On Sun, May 10, 2015 at 9:46 PM, Michael Rash <[email protected]>
wrote:
>
> On Sun, May 10, 2015 at 2:49 PM, Jonathan Bennett <[email protected]>
> wrote:
>
>> Michael,
>>
>> Those changes have been made. The Luci interface is getting more
>> polished, too.
>>
>
> Excellent.
>
>
>>
>> In regards to fwknop and --key-gen: What sources of randomness does
>> --key-gen use to generate keys? I could probably add a button to generate
>> the keys and populate the needed fields automagically, but routers can have
>> problems with sources of entropy. In theory, we could even have the router
>> autogen keys when the luci app is installed, but the entropy concern still
>> applies. Thoughts?
>>
>
> When using symmetric keys and HMAC keys, they are generated by the client
> (fwknopd does not offer the --key-gen option), and random data is read from
> /dev/urandom and then base64-encoded:
>
> https://github.com/mrash/fwknop/blob/master/lib/cipher_funcs.c#L48
> https://github.com/mrash/fwknop/blob/master/lib/cipher_funcs.c#L55
>
> I should probably add an option to read from /dev/random instead in case
> the user doesn't mind blocking for a while like gpg's key generation
> process. Thoughts? But, on an embedded system, I completely understand
> where you are coming from with the entropy concern. Maybe just have people
> use their client systems? Not sure there is a great solution if the OS
> itself does not provide a good source of entropy.
>
What I have done is this: Part of the initial setup of the luci app checks
for the fwknop client. If it is there, it generates a base64 key and hmac
and plugs those into the luci app's config file, but doesn't flip the "Enable
config overwrite" option. In this state, the fwknopd service fails on
trying to start, as it is still running the example conf files that ship
with the project. Once the user enables "Enable config overwrite" and hits
save and apply, access.conf is overwritten and the service is fully running
with the generated keys.

It would probably be useful to have an option to use /dev/random instead of
urandom. That said, I have generated several keys in this fashion, and they
seem to all be different. Not quite a statistical entropy analysis, I know.

It looks like this now: http://incomsystems.biz/misc/fwknop_interface2.png
http://incomsystems.biz/misc/fwknop_interface3.png
The keys show as "CHANGEME" still. In this case, the packages were
installed to a running router: the keys will be generated on the next boot.

~Jonathan Bennett
>
> Thanks,
>
> --Mike
>
>
>
>>
>> ~Jonathan Bennett
>>
>> On Sat, May 9, 2015 at 8:52 PM, Michael Rash <[email protected]>
>> wrote:
>>
>>>
>>>
>>> On Sat, May 9, 2015 at 3:43 PM, Jonathan Bennett <[email protected]>
>>> wrote:
>>>
>>>> Hello, all. I keep fwknop up to date in the OpenWrt project. I've
>>>> intended to improve the user friendliness of running fwknopd on a router
>>>> for a while now, and I've finally started work on it.
>>>>
>>>
>>> Hello Jonathan,
>>>
>>> Awesome - ease of use is definitely an aspect of the fwknop project that
>>> needs to be improved through efforts like yours.
>>>
>>>
>>>>
>>>> I pushed an update to 2.6.6 into openwrt just last night. I've put
>>>> together a new web based config, and done a pull request into the openwrt
>>>> project. It is waiting for critiques or to be pulled. Latest screengrab of
>>>> the work is here: http://incomsystems.biz/fwknop_interface.png
>>>>
>>>> It is still a bit rough, but it seems to be working well enough. You
>>>> can add as many access.conf stanzas as needed, and config options are not
>>>> limited to what I've baked in to the interface.
>>>>
>>>
>>> Excellent. Are other config options allowed through the "Add" box below
>>> the one for the encryption key? Just a quick suggestion - if you are
>>> looking to have a set of default config options, I think the ones you have
>>> (SOURCE, HMAC_KEY, and KEY) are good. For the two keys, it might be handy
>>> to accept base64-encoded versions (maybe if a box is checked?). This would
>>> allow for keys that are created with the client --key-gen mode. Also, it
>>> could be handy to have three additional options: OPEN_PORTS,
>>> FW_ACCESS_TIMEOUT and REQUIRE_SOURCE_ADDRESS. These are probably the most
>>> often customized options. Lastly, since this is for OpenWRT, I wonder if
>>> people will use any of the NAT modes?
>>>
>>> Thanks,
>>>
>>> --Mike
>>>
>>>
>>>
>>>> Any comments welcome.
>>>>
>>>> ~Jonathan Bennett
>>>>
>>>>
>>>> ------------------------------------------------------------------------------
>>>> One dashboard for servers and applications across Physical-Virtual-Cloud
>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>> Performance metrics, stats and reports that give you Actionable Insights
>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>> _______________________________________________
>>>> Fwknop-discuss mailing list
>>>> [email protected]
>>>> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>>>>
>>>>
>>>
>>>
>>>
>>
>>
>
>
> --
> Michael Rash | Founder
> http://www.cipherdyne.org/
> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
>
>
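The key-generation scheme Mike describes above (random bytes from /dev/urandom, base64-encoded, then dropped into access.conf) and Jonathan's observation that the keys still read "CHANGEME" until the generated config is applied, as an added example that is not part of the original thread and not fwknop's own code. It uses Python's os.urandom (on Linux the same kernel CSPRNG that backs /dev/urandom), emits a stanza with the KEY_BASE64 / HMAC_KEY_BASE64 directives, and checks a stanza for placeholder or too-short keys before it is applied. The 16-byte and 32-byte key lengths, the exact stanza layout, and the sample stanzas are assumptions constructed for the example; the entropy_avail reader is only a hint for the router-entropy concern raised in the thread.

```python
"""Generate fwknopd access.conf keys (CSPRNG bytes, base64-encoded) and
sanity-check a stanza before it replaces the shipped example config.
Added example; not fwknop's or the OpenWrt luci app's own code."""
import base64
import os
import re

# Assumed lengths: 16 bytes for the Rijndael key, 32 bytes for a SHA-256 HMAC key.
KEY_LEN = 16
HMAC_KEY_LEN = 32
PLACEHOLDER = "CHANGEME"          # value the shipped example config carries


def gen_key_b64(nbytes):
    """Read nbytes from the kernel CSPRNG and base64-encode them, the same
    shape of output the fwknop client's --key-gen produces."""
    return base64.b64encode(os.urandom(nbytes)).decode("ascii")


def render_stanza(source="ANY", key_len=KEY_LEN, hmac_len=HMAC_KEY_LEN):
    """Build one access.conf stanza with freshly generated base64 keys
    (layout assumed; see fwknop's access.conf for the full directive set)."""
    return (
        f"SOURCE {source}\n"
        f"KEY_BASE64 {gen_key_b64(key_len)}\n"
        f"HMAC_KEY_BASE64 {gen_key_b64(hmac_len)}\n"
    )


def check_stanza(text):
    """Return a list of problems in a stanza: placeholder keys left in place,
    undecodable base64, decoded keys shorter than the assumed minimum, or a
    missing key directive. An empty list means the stanza is safe to apply."""
    problems = []
    found = {}
    for line in text.splitlines():
        m = re.match(r"^\s*(KEY_BASE64|HMAC_KEY_BASE64|KEY|HMAC_KEY)\s+(\S+)", line)
        if not m:
            continue
        name, value = m.groups()
        found[name] = value
        if value == PLACEHOLDER:
            problems.append(f"{name} still set to {PLACEHOLDER}")
            continue
        if name.endswith("_BASE64"):
            try:
                raw = base64.b64decode(value, validate=True)
            except ValueError:          # binascii.Error is a ValueError subclass
                problems.append(f"{name} is not valid base64")
                continue
            need = KEY_LEN if name == "KEY_BASE64" else HMAC_KEY_LEN
            if len(raw) < need:
                problems.append(
                    f"{name} decodes to {len(raw)} bytes, expected at least {need}")
    if not any(k in found for k in ("KEY", "KEY_BASE64")):
        problems.append("no KEY or KEY_BASE64 directive")
    if not any(k in found for k in ("HMAC_KEY", "HMAC_KEY_BASE64")):
        problems.append("no HMAC_KEY or HMAC_KEY_BASE64 directive")
    return problems


def entropy_avail():
    """Kernel's current entropy estimate (Linux only), or None elsewhere.
    Low values on a freshly booted router are the concern raised in the thread."""
    try:
        with open("/proc/sys/kernel/random/entropy_avail") as fh:
            return int(fh.read().strip())
    except OSError:
        return None


# Constructed samples: a stanza as shipped (placeholders still in place) and one
# whose encryption key decodes to only 8 bytes ("tooshort").
SHIPPED_STANZA = "SOURCE ANY\nKEY CHANGEME\nHMAC_KEY CHANGEME\n"
SHORT_STANZA = "SOURCE ANY\nKEY_BASE64 dG9vc2hvcnQ=\nHMAC_KEY_BASE64 CHANGEME\n"

if __name__ == "__main__":
    print("entropy_avail:", entropy_avail())
    print("shipped config:", check_stanza(SHIPPED_STANZA))
    fresh = render_stanza()
    print(fresh)
    print("generated config:", check_stanza(fresh))
```

A luci setup step that gated the "Enable config overwrite" switch on an empty result from check_stanza would refuse to apply a config whose keys are still CHANGEME, which is exactly the state Jonathan describes for packages installed on a running router before the next boot.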