On Mon, May 11, 2015 at 8:06 PM, Michael Rash <[email protected]>
wrote:

>
>
> On Mon, May 11, 2015 at 12:05 PM, Jonathan Bennett <[email protected]>
> wrote:
>
>>
>>
>> On Sun, May 10, 2015 at 9:46 PM, Michael Rash <[email protected]>
>> wrote:
>>
>>>
>>> On Sun, May 10, 2015 at 2:49 PM, Jonathan Bennett <[email protected]>
>>> wrote:
>>>
>>>> Michael,
>>>>
>>>> Those changes have been made. The Luci interface is getting more
>>>> polished, too.
>>>>
>>>
>>> Excellent.
>>>
>>>
>>>>
>>>> In regards to fwknop and --key-gen: What sources of randomness does
>>>> --key-gen use to generate keys? I could probably add a button to generate
>>>> the keys and populate the needed fields automagically, but routers can have
>>>> problems with sources of entropy. In theory, we could even have the router
>>>> autogen keys when the luci app is installed, but the entropy concern still
>>>> applies. Thoughts?
>>>>
>>>
>>> When using symmetric keys and HMAC keys, they are generated by the
>>> client (fwknopd does not offer the --key-gen option), and random data is
>>> read from /dev/urandom and then base64-encoded:
>>>
>>> https://github.com/mrash/fwknop/blob/master/lib/cipher_funcs.c#L48
>>> https://github.com/mrash/fwknop/blob/master/lib/cipher_funcs.c#L55
>>>
>>> I should probably add an option to read from /dev/random instead in case
>>> the user doesn't mind blocking for a while like gpg's key generation
>>> process. Thoughts? But, on an embedded system, I completely understand
>>> where you are coming from with the entropy concern. Maybe just have people
>>> use their client systems? Not sure there is a great solution if the OS
>>> itself does not provide a good source of entropy.
>>>
>> What I have done is this: Part of the initial setup of the luci app
>> checks for the fwknop client. If it is there, it generates a base64 key and
>> HMAC key and plugs those into the luci app's config file, but doesn't flip the
>> "Enable config overwrite" option. In this state, the fwknopd service
>> fails on trying to start, as it is still running the example conf files
>> that ship with the project. Once the user enables "Enable config
>> overwrite" and hits save and apply, access.conf is overwritten and the
>> service is fully running with the generated keys.
>>
>>
> Sounds good.
>
>
>> It would probably be useful to have an option to use /dev/random instead
>> of urandom. That said, I have generated several keys in this fashion, and
>> they seem to all be different. Not quite a statistical entropy analysis, I
>> know.
>>
>
> /dev/urandom can be fairly decent, and usually provides something a lot
> stronger than a manually remembered ASCII-only passphrase at least.
>

My concern was that since the keys are generated during the boot sequence,
the router's state might be deterministic. It seems, however, that other
keys are generated during firstboot, so apparently the OpenWrt devs don't
believe there is a problem there. My own limited observations haven't
turned up any issues, either.

>
>
>>
>>
>> It looks like this now:
>> http://incomsystems.biz/misc/fwknop_interface2.png
>> http://incomsystems.biz/misc/fwknop_interface3.png
>> The keys show as "CHANGEME" still. In this case, the packages were
>> installed to a running router: the keys will be generated on the next boot.
>>
>
> Very nice. OpenWrt will have some strong usability features for fwknop
> thanks to your efforts.
>

If anybody on the list wants to try testing out the packages, I can give
guidance or even build binaries for whatever hardware is available, given
that OpenWrt supports it. Everything but the luci module is now in OpenWrt
bleeding edge.

~Jonathan

>
> Thanks,
>
> --Mike
>
>
>
>>
>> ~Jonathan Bennett
>>
>>>
>>> Thanks,
>>>
>>> --Mike
>>>
>>>
>>>
>>>>
>>>> ~Jonathan Bennett
>>>>
>>>> On Sat, May 9, 2015 at 8:52 PM, Michael Rash <[email protected]>
>>>> wrote:
>>>>
>>>>>
>>>>>
>>>>> On Sat, May 9, 2015 at 3:43 PM, Jonathan Bennett <
>>>>> [email protected]> wrote:
>>>>>
>>>>>> Hello, all. I keep fwknop up to date in the OpenWrt project. I've
>>>>>> intended to improve the user friendliness of running fwknopd on a router
>>>>>> for a while now, and I've finally started work on it.
>>>>>>
>>>>>
>>>>> Hello Jonathan,
>>>>>
>>>>> Awesome - ease of use is definitely an aspect of the fwknop project
>>>>> that needs to be improved through efforts like yours.
>>>>>
>>>>>
>>>>>>
>>>>>> I pushed an update to 2.6.6 into OpenWrt just last night. I've put
>>>>>> together a new web based config, and done a pull request into the OpenWrt
>>>>>> project. It is waiting for critiques or to be pulled. Latest screengrab of
>>>>>> the work is here: http://incomsystems.biz/fwknop_interface.png
>>>>>>
>>>>>> It is still a bit rough, but it seems to be working well enough. You
>>>>>> can add as many access.conf stanzas as needed, and config options are not
>>>>>> limited to what I've baked into the interface.
>>>>>>
>>>>>
>>>>> Excellent. Are other config options allowed through the "Add" box
>>>>> below the one for the encryption key? Just a quick suggestion - if you are
>>>>> looking to have a set of default config options, I think the ones you have
>>>>> (SOURCE, HMAC_KEY, and KEY) are good. For the two keys, it might be handy
>>>>> to accept base64-encoded versions (maybe if a box is checked?). This would
>>>>> allow for keys that are created with the client --key-gen mode. Also, it
>>>>> could be handy to have three additional options: OPEN_PORTS,
>>>>> FW_ACCESS_TIMEOUT and REQUIRE_SOURCE_ADDRESS. These are probably the most
>>>>> often customized options. Lastly, since this is for OpenWrt, I wonder if
>>>>> people will use any of the NAT modes?
>>>>>
>>>>> Thanks,
>>>>>
>>>>> --Mike
>>>>>
>>>>>
>>>>>
>>>>>> Any comments welcome.
>>>>>>
>>>>>> ~Jonathan Bennett
>>>>>>
>>> --
>>> Michael Rash | Founder
>>> http://www.cipherdyne.org/
>>> Key fingerprint = 53EA 13EA 472E 3771 894F  AC69 95D8 5D6B A742 839F
_______________________________________________
Fwknop-discuss mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/fwknop-discuss

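As an added example (not fwknop's code and not the OpenWrt luci app Jonathan describes): a POSIX sh sketch of the boot-time key generation step discussed in the thread, reading /dev/urandom and base64-encoding the way the client's --key-gen does, gated on the kernel's reported entropy count, and with the "the keys all seem to be different" check made mechanical. The KEY_BASE64/HMAC_KEY_BASE64 access.conf directives, the 16-byte/64-byte key sizes and the 256-bit threshold are assumptions, not taken from the thread.

```shell
#!/bin/sh
# Added example, not fwknop or luci-app code. Key sizes are assumed to
# match --key-gen defaults (16-byte Rijndael key, 64-byte HMAC key).
KEY_BYTES=16
HMAC_BYTES=64
ENTROPY_MIN=${ENTROPY_MIN:-256}   # assumed threshold; tune per platform

# Entropy the kernel pool currently reports, or "unknown" without /proc.
entropy_avail() {
    f=/proc/sys/kernel/random/entropy_avail
    if [ -r "$f" ]; then cat "$f"; else echo unknown; fi
}

# Read N bytes from /dev/urandom and print them as one base64 line.
rand_b64() {
    head -c "$1" /dev/urandom | base64 | tr -d '\n'
}

# Print an access.conf stanza with freshly generated keys. Refuses to
# generate when the pool is readable and below ENTROPY_MIN, so a
# firstboot hook can retry later instead of writing a weak key.
gen_access_stanza() {
    src="$1"   # SOURCE value, e.g. ANY
    e=$(entropy_avail)
    if [ "$e" != unknown ] && [ "$e" -lt "$ENTROPY_MIN" ]; then
        echo "entropy_avail=$e below $ENTROPY_MIN; deferring key generation" >&2
        return 1
    fi
    key=$(rand_b64 "$KEY_BYTES")
    hmac=$(rand_b64 "$HMAC_BYTES")
    printf 'SOURCE %s\nKEY_BASE64 %s\nHMAC_KEY_BASE64 %s\n' "$src" "$key" "$hmac"
}

# Generate N keys and succeed only if none repeat. Not an entropy
# analysis, but it catches a stuck or deterministic source outright.
keys_distinct() {
    n="$1"
    dups=$(i=0; while [ "$i" -lt "$n" ]; do
               rand_b64 "$KEY_BYTES"; echo; i=$((i + 1))
           done | sort | uniq -d | wc -l | tr -d ' ')
    [ "$dups" -eq 0 ]
}
```

Run `gen_access_stanza ANY >> /etc/fwknop/access.conf` from the setup hook only after `keys_distinct 50` passes; on a kernel that never reports the pool, the entropy gate is skipped and only the uniqueness check stands.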