[client] man page update for GPG key signing material

Michael Rash 2013-05-15 21:17:39 -04:00
parent a6f9f1d9ec
commit 2c8469e95e


@ -99,6 +99,7 @@ that both *fwknop* and *fwknopd* use for SPA packet encryption/decryption
and HMAC authentication operations. This library can be used to allow and HMAC authentication operations. This library can be used to allow
third party applications to use SPA. third party applications to use SPA.
REQUIRED ARGUMENTS REQUIRED ARGUMENTS
------------------ ------------------
These required arguments can be specified via command-line or from within These required arguments can be specified via command-line or from within
@ -183,7 +184,6 @@ GENERAL OPTIONS
security is not critical. Having the *fwknop* client prompt you for the security is not critical. Having the *fwknop* client prompt you for the
key is generally more secure. key is generally more secure.
*--key-hmac*='<key>':: *--key-hmac*='<key>'::
Specify the raw HMAC key (not base64 encoded). Since the key may be visible Specify the raw HMAC key (not base64 encoded). Since the key may be visible
to utilities such as 'ps' under Unix, this form should only be used where to utilities such as 'ps' under Unix, this form should only be used where
@ -437,6 +437,24 @@ SPA OPTIONS
GPG-RELATED OPTIONS GPG-RELATED OPTIONS
------------------- -------------------
Note that the usage of GPG for SPA encryption/decryption can and should involve
GPG keys that are signed by each side (client and server). The basic procedure
for this involves the following steps after the client key has been transferred
the server and vice-versa:
..........................
[spaserver]# gpg --import client.asc
[spaserver]# gpg --edit-key 1234ABCD
Command> sign
[spaclient]$ gpg --import server.asc
[spaclient]$ gpg --edit-key ABCD1234
Command> sign
..........................
More comprehensive information on this can be found here:
'http://www.cipherdyne.org/fwknop/docs/gpghowto.html'.
*--gpg-agent*:: *--gpg-agent*::
Instruct *fwknop* to acquire GnuPG key password from a running gpg-agent Instruct *fwknop* to acquire GnuPG key password from a running gpg-agent
instance (if available). instance (if available).
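Review bot: the added paragraph reads "after the client key has been transferred the server and vice-versa", which is missing a word; it should be "transferred to the server and vice-versa". In the literal block, each `gpg --edit-key` session ends at `Command> sign`, but the signature is only written to the keyring once the session is closed with `Command> save` (or `quit` followed by confirming the save), so the example as shown would leave both keys unsigned if followed literally; suggest adding a `Command> save` line after each `sign`. Since the point of the paragraph is that signing is what makes the GPG mode meaningful, it would also help the reader to say that the fingerprint of the imported key should be confirmed out of band before signing, and that `1234ABCD` / `ABCD1234` are placeholder key IDs to be replaced with the real ones. Finally, the howto link is plain `http://`; if the site serves it over HTTPS, prefer that scheme in the man page.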
@ -626,6 +644,7 @@ access through the firewall. This makes it possible to make it appear as
though, say, www.yahoo.com is trying to authenticate to a target system but in though, say, www.yahoo.com is trying to authenticate to a target system but in
reality the actual connection will come from a seemingly unrelated IP. reality the actual connection will come from a seemingly unrelated IP.
EXAMPLES EXAMPLES
-------- --------
The following examples illustrate the command line arguments that could The following examples illustrate the command line arguments that could
@ -749,9 +768,10 @@ print the SPA packet information, then run it through a decrypt/decode cycle
and print it again. In addition, the *--verbose* command line switch is useful and print it again. In addition, the *--verbose* command line switch is useful
to see various SPA packet specifics printed to stdout. to see various SPA packet specifics printed to stdout.
SEE ALSO SEE ALSO
-------- --------
fwknopd(8), iptables(8), gpg(1), libfko documentation. fwknopd(8), iptables(8), pf(4), pfctl(8), ipfw(8), gpg(1), libfko documentation.
More information on Single Packet Authorization can be found in the paper More information on Single Packet Authorization can be found in the paper
``Single Packet Authorization with fwknop'' available at ``Single Packet Authorization with fwknop'' available at