From eb0e8eb6a1946c2e89ff66399e186d54535bf013 Mon Sep 17 00:00:00 2001 From: Michael Rash Date: Tue, 26 Aug 2014 23:21:14 -0400 Subject: [PATCH] fwknopd man page updates for access.conf vars --- client/config_init.c | 9 ++++---- doc/fwknopd.man.asciidoc | 44 +++++++++++++++++++++++------------- server/fwknopd.8.in | 48 +++++++++++++++++++++++++++------------- 3 files changed, 67 insertions(+), 34 deletions(-) diff --git a/client/config_init.c b/client/config_init.c index fb01d965..73e83ce2 100644 --- a/client/config_init.c +++ b/client/config_init.c @@ -2408,7 +2408,7 @@ usage(void) " '$HOME/.fwknoprc' file to provide some of all\n" " of the configuration parameters.\n" " If more arguments are set through the command\n" - " line, the configuration is updated accordingly\n" + " line, the configuration is updated accordingly.\n" " -A, --access Provide a list of ports/protocols to open\n" " on the server (e.g. 'tcp/22').\n" " -a, --allow-ip Specify IP address to allow within the SPA\n" @@ -2454,6 +2454,7 @@ usage(void) " -u, --user-agent Set the HTTP User-Agent for resolving the\n" " external IP via -R, or for sending SPA\n" " packets over HTTP.\n" + " -w, --wget-cmd Manually set the path to wget in -R mode.\n" " -H, --http-proxy Specify an HTTP proxy host through which the\n" " SPA packet will be sent. The port can also be\n" " specified here by following the host/ip with\n" 
@@ -2470,9 +2471,9 @@ usage(void) " -K, --key-gen-file Write generated Rijndael + HMAC keys to a\n" " file\n" " --key-rijndael Specify the Rijndael key. Since the password is\n" - " visible to utilities (like 'ps' under Unix) this\n" - " form should only be used where security is not\n" - " important.\n" + " visible to utilities (like 'ps' under Unix)\n" + " this form should only be used where security is\n" + " not important.\n" " --key-base64-rijndael Specify the base64 encoded Rijndael key. Since\n" " the password is visible to utilities (like 'ps'\n" " under Unix) this form should only be used where\n" diff --git a/doc/fwknopd.man.asciidoc b/doc/fwknopd.man.asciidoc index b9eba9f1..f9d57010 100644 --- a/doc/fwknopd.man.asciidoc +++ b/doc/fwknopd.man.asciidoc @@ -229,17 +229,6 @@ See the '@sysconfdir@/fwknop/fwknopd.conf'' file for the full list and correspon synchronization with the *fwknopd* server system (NTP is good). The default age is 120 seconds (two minutes). -*ACCESS_EXPIRE* '':: - Defines an expiration date for the access stanza in MM/DD/YYYY format. - All SPA packets that match an expired stanza will be ignored. This - parameter is optional. - -*ACCESS_EXPIRE_EPOCH* '':: - Defines an expiration date for the access stanza as the epoch time, and is - useful if a more accurate expiration time needs to be given than the day - resolution offered by the ACCESS_EXPIRE variable above. All SPA packets - that match an expired stanza will be ignored. This parameter is optional. - *ENABLE_DIGEST_PERSISTENCE* '':: Track digest sums associated with previous SPA packets processed by *fwknopd*. This allows digest sums to remain persistent across @@ -303,7 +292,7 @@ See the '@sysconfdir@/fwknop/fwknopd.conf'' file for the full list and correspon the '$HOME/.gnupg' directory of the user running *fwknopd* (most likely root). -GPG_EXE* '':: +*GPG_EXE* '':: Specify the path to GPG, and defaults to '/usr/bin/gpg' if not set. *LOCALE* '':: 
@@ -443,6 +432,17 @@ directive starts a new stanza. optional field, and if not specified then *fwknopd* defaults to using SHA256 if the access stanza requires an HMAC. +*ACCESS_EXPIRE* '':: + Defines an expiration date for the access stanza in MM/DD/YYYY format. + All SPA packets that match an expired stanza will be ignored. This + parameter is optional. + +*ACCESS_EXPIRE_EPOCH* '':: + Defines an expiration date for the access stanza as the epoch time, and is + useful if a more accurate expiration time needs to be given than the day + resolution offered by the ACCESS_EXPIRE variable above. All SPA packets + that match an expired stanza will be ignored. This parameter is optional. + *ENABLE_CMD_EXEC* '':: This instructs *fwknopd* to accept complete commands that are contained within an authorization packet. Any such command will be executed on @@ -468,6 +468,9 @@ directive starts a new stanza. client behind a NAT) or the client must know the external IP and set it via the *-a* argument. +*REQUIRE_SOURCE_ADDRESS* '':: + Synonym for ``REQUIRE_SOURCE_ADDRESS''. + *FORCE_NAT* ' ':: For any valid SPA packet, force the requested connection to be NAT'd through to the specified (usually internal) IP and port value. This is @@ -522,10 +525,14 @@ directive starts a new stanza. and/or pinentry to collect a passphrase. *GPG_REQUIRE_SIG* '':: - With this setting set to 'Y', fwknopd check all GPG-encrypted SPA + With this setting set to 'Y', fwknopd check all GPG-encrypted SPA messages for a signature (signed by the sender's key). If the incoming message is not signed, the decryption process will fail. If not set, the - default is 'N'. + default is 'Y'. + +*GPG_DISABLE_SIG* '':: + Disable signature verification for incoming SPA messages. This is not a + recommended setting, and the default is 'N'. *GPG_IGNORE_SIG_VERIFY_ERROR* '':: Setting this will allow fwknopd to accept incoming GPG-encrypted packets 
@@ -538,9 +545,16 @@ directive starts a new stanza. any incoming SPA message that has been encrypted with the *fwknopd* server key. This ensures that the verification of the remote user is accomplished via a strong cryptographic mechanism. - This setting only applies if the ``GPG_REQUIRE_SIG'' is set to 'Y'. + Signature verification is enabled by default, and can only be disabled + if ``GPG_DISABLE_SIG'' is set to 'Y' (not a recommended setting). Separate multiple entries with a comma. +*GPG_FINGERPRINT_ID* '':: + Specify a set of full-length GnuPG key fingerprints instead of the shorter + key identifiers set with the ``GPG_REMOTE_ID'' variable. Here is an + example fingerprint for one of the fwknop test suite keys: + '00CC95F05BC146B6AC4038C9E36F443C6A3FAD56'. + *GPG_HOME_DIR* '':: Define the path to the GnuPG directory to be used by the *fwknopd* server. If this keyword is not specified within '@sysconfdir@/fwknop/access.conf' diff --git a/server/fwknopd.8.in b/server/fwknopd.8.in index a318f686..bd349a78 100644 --- a/server/fwknopd.8.in +++ b/server/fwknopd.8.in @@ -2,12 +2,12 @@ .\" Title: fwknopd .\" Author: [see the "AUTHORS" section] .\" Generator: DocBook XSL Stylesheets v1.78.1 -.\" Date: 06/05/2014 +.\" Date: 08/26/2014 .\" Manual: Fwknop Server .\" Source: Fwknop Server .\" Language: English .\" -.TH "FWKNOPD" "8" "06/05/2014" "Fwknop Server" "Fwknop Server" +.TH "FWKNOPD" "8" "08/26/2014" "Fwknop Server" "Fwknop Server" .\" ----------------------------------------------------------------- .\" * Define some portability stuff .\" ----------------------------------------------------------------- 
@@ -317,16 +317,6 @@ Defines the maximum age (in seconds) that an SPA packet will be accepted\&. This server system (NTP is good)\&. The default age is 120 seconds (two minutes)\&. .RE .PP -\fBACCESS_EXPIRE\fR \fI\fR -.RS 4 -Defines an expiration date for the access stanza in MM/DD/YYYY format\&. All SPA packets that match an expired stanza will be ignored\&. This parameter is optional\&. -.RE -.PP -\fBACCESS_EXPIRE_EPOCH\fR \fI\fR -.RS 4 -Defines an expiration date for the access stanza as the epoch time, and is useful if a more accurate expiration time needs to be given than the day resolution offered by the ACCESS_EXPIRE variable above\&. All SPA packets that match an expired stanza will be ignored\&. This parameter is optional\&. -.RE -.PP \fBENABLE_DIGEST_PERSISTENCE\fR \fI\fR .RS 4 Track digest sums associated with previous SPA packets processed by @@ -407,7 +397,7 @@ directory of the user running (most likely root)\&. .RE .PP -GPG_EXE* \fI\fR +\fBGPG_EXE\fR \fI\fR .RS 4 Specify the path to GPG, and defaults to \fI/usr/bin/gpg\fR @@ -551,6 +541,16 @@ Specify the digest algorithm for incoming SPA packet authentication\&. Must be o defaults to using SHA256 if the access stanza requires an HMAC\&. .RE .PP +\fBACCESS_EXPIRE\fR \fI\fR +.RS 4 +Defines an expiration date for the access stanza in MM/DD/YYYY format\&. All SPA packets that match an expired stanza will be ignored\&. This parameter is optional\&. +.RE +.PP +\fBACCESS_EXPIRE_EPOCH\fR \fI\fR +.RS 4 +Defines an expiration date for the access stanza as the epoch time, and is useful if a more accurate expiration time needs to be given than the day resolution offered by the ACCESS_EXPIRE variable above\&. All SPA packets that match an expired stanza will be ignored\&. This parameter is optional\&. +.RE +.PP \fBENABLE_CMD_EXEC\fR \fI\fR .RS 4 This instructs 
@@ -585,6 +585,11 @@ has to be used to automatically resolve the external address (if the client behi argument\&. .RE .PP +\fBREQUIRE_SOURCE_ADDRESS\fR \fI\fR +.RS 4 +Synonym for \(lqREQUIRE_SOURCE_ADDRESS\(rq\&. +.RE +.PP \fBFORCE_NAT\fR \fI \fR .RS 4 For any valid SPA packet, force the requested connection to be NAT\(cqd through to the specified (usually internal) IP and port value\&. This is useful if there are multiple internal systems running a service such as SSHD, and you want to give transparent access to only one internal system for each stanza in the access\&.conf file\&. This way, multiple external users can each directly access only one internal system per SPA key\&. @@ -633,6 +638,12 @@ to leverage a GnuPG key pair that does not have an associated password\&. While .RS 4 With this setting set to \fIY\fR, fwknopd check all GPG\-encrypted SPA messages for a signature (signed by the sender\(cqs key)\&. If the incoming message is not signed, the decryption process will fail\&. If not set, the default is +\fIY\fR\&. +.RE +.PP +\fBGPG_DISABLE_SIG\fR \fI\fR +.RS 4 +Disable signature verification for incoming SPA messages\&. This is not a recommended setting, and the default is \fIN\fR\&. .RE .PP 
@@ -646,8 +657,15 @@ Setting this will allow fwknopd to accept incoming GPG\-encrypted packets that a .RS 4 Define a list of gpg key ID\(cqs that are required to have signed any incoming SPA message that has been encrypted with the \fBfwknopd\fR -server key\&. This ensures that the verification of the remote user is accomplished via a strong cryptographic mechanism\&. This setting only applies if the \(lqGPG_REQUIRE_SIG\(rq is set to -\fIY\fR\&. Separate multiple entries with a comma\&. +server key\&. This ensures that the verification of the remote user is accomplished via a strong cryptographic mechanism\&. Signature verification is enabled by default, and can only be disabled if \(lqGPG_DISABLE_SIG\(rq is set to +\fIY\fR +(not a recommended setting)\&. Separate multiple entries with a comma\&. +.RE +.PP +\fBGPG_FINGERPRINT_ID\fR \fI\fR +.RS 4 +Specify a set of full\-length GnuPG key fingerprints instead of the shorter key identifiers set with the \(lqGPG_REMOTE_ID\(rq variable\&. Here is an example fingerprint for one of the fwknop test suite keys: +\fI00CC95F05BC146B6AC4038C9E36F443C6A3FAD56\fR\&. .RE .PP \fBGPG_HOME_DIR\fR \fI\fR
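Review bot: The client/config_init.c hunk at @@ -2454 adds a new usage line for `-w, --wget-cmd`, but the commit subject ("fwknopd man page updates for access.conf vars") does not mention any client change; either call out the client usage addition in the commit message or split it into its own commit, and note that no client man page is touched in this patch (only server/fwknopd.8.in is), so the new option's documentation may be incomplete.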
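Review bot: In the doc/fwknopd.man.asciidoc hunk at @@ -468 the new `*REQUIRE_SOURCE_ADDRESS*` entry reads "Synonym for ``REQUIRE_SOURCE_ADDRESS''", which declares the variable a synonym of itself; the text should name the other variable it aliases (the one whose description ends just above with "set it via the *-a* argument"). The generated server/fwknopd.8.in hunk at @@ -585 repeats the same self-reference (`Synonym for \(lqREQUIRE_SOURCE_ADDRESS\(rq`), so both copies need correcting.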
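Review bot: The `*GPG_REQUIRE_SIG*` hunk at @@ -522 flips the default from 'N' to 'Y' but keeps the grammatical error on a line it already rewrites ("fwknopd check all GPG-encrypted SPA" should be "fwknopd checks all GPG-encrypted SPA"); the roff hunk at @@ -633 carries the same wording. More importantly, with the new `*GPG_DISABLE_SIG*` variable there are now two settings governing one policy, and the text never says what happens when `GPG_REQUIRE_SIG` is explicitly set to 'N' while `GPG_DISABLE_SIG` stays at its default 'N'. State the precedence (or mark one of the two as the canonical setting) so an operator cannot assume signatures are being verified when they are not.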
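Review bot: In the @@ -538 hunk the rewritten `*GPG_REMOTE_ID*` sentence says signature verification "can only be disabled if ``GPG_DISABLE_SIG'' is set to 'Y'", which contradicts the `*GPG_REQUIRE_SIG*` entry two stanzas earlier that still presents 'N' as a settable value; pick one statement and make the other consistent with it. The new `*GPG_FINGERPRINT_ID*` entry also says "a set of full-length GnuPG key fingerprints" without stating the separator, unlike `*GPG_REMOTE_ID*` directly above it ("Separate multiple entries with a comma."), and does not say whether it may be combined with `GPG_REMOTE_ID` in the same stanza or is strictly "instead of" it; add both sentences, and mirror them in the roff hunk at @@ -646.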
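Review bot: The server/fwknopd.8.in header in the @@ -2 hunk states the file is produced by "DocBook XSL Stylesheets v1.78.1", yet this patch hand-edits the roff in parallel with the asciidoc source, which is how the asciidoc errors above (the self-referential synonym, "fwknopd check") ended up duplicated; fix the asciidoc source first and regenerate the roff so the two cannot drift.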