bump version to 2.5, minor fwknopd -S exit status update
This commit bumps the fwknop version to 2.5 and sets the libfko version to 2.0 to signal incompatibility with older libfko versions. Backwards compatibility is maintained in SPA packet construction, but function prototypes in libfko-2.0 are no longer compatible with older versions. This commit also returns non-zero exit status under 'fwknopd --status' if there is no existing fwknopd process. This is better than always exiting with a zero status regardless of whether fwknopd is already running or not, and adds a level of scriptability to --status usage. This change was suggested by George Herlin.
This commit is contained in:
Michael Rash
parent
2812897666
commit
37b624ac8b
@ -2,12 +2,12 @@
|
||||
.\" Title: fwknop
|
||||
.\" Author: [see the "AUTHORS" section]
|
||||
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
|
||||
.\" Date: 06/20/2013
|
||||
.\" Date: 06/27/2013
|
||||
.\" Manual: Fwknop Client
|
||||
.\" Source: Fwknop Client
|
||||
.\" Language: English
|
||||
.\"
|
||||
.TH "FWKNOP" "8" "06/20/2013" "Fwknop Client" "Fwknop Client"
|
||||
.TH "FWKNOP" "8" "06/27/2013" "Fwknop Client" "Fwknop Client"
|
||||
.\" -----------------------------------------------------------------
|
||||
.\" * Define some portability stuff
|
||||
.\" -----------------------------------------------------------------
|
||||
@ -156,7 +156,7 @@ rc file is a more powerful mechanism for specifying not only the HMAC key but ot
|
||||
.RS 4
|
||||
Have
|
||||
\fBfwknop\fR
|
||||
generate both Rijndael and HMAC keys that can be used for SPA packet encryption\&. These keys are derived from /dev/random and then base64 encoded before being printed to stdout, and are meant to be included within the \(lq$HOME/\&.fwknoprc\(rq file (or the file referenced by
|
||||
generate both Rijndael and HMAC keys that can be used for SPA packet encryption\&. These keys are derived from /dev/urandom and then base64 encoded before being printed to stdout, and are meant to be included within the \(lq$HOME/\&.fwknoprc\(rq file (or the file referenced by
|
||||
\fB\-\-get\-key\fR)\&. Such keys are generally more secure than passphrases that are typed in from the command line\&.
|
||||
.RE
|
||||
.PP
|
||||
@ -916,7 +916,7 @@ So, assuming that the IP \fI2\&.2\&.2\&.2\fR is the system where \fBfwknopd\fR i
|
||||
.RE
|
||||
.\}
|
||||
.sp
|
||||
With the access request arguments and encryption and HMAC keys generated and saved in \(lq$HOME/\&.fwknoprc\(rq, the keys themselves need to be transferred to the \fI2\&.2\&.2\&.2\fR system where fwknopd is running\&. As always, this should be done via some secure means such as SSH before SPA is enabled and SSHD is blocked by the firewall\&. Here is what the new \fI2\&.2\&.2\&.2\fR stanza looks like in the \&.fwknoprc file:
|
||||
With the access request arguments and encryption and HMAC keys generated and saved in \(lq$HOME/\&.fwknoprc\(rq, the keys themselves need to be transferred to the \fI2\&.2\&.2\&.2\fR system where fwknopd is running\&. As always, this should be done via some secure means such as SSH before SPA is enabled and SSHD is blocked by the firewall\&. Here is what the new \fI2\&.2\&.2\&.2\fR stanza looks like in the \fI~/\&.fwknoprc\fR file:
|
||||
.sp
|
||||
.if n \{\
|
||||
.RS 4
|
||||
@ -950,7 +950,7 @@ The keys are base64 encoded blobs of random data, and both the \fBKEY_BASE64\fR
|
||||
Random Value: 8950423288486978
|
||||
Username: mbr
|
||||
Timestamp: 1370194770
|
||||
FKO Version: 2\&.5\&.0
|
||||
FKO Version: 2\&.5
|
||||
Message Type: 1 (Access msg)
|
||||
Message String: 1\&.1\&.1\&.1,tcp/22
|
||||
Nat Access: <NULL>
|
||||
@ -970,7 +970,7 @@ The keys are base64 encoded blobs of random data, and both the \fBKEY_BASE64\fR
|
||||
.\}
|
||||
.SS "Access mode examples"
|
||||
.sp
|
||||
The most common usage of \fBfwknop\fR is to gain access to SSH running on a remote system that has the \fBfwknopd\fR daemon deployed along with a default\-drop firewall policy\&. The following command illustrates this where IP \fI1\&.1\&.1\&.1\fR is the IP to be allowed through the firewall running on \fI3\&.3\&.3\&.3\fR (note that the \fI@sysconfdir@/fwknop/access\&.conf\fR file consumed by \fBfwknopd\fR will need to have matching encryption and HMAC keys, and configuration specifics can be found in the \fIfwknopd(8)\fR manual page)\&. Also, note the examples below prompt the user to supply the encryption and HMAC keys via stdin instead of writing them to disk as in the case of using the \(lq$HOME/\&.fwknoprc\(rq file in the example above\&. However, all of the following examples can be converted to using the \&.fwknoprc file just by adding the \fB\-\-save\-rc\-stanza\fR argument:
|
||||
The most common usage of \fBfwknop\fR is to gain access to SSH running on a remote system that has the \fBfwknopd\fR daemon deployed along with a default\-drop firewall policy\&. The following command illustrates this where IP \fI1\&.1\&.1\&.1\fR is the IP to be allowed through the firewall running on \fI3\&.3\&.3\&.3\fR (note that the \fI@sysconfdir@/fwknop/access\&.conf\fR file consumed by \fBfwknopd\fR will need to have matching encryption and HMAC keys, and configuration specifics can be found in the \fIfwknopd(8)\fR manual page)\&. Also, note the examples below prompt the user to supply the encryption and HMAC keys via stdin instead of writing them to disk as in the case of using the \(lq$HOME/\&.fwknoprc\(rq file in the example above\&. However, all of the following examples can be converted to using the ~/\&.fwknoprc file just by adding the \fB\-\-save\-rc\-stanza\fR argument:
|
||||
.sp
|
||||
.if n \{\
|
||||
.RS 4
|
||||
@ -999,7 +999,7 @@ If the \fB\-\-verbose\fR flag is added to the command line, then some SPA packet
|
||||
Random Value: 1916307060193417
|
||||
Username: mbr
|
||||
Timestamp: 1368498909
|
||||
FKO Version: 2\&.5\&.0
|
||||
FKO Version: 2\&.5
|
||||
Message Type: 1 (Access msg)
|
||||
Message String: 1\&.1\&.1\&.1,tcp/22
|
||||
Nat Access: <NULL>
|
||||
|
||||
@ -11,7 +11,7 @@ AC_PREREQ(2.62)
|
||||
|
||||
dnl Define our name, version and email.
|
||||
m4_define(my_package, [fwknop])
|
||||
m4_define(my_version, [2.5.0b])
|
||||
m4_define(my_version, [2.5])
|
||||
m4_define(my_bug_email, [dstuart@dstuart.org])
|
||||
|
||||
AC_INIT(my_package, my_version, my_bug_email)
|
||||
|
||||
@ -760,7 +760,7 @@ With the access request arguments and encryption and HMAC keys generated and sav
|
||||
in ``$HOME/.fwknoprc'', the keys themselves need to be transferred to the '2.2.2.2'
|
||||
system where fwknopd is running. As always, this should be done via some secure
|
||||
means such as SSH before SPA is enabled and SSHD is blocked by the firewall. Here
|
||||
is what the new '2.2.2.2' stanza looks like in the .fwknoprc file:
|
||||
is what the new '2.2.2.2' stanza looks like in the '~/.fwknoprc' file:
|
||||
|
||||
..........................
|
||||
$ tail -n 8 /home/user/.fwknoprc
|
||||
@ -791,7 +791,7 @@ file (some *--verbose* output is included for illustration):
|
||||
Random Value: 8950423288486978
|
||||
Username: mbr
|
||||
Timestamp: 1370194770
|
||||
FKO Version: 2.5.0
|
||||
FKO Version: 2.5
|
||||
Message Type: 1 (Access msg)
|
||||
Message String: 1.1.1.1,tcp/22
|
||||
Nat Access: <NULL>
|
||||
@ -818,7 +818,7 @@ and HMAC keys, and configuration specifics can be found in the 'fwknopd(8)'
|
||||
manual page). Also, note the examples below prompt the user to supply the
|
||||
encryption and HMAC keys via stdin instead of writing them to disk as in the
|
||||
case of using the ``$HOME/.fwknoprc'' file in the example above. However, all
|
||||
of the following examples can be converted to using the .fwknoprc file just by
|
||||
of the following examples can be converted to using the ~/.fwknoprc file just by
|
||||
adding the *--save-rc-stanza* argument:
|
||||
|
||||
..........................
|
||||
@ -840,7 +840,7 @@ specifics are printed to stdout (not all output is shown for brevity):
|
||||
Random Value: 1916307060193417
|
||||
Username: mbr
|
||||
Timestamp: 1368498909
|
||||
FKO Version: 2.5.0
|
||||
FKO Version: 2.5
|
||||
Message Type: 1 (Access msg)
|
||||
Message String: 1.1.1.1,tcp/22
|
||||
Nat Access: <NULL>
|
||||
|
||||
@ -136,7 +136,8 @@ COMMAND-LINE OPTIONS
|
||||
|
||||
*-S, --status*::
|
||||
Display the status of any *fwknopd* processes that may or not be
|
||||
running.
|
||||
running. If there is an existing fwknopd process then 0 is returned for the
|
||||
exit status and 1 is returned otherwise.
|
||||
|
||||
*-v, --verbose*::
|
||||
Run *fwknopd* in verbose mode. This can option can be specified
|
||||
@ -155,7 +156,7 @@ FWKNOPD CONFIG AND ACCESS VARIABLES
|
||||
*fwknopd* references the '@sysconfdir@/fwknop/fwknopd.conf'' file for configuration variables
|
||||
that define its operational parameters (what network interface and port
|
||||
to sniff, what features to enable/disable, etc.). The 'fwknopd.conf' file
|
||||
does not define any access control directives.
|
||||
does not define any access control directives.
|
||||
|
||||
The access control directives are contained in the '@sysconfdir@/fwknop/access.conf' file.
|
||||
Access control directives define encryption keys and level of access that
|
||||
|
||||
@ -13,7 +13,7 @@
|
||||
%define _mandir /usr/share/man
|
||||
|
||||
Name: fwknop
|
||||
Version: 2.5.0b
|
||||
Version: 2.5
|
||||
Epoch: 1
|
||||
Release: 1%{?dist}
|
||||
Summary: Firewall Knock Operator client. An implementation of Single Packet Authorization.
|
||||
@ -30,13 +30,13 @@ Requires: libfko, iptables
|
||||
|
||||
|
||||
%package -n libfko
|
||||
Version: 1.0.0
|
||||
Version: 2.0
|
||||
Summary: The fwknop library
|
||||
Group: Development/Libraries
|
||||
Requires: gpg, gpgme
|
||||
|
||||
%package -n libfko-devel
|
||||
Version: 1.0.0
|
||||
Version: 2.0
|
||||
Summary: The fwknop library header and API docs
|
||||
Group: Development/Libraries
|
||||
Requires: libfko
|
||||
|
||||
@ -53,7 +53,7 @@ extern "C" {
|
||||
|
||||
/* General params
|
||||
*/
|
||||
#define FKO_PROTOCOL_VERSION "2.5.0" /* The fwknop protocol version */
|
||||
#define FKO_PROTOCOL_VERSION "2.0" /* The fwknop protocol version */
|
||||
|
||||
/* Supported FKO Message types...
|
||||
*/
|
||||
|
||||
@ -2,12 +2,12 @@
|
||||
.\" Title: fwknopd
|
||||
.\" Author: [see the "AUTHORS" section]
|
||||
.\" Generator: DocBook XSL Stylesheets v1.76.1 <http://docbook.sf.net/>
|
||||
.\" Date: 06/01/2013
|
||||
.\" Date: 06/27/2013
|
||||
.\" Manual: Fwknop Server
|
||||
.\" Source: Fwknop Server
|
||||
.\" Language: English
|
||||
.\"
|
||||
.TH "FWKNOPD" "8" "06/01/2013" "Fwknop Server" "Fwknop Server"
|
||||
.TH "FWKNOPD" "8" "06/27/2013" "Fwknop Server" "Fwknop Server"
|
||||
.\" -----------------------------------------------------------------
|
||||
.\" * Define some portability stuff
|
||||
.\" -----------------------------------------------------------------
|
||||
@ -202,7 +202,7 @@ Rotate the digest cache file by renaming it to \(lq<name>\-old\(rq, and starting
|
||||
.RS 4
|
||||
Display the status of any
|
||||
\fBfwknopd\fR
|
||||
processes that may or not be running\&.
|
||||
processes that may or not be running\&. If there is an existing fwknopd process then 0 is returned for the exit status and 1 is returned otherwise\&.
|
||||
.RE
|
||||
.PP
|
||||
\fB\-v, \-\-verbose\fR
|
||||
|
||||
@ -101,11 +101,15 @@ main(int argc, char **argv)
|
||||
old_pid = write_pid_file(&opts);
|
||||
|
||||
if(old_pid > 0)
|
||||
{
|
||||
fprintf(stdout, "Detected fwknopd is running (pid=%i).\n", old_pid);
|
||||
clean_exit(&opts, NO_FW_CLEANUP, EXIT_SUCCESS);
|
||||
}
|
||||
else
|
||||
{
|
||||
fprintf(stdout, "No running fwknopd detected.\n");
|
||||
|
||||
clean_exit(&opts, NO_FW_CLEANUP, EXIT_SUCCESS);
|
||||
clean_exit(&opts, NO_FW_CLEANUP, EXIT_FAILURE);
|
||||
}
|
||||
}
|
||||
|
||||
/* Restart the currently running fwknopd?
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user