On Mon, May 11, 2015 at 12:05 PM, Jonathan Bennett <[email protected]>
wrote:
>
>
> On Sun, May 10, 2015 at 9:46 PM, Michael Rash <[email protected]>
> wrote:
>
>>
>> On Sun, May 10, 2015 at 2:49 PM, Jonathan Bennett <[email protected]>
>> wrote:
>>
>>> Michael,
>>>
>>> Those changes have been made. The Luci interface is getting more
>>> polished, too.
>>>
>>
>> Excellent.
>>
>>
>>>
>>> In regards to fwknop and --key-gen: What sources of randomness does
>>> --key-gen use to generate keys? I could probably add a button to generate
>>> the keys and populate the needed fields automagically, but routers can have
>>> problems with sources of entropy. In theory, we could even have the router
>>> autogen keys when the luci app is installed, but the entropy concern still
>>> applies. Thoughts?
>>>
>>
>> When using symmetric keys and HMAC keys, they are generated by the client
>> (fwknopd does not offer the --key-gen option), and random data is read from
>> /dev/urandom and then base64-encoded:
>>
>> https://github.com/mrash/fwknop/blob/master/lib/cipher_funcs.c#L48
>> https://github.com/mrash/fwknop/blob/master/lib/cipher_funcs.c#L55
>>
>> I should probably add an option to read from /dev/random instead in case
>> the user doesn't mind blocking for a while like gpg's key generation
>> process. Thoughts? But, on an embedded system, I completely understand
>> where you are coming from with the entropy concern. Maybe just have people
>> use their client systems? Not sure there is a great solution if the OS
>> itself does not provide a good source of entropy.
>>
> What I have done is this: Part of the initial setup of the luci app checks
> for the fwknop client. If it is there, it generates a base64 key and hmac
> and plugs those into the luci app's config file, but doesn't flip the "Enable
> config overwrite" option. In this state, the fwknopd service fails on
> trying to start, as it is still running the example conf files that ship
> with the project. Once the user enables "Enable config overwrite" and
> hits save and apply, access.conf is overwritten and the service is fully
> running with the generated keys.
>
>
Sounds good.
> It would probably be useful to have an option to use /dev/random instead
> of urandom. That said, I have generated several keys in this fashion, and
> they seem to all be different. Not quite a statistical entropy analysis, I
> know.
>
/dev/urandom can be fairly decent, and usually provides something a lot
stronger than a manually remembered ascii-only passphrase at least.
>
>
> It looks like this now: http://incomsystems.biz/misc/fwknop_interface2.png
> http://incomsystems.biz/misc/fwknop_interface3.png
> The keys show as "CHANGEME" still. In this case, the packages were
> installed to a running router: the keys will be generated on the next boot.
>
Very nice. OpenWRT will have some strong usability features for fwknop
thanks to your efforts.
Thanks,
--Mike
>
> ~Jonathan Bennett
>
>>
>> Thanks,
>>
>> --Mike
>>
>>
>>
>>>
>>> ~Jonathan Bennett
>>>
>>> On Sat, May 9, 2015 at 8:52 PM, Michael Rash <[email protected]>
>>> wrote:
>>>
>>>>
>>>>
>>>> On Sat, May 9, 2015 at 3:43 PM, Jonathan Bennett <[email protected]> wrote:
>>>>
>>>>> Hello, all. I keep fwknop up to date in the OpenWrt project. I've
>>>>> intended to improve the user friendliness of running fwknopd on a router
>>>>> for a while now, and I've finally started work on it.
>>>>>
>>>>
>>>> Hello Jonathan,
>>>>
>>>> Awesome - ease of use is definitely an aspect of the fwknop project
>>>> that needs to be improved through efforts like yours.
>>>>
>>>>
>>>>>
>>>>> I pushed an update to 2.6.6 into openwrt just last night. I've put
>>>>> together a new web based config, and done a pull request into the openwrt
>>>>> project. it is waiting for critiques or to be pulled. Latest screengrab of
>>>>> the work is here: http://incomsystems.biz/fwknop_interface.png
>>>>>
>>>>> It is still a bit rough, but it seems to be working well enough. You
>>>>> can add as many access.conf stanzas as needed, and config options are not
>>>>> limited to what I've baked in to the interface.
>>>>>
>>>>
>>>> Excellent. Are other config options allowed through the "Add" box below
>>>> the one for the encryption key? Just a quick suggestion - if you are
>>>> looking to have a set of default config options, I think the ones you have
>>>> (SOURCE, HMAC_KEY, and KEY) are good. For the two keys, it might be handy
>>>> to accept base64-encoded versions (maybe if a box is checked?). This would
>>>> allow for keys that are created with the client --key-gen mode. Also, it
>>>> could be handy to have three additional options: OPEN_PORTS,
>>>> FW_ACCESS_TIMEOUT and REQUIRE_SOURCE_ADDRESS. These are probably the most
>>>> often customized options. Lastly, since this is for OpenWRT, I wonder if
>>>> people will use any of the NAT modes?
>>>>
>>>> Thanks,
>>>>
>>>> --Mike
>>>>
>>>>
>>>>
>>>>> Any comments welcome.
>>>>>
>>>>> ~Jonathan Bennett
>>>>>
>>>>>
>>>>> ------------------------------------------------------------------------------
>>>>> One dashboard for servers and applications across
>>>>> Physical-Virtual-Cloud
>>>>> Widest out-of-the-box monitoring support with 50+ applications
>>>>> Performance metrics, stats and reports that give you Actionable
>>>>> Insights
>>>>> Deep dive visibility with transaction tracing using APM Insight.
>>>>> http://ad.doubleclick.net/ddm/clk/290420510;117567292;y
>>>>> _______________________________________________
>>>>> Fwknop-discuss mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/fwknop-discuss
>>>>>
>>>>>
>>>>
>>>>
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>>
>>
>>
>> --
>> Michael Rash | Founder
>> http://www.cipherdyne.org/
>> Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
>>
>>
>>
>>
>
--
Michael Rash | Founder
http://www.cipherdyne.org/
Key fingerprint = 53EA 13EA 472E 3771 894F AC69 95D8 5D6B A742 839F
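The key-generation flow discussed in the thread (random bytes read from /dev/urandom, base64-encoded, then dropped into an access.conf stanza alongside SOURCE, OPEN_PORTS, FW_ACCESS_TIMEOUT and REQUIRE_SOURCE_ADDRESS), written out as an added shell example for a router-side setup script. This is not code from the fwknop project, from the LuCI app, or from either poster. It assumes a 32-byte Rijndael key and a 64-byte HMAC key (sizes chosen here, not stated in the thread), a `base64` utility that accepts `-d` for decoding (GNU coreutils or busybox), and the KEY_BASE64 / HMAC_KEY_BASE64 access.conf directives for base64 keys. The check_key function is the piece a setup script should have and the thread's "CHANGEME" screenshot motivates: it refuses to write a stanza whose key is still the placeholder, is empty, or does not decode to the expected number of bytes.

```shell
#!/bin/sh
# Added example, not fwknop project code. Generates fwknop symmetric and
# HMAC keys from /dev/urandom the way the client's --key-gen does
# (random bytes, base64-encoded) and emits an access.conf stanza that
# uses the *_BASE64 directives.
#
# Assumptions (not from the mailing-list thread): a 32-byte Rijndael key,
# a 64-byte HMAC key, and a `base64` that decodes with -d.

KEY_BYTES=32
HMAC_BYTES=64

# gen_key BYTES
# Print BYTES random bytes from /dev/urandom as a single base64 line.
gen_key() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# check_key B64 BYTES
# Return 0 only if B64 is a non-placeholder base64 string that decodes to
# exactly BYTES bytes. Catches the shipped "CHANGEME" example value, an
# empty field, and a key truncated while being pasted into the web form.
check_key() {
    b64=$1
    want=$2
    case "$b64" in
        ''|CHANGEME) return 1 ;;
    esac
    got=$(printf '%s' "$b64" | base64 -d 2>/dev/null | wc -c | tr -d ' ')
    [ "$got" = "$want" ]
}

# access_stanza SOURCE KEY_B64 HMAC_B64 [OPEN_PORTS] [FW_ACCESS_TIMEOUT]
# Validate both keys, then print one access.conf stanza. Defaults for the
# optional fields (tcp/22, 30 seconds) are constructed for this example.
access_stanza() {
    src=$1
    key=$2
    hmac=$3
    ports=${4:-tcp/22}
    timeout=${5:-30}
    check_key "$key" "$KEY_BYTES" || { echo "bad KEY_BASE64" >&2; return 1; }
    check_key "$hmac" "$HMAC_BYTES" || { echo "bad HMAC_KEY_BASE64" >&2; return 1; }
    printf 'SOURCE                  %s\n' "$src"
    printf 'KEY_BASE64              %s\n' "$key"
    printf 'HMAC_KEY_BASE64         %s\n' "$hmac"
    printf 'OPEN_PORTS              %s\n' "$ports"
    printf 'FW_ACCESS_TIMEOUT       %s\n' "$timeout"
    printf 'REQUIRE_SOURCE_ADDRESS  Y\n'
}

# Stand-alone run: generate a fresh pair and print a stanza for it.
# A real setup script would redirect this into access.conf and restart fwknopd.
EXAMPLE_KEY=$(gen_key "$KEY_BYTES")
EXAMPLE_HMAC=$(gen_key "$HMAC_BYTES")
access_stanza ANY "$EXAMPLE_KEY" "$EXAMPLE_HMAC"
```

The stanza is printed rather than written so the script is safe to run on a workstation; on a router the equivalent of the thread's "Enable config overwrite" step is the point at which the output replaces the shipped example access.conf. Generating on a client machine and pasting the two base64 lines into the form, as Mike suggests for entropy-starved devices, is the same flow with gen_key run elsewhere.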