send its way.
> Here is a strace of fwknopd as I send another authentication packet to
> the server:
>
> # strace -fp 18346
> Process 18346 attached - interrupt to quit
> select(8, [2 7], [], NULL, {0, 216681}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
> select(8, [2 7], [], NULL, {1, 0}) = 0 (Timeout)
>
>
> Fwknopd doesn't respond to the -K option as I'd expect. If I kill -15
> the pinentry/gpg-agent/gpg, then fwknopd puts this inside /var/log/messages:
>
> Apr 26 15:55:37 server fwknopd[18346]: (stanza #1) Error creating fko context: Decryption operation failed
> Apr 26 15:55:37 server fwknopd[18346]: (stanza #1) - GPG ERROR: No data
>
> I have seen it sometimes say this:
> Apr 26 15:58:01 server fwknopd[18346]: (stanza #1) - GPG ERROR: Bad passphrase
> despite my access.conf having this line:
> GPG_DECRYPT_PW:<space><passphrase>;
>
> At this point fwknopd will process new authentication packets so long as
> I don't use gpg. Here's what a strace then looks like:
>
> # strace -fp 18346 2>&1 | head -10
> Process 18346 attached - interrupt to quit
> restart_syscall(<... resuming interrupted call ...>) = 0
> poll([{fd=1, events=POLLIN}], 1, 0) = 0 (Timeout)
> nanosleep({0, 10000000}, NULL) = 0
> poll([{fd=1, events=POLLIN}], 1, 0) = 0 (Timeout)
> nanosleep({0, 10000000}, NULL) = 0
> poll([{fd=1, events=POLLIN}], 1, 0) = 0 (Timeout)
> nanosleep({0, 10000000}, NULL) = 0
> poll([{fd=1, events=POLLIN}], 1, 0) = 0 (Timeout)
> nanosleep({0, 10000000}, NULL) = 0
>
>
> Are there any suggestions as to what my next steps should be to get this
> working properly?
>
> -- Morgan
>
>
>
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
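The traces above show the general failure mode behind this report: the daemon hands decryption to a child (gpg), the child's helper (pinentry) blocks in read(0) on a pipe that nobody will ever write to, and the daemon's event loop stops servicing new SPA packets until someone kills the helpers by hand. The following is an added example, not fwknop's or GnuPG's code, that reproduces the hang with a constructed stand-in for the blocked helper and shows the two defences an unattended daemon wants: hand the child /dev/null as stdin so a stray read(0) gets EOF immediately, and run the child in its own process group under a deadline so the whole group (child plus anything it forks) is killed if the deadline passes. The helper command, function names and the one-second timeout are this example's own choices.

```python
"""
Added example (not fwknop's code): keep a daemon's event loop alive when a
decryption child, or a helper it spawns, blocks forever on an idle pipe.
"""
import os
import signal
import subprocess
import sys

# Constructed stand-in for the blocked helper in the thread: it reads fd 0
# until EOF. It is not gpg, gpg-agent or pinentry.
BLOCKING_CHILD = [sys.executable, "-c",
                  "import sys; sys.stdin.read(); print('got EOF')"]


def run_with_deadline(argv, timeout_s, stdin):
    """Run argv with the given stdin; SIGTERM its whole process group on timeout.

    Returns (timed_out, returncode, stdout_text).
    """
    proc = subprocess.Popen(
        argv,
        stdin=stdin,
        stdout=subprocess.PIPE,
        stderr=subprocess.DEVNULL,
        start_new_session=True,  # own session/process group: helpers die with it
    )
    try:
        out, _ = proc.communicate(timeout=timeout_s)
        return False, proc.returncode, out.decode()
    except subprocess.TimeoutExpired:
        # Kill the group, not just the direct child, so a blocked helper
        # (the pinentry of the thread) cannot keep the decryption pending.
        os.killpg(proc.pid, signal.SIGTERM)
        try:
            proc.wait(timeout=2)
        except subprocess.TimeoutExpired:
            os.killpg(proc.pid, signal.SIGKILL)
            proc.wait()
        proc.stdout.close()
        return True, proc.returncode, ""


def hang_on_open_pipe(timeout_s=1.0):
    """Reproduce the failure: the child's stdin is a pipe whose write end the
    parent keeps open without ever writing, so read(0) never returns."""
    r, w = os.pipe()
    try:
        return run_with_deadline(BLOCKING_CHILD, timeout_s, r)
    finally:
        os.close(r)
        os.close(w)


def no_hang_with_devnull(timeout_s=5.0):
    """The stdin-side fix: /dev/null yields EOF at once and the child exits."""
    return run_with_deadline(BLOCKING_CHILD, timeout_s, subprocess.DEVNULL)


if __name__ == "__main__":
    print("open pipe :", hang_on_open_pipe())
    print("/dev/null :", no_hang_with_devnull())
```

Run stand-alone, the first call reports a timeout with a negative return code (the group was terminated), the second returns 0 with "got EOF". In a daemon the deadline branch is also the natural place to log the failed decryption and move on to the next packet, which is what the thread shows fwknopd doing only after the helpers were killed by hand.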
