On Aug 11, 2013, David Klann wrote:

> Hi List,

Hello David,

> First, thanks to Michael and all the fwknop contributors for this
> powerful tool! My apology in advance for this long message, but it is
> mostly command output...
> 
> I have been using fwknop to access my public-facing servers for a few
> months.  And while I can access them from several different systems
> (Debian and Fedora), fwknop is broken on my main computer. This
> (broken) instance of the fwknop client is running on a current (and
> consistently updated) Gentoo system (x86_64 architecture). The command
> I am running (with no previously existing ~/.fwknoprc) is:
> 
> /usr/local/bin/fwknop --access='tcp/22' --server-port=<server-port-number>
> --gpg-recipient-key=DC20C8A9 --gpg-signer-key=286EC7BC --gpg-agent
> --source-ip --destination=<public.hostname> --verbose
> --allow-ip=<public.i.p.addr>
> 
> The error I am getting from the above command is:
> [+] GPG mode set, signing passphrase acquired via gpg-agent
> fwknop: fko_spa_data_final: Error 102 - Args contain invalid data:
> FKO_ERROR_INVALID_DATA_ENCRYPT_GPG_RESULT_MSGLEN_VALIDFAIL GPG ERR: 
> 
> 
> Here are some more details:
> 
> - fwknop from github.com/mrash/fwknop (commit 333302a)

Cool, that is the latest commit on github.  This includes Hank
Leininger's patch for better libfko error codes, and the
FKO_ERROR_INVALID_DATA_ENCRYPT_GPG_RESULT_MSGLEN_VALIDFAIL error is
quite instructive.  It is being called as follows:

https://github.com/mrash/fwknop/blob/master/lib/fko_encryption.c#L399

That error code is only returned when is_valid_encoded_msg_len() fails,
and in this case that is because the encrypted SPA payload coming back
from gpg is longer than 1500 bytes.

I'd say there are a couple of things to try:

- Add the line "compress-level 9" to your ~/.gnupg/options file.
  Assuming that gpg-agent picks this up, then I think it will apply to
  SPA packets that are encrypted via libgpgme (used by fwknop).  The
  server side might need this option added too - not sure about that.
- Add "DIGEST_TYPE    md5" to your ~/.fwknoprc file under the [default]
  stanza section (towards the top).  Even though md5 is not secure, you
  are still using gpg which should eliminate this as a problem although
  I'd still recommend using an HMAC since libgpgme functions aren't even
  executed unless the HMAC check passes.

>   fwknop --version says: fwknop client 2.5.1, FKO protocol version 2.0
> 
> - gnupg --version says:
> gpg (GnuPG) 2.0.20
> libgcrypt 1.5.3
> Copyright (C) 2013 Free Software Foundation, Inc.
> License GPLv3+: GNU GPL version 3 or later
>   <http://gnu.org/licenses/gpl.html> This is free software: you are free to
>   change and redistribute it. There is NO WARRANTY, to the extent permitted
>   by law.
> 
> Home: ~/.gnupg
> Supported algorithms:
> Pubkey: RSA, ELG, DSA
> Cipher: IDEA (S1), 3DES (S2), CAST5 (S3), BLOWFISH (S4), AES (S7),
>         AES192 (S8), AES256 (S9), TWOFISH (S10), CAMELLIA128 (S11),
>         CAMELLIA192 (S12), CAMELLIA256 (S13)
> Hash: MD5 (H1), SHA1 (H2), RIPEMD160 (H3), SHA256 (H8), SHA384 (H9),
>       SHA512 (H10), SHA224 (H11)
> Compression: Uncompressed (Z0), ZIP (Z1), ZLIB (Z2), BZIP2 (Z3)
> 
> - linux kernel (uname -a):
> Linux fritz.lan 3.10.5-gentoo-r1 #1 SMP PREEMPT Sat Aug 10 11:03:34 CDT
>   2013 x86_64 Intel(R) Core(TM)2 Duo CPU T9600 @ 2.80GHz GenuineIntel
>   GNU/Linux
> 
> I have restarted gpg-agent (and even rebooted) several times to ensure
> it is not something like stale data in the agent. gpg-agent is
> properly being used to sign things like email and is working with
> other instances of gpg that I regularly use.
> 
> I have run fwknop with strace(1) to try to discern where it fails, but
> it makes little sense to me. I would be happy to post the output of
> strace.

strace output is not necessary in this case because of the specific
error code you sent above.

If the suggestions above don't work, then you may need to reduce your
gpg key sizes.

Thanks,

--Mike

> Can someone point me where to look next at troubleshooting this
> situation?
> 
> Thanks much!
> 
>   ~David Klann
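A rough size estimator for the situation Mike describes above (an encoded SPA message that libfko rejects once it exceeds 1500 bytes), added here as an illustration; it is not fwknop's or libfko's own code. It assumes the packet is roughly base64(gpg output) + ':' + base64(digest), uses approximate OpenPGP packet-framing constants, ignores compression, and uses a constructed 150-byte plaintext; the point is to see how the recipient and signer key sizes, not the digest choice, dominate the length.

```python
"""Rough size estimator for an fwknop GPG-mode SPA packet (added example,
not fwknop's own code).  libfko rejects an encoded message longer than
1500 bytes (the limit quoted in the thread).  The OpenPGP packet overhead
constants are approximations, and gpg compression is not modelled."""
from typing import Optional

MAX_SPA_ENCODED_MSG_SIZE = 1500  # limit stated in the thread

# Unpadded base64 length of each DIGEST_TYPE's raw digest (16..64 bytes).
DIGEST_B64_LEN = {"md5": 22, "sha1": 27, "sha256": 43, "sha384": 64, "sha512": 86}


def b64_len(nbytes: int) -> int:
    """Length of base64(nbytes) with the '=' padding stripped."""
    return (4 * nbytes + 2) // 3


def estimate_gpg_output(plain_len: int, recipient_bits: int,
                        signer_bits: Optional[int] = None) -> int:
    """Approximate size in bytes of binary `gpg --encrypt [--sign]` output."""
    # PKESK packet: one RSA-modulus-sized MPI plus ~16 bytes of framing
    # (header, key id, algorithm byte); this scales with the recipient key.
    size = recipient_bits // 8 + 16
    # SEIPD packet: ~3 bytes header, 18-byte IV prefix, 22-byte MDC trailer.
    size += 3 + 18 + 22
    # Literal data packet: plaintext plus ~8 bytes of framing.
    size += plain_len + 8
    if signer_bits:
        # One-pass signature packet (~16 bytes) plus a v4 RSA signature:
        # one modulus-sized MPI plus ~40 bytes of subpackets (assumed).
        size += 16 + signer_bits // 8 + 40
    return size


def estimate_spa_len(plain_len: int, recipient_bits: int,
                     signer_bits: Optional[int], digest: str) -> int:
    """Estimated encoded SPA message length: base64(gpg) + ':' + digest."""
    gpg = estimate_gpg_output(plain_len, recipient_bits, signer_bits)
    return b64_len(gpg) + 1 + DIGEST_B64_LEN[digest]


def fits(plain_len: int, recipient_bits: int,
         signer_bits: Optional[int], digest: str) -> bool:
    """True if the estimated packet stays within libfko's limit."""
    n = estimate_spa_len(plain_len, recipient_bits, signer_bits, digest)
    return n <= MAX_SPA_ENCODED_MSG_SIZE


if __name__ == "__main__":
    # Constructed scenario: ~150 bytes of encoded SPA data, signed and encrypted.
    for rbits, sbits, dig in [(4096, 4096, "sha256"), (4096, 4096, "md5"),
                              (2048, 2048, "sha256"), (4096, None, "sha256")]:
        n = estimate_spa_len(150, rbits, sbits, dig)
        state = "ok" if n <= MAX_SPA_ENCODED_MSG_SIZE else "TOO LONG"
        print(f"recipient={rbits} signer={sbits} digest={dig}: ~{n} bytes ({state})")
```

Under these assumptions two 4096-bit keys overshoot the limit even with an md5 digest, while 2048-bit keys or dropping the signer key stay well inside it, which is why key size is the decisive knob.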


Fwknop-discuss mailing list
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss