Actually, it seems that it's a problem with the server certificate passphrase. If I set no password for the server passphrase it works. It seems like "GPG_DECRYPT_PW" doesn't get read at all. Or is it only useful if you are running a gpg-agent on the server side?
On 03/07/13 16:07, Erich Weiler wrote:
>> Do you by chance have an iptables chain for FWKNOP_INPUT, and a rule in
>> the INPUT chain to jump to there? I was missing that when I first got
>> out of the gates.
>
> First off, thanks for responding!! Yes, that appears to be OK.. I think
> I have a better idea of what's happening...
>
> I have in access.conf on the server:
>
> SOURCE: ANY;
> OPEN_PORTS: tcp/12345;
> GPG_REMOTE_ID: 1234ABCD;
> GPG_DECRYPT_ID: ABCD1234;
> GPG_DECRYPT_PW: somepass;
> GPG_REQUIRE_SIG: Y;
> GPG_IGNORE_SIG_VERIFY_ERROR: N;
> REQUIRE_SOURCE_ADDRESS: Y;
> GPG_HOME_DIR: /root/.gnupg;
> FW_ACCESS_TIMEOUT: 30;
>
> (IDs, ports and password obviously not real)
>
> When I connect from the client, I get:
>
> Enter passphrase for signing:
>
> It doesn't seem to matter what I enter there (something or nothing), I
> always get another full screen thing asking for a decrypt password. That
> seems to be the password that matters, not the first one.
>
> Then, on the server side, I was not getting my firewall rule added
> right, so I decided to run the fwknopd daemon in the foreground for
> debugging:
>
> fwknopd -v -f
>
> and I think I see where my problem lies. When I send the packet from the
> client, the *server* goes into full screen mode and asks for a password
> (passphrase to unlock secret key for the server certificate). Obviously
> in daemon mode it just sits there and does nothing, because no one is
> there to enter a password.. In foreground mode, if I enter the password,
> it correctly adds the firewall rule.
>
> It doesn't seem to matter what the value of "GPG_DECRYPT_PW" is in
> access.conf. It still asks me in that full screen mode what the password
> is. How can I get around that? And why does it ask me for two passwords
> on the client side? (the "passphrase for signing" and then the
> "passphrase to unlock the secret key").
>
> Do I need a server cert with no password? Does this have something to do
> with gpg-agent (which I'd like not to run)?
>
> Many thanks if you have any hints!!

_______________________________________________
Fwknop-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
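As an added example (not fwknop project code and not from either poster), the following Python linter parses an access.conf stanza in the "KEY: value;" form quoted above and reports the settings a server operator would want to review before deploying a GPG-mode stanza; the check names and the advice about GPG_DECRYPT_PW are assumptions drawn from this thread, not from fwknopd's own documentation.

```python
# Added example (not fwknop project code): a small linter for the access.conf
# stanza format shown in the thread ("KEY: value;" lines, one stanza per SOURCE).
# The findings below are assumptions drawn from the thread, not fwknopd semantics.
import re
from typing import Dict, List

# Constructed sample mirroring the stanza quoted in the thread (values are not real).
SAMPLE_STANZA = """
SOURCE: ANY;
OPEN_PORTS: tcp/12345;
GPG_REMOTE_ID: 1234ABCD;
GPG_DECRYPT_ID: ABCD1234;
GPG_DECRYPT_PW: somepass;
GPG_REQUIRE_SIG: Y;
GPG_IGNORE_SIG_VERIFY_ERROR: N;
REQUIRE_SOURCE_ADDRESS: Y;
GPG_HOME_DIR: /root/.gnupg;
FW_ACCESS_TIMEOUT: 30;
"""

LINE_RE = re.compile(r"^\s*([A-Z_]+)\s*:\s*(.*?)\s*;\s*$")

def parse_stanza(text: str) -> Dict[str, str]:
    """Parse 'KEY: value;' lines into a dict; reject any line that does not match."""
    out: Dict[str, str] = {}
    for ln in text.splitlines():
        if not ln.strip() or ln.lstrip().startswith("#"):
            continue  # skip blank lines and comments
        m = LINE_RE.match(ln)
        if not m:
            raise ValueError(f"malformed access.conf line: {ln!r}")
        out[m.group(1)] = m.group(2)
    return out

def lint_gpg_stanza(conf: Dict[str, str]) -> List[str]:
    """Return review findings for a GPG-mode stanza (defender's checklist)."""
    findings: List[str] = []
    if conf.get("GPG_REQUIRE_SIG") == "Y" and "GPG_REMOTE_ID" not in conf:
        findings.append("GPG_REQUIRE_SIG is Y but no GPG_REMOTE_ID to verify signatures against")
    if conf.get("GPG_IGNORE_SIG_VERIFY_ERROR") == "Y":
        findings.append("GPG_IGNORE_SIG_VERIFY_ERROR is Y: signature verification failures are ignored")
    if conf.get("REQUIRE_SOURCE_ADDRESS") != "Y":
        findings.append("REQUIRE_SOURCE_ADDRESS is not Y: SPA packets need not carry the client IP")
    if "GPG_DECRYPT_PW" in conf:
        findings.append("GPG_DECRYPT_PW is set: the thread reports fwknopd still prompted for the "
                        "passphrase; confirm the decrypt key works non-interactively before relying on it")
    if conf.get("SOURCE") == "ANY":
        findings.append("SOURCE is ANY: the stanza is not restricted to specific client source IPs")
    return findings
```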
