On Mar 07, 2013, Erich Weiler wrote:
> Actually, it seems that it's a problem with the server certificate
> passphrase. If I set no password for the server passphrase it works.
> It seems like "GPG_DECRYPT_PW" doesn't get read at all. Or is it only
> useful if you are running a gpg-agent on the server side?

Some gpg engines appear to always require gpg-agent or pinentry when
accepting passphrases from users (at least for gpg key pairs that have
passphrases associated with them). This was why a new directive
"GPG_ALLOW_NO_PW" was added in fwknop-2.0.2 to make it possible to remove
the passphrase from a key pair used by the server for SPA communications:

http://www.cipherdyne.org/cgi-bin/gitweb.cgi?p=fwknop.git;a=commitdiff;h=27ccfe35d36c7ba1d94734fb21a46c77aaf30719

This link referenced in the commit message helps to make a case for why
there is little downside for doing such a thing in an automated
environment since the decryption passphrase has to be included in the
access.conf file anyway:

http://www.gnupg.org/faq/GnuPG-FAQ.html#how-can-i-use-gnupg-in-an-automated-environment

If the gpg engine on your system requires gpg-agent or pinentry, then
removing the passphrase from the gpg key pair and setting GPG_ALLOW_NO_PW
is the way to go.

--Mike

> On 03/07/13 16:07, Erich Weiler wrote:
>
> >> Do you by chance have an iptables chain for FWKNOP_INPUT, and a rule in
> >> the INPUT chain to jump to there? I was missing that when I first got
> >> out of the gates.
> >
> > First off, thanks for responding!! Yes, that appears to be OK.. I think
> > I have a better idea of what's happening...
> >
> > I have in access.conf on the server:
> >
> > SOURCE: ANY;
> > OPEN_PORTS: tcp/12345;
> > GPG_REMOTE_ID: 1234ABCD;
> > GPG_DECRYPT_ID: ABCD1234;
> > GPG_DECRYPT_PW: somepass;
> > GPG_REQUIRE_SIG: Y;
> > GPG_IGNORE_SIG_VERIFY_ERROR: N;
> > REQUIRE_SOURCE_ADDRESS: Y;
> > GPG_HOME_DIR: /root/.gnupg;
> > FW_ACCESS_TIMEOUT: 30;
> >
> > (IDs, ports and password obviously not real)
> >
> > When I connect from the client, I get:
> >
> > Enter passphrase for signing:
> >
> > It doesn't seem to matter what I enter there (something or nothing), I
> > always get another full screen thing asking for a decrypt password. That
> > seems to be the password that matters, not the first one.
> >
> > Then, on the server side, I was not getting my firewall rule added
> > right, so I decided to run the fwknopd daemon in the foreground for
> > debugging:
> >
> > fwknopd -v -f
> >
> > and I think I see where my problem lies. When I send the packet from the
> > client, the *server* goes into full screen mode and asks for a password
> > (passphrase to unlock secret key for the server certificate). Obviously
> > in daemon mode it just sits there and does nothing, because no one is
> > there to enter a password.. In foreground mode, if I enter the password,
> > it correctly adds the firewall rule.
> >
> > It doesn't seem to matter what the value of "GPG_DECRYPT_PW" is in
> > access.conf. It still asks me in that full screen mode what the password
> > is. How can I get around that? And why does it ask me for two passwords
> > on the client side? (the "passphrase for signing" and then the
> > "passphrase to unlock the secret key").
> >
> > Do I need a server cert with no password? Does this have something to do
> > with gpg-agent (which I'd like not to run)?
> >
> > Many thanks if you have any hints!!
> >
> ------------------------------------------------------------------------------
> Symantec Endpoint Protection 12 positioned as A LEADER in The Forrester
> Wave(TM): Endpoint Security, Q1 2013 and "remains a good choice" in the
> endpoint security space. For insight on selecting the right partner to
> tackle endpoint security challenges, access the full report.
> http://p.sf.net/sfu/symantec-dev2dev
> _______________________________________________
> Fwknop-discuss mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
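An added example (my own, not fwknop's code) that lints an access.conf for the situation in this thread: a stanza whose GPG_DECRYPT_ID key still carries a passphrase and relies on GPG_DECRYPT_PW, which a gpg engine that insists on gpg-agent/pinentry will ignore, leaving the daemon blocked on a prompt. It assumes only the stanza layout shown in the quoted config (one "KEY: value;" per line, each SOURCE line opening a new stanza); the sample config is constructed with placeholder IDs.

```python
import re

# Constructed sample, not the poster's real config: the first stanza has the
# shape Erich posted (placeholder IDs/port/password), the second is the
# corrected form with the key's passphrase removed and GPG_ALLOW_NO_PW set.
SAMPLE_ACCESS_CONF = """\
SOURCE: ANY;
OPEN_PORTS: tcp/12345;
GPG_REMOTE_ID: 1234ABCD;
GPG_DECRYPT_ID: ABCD1234;
GPG_DECRYPT_PW: somepass;

SOURCE: ANY;
OPEN_PORTS: tcp/12345;
GPG_REMOTE_ID: 1234ABCD;
GPG_DECRYPT_ID: ABCD1234;
GPG_ALLOW_NO_PW: Y;
"""

LINE_RE = re.compile(r"^([A-Z_]+)\s*:\s*(.*?)\s*;?$")

def parse_stanzas(text):
    """Split access.conf into dicts; every SOURCE line opens a new stanza."""
    stanzas, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        m = LINE_RE.match(line) if line else None
        if not m:
            continue
        key, value = m.groups()
        if key == "SOURCE":
            current = {}
            stanzas.append(current)
        if current is not None:
            current[key] = value
    return stanzas

def check_gpg_passphrase(stanza):
    """Finding for a stanza that may block fwknopd on a pinentry prompt, else None."""
    if "GPG_DECRYPT_ID" not in stanza or stanza.get("GPG_ALLOW_NO_PW", "N").upper() == "Y":
        return None
    if "GPG_DECRYPT_PW" in stanza:
        return ("GPG_DECRYPT_PW set, but gpg engines that insist on gpg-agent/pinentry "
                "ignore it: strip the key's passphrase and set GPG_ALLOW_NO_PW: Y")
    return "GPG_DECRYPT_ID without GPG_DECRYPT_PW and without GPG_ALLOW_NO_PW: Y"

def lint(text):
    """Return {stanza_index: finding} for every stanza that has a finding."""
    found = ((i, check_gpg_passphrase(s)) for i, s in enumerate(parse_stanzas(text)))
    return {i: f for i, f in found if f}
```

Running `lint(SAMPLE_ACCESS_CONF)` flags only stanza 0; stanza 1 is the shape Mike recommends.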
